by warrenm 1704 days ago
What makes you think a language can mitigate supply chain attacks?

For any arbitrary language you define, I can create a known-bad library and punch it into the download stream

If you want to mitigate supply-chain attacks, you need to look at all of the following (at least!):

- library source

- file-signature

- signature key-verification

- static analysis of library functionality

- processor-dependent rogue behavior detection

- OS-dependent rogue behavior detection

This is not a language problem - this is a source and runtime problem

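Worked example added here for the "file-signature" and "signature key-verification" items in the list above; it is not code from the thread or from either commenter. It assumes a detached Ed25519 signature shipped beside the downloaded library and a SHA-256 fingerprint of the publisher's public key that the consumer pinned out-of-band (the names Fingerprint, VerifyArtifact and RunScenarios are invented for this illustration). The point the list is making is that the two checks are distinct: a signature that verifies is worthless if the key it verifies under is not the one you already trust, so the key check comes first and an attacker-supplied key with a perfectly valid signature is rejected before any signature math runs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Sentinel errors so a caller (or a test) can tell the two failure modes apart.
var (
	ErrUntrustedKey = errors.New("signing key is not the pinned publisher key")
	ErrBadSignature = errors.New("signature does not verify over the downloaded bytes")
)

// Fingerprint returns the hex SHA-256 of a public key. This is the value a
// consumer pins in its own repository; the raw key arriving with the download
// is compared against it rather than trusted on sight.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// VerifyArtifact performs the two checks in order:
//  1. key verification: the key presented with the download must match the pinned fingerprint;
//  2. file signature: the detached signature must verify over the exact bytes received.
// Checking the key first means a valid signature under an attacker's key never gets far.
func VerifyArtifact(artifact, sig []byte, presentedKey ed25519.PublicKey, pinnedFingerprint string) error {
	if len(presentedKey) != ed25519.PublicKeySize || Fingerprint(presentedKey) != pinnedFingerprint {
		return ErrUntrustedKey
	}
	if !ed25519.Verify(presentedKey, artifact, sig) {
		return ErrBadSignature
	}
	return nil
}

// RunScenarios builds constructed sample data (a publisher key pair and a tiny
// stand-in for a library tarball) and exercises the three cases a consumer
// actually meets: a genuine download, a download tampered in transit, and a
// malicious download signed with a key the attacker controls.
func RunScenarios() (good, tampered, wrongKey error) {
	pubPublisher, privPublisher, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pinned := Fingerprint(pubPublisher) // what the consumer stored ahead of time

	artifact := []byte("libfoo-1.2.3.tar.gz contents (constructed sample)")
	sig := ed25519.Sign(privPublisher, artifact)

	// Case 1: genuine artifact, genuine key.
	good = VerifyArtifact(artifact, sig, pubPublisher, pinned)

	// Case 2: one byte flipped in the download stream; the publisher's signature no longer matches.
	bad := append([]byte(nil), artifact...)
	bad[0] ^= 0x01
	tampered = VerifyArtifact(bad, sig, pubPublisher, pinned)

	// Case 3: attacker substitutes a backdoored artifact plus a valid signature under their own key.
	pubAttacker, privAttacker, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	evil := []byte("libfoo-1.2.3.tar.gz with a backdoor (constructed sample)")
	evilSig := ed25519.Sign(privAttacker, evil)
	wrongKey = VerifyArtifact(evil, evilSig, pubAttacker, pinned)

	return good, tampered, wrongKey
}

func main() {
	good, tampered, wrongKey := RunScenarios()
	fmt.Println("genuine download: ", good)
	fmt.Println("tampered download:", tampered)
	fmt.Println("attacker's key:   ", wrongKey)
}
```

This covers only the first two list items plus the library bytes themselves; it says nothing about what the code inside the artifact does, which is what the static-analysis and runtime-detection items are for. Note also that if the fingerprint is fetched from the same place as the artifact, the pin is doing nothing, which is the usual way this check gets hollowed out in practice.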

I think you have good points about the file signature and key-verification. I was hoping that we could expand the conversation around static analysis of library functionality as some languages offer features to simplify certain kinds of static analysis. For instance, Rust's borrowing semantics are a language feature that make certain memory usage attributes possible to verify statically.

From a run-time perspective, there are lots of instances where untrusted code has to be executed, and there are various sandboxing-related approaches there (running in a walled-off VM, for instance). From a deployment standpoint that doesn't scale if you need to have an actual VMware instance running per package/dependency. My hope is that a language implemented over a virtual machine might be able to achieve similar levels of security with less overhead.

>a language implemented over a virtual machine might be able to achieve similar levels of security with less overhead

So ... anything running on the JVM (Java, Scala, etc), for example?