by danpalmer
1558 days ago
Exactly, that was their point. I suspect there are a lot of software supply chains that are actually compromised, because it's just too easy when this is the standard of software engineering. It's easy to forget that Git, for example, is not just a big "undo" button; it's a cryptographically secure audit log of all changes made, that allows you to know exactly what software you're actually shipping.

To be pedantic: not quite.
Git is certainly a cryptographically secure audit log[ß], but it only tells you what the source code was that went _into_ the build at the time of checkout. You can subvert the process through malice (e.g. SolarWinds), through incompetence (e.g. off-tree "magic" patching as a build step), or through sheer negligence.
Reproducible and auditable builds are a much harder problem than source code provenance.
ß: from my previous job: once auditors understood what git is, they loved it. They, by their profession, love immutability. Failing that, they consider tamper-evidence a really good second-best.
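To make the distinction in the two comments above concrete, here is an added example (not code from either commenter). It recomputes Git's own object hashes for blobs, a flat tree and a chain of commits, so you can see why the history is tamper-evident: editing a file in an old commit changes that blob, its tree, that commit and every commit after it, even when the head tree itself is unchanged. It then runs a toy "build" that applies an off-tree patch, and shows that the artifact changes while the commit id does not, which is the gap reproducible builds have to close. The repository contents, author string and patch are constructed for the example; the hash formats are Git's real ones (`<type> <size>\0<payload>`, SHA-1).

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed author/committer line in Git's format: "Name <email> <unix-time> <tz>".
AUTHOR = "Example Dev <dev@example.com> 1700000000 +0000"


def git_hash_object(kind: str, payload: bytes) -> str:
    """SHA-1 of a Git object: the header '<kind> <size>\\0' followed by the payload.
    This is exactly what `git hash-object -t <kind>` computes."""
    header = f"{kind} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()


def blob_id(content: bytes) -> str:
    return git_hash_object("blob", content)


def tree_id(files: Dict[str, bytes]) -> str:
    """Hash a flat tree (no subdirectories): entries are '<mode> <name>\\0<20 raw SHA bytes>',
    sorted by name, so every file's blob id is bound into the tree id."""
    entries = b""
    for name in sorted(files):
        entries += b"100644 " + name.encode() + b"\0" + bytes.fromhex(blob_id(files[name]))
    return git_hash_object("tree", entries)


def commit_id(tree: str, parent: Optional[str], author: str, message: str) -> str:
    """Hash a commit: tree id, optional parent id, author/committer lines, blank line, message.
    The parent id is part of the hashed payload, which is what chains the history."""
    lines = [f"tree {tree}"]
    if parent:
        lines.append(f"parent {parent}")
    lines += [f"author {author}", f"committer {author}"]
    body = "\n".join(lines) + "\n\n" + message + "\n"
    return git_hash_object("commit", body.encode())


def make_history(versions: List[Tuple[Dict[str, bytes], str]]) -> List[str]:
    """Build a linear history from (files, message) pairs; returns the commit ids in order."""
    ids: List[str] = []
    parent: Optional[str] = None
    for files, message in versions:
        parent = commit_id(tree_id(files), parent, AUTHOR, message)
        ids.append(parent)
    return ids


def build(files: Dict[str, bytes], off_tree_patch: Optional[Dict[str, bytes]] = None) -> str:
    """Toy build: concatenate sources in name order and hash the result with SHA-256.
    `off_tree_patch` stands in for a 'magic' patch step applied outside the repository;
    nothing in the commit id knows it happened."""
    sources = {**files, **(off_tree_patch or {})}
    artifact = b"".join(sources[name] for name in sorted(sources))
    return hashlib.sha256(artifact).hexdigest()


# Constructed two-commit repository.
V1 = {"main.c": b"int main(void){return 0;}\n"}
V2 = {**V1, "util.c": b"int helper(void){return 1;}\n"}
HISTORY = [(V1, "initial"), (V2, "add helper")]

# The same history with one byte changed in the first commit's main.c.
V1_TAMPERED = {"main.c": b"int main(void){return 1;}\n"}
HISTORY_TAMPERED = [(V1_TAMPERED, "initial"), (V2, "add helper")]

# Constructed off-tree patch applied at build time, never committed.
MAGIC_PATCH = {"util.c": b"int helper(void){return 0xdead;}\n"}


def demo() -> Dict[str, bool]:
    honest = make_history(HISTORY)
    tampered = make_history(HISTORY_TAMPERED)
    return {
        # Head trees are identical (both end at V2), yet head commit ids differ: the
        # parent link carries the tampering forward through the whole chain.
        "same_head_tree": tree_id(V2) == tree_id(V2),
        "head_commit_differs": honest[-1] != tampered[-1],
        # The same commit id yields different artifacts once an off-tree patch is applied.
        "artifact_differs_for_same_commit": build(V2) != build(V2, MAGIC_PATCH),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Two of the hashes are checkable against a real Git install: `blob_id(b"hello\n")` is `ce013625030ba8dba906f756967f9e9ca394464a` (what `echo hello | git hash-object --stdin` prints) and `tree_id({})` is Git's well-known empty-tree id `4b825dc642cb6eb9a060e54bf8d69288fbee4904`. The point of `build()` is the negative one: a signed tag or a reviewed commit id attests the inputs, and only a reproducible build lets an auditor tie the shipped artifact back to that id.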