Supply chain poisoning

frank.duignan · March 2, 2021, 4:56pm

There’s a lot of talk about supply chain poisoning from the security industry at the moment. What safeguards are in place to prevent this happening in PlatformIO. Does it use code signing to verify compilers and other tool-chain elements?

maxgerhardt · March 3, 2021, 11:55am

CC @ivankravets for this topic

frank.duignan · March 3, 2021, 12:39pm

How do I CC him? I don’t see a button for that.

maxgerhardt · March 3, 2021, 12:59pm

No, I’ve CC-ed him already by mentioning his @.

ivankravets · March 3, 2021, 1:59pm

PlatformIO Core uses a genuine PlatformIO Trusted Registry that helps to eliminate any security issues. Each package has its own SHA-256 checksum which will be verified on the client-side. Also, all traffic goes through HTTPS.

frank.duignan · March 3, 2021, 2:25pm

Thank you, that is very reassuring

mcspr · June 28, 2021, 9:47pm

I think this is still about the topic’s question… checksum does verify the package integrity, so this makes sure the server and the client have the same file. Is something like GPG signing in the plans, so the package origin is verified as well? Would it also makes sense to have an ability for the client ‘pin’ the hash of the package instead or in addition to the version spec?