The compromise of SolarWinds’ system management tool raised a lot of interesting issues for anyone using a CI/CD (continuous integration and continuous delivery) build process for their software. How can we ensure that the software we distribute to our users is the software we intend to build? Are all the dependencies for our code the ones we intended to have? If we’re using third-party modules, are they still what we expect?
It’s a complex problem, made more complex by the layered and nested foundation of dependencies we’ve placed under all our code. Modern development relies on code from repositories all over the world, developed by countless teams and individuals we will never meet. Even so, we trust their code to be what it says—a trust that we pass on to our users.
Read the original article: