irishcoffee 4 hours ago
> unless you work for a government contractor where they have strict security policies ...

So you're saying there is a blueprint for mitigating this already, and it just isn't followed?
kankerlijer 4 hours ago
It's more work and more restrictive, I suppose. Any business is free to set up JFrog Artifactory and only allow the installation of approved dependencies. And anyone can pull Iron Bank images, I believe.
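One concrete way to enforce the "only approved dependencies" setup described above is to point the package manager at the internal registry (for npm, a `.npmrc` line such as `registry=https://<host>/artifactory/api/npm/<repo-key>/`) and then check in CI that every entry in the lockfile actually resolved from that registry, so a developer cannot quietly bypass the proxy. The script below is an added example for this thread, not code from the thread or from JFrog; the host name `artifactory.example.internal`, the repository key `npm-approved` and the sample lockfile are all made up for illustration.

```python
"""Verify that every dependency in a package-lock.json was fetched from the
approved internal registry rather than the public one."""
import json
from urllib.parse import urlparse

# Assumed internal registry. Artifactory serves npm repositories under
# https://<host>/artifactory/api/npm/<repo-key>/ ; host and repo key are made up.
APPROVED_REGISTRY = "https://artifactory.example.internal/artifactory/api/npm/npm-approved/"


def is_approved_url(resolved, approved_registry=APPROVED_REGISTRY):
    """True if a tarball URL lives under the approved registry (same scheme,
    same host, and path under the registry's path prefix)."""
    want = urlparse(approved_registry)
    got = urlparse(resolved)
    return (got.scheme == want.scheme
            and got.netloc == want.netloc
            and got.path.startswith(want.path))


def find_unapproved(lockfile_text, approved_registry=APPROVED_REGISTRY):
    """Return [(package_name, resolved_url)] for every lockfile entry whose
    tarball came from somewhere other than the approved registry.

    Handles lockfileVersion 2/3, where "packages" is keyed by the
    node_modules path. Entries with no "resolved" field (the root project,
    workspace links) have nothing to download and are skipped.
    """
    lock = json.loads(lockfile_text)
    unapproved = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # root project entry, not a fetched package
        resolved = entry.get("resolved")
        if not resolved:
            continue  # workspace/link entry, no tarball fetched
        # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
        name = path.rsplit("node_modules/", 1)[-1]
        if not is_approved_url(resolved, approved_registry):
            unapproved.append((name, resolved))
    return unapproved


# Constructed sample lockfile: one package from the approved registry, one
# that slipped through from the public registry, and one local link.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": APPROVED_REGISTRY + "left-pad/-/left-pad-1.3.0.tgz",
        },
        "node_modules/some-other-package": {
            "version": "0.0.1",
            "resolved": "https://registry.npmjs.org/some-other-package/-/some-other-package-0.0.1.tgz",
        },
        "node_modules/local-tool": {"version": "0.1.0", "link": True},
    },
})


if __name__ == "__main__":
    offenders = find_unapproved(SAMPLE_LOCK)
    for name, url in offenders:
        print(f"UNAPPROVED: {name} <- {url}")
    raise SystemExit(1 if offenders else 0)
```

Run it against the repository's real `package-lock.json` as a CI gate; a non-zero exit means someone resolved a package outside the vetted registry. The same idea carries over to other ecosystems (a `pip.conf` `index-url` plus a check on the resolved URLs in a pinned requirements or lock file).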
parliament32 4 hours ago
Yes, but it requires people. Typically, you identify a package you want (or a new version of a package you want) and you send off a request to a separate security team. They analyze and approve, and the package becomes available in your internal package manager. But this means 1) you need that team of people to do that work, and 2) there's a lot of hurry-up-and-wait involved.