“Software supply chain management” is one of those terms that sounds like Venture Capital-funded vendor marketing bullshit right up until it isn’t.
In 2016 the npm left-pad incident taught many of us in the software industry two things:
- The fragility of depending directly on central package management systems, such as npm or nuget.org, hence why artifact proxying tools like JFrog Artifactory became so important; and
- How centralized package management systems probably need to make stronger security and availability guarantees, such as not allowing hard deletes of packages in the first place.
One of the distinguishing features of nuget.org is they make it very, very hard for authors to delete their packages - only in exceptional cases, such as malware inclusion, will they allow the permanent deletion of packages.
Imagine my surprise yesterday, when I discovered that two of our Akka.NET packages were deleted¹, by Microsoft, without any advance notice. I only discovered that this was an issue when one of my own Akka.NET applications failed to build on CI/CD due to missing package versions.
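The failure mode above (a pinned version silently vanishing from the feed and surfacing only as a broken CI build) is cheap to catch before the build starts. The following is an added example, not code from the original post or from the Akka.NET project: it reads a NuGet `packages.lock.json` and reports every pinned version the feed no longer serves. The package ids and feed contents are constructed sample data; the only real endpoint assumed is nuget.org's v3 flat-container version index.

```python
"""Pre-flight check: confirm every pinned NuGet package version in a
packages.lock.json is still served by the feed before CI runs restore.
Lock-file layout follows NuGet's packages.lock.json (version 1); the
live lookup uses the v3 flat-container endpoint
https://api.nuget.org/v3-flatcontainer/{id}/index.json."""
import json
import urllib.error
import urllib.request
from typing import Callable, List, Tuple

# Constructed sample lock file: one direct and one transitive pin.
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {"net8.0": {
        "Example.Core": {"type": "Direct", "requested": "[1.5.0, )",
                         "resolved": "1.5.0", "contentHash": "constructed"},
        "Example.Remote": {"type": "Transitive",
                           "resolved": "1.5.1", "contentHash": "constructed"},
    }},
})

# Constructed stand-in for a feed: lowercase id -> versions still served.
# Example.Remote 1.5.1 has been removed, mirroring the post's scenario.
SAMPLE_FEED = {"example.core": ["1.4.0", "1.5.0"], "example.remote": ["1.5.0"]}


def pinned_packages(lock_json: str) -> List[Tuple[str, str]]:
    """Return sorted (id, resolved version) pairs across all target frameworks."""
    lock = json.loads(lock_json)
    if lock.get("version") != 1:
        raise ValueError("unsupported packages.lock.json version")
    return sorted({(pkg_id, info["resolved"])
                   for deps in lock["dependencies"].values()
                   for pkg_id, info in deps.items()})


def missing_from_feed(lock_json: str,
                      list_versions: Callable[[str], List[str]]) -> List[Tuple[str, str]]:
    """list_versions(id_lower) returns the versions the feed serves (NuGet
    lowercases ids in the flat container). Returns pins the feed lacks."""
    return [(pkg_id, ver) for pkg_id, ver in pinned_packages(lock_json)
            if ver.lower() not in {v.lower() for v in list_versions(pkg_id.lower())}]


def nuget_org_versions(id_lower: str) -> List[str]:
    """Live lookup against nuget.org; a 404 means the package id is gone entirely."""
    url = f"https://api.nuget.org/v3-flatcontainer/{id_lower}/index.json"
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return json.load(resp)["versions"]
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return []
        raise


def check_feed_offline() -> List[Tuple[str, str]]:
    """Run the check against the constructed sample data (no network)."""
    return missing_from_feed(SAMPLE_LOCK, lambda i: SAMPLE_FEED.get(i, []))


if __name__ == "__main__":
    for pkg_id, ver in check_feed_offline():
        print(f"MISSING from feed: {pkg_id} {ver}")
```

Swap `check_feed_offline` for `missing_from_feed(open("packages.lock.json").read(), nuget_org_versions)` to run it against nuget.org, and fail the pipeline when the list is non-empty.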
I’ll get into the reasons why they did this, but the bottom line is: this is a disturbing precedent that really should never be repeated.
In essence, Microsoft’s adjacent business units abused NuGet to deal with their own security vulnerabilities - getting a level of access that would never be granted to any other publisher on the platform.