Hi,
Can someone from the dev team comment on procedures implemented to guard against supply chain attacks? Both for core DietPi and for the programs found in dietpi-software?
Thanks
Software title available within dietpi-software are not developed by us. We install them from official sources (mainly GitHub) or via apt package manager.
1 Like
Hi, thanks for the response.
It is clear that dietpi-software entries are from 3rd parties. I was hoping there might be an, even tacit, agreement that those authors utilize some form of vulnerability checking of their packages.
Same for DietPi. I have no idea what goes into the OS itself and am only speculating that packages are employed at some point. And if so, knowing there are safeguards in place would be reassuring.
It is not my intent to call into question the DietPi authors and maintainers commitment to quality. I have always been impressed by and grateful for DietPi. Thank you for a great product.
Perhaps a misunderstanding about what DietPi is and what we do.
DietPi is not an operating system in its own right. It is a set of bash scripts on a Debian image. Depending on the SBC, we mainly use Raspberry OS, Armbian or just Debian. For the base OS, Debian’s default package manager apt is used to install and manage software packages. We have no influence on this. If I am not mistaken, checks are made at this higher level before the packages arrive at the package server.
For software titles installed from GitHub, we have no agreement with the creator/developer. I am not aware of anything like this on other operating systems. Every user is free to install what they want from any source.
As for the DietPi bash code, we publish our code on GitHub. Everyone is invited to contribute to and review our code. We also run a beta phase before we release a new version. There, everyone is invited to join in and test.
What you say makes sense, you’ve answered my question and filled some knowledge gaps to boot.
Thanks again for taking the time to respond and for the great product.