The Risks of Single Maintainer Dependencies

2022-05-18

Authors: John McBride


Summary

The importance of maintaining a secure software supply chain and mitigating the risk of personnel attrition in DevOps and cybersecurity
  • Trust is hard to establish in the DevOps ecosystem, especially for solo maintainers
  • Invest in engineering resources and ensure personal security to mitigate the risk of hacks and attacks
  • Bring other people into the inner circle and the maintainer track to share responsibilities and prevent catastrophic attrition
  • Create processes to mitigate the lottery factor for solo maintainers
  • Maintainers are the secure software supply chain and critical to preventing bad middleware and potential CVEs
  • The story of npm event stream and the crypto bandit illustrates the importance of single maintainers in the broader secure software supply chain
The story of npm event-stream and the crypto bandit illustrates the importance of single maintainers in the broader secure software supply chain. The popular JavaScript npm streaming library, event-stream, was used everywhere as a transitive dependency. A new person was given ownership access to the repository and npm publishing access, and they injected a crypto wallet stealer into the module. This shipped as part of an npm package that was consumed by many other npm packages, potentially affecting hundreds of thousands of people. The original owner had handed over ownership because they no longer used the module and got nothing from maintaining it. This highlights the importance of maintaining a secure software supply chain and mitigating the risk of personnel attrition in DevOps and cybersecurity.

Abstract

John McBride is the single maintainer of Cobra, a Go command line bootstrapping library and core dependency for many CNCF projects, including Kubernetes, Helm, etcd, Istio, Linkerd, and many more. John will discuss the challenges of being a single maintainer on such an important project, the lottery factor, the need for a contributor community, and the secure software supply chain implications this has for the entire CNCF ecosystem.
