As the complexity of our software systems grows – and they ingest more and more dependencies to deliver their functionality – the supply chain becomes more complex, and thus more difficult to secure. The industry is forming a consensus around a baseline set of properties for a secure software supply chain, yet these are not enough to protect against some of the high-profile attacks we have seen in recent years. In some cases they may not even have made detection easier. The industry needs to do better; we need to do better. An attacker who compromises a software supply chain can greatly extend the blast radius of their attack to all eventual users of the system. In some cases the exploits are overlooked or unintended bugs; others have been known to be more deliberate and insidious (most recently, SunBurst/Solarigate).

This presentation shares the experience of the CNCF SIG-Security Supply Chain Working Group, with particular attention to the intricacies and sharp edges of the practice of creating and maintaining a tightly-secured software supply chain.