Open Source Software Supply Chain

My preferred method for installing open source software is typically to install directly from linux os repositories, such as dnf or apt. This seems to be the most reliable way to ensure you are installing the software with code that has not been tampered with that includes dependencies within the supply chain of the repository. Since I don’t have the time or the expertise to audit code for security vulnerabilities, I trust that the established repositories are reasonably stable and free from many known security vulnerabilities.

I take some issue with Flatpak’s/Snaps that are compiled by volunteers who are not the developers of the program, as I have learned that these can introduce hidden vulnerabilities related to the flatpak/snap dependencies, and not the software code itself).

On MacOS, I am a bit lost.

Homebrew has some security concerns noted here:

Are their major obstacles that stop open source software from being available for MacOS via installation download (1 click), which is validated to some extent by macOS gatekeeper, or available via the MacOS App Store?

Ledger, beancount, & hledger are mainly a command line programs, which may be part of the reason why they are seperate from the normal MacOS supply chain ecosystem, but are their similar supply chain processes for validating command line software installations?

submitted by /u/czerny2018
[link] [comments]
This is a companion discussion topic for the original entry at