(Done) May Meetup: Secure Clojure Supply Chains #14
Replies: 4 comments 7 replies
@madclj/meetup May meetup: I've been interested in supply-chain attacks for a few years now. I think Clojure has a ways to go in protecting from them in practice. It would be great to get everyone's take on it and maybe we can prototype some ideas.
Will be there with the girls.
Note that the meetup today is on the 3rd floor in the "Pop" conference room. StartingBlock is using the 2nd floor classroom for storage after yielding some office space back to the owners. I'll try and put a sign on the door.
Our discussion was split in two parts. In the first part we considered attack vectors (and defenses) during the development lifecycle of adding a new feature to some Clojure application. Time roughly goes from left-to-right, with the first phase being development on a dev machine, second being CI testing and deployment to an integration environment, and third being a deployment to production. From left-to-right:
In the second half we considered what it would concretely mean for Clojure projects to be "more reproducible", why we would even want reproducibility, and where reproducible builds for Clojure stand in May 2025. On the left we have a measure of "Build Reproducibility", where at the bottom we can reproduce 0% of our Clojure project from source (perhaps we were just handed a native binary), and at the top we can completely recreate our Clojure project from source, bit-for-bit. On the far right, we have an inverse measure of "Trust" that we are required to have. On the bottom we must 100% trust all parties involved in creating the binary (the diagram lines up horizontally, so 100% trust == 0% reproducible builds). At the top (0%) we don't need to trust anyone because our builds are 100% reproducible. Measure of Trust needed falls much slower than adding reproducibility. In the middle we have four more measures, from left to right:
On the left, we sketched what different % reproducible Clojure projects might look like.
👍 to RSVP
https://madclj.com/
Wednesday, May 14th, 2025
6:30 PM to 9:00 PM CT
StartingBlock Madison
821 E Washington Ave
-!!->> 3rd floor ("Pop" Conference Room) <<-!!-
Madison, WI
What are ways Clojure programs can be exploited via supply chain attacks? Are jars always what they seem? When is a git SHA not enough? What can we do to detect and prevent attacks?
Let's brainstorm some ideas.
- .o files in jars
- can we ignore untrusted AOT compiled Clojure files?
- xz-style backdoor in bb

Let's try and design and prototype some detection tools during the meetup.
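One starting point for the detection-tool prototyping the post proposes, as an added example (not code from the meetup or any project): a Python audit of a jar's entry list. Clojure's loader (RT.load) prefers a namespace's AOT .class file over its .clj source when the class file is newer, so a jar can ship readable source that is not what actually runs; the script flags that case, AOT-only namespaces with no source to review, and native objects (.so, .o, etc.) bundled in the jar. The entry names and the sample jar are constructed.

```python
"""Audit a jar for entries a Clojure supply-chain reviewer should look at.
Added example for this thread (not the meetup's or any project's code); the
sample jar in sample_jar() is constructed. See audit_jar for the checks.
"""
import io
import zipfile

NATIVE_SUFFIXES = (".so", ".o", ".dll", ".dylib", ".jnilib")
SOURCE_EXTS = (".clj", ".cljc")


def aot_namespace(entry):
    """Path stem of a Clojure namespace init class (e.g. demo/core), else None."""
    return entry[: -len("__init.class")] if entry.endswith("__init.class") else None


def audit_jar(data):
    """Return {'shadowed': [(ns, class_newer)], 'aot_only': [ns], 'native': [entry]}."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = {zi.filename: zi for zi in zf.infolist()}
    shadowed, aot_only, native = [], [], []
    for name, info in sorted(infos.items()):
        if name.endswith(NATIVE_SUFFIXES):  # native code hiding in a "pure Clojure" jar
            native.append(name)
            continue
        ns = aot_namespace(name)
        if ns is None:
            continue
        source = next((infos[ns + e] for e in SOURCE_EXTS if ns + e in infos), None)
        if source is None:
            aot_only.append(ns)  # nothing readable to review for this namespace
        else:  # loader picks the class only when it is strictly newer than the source
            shadowed.append((ns, info.date_time > source.date_time))
    return {"shadowed": shadowed, "aot_only": aot_only, "native": native}


def sample_jar():
    """Constructed jar: shadowed ns, clean source-only ns, AOT-only ns, native lib."""
    old, new = (2025, 1, 1, 0, 0, 0), (2025, 5, 1, 0, 0, 0)
    entries = [
        ("demo/core.clj", old, b"(ns demo.core)\n"),
        ("demo/core__init.class", new, b"\xca\xfe\xba\xbe"),
        ("demo/util.clj", old, b"(ns demo.util)\n"),
        ("demo/hidden__init.class", new, b"\xca\xfe\xba\xbe"),
        ("native/linux/libdemo.so", new, b"\x7fELF"),
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, when, body in entries:
            zf.writestr(zipfile.ZipInfo(name, date_time=when), body)
    return buf.getvalue()
```

Pointing `audit_jar` at the bytes of a real dependency jar gives a quick list of namespaces whose source cannot be trusted to match what the JVM will load.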