Comment by lapcat

8 days ago

> Do you still trust them not to do self-reporting or phoning home, even though it is $0 and closed source?

If you trust Little Snitch on Mac, then yes.

They've been in business for over 20 years. They're not going to blow their entire business and reputation for a few Linux users.

Yep, I trust the obdev.at / Snitch guys.

I do wonder, however, whether they are sufficiently careful about their processes and their own machines to avoid a supply chain attack completely.

They must be a target for the various hacking groups out there.

  • We have not detected a targeted attack yet. On the Mac side, we are safe: No dependencies on any third party libraries. Only Apple.

    On the Linux side, there is no single big vendor such as Apple who provides all the necessary libraries. I have tried to choose reputable sources from crates.io only, but to be honest, I don't know a secure solution to the problem.

  • This comment seems a bit confused.

    A supply chain attack doesn't directly attack an end developer but rather a supplier of the developer. So who or what is the supplier in this case?

    • That seems... not correct?

      The comment was asking about preventing a compromised supplier for the developers.

      A supply chain attack can be anywhere in the supply chain to the target. If I, the end user, am the target, then a supply chain attack compromising the developer of LittleSnitch is effective.

      I may then be a conduit to compromising other software or components, and both I and LittleSnitch would be part of the supply chain that could be attacked to target them.
