Secure the Software Supply Chain

Why is it that 7 years after a simple key-value store was written as the very first example contract for ethereum by the inventor, we still do not have a secure root for our software supply chain?

Why was the most useful thing we could have delivered for web2 right away, a way to end the MITM attacks and backdoors in all our package registries, never delivered?

Why are we pretending to be web3 when the entire industry’s security is squarely grounded in web2 hierarchical architectures?

The answer is the same as for everything else going wrong in the industry: a combination of greed and incompetence.

I started to write a long post explaining the history of pre-ethereum decentralized DNS, early ENS efforts, the evolution of the ENS architecture and organization, and why we eventually decided we had to take back the problem and solve it properly.

Instead of posting that, we will just start releasing our alternative tools. If and when we establish that our way is better, and the industry finally frees itself from all the backdoors owned by the very institutions we want to replace, maybe then I will give that context to everything.

Right now, the priority is fixing the problem. We will post updates here as new tools become available, and what our confidence is in the security level of those tools.

Feel free to join our chat if you want to contribute.

2022-05-31: All of these tools are alpha-quality and should not yet be trusted for serious money at stake.

Until the industry takes this problem seriously, every time there is a supply chain attack against end users, I will collect it here. Right now, the priority is fixing the problem.

The entire supply chain is vulnerable to these kinds of attacks because the PKI infrastructure is fundamentally rooted in something that is backdoored.