Share interests, spread happiness, broaden knowledge, and leave something beautiful behind.
Dear reader, this is the LearningYard New Academy!
Today the editor brings you a literature reading.
Welcome!
1 Content summary
Today the editor interprets and shares the paper "Poisoning the software supply chain" in three parts: mind map, intensive reading, and knowledge supplement.
2 Mind map
3 Intensive reading
This issue is a general reading of a 2003 article on the software supply chain; it is also the second foreign paper mentioned earlier that uses the term "software supply chain". The author opens by observing that attackers increasingly prefer to compromise the sites where software packages are developed and distributed, then wait for unsuspecting users to install the result. This kind of attack is highly efficient, and such attacks keep growing.
The traditional software supply chain already had some built-in resistance to attack, because traditional software development usually took place in a semi-closed environment that outsiders found hard to reach. Today's networked environment makes electronic access far easier, yet a highly structured distribution chain still means that only a small number of insiders, or the most capable external attackers, are in a position to tamper with the software.
Gradually, the growth of networking has turned the Internet itself into a distribution channel within the software supply chain: many people now obtain software online rather than on physical media such as CDs. Software also comes in many forms; it may be a file download, a browser plug-in, a functional component, or a Java applet.
Some proprietary vendors with tight control over their platforms, such as Microsoft and Java, quickly recognised the risks of this new online distribution and introduced countermeasures, for example Microsoft's Authenticode and Java's signed archive files (signed JARs).
Open source software, with its more complex operating environment, is comparatively more exposed to attack: the intricate, interlinked network of development, packaging, and distribution gives attackers more points to strike. On the other hand, that same complex open source development and distribution chain can catch attackers faster through peer review, so there are both advantages and disadvantages.
Many open source vendors have adopted protections comparable to those of proprietary vendors, such as cryptographically signing packages. These signatures are limited, however: they can only attest to which version of the software a package contains and whether it has been altered since it was signed; they cannot give the full picture of the package.
PGP is regarded as a relatively common signature format for open source software. In PGP, users sign other users' public keys to indicate that they trust the claim that the key belongs to the person who says it does. Because there is no central trusted authority, a user may end up with a package for which no trust path to the signing key exists.
Mirror sites, which share the distribution load of a project's main site, are another complicating factor in the open source supply chain. Software developers do not control the primary distribution sites, nor is there a single trusted site that can serve as the reference for verifying the others. Mirrors usually cannot tell whether the main site has been attacked or tampered with, so the files they copy are corrupted as well.
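The three points above (a signature that attests to version and tamper status but not to what the code does, a trust path to the signing key, and mirrors that cannot vouch for what they serve) can be shown as one download check. The Go program below is an added example, not code from Levy's paper or from any project it names. It uses Ed25519 from Go's standard library in place of PGP, a constructed manifest layout (name, version, SHA-256), and a pinned keyring standing in for a PGP trust path; the package bytes, name and version are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what a developer publishes next to a release: the package
// name, its version, and the SHA-256 of the exact file bytes (constructed layout).
type Manifest struct {
	Name    string
	Version string
	SHA256  string
}

// Encode renders the manifest as the canonical byte string that gets signed.
func (m Manifest) Encode() []byte {
	return []byte(m.Name + "\n" + m.Version + "\n" + m.SHA256 + "\n")
}

// SignedManifest is what a mirror serves beside the package file.
type SignedManifest struct {
	Manifest Manifest
	Sig      []byte
	Signer   ed25519.PublicKey // the key that claims to have signed it
}

// Keyring holds developer keys the client obtained out of band (e.g. pinned in
// the package manager). A key absent from the ring has no trust path.
type Keyring []ed25519.PublicKey

var (
	ErrNoTrustPath = errors.New("signer key is not in the trusted keyring (no trust path)")
	ErrBadSig      = errors.New("manifest signature does not verify")
	ErrTampered    = errors.New("package bytes do not match the signed digest")
)

// NewDeveloperKey generates an Ed25519 keypair for a constructed developer.
func NewDeveloperKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Digest returns the hex SHA-256 of a package's bytes.
func Digest(pkg []byte) string {
	sum := sha256.Sum256(pkg)
	return hex.EncodeToString(sum[:])
}

// SignManifest is the developer's release step: the developer signs, not the mirror.
func SignManifest(priv ed25519.PrivateKey, m Manifest) SignedManifest {
	return SignedManifest{
		Manifest: m,
		Sig:      ed25519.Sign(priv, m.Encode()),
		Signer:   priv.Public().(ed25519.PublicKey),
	}
}

// VerifyDownload is the client's check on a package fetched from any mirror.
// It passes only if a trusted key signed the manifest and the bytes hash to the
// signed digest; it says nothing about whether the code itself is benign.
func VerifyDownload(trusted Keyring, sm SignedManifest, pkg []byte) error {
	known := false // 1. trust path: a valid signature from an unknown key proves nothing
	for _, k := range trusted {
		if bytes.Equal(k, sm.Signer) {
			known = true
			break
		}
	}
	if !known {
		return ErrNoTrustPath
	}
	if !ed25519.Verify(sm.Signer, sm.Manifest.Encode(), sm.Sig) { // 2. manifest signature
		return ErrBadSig
	}
	if Digest(pkg) != sm.Manifest.SHA256 { // 3. the mirror's copy must match the signed digest
		return ErrTampered
	}
	return nil
}

func main() {
	pub, priv := NewDeveloperKey()
	pkg := []byte("constructed package bytes, version 1.2.3") // stands in for a tarball
	sm := SignManifest(priv, Manifest{Name: "example-tool", Version: "1.2.3", SHA256: Digest(pkg)})
	fmt.Println("clean mirror copy:       ", VerifyDownload(Keyring{pub}, sm, pkg))

	tampered := append(append([]byte{}, pkg...), '!') // a mirror serving an altered file
	fmt.Println("tampered mirror copy:    ", VerifyDownload(Keyring{pub}, sm, tampered))

	_, attackerPriv := NewDeveloperKey() // attacker re-signs the altered file with their own key
	forged := SignManifest(attackerPriv, Manifest{Name: "example-tool", Version: "1.2.3", SHA256: Digest(tampered)})
	fmt.Println("re-signed by unknown key:", VerifyDownload(Keyring{pub}, forged, tampered))
}
```

The third case is the one the PGP paragraph warns about: the forged manifest carries a perfectly valid signature, and only the keyring check (the trust path) rejects it. Note also what a passing result does not prove: the developer's own release could be malicious or buggy and would still verify, which is exactly the limitation the article attributes to package signatures.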
In closing, the author argues that attacks on open source software will persist: with little effort an attacker can taint a package and trick large numbers of unsuspecting users into downloading it. We should work to promote more advanced risk-control techniques and encourage existing open source suppliers to adopt the practical technologies already available, such as digital signatures, so as to secure the software supply chain.
4 Knowledge supplement
What is burning (flashing)?
Burning (also called flashing or programming) is the process of writing data or a program into a storage medium. It usually means transferring a program or data from a computer to a programmable memory chip, using a dedicated device or tool so that the data is stored in the chip exactly as intended.
Burning requires dedicated equipment such as a programmer (burner) or burning software. These tools transfer the data or program the user needs to the target storage medium over a specific interface. During transfer the data is converted into a specific format and encoding so that the memory chip can recognise and write it correctly. Once the data has been written to the medium, the burning process is complete.
Burning is used in many fields. In the software industry it is used to write program code onto software storage media for users to install and use. In hardware manufacturing it is commonly used to write device drivers so that hardware devices function properly. It also plays an important role in customised products such as embedded systems and smart home devices, where burning enables per-device configuration and customised services.
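As an added illustration of the "specific format and encoding" step, the Go program below parses Intel HEX, a common text format for the images fed to chip programmers. The page names no format, so choosing Intel HEX is an assumption of this example, and the records, addresses and the corrupted copy are constructed rather than taken from any real device; the code is not from LearningYard or from any flashing tool. It checks each record's checksum before accepting it, which is how a programmer notices a damaged image before writing it to the chip.

```go
package main

import (
	"bufio"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// SampleHex is a constructed Intel HEX image: a type-04 record setting the upper
// address bits to 0x0800, two data records with a 2-byte gap, and the EOF record.
// Each record is ":" + byte count + 16-bit offset + type + data + checksum.
const SampleHex = ":020000040800F2\n:04000000DEADBEEFC4\n:0400060001020304EC\n:00000001FF\n"

// CorruptedHex is SampleHex with one data byte flipped (DE -> DF) and the old
// checksum left in place, the kind of damage a bad copy would show.
const CorruptedHex = ":020000040800F2\n:04000000DFADBEEFC4\n:0400060001020304EC\n:00000001FF\n"

// ParseIntelHex decodes records into a flat image starting at the lowest written
// address. Gaps are filled with 0xFF, the state of erased flash.
func ParseIntelHex(text string) (image []byte, start uint32, err error) {
	bytesAt := map[uint32]byte{}
	var base uint32 // upper 16 address bits from the last type-04 record
	lo, hi := ^uint32(0), uint32(0)
	sawEOF := false
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		if sawEOF {
			return nil, 0, fmt.Errorf("line %d: record after EOF", n)
		}
		if line[0] != ':' {
			return nil, 0, fmt.Errorf("line %d: missing ':' start code", n)
		}
		raw, derr := hex.DecodeString(line[1:])
		if derr != nil {
			return nil, 0, fmt.Errorf("line %d: %v", n, derr)
		}
		if len(raw) < 5 || len(raw) != 5+int(raw[0]) {
			return nil, 0, fmt.Errorf("line %d: length field does not match record", n)
		}
		var sum byte
		for _, b := range raw {
			sum += b // two's-complement checksum: every byte incl. checksum sums to 0 mod 256
		}
		if sum != 0 {
			return nil, 0, fmt.Errorf("line %d: checksum mismatch", n)
		}
		offset := uint32(raw[1])<<8 | uint32(raw[2])
		data := raw[4 : 4+int(raw[0])]
		switch raw[3] {
		case 0x00: // data record
			for i, b := range data {
				a := base + offset + uint32(i)
				bytesAt[a] = b
				if a < lo {
					lo = a
				}
				if a > hi {
					hi = a
				}
			}
		case 0x01: // end of file
			sawEOF = true
		case 0x04: // extended linear address: data holds the upper 16 bits
			if len(data) != 2 {
				return nil, 0, fmt.Errorf("line %d: bad extended address record", n)
			}
			base = uint32(data[0])<<24 | uint32(data[1])<<16
		default:
			return nil, 0, fmt.Errorf("line %d: unsupported record type %#02x", n, raw[3])
		}
	}
	if !sawEOF {
		return nil, 0, errors.New("missing EOF record")
	}
	if len(bytesAt) == 0 {
		return []byte{}, 0, nil
	}
	image = make([]byte, hi-lo+1)
	for i := range image {
		image[i] = 0xFF
	}
	for a, b := range bytesAt {
		image[a-lo] = b
	}
	return image, lo, nil
}

func main() {
	img, start, err := ParseIntelHex(SampleHex)
	fmt.Printf("image at %#08x: % x (err=%v)\n", start, img, err)
	_, _, err = ParseIntelHex(CorruptedHex)
	fmt.Println("corrupted image:", err)
}
```

The sample image decodes to ten bytes at 0x08000000 with the two unwritten bytes left as 0xFF; the corrupted copy is rejected at its second record because the single flipped byte breaks the checksum. The checksum only detects accidental corruption, not deliberate modification; that distinction is why the supply-chain section above relies on digital signatures rather than checksums.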
That's all for today's sharing.
If you have your own thoughts on today's article,
please leave us a message,
and let's meet again tomorrow.
Have a happy day!
References:
Translation: ChatGPT 4
Reference: Levy E. Poisoning the software supply chain [J]. IEEE Security & Privacy, 2003, 1(3): 70-73.
Text: This article was compiled and published by LearningYard New Academy; if it infringes any rights, please leave a message in the backend.
Copy | 姜疯雨火
Layout | 姜疯雨火
Review | zjj
Source: LearningYard