-
Just wondering: What is the strategy against Supply Chain Attacks? Given that KeePassXC is a super-attractive target, and the growing number of attempts to compromise common libraries (see e.g. this one on PyPI), I am wondering how KeePassXC can be protected against this.
Please note that I am not so much concerned about malicious pull requests against the actual KeePassXC sources (even though there are many possible tricks to obscure malicious additions, e.g. as shown here, or potential attack vectors in typical GitHub-based CI workflows).
My main concern is targeted attempts to compromise upstream repositories.
Is this on the radar? If so, what are mitigation strategies?
Edit:
The most likely targets for such supply chain attacks would be the documented build dependencies like Qt5.
We will have to consider malicious insertions there that specifically target KeePassXC, i.e. they would remain inactive and hence most likely undetected in other usages of these libraries.
Replies: 1 comment
-
Short answer: you can never fully protect yourself from this. If you don't own the FULL stack, there will always be a possible way to introduce an upstream attack. We limit our dependencies to the bare minimum possible. We also keep them up to date with every release. This would be classified as a risk-reduction approach, which is the best we can do.
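The reply's risk-reduction approach (few dependencies, each one deliberately chosen and updated per release) implies a concrete build-time check: every third-party artifact the build consumes should be on an explicit allowlist and match a pinned digest, so that a tampered upstream tarball or an unexpected extra dependency fails the build instead of silently becoming part of the product. The following is an added example written for this discussion; it is not KeePassXC's code or build tooling. The dependency names, manifest and artifact bytes are all constructed for illustration, and the `0` digest for `libgamma` is a placeholder standing in for a real pinned hash.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class PinnedDependency:
    """One allowlisted build dependency with the digest it must match."""
    name: str
    version: str
    sha256: str


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an artifact's bytes as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def verify_dependencies(manifest: dict, fetched: dict) -> dict:
    """Compare fetched artifacts against the pinned manifest.

    manifest: name -> PinnedDependency (the allowlist with expected digests)
    fetched:  name -> bytes of the artifact actually downloaded/unpacked
    Returns a report with four lists: ok, mismatched, missing, unpinned.
    Any entry outside "ok" is a reason to stop the build and investigate.
    """
    report = {"ok": [], "mismatched": [], "missing": [], "unpinned": []}
    for name, dep in manifest.items():
        if name not in fetched:
            report["missing"].append(name)  # allowlisted but never fetched
        elif sha256_hex(fetched[name]) == dep.sha256:
            report["ok"].append(name)
        else:
            report["mismatched"].append(name)  # content differs from the pin
    for name in fetched:
        if name not in manifest:
            report["unpinned"].append(name)  # dependency nobody approved
    return report


def build_is_clean(report: dict) -> bool:
    """True only when every fetched artifact is allowlisted and matches its pin."""
    return not (report["mismatched"] or report["missing"] or report["unpinned"])


# Constructed sample artifacts standing in for downloaded source tarballs.
GOOD_ALPHA = b"constructed tarball contents of libalpha 1.2.0\n"
GOOD_BETA = b"constructed tarball contents of libbeta 3.4.1\n"

# Constructed allowlist: digests are taken from the known-good bytes above;
# libgamma carries a placeholder digest (constructed) and is never fetched.
MANIFEST = {
    "libalpha": PinnedDependency("libalpha", "1.2.0", sha256_hex(GOOD_ALPHA)),
    "libbeta": PinnedDependency("libbeta", "3.4.1", sha256_hex(GOOD_BETA)),
    "libgamma": PinnedDependency("libgamma", "0.9.0", "0" * 64),
}

# Constructed fetch result: libbeta has an extra line appended (simulating a
# modified upstream archive) and libextra was pulled in without approval.
FETCHED = {
    "libalpha": GOOD_ALPHA,
    "libbeta": GOOD_BETA + b"# one appended line\n",
    "libextra": b"constructed contents of an unlisted dependency\n",
}


def demo_report() -> dict:
    """Run the check over the constructed inputs."""
    return verify_dependencies(MANIFEST, FETCHED)


if __name__ == "__main__":
    report = demo_report()
    for status, names in report.items():
        print(f"{status:10s} {', '.join(names) or '-'}")
    print("build is clean:", build_is_clean(report))
```

In a real pipeline the manifest would be committed next to the build scripts and the digests refreshed only when a dependency is intentionally bumped, so that a diff to the manifest is itself reviewable; keeping the list short, as the reply describes, is what makes that review tractable.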