Network Policies Towards Software Supply Chain Compromise

Hi network operators,

As RPKI validation continues to become increasingly broadly deployed (yay!), I wanted to highlight and ask what deployment policies are towards dependency validation and pinning of RPKI validation software. For example, routinator's dependency graph is somewhat large, and includes at least one or two single-maintainer projects[1] which could inject arbitrary results into the RPKI-based filters.

Certainly routinator is not the only project to fall prey to modern development practices which tend to have an exponentially expanding TCB, which makes it a concern that has landed in the laps of sysadmins instead of developers.

I assume the large players are considering these issues and taking them into account when deploying, e.g. by writing tools to compare the feeds of multiple RPKI validators and rejecting any differences. Am I correct in that assumption, and are there any open-source projects to do so that smaller operators should be looking at using as well?


[1] e.g. GitHub - vorner/log-reroute ("Utility to allow changing the destination of the Rust log crate at runtime, as many times as needed") could edit your RPKI feed if vorner wanted to.
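The cross-validator comparison the post asks about, as an added example written for this page (it is not code from Routinator, from any other validator project, or from the original poster). It assumes each validator exports its VRPs as CSV with the columns ASN,IP Prefix,Max Length,Trust Anchor (the layout Routinator's `vrps` command prints by default; treat that as an assumption and adapt the parser for other validators), normalizes the entries so cosmetic differences between validators are not reported as disagreements, and then accepts only the VRPs that a quorum of validators agree on. The sample exports are constructed, not real RPKI data.

```python
"""Cross-check VRP exports from several RPKI validators and keep only the
entries they agree on.

Added example, not part of the original post or of any validator project.
Assumed input: one CSV export per validator with the columns
ASN,IP Prefix,Max Length,Trust Anchor (assumption: Routinator's default
`vrps` layout; adjust parse_vrps() for other validators)."""
import csv
import io
import ipaddress
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class VRP(NamedTuple):
    asn: int
    prefix: str   # canonical network string, e.g. "192.0.2.0/24"
    maxlen: int


def parse_vrps(text: str) -> Set[VRP]:
    """Parse one validator's CSV export into a set of normalized VRPs.

    Normalization matters: validators differ in "AS64496" vs "64496",
    an empty max length (meaning "same as the prefix length") and prefix
    formatting, and a naive line-by-line diff would flag all of those as
    disagreements and drown the one difference that matters."""
    out: Set[VRP] = set()
    for row in csv.DictReader(io.StringIO(text)):
        asn_text = row["ASN"].strip().upper()
        if asn_text.startswith("AS"):
            asn_text = asn_text[2:]
        asn = int(asn_text)
        # strict=True rejects prefixes with host bits set; a validator that
        # emits those is broken, and silently masking it is not what we want.
        net = ipaddress.ip_network(row["IP Prefix"].strip(), strict=True)
        raw_maxlen = (row.get("Max Length") or "").strip()
        maxlen = int(raw_maxlen) if raw_maxlen else net.prefixlen
        if not (net.prefixlen <= maxlen <= net.max_prefixlen):
            raise ValueError(f"bad maxLength {maxlen} for {net}")
        out.add(VRP(asn, str(net), maxlen))
    return out


def cross_check(exports: Dict[str, Set[VRP]],
                quorum: Optional[int] = None) -> Tuple[Set[VRP], Dict[str, List[VRP]]]:
    """Return (accepted, disputed).

    A VRP is accepted only if at least `quorum` validators emit it
    (default: all of them). Everything else is reported per validator so the
    operator can investigate which one diverged. Requiring full agreement is
    the conservative choice: a VRP that a single compromised validator
    injects never reaches the router filter, at the cost that a VRP a single
    validator drops is lost as well (which fails towards "unknown", not
    towards "invalid")."""
    if quorum is None:
        quorum = len(exports)
    votes = Counter(v for vrps in exports.values() for v in vrps)
    accepted = {v for v, n in votes.items() if n >= quorum}
    disputed = {name: sorted(vrps - accepted) for name, vrps in exports.items()}
    return accepted, disputed


# Constructed sample exports (not real RPKI data). Validator B writes the
# ASN and max length differently from A (harmless) and emits one extra VRP
# that A does not have, the kind of entry a tampered dependency could inject.
EXPORT_A = """ASN,IP Prefix,Max Length,Trust Anchor
AS64496,192.0.2.0/24,24,ripe
AS64497,2001:db8::/32,48,arin
"""
EXPORT_B = """ASN,IP Prefix,Max Length,Trust Anchor
64496,192.0.2.0/24,,ripe
AS64497,2001:db8::/32,48,arin
AS64511,198.51.100.0/24,24,ripe
"""


def demo() -> Tuple[Set[VRP], Dict[str, List[VRP]]]:
    """Run the comparison over the two constructed exports."""
    exports = {"A": parse_vrps(EXPORT_A), "B": parse_vrps(EXPORT_B)}
    return cross_check(exports)


if __name__ == "__main__":
    accepted, disputed = demo()
    for v in sorted(accepted):
        print("ACCEPT ", v)
    for name, vrps in disputed.items():
        for v in vrps:
            print("DISPUTE", name, v)
```

In the constructed run the two cosmetic differences collapse to the same VRP and are accepted, while the extra `AS64511 198.51.100.0/24` entry from validator B is reported as disputed instead of being fed to the routers. Feeding the accepted set to the router (rather than either validator's raw export) is what turns the comparison from a monitoring alert into an actual policy; with more than two validators, `quorum` lets an operator tolerate one validator lagging behind without losing the protection against a single injected entry.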