惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The Last Watchdog
The Last Watchdog
C
Cyber Attacks, Cyber Crime and Cyber Security
L
LINUX DO - 热门话题
G
GRAHAM CLULEY
S
Schneier on Security
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
S
SegmentFault 最新的问题
IT之家
IT之家
阮一峰的网络日志
阮一峰的网络日志
Recorded Future
Recorded Future
I
Intezer
云风的 BLOG
云风的 BLOG
博客园 - Franky
月光博客
月光博客
大猫的无限游戏
大猫的无限游戏
T
Tenable Blog
The Hacker News
The Hacker News
T
The Blog of Author Tim Ferriss
Attack and Defense Labs
Attack and Defense Labs
D
DataBreaches.Net
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
N
News and Events Feed by Topic
有赞技术团队
有赞技术团队
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
N
News and Events Feed by Topic
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
S
Secure Thoughts
The Register - Security
The Register - Security
B
Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
The Cloudflare Blog
Webroot Blog
Webroot Blog
W
WeLiveSecurity
H
Heimdal Security Blog
博客园 - 三生石上(FineUI控件)
V
Vulnerabilities – Threatpost
G
Google Developers Blog
O
OpenAI News
V
V2EX
罗磊的独立博客
博客园_首页
N
News | PayPal Newsroom
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
TaoSecurity Blog
TaoSecurity Blog
Cloudbric
Cloudbric
H
Hacker News: Front Page
博客园 - 叶小钗
T
Tor Project blog
AI
AI

VMware Blogs

Diagnostics for VMware Cloud Foundation (VCF) 9.1 with Old Versions of VCF Components Mastering Infrastructure Policies in VMware Cloud Foundation Automation 9.1 Modernizing the Private Cloud: Why VCF 9.1 Lifecycle Management is a Game Changer Announcing the VMware Cloud Foundation 9.1 Upgrade Planning Tool VCF Breakroom Chats Episode 86 – Containers Made Easy: The New “Container-as-a-Service” in VCF 9.1 Securing Your VCF 9.1 Infrastructure with the Symantec Identity Security Platform Virtually Speaking: The AI Reality Check with Dave Linthicum Zero Touch Provisioning: Activating Edge Sites with VMware Cloud Foundation Edge 9.1 VCF Breakroom Chats Episode 85 – Cloning Success at Scale: Inside VCF 9.1’s App Stack Formation VMware Cloud on AWS の使用状況を確認できる API Unlocking the Full Potential of Programmable Infrastructure with VMware Cloud Foundation 9.1 – New Features and Capabilities Smarter Patching at Scale: Vulnerability Assessment and Remediation with VMware Tanzu Platform Encrypted vMotion Offload to Intel QAT in VMware Cloud Foundation 9.1 Deepen Your Expertise: Four Key Benefits of Attending Increase Deployment Flexibility with VCF Edge Automation 1.0.3 Avi Advantage: Automating Certificate Management of VCF Workloads More Memory, Less Effort: Configuring Memory Tiering in VCF 9.1 VCF 9.1 Licensing: Programmatic, Centralized, and Built to Scale Why APJ Networking Professionals Need Private Cloud Expertise VCF 9.1 Networking: Simpler VPC Connectivity Control VCF 9.1 Networking: Exploring Network Services for Virtual Private Clouds VCF Networking 9.1: Seamless DDI Integration with Infoblox Expand Shared VMDKs with Clustered Applications in VMware vSAN for VCF 9.1 Monetizing Zero-Trust Security with VCF 9.1 and VMware vDefend VMware vSAN Protection and Recovery Enhancements for VCF 9.1 Deliver Production SQL Server DBaaS with VMware Data Services Manager 9.1 Maximizing Profitability: VCF 9.1 Cost-Focused Approach for VMware Cloud Service Providers Modernizing Your Infrastructure: Introducing VMware Cloud Foundation 9.1 to VCSPs VCF 9.1 is Available: Explore the New Features in Hands-on Labs What’s New with vSphere in VMware Cloud Foundation 9.1? Resizing VMware vCenter in VMware Cloud Foundation 9 Non-Disruptive VMware vCenter Patching in VMware Cloud Foundation 9.1 VMware vCenter Virtual Hardware Gets an Upgrade in vSphere with VCF 9.1 AI Has Changed the Threat Landscape. Is Your Infrastructure Ready? Simplifying Storage with the New Effective Capacity View in VMware vSAN for VCF 9.1 Auto-RAID in VMware vSAN for VCF 9.1 – Comprehensive System-Managed Data Resilience Introducing VMmark 4.1: Enhanced Power Efficiency Benchmarking for Private Cloud Infrastructure Advanced Memory Tiering Enhancements in VMware Cloud Foundation 9.1 VCF 9.1 Is Here. See It in Action. 博通發布 VMware Cloud Foundation 9.1 How Broadcom Is Helping Enterprises Win the AI Security Sprint How to Prepare for the World of AI Driven Exploits Avi Innovations for VCF 9.1: Powering Kubernetes, Agentic AI and VPC Workloads VCF 9.1: The Secure, Cost-Effective Private Cloud Platform for Production AI Announcing VCF 9.1: Modern Private Cloud Built for Efficiency and Resilience Announcing VMware Cloud Foundation Edge 9.1: A Scalable, Autonomous Edge Platform Accelerate, Streamline, and Control Your Self-Service Private Cloud with VMware Cloud Foundation 9.1 Deploy Modern Apps Faster, Scale Smarter, and Lower Your TCO with VMware vSphere Kubernetes Service in VCF 9.1 Scale Smarter, Save More: Redefining Infrastructure Economics with VMware vSphere in VCF 9.1 AI with VCF 9.1 on AMD GPUs: Build with open frameworks and simplify management, at a lower TCO Streamline, Simplify and Protect all your AI workloads with VCF 9.1 Simplify Workload Connectivity and Enhance Network Scale and Performance with VCF 9.1 VMware and CrowdStrike Deliver New Integration for Cyber Recovery Workflows How Many Users Can Your LLM Server Really Handle? From Infrastructure to Agents: A Hands-On Guide to Secure Private AI with Broadcom – Part 2 The New Frontier: Leading the Cloud-Native Evolution Replicating VMware vSphere Configuration Profile Desired State Webinar Recap: Design and Architecture Considerations for VMware vSphere Kubernetes Service on VMware Cloud Foundation Kubernetes 1.36: What Actually Changed for Enterprise Platforms Enhance Lateral Security and Ingress Load Balancing for Kubernetes Workloads Avi Load Balancer Analytics: Root Cause Application Performance Issues in Minutes Analyst Insight Series #3: Policy-Driven Governance and Multi-Tenant Control Post-Quantum Readiness on VMware Cloud Foundation Registration Is Live for Las Vegas | $ave with Early-Bird May 21, 2026: What’s New in VMware Tanzu Data Intelligence 10.4 From Infrastructure to Agents: A Hands-On Guide to Secure Private AI with Broadcom – Part 1 Stop Guessing: Advanced Monitoring and Troubleshooting for Data Services CPU, Disk, Network, and Memory Workload Profiles for DVD Store Database Testing How VMware Salt Automates Compliance Across Private Cloud Analyst Insight Series #2: Operational Scalability and Lifecycle Management MCP vs. APIs: Why You Need Both for AI Applications The Real Constraint on Enterprise AI isn’t GPUs; It’s Power Deploying Harbor Service in Air-Gapped VMware Cloud Foundation 9.0 Why Enhanced DirectPath Wins for High-Performance Apps Bridging the (.Local) Gap: A Split-Domain Design for VMware Cloud Foundation Deployment Observability on VMware vSphere Kubernetes Service VMware Cloud on AWS: Introducing the Usage Report APIs Converging VMware vSphere to VMware Cloud Foundation 9.0: The Top 10 Questions Answered May 6, 2026: What’s New in Tanzu Platform 10.4: Powering Agentic Apps at Scale VMware Tanzu RabbitMQ Powers the Modern Data Lakehouse with New Spark Integration and Enterprise Tooling Tanzu Data Intelligence 10.4 Delivers AI-Driven Analytics, Unified Real-Time Operations, and Sovereign Resilience Enterprise-Ready Agents Made Simple & Safe with VMware Tanzu Platform Agent Foundations Introducing Tanzu Platform 10.4: Extending Platform as a Service to Agentic Applications How AI-Assisted Analytics in Tanzu Data Intelligence Can Help Remove the SQL Bottleneck From Prototype to Production: Securing Database MCP at Enterprise Scale The Compelling Case for a Private Cloud Data Intelligence Platform The Unification Dividend: Consolidating Database Operations on VMware Cloud Foundation The Modern Spring Workflow Is Enterprise-Ready and AI-Boosted [TAM Blog] セキュアブート証明書の有効期限切れに関する注意点と対応について Accelerate Lateral Security and Ingress Load Balancing for Kubernetes Workloads From Platform to Data: Building a Cloud-Native Developer Experience On-Prem with VMware Cloud Foundation How VMware Cloud Foundation (VCF) Training Helps Keep Top Tech Talent in APJ Build Your Case for Attending VMware Explore 2026 Spring 開発元が提供する商用サポート「VMware Tanzu® Spring Essentials」とは VMware Cloud on AWS より i7i.metal-24xl インスタンスの提供開始 VMware Advanced Memory Tiering Tips for Success VMware Cloud Foundation Edge 9.0: Two-Host Edge Site Deployment with Brownfield Import Your Database Is About to Become an AI Tool. Is It Ready? Applying GitOps Principles to Maintain Desired State Configuration using VMware vSphere Configuration Profile – Part 3 Webinar Recap: Converging VMware vSphere to VMware Cloud Foundation 9.0
The Open Source Advantage: Building from Source for Ultimate Security
william jime · 2026-05-16 · via VMware Blogs

The convenience of modern software distribution—relying on upstream projects to provide pre-built, easy-to-install packages—is undeniable. It is hard to dispute using public repositories of pre-built software like Docker Hub is great for getting up and running quickly.

However, recent security incidents, such as the unauthorized access to the build infrastructure of the popular security scanner Trivy, serve as a stark reminder of a fundamental vulnerability: when you use a pre-built binary, you are trusting not just the source code, but also the integrity of the entire supply chain that produced it.

This became apparent when over 1,000 SaaS environments were impacted by the malicious code hackers injected into builds of Trivy according Mandiant Consulting. While Trivy’s maintainers acted swiftly, and critically, determined that their source code was unaffected, the incident highlights a crucial consideration: where your software is built really matters. However there is a bright spot at the end of this story, because some users of Trivy were protected because of how they downloaded that open source project as you’ll read below.

The Risk in Pre-Built Trust

When you install a package, you are placing immense trust in the upstream provider’s security practices, including:

  1. Build Infrastructure Security: Was the server or environment used to compile the binary secure and uncompromised? This is where the Trivy incident occurred—a vulnerability in the infrastructure, not the code itself.
  2. Signing Key Security: Was the key used to sign the package protected? A compromised key allows an attacker to distribute malicious binaries disguised as legitimate updates.
  3. Distribution Channel Integrity: Is the repository or CDN from which you downloaded the binary secure against man-in-the-middle attacks or unauthorized uploads?

In a scenario like the Trivy infrastructure hack, an attacker could have potentially injected malicious code into the final binary during the compilation process, even if the public source code repository remained pristine and uncompromised. The checksums of the published binary would be valid, but the binary itself would still be a vehicle for the exploit.

Why Building from Source is Your Best Defense

Building software from the public, auditable source code offers an unparalleled layer of supply chain security:

1. Direct Code-to-Binary Verification

When you clone the repository and run the build command, you are compiling the exact code that has been publicly reviewed, discussed, and committed by the project’s developers.

  • You control the environment:  You are compiling the code on a machine and environment that you control and trust. This allows you to ensure the environment follows security best practices like SLSA-3, which provide added safeguards against attacks. This bypasses the risk of a third-party build server being compromised.
  • Source Integrity is the Single Point of Trust: Instead of trusting the source code and the maintainer’s infrastructure, you only need to verify that the source code matches the publicly available, known-good repository (often verified via Git commit hashes).
  • Source code changes are often reviewed by humans. Builds are not: A pull request has the added benefit of human oversight which could catch a malicious change before it’s introduced. Contrast that to a build system, which typically is fully automated, ideal for an attacker to inject a change that goes undetected.

2. Auditing and Reproducibility

For critical security tools or fundamental infrastructure components, building from source is a prerequisite for security auditing.

  • Reproducible Builds: The ideal for open source is reproducible builds, where anyone running the same source code through the same build process yields an identical binary. While not all projects achieve this perfectly, striving for it allows for independent verification that the published binaries match the source code. When you build it yourself, you establish your own baseline of trust.

3. Isolation from Upstream Infrastructure Vulnerabilities

Building from source completely insulates you from build infrastructure compromises. If an attacker gains access to the upstream project’s CI/CD pipeline or build server, they can modify the published packages. If the source code remains secure, your self-built binary, compiled from that secure source, will also be clean. Using public build services like Github Actions can be convenient, but unfortunately these services are highly visible targets.

How to make Building from Source Scalable

It must be acknowledged that building from source isn’t always practical. It requires time, appropriate build dependencies, and computational resources. For complex applications, the sheer difficulty can be a barrier. However a solution Bitnami Secure Images means organizations don’t have to choose between security best practices and keeping their workload in-balance

Broadcom manages a state-of-the-art build infrastructure that adheres to Supply-chain Levels for Software Artifacts Standard Level 3. This means the build environment is completely on private, fully controlled infrastructure instead of easy-to-target public infrastructure such as Github where a lot of OSS is built today. Additionally it’s monitored by a team of experts who have been working with open source for decades. 

For example, when the Trivy incident happened, Bitnami Secure Images customers were immune from the attack. And they didn’t have to do anything other than continue to pull containers from BSI’s private, secure registry of trusted content. All the while benefiting from the near-zero CVEs, FIPS and STIG support and world-class Helm charts.

The Trivy incident is a valuable lesson: The security of an open source project is not just about the code; it’s about the entire process from commit to package. By choosing to build from the source code, you are effectively cutting out one of the most volatile and hardest-to-audit segments of the software supply chain: the upstream build infrastructure. In the world of security, controlling your own destiny is the ultimate defense. The Open Source Advantage: Building from Source for Ultimate Security is made accessible and affordable for everyone with Bitnami Secure Images.