2Ara
Supply chain risks for OS packages
The risks of supply chain attacks on software libraries are well documented; however, I have not seen much on OS packages/dependencies. How important is it to both 1) pin OS dependencies (apt, rpm, etc.) and 2) host them in private repositories?
The same logic would seem to apply as for software libraries, but again, most of the supply chain discussion is centered on those and not on OS packages.
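As an added example that is not part of the question or of any answer on this page: a POSIX shell script that treats a list of pinned OS packages as a lockfile, generates the apt preferences that enforce it, emits a sources entry restricted to a private mirror and its own signing key, and checks a host for drift from the pins. The package versions, the mirror URL and the keyring path are constructed for the example; the "installed" list is a stand-in for `dpkg-query` output so the script runs offline.

```shell
#!/bin/sh
# Added example (not code from the original post). Treats a list of
# "name=version" lines as the lockfile for OS packages and (1) turns it into an
# apt preferences file that pins exactly those versions, (2) emits a sources
# entry bound to a private mirror and its key, (3) verifies that what is
# actually installed matches the manifest. The manifest, the "installed" list,
# the repository URL and the keyring path are constructed sample data.

# Pinned manifest: the versions that were reviewed and mirrored into the
# private repository (constructed values).
pinned_manifest() {
  cat <<'EOF'
openssl=3.0.11-1~deb12u2
curl=7.88.1-10+deb12u5
ca-certificates=20230311
EOF
}

# Constructed stand-in for what a host reports. On a real Debian/Ubuntu host
# replace the body with:  dpkg-query -W -f='${Package}=${Version}\n'
installed_packages() {
  cat <<'EOF'
openssl=3.0.11-1~deb12u2
curl=7.88.1-10+deb12u4
libc6=2.36-9+deb12u4
EOF
}

# Emit /etc/apt/preferences.d stanzas. Priority 1001 makes apt install the
# pinned version even when a newer (or older) one is available, so an
# unreviewed update appearing in the mirror cannot silently replace it.
apt_preferences_from_manifest() {
  "$1" | while IFS='=' read -r name version; do
    [ -n "$name" ] || continue
    printf 'Package: %s\nPin: version %s\nPin-Priority: 1001\n\n' "$name" "$version"
  done
}

# Emit a sources.list entry for the private mirror (hypothetical URL and
# keyring path). [signed-by=] means only that keyring can verify this
# repository's Release file, not every key in /etc/apt/trusted.gpg.d.
private_repo_source() {
  printf 'deb [signed-by=/usr/share/keyrings/internal-apt.gpg] https://apt.internal.example/debian bookworm main\n'
}

# check_pins MANIFEST_FN INSTALLED_FN
# Prints one line per deviation and returns 1 if any pinned package is missing
# or installed at a different version. Packages absent from the manifest are
# ignored here; a stricter policy would flag those as well.
check_pins() {
  drift=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    name=${line%%=*}
    want=${line#*=}
    have=$("$2" | awk -F= -v n="$name" '$1 == n { print $2; exit }')
    if [ -z "$have" ]; then
      echo "MISSING $name (pinned $want)"
      drift=1
    elif [ "$have" != "$want" ]; then
      echo "DRIFT $name: installed $have, pinned $want"
      drift=1
    fi
  done <<EOF
$("$1")
EOF
  return $drift
}

# Usage:  sh ospins.sh --check    (non-zero exit status means the host drifted)
if [ "${1:-}" = "--check" ]; then
  apt_preferences_from_manifest pinned_manifest
  private_repo_source
  check_pins pinned_manifest installed_packages
fi
```

With the sample data the check reports curl at the wrong version and ca-certificates missing, and exits non-zero. The two halves of the question are linked in practice: a pin is only enforceable while the pinned version is still downloadable, and distribution archives routinely drop superseded versions from the pool, so pinning without mirroring the pinned packages into a repository you control tends to break the next rebuild rather than protect it.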