Network Policies Towards Software Supply Chain Compromise

[Matt Corallo <nanog () as397444 net>]

Hi network operators,

As RPKI validation continues to become increasingly broadly deployed (yay!), I wanted to highlight 
and ask what deployment policies are towards dependency validation and pinning of RPKI validation 
software. For example, routinator's dependency graph is somewhat large, and includes at least one or 
two single-maintainer projects[1] which could inject arbitrary results into the RPKI-based filters.

Certainly routinator is not the only project to fall prey to modern development practices which tend 
to have an exponentially expanding TCB, which makes it a concern that has landed in the laps of 
sysadmins instead of developers.

I assume the large players are considering these issues and taking them into account when deploying, 
eg by writing tools to compare the feeds of multiple RPKI validators and rejecting any differences, 
am I correct in that assumption, and are there any open source projects to do so that smaller 
operators should be looking at using as well?

Matt

[1] eg https://github.com/vorner/log-reroute could edit your RPKI feed if, vorner wanted to.