Open Source Summit Europe 2025

Ken Thompson's "Reflection on Trusting Trust" warns against blindly relying on others' code, emphasizing the gap between reviewed source and built artifacts. This is critical for developers navigating complex trust models, where source code alone offers limited assurance. Recent supply chain attacks on open source packages, like xz and boltdb-go, expose the real-world practicality of deceiving traditional source reviews, threatening the foundation of open source consumption.

In this talk, we discuss a novel method for analysing and investigating the code that actually gets built using Capslock, an open source CLI tool for analyzing Go packages. By analysing and exposing discrepancies between a package’s advertised and actual permissions, potential attacks (such as the malicious version of boltdb-go) can be thwarted. Integrating this capability information into both free public data sources (e.g. deps.dev) and guided code review systems enables developers to shift left, and feel more confident trusting open source.