TODO: Need mitigation description for "Dependency confusion" threat

[lehors]

The 'Dependency Confusion' threat (link) needs a mitigation section and perhaps examples.

[TomHennen]

@meder would you be interested in sending a PR for this? It's very much inline with the dependency track and your recent blog post.

[michaelwinser]

I would suggest that all builds should pull only from an internal artifact registry and that admission to that registry be explicitly managed and audited. Especially the namespace.

[meder]

I suppose there are two ways to look at the mitigations on the threats page: using existing SLSA tracks vs best practices. I was leaning towards applying the existing SLSA tracks lens, given that I see explicit callouts to SLSA not addressing some threats. I think the idea is to give others a way to understand what SLSA does and doesn't address. Once the dependency track is a thing the page could be updated.

[TomHennen]

I suppose there are two ways to look at the mitigations on the threats page: using existing SLSA tracks vs best practices. I was leaning towards applying the existing SLSA tracks lens, given that I see explicit callouts to SLSA not addressing some threats. I think the idea is to give others a way to understand what SLSA does and doesn't address. Once the dependency track is a thing the page could be updated.

This is what I was thinking. For now just say it's not addressed but link to Meder's recent blog post for ideas. Then update once the dep track is done.

Assigning this to Meder per his request as it's well aligned with the dependency track.