David Chisnall (*Now with 50% more sarcasm!*)@david_chisnall@infosec.exchange
I guess, in light of the liblzma debacle, today is a good time to remind everyone that the #CHERIoT platform was designed from the ground up with supply-chain security in mind. If you want to use some third-party code, you can audit precisely the APIs from other components that it can use, the set of things that can call it, the set of devices it can directly access, the amount of heap memory it can allocate, and more.
For a case study, see our ongoing work on compartmentalising the network stack, where we can fearlessly reuse third-party code and know that we are safe from entire classes of compromise.
If you want to build IoT devices with long, low-maintenance, secure lifetimes, SCI Semiconductor may have the microcontroller that you need to realise your goals.