Investing in Delta Lake Security

March 25, 2026

by R. Tyler Croy

deltalake

security

This week a supply-chain attack was identified in the Python ecosystem. This issue does not affect the Delta Lake project. The attack involved the compromise of some shared workflows used in GitHub Actions, which are not used anywhere in the Delta Lake project, but the incident is a reminder of the importance of a consistent focus on secure defaults.

Buoyant Data is invested in the security of the Delta Lake project and is helping with the following:

  • Working with security experts to define a stricter GitHub Actions policy across the delta-io and delta-incubator organizations.
  • Auditing recent activity across the org and the GitHub Actions used by projects.
  • Setting up a responsible disclosure process to inform project maintainers and allow for swift remediation of any potential issues for the project in the future.

With regard to responsible disclosure, we have set up security@buoyantdata.com, where we can accept security disclosures relating to the Delta Lake project or one of our open source projects like oxbow.


If your organization has questions about auditing your data supply-chain security, we're happy to help. Drop me an email and we'll chat!