pitrou opened a new issue, #44688: URL: https://github.com/apache/arrow/issues/44688
### Describe the enhancement requested

For now this is more of a wishlist/discussion issue, but could grow into a more precise meta-task if we want to move forward.

There have been growing concerns over the years over the fragility of software supply chains, particularly when open source software is concerned. Some standards and practices have been proposed to help prevent such attacks:

* [SLSA](https://slsa.dev/spec/v1.0/) (apparently pronounced "salsa") is, AFAIU, a specification that helps projects evaluate and improve their build and test practices
* Software bills of materials (SBOM) are a type of artifact that precisely describe the provenance of code shipped within a package (related link: announcement of a ["SBOM for Python packages" project](https://discuss.python.org/t/sboms-for-python-packages-project/70261); also: [Accelerating SBOM success with the help of SLSA](https://slsa.dev/blog/2022/05/slsa-sbom))
* [OpenSSF scorecards](https://securityscorecards.dev/) provide a standard vocabulary to evaluate a software project's security practices

Arrow C++ in particular has a non-trivial set of dependencies that are incorporated in the build process in various ways. For example, for Python wheels we use vcpkg on a specific changeset, potentially with home-grown patches. This of course applies to other bindings of Arrow C++ where we may produce binary packages (such as R).

We should evaluate whether any of these could help us improve our intrinsic quality, or would merely amount to additional bureaucracy (related link: [concerns by a prominent member of the Python packaging community](https://discuss.python.org/t/sboms-for-python-packages-project/70261/8)).

Note: if desirable, this could, and should, typically be funded by interested companies.

### Component(s)

C++, Python