
Every pip install is an act of trust. Have you thought about who you’re trusting?

By Catalin Lichi · Sugau Pty Ltd

Open source runs the world. The Kubernetes cluster you operate, the Python packages your models depend on, the base images your containers are built from — almost none of it was written by your team. You inherited it from strangers on the internet, and you ship it to production every day.

That’s not a criticism. It’s a miracle, and it works because of an implicit social contract: the author publishes something, you use it, and neither of you changes the terms without warning. The author doesn’t silently modify what you already pulled. You don’t redistribute it as your own. The contract is unwritten, largely unenforceable — and the entire industry depends on it holding.

Occasionally, it breaks.

A maintainer gets compromised. A package gets abandoned and re-registered by someone else. A Docker image tag gets quietly overwritten — latest today is not latest tomorrow. A well-meaning contributor adds telemetry that phones home. Sometimes it’s malicious. Sometimes it’s just careless. The result is the same: something you trusted unconditionally is now running inside your perimeter, doing things you didn’t agree to.

You don’t have a supply chain problem when you get breached. You had one the moment you docker pulled without pinning the digest.

The mitigation is ownership, not paranoia.

The answer isn’t to stop using open source. It’s to stop treating upstream registries as your runtime dependency. Pull once, verify, mirror locally, and own what you run. In practice this means:

Mirroring isn’t distrust of open source. It’s respect for it — you’re taking the time to verify what you consume rather than outsourcing that judgment to an upstream maintainer you’ve never met.

The social contract of open source is real and worth honouring. Contribute back. Report vulnerabilities. Fund the maintainers you depend on. But “honouring the contract” doesn’t mean “trust blindly at runtime.” Those are different things.

The maintainer held up their end. Make sure you’ve held up yours — by knowing exactly what version of their work is running in your cluster, right now, verified by digest.
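One concrete check for that last point, as an added example that is not from this post: a small Python audit that flags every container image in a Kubernetes manifest that still relies on a mutable tag rather than an @sha256 digest. The manifest, registry host and image names are constructed for the example.

```python
# Added example: audit a Kubernetes manifest for images not pinned by digest.
# A mutable tag ('1.4.2', or the implicit 'latest') can be overwritten
# upstream; an @sha256 digest names exactly one immutable image.
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
IMAGE_LINE_RE = re.compile(r"^\s*-?\s*image:\s*[\"']?([^\s\"']+)", re.MULTILINE)

# Constructed sample manifest; the registry and image names are made up.
SAMPLE_MANIFEST = """
kind: Deployment
spec:
  template:
    spec:
      initContainers:
        - image: busybox
      containers:
        - name: api
          image: registry.example.internal:5000/app/api:1.4.2
        - name: worker
          image: ghcr.io/example/worker@sha256:%s
        - name: cache
          image: "redis:7"
""" % ("b" * 64)


def parse_image_ref(ref: str) -> dict:
    """Split an image reference into name, tag and digest.

    The text after the last ':' is a tag only if that ':' follows the
    last '/', so 'localhost:5000/app' keeps its registry port intact.
    """
    name, _, digest = ref.partition("@")
    if digest and not DIGEST_RE.fullmatch(digest):
        raise ValueError(f"malformed digest in {ref!r}")
    tag = None
    if name.rfind(":") > name.rfind("/"):
        name, tag = name.rsplit(":", 1)
    return {"name": name, "tag": tag, "digest": digest or None}


def audit_manifest(manifest: str) -> list:
    """Return (image, finding) pairs for every image that lacks a digest."""
    findings = []
    for ref in IMAGE_LINE_RE.findall(manifest):
        parsed = parse_image_ref(ref)
        if parsed["digest"] is None:
            tag = parsed["tag"] or "latest"  # no tag means the implicit 'latest'
            findings.append((ref, f"mutable tag '{tag}', not pinned by digest"))
    return findings
```

Run `audit_manifest(SAMPLE_MANIFEST)` and the three unpinned images come back with their effective tag; only the worker, referenced by digest, passes.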

Next: setting up a fully air-gapped software supply chain on bare-metal Kubernetes — private registry, PyPI mirror, digest pinning, and automated vulnerability gating in CI.