SLSA vs. Software Supply Chain Attacks

Past Attacks and How SLSA Helps More than a condiment or dance style, SLSA is a framework for strengthening the security of the software supply chain. SLSA, or supply-chain levels for software artifacts, provides an incremental series of defensive measures that prevents tampering and improves the integrity of a software…

How to Make Package Signing Useful

The Case for Farm-to-Table Package SigningThe benefits and limitations of signing an open source package–using a private key to create a unique digital signature–are a surprisingly contentious topic. One of the maintainers associated with the Python Package Index maintainer has a cogent blog post called “Why Package Signing…