Here at Chainguard, we believe that everyone benefits from better security in open-source software. That’s why we’re so excited that the OpenSSF has just created a new “Securing Software Repositories” working group, which aims to bring maintainers of software repositories and package managers together to share and develop best practices for secure software distribution. So far, the group has seen participants from many language communities, including PHP, Python, Ruby, Java, and Rust.
The group has discussed many possible security enhancements:
- package signing with Sigstore
- using The Update Framework (TUF) to manage package owners
- tamper-evident package repositories with transparency logs
- software bills of materials (SBOMs)
- rolling out multifactor authentication.
The group’s charter tasks it with developing non-binding recommendations about best practices in package security and aligning. To that end, there are in-progress efforts to compile data about practices across various language ecosystems, formalize a threat model to help analyze various risks, and provide a clearinghouse for package repository data that could be used to fight typosquatting attacks and for other research.
Chainguard is proud to be an OpenSSF member because of initiatives like this working group. We encourage you to learn more about the Securing Software Repositories working group at the OpenSSF blog! The meetings are publicly listed on the OSSF calendar, and the members hang out in the #securing_software_repos channel on the OpenSSF Slack.