In 2022, the OpenSSF Securing Software Repositories Working Group embarked on an effort to survey the current security landscape of package manager ecosystems.
This effort provides a survey and landscape of the different security mechanisms and features implemented across the ecosystems as they pertain to security-critical user journeys. The goal of this exercise is to understand overall security priorities, and to cross-pollinate ideas, threat models and designs across the ecosystems.
The survey covers the following topics:
- Integrity
- Typos and dependency confusion
- Handling compromise and malice
- Protecting the ecosystem
- Authentication and credential management
- Policy
- SBOMs
- Identifying and producing good dependencies
As of 31st December 2022, the working group looked at the results and created a summary of the findings and recommendations.
This web form contains the survey questions.
For more information, detailed survey responses (with sanitized PII) are recorded in this CSV.