Produce whitepaper of recommendations for securing package repositories #16
Comments
Also to add, Threats, Risks, and Mitigations in the Open Source Ecosystem has a bunch of information on threats, many of which apply to ecosystems.
I suggest starting with a list of attacks (or threats) that you (might) want to counter, then show controls against them. Ideally with examples. A starting point: "Taxonomy of Attacks on Open-Source Software Supply Chains" S2C2F has a nice list of attacks & then mappings to countermeasures. https://github.com/ossf/s2c2f For example:
Hopefully that gets the idea across :-).
The simplest threat model: just assume an entire software repo can be (temporarily) taken over. The rest are details.
Absolutely, I agree that should be in the set.
I don't agree. There are many attacks that do not involve taking over a whole repo, and they need to be addressed as well. Let's collect all the ones that matter.
My point is that they follow from the general assumption of a compromised repo. |
Sure! I just wanted to make sure that we also covered other cases where the whole repo wasn't compromised, but there was instead some other kind of problem. |
We've started organizing this content on Package Manager Security Roadmap |
This working group has produced a ton of useful information about how best to build a secure package repository, along with data on what repositories are currently doing. Can we crystallize this into an easy-to-digest guide to package repository security for package repository admins/maintainers? Topics would include (by no means complete):
(There could also be a good research paper "Systematization of Knowledge" here—CC @joshuagl).
CC @woodruffw
Misc references