-
Notifications
You must be signed in to change notification settings - Fork 19
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Produce whitepaper of recommendations for securing package repositories #16
Comments
Also to add, Threats, Risks, and Mitigations in the Open Source Ecosystem has a bunch of information on threats, many of which apply to ecosystems. |
I suggest starting with a list of attacks (or threats) that you (might) want to counter, then show controls against them. Ideally with examples. A starting point: "Taxonomy of Attacks on Open-Source Software Supply Chains" S2C2F has a nice list of attacks & then mappings to countermeasures. https://github.com/ossf/s2c2f For example:
Hopefully that gets the idea across :-). |
The simplest threat model: just assume an entire software repo can be (temporarily) taken over. The rest are details. |
Absolutely, I agree that should be in the set.
I don't agree. There are many attacks that do not involve taking over a whole repo, and they need to be addressed as well. Let's collect all the ones that matter. |
My point is that they follow from the general assumption of a compromised repo. |
Sure! I just wanted to make sure that we also covered other cases where the whole repo wasn't compromised, but there was instead some other kind of problem. |
We've started organizing this content on Package Manager Security Roadmap |
This working group has produced a ton of useful information about how best to build a secure package repository, along with data on what repositories are currently doing. Can we crystallize this into an easy-to-digest guide to package repository security for package repository admins/maintainers? Topics would include (by no means complete):
(There could also be a good research paper "Systematization of Knowledge" here—CC @joshuagl).
CC @woodruffw
Misc references
The text was updated successfully, but these errors were encountered: