Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Produce whitepaper of recommendations for securing package repositories #16

Open
znewman01 opened this issue Jun 20, 2023 · 8 comments
Open

Comments

@znewman01
Copy link

This working group has produced a ton of useful information about how best to build a secure package repository, along with data on what repositories are currently doing. Can we crystallize this into an easy-to-digest guide to package repository security for package repository admins/maintainers? Topics would include (by no means complete):

(There could also be a good research paper "Systematization of Knowledge" here—CC @joshuagl).

CC @woodruffw

Misc references

@scovetta
Copy link

scovetta commented Jun 22, 2023

Also to add, Threats, Risks, and Mitigations in the Open Source Ecosystem has a bunch of information on threats, many of which apply to ecosystems.

@david-a-wheeler
Copy link

I suggest starting with a list of attacks (or threats) that you (might) want to counter, then show controls against them. Ideally with examples.

A starting point: "Taxonomy of Attacks on Open-Source Software Supply Chains"
https://arxiv.org/abs/2204.04008

S2C2F has a nice list of attacks & then mappings to countermeasures. https://github.com/ossf/s2c2f

For example:

  • Package could be deleted from repo by maintainer, leading to build failures worldwide. Example: left-pad.
    • Control: Forbid deletion from repo after XYZ days unless legally required; keep multiple copies.
  • Might serve malicious code (intentionally created)
    • Control: Use scanners to detect potentially malicious code, block deployment
  • Package maintainer's account subverted, enabling attack to upload subverted package
    • Control: Require MFA for maintainers.

Hopefully that gets the idea across :-).

@trishankatdatadog
Copy link
Contributor

The simplest threat model: just assume an entire software repo can be (temporarily) taken over. The rest are details.

@david-a-wheeler
Copy link

The simplest threat model: just assume an entire software repo can be (temporarily) taken over.

Absolutely, I agree that should be in the set.

The rest are details.

I don't agree. There are many attacks that do not involve taking over a whole repo, and they need to be addressed as well. Let's collect all the ones that matter.

@trishankatdatadog
Copy link
Contributor

I don't agree. There are many attacks that do not involve taking over a whole repo, and they need to be addressed as well. Let's collect all the ones that matter.

My point is that they follow from the general assumption of a compromised repo.

@david-a-wheeler
Copy link

My point is that they follow from the general assumption of a compromised repo.

Sure! I just wanted to make sure that we also covered other cases where the whole repo wasn't compromised, but there was instead some other kind of problem.

@steiza
Copy link
Member

steiza commented Oct 5, 2023

We've started organizing this content on Package Manager Security Roadmap

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants