OWASP / packman

A documentation and tracking project with the goal of making package management systems more secure.

Integrity of packages #6

Closed evilpacket closed 5 years ago

evilpacket commented 5 years ago

I think we should have a top level category around integrity verification that is separate from package signing.

For example, npm supports subresource integrity with SHA-512 hashes for newly published packages and has the ability to increase the strength of that hash in the future.

I propose something like this.

Integrity verification

Package manager provides a method for verifying the integrity of the downloaded package.

* we would want to define this.

Happy to PR this but figured discussion was desired first.

mkonda commented 5 years ago

Adding this. We can then discuss and iterate on it in the same place.