bnonni / drpm.tools
Decentralized Registry Package Manager (DRPM)
https://drpm.tools/
Apache License 2.0
Package Security and Integrity #4 (Open)
bnonni opened this issue 1 month ago
Make it possible for devs to have confidence in the packages they are installing.

Use DIDs for signing packages.

dpm.software website can show reputation and trust metrics such as:
- who published it
- number of installs
- signatures on each package published
- verification of that signature (✅)
- instructions for self-verifying the signature against downloaded code
- integrity hash that version is locked to
- display publisher DID and DID doc containing DWN URL
- link to the GitHub repo to see commit history, stars, tests, etc.

Features to ensure confidence:
- signature verification on package updates at time of install / resolution
- ability to check signatures on package record contents via CLI tool (`dpm verify did:dht:web5/api/0.1.0 <signature>`)
- protocol rules to disable the ability to republish to the same version number
- way to check integrity of the protocol installed to user DWN