entropic-dev / entropic

🦝 :package: a package registry for anything, but mostly javascript 🦝 🦝 🦝
https://discourse.entropic.dev/
Apache License 2.0
5.29k stars 152 forks source link

Building a compromise-resilient registry with TUF and in-toto #321

Open trishankatdatadog opened 5 years ago

trishankatdatadog commented 5 years ago

Is this a feature request or a bug?

Feature request

Expected behavior:

In order to better distinguish itself from npm, and add more value, Entropic should use The Update Framework (TUF) to secure the package registry in a compromise-resilient manner: i.e. a compromise of the registry does not result in the instant compromise of all packages. A high-level overview of TUF is available in this podcast with @andrew.

To ease adoption, Entropic may start with the minimum security model, where the registry signs for all packages using online keys, or signing keys that are accessible on-demand by the registry. This model protects users from man-in-the-middle (MitM) attacks, but not a compromise of the registry itself.

To achieve compromise-resilience, Entropic should support the maximum security model, where a subset of packages are signed using offline keys, or signing keys kept off the repository, by their respective developers. This model protects users of these packages from a compromise of the registry itself.

To provide even stronger security guarantees in the maximum security model, Entropic may allow developers to use in-toto to provide end-to-end integrity of packages. in-toto ensures that packages were not tampered with from the moment developers checked in source code to a VCS system to the moment packages were built and uploaded to the registry.

The Datadog Agent integrations are an example of a real-world deployment using both TUF and in-toto to achieve compromise-resilience.

More technical information about how TUF and in-toto can be combined is available in ITE-2 and ITE-3.

Actual behavior:

I haven't looked deeply into it, so I don't want to misrepresent, but Entropic probably uses TLS to secure packages in transit, but not at rest. Please correct me if I am wrong.

Steps to replicate:

N/A

Environment info (where relevant)

N/A

Cc @jlegrone @SantiagoTorres @JustinCappos