In order to better distinguish itself from npm, and add more value, Entropic should use The Update Framework (TUF) to secure the package registry in a compromise-resilient manner: i.e. a compromise of the registry does not result in the instant compromise of all packages. A high-level overview of TUF is available in this podcast with @andrew.
To ease adoption, Entropic may start with the minimum security model, where the registry signs for all packages using online keys, or signing keys that are accessible on-demand by the registry. This model protects users from man-in-the-middle (MitM) attacks, but not a compromise of the registry itself.
To achieve compromise-resilience, Entropic should support the maximum security model, where a subset of packages are signed using offline keys, or signing keys kept off the repository, by their respective developers. This model protects users of these packages from a compromise of the registry itself.
To provide even stronger security guarantees in the maximum security model, Entropic may allow developers to use in-toto to provide end-to-end integrity of packages. in-toto ensures that packages were not tampered with from the moment developers checked in source code to a VCS system to the moment packages were built and uploaded to the registry.
The Datadog Agent integrations are an example of a real-world deployment using both TUF and in-toto to achieve compromise-resilience.
More technical information about how TUF and in-toto can be combined is available in ITE-2 and ITE-3.
Actual behavior:
I haven't looked deeply into it, so I don't want to misrepresent, but Entropic probably uses TLS to secure packages in transit, but not at rest. Please correct me if I am wrong.
Is this a feature request or a bug?
Feature request
Expected behavior:
In order to better distinguish itself from npm, and add more value, Entropic should use The Update Framework (TUF) to secure the package registry in a compromise-resilient manner: i.e. a compromise of the registry does not result in the instant compromise of all packages. A high-level overview of TUF is available in this podcast with @andrew.
To ease adoption, Entropic may start with the minimum security model, where the registry signs for all packages using online keys, or signing keys that are accessible on-demand by the registry. This model protects users from man-in-the-middle (MitM) attacks, but not a compromise of the registry itself.
To achieve compromise-resilience, Entropic should support the maximum security model, where a subset of packages are signed using offline keys, or signing keys kept off the repository, by their respective developers. This model protects users of these packages from a compromise of the registry itself.
To provide even stronger security guarantees in the maximum security model, Entropic may allow developers to use in-toto to provide end-to-end integrity of packages. in-toto ensures that packages were not tampered with from the moment developers checked in source code to a VCS system to the moment packages were built and uploaded to the registry.
The Datadog Agent integrations are an example of a real-world deployment using both TUF and in-toto to achieve compromise-resilience.
More technical information about how TUF and in-toto can be combined is available in ITE-2 and ITE-3.
Actual behavior:
I haven't looked deeply into it, so I don't want to misrepresent, but Entropic probably uses TLS to secure packages in transit, but not at rest. Please correct me if I am wrong.
Steps to replicate:
N/A
Environment info (where relevant)
N/A
Cc @jlegrone @SantiagoTorres @JustinCappos