One of the higher-impact activities of this working group is writing up learnings from a package repository implementing a capability, to make it easier for other repositories to develop the same capability.
One example of this was the build-provenance guide at https://repos.openssf.org/build-provenance-for-all-package-registries, which resulted in the funding proposal at https://repos.openssf.org/proposals/build-provenance-and-code-signing-for-homebrew.
A relatively new capability is "Trusted Publishing" (see https://docs.pypi.org/trusted-publishers/ and https://guides.rubygems.org/trusted-publishing/) which allows people to publish to a package repository without having to provision and manage a long-lived API key.
We would like a guide exploring the idea of Trusted Publishing, together with lessons learned from implementation, to be added to https://github.com/ossf/wg-securing-software-repos/tree/main/docs.
We're hoping @sethmlarson will lead writing this document, with review assistance and question answering from @segiddins @di and @woodruffw (as well as any other interested parties from the working group).