wg-securing-software-repos

OpenSSF Working Group on Securing Software Repositories

Motivation

This working group is for and focuses on the maintainers of software repositories, software registries, and tools which rely on them, at various levels including system, language, plugin, extensions and container systems. It provides a forum to share experiences and to discuss shared problems, risks and threats.

Objective

• Enable faster cross-pollination of existing ideas across ecosystems (including technical measures, infrastructure approaches, and policies)
• Act as a clearinghouse for new ideas that could benefit multiple ecosystems
• Enable maintainers to better align and coordinate policies and changes between different ecosystems
• Identify & escalate needs for infrastructure and assistance for shared tooling and/or services (to be filled by supportive or sponsoring organizations (such as the OpenSSF))
• Develop methods for sharing data related to software repositories, software registries, and tools which rely on them
• Delegate solving particular problems and goals to subgroups or other workgroups as appropriate

The working group may create:

• Normative, non-binding recommendations on common schemas
• Descriptive documentation of experiences and best practices

Antigoals

• The working group is not a governing body and does not create binding obligations on members
• The working group does not dictate technologies, tools or solutions, though members are free to recommend them to one another

Published work

See also https://repos.openssf.org/

• Trusted Publishers for All Package Repositories - July 2024

  Guidance for package repositories in adopting Trusted Publishers to authenticate publishing from hosted build environments without using long-lived credentials.

• Principles for Package Repository Security - February 2024

  A security maturity model for package repositories, for assessing current capabilities and roadmapping future improvements.

• Build Provenance and Code-signing for Homebrew - July 2023

  A proposal for introducing build provenance and cryptographic signatures to the Homebrew package manager.

• Build Provenance for All Package Registries - July 2023

  Guidance for package registries in adopting build provenance to verifiably link a package back to its source code and build instructions.

• The Package Manager Landscape Survey - December 2022

  A survey/landscape of different security mechanisms and features that are implemented across the different ecosystems as they pertain to security critical user journeys.

Projects

Governance

The CHARTER.md outlines the scope and governance of our group activities, as well as the maintainers of this repository.

This group is co-chaired by Dustin Ingram and Zach Steindler.

Communication

• Meeting Minutes
• Mailing list. Manage your subscriptions to Open SSF mailing lists.
• OpenSSF Slack instance in the #wg_securing_software_repos channel (see here for an invite)

Meeting times

Zoom every other Wednesday, alternating between EMEA (13:00 UTC) and APAC-friendly times (22:00 UTC).

The meeting invite is available on the public OSSF calendar.

Meeting Notes

Meeting notes are maintained in a Google Doc. If attending please add your name, and if a returning attendee, please change the color of your name from gray to black.

Antitrust Policy Notice

Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws.

Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at http://www.linuxfoundation.org/antitrust-policy. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.

Intellectual Property

In accordance with the OpenSSF Charter (PDF), work produced by this group is licensed as follows:

1. Software source code: Apache License, Version 2.0, available at https://www.apache.org/licenses/LICENSE-2.0;
2. Data: Any of the Community Data License Agreements, available at https://www.cdla.io;
3. Specifications: Community Specification License, Version 1.0, available at https://github.com/CommunitySpecification/1.0;
4. All other Documentation: Creative Commons Attribution 4.0 International License, available at https://creativecommons.org/licenses/by/4.0/