OpenSSF Working Group on Securing Software Repositories
This working group is for and focuses on the maintainers of software repositories, software registries, and tools which rely on them, at various levels including system, language, plugin, extensions and container systems. It provides a forum to share experiences and to discuss shared problems, risks and threats.
The working group may create:
See also https://repos.openssf.org/
Guidance for package repositories in adopting Trusted Publishers to authenticate publishing from hosted build environments without using long-lived credentials.
A security maturity model for package repositories, for assessing current capabilities and roadmapping future improvements.
A proposal for introducing build provenance and cryptographic signatures to the Homebrew package manager.
Guidance for package registries in adopting build provenance to verifiably link a package back to its source code and build instructions.
A survey/landscape of different security mechanisms and features that are implemented across the different ecosystems as they pertain to security critical user journeys.
Name | Repository/Home Page | Notes | Status |
---|---|---|---|
Repository Service for TUF | https://github.com/repository-service-tuf/repository-service-tuf | Meeting Notes | Sandbox |
The CHARTER.md outlines the scope and governance of our group activities, as well as the maintainers of this repository.
This group is co-chaired by Dustin Ingram and Zach Steindler.
#wg_securing_software_repos
channel (see here for an invite) Zoom every other Wednesday, alternating between EMEA (13:00 UTC) and APAC-friendly times (22:00 UTC).
The meeting invite is available on the public OSSF calendar.
Meeting notes are maintained in a Google Doc. If attending please add your name, and if a returning attendee, please change the color of your name from gray to black.
Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws.
Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at http://www.linuxfoundation.org/antitrust-policy. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.
In accordance with the OpenSSF Charter (PDF), work produced by this group is licensed as follows: