By Seth Michael Larson
The Open Source Security Foundation (OpenSSF) Securing Software Repositories Working Group (WG) has just released a new guide for maintainers of open source software repositories. The guide details a new security capability named “Trusted Publishers”, which uses the OpenID Connect (OIDC) standard to authenticate with a package repository without long-lived secrets, thus avoiding many of the security and operational challenges that come with such secrets.
The guide details the implementation and design considerations gathered from implementing Trusted Publishers in multiple open source software repositories like the Python Package Index (PyPI) and Rubygems.org.
Trusted Publishers pair well with other security technologies like SLSA build provenance as they are built on the same underlying technology in OIDC. For some identity providers, Trusted Publishers also allow binding verifiable metadata like the source repository URL to a published artifact to avoid social confusion attacks like “Star-Jacking”.
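To make the repository side of this concrete, here is an added example (not code from the guide, PyPI or RubyGems.org) of how a repository could match the claims of an OIDC token against a registered Trusted Publisher before minting a short-lived upload credential, and derive the source-repository URL from the verified claims rather than from user-supplied metadata. The `TrustedPublisher` schema, the audience value and the token payload are constructed for this example; the claim names follow GitHub Actions OIDC tokens, and signature verification against the issuer's keys is assumed to have happened already.

```python
import time
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class TrustedPublisher:  # one registration for a project (hypothetical schema)
    issuer: str        # OIDC issuer URL the repository trusts
    repository: str    # "owner/repo" allowed to publish
    workflow_ref: str  # workflow file within that repository allowed to publish
@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str
    bound_source: Optional[str] = None  # verified source URL to attach to the artifact
EXPECTED_AUDIENCE = "example-registry"  # constructed audience value for this example

# Constructed registration and constructed (already signature-verified) token payload;
# claim names follow GitHub Actions OIDC tokens, all values are made up.
REGISTERED_PUBLISHER = TrustedPublisher(
    issuer="https://token.actions.githubusercontent.com",
    repository="example-org/example-project",
    workflow_ref=".github/workflows/publish.yml",
)
SAMPLE_CLAIMS = {
    "iss": "https://token.actions.githubusercontent.com",
    "aud": "example-registry",
    "exp": 1_700_000_600,
    "repository": "example-org/example-project",
    "job_workflow_ref": "example-org/example-project/.github/workflows/publish.yml@refs/heads/main",
}

def evaluate_oidc_claims(claims: dict, pub: TrustedPublisher, now: Optional[float] = None) -> Decision:
    """Match claims against a registration. Assumes the JWT signature was already verified
    against the issuer's keys; only on acceptance would a short-lived upload token be minted."""
    now = time.time() if now is None else now
    if claims.get("iss") != pub.issuer:
        return Decision(False, "issuer not trusted")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return Decision(False, "token minted for a different audience")
    if claims.get("exp", 0) <= now:
        return Decision(False, "token expired")
    if claims.get("repository") != pub.repository:
        return Decision(False, "repository claim does not match registration")
    # job_workflow_ref is "owner/repo/path@ref": compare the path so only the registered file passes.
    if claims.get("job_workflow_ref", "").split("@")[0] != f"{pub.repository}/{pub.workflow_ref}":
        return Decision(False, "workflow claim does not match registration")
    # Source URL is derived from the verified claim, never from user-supplied metadata.
    return Decision(True, "accepted", f"https://github.com/{claims['repository']}")
```

Because the bound source URL only ever comes from a claim the identity provider asserted, a project cannot point it at a more popular repository than the one that actually published the artifact.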
In addition to added security benefits, Trusted Publishers are popular with users when they’re available. For example, PyPI added support for Trusted Publishers in April of 2023 and has since seen over 14,000 projects voluntarily adopt Trusted Publishers.
You can find the guide hosted on openssf.org and submit contributions on GitHub. Thanks to everyone in the working group who contributed their expertise and reviews during the writing of this guide.
The OpenSSF Securing Software Repositories Working Group focuses on the maintainers of software repositories, software registries, and tools which rely on them. The working group provides a forum to share experiences and to discuss shared problems, risks, and threats. For more information on the OpenSSF Securing Software Repositories Working Group, see our GitHub Repo.
Seth Larson is the Security Developer-in-Residence at the Python Software Foundation, Python Software Foundation Fellow, maintainer of popular Python open source packages like urllib3 and Requests, and an advocate for open source sustainability and security.
As the Call for Proposals (CFP) for the Secure Open Source Software (SOSS) Fusion Conference wrapped up, we wanted to share some insights about the submissions that highlight how Fusion will be a premier event in open source security. SOSS Fusion brings together the brightest minds in software development and cybersecurity to secure the open source software that we all depend on. With a total of 198 submissions from 143 different organizations (including individual contributors as well as small or medium-sized enterprises), the Program Committee (PC) is currently reviewing proposals to finalize an agenda that promises to be both innovative and engaging.
Nearly 50% of submissions are focused on Software Development and Open Source Software as well as AI and Security. Nearly 20% of the submissions focused on the topic of OSS Consumption and End Users. 30% of the submissions focused on a variety of topics such as Diversity and Community Development, Public Policy, OSPOs and Security, as well as Security Education.
Just over 80% of the talks submitted have never been presented before, indicating that we may be reaching an audience that is not engaged in other conferences. This diversity of content aligns with our goal of fostering fresh ideas and innovative approaches to open source security. Nearly 60% of submissions come from a diversity, equity, and inclusion background and just over 40% of the submissions come from the greater Global community, outside the United States and Canada.
We currently have sponsorship opportunities available for organizations that want to show their support for open source security. Whether you are a large enterprise organization or a startup, sponsoring SOSS Fusion will give your organization the key visibility and recognition aligned to a critical topic that affects everyone: the security of our open source ecosystems. Check out the sponsorship prospectus or get in touch with our team today!
Just before SOSS Fusion, we are excited to offer opportunities for co-located events. These events are smaller gatherings that help create a community to discuss important issues. A limited number of spots are available.
The agenda will be confirmed by the PC on July 29, ensuring a well-rounded and comprehensive program that addresses the most pressing issues in open source security.
The SOSS Fusion Conference will host in-depth technical conversations on innovative and industry-leading ways to secure open source software. This collaborative platform will feature a range of session types, including lightning talks, session presentations, panel discussions, and keynote sessions. Attendees can look forward to gaining insights from thought leaders and participating in discussions on various topics, including:
SOSS Fusion 2024 will take place in Atlanta, Georgia, and promises to be an event filled with knowledge sharing, networking, and collaboration. Don’t miss the opportunity to be part of this groundbreaking event that is set to shape the future of open source software security.
For more information, including registration details, sponsorship opportunities, and travel arrangements, please visit our SOSS Fusion event page.