By Dustin Ingram, Google
This month, we are focusing on the OpenSSF Securing Software Repositories (SSR) Working Group. Learn more about what we’ve been working on and how you can help out!
The SSR WG focuses on the maintainers of software repositories, software registries, and the tools that rely on them. By repositories, we include all platforms where software is developed, including GitHub and other platforms. By registries, we include platforms such as package registries and other ways to distribute software artifacts. We bring together maintainers of these repositories and provide a forum to discuss and tackle shared problems, risks and threats.
Highlights of the Past Few Months
Last year, we conducted a survey of prominent software repositories, and early this year, we published the results and blog. This survey highlights prominent software repositories from different programming languages ecosystems, such as Python, Java, Ruby, Node.js, and more. The goal of the survey was to understand overall security priorities and to cross-pollinate ideas, threat models, and designs across the ecosystems.
Our top priority this year was bringing build provenance to software registries. Build provenance lets you verifiably link a package back to its source code and build process, which allows users to verify that a package contains what it says. Why is this important now? Tooling for generating provenance has gotten to the point where it’s doable – and the npm ecosystem has already done it. We put together an essential guide on how other package registries can adopt build provenance in their ecosystem.
The plan is to work with other ecosystems to bring them the same best practices. For example, we’re currently working with the Homebrew maintainers on a proposal to bring it to the Homebrew ecosystem. We picked Homebrew because it’s an ecosystem with a relatively centralized build platform, making it easier to bring provenance to a large portion of the ecosystem with minimal changes.
New and Upcoming Initiatives
With support from the SSR WG, the Python Package Index (PyPI) recently implemented Trusted Publishing, a more secure way to publish packages without needing to share long-lived passwords or API tokens with external systems. To do this, trusted publishing uses OpenID Connect (OIDC) based credentials to exchange short-lived tokens between a trusted third-party service (such as GitHub Actions) and PyPI. The working group is currently working on making a guide for how other package registries can adopt similar measures.
More generally, with everything we work on, we aim to do the hard work so that we can minimize the amount of upfront effort maintainers have to do to adopt secure practices. For example, utilizing a feature such as trusted publishing or provenance generation should be as easy as changing a line or two a GitHub Action.
If you’re a maintainer or a contributor to a software repository, join and talk to us about your repository, and how we can help! We’re also interested in hearing from users – are you a superuser of npm and have ideas about what should be happening here? This working group would be good for you.
We also have a Slack channel as well as a GitHub repository with more documentation in it. The group meets on Zoom every other Wednesday, alternating between EMEA (13:00 UTC) and APAC-friendly times (22:00 UTC). We’d really love other software repository people to chat and introduce themselves.
About the Author
Dustin Ingram is a software engineer on Google’s Open Source Security Team, where he works on improving the security of open-source software that Google & the rest of the world relies on. He’s also a director of the Python Software Foundation, and maintainer of the Python Package Index.