Skip to main content

OpenSSF Securing Software Repositories Working Group Releases Principles for Package Repository Security

By February 8, 2024Blog
Principles for Package Repository Security

By Jack Cable, Senior Technical Advisor, CISA and Zach Steindler, Principal Engineer, GitHub

Today, the OpenSSF Securing Software Repositories Working Group released v0.1 of Principles for Package Repository Security, a framework for package repositories to assess their current security capabilities and to help roadmap future improvements.

The framework represents a collaboration between the OpenSSF Securing Software Repositories Working Group and the Cybersecurity and Infrastructure Security Agency (CISA). CISA’s Open Source Software Security Roadmap published in September lays out goals to further strengthen the open source ecosystem, with advancing package manager security a key effort.

Compromises of widely used open source dependencies can have widespread consequences. Package repositories are at a critical point in the open source ecosystem to help prevent or mitigate such attacks. Even simple actions like having a documented account recovery policy can lead to robust security improvements. At the same time, capabilities must be balanced with resource constraints of package repositories, many of which are operated by nonprofit organizations.

The framework defines four levels of security maturity of package repositories across four categories of capabilities: authentication, authorization, general capabilities, and command-line interface (CLI) tooling. Package repositories can leverage the framework to self-assess their security maturity and develop a plan to further strengthen their platforms over time.

Through the framework, we hope to accelerate the pace at which package repositories can drive high-impact security improvements within their products. Package repositories typically follow a number of steps to adopt security improvements: determining a security capability to focus on, writing up a proposal for that security capability for community review and approval, at which point the proposal goes on a backlog for implementation unless funding is sought to prioritize implementation.

While all these steps are part of a healthy ecosystem – getting community feedback can help ensure the resulting implementation works well with other parts of the ecosystem – they also require domain expertise from maintainers who are already stretched thin. Through our general framework, which builds on existing work such as Python’s Packaging Fundable Improvements, we hope that package repositories can kickstart or further mature their security improvement roadmap.

At the same time, we encourage package repositories to take advantage of funding opportunities for completed proposals. Over the years, a number of foundations, companies, and governments have supported improvements to open source package repositories. For example, OpenSSF Alpha-Omega has funded work with Rust, Python Software Foundation, and Homebrew, and the Sovereign Tech Fund has funded work with RubyGems and the Python Package Index.

Just like everything the OpenSSF Securing Software Repositories Working Group does, note that this is a voluntary framework, and not a mandate of things package repositories must do. Several package repositories gave us valuable feedback to shape v0.1 of the framework, and we look forward to additional feedback to help us shape future versions.

Security threats change over time, as do the security capabilities that address those threats. Our goal is to help package repositories more quickly deliver the security capabilities that best help strengthen the security of their ecosystems.

For more information on the OpenSSF Securing Software Repositories Working Group, see our GitHub Repo.

Note: CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services referenced or linked to in this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.

About the Authors

Jack CableJack Cable is a Senior Technical Advisor at CISA, where he helps lead the agency’s work on Secure by Design and open source security. Prior to CISA, Jack was a TechCongress fellow in the Senate, where he authored open source security legislation. Jack is a top ranked bug bounty hacker, having identified over 350 vulnerabilities in hundreds of companies.

zach_steindlerZach is a co-chair of the Securing Software Repositories Working Group and a member of the OpenSSF’s Technical Advisory Council. He works at GitHub on securing software development for open source and enterprises. Away from computers he enjoys gardening and welding.