From 89295fca2ae7f2b323b89d5edc7db19eff0c2772 Mon Sep 17 00:00:00 2001 From: Zach Steindler Date: Wed, 29 Jan 2025 10:00:20 -0500 Subject: [PATCH 1/5] Add 2025 Q1 Securing Repos WG update Signed-off-by: Zach Steindler --- TI-reports/2025/2025-Q1-Repos-WG.md | 51 +++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 TI-reports/2025/2025-Q1-Repos-WG.md diff --git a/TI-reports/2025/2025-Q1-Repos-WG.md b/TI-reports/2025/2025-Q1-Repos-WG.md new file mode 100644 index 00000000..53816120 --- /dev/null +++ b/TI-reports/2025/2025-Q1-Repos-WG.md 
@@ -0,0 +1,51 @@ +# 2025 Q1 Securing Software Repositories Working Group + +## Overview + +**Mission**: Improve security of software repositories (npm, PyPI, RubyGems, ...) by providing a forum for discussion, a maturity model for security roadmaps, and guidance for individual security capabilities. + +**Links**: +- [GitHub repository](https://github.com/ossf/wg-securing-software-repos) +- [Slack channel](https://openssf.slack.com/archives/C034CBLMQ9G) +- [WG meeting docs](https://docs.google.com/document/d/18Y8HxntL2RkcgqoFdhdLpj17e4MOSCdskP1IoDiuP1s/edit?usp=sharing) + +## Securing Software Repositories Working Group + +### Purpose + +Improve security of software repositories by providing a forum for discussion, a maturity model for security roadmaps, and guidance for individual security capabilities. + +### Current Status + +- [Posting for technical writer](https://jobs.smartrecruiters.com/LinuxFoundation/744000038830864-openssf-securing-repositories-working-group-technical-writer) to write package yanking guidnace is live +- Letter of support to Python Software Foundation's grant request to US National Science Foundation on detecting, flagging, and quarantining malware +- Meetings continue every other week, with async discussions in the Slack channel + +### Up Next + +- Hire contractor; publish package yanking guidance +- [Funding request: UI/UX support for attestations on software repos](https://github.com/ossf/tac/issues/424) +- Continue supporting landing security capabilities in software repositories + +### Questions/Issues for the TAC + +- None at this time + +## RSTUF Project + +### Purpose + +Provide a service to protect repository index from tampering by distributing them with The Update Framework (TUF) + +### Current Status + +- Continuing to work towards v1.0 release to run alongside RubyGems and PyPI and sign their repository index +- [Funding approved: 2025 cloud development costs](https://github.com/ossf/tac/issues/417) + +### Up Next + +- 
[Security audit with OSTIF](https://github.com/ossf/tac/issues/379) + +### Questions/Issues for the TAC + +- None at this time From 9b7a6c4be5d75f3ac1ee10a6c75253c1ab2aea21 Mon Sep 17 00:00:00 2001 From: Zach Steindler Date: Wed, 29 Jan 2025 10:06:09 -0500 Subject: [PATCH 2/5] Fix typo Signed-off-by: Zach Steindler --- TI-reports/2025/2025-Q1-Repos-WG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TI-reports/2025/2025-Q1-Repos-WG.md b/TI-reports/2025/2025-Q1-Repos-WG.md index 53816120..121e38a2 100644 --- a/TI-reports/2025/2025-Q1-Repos-WG.md +++ b/TI-reports/2025/2025-Q1-Repos-WG.md @@ -17,7 +17,7 @@ Improve security of software repositories by providing a forum for discussion, a ### Current Status -- [Posting for technical writer](https://jobs.smartrecruiters.com/LinuxFoundation/744000038830864-openssf-securing-repositories-working-group-technical-writer) to write package yanking guidnace is live +- [Posting for technical writer](https://jobs.smartrecruiters.com/LinuxFoundation/744000038830864-openssf-securing-repositories-working-group-technical-writer) to write package yanking guidance is live - Letter of support to Python Software Foundation's grant request to US National Science Foundation on detecting, flagging, and quarantining malware - Meetings continue every other week, with async discussions in the Slack channel From ec473caa41c96d64de3a795578a9e00b31c6b392 Mon Sep 17 00:00:00 2001 From: Zach Steindler Date: Wed, 29 Jan 2025 16:00:04 -0500 Subject: [PATCH 3/5] Add Sonatype Central's support for Sigstore Signature Validation Signed-off-by: Zach Steindler --- TI-reports/2025/2025-Q1-Repos-WG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/TI-reports/2025/2025-Q1-Repos-WG.md b/TI-reports/2025/2025-Q1-Repos-WG.md index 121e38a2..655a8069 100644 --- a/TI-reports/2025/2025-Q1-Repos-WG.md +++ b/TI-reports/2025/2025-Q1-Repos-WG.md 
@@ -17,6 +17,7 @@ Improve security of software repositories by providing a forum for discussion, a ### Current Status +- [Central now performs Sigstore Signature Validation](https://central.sonatype.org/news/20250128_sigstore_signature_validation_via_portal/) - [Posting for technical writer](https://jobs.smartrecruiters.com/LinuxFoundation/744000038830864-openssf-securing-repositories-working-group-technical-writer) to write package yanking guidance is live - Letter of support to Python Software Foundation's grant request to US National Science Foundation on detecting, flagging, and quarantining malware - Meetings continue every other week, with async discussions in the Slack channel From c35ba903bde15cfa48ed86b50f52d090596f59ad Mon Sep 17 00:00:00 2001 From: Zach Steindler Date: Tue, 4 Feb 2025 09:03:40 -0500 Subject: [PATCH 4/5] Updates from reviews Signed-off-by: Zach Steindler --- TI-reports/2025/2025-Q1-Repos-WG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/TI-reports/2025/2025-Q1-Repos-WG.md b/TI-reports/2025/2025-Q1-Repos-WG.md index 655a8069..b2f7f800 100644 --- a/TI-reports/2025/2025-Q1-Repos-WG.md +++ b/TI-reports/2025/2025-Q1-Repos-WG.md 
@@ -19,7 +19,7 @@ Improve security of software repositories by providing a forum for discussion, a - [Central now performs Sigstore Signature Validation](https://central.sonatype.org/news/20250128_sigstore_signature_validation_via_portal/) - [Posting for technical writer](https://jobs.smartrecruiters.com/LinuxFoundation/744000038830864-openssf-securing-repositories-working-group-technical-writer) to write package yanking guidance is live -- Letter of support to Python Software Foundation's grant request to US National Science Foundation on detecting, flagging, and quarantining malware +- Submitted letter of support to Python Software Foundation's grant request to US National Science Foundation on detecting, flagging, and quarantining malware - Meetings continue every other week, with async discussions in the Slack channel ### Up Next @@ -45,7 +45,7 @@ Provide a service to protect repository index from tampering by distributing the ### Up Next -- [Security audit with OSTIF](https://github.com/ossf/tac/issues/379) +- [Security audit with OSTIF](https://github.com/ossf/tac/issues/379) started Feb 3rd 2025 ### Questions/Issues for the TAC From c664caef06fe8d26b9d1e4b975e470ab5dd2073e Mon Sep 17 00:00:00 2001 From: Zach Steindler Date: Fri, 7 Feb 2025 11:29:36 -0500 Subject: [PATCH 5/5] Expand purpose statement Signed-off-by: Zach Steindler --- TI-reports/2025/2025-Q1-Repos-WG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TI-reports/2025/2025-Q1-Repos-WG.md b/TI-reports/2025/2025-Q1-Repos-WG.md index b2f7f800..5605435e 100644 --- a/TI-reports/2025/2025-Q1-Repos-WG.md +++ b/TI-reports/2025/2025-Q1-Repos-WG.md 
@@ -13,7 +13,7 @@ ### Purpose -Improve security of software repositories by providing a forum for discussion, a maturity model for security roadmaps, and guidance for individual security capabilities. +Improve security of software repositories by providing a forum for discussion, a maturity model for security roadmaps, and guidance for individual security capabilities. These conversations, roadmaps, and guidance help ecosystems learn from each other, which accelerates the deployment of security capabilities. ### Current Status
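Review bot: in PATCH 1/5 the RSTUF `### Purpose` line mixes singular and plural: "protect repository index from tampering by distributing them with The Update Framework (TUF)" pairs "index" with "them". Suggest "protect repository indexes from tampering by distributing them with The Update Framework (TUF)", and the same plural in the Current Status bullet "sign their repository index" so both lines agree.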
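Review bot: in PATCH 3/5 the new Current Status bullet only states what Sonatype Central shipped ("Central now performs Sigstore Signature Validation"), whereas the surrounding bullets describe the working group's own activity. Suggest adding a short clause saying how the item relates to the WG (for example whether it is a capability the group's guidance covers, or simply an ecosystem update being tracked), so a TAC reader does not take it as work the WG performed.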
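Review bot: in PATCH 4/5 the second hunk (`@@ -45,7 +45,7 @@`) records that the OSTIF security audit "started Feb 3rd 2025" but keeps the item under RSTUF `### Up Next`. Once started it is in-progress work, so move the bullet to the RSTUF `### Current Status` list, consistent with the WG section where in-progress items (live job posting, ongoing meetings) sit under Current Status and Up Next holds pending items.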
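Review bot: in PATCH 5/5 the expanded sentence ("These conversations, roadmaps, and guidance help ecosystems learn from each other, which accelerates the deployment of security capabilities.") is added only under `### Purpose`, while the `**Mission**` line in `## Overview` (added in PATCH 1/5) still carries the original one-sentence wording; the two statements were identical before this change. Either apply the same expansion to the Mission line or reduce one of them to a pointer to the other so the report does not carry two diverging purpose statements.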