Add 2025 Q1 Securing Repos WG update #444
Conversation
Signed-off-by: Zach Steindler <[email protected]>
Signed-off-by: Zach Steindler <[email protected]>
Should we add the Central sigstore validation as an update? (https://www.sonatype.com/blog/central-publisher-portal-now-validates-sigstore-signatures)
Signed-off-by: Zach Steindler <[email protected]>
It has now been added - thanks!
Provide a service to protect repository index from tampering by distributing them with The Update Framework (TUF) | ||
|
||
### Current Status | ||
|
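Review bot: the "### Current Status" heading under the TUF item has no content in this hunk; the thread below records that the RSTUF security audit starts 3 February 2025, so a status line with that date belongs directly under this heading rather than only in the review discussion.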
RSTUF is starting the security audit from 3rd February 2025
Is this in support of upcoming project graduation? Or do you expect that is still farther out?
Added the start date - thanks!
@kairoaraujo can correct me if I'm wrong, but I don't think we're in a particular hurry for RSTUF project graduation. For now we want to focus on standing it up for RubyGems and PyPI and demonstrate its usefulness.
The RSTUF project's focus right now is getting the security audit, release 1.0.0 final, and asking OpenSSF support to promote the project, from helping public repositories (PyPI, RubyGems, Crates, etc) to going beyond and showing organizations how to secure their content distribution.
The success of this phase, IMHO, is the guarantee that this project can go to the graduation.
That sounds great! I think it makes sense to defer graduation until there's more adoption.
LGTM except for one item that's unclear.
Signed-off-by: Zach Steindler <[email protected]>
LGTM. Thanks!
Thanks @steiza ! I have a couple of questions/comments.
|
||
- Hire contractor; publish package yanking guidance | ||
- [Funding request: UI/UX support for attestations on software repos](https://github.com/ossf/tac/issues/424) | ||
- Continue supporting landing security capabilities in software repositories |
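Review bot: the first bullet, "Hire contractor; publish package yanking guidance", bundles two separate deliverables into one item and does not say what the contractor is for; split it into two bullets and link the contractor item to its tracking issue, as the funding-request bullet that follows already does.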
Are you targeting specific ones in the coming quarter?
The somewhat-glib answer is whoever shows up and wants to work together! A more helpful answer is that we're tracking security capabilities in progress across many ecosystems with work in progress or proposed in PyPI, RubyGems, NuGet, and Rust Crates. Last week we had a promising early conversation with Conda Forge about potential future collaborations.
That's really great to hear! Whatever you're able to share about the ecosystems you're tracking and/or are hoping to collaborate with would be a great addition here :)
Signed-off-by: Zach Steindler <[email protected]>
For the upcoming TAC meeting Tuesday Feb 4th