Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add 2025 Q1 Securing Repos WG update #444

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
+52 −0
Open

Add 2025 Q1 Securing Repos WG update #444

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
89295fc
Add 2025 Q1 Securing Repos WG update
steiza Jan 29, 2025
9b7a6c4
Fix typo
steiza Jan 29, 2025
ec473ca
Add Sonatype Central's support for Sigstore Signature Validation
steiza Jan 29, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 52 additions & 0 deletions TI-reports/2025/2025-Q1-Repos-WG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
# 2025 Q1 Securing Software Repositories Working Group

## Overview

**Mission**: Improve security of software repositories (npm, PyPI, RubyGems, ...) by providing a forum for discussion, a maturity model for security roadmaps, and guidance for individual security capabilities.

**Links**:
- [GitHub repository](https://github.com/ossf/wg-securing-software-repos)
- [Slack channel](https://openssf.slack.com/archives/C034CBLMQ9G)
- [WG meeting docs](https://docs.google.com/document/d/18Y8HxntL2RkcgqoFdhdLpj17e4MOSCdskP1IoDiuP1s/edit?usp=sharing)

## Securing Software Repositories Working Group

### Purpose

Improve security of software repositories by providing a forum for discussion, a maturity model for security roadmaps, and guidance for individual security capabilities.

### Current Status

- [Central now performs Sigstore Signature Validation](https://central.sonatype.org/news/20250128_sigstore_signature_validation_via_portal/)
- [Posting for technical writer](https://jobs.smartrecruiters.com/LinuxFoundation/744000038830864-openssf-securing-repositories-working-group-technical-writer) to write package yanking guidance is live
- Letter of support to Python Software Foundation's grant request to US National Science Foundation on detecting, flagging, and quarantining malware
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This sentence doesn't actually say what the status is. Did the WG send that letter?

- Meetings continue every other week, with async discussions in the Slack channel

### Up Next

- Hire contractor; publish package yanking guidance
- [Funding request: UI/UX support for attestations on software repos](https://github.com/ossf/tac/issues/424)
- Continue supporting landing security capabilities in software repositories

### Questions/Issues for the TAC

- None at this time

## RSTUF Project

### Purpose

Provide a service to protect repository index from tampering by distributing them with The Update Framework (TUF)

### Current Status

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

RSTUF is starting the security audit from 3rd February 2025

- Continuing to work towards v1.0 release to run alongside RubyGems and PyPI and sign their repository index
- [Funding approved: 2025 cloud development costs](https://github.com/ossf/tac/issues/417)

### Up Next

- [Security audit with OSTIF](https://github.com/ossf/tac/issues/379)

### Questions/Issues for the TAC

- None at this time