This interactive session will discuss the important role of package registries in securing the open source software supply chain, as well as best practices and guiding principles for a secure package registry ecosystem. Maintainers have been managing risk in their ecosystems since the start and are the first line of defense for ecosystem code quality. But package registries also have a responsibility to protect developers depending on their package ecosystem and, ultimately, the end-users of the software. This responsibility to maintain safety and reliability must be balanced against the freedom and creativity of package maintainers whose skill, innovation, and gumption allow others to accomplish great things.

Cybersecurity incidents are among the greatest threats facing organizations today. This event, held in partnership with OpenSSF and CNCF, gathers security practitioners, open source developers, and others interested in software supply chain security to; explore the security threats affecting the software supply chain, share best practices and mitigation tactics and Increase knowledge about how to best secure open source software.



What Role Do Package Registries Have in Securing the Supply Chain?

Conference: SupplyChainSecurityCon 2022

Authors: Margaret Tucker, Justin Colannino

Abstract

Post a comment

Related work

Securing the IaC Supply Chain

Zero Trust Supply Chains with Project Sigstore and SPIFFE