Package Transparency for WebAssembly Registries

The presentation discusses the use of package transparency and webassembly to create secure and portable software package registries.

• Package registries are indexes of content that map name and version to what's actually there
• Package transparency combines certificate transparency and package concepts to provide defenses against attacks
• Webassembly can be used to create portable and secure software
• The use of monitors can add security to the system
• Verification of package authors can be done inside the content using signatures

The presentation explains that package transparency can prevent modified records from being downloaded by checking the hash linkage and log inclusion proof. It also notes that the consistency of the login map can be checked by monitors to prevent indefinite freezing. Additionally, the use of signatures in webassembly can verify the author of the content.

WebAssembly (Wasm) is a significant advancement in the portability and security of code, but for Wasm to be useful we need a way to publish and distribute it. This presents a unique opportunity to correspondingly advance the state of the art in supply chain security. That's why the Bytecode Alliance, a Wasm-focused non-profit, is working on developing a new registry protocol for Wasm packages, with security at the center, called warg. Warg is designed to offer "Package Transparency" by building on verifiable data structures from the field of Certificate Transparency. This means that the entire state of a registry can be validated by monitors, replicated by mirrors, and operator compromise can easily be detected. Come attend the talk to learn more about it from two Registry SIG members and implementors!