This is why I love working with mega-minds like Nigel Brown. We discovered a very common pattern around malicious packages known as 'star jacking'. Package managers (save Golang) do very few checks on the affiliation claims a package makes in its metadata. Someone could create a rinky-dink unknown package and claim it originates from the Linux Kernel GitHub repository. This makes it particularly difficult to trace the source of origin (find the source code that built the package). I started sigstore to address this, but as much as sigstore has been a success, now implemented by NPM (Node Package Manager) and others, many communities have not yet adopted sigstore or anything close to sigstore. With this new historical provenance check created at Stacklok, we are able to establish where a package comes from, which will help us shield many users from supply chain attacks. I remember Nigel bringing up the results in a Jupyter notebook and seeing the clear correlation. It was one of those wow moments, where you feel grateful to work alongside such smart people.
Software provenance (or proof of origin) helps you make sure that the OSS package you're installing is truly what it says it is. But how can you determine proof of origin for open source packages if they're not yet signed or built with sigstore (the gold standard)?
Join us for a LIVE DEMO w/ CTO Luke Hinds and Staff Engineer Nigel Brown next Tues, 1/16, to find out.
We'll talk through an alternative way to determine proof of origin for OSS packages based on historical Git tags and package versions (and how we're working with the community to ultimately support sigstore adoption). https://lnkd.in/gujQzSAE
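To make the idea concrete, here is an added example of a tag-to-version correlation heuristic. It is not Stacklok's check and not sigstore code; it is illustrative code written for this post. The package names, repository URLs, version lists and dates below are all constructed. Real use would feed it the registry's release history for the package and the `git tag` history of the repository the package claims as its origin. Two signals are combined: whether the package's version strings appear as tags in the claimed repository (after normalising common tag spellings such as `v1.2.3` or `release-1.2.3`), and whether each release was published shortly after its tag rather than before it, since a package built from a tag cannot predate the tag.

```python
"""Heuristic provenance check: does a package's release history line up
with the Git tag history of the repository it claims as its source?

Added example, not Stacklok's or sigstore's code. All data is constructed.
"""
import re
from datetime import date
from typing import Dict, List, Optional, Tuple

Release = Tuple[str, date]          # (version string, publish date)
Tag = Tuple[str, date]              # (tag name, tag date)

# Accepts "1.2.3", "v1.2.3", "release-1.2.3", "pkg_1.2.3", "v2.0.0-rc1"
# and captures the bare version part.
_TAG_RE = re.compile(
    r"^(?:[A-Za-z][\w.-]*?[-_/])?v?(\d+(?:\.\d+)*(?:[-+.][0-9A-Za-z.]+)?)$"
)


def normalize_tag(tag: str) -> Optional[str]:
    """Strip prefixes such as 'v' or 'release-' and return the version, or None."""
    m = _TAG_RE.match(tag.strip())
    return m.group(1) if m else None


# Constructed registry histories (hypothetical package names).
PACKAGE_RELEASES: Dict[str, List[Release]] = {
    "legit-lib":   [("1.0.0", date(2023, 1, 10)), ("1.1.0", date(2023, 3, 2)),
                    ("1.2.0", date(2023, 6, 15)), ("2.0.0", date(2023, 11, 1))],
    "rinkydink":   [("0.1.0", date(2023, 9, 1)), ("0.1.1", date(2023, 9, 3)),
                    ("0.2.0", date(2023, 10, 5))],
    "mirror-fork": [("1.0.0", date(2022, 12, 1)), ("1.1.0", date(2023, 2, 1)),
                    ("1.2.0", date(2023, 6, 16))],
}

# Constructed tag histories of the repositories the packages claim to come from.
REPO_TAGS: Dict[str, List[Tag]] = {
    "github.com/example/legit-lib": [("v1.0.0", date(2023, 1, 9)), ("v1.1.0", date(2023, 3, 1)),
                                     ("release-1.2.0", date(2023, 6, 14)), ("v2.0.0", date(2023, 10, 31))],
    "github.com/example/famous-kernel": [("v6.5", date(2023, 8, 27)), ("v6.6", date(2023, 10, 29)),
                                         ("v6.7", date(2024, 1, 7))],
}

# Which repository each package's metadata claims as its source (constructed).
CLAIMED_REPO: Dict[str, str] = {
    "legit-lib": "github.com/example/legit-lib",
    "rinkydink": "github.com/example/famous-kernel",      # star-jacking: claims a big repo
    "mirror-fork": "github.com/example/legit-lib",         # copies tag names, wrong timing
}


def correlate(releases: List[Release], tags: List[Tag], max_lag_days: int = 30) -> dict:
    """Match each package version to a tag and check the release came after the tag."""
    tag_dates: Dict[str, date] = {}
    for name, tagged_on in tags:
        version = normalize_tag(name)
        if version and version not in tag_dates:
            tag_dates[version] = tagged_on

    matched, unmatched, timing_mismatch = [], [], []
    for version, published in releases:
        tagged_on = tag_dates.get(version)
        if tagged_on is None:
            unmatched.append(version)               # no such tag in the claimed repo
            continue
        lag = (published - tagged_on).days
        if 0 <= lag <= max_lag_days:
            matched.append(version)                 # tag exists, release shortly after it
        else:
            timing_mismatch.append(version)         # release predates tag or lags far behind
    total = len(releases)
    return {
        "matched": matched,
        "unmatched": unmatched,
        "timing_mismatch": timing_mismatch,
        "ratio": len(matched) / total if total else 0.0,
    }


def verdict(result: dict, threshold: float = 0.8) -> str:
    """Collapse the correlation into a coarse label (threshold is an assumption)."""
    if not result["matched"]:
        return "no-correlation"
    return "consistent" if result["ratio"] >= threshold else "weak"


def check_package(package: str) -> Tuple[str, dict]:
    """Run the check for a package against the repository its metadata claims."""
    repo = CLAIMED_REPO[package]
    result = correlate(PACKAGE_RELEASES[package], REPO_TAGS[repo])
    return verdict(result), result


if __name__ == "__main__":
    for pkg in PACKAGE_RELEASES:
        label, detail = check_package(pkg)
        print(f"{pkg:12s} -> {CLAIMED_REPO[pkg]}: {label} {detail}")
```

The three constructed packages exercise the three outcomes: `legit-lib` matches every tag and is labelled consistent, `rinkydink` shares no version strings with the repository it claims and gets no-correlation, and `mirror-fork` copied the tag names but published most versions before the tags existed, so it comes out weak. This is a heuristic for packages that are not signed; a verified sigstore signature and provenance attestation remain the stronger proof of origin.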