Is this a feature request or a bug?
Feature request
Expected behavior:
In order to better distinguish itself from npm, and add more value, Entropic should use The Update Framework (TUF) to secure the package registry in a compromise-resilient manner: i.e. a compromise of the registry does not result in the instant compromise of all packages. A high-level overview of TUF is available in this podcast with @andrew.
To ease adoption, Entropic may start with the minimum security model, where the registry signs for all packages using online keys, or signing keys that are accessible on-demand by the registry. This model protects users from man-in-the-middle (MitM) attacks, but not a compromise of the registry itself.
To achieve compromise-resilience, Entropic should support the maximum security model, where a subset of packages are signed using offline keys, or signing keys kept off the repository, by their respective developers. This model protects users of these packages from a compromise of the registry itself.
To provide even stronger security guarantees in the maximum security model, Entropic may allow developers to use in-toto to provide end-to-end integrity of packages. in-toto ensures that packages were not tampered with from the moment developers checked in source code to a VCS system to the moment packages were built and uploaded to the registry.
The Datadog Agent integrations are an example of a real-world deployment using both TUF and in-toto to achieve compromise-resilience.
More technical information about how TUF and in-toto can be combined is available in ITE-2 and ITE-3.
Actual behavior:
I haven't looked deeply into it, so I don't want to misrepresent, but Entropic probably uses TLS to secure packages in transit, but not at rest. Please correct me if I am wrong.
Steps to replicate:
N/A
Environment info (where relevant)
N/A
Cc @jlegrone @SantiagoTorres @JustinCappos