-
Notifications
You must be signed in to change notification settings - Fork 24
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Determine package publish schema #26
Comments
Good call! cc @lukehinds for the Rekor side. |
Another thing to consider might be the purl spec: https://github.com/package-url/purl-spec |
If signing is present it would be good to capture the signature and the pub key used (with the assumption they signed the listed digest with the aforementioned). |
Great point @lukehinds ! Looks like Ruby supports signing here: https://guides.rubygems.org/security/ My understanding is that PyPI might support signing, but I can't find any evidence NPM does. |
Is this resolved by #81, or is there more to do here? There's several things that would be cool to add to the spec, should those be tracked here or in separate issues? |
I think with #81 merged we should be able to carry on working on the schema in a versioned way, as such separate issues per topic seems appropriate |
Note: this is specifically for the package manager ingestion part of the system.
Right now, when we pull packages from package managers, we eventually serialize them into
ossmalware/pkg/library.Package
instances. This creates a dependency on my package here which really isn't needed since we're not using the rest of the analysis portions of that repo.Instead, I'd like to brainstorm what fields we'd want to include in a package entry moving forward. For example, if this system were to send details upstream to researchers or maybe a system like Rekor, what fields would we want to include?
Things like:
These are just some examples. Curious to get y'all's thoughts.
The text was updated successfully, but these errors were encountered: