Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Determine package publish schema #26

Open
jordan-wright opened this issue Feb 3, 2021 · 6 comments
Open

Determine package publish schema #26

jordan-wright opened this issue Feb 3, 2021 · 6 comments

Comments

@jordan-wright
Copy link
Contributor

Note: this is specifically for the package manager ingestion part of the system.

Right now, when we pull packages from package managers, we eventually serialize them into ossmalware/pkg/library.Package instances. This creates a dependency on my package here which really isn't needed since we're not using the rest of the analysis portions of that repo.

Instead, I'd like to brainstorm what fields we'd want to include in a package entry moving forward. For example, if this system were to send details upstream to researchers or maybe a system like Rekor, what fields would we want to include?

Things like:

  • Name
  • Package manager
  • Author
  • Link to package
  • Version
  • Created Date
  • Hash(es)
  • Download Count

These are just some examples. Curious to get y'all's thoughts.

@dlorenc
Copy link
Contributor

dlorenc commented Feb 3, 2021

Good call!

cc @lukehinds for the Rekor side.

@dlorenc
Copy link
Contributor

dlorenc commented Feb 3, 2021

Another thing to consider might be the purl spec: https://github.com/package-url/purl-spec

@lukehinds
Copy link

If signing is present it would be good to capture the signature and the pub key used (with the assumption they signed the listed digest with the aforementioned).

@dlorenc
Copy link
Contributor

dlorenc commented Feb 4, 2021

Great point @lukehinds !

Looks like Ruby supports signing here: https://guides.rubygems.org/security/

My understanding is that PyPI might support signing, but I can't find any evidence NPM does.

@georgevanburgh
Copy link
Contributor

Is this resolved by #81, or is there more to do here? There's several things that would be cool to add to the spec, should those be tracked here or in separate issues?

@tom--pollard
Copy link
Contributor

I think with #81 merged we should be able to carry on working on the schema in a versioned way, as such separate issues per topic seems appropriate

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants