Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create "Binary Transparency for Artifact Registries" guide #47

Open
haydentherapper opened this issue Sep 4, 2024 · 0 comments · May be fixed by #48
Open

Create "Binary Transparency for Artifact Registries" guide #47

haydentherapper opened this issue Sep 4, 2024 · 0 comments · May be fixed by #48

Comments

@haydentherapper
Copy link

Binary Transparency (BT) adds cryptographic immutability and discoverability to package identifiers and metadata, and when applied to artifact registries, prevents registries from acting maliciously, e.g. by tampering with existing artifact versions or serving new malicious versions.

As usage of Binary Transparency is not widespread and overlaps with other related supply chain security projects, this guide will serve as an overview to BT, discussing threats mitigated by BT, case studies of where BT has been applied, and how BT compares to other solutions like code signing or attestations. If you attended the WG meeting where I presented on BT, this guide will be a far more detailed analysis of BT and should serve as a the source of truth for how we want to discuss BT applied to artifact registries.

An implementation of this guide will follow shortly, with a goal of turning the API into a spec for C2SP.

haydentherapper added a commit to haydentherapper/wg-securing-software-repos that referenced this issue Sep 4, 2024
Fixes ossf#47

Signed-off-by: Hayden B <hblauzvern@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant