Explore the challenges and solutions in bringing provenance to open source software in this 27-minute conference talk by Trevor Rosen and Zach Steindler from GitHub/npm. Delve into npm's integration with Sigstore to address the lack of verifiable links between packages and their source code. Learn about the complexities of securing build processes, the implications of developer identity verification, and the potential for applying these approaches to other package ecosystems. Gain insights into one of the most significant efforts in software supply chain security and consider fundamental perspectives on package provenance across the open source landscape.
Bringing Provenance to Open Source - Lessons from Npm's Sigstore Integration
Overview
Syllabus
Bringing Provenance to All of Open Source: Lessons from Npm’s... - Trevor Rosen & Zach Steindler
Taught by
Linux Foundation
Tags
Related Courses
-
NPM and Sigstore - Provenance Comes to the World's Largest OSS Ecosystem
-
Where Does Your Software Really Come From - Artifact Attestations and Open Source Verification
-
Growing the Chain: Trusting Build Provenance from Userspace
-
Protecting the World's Greatest Open Source Ecosystem with Sigstore
-
Sigstore: Evolution and Future of Software Security Signing
-
Policy Compliance with Sigstore - From Signing Software to Validating the Whole Software Supply Chain
