Will Large-Scale Automated Scanning Stop Malware on OSS Repositories?

Explore the challenges and limitations of large-scale automated scanning for malware detection in open-source software repositories in this 41-minute conference talk by Zachary Newman from Chainguard, Inc. Examine the case study of Python's PyPI, which implemented an automated scanning system in 2020, to understand why such approaches often fall short. Learn about the practical constraints faced by repository maintainers, including high package upload volumes and limited volunteer resources, which make even low false-positive rates problematic. Discover the current equilibrium involving third-party researchers and human intervention in malware detection. Gain insights into the broader context of supply chain threats and the importance of considering maintainer needs when designing security solutions. This talk offers valuable lessons for package repository administrators, security professionals, and anyone concerned about malware in open-source software ecosystems.