Create "Binary Transparency for Artifact Registries" guide #47
Comments
haydentherapper
added a commit
to haydentherapper/wg-securing-software-repos
that referenced
this issue
Sep 4, 2024
Fixes ossf#47 Signed-off-by: Hayden B <hblauzvern@google.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Binary Transparency (BT) adds cryptographic immutability and discoverability to package identifiers and metadata, and when applied to artifact registries, prevents registries from acting maliciously, e.g. by tampering with existing artifact versions or serving new malicious versions.
As usage of Binary Transparency is not widespread and overlaps with other related supply chain security projects, this guide will serve as an overview to BT, discussing threats mitigated by BT, case studies of where BT has been applied, and how BT compares to other solutions like code signing or attestations. If you attended the WG meeting where I presented on BT, this guide will be a far more detailed analysis of BT and should serve as a the source of truth for how we want to discuss BT applied to artifact registries.
An implementation of this guide will follow shortly, with a goal of turning the API into a spec for C2SP.
The text was updated successfully, but these errors were encountered: