Joshua is a collaborator and maintainer on The Update Framework (TUF) and Supply-chain Levels for Software Artifacts (SLSA) projects. He is fortunate enough to work on these projects, and others, at VMware in their Open Source Technology Center. In a past life he spent many years working on and with the Yocto Project. Joshua has spoken at several events including Linux Security Summit, Embedded Linux Conference, and KubeCon + CloudNativeCon.
In this talk, Joshua Lock and Marina Moore will discuss common attacks on package managers, and the kinds of threats that package managers face as part of the software supply chain. They will then present The Update Framework (TUF), a mechanism for securing package managers against these threats in a simple, resilient way that is designed to protect users even against nation-state attackers. Package managers can adopt all features of TUF wholesale, or start with the subset that will be most helpful for their users. The talk will conclude with a demonstration of TUF's versatility: how TUF has been adopted by the Python Package Index (PyPI) to provide end-to-end protection of packages from the developer to the end user, and how this adoption can serve as a model for other package managers looking to improve the security of software distribution and updates.
We’ve managed to bring all of you together from different package manager communities, but can we also bring the package managers you work on together? Is there room for one package manager to rule them all, or will package management always be a very domain-centric activity? If so, is that good or bad?