
Current state of attestations in programming language ecosystems

K.3.201 | Day 1 | 11:00 - 11:25 | Speakers: Zach Steindler

Abstract

Over the past few years, npm, PyPI, RubyGems, and Maven Central have implemented attestations to provide build provenance: linking a package to its exact source code and build instructions. Some of these ecosystems have also implemented publish/release attestations detailing exactly which files a specific version of a package should contain. These attestations are distributed as Sigstore bundles, so we'll start by going over enough Sigstore to understand how to verify these bundles and extract the attestation information from them. We'll then cover the APIs for retrieving these attestations in each ecosystem, discuss the implementation tradeoffs each ecosystem made, and look at alternatives for non-programming-language ecosystems to consider.
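The "get the attestation information from these bundles" half of the abstract can be shown offline. The example below is added here and is not code from the talk, from Sigstore, or from any of the ecosystems named; it uses only the Python standard library. It decodes the DSSE envelope carried in a Sigstore bundle, checks that the in-toto subject digest actually binds to the bytes of the file you downloaded, and pulls the source repository, revision and builder out of an SLSA v1 provenance predicate. The bundle, artifact, `example.invalid` URLs, commit and builder id are all constructed for the demo, and the signature is a placeholder: checking the signature against the Fulcio certificate and the Rekor inclusion proof in `verificationMaterial` is assumed to have been done by a real Sigstore client (such as `sigstore verify`) before any field this prints is trusted.

```python
import base64
import hashlib
import json

IN_TOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
DSSE_PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed sample artifact standing in for a downloaded wheel or tarball.
ARTIFACT_NAME = "example_pkg-1.2.3-py3-none-any.whl"
ARTIFACT_BYTES = b"constructed wheel contents, not a real package\n"


def build_sample_bundle(artifact_name, artifact_bytes):
    """Dict shaped like a Sigstore bundle carrying SLSA v1 provenance.
    Repo, tag, commit and builder id are invented; signature and
    verificationMaterial are placeholders, since this script does not
    verify them (a real Sigstore client must do that before anything
    below is trusted)."""
    source_uri = "git+https://example.invalid/org/example_pkg@refs/tags/v1.2.3"
    statement = {
        "_type": IN_TOTO_STATEMENT_V1,
        "subject": [{"name": artifact_name,
                     "digest": {"sha256": hashlib.sha256(artifact_bytes).hexdigest()}}],
        "predicateType": SLSA_PROVENANCE_V1,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://example.invalid/buildtypes/demo/v1",
                "externalParameters": {"workflow": {"path": ".github/workflows/release.yml"}},
                "resolvedDependencies": [{"uri": source_uri,
                                          "digest": {"gitCommit": "0" * 40}}],
            },
            "runDetails": {"builder": {"id": "https://example.invalid/builders/demo"}},
        },
    }
    payload = json.dumps(statement, separators=(",", ":")).encode()
    return {
        "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
        "verificationMaterial": {"certificate": {"rawBytes": "<omitted>"}, "tlogEntries": []},
        "dsseEnvelope": {
            "payload": base64.b64encode(payload).decode(),
            "payloadType": DSSE_PAYLOAD_TYPE,
            "signatures": [{"sig": base64.b64encode(b"<placeholder>").decode()}],
        },
    }


def dsse_pae(payload_type, payload):
    """DSSE pre-authentication encoding: the bytes the signature covers.
    Verify signatures over this, never over the raw decoded JSON."""
    ptype = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(ptype), ptype, len(payload), payload)


def extract_statement(bundle):
    """Decode the in-toto statement from the bundle's DSSE envelope."""
    env = bundle["dsseEnvelope"]
    if env["payloadType"] != DSSE_PAYLOAD_TYPE:
        raise ValueError("unexpected payloadType %r" % env["payloadType"])
    statement = json.loads(base64.b64decode(env["payload"]))
    if statement.get("_type") != IN_TOTO_STATEMENT_V1:
        raise ValueError("not an in-toto v1 statement")
    return statement


def subject_matches(statement, artifact_name, artifact_bytes):
    """True iff a subject names this file and its sha256 matches the bytes on
    disk. The digest is the real binding; the name check stops an attestation
    for a different distribution file of the same release being reused."""
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    return any(s.get("name") == artifact_name
               and s.get("digest", {}).get("sha256", "").lower() == digest
               for s in statement.get("subject", []))


def provenance_summary(statement):
    """The fields a reviewer wants: source, revision, builder, build type."""
    if statement.get("predicateType") != SLSA_PROVENANCE_V1:
        raise ValueError("not SLSA provenance v1: %r" % statement.get("predicateType"))
    pred = statement["predicate"]
    deps = pred["buildDefinition"].get("resolvedDependencies", [])
    source = next((d for d in deps if d.get("uri", "").startswith("git+")), {})
    return {"builder": pred["runDetails"]["builder"]["id"],
            "build_type": pred["buildDefinition"]["buildType"],
            "source_uri": source.get("uri"),
            "source_commit": source.get("digest", {}).get("gitCommit")}


if __name__ == "__main__":
    bundle = build_sample_bundle(ARTIFACT_NAME, ARTIFACT_BYTES)
    stmt = extract_statement(bundle)
    print("bound to artifact:", subject_matches(stmt, ARTIFACT_NAME, ARTIFACT_BYTES))
    print("tampered accepted:", subject_matches(stmt, ARTIFACT_NAME, ARTIFACT_BYTES + b"x"))
    print(json.dumps(provenance_summary(stmt), indent=2))
    env = bundle["dsseEnvelope"]
    print(dsse_pae(env["payloadType"], base64.b64decode(env["payload"]))[:40])
```

Two points this makes that the abstract only implies: the provenance is bound to the artifact by the subject digest, so a bundle that verifies cryptographically is still useless unless that digest equals the hash of the file you are about to install; and what a Sigstore signature covers is the DSSE PAE string, not the decoded JSON, so any hand-rolled verifier that hashes the payload directly will reject every valid bundle.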
