Adding 2026 Q2 TAC update for Securing Repos WG #613
Signed-off-by: Zach Steindler <steiza@github.com>
marcelamelara left a comment
Thanks @steiza! I've got a couple of questions :)
| - Recommend that repositories using trusted publishing disable events from pull_request_target (implemented by npm, PyPI, and Rust Crates) | ||
| - Trusted publishing has been hugely valuable as a signal of suspicious packages, as well as a tool for incident response | ||
| - Welcome to our new co-chair Mike Fiedler; and thanks to former co-chair Dustin Ingram for his years of service | ||
| - We've accepted the Package Analysis and Malicious Packages projects from Securing Critical Projects WG |
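Review bot: the pull_request_target bullet gives the recommendation without its rationale, so a TAC reader who does not operate a package repository will not see why that event is a problem for a trusted-publishing workflow; suggest a short clause explaining the risk, or a link to the matching guidance on https://repos.openssf.org/, and consider naming the Rust registry as "crates.io" rather than "Rust Crates" so all three ecosystems are listed by their registry name.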
Could you please shed some light on what's next for these projects following this transition?
Our intention is for the projects to continue to operate as they were. There is some maintenance in there, but mostly this involves the Malicious Packages project reviewing and publishing submissions from security researchers. Malicious Packages maintainers have also been proactively notifying operators of package repositories during large-scale campaigns, which we greatly appreciate.
There has been increased security researcher activity since about September of last year, as package managers have seen more frequent and larger scale malware campaigns.
| ### Up Next | ||
| - [Make npm install scripts opt-in](https://github.com/npm/rfcs/pull/868)? |
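Review bot: the trailing question mark on the npm install scripts bullet leaves the item ambiguous (tentative plan, open question for the TAC, or something the WG is tracking but not driving); suggest stating the WG's role explicitly, e.g. "- Share package-repository operator feedback on [Make npm install scripts opt-in](https://github.com/npm/rfcs/pull/868) (RFC in progress)".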
What role do you expect the WG to take in this, advising, helping with implementation, etc.?
We would definitely appreciate folks who operate other package repositories to share any relevant experiences and learnings on the RFC. In this particular case, many existing package repositories have avoided making this design decision, but when it's successfully implemented we'll add it to our guidance on https://repos.openssf.org/ for newer / future package repositories to learn from.
For the upcoming TAC meeting.