npm and Sigstore: Provenance Comes to the World's Largest OSS Ecosystem

npm and Sigstore join forces to bring provenance to the largest open source ecosystem, simplifying package verification, and increasing trust through automated tracking and transparency.

Key takeaways
  • npm and Sigstore team up to provide provenance to the largest open source ecosystem.
  • Existing methods for verifying packages’ integrity (PGP) are cumbersome and don’t provide trust.
  • npm will now require the --provenance flag when publishing a package.
  • Provenance provides a way to bring more certainty and concreteness to the software development flow.
  • Maintainers need a simple and automated way to provide build provenance.
  • The OpenSSF and GitHub are working together to integrate provenance into open source registries.
  • Sigstore CA will provide a transparency log (Rekor) to allow tracking and verification of builds.
  • Existing build processes can be modified to produce provable outputs.
  • Machine identity, not human identity, should be the focus of signature issuance.
  • Signing should be simple, and verifying should be automated.
  • Transparency is key to building trust and accountability in software development.
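As an added example (not from the original page or from npm), this GitHub Actions workflow shows the two things a maintainer actually has to change to publish with provenance: grant the job `id-token: write` so it can obtain the OIDC identity Sigstore issues the signing certificate against, and pass `--provenance` to `npm publish`. The release trigger, Node version and the `NPM_TOKEN` secret name are assumptions.

```yaml
name: publish-with-provenance

on:
  release:
    types: [published]   # assumed trigger; adjust to the project's release flow

permissions:
  contents: read
  id-token: write        # required: without this the runner cannot mint the OIDC token,
                         # so no Sigstore certificate is issued and publish fails

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20                         # assumed
          registry-url: https://registry.npmjs.org # sets up .npmrc for NODE_AUTH_TOKEN

      - run: npm ci

      # --provenance ties the published tarball to this workflow run (repo, ref, commit)
      # and records the attestation in the Rekor transparency log.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} # assumed secret name
```

On the consuming side, `npm audit signatures` run in a project directory checks the registry signatures and provenance attestations of the installed packages, so verification needs no manual key handling.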