From 4c1eab852ff8adad7467024b01c7047245fa6ca2 Mon Sep 17 00:00:00 2001 From: Zach Steindler Date: Fri, 22 May 2026 15:06:23 -0400 Subject: [PATCH 1/2] Adding 2026 Q2 TAC update for Securing Repos WG Signed-off-by: Zach Steindler --- TI-reports/2026/2026-Q2-Repos-WG.md | 41 +++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 TI-reports/2026/2026-Q2-Repos-WG.md diff --git a/TI-reports/2026/2026-Q2-Repos-WG.md b/TI-reports/2026/2026-Q2-Repos-WG.md new file mode 100644 index 00000000..77156ec4 --- /dev/null +++ b/TI-reports/2026/2026-Q2-Repos-WG.md @@ -0,0 +1,41 @@ +# 2026 Q2 Securing Software Repositories Working Group + +## Overview + +_Required: Sum up the status, health of your TI, and the community in a few sentences. Consider this the TL;DR for the rest of the report. How is your community doing health-wise (e.g., is the number of active contributors increasing or decreasing) ? What are the latest news? + + +## Securing Software Repositories Working Group + +### Purpose + +Improve security of software repositories by providing a forum for discussion, a maturity model for security roadmaps, and guidance for individual security capabilities. These conversations, roadmaps, and guidance help ecosystems learn from each other, which accelerates the deployment of security capabilities. + +### Current Status + +- Recent attacks on package repositories + - Mitigating attacks with [npm preview of staged publishing](https://docs.npmjs.com/staged-publishing) + - Recommend that repositories using trusted publishing disable events from pull_request_target (implemented by npm, PyPI, and Rust Crates) + - Trusted publishing has been hugely valuable as a signal of suspicious packages, as well as a tool for incident response +- Welcome to our new co-chair Mike Fiedler; and thanks to former co-chair Dustin Ingram for his years of service +- We've accepted the Package Analysis and Malicious Packages projects from Securing Critical Projects WG + +### Up Next + +- [Make npm install scripts opt-in](https://github.com/npm/rfcs/pull/868)? + +### Funding requests and updates + +RSTUF is participating in the [summer 2026 LFX Mentorship funding request](https://github.com/ossf/tac/issues/573). + +No other funding request are in progress at this time. + +There are no plans currently to apply for additional funding. + +### Questions/Issues for the TAC + +None at this time! + +## Additional Information + +None at this time. From 1535dd2d15d2e6baa1bb78223392048d81bc0f28 Mon Sep 17 00:00:00 2001 From: Zach Steindler Date: Fri, 22 May 2026 15:16:30 -0400 Subject: [PATCH 2/2] Add overview Signed-off-by: Zach Steindler --- TI-reports/2026/2026-Q2-Repos-WG.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/TI-reports/2026/2026-Q2-Repos-WG.md b/TI-reports/2026/2026-Q2-Repos-WG.md index 77156ec4..5f3baa27 100644 --- a/TI-reports/2026/2026-Q2-Repos-WG.md +++ b/TI-reports/2026/2026-Q2-Repos-WG.md @@ -2,8 +2,7 @@ ## Overview -_Required: Sum up the status, health of your TI, and the community in a few sentences. Consider this the TL;DR for the rest of the report. How is your community doing health-wise (e.g., is the number of active contributors increasing or decreasing) ? What are the latest news? - +Package repositories are under attack. There are several ongoing campaigns that distribute replicating malware via the major package repositories. Previous security capabilities organized by this working group have been helpful, but additional security capabilities are needed to protect open source ecosystems. ## Securing Software Repositories Working Group