-
Notifications
You must be signed in to change notification settings - Fork 82
Adding 2026 Q2 TAC update for Securing Repos WG #613
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| # 2026 Q2 Securing Software Repositories Working Group | ||
|
|
||
| ## Overview | ||
|
|
||
| Package repositories are under attack. There are several ongoing campaigns that distribute replicating malware via the major package repositories. Previous security capabilities organized by this working group have been helpful, but additional security capabilities are needed to protect open source ecosystems. | ||
|
|
||
| ## Securing Software Repositories Working Group | ||
|
|
||
| ### Purpose | ||
|
|
||
| Improve security of software repositories by providing a forum for discussion, a maturity model for security roadmaps, and guidance for individual security capabilities. These conversations, roadmaps, and guidance help ecosystems learn from each other, which accelerates the deployment of security capabilities. | ||
|
|
||
| ### Current Status | ||
|
|
||
| - Recent attacks on package repositories | ||
| - Mitigating attacks with [npm preview of staged publishing](https://docs.npmjs.com/staged-publishing) | ||
| - Recommend that repositories using trusted publishing disable events from pull_request_target (implemented by npm, PyPI, and Rust Crates) | ||
| - Trusted publishing has been hugely valuable as a signal of suspicious packages, as well as a tool for incident response | ||
| - Welcome to our new co-chair Mike Fiedler; and thanks to former co-chair Dustin Ingram for his years of service | ||
| - We've accepted the Package Analysis and Malicious Packages projects from Securing Critical Projects WG | ||
|
|
||
| ### Up Next | ||
|
|
||
| - [Make npm install scripts opt-in](https://github.com/npm/rfcs/pull/868)? | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. What role do you expect the WG to take in this, advising, helping with implementation, etc.?
Member
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. We would definitely appreciate folks who operate other package repositories to share any relevant experiences and learnings on the RFC. In this particular case, many existing package repositories have avoided making this design decision, but when it's successfully implemented we'll add it to our guidance on https://repos.openssf.org/ for newer / future package repositories to learn from. |
||
|
|
||
| ### Funding requests and updates | ||
|
|
||
| RSTUF is participating in the [summer 2026 LFX Mentorship funding request](https://github.com/ossf/tac/issues/573). | ||
|
|
||
| No other funding request are in progress at this time. | ||
|
|
||
| There are no plans currently to apply for additional funding. | ||
|
|
||
| ### Questions/Issues for the TAC | ||
|
|
||
| None at this time! | ||
|
|
||
| ## Additional Information | ||
|
|
||
| None at this time. | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you pls shed some light on what's next for these projects following this transition?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Our intention is for the projects to continue to operate as they were. There is some maintenance in there, but mostly this involves the Malicious Packages project reviewing and publishing submissions from security researchers. Malicious Packages maintainers have also been proactively notifying operators of package repositories during large-scale campaigns, which we greatly appreciate.
There has been increased security researcher activity since about September of last year, as package managers have seen more frequent and larger scale malware campaigns.