One of the higher-impact activities of this working group is writing up learnings from a package repository implementing a capability, to make it easier for other repositories to develop the same capability.
One example of this was the "Build Provenance for All Package Registries" document (https://repos.openssf.org/build-provenance-for-all-package-registries), which resulted in the funding proposal https://repos.openssf.org/proposals/build-provenance-and-code-signing-for-homebrew.
A relatively new capability is "Trusted Publishing" (see https://docs.pypi.org/trusted-publishers/ and https://guides.rubygems.org/trusted-publishing/), which allows people to publish to a package repository without having to provision and manage a long-lived API key.
We would like a guide exploring the idea of Trusted Publishing, with lessons learned from implementation, to be added to https://github.com/ossf/wg-securing-software-repos/tree/main/docs.
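As an added illustration (not part of this issue, and not a working-group document), the following GitHub Actions workflow shows what "no long-lived API key" looks like in practice for PyPI's Trusted Publishing: the job requests a short-lived OIDC identity token (`id-token: write`) and the publish step exchanges it for a temporary upload credential, so there is no `PYPI_API_TOKEN` repository secret to provision, rotate, or leak. The repository name and the `release` environment are assumptions; the pending publisher (owner, repository, workflow filename, environment) must have been registered on the PyPI side beforehand, as the PyPI docs linked above describe.

```yaml
# Added example workflow (assumed file: .github/workflows/release.yml).
# Assumes a PyPI trusted publisher is registered for
# <owner>/<repo>, workflow "release.yml", environment "release".
name: release

on:
  release:
    types: [published]

jobs:
  pypi-publish:
    runs-on: ubuntu-latest
    # Binding the job to a named environment lets the PyPI-side publisher
    # registration scope trust to this environment, and lets reviewers be
    # required before the job can run.
    environment: release
    permissions:
      # The only secret-like grant: permission to mint a short-lived OIDC
      # token that identifies this repository, workflow and environment.
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"

      - name: Build sdist and wheel
        run: |
          python -m pip install --upgrade build
          python -m build

      # No "password:" / API token input here. The action presents the OIDC
      # token to PyPI, which verifies its claims against the registered
      # publisher and returns a temporary upload credential.
      - name: Publish to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
```

The defensive properties come from what is absent: because no long-lived token exists, compromise of repository secrets does not yield publish rights, and PyPI can attribute every upload to a specific workflow, ref and environment rather than to an opaque key.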
We're hoping @sethmlarson will lead writing this document, with review assistance and question answering from @segiddins @di and @woodruffw (as well as any other interested parties from the working group).