From bc72b057394be94d0258d8cd9bb48b64ed4d3462 Mon Sep 17 00:00:00 2001 From: Zach Steindler Date: Fri, 24 Oct 2025 15:27:58 -0400 Subject: [PATCH] Add Q4 Securing Software Repositories WG TAC update Signed-off-by: Zach Steindler --- TI-reports/2025/2025-Q4-Repos-WG.md | 39 +++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 TI-reports/2025/2025-Q4-Repos-WG.md diff --git a/TI-reports/2025/2025-Q4-Repos-WG.md b/TI-reports/2025/2025-Q4-Repos-WG.md new file mode 100644 index 00000000..679091f8 --- /dev/null +++ b/TI-reports/2025/2025-Q4-Repos-WG.md 
@@ -0,0 +1,39 @@ +# 2025 Q4 Securing Software Repositories Working Group + +## Overview + +**Mission**: Improve security of software repositories (npm, PyPI, RubyGems, ...) by providing a forum for discussion, a maturity model for security roadmaps, and guidance for individual security capabilities. + +**Links**: +- [GitHub repository](https://github.com/ossf/wg-securing-software-repos) +- [Slack channel](https://openssf.slack.com/archives/C034CBLMQ9G) +- [WG meeting docs](https://docs.google.com/document/d/18Y8HxntL2RkcgqoFdhdLpj17e4MOSCdskP1IoDiuP1s/edit?usp=sharing) + +## Securing Software Repositories Working Group + +### Purpose + +Improve security of software repositories by providing a forum for discussion, a maturity model for security roadmaps, and guidance for individual security capabilities. These conversations, roadmaps, and guidance help ecosystems learn from each other, which accelerates the deployment of security capabilities. + +### Current Status + +- [UI/UX support for attestations on software repos - phase 1 (recommendations) complete](https://github.com/ossf/wg-securing-software-repos/blob/main/docs/attestations-style-guide.md) +- [RSTUF had v1.0.0 release](https://github.com/repository-service-tuf/repository-service-tuf/releases/tag/v1.0.0) +- [NuGet now supports Trusted Publishing](https://learn.microsoft.com/en-us/nuget/nuget-org/trusted-publishing) + +### Up Next + +- Lots of continued attacks / mitigation discussions + - Phishing maintainers for TOTP (should we move to phishing-resistant MFA?) 
+ - Quarantine / soft-delete as capabilities for dealing with increased malware submissions + - Malware detection capabilities + +### Package repositories in the news + +- [GitHub's plan for a more secure npm supply chain](https://github.blog/security/supply-chain-security/our-plan-for-a-more-secure-npm-supply-chain/) +- [Open Infrastructure is Not Free](https://openssf.org/blog/2025/09/23/open-infrastructure-is-not-free-a-joint-statement-on-sustainable-stewardship/) +- [The Transition of RubyGems Repository Ownership](https://www.ruby-lang.org/en/news/2025/10/17/rubygems-repository-transition/) + +### Questions/Issues for the TAC + +- None at this time
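Review bot: the `**Mission**` line in the Overview and the first sentence of the `### Purpose` section repeat the same text almost verbatim ("Improve security of software repositories ... by providing a forum for discussion, a maturity model for security roadmaps, and guidance for individual security capabilities"); consider keeping the one-line mission in the Overview and having Purpose carry only the second sentence on ecosystems learning from each other, so the report does not read as padded. Two smaller wording points in the same hunk: "RSTUF had v1.0.0 release" reads better as "RSTUF released v1.0.0", and the "Up Next" bullet "Phishing maintainers for TOTP (should we move to phishing-resistant MFA?)" would be clearer to the TAC if it stated the concern directly, e.g. "Maintainers are being phished for TOTP codes; evaluate recommending phishing-resistant MFA", so the recommendation under discussion is visible without guessing. Finally, the Overview and Current Status bullets are all links, which is good; the "Up Next" items have none, so linking each to the corresponding WG issue or discussion doc, where one exists, would let TAC members follow the threads.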