Matthew Suozzo
Matthew Suozzo is a Software Engineer at Google working on supply chain security.
Sessions
10-26
16:20
25min
Rebuilding Trust: Asserting Integrity in Language Package Ecosystems
Matthew Suozzo
Language package registries play a pivotal role in the open-source software ecosystem. However, their widespread popularity has drawn the attention of malicious actors. Registry developers have responded to these attacks, as well as to the public pressure for action, with identity and artifact validation features. But these efforts will take time, maintainer participation, and new package releases to address the pervasive assurance gaps that remain. To address these shortcomings, we explore an alternative approach to assessing package integrity using reproducible build concepts.
Main stage