TrustSECO

Package managers are part of the infrastructure that enables anyone to use software. They are a software ecosystem's backbone: they host software from respected producers and are seen by their users as trusted sources. Unfortunately, these package managers are not as secure as users think they are. Vulnerabilities can enter software at different points in its life cycle, and the package manager cannot be held responsible for them.

In this project, we want to use a distributed ledger that stores trust data about software packages to support the trust that customers of package managers place in them. Such trust data can be whether the package contains known vulnerabilities, whether the package stems from a reproducible build, whether the package is maintained frequently, whether its developers are reputable, etc. Package managers in turn use this data to present trust information about the packages they host.
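To make the idea concrete, here is an added sketch (not TrustSECO's own code) of a hash-chained, append-only ledger of trust facts and the policy check a package manager could run against it before installation. The record fields, the staleness threshold of 365 days and the sample packages are constructed assumptions for illustration.

```python
import hashlib
import json
from datetime import date

GENESIS = "0" * 64  # hash of the (empty) predecessor of the first entry


def entry_hash(entry):
    # Canonical JSON so every ledger node hashes a record identically.
    payload = json.dumps({k: v for k, v in entry.items() if k != "hash"}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def append(ledger, package, version, facts):
    # Each entry commits to the previous entry's hash, so altering or dropping
    # an older trust record invalidates every record that follows it.
    prev = ledger[-1]["hash"] if ledger else GENESIS
    entry = {"package": package, "version": version, "facts": facts, "prev": prev}
    entry["hash"] = entry_hash(entry)
    ledger.append(entry)
    return entry


def verify_chain(ledger):
    prev = GENESIS
    for e in ledger:
        if e["prev"] != prev or entry_hash(e) != e["hash"]:
            return False
        prev = e["hash"]
    return True


def trust_decision(ledger, package, version, today_iso, max_stale_days=365):
    # Policy a package manager might apply: refuse a tampered ledger outright,
    # then judge the latest record for this exact package version.
    if not verify_chain(ledger):
        return "reject: ledger integrity check failed"
    records = [e["facts"] for e in ledger if e["package"] == package and e["version"] == version]
    if not records:
        return "unknown: no trust data"
    f = records[-1]
    reasons = []
    if f["known_vulnerabilities"] > 0:
        reasons.append("known vulnerabilities")
    if not f["reproducible_build"]:
        reasons.append("build not reproducible")
    if (date.fromisoformat(today_iso) - date.fromisoformat(f["last_release"])).days > max_stale_days:
        reasons.append("unmaintained")
    return "trusted" if not reasons else "untrusted: " + ", ".join(reasons)


# Constructed sample ledger: an old vulnerable release and a current clean one.
SAMPLE_LEDGER = []
append(SAMPLE_LEDGER, "example-lib", "1.2.0",
       {"known_vulnerabilities": 2, "reproducible_build": True, "last_release": "2018-03-01"})
append(SAMPLE_LEDGER, "example-lib", "1.3.0",
       {"known_vulnerabilities": 0, "reproducible_build": True, "last_release": "2020-04-15"})
```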

The first prototype of TrustSECO was implemented in the Odyssey Hackathon.

Please find our GitHub here.

At Odyssey we also created an infographic about TrustSECO: