Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature]: Improve resiliency against supply chain attacks #9889

Open
jgilbert2017 opened this issue Mar 30, 2024 · 3 comments
Open

[Feature]: Improve resiliency against supply chain attacks #9889

jgilbert2017 opened this issue Mar 30, 2024 · 3 comments
Labels
Area: Data Integrity Area: Security feature-request Customer feature request Pipeline:Icebox

Comments

@jgilbert2017
Copy link

jgilbert2017 commented Mar 30, 2024
edited
Loading

Related Problem

Background: Supply chain attacks are becoming an increased vector for compromise.

Most recently, the open source library xz was compromised via a bad actor who inserted malicious code via a change to a source tarball that was not present in the git tree.

The current trust paradigm of nuget is based upon publisher trust via a signing key which can then be used to publish arbitrary binary nuget packages (*.nupkg).

An improvement to this model would be to allow trusted publishers to publish source releases (via signing a release tag) rather than a binary.

This would increase transparency and reduce the chance that a bad actor introduces malicious code into a binary.

The Elevator Pitch

Support publishing nuget packages via the package owner submitting a link to a git repository and a commit hash.

The nuget server backend should permanently mirror the the repository and checkout and build the nupkg artifact.

The nuget gallery should link to the mirrored source tree and commit.

Additional Context and Details

In support of this idea, it appears that go language packages work via a git tag.

cc: @FiloSottile, @rsc, @anarazel

https://bsky.app/profile/filippo.abyssdomain.expert/post/3kowo2acmyx2k

Go does even better: every version+hash is checked into an immutable append-only transparency log that not even Google can tamper with undetectably.

If you change the contents of a git tag, it will just be rejected. No override, excuses or not.

Really every git-tag based system should do this.
@jgilbert2017 jgilbert2017 added the feature-request Customer feature request label Mar 30, 2024
@erdembayar
Copy link
Contributor

cc @JonDouglas

@JonDouglas
Copy link
Contributor

For this proposal, are you suggesting a concept of build provenance / trusted publishing similar to this?

image

I'm about to write a larger/broader proposal on this, so stay tuned!

@jgilbert2017
Copy link
Author

wow, that looks like it 💯 provided the artifacts that are published to the nuget server are being built by github from source.

this would be an enormous and necessary step up in defense against supply chain attacks. you da man.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Area: Data Integrity Area: Security feature-request Customer feature request Pipeline:Icebox
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@JonDouglas @erdembayar @jgilbert2017