SPEC-8 — Supply-Chain Security

I would like to propose a reflection on best practices that projects should follow to secure their projects from a supply-chain perspective.

A few ideas of things to consider to help Quickstart the discussion:

  • OpenSSF has a scorecard system and I think it would be good to follow their recommendations. They also provide scorecards with interesting metrics.
  • Trusted Publishers: GitHub to PyPi
  • SLSA, secure artifacts. It’s easy to do with GH actions, e.g. with Flask
  • Build on top of SPEC 6 (keys to the castle)
  • else …
5 Likes

A very relevant problem, and one that we have, historically, not paid enough attention to :+1:

1 Like

Re: Trusted Publishers – Last I checked, it does not work if you use publish workflow from template. Has that changed?

Can you clarify what you mean? I use Trusted publishers on a few projects without issues. Are you saying it’s difficult to automate the setup of new projects due to the extra steps required? i.e. not just a token, but you need to create an environment on GH and share that to PyPi.

@tupui , I was referring to Supported PyPI trusted publishers · Issue #136 · OpenAstronomy/github-actions-workflows · GitHub and Trusted publishing: Support for GitHub reusable workflows · Issue #11096 · pypi/warehouse · GitHub

1 Like

I’m doing an analysis on lots of projects based on the scorecards system as part of my PhD research. Happy to be pat of this discussions and help working on this spec.

3 Likes

An additional thing to add to the list are more “social” things than technical:

  • work to disconnect platform (like GitHub) privileges from “status in the project”
    • e.g. reduce the amount of privileged accounts and document people’s status via something that isn’t “commit rights” or “admin” status on GitHub
  • “never be in a hurry” - work on establishing routines that mean you are never in a hurry and that it is normal to push back against people who do try to create a sense of urgency
    • e.g. the story around xz involved some amount of creating a sense of urgency and immediacy for the maintainers. If it was normal to push back on such tactics I think they are less effective.

There are probably more social aspects, but I can’t think of more.