Securing Python and Open Source Ecosystems – Thank You

Recent attacks targeting major open source repositories such as npm and PyPI have cast a spotlight on a critical issue: the software supply chain is increasingly vulnerable. Attackers are leveraging the trust and collaborative nature of open source ecosystems, deploying malicious versions of popular packages to exploit users and systems.

These incidents underscore the urgent need for enhanced security protocols and vigilant practices within the open source community, especially considering that 96% of today’s codebases contain some open source software.

Join us for a fireside chat featuring special guest Dustin Ingram, a Fellow at the Python Software Foundation. We’ll discuss the importance of establishing trust and reinforcing security within open source repositories, the proactive steps being taken by these repositories and their dependent organizations, and the broader implications for the open source ecosystem as a whole.

We’ll cover:

  • The imperative for enhanced trust and security in light of recent supply chain attacks
  • The nature and variety of today’s threats
  • Initiatives like Trusted Publishing for PyPI, in collaboration with key partners, aimed at fortifying the publishing process
  • The central role played by repositories in the open source ecosystem and maintaining the balance between security and user convenience
  • Future directions in securing public repositories, including the integration of software attestations
  • Demonstration of securely publishing packages using ActiveState’s Trusted Publisher integration with PyPI

Whether you’re concerned about your organization’s use of open source, a seasoned developer, or a community advocate, get a front-row seat to learn how open source repositories can be secured for everyone.
