TrustSECO

Package managers are part of the infrastructure that enables anyone to use software in the worldwide software ecosystem. Package managers are a software ecosystem's backbone. They host software from respected software producers and are seen as trusted sources of software by their users. Unfortunately, these package managers are not as secure as users think they are. At different points in the life cycle of software, vulnerabilities can enter the software, and the package manager cannot be held responsible for it.

In this project, we want to use a distributed ledger that stores trust data about software packages to support the trust that customers of the package managers have. Such trust data can be whether the package contains known vulnerabilities, whether the package stems from a reproducible build, whether the package is maintained frequently, whether its developers are reputable, etc. The data is in turn used by package managers to provide trust data about their software packages.

One of the most powerful features of TrustSECO is that it is ecosystem agnostic: whether your package is an Egg, a gem, or an npm package, it can become trusted with TrustSECO.
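To make the two preceding paragraphs concrete, here is an added example (not code from the TrustSECO project) of what an append-only, hash-chained ledger of trust facts could look like, and how a package manager could query it across ecosystems. Every name in it (`TrustFact`, `TrustLedger`, the fact names, the verdict thresholds) is an assumption for illustration, and the package names and values are constructed sample data, not real trust data.

```python
"""Hypothetical trust ledger for package trust facts (added example, not TrustSECO code)."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Any, Dict, List


@dataclass(frozen=True)
class TrustFact:
    """One trust statement about one package version (field names are assumptions)."""
    ecosystem: str   # "npm", "rubygems", "pypi", ... : the ledger is ecosystem agnostic
    package: str
    version: str
    fact: str        # e.g. "known_vulnerabilities", "reproducible_build"
    value: Any
    source: str      # who asserted the fact, e.g. a scanner or a build service


class TrustLedger:
    """Append-only log in which every entry commits to the hash of its predecessor."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []

    @staticmethod
    def _digest(prev_hash: str, fact: TrustFact) -> str:
        payload = json.dumps({"prev": prev_hash, "fact": asdict(fact)}, sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()

    def append(self, fact: TrustFact) -> str:
        """Add a fact; returns the entry hash. Old facts are never overwritten."""
        prev_hash = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry_hash = self._digest(prev_hash, fact)
        self.entries.append({"prev": prev_hash, "fact": fact, "hash": entry_hash})
        return entry_hash

    def verify(self) -> bool:
        """Recompute every link; an edited, dropped or reordered entry breaks the chain."""
        prev_hash = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev_hash or self._digest(prev_hash, entry["fact"]) != entry["hash"]:
                return False
            prev_hash = entry["hash"]
        return True

    def facts_for(self, ecosystem: str, package: str, version: str) -> Dict[str, Any]:
        """Latest value of each fact for one package version (later entries win)."""
        latest: Dict[str, Any] = {}
        for entry in self.entries:
            f = entry["fact"]
            if (f.ecosystem, f.package, f.version) == (ecosystem, package, version):
                latest[f.fact] = f.value
        return latest


def trust_verdict(facts: Dict[str, Any]) -> str:
    """Toy policy a package manager might apply to the facts (thresholds are assumptions)."""
    if facts.get("known_vulnerabilities", 0) > 0:
        return "untrusted"
    if facts.get("reproducible_build") is True and facts.get("days_since_last_release", 9999) < 365:
        return "trusted"
    return "unknown"


def build_sample_ledger() -> TrustLedger:
    """Constructed sample facts for an npm package, a gem and an egg; not real data."""
    ledger = TrustLedger()
    ledger.append(TrustFact("npm", "example-widget", "2.1.0", "known_vulnerabilities", 0, "scanner-a"))
    ledger.append(TrustFact("npm", "example-widget", "2.1.0", "reproducible_build", True, "rebuilder-x"))
    ledger.append(TrustFact("npm", "example-widget", "2.1.0", "days_since_last_release", 30, "registry-crawler"))
    ledger.append(TrustFact("rubygems", "example-gem", "0.9.1", "known_vulnerabilities", 2, "scanner-a"))
    ledger.append(TrustFact("pypi", "example-egg", "1.4.2", "reproducible_build", False, "rebuilder-x"))
    ledger.append(TrustFact("pypi", "example-egg", "1.4.2", "known_vulnerabilities", 0, "scanner-a"))
    # A later scan finds a vulnerability: the new fact is appended, the old one stays in history.
    ledger.append(TrustFact("npm", "example-widget", "2.1.0", "known_vulnerabilities", 1, "scanner-b"))
    return ledger


def sample_verdicts() -> Dict[str, str]:
    """Verdict per sample package, as a package manager front end would show it."""
    ledger = build_sample_ledger()
    targets = [("npm", "example-widget", "2.1.0"),
               ("rubygems", "example-gem", "0.9.1"),
               ("pypi", "example-egg", "1.4.2")]
    return {f"{eco}:{pkg}@{ver}": trust_verdict(ledger.facts_for(eco, pkg, ver))
            for eco, pkg, ver in targets}


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("chain intact:", ledger.verify())
    for key, verdict in sample_verdicts().items():
        print(key, "->", verdict)
```

The design point is that trust data is only appended and each entry is chained to the previous one, so a consumer can both read the current state of a package and check that nobody silently rewrote an earlier fact; the verdict policy itself is deliberately simple and would be the package manager's own decision.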

More information can be found on our website: https://secureseco.org/secureseco-introduction/trustseco/

Everything we developed is licensed under the GNU Affero GPL v3.

This is some of the lifecycle data that is stored in our Trust infrastructure.