[HN Gopher] The Secure Open Source Pilot Program
___________________________________________________________________
The Secure Open Source Pilot Program
Author : theafh
Score : 65 points
Date : 2021-10-01 14:28 UTC (8 hours ago)
(HTM) web link (security.googleblog.com)
(TXT) w3m dump (security.googleblog.com)
| tux1968 wrote:
| The $505 reward amount is a cute touch.
|
| Reading this post led me to learn about the
|
| https://www.sigstore.dev/
|
| initiative which is interesting in its own right. Not being able
| to trust where the software we rely on originates, and that it
| hasn't been tampered with along the way, is a weakness that we've
| been turning a blind eye to for too long.
| playcache wrote:
| agree, sigstore is an awesome project when you delve into the
| architecture. transparency logs and ephemeral key signing!
| dane-pgp wrote:
| You'll probably enjoy how it is being used to secure the Arch
| Linux package ecosystem then:
|
| https://github.com/kpcyrd/pacman-bintrans
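The sub-thread above praises sigstore's use of transparency logs. The following is an added example, not code from the original post, from sigstore, or from pacman-bintrans: a minimal append-only Merkle log using the RFC 6962 / RFC 9162 leaf and node hashing, with inclusion-proof generation and verification, so a verifier can check that a given signing record is really in the log under a published root without trusting the log operator. The entries are constructed placeholder records (an artifact digest plus a signer identity); the ephemeral-key signature and certificate that a real sigstore entry carries are not modelled here, only the log part is.

```python
import hashlib
import json

# --- RFC 6962 hashing: domain-separate leaves (0x00) from interior nodes (0x01)
def leaf_hash(entry: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split_point(n: int) -> int:
    # Largest power of two strictly less than n (n >= 2).
    k = 1 << (n.bit_length() - 1)
    return k >> 1 if k == n else k

class TransparencyLog:
    """Append-only Merkle log. Only leaf hashes are kept in memory."""

    def __init__(self) -> None:
        self.leaves: list[bytes] = []

    def append(self, entry: bytes) -> int:
        self.leaves.append(leaf_hash(entry))
        return len(self.leaves) - 1          # index of the new leaf

    def root(self) -> bytes:
        return self._root(self.leaves)

    def _root(self, hashes: list[bytes]) -> bytes:
        if not hashes:
            return hashlib.sha256(b"").digest()   # empty-tree hash per RFC 6962
        if len(hashes) == 1:
            return hashes[0]
        k = _split_point(len(hashes))
        return node_hash(self._root(hashes[:k]), self._root(hashes[k:]))

    def inclusion_proof(self, index: int) -> list[bytes]:
        return self._proof(self.leaves, index)

    def _proof(self, hashes: list[bytes], m: int) -> list[bytes]:
        # Sibling hashes from the leaf upwards (RFC 6962 PATH construction).
        n = len(hashes)
        if n <= 1:
            return []
        k = _split_point(n)
        if m < k:
            return self._proof(hashes[:k], m) + [self._root(hashes[k:])]
        return self._proof(hashes[k:], m - k) + [self._root(hashes[:k])]

def verify_inclusion(leaf: bytes, index: int, tree_size: int,
                     proof: list[bytes], root: bytes) -> bool:
    """RFC 9162 section 2.1.3.2 inclusion-proof verification."""
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, leaf
    for p in proof:
        if sn == 0:
            return False                  # proof is longer than the tree allows
        if fn & 1 or fn == sn:
            r = node_hash(p, r)           # we are a right child (or a lone leaf)
            if not fn & 1:
                while fn & 1 == 0 and fn != 0:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)           # we are a left child
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root

# Constructed sample records; a real sigstore entry would also carry the
# signature and the short-lived certificate binding the ephemeral key.
SAMPLE_ENTRIES = [
    json.dumps({"sha256": "aa" * 32, "signer": "dev1@example.org"}).encode(),
    json.dumps({"sha256": "bb" * 32, "signer": "dev2@example.org"}).encode(),
    json.dumps({"sha256": "cc" * 32, "signer": "dev1@example.org"}).encode(),
    json.dumps({"sha256": "dd" * 32, "signer": "release-bot@example.org"}).encode(),
    json.dumps({"sha256": "ee" * 32, "signer": "dev3@example.org"}).encode(),
]

def build_sample_log() -> TransparencyLog:
    log = TransparencyLog()
    for e in SAMPLE_ENTRIES:
        log.append(e)
    return log

def check_all_entries(log: TransparencyLog) -> bool:
    """Every appended record must verify against the current root."""
    root, size = log.root(), len(log.leaves)
    return all(verify_inclusion(leaf_hash(e), i, size, log.inclusion_proof(i), root)
               for i, e in enumerate(SAMPLE_ENTRIES))

if __name__ == "__main__":
    log = build_sample_log()
    print("root:", log.root().hex())
    print("all entries verify:", check_all_entries(log))
```

Two things worth trying on this: hand `verify_inclusion` a modified entry, or the right proof with the wrong index, and it returns False, which is the property a client relies on when it only trusts a signed root from the log rather than the log's own claim that an entry exists. Consistency proofs between two roots, which stop the operator from quietly rewriting history, follow the same construction and are omitted here.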
| usr1106 wrote:
| Interesting that they refer to the Core Infrastructure
| Initiative. Not in the sense that they participated in funding
| it. But interesting because that project does not seem to be very
| alive. I browsed the web site recently and the general impression
| is it has not been updated for years. So after the first
| initiative faded away they create the next one?
| scovetta wrote:
| The Open Source Security Foundation (openssf.org) is arguably
| the successor to the Core Infrastructure Initiative and is very
| much alive.
| mikeyouse wrote:
| Not even arguably - explicitly. From the CII website:
|
| > _The CII has been replaced by the Open Source Security
| Foundation (OpenSSF). Please go to the OpenSSF site for
| current activities in securing open source software. In
| particular, the CII Best Practices badge work continues as
| part of the OpenSSF Best Practices Working Group, while the
| CII research conducted on open source software security by
| Harvard continues as part of the OpenSSF Securing Critical
| Projects Working Group._
|
| > _This CII website is being retained to preserve historical
| information and to help with transition to the OpenSSF._
| coolspot wrote:
| This and other Google contributions to software security, such
| as Project Zero, deserve much praise!
| jacques_chester wrote:
| Agreed. They're putting their money where a lot of mouths are.
___________________________________________________________________
(page generated 2021-10-01 23:01 UTC)