Add recommendations for package repositories looking to roll out Trusted Publishers

Open sethmlarson opened this issue 1 year ago • 2 comments

Identified this as a gap with the current Trusted Publishers guide, specifically that the focus is almost exclusively on the Trusted Publisher mechanism itself rather than recommendations on how a package repository might do an initial rollout. A few examples:

  • How to choose identity providers for an initial rollout
  • Number of identity providers to support for initial rollout
  • Changes to the User Interface for Trusted Publishers
  • Messaging around being a UX improvement in addition to a security improvement

sethmlarson avatar Jul 26 '24 16:07 sethmlarson

Maybe not "Which identity providers to support for the initial rollout" but "How to choose identity providers for an initial rollout" 🙂

di avatar Jul 26 '24 16:07 di

@di Thank you, changed my phrasing to match what I actually meant!

sethmlarson avatar Jul 26 '24 16:07 sethmlarson

I would say this is done! https://repos.openssf.org/trusted-publishers-for-all-package-repositories

steiza avatar Sep 05 '24 18:09 steiza