Securing Package Repositories in Open Source

CRob discusses package repository security with two people who know a lot about the topic. Zach Steindler is a principal engineer at Github, a member of the OpenSSF TAC and co-chairs the OpenSSF Security Packages Repository Working Group. Jack Cable is a senior technical advisor at CISA. Earlier this year, Zach and Jack published a helpful guide of best practices called “Principles for Package Repository Security.”

• 00:48 - Jack and Zach share their backgrounds
• 02:59 - What package repositories are and why they’re important to open source users
• 04:17 - The positive impact package security has on downstream users
• 07:06 - Jack and Zach offer insight into the "Prinicples for Package Repository Security" document
• 11:18 - Future endeavors of the Securing Software Repositories Working Group
• 17:32 - Jack and Zach answer CRob’s rapid-fire questions
• 19:31 - Advice for those entering the industry
• 21:28 - Jack and Zach share their calls to action 

Episode links:

• Zach Steindler on LinkedIn
• Jack Cable on LinkedIn
• OpenSSF on LinkedIn
• Securing Package Repositories Working Group
• Principles for Package Repository Security document
• Subscribe to the OpenSSF newsletter
• Get involved with the OpenSSF community