mirror of
https://github.com/LCTT/TranslateProject.git
synced 2025-01-25 23:11:02 +08:00
Merge pull request #26830 from lzx916/master
Update and rename sources/news/20220809 Github Takes Action To Preven…
This commit is contained in:
六开箱
GitHub
commit
d3878d7615
@ -1,38 +0,0 @@
|
||||
[#]: subject: "Github Takes Action To Prevent Supply Chain Attacks On Open Source"
|
||||
[#]: via: "https://www.opensourceforu.com/2022/08/github-takes-action-to-prevent-supply-chain-attacks-on-open-source/"
|
||||
[#]: author: "Laveesh Kocher https://www.opensourceforu.com/author/laveesh-kocher/"
|
||||
[#]: collector: "lkxed"
|
||||
[#]: translator: "lzx916"
|
||||
[#]: reviewer: " "
|
||||
[#]: publisher: " "
|
||||
[#]: url: " "
|
||||
|
||||
Github Takes Action To Prevent Supply Chain Attacks On Open Source
|
||||
======
|
||||
A series of further software supply chain breaches have highlighted the essential need to secure software chains of custody in the wake of the 2020 SolarWinds cyberespionage campaign, in which Russian hackers infiltrated a widely used IT management platform and snuck contaminated upgrades into it. And since open source initiatives are fundamentally decentralised and frequently ad hoc activities, the problem is especially urgent in this context. After a slew of unsettling hacks of widely used JavaScript software packages from GitHub’s well-known “npm” registry, the business unveiled a strategy this week to provide improved open source security protections.
|
||||
|
||||
The code-signing platform Sigstore will be supported by GitHub, which is owned by Microsoft, for npm software packages. Code signing is akin to a digital wax seal. In order to make it considerably simpler for open source maintainers to confirm that the code they produce is the same code that ultimately ends up in the software packages that are actually being downloaded by people globally, cross-industry collaboration led to the creation of the tool.
|
||||
|
||||
GitHub is not the only part of the open source ecosystem, but Dan Lorenc, CEO of Chainguard, which is a co-developer of Sigstore, notes that it is a vital hub for the community because it is where the great majority of projects store and share their source code. However, developers usually visit a package management when they truly want to download open source software or tools.
|
||||
|
||||
By making Sigstore available to package managers, developers may handle cryptographic checks and requirements as software goes through the supply chain with the help of the Sigstore tools. This increases transparency throughout every stage of the product’s journey. Many individuals, according to Lorenc, are astounded to learn that these integrity checks haven’t been implemented yet and that a sizable portion of the open source ecosystem has long relied on blind faith. The Biden White House released an executive order in May 2021 that dealt primarily with software supply chain security.
|
||||
|
||||
The Linux Foundation, Google, Red Hat, Purdue University, and Chainguard all contributed to the development of Sigstore. There is now official software for signing Python package distributions using Sigstore, and Kubernetes, an open source environment for developing software, now supports it.
|
||||
|
||||
Sigstore relies on being free and simple to use to encourage adoption, much as the major industry push to promote HTTPS web encryption, which was made possible in large part by tools like Let’s Encrypt from the nonprofit Internet Security Research Group. According to Github, the project will begin with a proposal on how Sigstore will be implemented for npm and an open comment period to get community input on the precise deployment strategy for the tool. However, the ultimate objective is to make such code signing available to as many open source projects as possible to make supply chain attacks considerably more challenging.
|
||||
|
||||
“We want to see a world where eventually all software artifacts are signed and linked back to the source code,” GitHub’s Hutchings says. “That is why it is so important to build on an open technology stack like Sigstore that other packaging repositories can adopt as well.”
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: https://www.opensourceforu.com/2022/08/github-takes-action-to-prevent-supply-chain-attacks-on-open-source/
|
||||
|
||||
作者:[Laveesh Kocher][a]
|
||||
选题:[lkxed][b]
|
||||
译者:[译者ID](https://github.com/译者ID)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]: https://www.opensourceforu.com/author/laveesh-kocher/
|
||||
[b]: https://github.com/lkxed
|
||||
@ -0,0 +1,38 @@
|
||||
[#]: subject: "Github Takes Action To Prevent Supply Chain Attacks On Open Source"
|
||||
[#]: via: "https://www.opensourceforu.com/2022/08/github-takes-action-to-prevent-supply-chain-attacks-on-open-source/"
|
||||
[#]: author: "Laveesh Kocher https://www.opensourceforu.com/author/laveesh-kocher/"
|
||||
[#]: collector: "lkxed"
|
||||
[#]: translator: "lzx916"
|
||||
[#]: reviewer: " "
|
||||
[#]: publisher: " "
|
||||
[#]: url: " "
|
||||
|
||||
为防止对开源供应链的攻击,Github 在行动
|
||||
======
|
||||
在 2020 年「SolarWinds」网络间谍活动之后,一系列进一步的软件供应链漏洞突显了确保软件监管链安全的必要性。在这场间谍活动中,俄罗斯黑客渗透到一个广泛使用的IT管理平台,并将受污染的升级产品悄悄带入其中。由于开源项目从根本上来说是分散的,而且经常是临时的活动,因此在这种背景下,这个问题尤其紧迫。GitHub 著名的 npm 注册表中广泛使用的 JavaScript 软件包遭到一系列令人不安的黑客攻击后,该公司本周公布了一项战略,以提供更好的开源安全保护。
|
||||
|
||||
代码签名平台 Sigstore 将由微软旗下的 GitHub 支持,以用于 npm 软件包。代码签名类似于数字蜡封。为了让开源维护者更加容易地确认他们编写的代码是否与全球范围内人们实际下载的软件包中最终包含的代码相同,跨行业协作促成了该工具的创建。
|
||||
|
||||
GitHub 并不是开源生态系统的唯一组成部分,但 Sigstore 的联合开发者、Chainguard 的首席执行官 Dan Lorenc 指出,它是社区的一个重要枢纽,因为绝大多数项目都在这里存储和共享源代码。然而,当开发人员真正想下载开源软件或工具时,他们通常会访问包管理。
|
||||
|
||||
通过让包管理器可以使用 Sigstore,开发人员可以在 Sigstore 工具的帮助下,在软件通过供应链时处理加密检查和要求。这增加了产品流通过程中每个阶段的透明度。Lorenc 说,许多人惊讶地发现,这些完整性检查还没有实施,开源生态系统中相当大的一部分长期以来一直依赖于盲目的信心。拜登政府于 2021 年 5 月发布了一项行政命令,主要处理软件供应链安全问题。
|
||||
|
||||
Linux 基金会、Google、Red Hat、Purdue Universit 和 Chainguard 都对 Sigstore 的开发做出了贡献。现在有了使用 Sigstore 为 Python 包发行版签名的官方软件,而且开发软件的开源环境 Kubernetes 现在也支持它。
|
||||
|
||||
Sigstore 依靠免费和简单易用来鼓励采用,就像主要行业推动 HTTPS 网络加密一样,这在很大程度上是由非营利互联网安全研究集团(Internet Security Research Group)的 Let’s Encrypt 等工具实现的。据 Github 称,该项目会首先提出 Sigstore 将如何在 npm 中实现的建议,并在开放评论期征求社区人员对该工具的精确部署策略的意见。然而,最终的目标是让这样的代码签名能够被尽可能多的开源项目使用,从而实现对供应链的攻击。
|
||||
|
||||
GitHub 的 Hutchings 说:“我们希望看到这样一个世界,最终所有的软件工件都被签名并链接回源代码,这就是为什么构建像 Sigstore 这样的开放技术栈是如此重要,其他打包存储库也可以采用这种技术。”
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: https://www.opensourceforu.com/2022/08/github-takes-action-to-prevent-supply-chain-attacks-on-open-source/
|
||||
|
||||
作者:[Laveesh Kocher][a]
|
||||
选题:[lkxed][b]
|
||||
译者:[lzx916](https://github.com/lzx916)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]: https://www.opensourceforu.com/author/laveesh-kocher/
|
||||
[b]: https://github.com/lkxed
|
||||
Loading…
Reference in New Issue
Block a user