-
Notifications
You must be signed in to change notification settings - Fork 428
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
26 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
# Assignment Proposal | ||
|
||
## Title | ||
|
||
Ensuring the integrity and source of software packages | ||
|
||
## Names and KTH ID | ||
|
||
- Martin Lindefors ([email protected]) | ||
- Melvin Jakobsson ([email protected]) | ||
|
||
## Deadline | ||
|
||
- Week 6 | ||
|
||
## Category | ||
|
||
- Demo | ||
|
||
## Description | ||
|
||
We intend to demonstrate how easy it can be to fall victim to attacks such as typosquatting or dependency confusion. We will do this by creating two bogus packages in `pip` & `npm` and highlight some weaknesses in those package managers. We will then show how to cryptographically verify the authenticity of packages using Sigstore & `npm audit`. Finally we will end with a note on the importance of verifying the origin of software, an often overlooked aspect of software development. | ||
|
||
**Relevance** | ||
|
||
Since the demo will include both package managers and software verification it is relevant for both of this weeks topics. In particular, verifying the origin of software packages is more relevant than ever because of the widespread nature of package managers and the comfortability of outsourcing code to these packages. Furthermore, there are several examples of attacks related to package managers. |