SecurityWeek reports that open source software security is being planned to be strengthened by the Cybersecurity and Infrastructure Security Agency through the Principles for Package Repository Security.
Such a new framework, introduced after an OSS security summit with open source community leaders, not only establishes package repository security maturity levels but also advances information sharing and partnership among operators of open source software, according to CISA. Also announced during the summit were the Rust Foundation's new threat model for the Crates.io package repository, the Python Software Foundation's expanded credential-less publishing effort, and Packagist's and Composer's improved security measures. "Open source software is foundational to the critical infrastructure Americans rely on every day. As the national coordinator for critical infrastructure security and resilience, we’re proud to announce these efforts to help secure the open source ecosystem in close partnership with the open source community, and are excited for the work to come," said CISA Director Jen Easterly.
