- Presented at: ACM SCORED workshop 2023
- Presented by: William Woodruff

This talk is intended to expose its audience (academics and researchers who are interested in the packaging side of supply-chain security) to the practical considerations that open source programmers and package index maintainers are making while determining how (and if) to integrate code-signing into the systems they maintain.

As such, it's intended to bridge a (perceived) gap in theoretical and practical collaboration, with an explicit goal of exposing academics and researchers to the challenges that emerge when lifting theoretical code-signing schemes onto ecosystems whose reliability and stability are critical to the basic health of the Internet.

It's also intended to cast sunlight on the "quotidian" problems that are often ignored when constructing theoretically sound and ideal code-signing schemes, like the risk of increased operational burden for open-source maintainers and the problems (and privacy concerns!) of identity and identity malleability in primarily pseudonymous open-source ecosystems.