| Field | Value |
|---|---|
| Live Stream | https://live.fosdem.org/watch/k3201 |
| Type | devroom |
| Language | English |
| Date | Abstract |
|---|---|
| 1/31/26 | <p>In September 2024, the good name of crates.io was invoked and besmirched by a phishing attack that targeted the owners of many popular crates, much as other language ecosystems had been the target of attacks in the preceding couple of weeks.</p> <p>This talk will go over how this all went down, what we did, and how a worldwide Rust Project <-> Rust Foundation <-> Alpha-Omega collaboration was crucial in its rapid mitigation.</p> |
| 1/31/26 | <p>Over the past few years, <a href="https://github.blog/security/supply-chain-security/introducing-npm-package-provenance/">npm</a>, <a href="https://blog.pypi.org/posts/2024-11-14-pypi-now-supports-digital-attestations/">PyPI</a>, <a href="https://github.com/ruby/rubygems/pull/8239">RubyGems</a>, and <a href="https://central.sonatype.org/news/20250128_sigstore_signature_validation_via_portal/">Maven Central</a> have implemented attestations to provide build provenance: linking a package to its ... |
| 1/31/26 | <p>Package management systems tackle resolving package dependencies in different ways, which usually involves associating a package with at least a name and a version. In this talk I am doing a bit of an exploration of the solution space, including how dependencies are resolved in: - a language-specific package manager with a lock file (example: cargo https://doc.rust-lang.org/cargo/) - by a typical distribution (example: Debian https://www.debian.org/ ) - by Nix (https://nixos.org/) and ... |
| 1/31/26 | <p>Package managers are legion. Every language and operating system has its own solution, each with subtly different semantics for dependency resolution. This fragmentation prevents multi-lingual projects from expressing precise dependencies across language ecosystems, means external system and hardware dependencies are implicit and unversioned, and obscures security vulnerabilities that lie in the full dependency graph. We present the Package Calculus, a formalism for dependency resolution that ... |
| 1/31/26 | <p>At FOSDEM 2018, we introduced Package-URL (PURL: https://github.com/package-url/purl-spec), a "mostly" universal URL to identify and locate software packages: https://archive.fosdem.org/2018/schedule/event/purl/</p> <p>Now, PURL is an international standard to accurately and consistently reference packages across ecosystems, regardless of whether you're working with language-specific managers, OS distributions, or containerized environments.</p> <p>This talk highlights the journey of PURL, ... |
| 1/31/26 | <p>Package manifests record source-level dependencies: <em>pandas</em> depends on <em>numpy</em>'s code. The story is different for binary dependencies: <em>numpy</em> depends on <em>OpenBLAS</em>'s binaries, but package managers can't easily see this. We must map the OSS ecosystem's binary dependency relationships to reliably (1) identify upstream security vulnerabilities and (2) properly credit and financially support maintainers. I propose solving this problem by creating a global index of ... |
| 1/31/26 | <p>Package registries are critical infrastructure used by almost all software. As they scale, package registries become critical points of supply chain security. They also become leveraged points of attack. Most registries operate on dwindling funding from grants, donations, and in-kind resources while facing increased costs across every facet of their operation and development. Something has to change.</p> <p>The Alpha-Omega project has been raising the alarm, funding security improvements, and ... |