Signing in Four Public Software Package Registries: Quantity, Quality, and Influencing Factors
arXiv (2024)
Abstract
Many software applications incorporate open-source third-party packages
distributed by public package registries. Guaranteeing authorship along this
supply chain is a challenge. Package maintainers can guarantee package
authorship through software signing. However, it is unclear how common this
practice is, and whether the resulting signatures are created properly. Prior
work has provided raw data on registry signing practices, but only measured
single platforms, did not consider quality, did not consider time, and did not
assess factors that may influence signing. We do not have up-to-date
measurements of signing practices nor do we know the quality of existing
signatures. Furthermore, we lack a comprehensive understanding of factors that
influence signing adoption.
This study addresses this gap. We provide measurements across three kinds of
package registries: traditional software (Maven, PyPI), container images
(DockerHub), and machine learning models (Hugging Face). For each registry, we
describe the nature of the signed artifacts as well as the current quantity and
quality of signatures. Then, we examine longitudinal trends in signing
practices. Finally, we use a quasi-experiment to estimate the effect that
various factors had on software signing practices. To summarize our findings:
(1) mandating signature adoption improves the quantity of signatures; (2)
providing dedicated tooling improves the quality of signing; (3) getting
started is the hard part – once a maintainer begins to sign, they tend to
continue doing so; and (4) although many supply chain attacks are mitigable via
signing, signing adoption is primarily affected by registry policy rather than
by public knowledge of attacks, new engineering standards, etc. These findings
highlight the importance of software package registry managers and signing
infrastructure.
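The abstract's premise is that a maintainer's signature over a package lets a consumer check authorship and detect tampering. The following Go program, added here as an illustration and not code from the paper or from any of the registries it studies, shows the mechanics of that guarantee and its main caveat: verification is only meaningful against a public key the consumer trusts independently of the package bundle, so a key shipped alongside the signature proves nothing. The Ed25519 key type, the `Bundle` layout, the artifact bytes and the function names are assumptions chosen for the example; real registries use their own formats (e.g. PGP detached signatures or Sigstore bundles).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Bundle is a hypothetical record a registry might store beside an artifact.
// It is not any real registry's format; it exists only for this example.
type Bundle struct {
	Digest    [32]byte          // SHA-256 of the artifact bytes
	Signature []byte            // Ed25519 signature over the digest
	PublicKey ed25519.PublicKey // key the signer claims; must NOT be trusted blindly
}

// SignArtifact hashes the artifact and signs the digest with the maintainer's key.
func SignArtifact(priv ed25519.PrivateKey, artifact []byte) Bundle {
	d := sha256.Sum256(artifact)
	return Bundle{
		Digest:    d,
		Signature: ed25519.Sign(priv, d[:]),
		PublicKey: priv.Public().(ed25519.PublicKey),
	}
}

// VerifyArtifact re-hashes the downloaded artifact and checks the signature
// against a key the consumer trusts from its own configuration. The key in
// the bundle is deliberately ignored: an attacker who replaces the artifact
// can just as easily replace the bundled key and re-sign.
func VerifyArtifact(trusted ed25519.PublicKey, artifact []byte, b Bundle) error {
	d := sha256.Sum256(artifact)
	if d != b.Digest {
		return fmt.Errorf("digest mismatch: artifact differs from what was signed")
	}
	if !ed25519.Verify(trusted, d[:], b.Signature) {
		return fmt.Errorf("signature does not verify under the trusted key")
	}
	return nil
}

func main() {
	// Constructed sample data; stands in for a package file fetched from a registry.
	artifact := []byte("example-package-1.0.0.tar.gz contents (constructed)")

	pub, priv, err := ed25519.GenerateKey(rand.Reader) // maintainer's key pair
	if err != nil {
		panic(err)
	}
	bundle := SignArtifact(priv, artifact)
	fmt.Println("digest:", hex.EncodeToString(bundle.Digest[:]))

	// 1. Genuine artifact, trusted maintainer key: verification succeeds.
	fmt.Println("genuine:", VerifyArtifact(pub, artifact, bundle))

	// 2. Modified artifact (e.g. a malicious upload over the same version): fails.
	tampered := append([]byte("malicious prefix "), artifact...)
	fmt.Println("tampered:", VerifyArtifact(pub, tampered, bundle))

	// 3. Attacker re-signs the tampered artifact with their own key and ships
	//    that key in the bundle. Trusting the bundled key would accept it;
	//    trusting only the maintainer's key rejects it.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignArtifact(attackerPriv, tampered)
	fmt.Println("forged, bundled key:", VerifyArtifact(forged.PublicKey, tampered, forged))
	fmt.Println("forged, trusted key:", VerifyArtifact(pub, tampered, forged))
}
```

Case 3 is the point the abstract's findings turn on: signing tooling only improves supply chain security when consumers have a trustworthy way to obtain the maintainer's key (a registry-managed identity binding, a transparency log, or out-of-band key distribution), which is why registry policy and dedicated tooling matter more than the bare presence of a signature.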