Signing in Four Public Software Package Registries: Quantity, Quality, and Influencing Factors
Taylor R. Schorlemmer, Kelechi G. Kalu, Luke Chigges, Kyung Myung Ko, Eman Abdul-Muhd Abu Ishgair, Saurabh Bagchi
IEEE Symposium on Security and Privacy 2024 · Day 1 · Continental Ballroom 4
This technical article summarizes the findings presented by Taylor R. Schorlemmer and co-authors at the IEEE S&P conference, based on their paper investigating software signing practices across four major public package registries: PyPI, Maven Central, DockerHub, and Hugging Face. The talk, titled "Signing in Four Public Software Package Registries: Quantity, Quality, and Influencing Factors," addresses a critical aspect of software supply chain security: it provides an up-to-date, multi-registry empirical analysis of how widely package signatures are adopted and how effective they are in practice.
AI review
This is a critical, data-driven analysis of software signing across major registries, exposing a gaping hole in supply chain security. The research provides actionable insights, proving that policy and tooling, not just fear, are the only levers that move the needle. A must-read for anyone serious about securing the software ecosystem.