Software transparency: improving package manager security

Speaker: Benjamin

Track: Security

Type: Short talk (20 minutes)

Room: Auditório

Time: Jul 21 (Sun), 14:30

Duration: 0:20

Software transparency is an effort to improve on the cryptographic signatures of the APT package manager by introducing a Merkle tree transparency log for package meta data and source code, similar to certificate transparency. This allows us to provide two security properties: The detection of targeted backdoors introduced by a malicious archive and the validation of the reproducible builds property.

We present an overview of the architecture and report on the progress made since DebConf18, which includes:

  • (almost) removing online operations for the client
  • secured mirror available
  • compatibility to Certificate Transparency gossip hub to defend against equivocation attacks

There are also lots of things that still need to be done, and we will talk about that as well!