Andrew Nesbitt andrew

git-pkgs+ gittuf integration investigation

This document explores how git-pkgs and gittuf could integrate to enable dependency-aware security policies for Git repositories. The goal: let gittuf enforce policies like "adding new runtime dependencies requires two approvals" or "block dependencies with critical CVEs" by leveraging git-pkgs' understanding of package ecosystems.

What git-pkgs does

git-pkgs is a Git subcommand for tracking package dependencies across git history. It answers questions like "when was this dependency added?", "who added it?", and "what changed between these two commits?" with a unified interface across 40+ package ecosystems.

git-pkgs was recently rewritten from Ruby into Go, partly to enable this kind of integration (importable as a Go library) and partly to simplify deployment as a single binary. It's in early development and can be adapted to work well with gittuf based on feedback.

OSS Tier List

Initial thought: https://mastodon.social/@andrewnez/112151957657701569

Based on https://en.wikipedia.org/wiki/Tier_list

Comments and critiques welcome

Usage ideas:

Browser extension: detect you're looking at a webpage of a package or repo, show you the project's Tier for quick and easy classification

IPFS collab repos that have a top level dependency on both ipfs and ipfs-http-client:

Top IPFS collab dependencies

Dependencies that appear more than once in all collab package.json's that require at least one IPFS/IPLD/Libp2p package.

Also see most-used-ipfs-collab-dependencies.md

package	collab usage	PL org
chai	52
ipfs	47	ipfs
mocha	45

	Toss a coin to your maintainer,
	O guardian of the tree,
	For the forests of dependency
	Are darker than they seem.

	He patches through the nightfall,
	He merges through the dawn,
	While the auditors ride eastward
	To demand another form.

	Repository,Owner,File Path,HTML URL,Size,Downloaded
	jaegertracing/jaeger,jaegertracing,THREAT-MODEL.md,https://github.com/jaegertracing/jaeger/blob/0cf2b7bc16f8acb94fa0f427c12f7868de667cfa/THREAT-MODEL.md,,Yes
	backstage/backstage,backstage,docs/overview/threat-model.md,https://github.com/backstage/backstage/blob/9f67ede0651a187ed890df3de4caee941e078c95/docs/overview/threat-model.md,,Yes
	dotnet/msbuild,dotnet,documentation/specs/BuildCheck/BuildCheck-feature-threat-model.md,https://github.com/dotnet/msbuild/blob/e4dc6152ef4332d8736cadc189044aa3446956f4/documentation/specs/BuildCheck/BuildCheck-feature-threat-model.md,,Yes
	projectcontour/contour,projectcontour,site/content/resources/security-threat-model.md,https://github.com/projectcontour/contour/blob/0119d761110441ad3a4ed9406e339eb28ead5da7/site/content/resources/security-threat-model.md,,Yes
	cncf/tag-security,cncf,community/assessments/projects/tikv/tikv-threat-model.md,https://github.com/cncf/tag-security/blob/e9e846978149d349300fccb15feff43e58def8ad/commu

	[["github.com", 3114781],
	["gitlab.com", 32138],
	["bitbucket.org", 25904],
	["gitee.com", 20218],
	["gitbox.apache.org", 6262],
	["svn.apache.org", 5852],
	["git-wip-us.apache.org", 3167],
	["wiki.opendaylight.org", 3108],
	["code.google.com", 2217],
	["git.eclipse.org", 1772],

	http://artifactory.javassh.com/opensource-releases
	http://artifactory.javassh.com/opensource-snapshots
	http://artifacts.metaborg.org/content/repositories/releases
	http://artifacts.metaborg.org/content/repositories/snapshots
	http://bp-cms-commons.sourceforge.net/m2repo
	http://files.couchbase.com/maven2
	http://java.freehep.org/maven2
	http://maven.ecs.soton.ac.uk/content/repositories/openimaj-releases
	http://maven.ecs.soton.ac.uk/content/repositories/openimaj-snapshots
	http://maven.inria.fr/artifactory/malai-public-snapshot

	["golang.org/x/text",
	"golang.org/x/crypto",
	"github.com/FiloSottile/mkcert",
	"github.com/DHowett/go-plist",
	"software.sslmate.com/src/go-pkcs12",
	"golang.org/x/net",
	"golang.org/x/exp/notary",
	"golang.org/x/sys",
	"git.apache.org/thrift.git",
	"github.com/beorn7/perks",