Building Trust in Open Source Software

Hey Everybody! I chose the article “Boosting faith in the authenticity of open source software” to talk about how it affects present day software and how we can build off it. The article starts off by presenting Speranza, a new system that allows users to verify the authenticity of open source software packages while keeping the identity of developers private. It builds on an existing signing system called Sigstore but uses a novel “identity co-commitments” cryptographic technique to prove that a trusted developer signed the software without revealing their identity. The article shows how Speranza enables trust in open source software through automatic verification that a package really came from its maintainers.
Speranza presents an interesting case study for computer science students because it sits at the intersection of cryptography, real-world security issues, core computer science challenges, and the open source ecosystem so ubiquitous in the field. Specifically, the novel “identity co-commitments” technique aims to address the practical threat of vulnerabilities being introduced into software supply chains through some type of malice. By protecting developer identity, it aligns with both usability and privacy goals in computer science. For CS students deeply embedded in open source as users and future contributors, understanding the latest developments working to improve security and privacy could deeply inform both perspectives. More broadly, this research touches on computer science trade-offs around security, privacy, and usability that recur across domains.
As a student learning about building both front-end and back-end software systems, I found this article on the Speranza software authentication project a good addition to know about. I have relied heavily on open source code in assignments, often importing libraries without much thought about their integrity. This resource impressed upon me that you can never fully trust third party code, even from regular or normal open source developers.
I now understand the privacy preservation behind Speranza’s design. By avoiding revealing developer identities in the authentication process, the system overcomes adoption barriers and aligns motives between creators and users of open source work. That commitment to privacy likely stems from the open source mindset.
Reading about Speranza’s novel technical approach using zero-knowledge proofs was clarifying as well from a software architecture perspective. Thinking through how I may include third party open source functionality in future applications, I need to consider adding checks on the integrity and origin of imported code. Though Speranza itself deals with authentication before download, it inspired me to reflect on similar proofs of authenticity within a completed software project. If I can confirm the signed identities of any imported dependencies, it would make me more confident that my project doesn’t have vulnerabilities introduced through my software supply chain. I still have much more to learn, but Speranza made me realize there are aspects of trustworthy software development I had never considered.
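To make the “identity co-commitments” idea from the first paragraph and the zero-knowledge proofs mentioned above concrete, here is an added example (my own toy illustration, not Speranza’s or Sigstore’s code) of the underlying trick: a repository publishes a Pedersen commitment to a maintainer’s identity, each signature carries a fresh commitment, and a Schnorr-style proof shows both hide the same identity without ever revealing it. It assumes a tiny hand-picked group and SHA-256 for Fiat-Shamir challenges, which is fine for learning and useless for real security.

```python
"""Toy illustration of an identity co-commitment check: prove two commitments
hide the same maintainer identity without opening either. Added example, not
Speranza's or Sigstore's code; the group is far too small to be secure."""
import hashlib
import secrets

# Toy group: P is a safe prime, Q = (P-1)/2, and G, H generate the order-Q
# subgroup. A real system would use a standard elliptic-curve group.
P, Q = 2039, 1019
G, H = 4, 9  # quadratic residues; in practice H is derived so log_G(H) is unknown

def hash_to_zq(*parts: bytes) -> int:
    """Hash byte strings into [1, Q-1] (used for identities and challenges)."""
    digest = hashlib.sha256(b"|".join(parts)).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)

def commit(ident: int, r: int) -> int:
    """Pedersen commitment G^ident * H^r mod P; r is the hiding randomness."""
    return (pow(G, ident, P) * pow(H, r, P)) % P

def prove_same_identity(c_repo, r_repo, c_sig, r_sig, pkg_digest: bytes):
    """Signer's side. When both commitments hide the same identity,
    c_repo / c_sig == H^(r_repo - r_sig), so a Schnorr proof of that exponent
    (base H) shows equality without revealing the identity. The package digest
    is folded into the challenge so the proof is tied to this artifact."""
    k = secrets.randbelow(Q)
    t = pow(H, k, P)
    c = hash_to_zq(str((c_repo, c_sig, t)).encode(), pkg_digest)
    s = (k + c * (r_repo - r_sig)) % Q
    return t, s

def verify_same_identity(c_repo, c_sig, pkg_digest: bytes, proof) -> bool:
    """Installer's side: learns only that both commitments hide the same
    identity, never the identity itself."""
    t, s = proof
    c = hash_to_zq(str((c_repo, c_sig, t)).encode(), pkg_digest)
    ratio = (c_repo * pow(c_sig, -1, P)) % P
    return pow(H, s, P) == (t * pow(ratio, c, P)) % P

def demo() -> bool:
    """Repository policy holds a commitment to the maintainer; each release
    carries a fresh commitment plus an equality proof (values constructed)."""
    alice = hash_to_zq(b"alice@example.com")  # maintainer's identity as an int
    r_repo, r_sig = secrets.randbelow(Q), secrets.randbelow(Q)
    c_repo = commit(alice, r_repo)  # published once in the repository
    c_sig = commit(alice, r_sig)    # fresh for this signature
    digest = hashlib.sha256(b"package-1.2.3.tar.gz (constructed)").digest()
    proof = prove_same_identity(c_repo, r_repo, c_sig, r_sig, digest)
    return verify_same_identity(c_repo, c_sig, digest, proof)
```

The installer never sees `alice` or either randomness, only the two commitments and the proof; a commitment to a different identity fails verification because the ratio of the commitments then carries a leftover power of G that no exponent of H can explain.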




December 20, 2023

andicuni

cs-343, CS@Worcester

https://techxplore.com/news/2023-12-boosting-faith-authenticity-source-software.html