Google delivers secure open source software packages
Google has announced the Google Cloud Assured Open Source Software service, which aims to be a trusted source of secure open source packages, and the deps.
With Assured OSS, Google offers organizations the opportunity to integrate into their own developer workflows the same OSS packages Google uses and secures.
"Threat actors regularly attempt to compromise the source code and source repos for OSS projects. By building Assured OSS packages from a Google-secured and managed mirror rather than directly off the web, Google is able to take responsibility for securing the source code, repo, securing end-to-end build, packaging and deploy so the integrity of the source code is maintained even if it or its repo has been compromised," Andy Chang, Group Product Manager at Google Cloud, told Help Net Security.
The packages are built with Cloud Build, include evidence of verifiable SLSA-compliance, are signed by Google and are distributed from an Artifact Registry secured by Google.
Google previously said that users will be able to submit packages from their own OSS portfolio to be secured and managed through the Google Cloud managed service.
"The deps.dev data set is continuously updated from a range of sources: package registries, the Open Source Vulnerability database, code hosts such as GitHub and GitLab, and the software artifacts themselves," says the Google Open Source Security Team.
News URL
https://www.helpnetsecurity.com/2023/04/13/google-secure-open-source-software-packages/