Pyrsia sets out to be the torch that lights up the open-source supply chain.
THE PROBLEM WITH OPEN SOURCE SECURITY
Not knowing where all your software comes from means hard-to-spot risks to the integrity of your services. Without constant identity checks and safety protocols for keys and secrets, open source dependencies can open the door to breaches, exploits and supply chain attacks.
WHERE DOES PYRSIA FIT IN...
What does Pyrsia address in SLSA's threat landscape?
Firmly the "dependencies" section. The only way to obtain confidence is to have detailed, transparent information across the supply chain.
WHAT PYRSIA SETS OUT TO PROVIDE
- Confident Provenance of the package (e.g. signed commit, build log attestations, non-repudiation of the publisher)
- Immutable History (e.g. a transparency log of every package in its original state and of its metadata as it changes over time)
- Secure and Efficient Distribution (e.g. verifiable integrity of the package and of its source)
- Fault Tolerance - decentralized nodes over a P2P network provide fault tolerance
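The three properties above (publisher non-repudiation, an immutable history, and verifiable artifact integrity) can be shown together in a small append-only log. The following Go program is an added illustration written for this page; it is not Pyrsia's code and its record layout is an assumed one. Each entry names a package version, the SHA-256 digest of its bytes, its source revision and the publisher's Ed25519 public key; it is signed by the publisher and hash-chained to the entry before it, so altering any past record breaks either a signature or the chain, and a downloaded artifact can be checked against the digest the log recorded.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Entry is one record of an illustrative transparency log (assumed schema, not Pyrsia's).
type Entry struct {
	Package        string `json:"package"`
	Version        string `json:"version"`
	ArtifactDigest string `json:"artifact_digest"` // sha256 of the package bytes
	SourceRevision string `json:"source_revision"` // e.g. a git commit id
	Publisher      string `json:"publisher"`       // hex Ed25519 public key of the publisher
	PrevHash       string `json:"prev_hash"`       // hash of the previous entry (hash chain)
	Signature      string `json:"signature"`       // publisher's signature over the fields above
}

// signedBody returns the canonical bytes the publisher signs: every field except the signature.
func (e Entry) signedBody() []byte {
	e.Signature = ""
	b, _ := json.Marshal(e)
	return b
}

// entryHash is what the next entry commits to: the whole record, signature included.
func entryHash(e Entry) string {
	b, _ := json.Marshal(e)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Log is an append-only list of entries; nothing is ever edited in place.
type Log struct{ Entries []Entry }

// Append records a release, chains it to the previous entry and signs it with the publisher key.
func (l *Log) Append(pkg, version, rev string, artifact []byte, priv ed25519.PrivateKey) Entry {
	digest := sha256.Sum256(artifact)
	e := Entry{
		Package: pkg, Version: version,
		ArtifactDigest: hex.EncodeToString(digest[:]),
		SourceRevision: rev,
		Publisher:      hex.EncodeToString(priv.Public().(ed25519.PublicKey)),
	}
	if n := len(l.Entries); n > 0 {
		e.PrevHash = entryHash(l.Entries[n-1])
	}
	e.Signature = hex.EncodeToString(ed25519.Sign(priv, e.signedBody()))
	l.Entries = append(l.Entries, e)
	return e
}

// Verify walks the log from the first entry: each record must carry a valid signature
// from the publisher it names and must point at the hash of the record before it.
func (l *Log) Verify() error {
	prev := ""
	for i, e := range l.Entries {
		if e.PrevHash != prev {
			return fmt.Errorf("entry %d: chain broken", i)
		}
		pub, err := hex.DecodeString(e.Publisher)
		if err != nil || len(pub) != ed25519.PublicKeySize {
			return fmt.Errorf("entry %d: bad publisher key", i)
		}
		sig, err := hex.DecodeString(e.Signature)
		if err != nil || !ed25519.Verify(ed25519.PublicKey(pub), e.signedBody(), sig) {
			return fmt.Errorf("entry %d: bad signature", i)
		}
		prev = entryHash(e)
	}
	return nil
}

// VerifyArtifact compares downloaded bytes with the digest most recently logged for that version.
func (l *Log) VerifyArtifact(pkg, version string, artifact []byte) bool {
	digest := sha256.Sum256(artifact)
	want := hex.EncodeToString(digest[:])
	found := false
	for _, e := range l.Entries {
		if e.Package == pkg && e.Version == version {
			found = e.ArtifactDigest == want // later entries override earlier metadata
		}
	}
	return found
}

func main() {
	_, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed publisher key
	var l Log
	l.Append("example/app", "1.0.0", "commit-placeholder", []byte("constructed package bytes"), priv)
	fmt.Println("log valid:", l.Verify() == nil)
	l.Entries[0].ArtifactDigest = "0000" // tampering with history is detected
	fmt.Println("log valid after tampering:", l.Verify() == nil)
}
```

Verification is done by the consumer with nothing but the log and the publisher's public key, which is the point of the design: trust comes from checkable facts about the package rather than from whichever node delivered it.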
GUIDING PRINCIPLES
- Represents data in formats that are both machine- and human-readable.
- Built on open standards for the open source community.
- Focuses on collecting and communicating facts, and provides a framework to make assertions about those facts.
Gain confidence by having transparency on the source of the packages you need
ACTORS & ENTITIES
SOURCE REVISION
ARTIFACT DESCRIPTIONS
IMMUTABLE LEDGER
DISTRIBUTED NETWORK
REPUTABLE PARTNERS
KEY CONCEPTS
PACKAGES
are the specific file(s) consumed by developers to build their software
ARTIFACTS
are the abstraction of specific package types (e.g. Docker or Conan), which are loosely binary blobs
NODES
are the software that connects systems together. They provide local access to package managers.
NETWORK
refers to the whole interconnected system of nodes and the various mechanisms they use to communicate with one another
COMPOSABLE ELEMENTS
- A single application service provides a universal API for seamless integration options
- An accompanying command line interface provides easy access to all the key functions of the service
- Targets developer systems, with the flexibility to be deployed anywhere, even the cloud
- Simplified network topology for how nodes connect, reducing complexity for a more deterministic outcome.
DEVELOPER WORKFLOW
SIMPLE INSTALLATIONS
Get started with a one-step installer, followed by generating signing keys.


OBTAIN YOUR DEPENDENCIES
Build your project as you always would. In this example we are downloading a container image with Docker. We are then able to inspect the artifact and check the source.