
Pyrsia sets out to be the torch that lights up the open-source supply chain.

THE PROBLEM WITH OPEN SOURCE SECURITY

Not knowing where all your software comes from means hard-to-spot risks to the integrity of your services. Without constant identity checks and safety protocols for keys and secrets, open source dependencies can open the door to breaches, exploits and supply chain attacks.

WHERE DOES PYRSIA FIT IN...

What does Pyrsia address in SLSA's threat landscape?
Firmly the "dependencies" section. The only way to obtain confidence is to have detailed, transparent information across the whole supply chain.

WHAT PYRSIA SETS OUT TO PROVIDE

  • Confident provenance of the package (e.g. signed commits, build log attestations, non-repudiation of the publisher)
  • Immutable history (e.g. a transparency log of every package in its original state and of its metadata as it changes over time)
  • Secure and efficient distribution (e.g. verifiable integrity of the package and its source)
  • Fault tolerance - decentralized nodes over a P2P network provide fault tolerance

GUIDING PRINCIPLES

  • Represents data in formats that are both machine- and human-readable.
  • Built on open standards for the open source community.
  • Focuses on collecting and communicating facts; and provides a framework to make assertions about those facts.

Gain confidence by having transparency on the source of the packages you need

ACTORS & ENTITIES

Attestations provide non-repudiation, so developers know exactly who wrote the code, how it was built and how the artifact was published. Building on standards ranging from Sigstore's Cosign to npm package signing allows developers to rapidly add their containers to the Pyrsia network alongside their favorite container registries. Other notable efforts include Notary V2.

SOURCE REVISION

Open interoperable standards such as Git commit signatures help to pin down the exact commit the source code originates from. Know the author and the commit that introduced the code. Know who built and published the code from their secured environment.

ARTIFACT DESCRIPTIONS

Open interoperable standards such as the Linux Foundation's SPDX, OWASP CycloneDX, or Build Info are used to collect and communicate facts about packages. Leverage and integrate with the technologies you are already relying on to secure your supply chain.

IMMUTABLE LEDGER

Every package ever published is recorded forever in an unchanging ledger. The ledger persists consistent, reproducible data pointing to a uniquely identifiable artifact that is always available in the network.
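The ledger and artifact-description ideas above can be illustrated with a small hash-chained transparency log. This is an added example written for this page, not Pyrsia's own code or data model: the artifact bytes, publisher identity, package names and commit ids are constructed placeholders, and the record schema is a deliberately simplified stand-in for SBOM or build-info facts. It shows how each record commits to the artifact's SHA-256 digest and to the previous record, so that a downloaded artifact can be checked against the ledger and any later edit to a recorded entry breaks the chain.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, replace
from typing import List, Optional

# Constructed sample bytes standing in for a downloaded artifact.
SAMPLE_ARTIFACT = b"example package contents v1.0.0"

GENESIS_HASH = "0" * 64  # prev_hash of the very first ledger entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class LedgerEntry:
    """Facts recorded about one published artifact (simplified schema, an assumption)."""
    package: str
    version: str
    artifact_sha256: str   # digest of the artifact bytes as originally published
    publisher: str         # hypothetical publisher identity
    source_commit: str     # hypothetical source commit id
    prev_hash: str         # hash of the previous entry; this is what chains the log

    def canonical(self) -> bytes:
        # Canonical JSON (sorted keys, no whitespace) so every node hashes identically.
        return json.dumps(asdict(self), sort_keys=True, separators=(",", ":")).encode()

    def entry_hash(self) -> str:
        return sha256_hex(self.canonical())


class TransparencyLog:
    """Append-only log; entries are never edited, only appended."""

    def __init__(self) -> None:
        self.entries: List[LedgerEntry] = []

    def head(self) -> str:
        # The head hash is what a node would publish or sign so the newest
        # entry cannot be silently swapped (chaining alone only protects
        # entries that already have a successor).
        return self.entries[-1].entry_hash() if self.entries else GENESIS_HASH

    def append(self, package: str, version: str, artifact: bytes,
               publisher: str, source_commit: str) -> LedgerEntry:
        entry = LedgerEntry(package, version, sha256_hex(artifact),
                            publisher, source_commit, self.head())
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        # Recompute every link; any modified entry with a successor is detected.
        expected_prev = GENESIS_HASH
        for entry in self.entries:
            if entry.prev_hash != expected_prev:
                return False
            expected_prev = entry.entry_hash()
        return True

    def find(self, package: str, version: str) -> Optional[LedgerEntry]:
        for entry in self.entries:
            if entry.package == package and entry.version == version:
                return entry
        return None


def verify_download(log: TransparencyLog, package: str, version: str, data: bytes) -> bool:
    """True only if the ledger knows this package/version and the bytes match its digest."""
    entry = log.find(package, version)
    if entry is None:
        return False
    return hmac.compare_digest(entry.artifact_sha256, sha256_hex(data))


def demo() -> dict:
    log = TransparencyLog()
    log.append("example-lib", "1.0.0", SAMPLE_ARTIFACT, "publisher@example.invalid", "commit-placeholder-1")
    log.append("example-lib", "1.0.1", b"example package contents v1.0.1", "publisher@example.invalid", "commit-placeholder-2")
    results = {
        "chain_ok": log.verify_chain(),
        "download_ok": verify_download(log, "example-lib", "1.0.0", SAMPLE_ARTIFACT),
        "download_bad": verify_download(log, "example-lib", "1.0.0", b"not the published bytes"),
        "unknown_pkg": verify_download(log, "example-lib", "9.9.9", SAMPLE_ARTIFACT),
    }
    # Simulate someone rewriting history: swap the first entry's digest in place.
    log.entries[0] = replace(log.entries[0], artifact_sha256=sha256_hex(b"swapped"))
    results["chain_after_tamper"] = log.verify_chain()
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The chain check only catches edits to entries that have a successor; the `head()` value is what a node would need to publish or sign so that the most recent entry is equally protected.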

DISTRIBUTED NETWORK

Nodes connect through relays to discover each other. When a node downloads a package requested by a peer, the package is cached, and the node seeds it to the network when another node looks for the same package. This provides a robust and highly available package ecosystem that is not limited by a central repository.

REPUTABLE PARTNERS

In order to bootstrap trust, only a select few reputable entities will build and publish images. These images will be available to everyone. Participants of the OpenSSF will all have the chance to volunteer their resources to help establish the first distributed network, but we are most excited for the future!

KEY CONCEPTS

PACKAGES

are the specific file(s) consumed by developers to build their software.

ARTIFACTS

are the abstraction of specific package types (e.g. Docker or Conan), which are loosely binary blobs.

NODES

are the software that connects systems together. They provide local access to package managers.

NETWORK

refers to the whole interconnected system of nodes and the various mechanisms they use to communicate with one another.

COMPOSABLE ELEMENTS

  • A single application service provides a universal API for seamless integration options
  • An accompanying command line interface provides easy access to all the key functions of the service
  • Targets developer systems, with the flexibility to be deployed anywhere, even the cloud
  • Simplified network topology for how nodes connect, reducing complexity for a more deterministic outcome

DEVELOPER WORKFLOW

SIMPLE INSTALLATIONS

Get started with a one-step installer, followed by generating your signing keys.

[Screenshot: Pyrsia installation command]
[Screenshot: downloading a container image with Docker]

OBTAIN YOUR DEPENDENCIES

Build your project as you always would. In this example we download a container image with Docker, then inspect the artifact and check its source.