Pyrsia sets out to be the torch that lights up the open-source supply chain.
THE PROBLEM WITH OPEN SOURCE SECURITY
Not knowing where all your software comes from means hard-to-spot risks to the integrity of your services. Without constant identity checks and safety protocols for keys and secrets, open source dependencies can open the door to breaches, exploits and supply chain attacks.
WHERE DOES PYRSIA FIT IN...
What does Pyrsia address in SLSA's threat landscape?
Firmly in the "dependencies" section. The only way to obtain confidence is to have detailed, transparent information across the supply chain.
WHAT PYRSIA SETS OUT TO PROVIDE
- Confident provenance of the package (e.g. signed commits, build-log attestations, non-repudiation of the publisher)
- Immutable history (e.g. a transparency log of every package in its original state, and of its metadata as it changes over time)
- Secure and efficient distribution (e.g. verifiable integrity of the package and its source)
- Fault tolerance (decentralized nodes over a P2P network)
- Represents data in formats that are both machine- and human-readable.
- Built on open standards for the open source community.
- Focuses on collecting and communicating facts, and provides a framework to make assertions about those facts.
Gain confidence by having transparency on the source of the packages you need
ACTORS & ENTITIES
The specific file(s) consumed by developers to build their software.
The abstraction over specific package types (e.g. Docker or Conan), which are loosely binary blobs.
The software that connects systems together; it provides local access to package managers.
The whole interconnected system of nodes and the various mechanisms they use to communicate with one another.
- A single application service provides a universal API for seamless integration options
- An accompanying command line interface provides easy access to all the key functions of the service
- Targets developer systems, with the flexibility to be deployed anywhere, even the cloud
- Simplified network topology for how nodes connect, reducing complexity for a more deterministic outcome
Get started with a one-step installer, followed by generating signing keys.
OBTAIN YOUR DEPENDENCIES
Build your project as you always would. In this example we download a container image with Docker. We are then able to inspect the artifact and check its source.
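To make the "immutable history" and "verifiable integrity" claims above concrete, here is an added example (not Pyrsia's own code) of the check a consumer performs after downloading an artifact: an append-only, hash-chained transparency log records each package's digest at publish time, the chain is verified so no earlier entry can be rewritten unnoticed, and the downloaded bytes are compared against the recorded digest. Publisher signatures, which give the non-repudiation property, are assumed to sit on top of this and are not shown; the package names, versions, digests and publisher name are constructed for the example.

```python
import copy
import hashlib
import json

# Constructed sample artifacts standing in for package binaries (not real packages).
SAMPLE_ARTIFACTS = {
    ("example-lib", "1.0.0"): b"constructed artifact bytes, version 1.0.0",
    ("example-lib", "1.1.0"): b"constructed artifact bytes, version 1.1.0",
}

GENESIS = "0" * 64  # previous-hash value used for the first log entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same record always hashes identically on every node.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(prev_hash.encode() + payload)


def append_entry(log: list, record: dict) -> list:
    """Append a publish record, chaining it to the previous entry's hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev_hash, "record": record, "hash": entry_hash(prev_hash, record)})
    return log


def verify_chain(log: list) -> bool:
    """True only if every entry links to its predecessor and hashes to its stored value."""
    prev = GENESIS
    for entry in log:
        if entry["prev"] != prev or entry_hash(prev, entry["record"]) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def verify_artifact(log: list, name: str, version: str, blob: bytes) -> bool:
    """Downloaded bytes must match the digest recorded for exactly one log entry.

    Two entries for the same name/version would mean the version was republished,
    which is treated as a failure rather than silently trusting the newer one.
    """
    matches = [e["record"] for e in log
               if e["record"]["name"] == name and e["record"]["version"] == version]
    if len(matches) != 1:
        return False
    return matches[0]["sha256"] == sha256_hex(blob)


def build_sample_log() -> list:
    """Publish the constructed artifacts into a fresh log."""
    log = []
    for (name, version), blob in SAMPLE_ARTIFACTS.items():
        append_entry(log, {
            "type": "docker",            # package type abstraction, as on the page
            "name": name,
            "version": version,
            "sha256": sha256_hex(blob),  # digest of the artifact in its original state
            "publisher": "example-publisher",  # constructed; real logs carry a signature
        })
    return log


def tampered_copy(log: list) -> list:
    """A copy of the log with the first entry's digest rewritten after the fact."""
    bad = copy.deepcopy(log)
    bad[0]["record"]["sha256"] = sha256_hex(b"constructed replacement bytes")
    return bad


if __name__ == "__main__":
    log = build_sample_log()
    blob = SAMPLE_ARTIFACTS[("example-lib", "1.0.0")]
    print("chain intact:", verify_chain(log))
    print("artifact matches log:", verify_artifact(log, "example-lib", "1.0.0", blob))
    print("rewritten history detected:", not verify_chain(tampered_copy(log)))
```

Because each entry's hash covers the previous hash, changing any historical record invalidates every entry after it, which is what lets independent nodes agree on one history; the consumer-side check only needs the log, the downloaded bytes and a hash function.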