Software Library Package Management (npm, PyPI, etc.)
We built Asset Transparency to be integrated with existing tools. We would be delighted to integrate the technology with critical web and software infrastructure.
For package managers, Asset Transparency can add substantial value:
- Protecting downstream package consumers from credential compromises that modify existing releases by making those changes detectable.
- Providing package management hosting services the ability to audit and recover from attacks that put the integrity of the package archive into question.
- Increasing trust with users by showing that there is a third-party safeguard protecting their project from unexpected code additions.
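The first bullet above is the core mechanism: once a release's digest is in an append-only log, a later in-place modification of that release can be detected by anyone who checks the bytes they received against the log. The following is an added example written for this page, not code from the Asset Transparency project, showing a minimal RFC 6962-style Merkle log in Python. The record format (`name@version sha256:<hex>`), the package names, the artifact bytes and the checkpoint handling are all constructed for the illustration; the real project's record layout is not described on this page. The example walks through the consumer check (genuine vs. swapped artifact), the monitor's view of a duplicate record for the same version, and what happens to a trusted checkpoint if a log entry is rewritten.

```python
import hashlib
from typing import List

def leaf_hash(entry: bytes) -> bytes:
    # RFC 6962 domain separation: 0x00 for leaves, 0x01 for interior nodes,
    # so an interior node can never be presented as a logged entry.
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    """Largest power of two strictly less than n (RFC 6962 tree shape)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def merkle_root(leaves: List[bytes]) -> bytes:
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def inclusion_proof(leaves: List[bytes], index: int) -> List[bytes]:
    """Sibling hashes on the path from leaf `index` up to the root."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [merkle_root(leaves[k:])]
    return inclusion_proof(leaves[k:], index - k) + [merkle_root(leaves[:k])]

def verify_inclusion(leaf: bytes, index: int, size: int,
                     proof: List[bytes], root: bytes) -> bool:
    """Consumer-side check (RFC 9162, 2.1.3.2): is `leaf` at `index` of the
    `size`-leaf tree whose root the consumer already trusts?"""
    if index >= size:
        return False
    fn, sn, r = index, size - 1, leaf
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while fn and not fn & 1:  # skip levels with no right sibling
                fn >>= 1
                sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root

# The log itself is an append-only list of records; a record (format assumed
# here) binds a package name and version to the digest of the published bytes.
def release_record(name: str, version: str, artifact: bytes) -> bytes:
    return f"{name}@{version} sha256:{hashlib.sha256(artifact).hexdigest()}".encode()

def log_leaves(log: List[bytes]) -> List[bytes]:
    return [leaf_hash(rec) for rec in log]

def records_for(log: List[bytes], name: str, version: str) -> int:
    # Monitor's view: how many records claim to be this name@version?
    prefix = f"{name}@{version} ".encode()
    return sum(1 for rec in log if rec.startswith(prefix))

def verify_download(log: List[bytes], trusted_root: bytes, trusted_size: int,
                    name: str, version: str, artifact: bytes) -> bool:
    """Consumer: accept the bytes only if exactly this digest was logged for
    name@version under a checkpoint (root, size) obtained out of band."""
    rec = release_record(name, version, artifact)
    if rec not in log[:trusted_size]:
        return False  # no logged release has this digest
    index = log.index(rec)
    proof = inclusion_proof(log_leaves(log[:trusted_size]), index)
    return verify_inclusion(leaf_hash(rec), index, trusted_size, proof, trusted_root)

def demo() -> dict:
    log: List[bytes] = []
    good = b"print('example-pkg 1.2.0')\n"  # constructed artifact bytes
    log.append(release_record("example-pkg", "1.2.0", good))
    log.append(release_record("other-pkg", "0.9.1", b"unrelated"))
    root, size = merkle_root(log_leaves(log)), len(log)  # trusted checkpoint
    # Credential compromise: the registry's copy of 1.2.0 is swapped in place.
    tampered = good.replace(b"1.2.0", b"1.2.0-modified")
    genuine_ok = verify_download(log, root, size, "example-pkg", "1.2.0", good)
    tampered_ok = verify_download(log, root, size, "example-pkg", "1.2.0", tampered)
    # The attacker can only append; a second record for the same version is
    # visible to anyone monitoring the log.
    log.append(release_record("example-pkg", "1.2.0", tampered))
    duplicates = records_for(log, "example-pkg", "1.2.0")
    # If the log operator rewrites entry 0 instead, the root of the first
    # `size` leaves no longer matches the checkpoint everyone already holds.
    log[0] = release_record("example-pkg", "1.2.0", tampered)
    rewritten_matches = merkle_root(log_leaves(log[:size])) == root
    return {"genuine_ok": genuine_ok, "tampered_ok": tampered_ok,
            "duplicate_entries_for_version": duplicates,
            "rewritten_log_matches_checkpoint": rewritten_matches}
```

Running `demo()` returns `genuine_ok` True and `tampered_ok` False: the swapped artifact's digest simply has no logged record, which is the detection the first bullet describes. The two follow-on results show why the log must be append-only and why consumers need a checkpoint from somewhere other than the log server: a second `example-pkg@1.2.0` record is something a monitor can alert on, and an edited entry changes the root so it no longer matches the checkpoint consumers hold.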
We believe that transparency logs may have a place verifying the contents viewed and downloaded by every end user, and there are many potentially interesting ideas to explore:
- How can we empower web developers to mark assets that should be verified against Asset Transparency with web standards (HTTP headers, sitemaps, etc.) and have the browsers enforce that?
- What sort of UX would help users understand a file they downloaded didn’t match the Asset Transparency digest entry?
- What would the UX look like if a user's Asset Transparency log becomes invalid through corruption or an attack?
- What would internet-scale caching infrastructure look like for Asset Transparency? There is prior art like OCSP proxies, DNS, etc.
Please start a discussion on the Transparency Log group about browsers and Asset Transparency.