
Google Assured Open Source Software (Assured OSS)

Product
Developers: Google
Date of the premiere of the system: 2022/05/18
Technology: Application Development Tools

2022: Plan to launch a repository of validated and trusted open source packages

On May 18, 2022, Google announced that it would launch a repository of validated and trusted open source packages.

Assured Open Source Software (Assured OSS) is useful for enterprise application developers who are concerned about supply chain problems.

The repository will contain distributable open source packages built from source code after its origin and all its dependencies have been verified. Before a package is built, the source code will also be checked and tested for vulnerabilities. The resulting packages will carry Google's digital signature and enhanced metadata conforming to the SLSA framework, to ensure the integrity of the supply chain.

Only a limited number of selected users will gain early access to the service. The stage of public testing is scheduled for the third quarter of 2022.

The service will be a paid one (to cover the infrastructure costs of building, hosting and testing packages, including automated fuzzing on more than 100 thousand cores), but prices have not yet been set.

To begin with, Assured OSS will have about 500 Java and Python packages used by Google. Over time, their number will grow and more programming languages will be covered. Users will also be able to submit the open source packages they use for validation and testing.

Studies show that enterprise software often uses outdated and vulnerable versions of open source components. Google intends to fix this problem by backporting security patches to older versions of packages, even if their developers do not.

In addition, Google will cooperate with the information security company Snyk, integrating its service into the Snyk platform and tools[1].

Notes