guac
| guac | wg-securing-software-https | |
|---|---|---|
| 4 | 1 | |
| 1,179 | - | |
| 1.2% | - | |
| 9.8 | - | |
| about 4 hours ago | - | |
| Go | ||
| Apache License 2.0 | - |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
guac
-
Double-Entry Bookkeeping as a Directed Graph
Interestingly I sort of went in the other direction at one point -- converting what was obviously a graph (build pipelines) into a from-to / credit-debit representation. On reflection it's just an edge list.
My main problem with adapting the representation was in the incommensurability of different kinds of asset moving through the pipeline. How does one credit source code and debit a blob store? I thought about learning more about multi-currency accounting as a source for ideas but never followed it up.
That effort inspired my thinking about a "Universal Asset Graph" for software[0] -- keeping track of not just containment but also movement and transformation of software. It's a partial but not complete inspiration for GUAC, which aims to capture software part relations for easy querying.
[0] https://theoryof.predictable.software/articles/some-requirem...
[1] https://guac.sh
-
Python 3.12.0 from a supply chain security perspective
> biggest takeaway from this article is the Supply chain Levels for Software Artifacts (SLSA) security framework
See also GUAC from Kusari, Google, Citi, and others:
“GUAC (Graph for Understanding Artifact Composition) aims to fill in the gaps by ingesting software metadata, like SBOMs, and mapping out relationships between software. When you know how one piece of software affects another, you’ll be able to fully understand your software security position and act as needed.”
https://guac.sh
https://www.kusari.dev
- Guac
- guac: Graph for Understanding Artifact Composition (GUAC) aggregates software security metadata into a high fidelity graph database—normalizing entity identities and mapping standard relationships between them
wg-securing-software-https
-
Python 3.12.0 from a supply chain security perspective
Great question! PyPI already supports Trusted Publishers [1], which gets you most of the benefits of SLSA build provenance (provable link between artifacts and a public software repository). Implementing Trusted Publishers is the recommended first step for ecosystems looking to implement build provenance [2].
[1] https://docs.pypi.org/trusted-publishers/
[2] https://github.com/ossf/wg-securing-software-https://docs.py...
I don't think there's a big effort /right now/ to implement complete SLSA build provenance for PyPI and expose it for users to verify.
What are some alternatives?
slsa-verifier - Verify provenance from SLSA compliant builders
encapsule
setuptools - Official project repository for the Setuptools build system