by philips 2121 days ago
I think a big step forward is for folks to pin versions of things. NPM and pip and many other systems let software depend on a semantic versioning of their dependencies, which makes it impossible to know what will be installed. If you at least know what is going to be installed and the URL is known, then you can rely on a third party notary to tell you the expected contents...

Which is what we are building with Asset Transparency, to provide a public transparency-log-backed database of URL content digests.

https://www.transparencylog.com

We have started to build tools for integrating into release pipelines too:

https://www.transparencylog.com/software-release-process-int...

I think it would be great to see package management systems use things like this. Go already does.

If anyone wants to get started quickly, check out our CLI tool:

https://github.com/transparencylog/tl


Notary is a signing scheme from the publisher. It is an improvement over GPG signing + a better scheme for signaling to clients the next version to update.

Asset Transparency doesn't require the publisher to be involved at all and can work on any URL on the internet that is publicly accessible. It is also complementary to signing schemes.

Here is the Asset Transparency CLI fetching and verifying the contents of a notary release for example:

    tl get https://github.com/theupdateframework/notary/releases/download/v0.6.1/notary-Linux-amd64

Or, if you are curious, hit the service’s lookup endpoint directly:

    curl http://beta-asset.transparencylog.net/lookup/github.com/theupdateframework/notary/releases/download/v0.6.1/notary-Linux-amd64
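As an added illustration (not the tl tool's code and not transparencylog.com's record encoding or API), here is a toy transparency log of (URL, digest) records with Merkle inclusion proofs, showing the two checks a client makes after a lookup like the one above: the downloaded bytes must hash to the logged digest, and the record must provably belong to the log. The leaf/node encoding, tree shape and sample entries are all constructed.

```python
import hashlib

def leaf_hash(url: str, digest_hex: str) -> bytes:
    # Domain-separated hash of a "url digest" record (constructed format).
    return hashlib.sha256(b"\x00" + f"{url} {digest_hex}".encode()).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_tree(leaves):
    """Merkle tree levels, leaves first; an unpaired node is promoted unchanged."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([node_hash(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def log_lookup(entries, url):
    """Log side: answer a lookup with the recorded digest, an inclusion proof and the root."""
    leaves = [leaf_hash(u, d) for u, d in entries]
    levels = build_tree(leaves)
    index = next(i for i, (u, _) in enumerate(entries) if u == url)
    proof, i = [], index
    for level in levels[:-1]:
        sib = i ^ 1
        if sib < len(level):
            proof.append((level[sib], sib < i))  # (sibling hash, sibling is on the left)
        i //= 2
    return entries[index][1], proof, levels[-1][0]

def verify_download(url, content, digest_hex, proof, root):
    """Client side: bytes must match the logged digest, and the (url, digest)
    record must hash up through the proof to the trusted root."""
    if hashlib.sha256(content).hexdigest() != digest_hex:
        return False
    h = leaf_hash(url, digest_hex)
    for sib, sib_is_left in proof:
        h = node_hash(sib, h) if sib_is_left else node_hash(h, sib)
    return h == root

# Constructed sample log and asset; the URL is the one from the comment above.
ASSET_URL = "https://github.com/theupdateframework/notary/releases/download/v0.6.1/notary-Linux-amd64"
ASSET_BYTES = b"constructed stand-in for the notary-Linux-amd64 binary"
ENTRIES = [
    ("https://example.org/a.tar.gz", hashlib.sha256(b"a").hexdigest()),
    (ASSET_URL, hashlib.sha256(ASSET_BYTES).hexdigest()),
    ("https://example.org/c.zip", hashlib.sha256(b"c").hexdigest()),
]
```

A real client would pin the log root (or check it against gossip/witnesses) rather than trust whatever root the lookup returns; here the root is passed in as that trusted value.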