The working group exists to help the maintainers of software repositories, software registries, and the tools that rely on them. It is both a forum for sharing experiences and discussing common problems (for more information, see Communication) and a place to publish content that benefits package repositories.
This is a list of materials (surveys, documents, proposals, and so on) released by the OpenSSF Securing Software Repositories Working Group.
A security maturity model for package repositories, for assessing current capabilities and planning future improvements.
Guidance for package repositories on adopting Trusted Publishers, which authenticate publishing from hosted build environments with short-lived identity tokens instead of long-lived credentials.
Guidance for package registries on adopting build provenance, which verifiably links a package back to its source code and build instructions.
A proposal for introducing build provenance and cryptographic signatures to the Homebrew package manager.
A survey of the security mechanisms and features implemented across the different ecosystems, as they pertain to security-critical user journeys.