The motivation of the working group is to focus on helping maintainers of software repositories, software registries, and tools that rely on them. It is both a forum to share experiences and discuss shared problems (for more information, see Communication) and a place to publish content that benefits package repositories.
This is a list of materials (surveys, documents, proposals, and so on) released by the OpenSSF Securing Software Repositories Working Group.
A security maturity model for package repositories, for assessing current capabilities and roadmapping future improvements.
Guidance for package registries adopting or revising a package deletion policy.
Guidance for package repositories in adopting Trusted Publishers to authenticate publishing from hosted build environments without using long-lived credentials.
Guidance for package registries in adopting build provenance to verifiably link a package back to its source code and build instructions.
A proposal for introducing build provenance and cryptographic signatures to the Homebrew package manager.
A survey/landscape of the security mechanisms and features implemented across the different ecosystems as they pertain to security-critical user journeys.