Does Elm follow some reference implementations in terms of updating packages or do we need something like The Update Framework?
The Update Framework (TUF) helps developers maintain the security of software update systems, providing protection even against attackers that compromise the repository or signing keys. TUF provides a flexible framework and specification that developers can adopt into any software update system.
I’m just wondering whether this project could be a good fit for Elm or not
Though TUF technologies have been customized to meet end-user specifications, four core principles continue to be central to its design.
The first is separation of responsibilities for signing metadata, which means one compromised key does not automatically compromise all repository users.
The second specifies a fixed number of signatures agreeing to the authenticity of what is presented in the metadata that accompanies an update before the server will download it.
A third principle works to help a repository to recover quickly from a compromise by providing an automatic way to revoke signing keys. By doing so, hackers can not sign metadata to authenticate malware.
Lastly, TUF keeps the most vulnerable signing keys offline, which greatly reduces the risk that they can be stolen or compromised.
I don’t see that the Elm package system follows any of this, other than incidentally some aspects of 3 carrying over from the fact that a user account on GitHub could have its password reset in the event of being hacked.
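As an added illustration of principles two and three above (not code from the original post, from TUF, or from the Elm package tooling): a verifier that accepts role metadata only when a threshold of distinct, currently authorized keys has signed it, and that treats a key removed from the root's key list as revoked. The key store, root and targets metadata are constructed, and HMAC-SHA256 stands in for the asymmetric signatures TUF actually uses.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the verifier's trusted key store. In TUF these would be
# Ed25519 or RSA public keys; here each key is a shared secret and a "signature"
# is an HMAC-SHA256 over the canonical metadata bytes. The point of the example is
# the role / threshold / revocation logic, not the signature primitive.
KEYS = {"k1": b"secret-1", "k2": b"secret-2", "k3": b"secret-3", "old": b"secret-old"}

def canonical(signed):
    # Signatures must be computed over one canonical encoding of the metadata.
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()

def sign(keyid, signed):
    return {"keyid": keyid, "sig": hmac.new(KEYS[keyid], canonical(signed), hashlib.sha256).hexdigest()}

def envelope(signed, keyids):
    return {"signed": signed, "signatures": [sign(k, signed) for k in keyids]}

def verify_role(root, role, env):
    """Accept env['signed'] only if at least `threshold` distinct keys that root
    currently authorizes for `role` have produced valid signatures over it."""
    role_def = root["roles"][role]
    authorized = set(role_def["keyids"])
    payload = canonical(env["signed"])
    good = set()
    for s in env["signatures"]:
        kid = s["keyid"]
        if kid not in authorized or kid in good:
            continue  # key unknown or revoked, or the same key counted twice
        expected = hmac.new(KEYS[kid], payload, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, s["sig"]):
            good.add(kid)
    return len(good) >= role_def["threshold"]

# Constructed root metadata: the targets role needs 2 of 3 keys. "old" is revoked
# simply by no longer being listed (in TUF the offline root keys sign this new root).
ROOT = {"roles": {"targets": {"keyids": ["k1", "k2", "k3"], "threshold": 2}}}

# Constructed targets metadata describing one package tarball; hash and length
# are computed from made-up bytes.
TARBALL = b"constructed tarball bytes"
TARGETS = {"version": 7, "targets": {"example/pkg-1.0.0.tar.gz": {
    "length": len(TARBALL), "hashes": {"sha256": hashlib.sha256(TARBALL).hexdigest()}}}}

if __name__ == "__main__":
    print(verify_role(ROOT, "targets", envelope(TARGETS, ["k1", "k2"])))   # True
    print(verify_role(ROOT, "targets", envelope(TARGETS, ["k1", "k1"])))   # False: one key twice
    print(verify_role(ROOT, "targets", envelope(TARGETS, ["old", "k1"])))  # False: revoked key
```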
I wanted to do a review of all things relevant and interesting for Elm but didn’t get the time to do so yet. Nevertheless I encourage people interested in the matter to watch some of the talks of that conference!
Currently, there isn’t dedicated work toward supply chain security in Elm other than verifying tarball checksums, and other than what GitHub has in place since packages are required to be GitHub repositories.