* Release of Package Managers
Suppliers release packages to distributors. A package by itself carries no proof of authenticity; a signing authority belonging to the distributor is tasked with adding one.
However, there is no verifiable information about the relationship that exists between the original package producer
and the distributor.
Consumers often rely implicitly on the statement made by the distributor about the supplier.
A consumer of a released software wants:
to understand and verify that an actual relationship exists between the producer or supplier of a certain software component package and the signing authority of that software component package.
There is no standardized way to:
enable the consumer to verify that a well-known trusted relationship between these actors exists for a certain software component package and is still valid.
* Multi-party Evaluation of a Released Software Component or Package
In the IT industry it is common practice that once a software product is released, it is evaluated on various aspects.
For example, an auditing company, a code review company or a government body examines the software product and
issues authoritative reports about it. End users (consumers or distribution entities)
use these reports to assess whether the software product is fit for use or of low quality.
There are multiple such authoritative bodies that make such assessments. Discovering all sources of such reports
and/or the identities of the authoritative bodies adds significant cost to the end user or consumer.
A consumer of released software wants:
to offload the burden of identifying all relevant authoritative entities to a single entity that does this on their behalf
to offload the burden of filtering and selecting all statements applicable to the released software product to an entity that does this on their behalf
to make informed decisions about which authoritative entities to believe, based on the best possible visibility of all authoritative entities
There is no standardized way to:
aggregate large numbers of related statements in one place and discover them there
reference other statements from within a statement
identify or discover all (or at least a critical mass of) relevant authoritative entities
* Security Analysis of a Software Product
This use case is a specialization of the use case above.
Multiple security researchers often run sophisticated security analysis tools on a software package.
The intention is to identify any security weaknesses or vulnerabilities in the package.
A particular analysis may identify a simple weakness in the software component.
Over a period of time, another security researcher may identify a known vulnerability in the same
software package.
// TO DO COMPLETE THIS...
* Promotion of a Software Component by multiple entities
* Auditing of Software Component
What the auditor would like to see ???
* Authentic Software Components in Air-Gapped Infrastructure
* Firmware Delivery to large set of constrained IoT Devices
--> Remove the Introduction
Or merge the text into the main body...
* Rewrite Software Integrator assembling a software product for a smart car
==> Reproducible Build Use Case