September 19-21, 2023
Bilbao, Spain
View More Details & Registration
Note: The schedule is subject to change.

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for Open Source Summit Europe 2023 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

This schedule is automatically displayed in Central European Summer Time (UTC/GMT +2). To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date."

IMPORTANT NOTE: Timing of sessions and room locations are subject to change.

Back To Schedule
Thursday, September 21 • 12:50 - 13:30
Will Large-Scale Automated Scanning Stop Malware on OSS Repositories? - Zachary Newman, Chainguard, Inc.

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.

Both academic research and products in industry will scan software for malware. Occasionally, someone suggests that OSS package repositories run one of these tools every time a package gets published to stop malware before it starts. However, a look at the Python’s PyPI, which rolled out such a system in 2020, shows why this doesn’t work, and likely can’t given current approaches to malware detection. This talk is a case study of PyPI to identify requirements for automated malware scanning. Critically, the huge number of packages uploaded to PyPI each week (and the small, all-volunteer team that responds to malware reports) mean that even tiny false-positive rates that would awe malware researchers would create endless work for the PyPI team. There’s good news, however: an equilibrium has emerged, with third-party (human) researchers running their own scanners, then reporting true positives. And surprisingly, malware on these repositories doesn’t alarm the administrators compared with other supply chain threats. The moral: you can’t design solutions without listening to the needs of the open source maintainers who would use it. Anybody who works on package repositories or worries about downloading malware packages from these repositories will learn something from this talk.

avatar for Zachary Newman

Zachary Newman

Research Scientist, Chainguard, Inc.
Zack is passionate about developer tooling, supply chain security, and applied cryptography. After 4 years as a software engineer and tech lead on Google Cloud SDK, he moved to MIT CSAIL to research authenticated data structures and Tor network performance. Now, as a research scientist... Read More →

Thursday September 21, 2023 12:50 - 13:30 CEST
Room 3H (3JAUREGIA - Floor 3)