From the experts of binary management, JFrog, comes Pyrsia. Pyrsia is a solution to the open source software supply chain like nothing you’ve seen before. You can read a little about it here, here and here.
My high level synopsis is: It’s crazy we install open source software from builds that are not verified. Sure it’s convenient, but you might as well leave your front door open.
Pyrsia is a work in progress, but it solves all of this. Trusted entities run a Pyrsia node that builds the source and everything lives in a blockchain. This is not a blockchain to make wealth or one that will use up power plants to mine coins, this is a blockchain with a purpose. The source-to-binary transition (software supply chain) hashes are all verified and authenticated so when you download something you know a binary was built from a specific source. Take this a step further, and any security audit done will be given back to the community — so big or small companies will benefit and the entire sofware supply chain is much better off.
This is a war to protect all CPU cycles against bad actors. I guarantee we are all running trojan horses in packages or libraries we’ve installed via some package manager at one point or another. It’s impossible to protect against. Pyrsia solves this. This is why Oracle is getting involved.
If you have any questions or for interactive support and community check out Oracle’s public Slack channel for developers.