SPAM: Secure PAckage Manager
Fraser Brown, Ariana Mirian, Atyansh Jaiswal, Andres Nötzli, Deian Stefan
Topics
package managers, security, software supply chain, Byzantine fault tolerance
Abstract
This paper presents SPAM (Secure PAckage Manager), a framework for package management that uses a federated Byzantine fault tolerant system to provide strong security guarantees in the software supply chain.
Key Features
- Byzantine Fault Tolerance: Provides security guarantees even when some nodes are compromised
- Protection Against Malicious Actors: Defends against malicious developers, registries, and integration services
- Federated Trust Network: Ties developer keys with online identities
- Endorsement System: Builds trust through a network of endorsements
- Supply Chain Security: Addresses fundamental security issues in modern package ecosystems
Research Context
This work was part of my graduate research at UC San Diego, addressing the critical problem of trust in package management systems. As software increasingly relies on third-party dependencies, securing the package supply chain becomes essential for preventing malicious code injection and supply chain attacks.
For the full paper, please see the PDF link.