Abstract: Dependency graphs show where released code can flow, while leaving implicit whether the public path used to publish a release changed. We introduce a predecessor-aware release-authority record that compares each package release with its immediate predecessor across publisher, repository, workflow, provenance, signing, and mediation evidence.
We instantiate the record over a purposefully sampled, audited April 2024--June 2026 cohort from npm, PyPI, Maven Central, this http URL, and RubyGems: 45,812 releases, 43,100 eligible predecessor comparisons, and 942 package coordinates. Go is reported separately as a VCS/proxy/checksum-log boundary adapter. Transparent rules identify 204 policy-triggering public release-path discontinuities. The exact trigger policy is the primary candidate queue. A uniform semantic-distance rule selects 320 releases and covers 190/204 triggers; a descriptive regime-specific rule selects 337 releases and covers all 204. In a blinded 60-row shared core, three practitioners rated 20/30 triggers as immediate review, 9/30 as monitoring, 1/30 as no review, and all 30 controls as no review.
These signals are review cues over public release-path evidence. Exact malicious versions in our external alignment have zero overlap with the policy triggers. Same-path compromise, unchanged compromised CI, and versions absent from public snapshots require separate evidence beyond this release-path record.
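As an added illustration (not the paper's code or data), the predecessor comparison the abstract describes, sketched in Python: each release is compared with its immediate predecessor on the same coordinate across the six evidence dimensions, a uniform semantic distance counts the changed dimensions, and a trigger fires when a dimension from an assumed trigger set changes. The field names, the publication-time ordering, the trigger set and the sample records are assumptions, not the paper's rules.

```python
from dataclasses import dataclass

# Evidence dimensions compared between a release and its predecessor (assumed names).
PATH_FIELDS = ("publisher", "repository", "workflow", "provenance", "signing", "mediation")

@dataclass(frozen=True)
class Release:
    coordinate: str   # ecosystem-qualified package name, e.g. "npm:example-pkg"
    version: str
    published: int    # epoch seconds; defines which release is the predecessor
    path: dict        # dimension -> observed value (None = evidence absent)

def changed_dimensions(prev, cur):
    """Dimensions whose observed value differs from the immediate predecessor."""
    return {f for f in PATH_FIELDS if prev.path.get(f) != cur.path.get(f)}

def release_path_rows(releases, trigger_fields=("publisher", "repository", "workflow")):
    """One row per eligible predecessor comparison (first release per coordinate has none).
    'distance' is the uniform semantic-distance count; 'trigger' is the assumed policy."""
    by_coord = {}
    for r in releases:
        by_coord.setdefault(r.coordinate, []).append(r)
    rows = []
    for coord, rs in by_coord.items():
        rs.sort(key=lambda r: r.published)
        for prev, cur in zip(rs, rs[1:]):
            changed = changed_dimensions(prev, cur)
            rows.append({"coordinate": coord, "from": prev.version, "to": cur.version,
                         "changed": sorted(changed), "distance": len(changed),
                         "trigger": bool(changed & set(trigger_fields))})
    return rows

# Constructed sample: two releases on the same path, then one published by a
# different account with no workflow, provenance or signature evidence.
STEADY = {"publisher": "maintainer-a", "repository": "git.example/org/pkg",
          "workflow": "release.yml", "provenance": "attested", "signing": "signed",
          "mediation": None}
SAMPLE = [
    Release("npm:example-pkg", "1.0.0", 100, dict(STEADY)),
    Release("npm:example-pkg", "1.0.1", 200, dict(STEADY)),
    Release("npm:example-pkg", "1.1.0", 300, {"publisher": "token-b",
            "repository": "git.example/org/pkg", "workflow": None,
            "provenance": None, "signing": None, "mediation": None}),
]

if __name__ == "__main__":
    for row in release_path_rows(SAMPLE):
        print(row)
```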
From: Igor Santos-Grueiro
[v1] Sun, 21 Jun 2026 16:58:53 UTC (45 KB)