
Pyrsia: Decentralized Package Network that Secures the Open Source Supply Chain

Blog post from JFrog

Post Details
Company: JFrog
Author: Sudhindra Rao
Word Count: 1,184
Language: English
Summary

Supply chain security in software development has become a critical focus due to the increasing exploitation of software vulnerabilities, particularly in open-source software, which forms the bulk of dependencies in proprietary software. JFrog addresses these concerns with Pyrsia, a decentralized package network designed to enhance the security and trustworthiness of open-source packages by using certified and peer-verified builds. Pyrsia operates through a system of random consensus, ensuring that packages are independently verified by multiple nodes before being committed to the network, which mitigates the risk of network attacks and improves resilience against outages. This approach parallels the distributed nature of power grids, aiming to provide a reliable and secure open-source supply chain. Pyrsia supports the distribution of Docker images and enhances CI system resilience by offering cached and verified images, allowing developers to continue using existing systems without modification while benefiting from improved security and efficiency.