Below is the letter from the TAC chair I wrote for the OpenSSF 2025 annual report.
Hello OpenSSF Community!
2025 has been a year of ups and downs.
In the public sector, lots of maintainers and consumers of open source software have questions about the European Union Cyber Resilience Act (EU CRA), which is why in 2025 we put together high-level guidance and a free course on understanding the EU CRA.
We collaborated with several package repositories on a wide variety of security capabilities, including the release of trusted publishing to crates.io, npm, and NuGet (trusted publishing helps get passwords and long-lived API keys out of build pipelines, which have become a target for attackers). Package repositories are central to open source and are seeing increasing demands which may require changing their operating model, which we outlined in our open letter Open Infrastructure is Not Free.
This year saw the release of the SLSA v1.1 specification and we’re continuing to see excitement around attestations as the key to understanding your software supply chain security. Sigstore is an incredibly popular way to sign those attestations (without having to manage long-lived keys!) and the Sigstore public good instance transparency log saw an explosion in growth from 5-6 million unique identities per month in January to 14-15 million unique identities per month in September.
We also saw the adoption of Sigstore in signing AI models including NVIDIA’s NGC Catalog based on the model signing specification of the AI/ML Security Working Group. This year also saw the conclusion of the AI Cyber Challenge to build cyber reasoning systems that demonstrate how LLMs and other AI advances can help defenders keep pace with attackers' use of AI.
Last but not least, the TAC (in collaboration with staff) revamped the funding process for OpenSSF technical initiatives. In 2024 we funded 6 proposals with $100,000 and in 2025 we expanded that to funding 14 proposals with $660,000. These proposals spanned security audits, a mentorship program, technical writers, design assistance, and development work, showcasing how OpenSSF technical initiatives are maturing over time, reflected in their evolving needs as they are adopted by wider communities.
Where do we go from here? You needn’t worry that we’ve solved all the problems in securing open source. There’s lots to look forward to in 2026, but let’s not forget all of our successes in 2025, even when we know there’s so much more to do.
More than anything else, what I took away from 2025 is the importance of community. All the security capabilities in the world don’t matter unless we’re working together towards our common goal of securing open source. There’s amazing energy in the OpenSSF - at conferences, in video calls, over online chats - and I can’t wait to see what 2026 brings.
See you online,
Zach Steindler
OpenSSF 2025 TAC Chair