History of Gossamer

The Phlogiston Era

In the beginning, there was the pipe-shell: Developers would use curl to retrieve install scripts and then pipe the output to sh. This was deemed reckless by the information security industry, and led to a lot of Twitter arguments about the Right Way™ to deliver source code.

On , Taylor Hornby wrote Triangle of Secure Code Delivery, inspired by Zooko's Triangle, which described a system that would be secure against different types of powerful adversaries.

Let's Make Security Easy As PIE

In , Paragon Initiative Enterprises (PIE for short) launched with ASGard as an enterprise solution to this problem while brainstorming a world-scale solution.

On , PIE launched a secure-by-default CMS called CMS Airship that offered secure code delivery for the core CMS as well as third-party dependencies.

Although we continued to innovate in this space, we weren't fully satisfied with solutions that didn't cover the entire PHP ecosystem. So we decided to think bigger. — Scott Arciszewski, October 2019

All For One and One For All

The original design for what would become Gossamer was originally proposed in , which led to the development of a proof-of-concept called HERD (Hash-Ensured Replicated Databases), which was named after the concept of herd immunity in pathology.

By combining the idea of maintaining a local snapshot of the current state of affairs from HERD with the original secure code delivery designs of Airship, we later arrived at a scalable design distinct from either of its predecessors.

Towards Securing the Entire PHP Ecosystem

On , PIE began development on sodium_compat—a pure-PHP implementation of (most of) libsodium, along their efforts to add ext/sodium to PHP 7.2.

Ticket #39309 was opened in the WordPress issue tracker on , which outlined the problem and proposed a simple and immediate solution to get WordPress to sign the core updates that are applied automatically.

In October 2017, PIE released Certainty, a utility for keeping CACert.pem files (used for connecting to HTTPS-secured websites with cURL) up-to-date. Part of the verification Certainty employs is powered by Chronicle: an append-only cryptographic ledger based on BLAKE2b.

WordPress Secures Their Automatic Updates

On , WordPress 5.2 was released to the world, which included a mechanism for verifying the Ed25519 signature before applying automatic updates. This effectively improved the security of 33% of the Internet in one fell swoop.

For WordPress users on versions of PHP older than 7.2, sodium_compat provided the cryptographic implementation with no binary dependencies (n.b. if ext/sodium is installed through PECL, sodium_compat defers to the binary implementation written in C for better performance).

However…

While signing core updates is a good way to prevent an attacker capable of compromising the WordPress update servers from getting immediate RCE on the entire WordPress ecosystem, Plugin and Theme updates were still vulnerable.

This presented a catch-22 for the WordPress community:

Enter, Gossamer

After a lot of careful engineering and internal review, PIE published the first draft of libgossamer and opened #49200 on WordPress Trac.

In 2021, PIE launched this website to track the multiple ongoing parallel efforts to secure WordPress and Composer with Gossamer.

And that's where we are !