From Chained Libraries to Sigstore: What 500 Years of History Teaches Us About Open Source Security 🚀
History and technology often feel like two parallel lines that never meet. However, Lisa Tagliaferri, a medieval and Renaissance historian turned open-source security expert, argues that the two are deeply intertwined. In a recent talk, Lisa shared how the ways we protected information in the 15th century mirror the ways we secure our software supply chains today.
Security is not a modern invention; it is an age-old negotiation of information. By looking backward, we can better understand how to move forward in the world of open-source security.
✉️ The Letter That Stayed Sealed for 300 Years
In 1697, a meticulously sealed letter was sent to the Hague. It never reached its recipient. For over 300 years, it remained unread—not because it was lost, but because it was “letter locked.”
In 2021, a multidisciplinary team at MIT—consisting of computer scientists, imaging specialists, and conservators—used X-rays and computational unfolding to read the letter without ever breaking the seal. This team didn’t just solve a mystery; they did it using open-access methods and open-source code. This marriage of history and modern technology proves that openness, rather than secrecy, is the ultimate engine for innovation.
🏰 The Vasari Corridor: Isolated Verified Channels
If you walk through Florence today, you will see the Vasari Corridor. Commissioned in 1565 by Cosimo I, this elevated passage allowed the Medici family to move secretly between their offices (the Uffizi) and their palace.
The corridor was a response to the Pazzi conspiracy of the late 15th century, where assassins attacked the Medici heirs. It represents a physical version of isolated verified channels. In the tech world, we use similar “corridors” to ensure our code moves from development to production without interference.
- Modern Parallel: Think of the SLSA (pronounced “salsa”) framework, in-toto, and Tekton projects. These tools create the same kind of secure, verified pathways for software that the Vasari Corridor provided for the Medici.
📚 Chained Libraries and Access Control 🔒
Before digital databases, there were chained libraries. At places like the Hereford Cathedral, books were literally chained to the shelves. If you wanted to read a text, the librarian would unlock a gate, and the chain would give you just enough slack to read the book at a nearby desk.
Even at the Bodleian Library at Oxford, users still have to pledge a centuries-old oath: “I will not set fire to this library.”
- Modern Parallel: This is access control in its rawest form. Just as the Vatican Library requires passports and interviews to access its archives, modern software relies on Role-Based Access Control (RBAC) and OAuth.
- The Registries: Think of PyPI and npm as our modern libraries. We have access to the “books” (packages), but they live in a controlled environment where the artifact’s location is verified.
✉️ Letter Locking: Integrity Built Into the Artifact 🛡️
Before the gummed envelope was invented in the 19th century, people used letter locking. This was a sophisticated way of folding paper so that the material itself became the security mechanism. If someone tampered with the letter, the paper would tear in a way that was impossible to hide.
Famous figures like Mary, Queen of Scots and Galileo used these techniques. The Brienne Collection contains 2,600 letters, including 600 that remained sealed for centuries.
- Modern Parallel: Letter locking is the perfect analogy for Sigstore. In both cases, integrity is baked into the artifact itself rather than added on at the end. It provides tamper evidence that anyone can verify.
- Non-destructive Analysis: Tools like Wolfi, GUAC, and SBOMs (Software Bill of Materials) act like the MIT X-ray team, allowing us to analyze the contents and security of a package without destroying or compromising it.
🎡 The Alberti Cipher: From Secrecy to Innovation 💡
Leon Battista Alberti, a true Renaissance man, created the first polyalphabetic cipher using a cipher disc. Because the substitution alphabet changed partway through a message, a given ciphertext letter no longer stood for a single plaintext letter, and this invention defeated frequency analysis for the first time in history.
Originally, Alberti wrote his treatise on cryptography in Latin—the language of the elite and powerful. However, 100 years later, his work was translated into vernacular Italian. This shift from a closed language to a common one allowed more people to understand, build upon, and innovate the technology. This democratization of knowledge directly informed:
- European diplomatic ciphers.
- Rotor machines of 1918.
- Modern digital cryptography and transparency logs.
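As an added illustration (not from the talk), a toy Alberti-style disc cipher in Python. It is a constructed 26-letter simplification of Alberti's disc (his had 20 letters plus digits, and a different mixed ring), and it shows why rotating the disc mid-message flattens the letter frequencies that a single substitution preserves.

```python
"""Alberti-style cipher disc (constructed simplification, not Alberti's
actual rings): the outer ring holds the plaintext alphabet, a mixed inner
ring holds the cipher alphabet, and the sender periodically rotates the
disc, announcing each new alignment with a capital letter in the text."""
from collections import Counter
import string

OUTER = string.ascii_uppercase          # stationary ring (plaintext letters)
INNER = "qwertyuiopasdfghjklzxcvbnm"    # movable ring, mixed (constructed)
INDEX = "k"                             # index letter on the inner ring


def _rotation(indicator: str) -> int:
    """Rotation that places INDEX beneath the outer letter `indicator`."""
    return (OUTER.index(indicator) - INNER.index(INDEX)) % 26


def encrypt(plaintext: str, indicators: str, period: int) -> str:
    """Encipher; every `period` letters the disc is re-aligned to the next
    indicator, which is written into the ciphertext as a capital letter."""
    text = "".join(ch for ch in plaintext.upper() if ch in OUTER)
    out, rot = [], 0
    for i, ch in enumerate(text):
        if i % period == 0:
            ind = indicators[(i // period) % len(indicators)]
            rot = _rotation(ind)
            out.append(ind)
        out.append(INNER[(OUTER.index(ch) - rot) % 26])
    return "".join(out)


def decrypt(ciphertext: str) -> str:
    """Capitals re-align the disc; lowercase letters are message text."""
    out, rot = [], 0
    for ch in ciphertext:
        if ch.isupper():
            rot = _rotation(ch)
        else:
            out.append(OUTER[(INNER.index(ch) + rot) % 26])
    return "".join(out)


def peak_frequency(ciphertext: str) -> int:
    """Count of the most common cipher letter (indicators excluded)."""
    counts = Counter(ch for ch in ciphertext if ch.islower())
    return max(counts.values()) if counts else 0


if __name__ == "__main__":
    msg = "EEEEEEEEEE"  # constructed: ten identical letters make the effect obvious
    print(encrypt(msg, "A", 10), peak_frequency(encrypt(msg, "A", 10)))   # one alphabet
    print(encrypt(msg, "AB", 5), peak_frequency(encrypt(msg, "AB", 5)))   # two alphabets
```

With a single alignment the ten E's all become the same cipher letter, so the frequency spike survives; re-aligning halfway splits them across two letters, which is the effect that blinded frequency analysis.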
🤝 Conclusion: The Stakes of Openness
The history of security teaches us one vital lesson: If we do not invite more people into security, we create closed systems of knowledge that stifle innovation.
Security technology—whether it is a paper fold, a Latin treatise, or a cryptographic signature—works best when it is accessible. We must continue to build pathways for interdisciplinary thought and diverse backgrounds to enter the field. When we keep security open, we don’t just protect our code; we accelerate our progress.
🙋‍♀️ Q&A with Lisa Tagliaferri
Audience Member: What has it felt like for you to become involved in open-source security with a non-security background, and what should others take away from that?
Lisa Tagliaferri: I came to security from open source originally. I believe that access drives innovation. Coming from a different background helps you see things from a different perspective, which is why inviting more people in and creating pathways for diverse involvement is so important for the future of this space. 🌟