Authors: Ian Lewis, Asra Ali
2023-04-21

tldr - powered by Generative AI

Attestation data is central to securing the software delivery pipeline, but it is only useful once a verification process has established that the attestation itself can be trusted.
  • Attestation data provides proof that an event happened and lets outputs of the software delivery pipeline be traced back to their inputs.
  • A verification process is necessary to ensure the integrity and authenticity of the attestation data before anything in it is relied on.
  • Integrity ensures that the attestation data cannot be tampered with after creation; authenticity identifies the creator of the attestation.
  • Non-forgeability and non-perishability ensure that the attestation content cannot be influenced by the users operating the pipeline.
  • Trust in the attestation data has to be established by verification, starting from zero trust in the pipeline and its operators rather than assuming the system is honest.
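The verification step the summary describes, as an added example (this is not code from the talk, nor from the SLSA or in-toto projects): a builder wraps an in-toto Statement carrying SLSA v0.2 provenance in a DSSE envelope and signs it; a consumer first checks the signature under a trusted key (authenticity and integrity), then checks that the subject digest is the artifact actually in hand and that the predicate names the expected builder. The Ed25519 key, the artifact bytes, the builder identity `https://ci.example.invalid/builder` and the key id are all constructed for the example; only the `builder.id` field of the predicate is inspected, whereas a production verifier also pins the source repository and resolves the signing key through a trust root.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Identifiers from the in-toto attestation and SLSA v0.2 provenance specs.
const (
	intotoPayloadType = "application/vnd.in-toto+json"
	statementType     = "https://in-toto.io/Statement/v0.1"
	slsaPredicateType = "https://slsa.dev/provenance/v0.2"
)

// Envelope is a DSSE envelope: a typed payload plus signatures over PAE(type, payload).
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"` // base64 of the Statement JSON
	Signatures  []Signature `json:"signatures"`
}
type Signature struct { KeyID string `json:"keyid"`; Sig string `json:"sig"` } // Sig is base64 of the Ed25519 signature

// Statement is the in-toto attestation: subjects (what was produced) plus a typed predicate (how).
type Statement struct {
	Type          string          `json:"_type"`
	Subject       []Subject       `json:"subject"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}
type Subject struct { Name string `json:"name"`; Digest map[string]string `json:"digest"` }

// PAE is DSSE's pre-authentication encoding; it binds the signature to the payload type, so a signed blob cannot be replayed as another kind of document.
func PAE(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// NewProvenance builds the Statement a builder would emit for artifact (builder id is a constructed value).
func NewProvenance(name string, artifact []byte, builderID string) Statement {
	sum := sha256.Sum256(artifact)
	pred, _ := json.Marshal(map[string]interface{}{"builder": map[string]string{"id": builderID}})
	return Statement{Type: statementType, PredicateType: slsaPredicateType, Predicate: pred,
		Subject: []Subject{{Name: name, Digest: map[string]string{"sha256": hex.EncodeToString(sum[:])}}}}
}

// Sign wraps stmt in a DSSE envelope signed with the builder's key.
func Sign(priv ed25519.PrivateKey, keyID string, stmt Statement) (Envelope, error) {
	payload, err := json.Marshal(stmt)
	if err != nil {
		return Envelope{}, err
	}
	sig := ed25519.Sign(priv, PAE(intotoPayloadType, payload))
	return Envelope{PayloadType: intotoPayloadType, Payload: base64.StdEncoding.EncodeToString(payload),
		Signatures: []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}}}, nil
}

// Verify is the consumer side: the payload is untrusted input until a signature checks out, and only then is policy applied.
func Verify(pub ed25519.PublicKey, env Envelope, artifact []byte, wantBuilder string) (*Statement, error) {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil || env.PayloadType != intotoPayloadType {
		return nil, fmt.Errorf("malformed envelope or unexpected payloadType %q", env.PayloadType)
	}
	// 1. Authenticity and integrity: some signature over PAE verifies under the trusted key.
	pae, signed := PAE(env.PayloadType, payload), false
	for _, s := range env.Signatures {
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		signed = signed || (err == nil && ed25519.Verify(pub, pae, sig))
	}
	if !signed {
		return nil, fmt.Errorf("no signature verifies under the trusted key")
	}
	var stmt Statement
	if err := json.Unmarshal(payload, &stmt); err != nil || stmt.Type != statementType || stmt.PredicateType != slsaPredicateType {
		return nil, fmt.Errorf("not a SLSA v0.2 provenance statement (%q, %q): %v", stmt.Type, stmt.PredicateType, err)
	}
	// 2. Binding: the attestation must be about this exact artifact, not merely signed by the right key.
	sum, bound := sha256.Sum256(artifact), false
	for _, s := range stmt.Subject {
		bound = bound || s.Digest["sha256"] == hex.EncodeToString(sum[:])
	}
	if !bound {
		return nil, fmt.Errorf("no subject digest matches the artifact")
	}
	// 3. Policy: the builder named in the provenance must be the one we expect.
	var p struct{ Builder struct{ ID string `json:"id"` } `json:"builder"` }
	if err := json.Unmarshal(stmt.Predicate, &p); err != nil || p.Builder.ID != wantBuilder {
		return nil, fmt.Errorf("builder %q is not the expected %q", p.Builder.ID, wantBuilder)
	}
	return &stmt, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	artifact, builder := []byte("constructed sample artifact"), "https://ci.example.invalid/builder" // constructed inputs
	env, _ := Sign(priv, "builder-key-1", NewProvenance("app.tar.gz", artifact, builder))
	_, err := Verify(pub, env, artifact, builder)
	fmt.Println("verify error:", err) // nil for the genuine envelope
}
```

The order of the checks is the point: the statement is not even parsed until a signature verifies, the digest comparison stops a genuinely signed attestation from being reused for a swapped artifact, and the builder check is where pipeline operators who could obtain some signed attestation are still kept from asserting a build they did not perform.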
Authors: Michael Lieberman, Mihai Maruseac
2022-10-27

By now, we’re getting bored of hearing the “am I affected by X vulnerability?” question. However, as supply chain attacks become more sophisticated, answering just this question is insufficient. Instead, we need to think about: “If TravisCI was compromised, which software is affected? With a bad actor in your supply chain, what's the blast radius?” There is a ton of information today in SBOMs, in-toto/SLSA attestations, etc. However, these documents, observed individually, provide limited information; when put together and related, they super-additively expand the knowledge base of our software supply chain. We built a supply chain knowledge graph tool to help better understand the relationships between artifacts and their metadata/identities. Through this high-fidelity graph, we not only answer the hard questions posed earlier, but also make new discoveries. For example, we found that most build systems rely not only on obvious dependencies like gcc, but also on often-overlooked projects like libpcre and sed.
Authors: Carlos Panato, Jeremy Rickard, Sascha Grunert, Adolfo García Veytia
2022-10-26

Have you ever wondered how the Kubernetes source code is turned into artifacts for everyone to use? How do you know you can trust those artifacts? Have you heard about signing things and you're not sure how that fits in with Kubernetes? In this Kubernetes Special Interest Group (SIG) Release update, we will give a quick overview of SIG Release, highlight recent accomplishments, review our updated roadmap and discuss our continued efforts to move toward full SLSA (Supply-chain Levels for Software Artifacts) compliance. As part of this, we will deep dive into efforts to move all aspects of the build process and distribution to community controlled infrastructure and our efforts to expand artifact signing beyond just containers. Finally, we’ll talk about how attendees can become involved in SIG Release. These efforts are exciting and important, but we need your help! We’ll discuss how to contribute to SIG Release tooling, the Release Manager role, and discuss our contributor ladder.
Authors: Billy Lynch
2022-10-25

Attestations are a useful tool for attaching supply chain metadata to artifacts and images, but how can we attach attestations to source code itself? In this talk, we'll go into some of the ways you can attach attestations to source code with Git. Learn how data can be stored verifiably alongside commits, how attestations can be modeled to describe SLSA source requirements, and how tools like Gitsign can make this easy to add to your CI/CD pipelines.
Authors: Steven Zou, Yan Wang, Alex Xu, Deng Qian, Ziming Zhang
2021-10-14

tldr - powered by Generative AI

Harbor is a CNCF graduated project that helps enterprises distribute and manage cloud native artifacts. The presentation discusses the key features and use cases of Harbor, as well as updates introduced in the most recent release. The focus is on the 2.5 release, which includes improvements and new features such as Cosign integration, tag retention, and replication.
  • Harbor is a CNCF graduated project for managing cloud native artifacts
  • Key features include multi-tenancy, access control, policies, artifact distribution, security and compliance, and extensibility
  • Improvements in the 2.5 release include Cosign integration, tag retention, and replication
  • Cosign integration allows for artifact signing and verification
  • Tag retention allows for automatic deletion of artifacts and associated Cosign signatures
  • Replication policies allow for distribution of artifacts to other Harbor instances or third-party registries