Authors: Aditya Sirish A Yelgundhalli
2023-04-20

tldr - powered by Generative AI

The presentation discusses the use of The Update Framework (TUF) and the in-toto attestation framework in securing the software supply chain. It also introduces the Witness project and its tools, which simplify the creation and consumption of attestations.
  • TUF and in-toto are complementary projects that can be used together to secure the software supply chain
  • TUF's repository metadata can carry custom metadata associated with the artifact being distributed from the repository
  • in-toto provides enhanced capabilities for layouts that allow the execution of the software supply chain to be verified
  • Witness is a community-driven open source implementation of TUF that focuses on in-toto attestations
  • Witness has developed tools such as the witness run action and the policy tool to simplify the creation and consumption of attestations

Authors: Santiago Torres-Arias, Aditya Sirish A Yelgundhalli
2022-10-26

tldr - powered by Generative AI

The speaker discusses the complexities and vulnerabilities of software supply chains and the need for higher degrees of assurance and resiliency in the pipeline.
  • Software supply chains are vulnerable to compromise, with examples including version control systems, build farms, packaging, and testing infrastructure.
  • Compromises in the supply chain can have a significant impact on users, reputation, budget, and intellectual property.
  • Integrity checks, reproducible builds, verifiable compilers, and secure package delivery can provide higher degrees of assurance and resiliency.
  • Centralized metadata storage and integration with CI systems are possible solutions.
  • The speaker emphasizes the need for addressing the problem and improving the software supply chain.