Supply Chain Security for Open Source: Pyrsia at CD Summit and KubeCon 2022
I was super excited to be at Kubecon+CloudNativeCon this year. Kubecon has managed to build a great community that goes beyond Kubernetes and has been a good catalyst in bringing together people passionate about OpenSource. Kubecon also has attracted a lot of interest due to the quality of sessions, the number of co-located events, and the opportunity to connect with peers, partners and friends.
This year was particularly meaningful to me as Pyrsia was officially announced as the latest project to join CD Foundation during the co-located CD Summit event. With so much goodness it’s only appropriate to share my excitement (and to some extent my exhaustion) following this wonderful event.
CD Summit
The Continuous Delivery Foundation hosted a co-located event called the CD Summit a day before the flagship event Kubecon. This event is designed to bring together people with a common goal of modernizing tools and practices that power continuous delivery. As we arrived we were greeted by a full house. The venue and arrangements looked quite professional and cozy enough to have rich conversations.
CD Summit was kicked off by JFrog’s Open Source Program Manager and CDF Marketing Outreach Chair, Lori Lorusso, and CD Foundation Executive Director, Fatih Degirmenci. Fatih was super excited by the announcements that were coming during the day.
Fully decked out laptop with all the CD Foundation stickers to commemorate Pyrsia joining the @CDeliveryFdn! @PyrsiaOSS @_cdevents @jenkinsci @jenkinsxio @OrteliusOs @screwdrivercd @spinnakerio @shipwrightio @tektoncd pic.twitter.com/p7zstkAAUs
— Stephen Chin (@steveonjava) October 25, 2022
#cdsummit was interesting. It was nice to see the ecosystem growing and maturing. It’s no longer just @jenkinsci. Seeing latest updates on @tektoncd @spinnakerio @_cdevents and others. Nice work @fdegir @LoriLorusso and @CDFoundation team for setting it up pic.twitter.com/OrfFxvm5m5
— Dotan Horovits – speaking @AllDayDevOps (@horovits) October 26, 2022
And it’s official!!! @PyrsiaOSS is now an @CDeliveryFdn project!!! @steveonjava @jfrog @Docker @DeployHubProj @Huawei @oracle pic.twitter.com/OG8elm0JMA
— Lori Lorusso @ LF Member Summit ❄️ 😈👩🏽💻💃🏽 (@LoriLorusso) October 25, 2022
Three big announcements were made at the Summit:
We have exciting news! 🎉
🔸 @PyrsiaOSS New Software Supply Chain Security Project
🔸 @tektoncd Graduates
🔸 @_cdevents Releases v0.1
Read more: https://t.co/iM3PR9xcBC pic.twitter.com/n6P6wc9gP3
— Continuous Delivery Foundation (CDF) (@CDeliveryFdn) October 25, 2022
The Pyrsia team had three talks focused on the project’s goal of securing the software supply chain. Here’s a quick summary of each session.
Keynote: Hacking the OSS Supply Chain
JFrog’s VP of DevRel, Stephen Chin, introduced the topic of supply chain security and how attacks on the supply chain are becoming a commonplace occurrence. This keynote also emphasized that the community currently lacks a holistic approach to address this menace. Stephen introduced Pyrsia as the newest CDF project and highlighted its key features: the importance of “build-from-source,” verification based on consensus, and a decentralized mechanism to keep the supply chain secure and available at all times. This was the perfect kickoff to start a deeper discussion around security and tools that go beyond automating steps in CD.
Bringing Continuous Delivery to Open Source – Breakout Session
My talk ‘Bringing Continuous Delivery to Open Source’ highlighted the current state of open source trust. I wanted to emphasize that current tools that rely on metrics may not be trustworthy, because the results can be faked with sufficient motivation. Instead, I wanted to build the case for tools that allow us to protect some parts of the SLSA model – especially highlighting where Pyrsia fits in.
Next up @jfrog rockstar @PyrsiaOSS manager @sudhindraRao bringing continuous delivery to open source #cdsummit @CDeliveryFdn pic.twitter.com/DuBGW3Gb2W
— Lori Lorusso @ LF Member Summit ❄️ 😈👩🏽💻💃🏽 (@LoriLorusso) October 25, 2022
Closing the Supply chain security loop with Pyrsia and Rust
Lastly, Stephen Chin and Joel Marcey, Director of Operations and Advocacy at the Rust Foundation, spoke about how building in Rust is the right choice for security tools like Pyrsia. Joel spoke about the power of Rust, highlighting examples of where the language excels and why Rust is the most beloved language among developers. Stephen showcased Pyrsia as an example, highlighting how securing a software supply chain requires a secure (safe) language and that Rust was ideally suited to this use case.
Why we chose @rustlang for @PyrsiaOSS? Listen to @steveonjava and @JoelMarcey talk about where #rust excels pic.twitter.com/ABg3erVW2n
— Sudhindra Rao (@sudhindraRao) October 25, 2022
We wrapped up the day with a CDF Project Maintainers’ Panel that included:
- CDEvents
- Spinnaker
- ShipWright
- Pyrsia
- Tekton
- Ortelius
We made our case for attracting contributors, highlighting our project goals, and getting inspired by the many communities. As I looked over my shoulder at the projects that are already leading the charge in CD Foundation, I saw a lot of inspiration for efforts like Pyrsia to succeed. The questions from the audience as well as the deep discussion we were having showed me how engaged the community is with the purpose of CD Foundation and its projects. It gave me further evidence that Pyrsia has found a welcome home and has the opportunity to add to the ecosystem.
Check out all the CD Foundation open source projects.
This was a lot of fun! #community #opensource #cdsummit @CDeliveryFdn https://t.co/sRXQCaXJRs pic.twitter.com/u7pPdT563S
— Lori Lorusso @ LF Member Summit ❄️ 😈👩🏽💻💃🏽 (@LoriLorusso) October 25, 2022
Overall, this was a great avenue to talk about Pyrsia, drive awareness on how we can work together to solve supply chain security, and have the community get excited about Pyrsia joining the CDF.
Multiple people shared that they found Pyrsia exciting because of its difficult mission, as well as its ambitious goals of fixing the issues in the current supply chain. For the mandate of CD Foundation to succeed, they expect Pyrsia and similar projects to be the next step in CD maturity.
It’s a wrap for the #cdsummit @LoriLorusso pic.twitter.com/XZQK38EJkZ
— Sudhindra Rao (@sudhindraRao) October 25, 2022
The program of CD Summit was packed. There were talks from the Tekton team, the ShipWright team, and the Ortelius team, the initial release of CDEvents, and talks from people sharing their experiences with CD. The whole day breezed by so fast that it felt like it should have lasted longer. At the happy hour afterwards, I spent time talking to the project owners and the audience – trying to replay the entire day as it happened.
If you missed this event in person and would like the virtual experience, the CD Summit session recordings are now available on YouTube.
Thanks to the CD Foundation and the individuals who worked hard at making this such a welcome event!
Bonus
Check out Stephen Chin’s and my Techstrong TV interviews from the last day of KubeCon. Stephen focused on JFrog’s mission to release fast or die – but securely. Our new Advanced Security Pack addresses those issues head on. I spoke about Pyrsia and where our project fits in helping to secure the software supply chain.
Gettin’ his @TechstrongTV @ashimmy interview on @steveonjava @jfrog #kubecon pic.twitter.com/U3Uzgm2DHM
— Lori Lorusso @ LF Member Summit ❄️ 😈👩🏽💻💃🏽 (@LoriLorusso) October 28, 2022
Cheers to @sudhindraRao! Just finished talking @PyrsiaOSS with @TechstrongTV @ashimmy pic.twitter.com/mib4YwCkLy
— Lori Lorusso @ LF Member Summit ❄️ 😈👩🏽💻💃🏽 (@LoriLorusso) October 28, 2022
See you all next year!