Bringing Continuous Delivery to Open Source @ Continuous Delivery Summit
November 28, 2022
< 1 min read
Bringing Continuous Delivery to Open Source – Sudhindra Rao, JFrog
Open-source software plays an essential role in the supply chain of modern software development. Proprietary software is typically composed of 75% or more open-source dependencies. In open source software we rely on ad-hoc methods of software process and quality control.
A few of those ad-hoc methods have received much attention in the last few years – need of MFA on source repositories, need of signing every binary, need for verifying such signatures and building trust in open source packages.
In this talk we want to cover different tools that help in making these methods easy to implement and help you decide which ones fit your way of working. We will talk about the recent attacks on the open source software, SLSA framework, Sigstore, Notary, Pyrsia. We will also highlight how the Continuous Delivery of open source often does not receive the same attention and rigor as compared to proprietary software. We discuss how to apply this rigor and enjoy the same benefits with open source.
For more Continuous Delivery Foundation content, check out our blog: https://cd.foundation/blog/