From YouTube: Pyrsia - CDF's Newest Supply Chain Security Project
Description
Supply chain security is top of mind for organizations looking to avoid being victims of the next SolarWinds-type supply chain attack. Pyrsia, CDF's newest incubating project, seeks to address this issue by creating a decentralized package management network. Built in Rust, Pyrsia's entire codebase will be open source; it uses consensus for acceptance of packages to the network and features an immutable transaction ledger. Learn about these components and more during our next CDF Meetup with the team behind Pyrsia.
A: We are a punctual group here at the CD Foundation online Meetup. Thank you, everybody, for showing up on time. We appreciate your punctuality. I am Tracy Ragan. I have been hosting the CD Foundation's online Meetup for quite some time. We took a hiatus and just had one or two last year, but this year our goal will be to have a monthly one, and we're super excited to have Pyrsia as our first one for January of 2023.
A: For those of you who have been following the CD Foundation, you will have learned that Pyrsia is the newest open source project that is incubating at the CD Foundation. It was brought to us by JFrog.
A: For me, it's an interesting project. I have been in the build management space most of my career and have struggled with why we don't have a better way to really manage the builds. Steve Taylor and I, back in the late 90s, started a company called OpenMake Software with a product called Meister, and we really focused on creating repeatable builds and being able to track the source code that goes into it. JFrog has taken this now to the next level, and that is what Pyrsia is.
A: It really shows it's a good first step in securing your software supply chain, in particular understanding your packages and the open source that you are consuming. And on that, I am going to introduce Sudhindra Rao. He is, I would say, the mastermind behind Pyrsia. He manages the project, does a lot of coding, and probably is the most involved individual in this project on the planet right now. So, Sudhindra, why don't you take it over? And I'm going to go through just a little bit of housekeeping.
A: We do treat this like a real CD Foundation online Meetup. Everybody on here is able to talk. So if you want to raise your hand, I'll be watching for it. If you just want to say, "Hey, I have a question," please do that, or just post a question out on the chat and I'll be happy to make sure that it gets answered. So don't be shy. If we were all sitting in the same room, I know you wouldn't be shy.
B: Thank you. Thank you for such a warm welcome, and I wouldn't say... I wouldn't go for this thing that I am the mastermind. I'm probably the one to execute it. A lot of things, a lot of ideas do come from Stephen Chin, who sort of envisioned this and took some of the learnings, but I'm really passionate about where we are going and why we are doing it. And thank you, Tracy, for giving the background that this was attempted in the past.
B: People have had similar issues in the past, so that helps me, you know, contextualize where Pyrsia comes from. Just a couple of housekeeping notes before we get started on the talk. Since this is like a Meetup, feel free to turn on your video and make faces to tell me that I'm not doing well. That's fine! If you want to use emojis on the chat, give me that feedback. I love that. We can stop and, you know, readjust, and like Tracy said, don't hesitate to just call out and ask questions.

B: Okay, so let's get started. We are going to talk a lot about the open source supply chain in the presentation that I have. I promise a few things: I'll say happy new year at least once or twice, and you'll probably see some superheroes.
B: Maybe you can identify with one or many of them, and I'm hoping that the problem we're going to talk about, the open source supply chain, resonates with you and you are facing that. If you have not faced that, then you will get a feel for what is happening in this area and how it affects real people.

B: Okay, but before we get started, if you're interested in following me, I'm at Sunil on Twitter.
B: So let me present the state of the supply chain today, and it is pretty bleak. When I say supply chain, we are all aware of the supply chain that affects us the most: Amazon packages not being delivered on time and our gifts taking a long time, and it has been two-plus years where that still continues to be a problem for one reason or the other. But that is not where my expertise is.

B: My expertise is in the other area, which is the whole software supply chain. Right when the pandemic hit, or around that time, this was the most talked about software supply chain attack, and these were the affected parties, right? And this has affected so deeply that even today a ton of government properties may still be vulnerable to this attack.
B: That was exposed during this breach, where malicious code was introduced into an end package, and that package was shipped, or, you know, pushed to production or deployed using a CI mechanism, a CD mechanism. Some of that people know where it is, and some of that people don't know. And the reason it happened was because there were no checks and balances in terms of how that binary package ended up with those vulnerabilities, and some actors, man-in-the-middle actors, basically compromised it and injected code that could open up ports and allow them to attack those systems, right? And there's a lot being said about this.

B: There was a congressional hearing about this and how it affected people, and some of the things that the CEO of SolarWinds said at the time resonated with the community in general. The community has started reflecting on what it can do to prevent similar attacks in the future and to start thinking about this problem in a different way.
B: This was not the only attack. Way back in 2017, Equifax had a data breach, and this was because they did not patch, you know, Apache Struts to the latest version, which had the vulnerability fixed. And even today I receive mailings that tell me that my data, my home address from that time, is still out there, and people know who I am and they send me, you know, either a credit card request or a loan application and so on, right?

B: So I know that I am one of the affected parties, and I know that many millions were affected because of that, and that's because the supply chain was not keeping the software up to date and not keeping track of what is being deployed.
B: This was what was happening in the software supply chain world, right? log4j, our favorite logging tool, was compromised, and that basically hurt the entire community. And when I say entire, it is actually a significant part of the community that uses Java, or Java-like languages that run on Java, and that actually taught us a number of things.

B: These vulnerabilities: fix them, release them, and make sure that those are trustworthy. And actually some burnout happened for these developers who were trying to, you know, respond to these attacks, or to this vulnerability. Rust, the language that was built to overcome all the buffer overflows and all those memory issues and provide much tighter control over how memory is used, which is how many of the attacks manifest: somehow they cause a buffer overflow or memory overflow, and then they try to execute code that they like, right?
B: Rust has these vulnerabilities, and this one is just typosquatting, where the name is changed a little bit and they introduce code. But this can happen to real software, and this can affect your supply chain.

B: This was last... this was this year, so happy New Year. This is what is happening this year with us, right? And again, this is a denial-of-service attack. If you're not familiar with the hyper package, hyper is a dependency, it is a transitive dependency on the HTTP package that Rust has. So basically anybody who is trying to do anything with the internet with Rust is affected in one way or the other. We still don't have a fix for it.
B: Although people now know about it, and they can do something in their own environment to provide fixes until the vulnerability is fixed. And how easy is it? Here is a recipe that is published and people have used this, and attacks have manifested with this recipe: you can take over the ownership of libraries or open source software and just do whatever you like with the community.

B: A similar thing happened when, you know, the maintainer of faker.js got disillusioned about how software is being used in open source and how much effort he has to spend. He just ripped out the carpet under us, where he replaced the code of faker.js with basically no-op code, which was not useful, and the community had to spring together, come together and build a fork, and now that is the one that they agreed to support, right?
B: So all of these things are real. This is happening, and this affects software, which is now everywhere, and these examples I have are just the tip of the iceberg. There are way more things; if you're looking at the CVE databases, you'll find a lot more of these things happening. Some of them have a limited, you know, radius that they affect, and some of them affect deeply and more widely as well.

B: So the question that people come up with, like ask, is: who do you trust? Currently, we trust RubyGems, in Python PyPI, and, you know, Maven Central and all those, and npm, to give us the packages, but is that enough? Are there situations where, you know, and there have been, where malicious packages have been checked into, committed to these through verified means? And I showed you that even those means can be attacked. So we need...
B: So essentially, we are still living in the world where we are taking a thumb drive from the sidewalk and plugging it into our production systems, and today, as opposed to 10 or 15 years ago, those production systems actually affect real people even more so, because our healthcare data is on it, our energy data is on it, you know, everything runs on software. So this is an even bigger problem today.

B: So, just giving you a little bit of a highlight into what has happened in the last two, three, four years: a number of things. These things were under discussion and people were aware, or they were increasing awareness, but a lot of things got more focused since, after the SolarWinds attack, there has been an executive order to produce, you know, processes and practices in place so that, you know, we have...
B: We know what is going on with that software supply, right? And now there is an awareness. When we actually go to communities, they actually talk about software bill of materials, they're aware of those things. There's still a lot more education to do, but there is growing awareness of these tools, and they're starting to figure out how to put them into practice.
B: You know how these software attacks happen, and here is a very simplified model of, you know, what the current supply chain looks like. Even in this very simple model, there are so many network, what you call, perimeters that can be attacked, and the network can be taken over, the chain can be taken over, and it is bad. The way the SolarWinds attack happened was, it all started with C, where they modified source control after it was committed, and then it went through the supply chain.

B: It was deployed, right? But any of these vectors are attack vectors, and we need solutions that can help us work through these attack vectors and stop them.
B: So what do we need, actually? At JFrog, we actually are very passionate about DevOps and delivering software, and we believe that, you know, the future is where we'll have liquid software, where it is updated frequently, it is as fluid as liquid is, right? And for that we need something that is automated.

B: We need sources, and we need to be able to verify that information in a way that we trust, and attach that trust certificate and carry on with deployments. And we need something that is dependable, which doesn't, you know, have the, what you call, SLAs that npm had, where npm, for example, and this is just an example, but this has happened with other package repositories as well, where they go down and that basically stops the whole supply chain, right? And we can't have that. So we are looking for a solution that can provide all these things, or check all these boxes.
B: So let me introduce Pyrsia. Pyrsia is a project that will do all of these things. It will have a consensus-based build network. This is an attempt to fix the issue that SolarWinds faced, and I'll talk a little more about it. Pyrsia also has a provenance log that you can query and automate, and Pyrsia is also going to be decentralized, so that, you know, there is no single point of failure and no network partitions that stop the supply chains from delivering to production, right? So let's dig a little deeper.
B: So by bringing these ideas together, we hope to build a secure, reliable and open network. We believe that, since this is a problem that affects open source, and we don't have a solution that everybody trusts, this is something that the community should take over, should take control of, and that's how we can build trust and not have these decisions made by individuals independently. And that is what, you know, bringing these all together will do: bring the trust into the network.
B: Where does the name Pyrsia come from? Pyrsia comes from a historic reference where Greek armies or kingdoms would use a set of torches to communicate, you know, impending attacks or dangers. They used to do this from mountaintops, and they had a code to figure out what the set of torches being lit or not lit meant, and we thought this is a good way to have a distributed or decentralized communication mechanism. Pyrsia is a decentralized, you know, package registry.

B: So this would be a good metaphor, and this would be a good name for the project. If you want to learn more, there's more on Wikipedia.
B: So let's look a little bit at the structure of Pyrsia. Pyrsia is basically built on a peer-to-peer network. So it does not rely on the central repository structures, and the network is resilient to any network failures. It will have high availability just because it's based on peer-to-peer.

B: And because it is based on peer-to-peer, and we have made some initial inroads into this, we will also be able to use that to provide you high throughput. So imagine that you want a really large binary that you're trying to download, and it is coming all the way from Docker Hub, and you have to rely on the connection to Docker Hub you have. Instead of that, if you have a number of Pyrsia nodes that are near you, and they have already cached it, they can stream that in on multiple channels to you, and you'll have that same binary much faster.
B: The other aspect that Pyrsia allows, on this distributed network, and this is something we already demoed and it's starting to take more shape for different ecosystems, is that anytime a binary is added to Pyrsia, it will be added via source. So to Pyrsia you can submit the commit hash of the latest version of log4j, for example, and then Pyrsia will go and build that.

B: Pyrsia will pick nodes at random so that, again, the attack surface is reduced, and those random nodes will go and independently build them in ephemeral environments and produce results. They will verify those results to make sure that they have the same, hence we really want builds to be reproducible, and then once they have verified it, the result will be committed to the network and that binary will then be available on the network.
B: Now you know that it was built by these three nodes, and you're not just relying on, you know, "it works on this one developer's machine"; that developer built it and, you know, published it to Maven Central or RubyGems or whatever, right? So now we know that it has been built by three independent systems, and there is more trust in there.

B: We have a CLI that allows you to search through this. You can make your own decisions, saying: give me the latest version of log4j, tell me what vulnerabilities it has, tell me if they were fixed, and tell me if I can push this to production. And you can write automation for that. You can pull that data and make the release decisions yourself and not have to depend on somebody saying somewhere that, oh, log4j 16.1 is the latest and greatest.
B: You will have previous versions on this as well, and then you can decide whether you are ready to upgrade or not ready to upgrade. If you don't upgrade, what are the repercussions? All that information will be on the log, and this is powered by an immutable ledger which runs on a blockchain and is distributed across all the network, again, so it is tamper-proof. So once it is written there, you will have it and we'll know if, you know, anybody has tried to mess with that information.

B: It is easy to install. All you have to do is follow the instructions on the quick installation. We have installers for macOS, Linux and Windows as well, and you can continue to use the same tools that you have been using before. So, for example, we support Docker today and we are working towards supporting Java.
B: We have a prototype implementation for Java, but you will continue to use docker pull image, and then what Pyrsia will do is sit between you and Docker, the trusted Docker registry, and pull those images and deliver them to you. Once they have been pulled once on the network, they will be available on the network for anyone else to pull.

B: Whatever comes off of Pyrsia will have the provenance log information, so you can verify where that thing came from. Think of it the same way as when we look at the list of ingredients, and, you know, how it was processed, whether these were free-range chickens that produced the eggs, and what kind of additives were added. All of that information will be in the provenance log.
B: So now you know whether you want to use that or something else. A little bit about how this software is coming together. We already have an integration that works with Docker, so you can pull and build Docker images. We are working towards Maven and Gradle integration.

B: Similarly, we have an API that allows you to interact with the interfaces of Pyrsia and build an integration for the language of your choice. So if you don't find something that you are interested in, please flag it to us and we'll start either writing things down so that you can develop it yourself and submit to the team. We are encouraging contributions that way, and we can also help you build that.
B: So there are a few things that we have assessed that we need to make sure of, so that the security model is intact and strong. One of the things is that there are ecosystems where it is possible to have reproducible builds, and there are ecosystems where it is not. For the cases where the reproducible build model exists, network consensus is what we are going to do, and make sure that it is rebuilt on Pyrsia, certified, and you have all the provenance information for builds. For packages that do not have a reproducible model, like Docker, for example, it is hard to build that.

B: What we are doing is we are building it on Pyrsia and attaching it to the Docker image, and verifying by testing to see if there are any differences, and then falling back on the trusted registry. So we are relying on the trusted registries to give us the certified versions, and we are only picking the open source verified versions of those images instead of the entire registry.
B: So that keeps the attack surface low and also, you know, builds the trust. And when we get, you know, requests from people to include packages that are not already on Pyrsia, we will rely on the multi-factor authentication and other verifications that repos like GitHub and others have, and then we will also invest in providing an extra layer of security. We are investigating using both Sigstore and Notary-like interfaces, so that there is an additional layer to ensure that we are getting the source from the right place.
B: So how do you get started? It's really simple! Just, you know, apt-get install pyrsia if you're on Linux, and then there are similar installers for Mac OS X. You can do a brew install there, and Windows as well. And you don't need to change your CI/CD scripts. You can just continue to use docker pull, and the images will now be delivered faster via Pyrsia.

B: The same thing will hold when we have the Maven integration in for real. We do have a prototype which you are welcome to use and give us feedback on.
C: I can kind of talk to it right now. So the question asked, from Alan, let me go ahead and read it: Many open source developers have been pushing back hard on the supply chain designation as being fundamentally the wrong way to look at dependencies and ownership of problems.

C: The phrase "I am not a supplier" has been used to point out that the use of software does not also include the resources to support it. And this is kind of your point around that one node package where the developer finally got frustrated and wasn't getting any credit or help, and he just abandoned the project, and everybody has scrambled on that front because it's used so widely.

C: So the basic question is: is there anything that Pyrsia is going to be able to do to help with these types of issues, where you have an open source project and it's maybe one person that's doing a lot of the work? It's, you know, the same thing happened on the log4j side. Yeah, I think there's one developer that was responsible for log4j and he basically got slammed. Yep.
B: Yep, the same thing. Yes, and then the same thing happened with the faker.js guy, like, "I can't do this. I have a life and I don't have any financial benefit from supporting faker," so he basically used the words "screw you, I don't care about the community and I'm going to just do whatever I want." And Pyrsia cannot solve that problem of burnout. What Pyrsia can solve, though, is building. So let's say this person did something malicious with their own software, right?

B: Pyrsia can build that and give you the provenance log saying that faker.js was, you know, 500 KB yesterday, and there is a new version which is 10 KB. Right now you have the tool in your hand which tells you that there is something missing, there's something wrong. You can stop. What happened with the automation is people deployed it into their testing systems and things just stopped working, because, you know, all the tests that needed a fake user and a fake username and a fake user profile...
B: Invest in Pyrsia, make Pyrsia the other thing where you can add those abilities and support this as a community project. And we know, like, for example, and this is in the open, where the SolarWinds CEO said, we need to build three infrastructures which are identical and independent to verify every single binary from now on, and that's what they're doing. What we are saying is: let's not all spend money in building those individual identical systems to verify our own software supply chain system. And that's what we have been hearing from the community as well, like, they try to invest in that and build their own CI/CD for the entire supply chain, and there are limits in terms of how much you can spend and the output you will get. So Pyrsia aims to be the community effort, the same way we have put all the community effort in building these open source software.

B: Let's make sure that the supply chain is built once and, you know, it's trustworthy. So we cannot fix the problem of the burnout of the log4j developer, because that's not the area we operate in, or we can't help fund them, and that has to come through community and other efforts, where more people, as they get affected, come together and say: okay, we can't have one person being the core committer, we need more, and maybe we can support them. And there are other ways to, you know, help these people who are actually doing good work, and maybe they can derive some monetary benefit and keep their work-life balance and sanity. Yeah. But Pyrsia can help with the other side of it. Yeah.
C: And I think because of the Pyrsia transparency log, the provenance log, you can attach something like Open Policy Agent against it, to, like you said, if there's a case where all of a sudden we have a big, you know, change in size of an artifact, that could be a policy that we want to go and investigate, you know.
D: I just noticed the mic was enabled, so let me... I put a suggestion in the chat and it put it in the Q&A. It seems to me, if you built a reliable tool like this, and, you know, great, plaudits, some credit to you for doing this, you have all the tools you need to create a way of inverting the telescope.

D: If you will, we can actually create reports for developers of things that depend on their software, and then of course it's up to the individual developer to go to whatever large corporation and say: hey, you have, you know, deployed this huge piece of software that's dependent on my package, and, you know, I don't want to explore all the sociology here, but, you know, would you like to actually participate? So tools like this can actually help with both directions of visibility.
C: And one thing that we are definitely being careful about is not to provide a list of all the companies in the world that are using log4j to a hacker, to go ahead and say: here's your list of companies, go start banging on their door.

C: But if you look at it from the inside, the company's point of view, looking back out, "am I consuming this?", we would be able to answer that very quickly.
D: Yes, these are excellent points. I just think there's room for more work here. For example, you could leave it in the hands of the company using this tool to say: hey, do we want to develop a relationship with the developers we depend on? So, yeah.
B: I think we are jumping to my next slide, not just this one, where we actually are working on an IDE integration, and we just did a demo last week.

B: So if you are interested, Alan, and would like to see how it is, there's a video on YouTube. But that kind of is a way to put the power in the hands of the developer, and they can see within their IDE, even before they are ready to use it, Pyrsia can give all this provenance log information to them in their IDE, and they can find out, you know, their tertiary dependencies and what is happening there and whether they want to use that or not, right? So that is one way. I think we can, like, use your same concept of giving them the telescope, but now it's in their power; instead of us telling them "this is what you're doing," they can do it themselves.

B: And the way the IDE integration works now is, it just looks at what the developer has running on their own system and gives them some flags to act on, right? And then they can make those decisions. So putting the power in the developers' hands is totally within the scope of Pyrsia. Now, how we manifest it depends on what the community asks for and how we move forward with it. But yeah, so we are totally aligned in that way.
B: Any other questions? I saw one more person, I don't know. Okay, Nito, did you have a question that you wanted to just blurt out? We can do that. And...
B: Okay, okay. So what I was talking about is, you know, how we are building Pyrsia and what we have so far. We are using libp2p, which is the framework for doing peer-to-peer communication and data transfer. It is built by the same people who are doing IPFS, the InterPlanetary File System, and it is open source. We use the Rust version of that, and it works really well for us.

B: We are enlisting, and we are investing in, using AlephBFT for a real consensus mechanism to further build and verify. We have a provenance log which can help you do all these things, and more automations that we are envisioning are coming. You can do a wider search, you can narrow your search, and so on. We have started building binaries on the network.
B: It will be slow to start, but as it, you know, gathers steam, we will have more and more Pyrsia-certified artifacts. Yeah, and Happy New Year! This is my second happy New Year. We have an IDE integration coming soon. We already have a demo version committed to a prototype branch that, if you are brave enough, you can use and tell us how things are.
B: We do have a YouTube channel for the OSS, where we put all these videos and demos so that people can come in and engage. We are already using other open source technology and committing back to them. Sorry, we found issues with initial implementations of P2P; we have been engaging directly with them and sort of helping them fix that, and sort of presenting the case of Pyrsia, why we need to rely on that. We are also working with the Rust Foundation, just, you know, to make sure that we get the support that we need in terms of our Rust learning, and getting the right support in terms of supporting Pyrsia going forward.
B: Everything that we are doing is public. If you are on the CDF calendar, you can find our meeting invites and so on. You can also find all of that information on our website, pyrsia.io. A number of organizations are coming together to contribute to the infrastructure that we need to host this. We have been sort of explaining how we are building it.

B: So even though the network will be wide and spread around, we still would like to control how things get committed and certified, and that will be controlled via what we are calling authoritative nodes, or authority nodes, and those will come from the core organizations that are participating to form this network.
B
So
it
won't
be
that
you
know
hundreds
and
thousands
of
nodes
are
trying
to
come
up
with
consensus,
as
it
is
in
the
case
of
you
know,
vanilla,
blockchain,
cryptocurrency
stuff,
and
we
and
we
and
we
don't
think
that
is
the
right
way
to
you-
know,
spend
Community,
Resources
and
and
burn
burn
energy,
and
it's
not
sustainable
either.
So,
if
you're
looking
for
us
to
ask
questions
or
or
engage,
find
us
on,
the
CD
Foundation
slack,
we
are,
we
are
on.
B
Github
obviously
find
us
on
GitHub
easy
to
find.
B
If
you
want
to
get
involved
without
writing
code
there's,
there
is
all
kinds
of
things
you
can
do
to
help
us
download
and
install
Persia
use.
Put
it
into
your
CI
flow,
join
team
meetings
and
bring
ideas
like
this
Alan.
Whenever
you,
you
feel
appropriate,
we
have
recordings
and
and
things
we
are
discussing
and
also
design
documents
out
there.
If
you
find
something
that
you
want
to
contribute
via
design,
we
would
welcome
that.
B
If
you,
if
you
know
a
lot
of
cryptography,
we
would
love
to
have
you
as
well,
not
the
cryptocurrency
side,
but
the
the
encryption
parts
and
and
parts
where
you
know
we
can
learn
from
how
that
side
of
the
world
works.
Now
we
have
some
expertise.
We
are
always
looking
for
people
to
you
know,
hold
a
mirror
to
us
and
tell
us
what
we
are
not
doing.
Well,
that
are
that
we
have.
We
have
a
bunch
of
first
good.
B
First
issues
you
can,
you
can
come
and
fix
and
they
they
don't
all
involve
writing
code.
If
that's
not
what
you
want
to
do,
you
can
help
us
in
many
ways
and
just
a
reminder
this
this
happened
last
year.
Well,
not
really
it's!
This
happened
two
three
weeks
ago,
whenever
we
talk
about
Persia
people
talk
about,
oh.
Why
is
why
signing
not
enough?
Why
is
signing
you
know,
there's
this
project?
You
know
that.
Does
that
designing
and
that
will
solve
all
the
problems.
Well
here
is
why?
B
Because
signing
can
be
taken
over
there
are
there,
are
you
know,
security
mechanisms
already
on
GitHub,
but
they
were
taken
over
and
after
was
compromised.
Octa
has
been
tightly
tight-lipped
about
how
much
they
they
were
compromised,
I
guess
to
protect
themselves
and
all
the
people
affected.
C
I
I
heard
it
was
the
it
was
the
whole
source
code,
repo,
the
private
repo
yeah
for
OCTA
was
was
compromised
exactly.
B
And
and
but
their
their
their
public
facing
PR's
restaurant
releases
have
been
that
you
know
not
much
was
compromised
and
they
got
it
under
control
within
hours,
but
you
know
what
happened
in
those
in
those
hours
right
once
you're
compromise
your
compliment,
your
data
is
out
there,
so
this
is
happening,
and
this
is.
This
is
one
of
the
reasons
why
we,
we
can't
just
stop
at
saying
that
you
know
we
have
secured
our
GitHub.
We
are
good.
B
B
So
just
you
know
some
statistics.
This
is
this
is
happening
even
more,
so,
even
even
during
the
pandemic.
This
was
this
was
going
up.
B
And
we
need
we
need
to
secure
it
now.
So,
if
you're
waiting
for
for
something
to
to
work
on
this
problem,
this
problem
needs
your
help.
Today,.
A
Thank
you
so
much
sahendra.
That
was
pretty
amazing
I.
You
know,
I
I
just
want
to
kind
of
point
out
that
we
when
I
say
we
it's
the
larger
I.T
Community
have
somewhat
ignored
security,
or
maybe
we
put
it
in
a
category
like
testing.
You
know
it's
the
red-headed
cousin
down
the
street
that
we
know
they're
there
and
we're
still
trying
to
remember
that
we
we
are
we've
got
to
to
give
them
love
and
attention
security.
It's
time
that
we
give
them
a
lot
of
love
and
attention.
They
absolutely
must.
A
We
must,
as
a
community,
start
thinking
about
how
to
address
the
security
issue,
we're
in
a
different
time
now,
and
it
has
to
be
included
in
all
of
what
we
do.
That
may
mean
that
you
have
to
update
your
CD
pipeline,
so
be
it
tools
like
this
and
other
tools
that
are
hitting
the
market.
Other
open
source
tools
are
there
to
start
solving
this
problem
and
it
it's
automation
is
key
and
it
means
that
the
CI
CD
pipeline
must
evolve.
A
We
have
to
really
start
thinking
about
ourselves
as
not
just
devops
but
devsecops,
and
that's
the
I'll
just
say
that
as
a
closing,
this
is
critical.
We
have
to
start
addressing
it
now,
foreign
and
if
there
are
no
other
questions,
I
want
to
thank
everybody.
Oh
there
is
one.
Let's
see
oh
no,
there
I
want
to
thank
everybody
for
coming
today.
This
will
be
posted
as
soon
as
possible,
up
on
the
CD
foundation's
YouTube
online
Meetup
site
and
if
you're
part
of
the
Meetup
Group
it
will
be.
The
link
will
be
sent
to
you.
A
If
you
have
your
teammates,
who
may
not
have
been
able
to
attend
but
need
to
understand
more
about
security
and
some
of
the
new
tools.
We
would
ask
that
you
pass
this
around,
so
folks
can
start
learning
and
Alan.
Thank
you
for
your
very
interesting
conversation.
A
We
appreciate
the
the
comments
and
the
the
dig
in
and
sahendra.
Thank
you
again.
You
did
an
excellent
job
and
thank
you
Steve
for
pitching
in.
A
We'll
see
you
next
month
watch
the
Meetup
for
announcements
about
the
next
month
Meetup.
Thank
you.