From YouTube: Stephen Chin, JFrog | KubeCon + CloudNativeCon NA 2022
Description
Stephen Chin, chair of the CD Foundation at JFrog, talks with Savannah Peterson & John Furrier at KubeCon + CloudNativeCon NA 2022 in Detroit, MI.
B
Great. I mean, we're coming down to the third day, we're keeping the energy going, but this segment is going to be awesome. The CD Foundation is doing amazing work, developers are going to be running businesses, and workflows are changing. Productivity is a top conversation and you're gonna start to see a coalescing of the communities of our continuous delivery, and it's going to be awesome.

C
No, my pleasure. I mean, this has been an amazing week, quote that KubeCon, with all the announcements, all of the people who came out here to Detroit, and you know, fantastic. Like, just walking around you bump into all the right people here, plus we held a CD Summit zero day event and had a lot of really exciting announcements this week.

B
Love the shirt, I gotta say, it's one of my favorites. Love the logos, love the branding, that project's got traction. What's the news in the CD Foundation? I tried to sneak in the back, I got a little late into your co-located event, it was packed, everyone's engaged. It was really cool. Give us the update.

C
Yeah, you know, so we had a really, really powerful event. All the key practitioners, the open source leads and folks were there, and one of the things which I think we've done a really good job in the past six months with the CD Foundation is getting back to the roots and focusing on technical innovation, right. This is what drives foundations: having strong projects, having people who are building innovation and also bringing in new innovation.

C
So it's a decentralized package repository for getting open source libraries, and it solves a lot of the problems which you get when you have centralized infrastructure: you don't have the right security certificates, you don't have the right verification of libraries, and these are all things which large companies provision and build out inside of their infrastructure, but the open source communities don't have the benefit of the same sort of really, really strong architecture. A lot of the systems we depend upon.

C
Yeah, I mean, if you think about the systems the developers depend upon. We depend upon, you know, npm, RubyGems, Maven Central, yeah. These systems have been around for a while, like they serve the community well, right, they're well supported by the companies, and it's really a great contribution that they give us. But every time there's an outage or there's a security issue. I guess, guess how many security issues that our research team found at npm, just ballpark.

C
So Pyrsia kind of shifts the whole model. So when you think about a system that can be sustained, it has to be something which is not just one company. It has to be a set of companies, be vendor neutral and be decentralized. So that's why we donated it to the Continuous Delivery Foundation, so that can be that governance body which makes sure it's not a single company. It has to use modern technologies. So you just need something which is immutable, so it can't be changed, so you can rely on it.

C
I mean, so if you think about most DevOps teams and big companies, they support hundreds or thousands of teams, and an hour of outage, all those developers, they can't program. They can't work, and that's a huge loss of productivity for the company. Now, if you take that up a level, when npm goes down for an hour, how many millions of man-hours are wasted by not being able to get your builds working, by not being able to get your code to compile? Like, it's like.

C
Exactly, on whatever you're working on, that's the fundamental problem we're trying to solve. It needs to be on a, like, a well-supported, well-architected peer-to-peer network with some strong backing from big companies. So the companies working on Pyrsia include JFrog, who I work for, Docker, Oracle.

C
We have DeployHub, Huawei, a whole bunch of other folks who are also helping out, and when you look at all of those folks, they all have different interests, but it's designed in a way where no single party has control over the network. So really it's a system. You're not relying upon one company or one logo, you're relying upon a well-architected, open source implementation that everyone can rely on.

B
It's shared software, but it's kind of a fault-tolerant feature too. It's like, okay, if something happens here, you have a distributed piece of decentralized, you're not going to go down. You can remediate, all right. So where does this go next? I mean, because we've been talking about the role developer, this needs to be modern, I won't say modern upgrade, but like a modern workflow or value chain. What's your vision, how do you see that, because you're the center of the CD Foundation coming together, people are going to be coalescing multiple groups.

C
I think this is a good point, so there's a lot of different continuous delivery, continuous integration technologies. We're actually, from a Linux Foundation standpoint, we're coalescing all the continuous delivery events into one big conference.

C
So now you can get CD events flowing cleanly between your continuous delivery and your observability, and this extends through your entire DevOps pipeline. We all need a standards-based framework for how we get all the disparate continuous integration, continuous delivery, observability systems to work together. That's also high performance, it scales with our needs and it kind of gives you a future architecture to build on top of. So a lot of the companies I was talking with at the CD Summit, yeah.

C
So we have two graduated projects. Right now we have Jenkins, which is the first graduated project, now Tekton has also graduated, and I think this shows that for Tekton it was time, a very mature project, great support, getting a lot of users, and having them join the set of graduated projects in the Continuous Delivery Foundation is a really strong portfolio, and we have a bunch of other projects which also are on their way towards graduation.

C
CD Foundation has been around for, I want to say the exact number of years, a few years now, okay, but I think that it was formed because what we wanted is we wanted a foundation which was purpose-built.

C
So CNCF is a great foundation. It has a very large umbrella of projects and it takes kind of that big umbrella approach, where a lot of different efforts are joining it. A lot of things are happening and you can get good traction, but it produces its own bottlenecks in process. Having a foundation which is just about continuous delivery caters to more of a DevOps professional, DevOps audience, I think.

B
And the best practices too, and to identify the issues, because at the end of the day, the big thing that's coming out of this is velocity and more developers coming on board. I mean, this is the big: more people doing more. Yeah? Well, yeah, I mean, if you take this open source, Continuous Thunder away, you have more developers coming in, they'll be more productive, and then people are going to, even either on the DevOps side or on the straight app.

B
The website, and this is going to be a huge issue, and the other thing that comes out, I want to get your thoughts on, is the supply chain issue. You talked about it's hot; verifications and certifications of code is such a big issue. Can you share your thoughts on that? Because, yeah, this is becoming, I won't say a business model for some companies, but it's also becoming critical for security, that code's verified, yeah.

C
Okay, so I think one of the things which we're specifically doing with the Pyrsia project, which is unique, is rather than distributing, for example, libraries that you developed on your laptop and compiled there, or maybe they were built on, you know, a runner somewhere like Travis CI or GitHub Actions.

C
All the libraries being distributed on Pyrsia are built by the authorized nodes in the network, and then they're verified across all of the authorized nodes. So you have, the basic guarantee we're giving you is when you download something from the Pyrsia network you'll get exactly the same binary as if you built it yourself from source.

C
So if you built with the same source and then you went through that same process a second time, you would have gotten a different result, which was malicious, right? Yeah, and it's very hard to take a binary file and determine if there's malicious code in it, because it's not like source code, you can't inspect it. You can't do a code audit.

C
I think we're solving a key part of this with Pyrsia, where you're freeing open source projects from the possibility of having their binaries, their packages, their end products tampered with, and also upstream from this, you do want to have verification of PRs, people doing code reviews, making sure that they're looking at the source code, and I think there's a lot of good efforts going on in the Open Source Security Foundation. So I'm also on the governing board of OpenSSF too.

B
Can't even imagine, yeah, just spin that out from this. Open source security, is that the new one? Yeah.

B
I mean, it's really kind of interesting to watch some different demographics of the developers and the vendors and the customers. On one hand, if you're a hardware person, company, you talk zero trust; your software, you talk trust, so your trusted code, and you've got zero trust. It's interesting, depending on where you're coming from, they're all trying to achieve the same thing. I mean, zero trust makes sense, but then also I got code, I want trust, trust but verified. So security is in everything now, so code. So how do you see that traversing over?

C
Recruited, but when you look at them, there's like two main classes of, like, types of exploits. So some attacker groups, what they're looking for is they're looking for zero days, CVEs, like existing vulnerabilities that they can exploit to break into systems, but there's an increasing number of attackers who are now on the opposite end of the spectrum, and what they're doing is they're creating their own exploits.

C
And so one example of this, which actually netted quite a lot of money for the hacker who exposed it, was, you guys probably heard about this, but it was an attack where they uploaded a malicious library to npm with the same exact namespace as a corporate library.

C
They call it the dependency injection attack, and what happens is if you don't have the right sort of security package management guidelines inside your company and it's just looking for the latest version and merging multiple repositories as, like, a single view, a lot of companies were accidentally picking up the latest version which was out in npm, uploaded by Alex Birsan, who was the one who did the attack, and he simultaneously reported bug bounties on like a dozen different companies and netted 130k. Wow.

B
And we have HackerOne out there. You got a bunch of other services, the white hat hackers get the bounties, that's really important, all right. What's next, what's your vision of this show as we end KubeCon? What's the most important story coming out of KubeCon, in your opinion, and what are you guys doing next?

C
She's here, yeah, yeah, she's also here at the show, and when you think about it, you know, there's always, there's, you know, hundreds of announcements this week, a lot of exciting technology, some of which we talked about, but what really matters is the community. This is a community first event, and the people, and like if we're giving back to the community and helping Detroit's kids to get better at technology, to get educated, I think that it's worthwhile for all of us to be here.

A
I'm absolutely, and it just goes to show how committed CNCF is to community, putting community first, and Detroit. There's been such a celebration of Detroit this whole week. Stephen, thank you so much for joining us on the show, best wishes with the CD Foundation. John, thanks for the banter, as always, and thank you for tuning in to us here, live on theCUBE in Detroit, Michigan. I'm Savannah Peterson and we are having the best day. I hope you are too.