Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Continuous Delivery Foundation / Software Supply Chain SIG / 23 Jun 2022
Continuous Delivery Foundation / Software Supply Chain SIG / 23 Jun 2022
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Software Supply Chain SIG Meeting - June 23, 2022 (Project Pyrsia)

Description

For more Continuous Delivery Foundation content, check out our blog: https://cd.foundation/blog/

A

Thanks for joining us, hello, so yeah, we can uh slowly get started and others could join on the way yeah. So, first of all thanks everyone for joining the meeting- and I believe some of you took part in taking our site committee meeting as well on tuesday and the project persia was discussed there as well, and actually I got to know uh sundhindra thanks to melissa on.

A

She introduced me to sundin a few weeks ago to have a presentation in our seats, and that was a good idea and that's why we have similar with us today, and that is the only topic on our agenda, because the discussions happening within toc and we will we may have doing this meeting- may change the may impact on this proof of concept idea as well.

A

So let's have the presentation from sudhindra and hopefully a demo, and then we can use the rest of the meeting for open conversation about how we can collaborate on software supply chain together and look for you know, potential opportunities per year as well. So I will stop sharing so feel free to start. Okay,.

B

um Thank you for having me here. I will share a slight deck. Are you able to see my my slide diapers here? Securing oh, it's just supply chain. Yes,.

C

Yes,.

B

Okay, great.

B

Okay, okay, um so uh this is a project that uh we have been working on uh at jfrog. We kicked it off um uh six months seven months ago and we have been. We have been since uh talking about this and sharing our ideas, and um now now we get get a chance to talk to you and see what you think about it and um see what your feedback on this is. uh So my name is a little bit about myself.

B

My name is sudeen rao I am at jfrog uh I uh I did um a lot of uh what you call what we called as partnership integrations and uh through through collaboration with steve steven chain. We sort of kicked off this idea about persia. We saw some gaps in the open source supply chain and and possible solutions. So here is um here is what we think about it and what we are doing.

B

Okay. um So if you look at the current state of uh supply chain, um it is, it is pretty uh uh grim um and when I, when I say supply chain, this, this supply chain also has its challenges given given what happened in the last two years, but we are not going to talk about this supply chain.

B

We are going to talk about the supply chain that affects uh what we do, which is the software supply chain, and- and if you, if you are in the software, well you you must have heard about the solarwinds uh software uh attack that happened and that keeps on that keeps people on their toes even today. That also has uh triggered an action from the federal government in the of the united states to to bring together people uh uh who are, who are experts in this field to actually solve this problem?

B

uh Well, so this is the problem. We are going to talk about um some examples of what has happened uh in the past.

B

I don't know if how many of you remember the famous equifax data breach, uh and this happened because they did not keep their apache struts up to date, so a vulnerability vulnerability was exploited and that has exp that has exposed millions of users of personal data, credit card information, etc, etc. Even today, I I know of people who receive mortgage or work all kinds of information based on their data that may have been breached um during this attack. So this still, this still affects and hurts people.

B

Another example which is very recent, um is the lock 4g lock, 4g vulnerability, lock for work for shell, uh which which has been in production for many many years and and this vulnerability has affected many many installed systems, um and if you are, if you are in this field, you see how many people actually are burned by this in terms of producing the fixes, putting patching the fixes in time and so on. So every time we don't do the right thing for our open source software, it hurts us really really badly.

B

Another example very recent may may time frame. uh This happened with the rust community, uh and this is this is a typo squatting attack. uh But these kinds of malicious attacks happen on the on the software supply chain which affect the open source systems and and then they affect install basis.

B

And here is a recipe of how a hacker can actually masquerade. uh Somebody somebody's you know expired domain and uh and take over their uh their maintainer uh credentials and then and then cause you know, cause damage. uh So every aspect of this supply chain needs to be secured, uh and, and if you look at a look at how we do it, we don't have, we don't have a good plan and whatever I shared so far, it's just the tip of the iceberg.

B

There are many many vulnerabilities which we don't talk about as much which don't get enough press which don't which are which are which kind of are hiding uh because they are not being exploited today uh and, and all of them are uh how they, how they are. You know exploiting the open source uh side of things. So what are we going to do about this?

B

uh We uh and and when we use this open source software? Currently, uh our our uh knee-jerk reaction is. Has it come from these? um You know central repositories that we have implicitly trust, uh but that is not enough. There have been situations when these uh these central repositories uh have been unavailable for hours together. Thus stopping just pass through production, there have been attacks that that have, uh you know, put this uh trust, uh a question, a question. This trust like. Should we even blindly trust this?

B

Do we need more trust mechanisms and- and there are people who are working on building better mechanisms to uh to prove this trust?

B

uh So, given all that current state of affairs is that uh we are picking software that you find on the sidewalk and sticking it into our production system, that is the state of affairs. We are living in right, which is pretty grim and we need. We need to do something about it to to seek to provide the trust that is missing to to secure the software supply chain.

B

uh So some work that has happened in the past uh in in the very recent actually after the solar news attack- and all of that is this- is this emphasis on building software bill of materials. There is also a white house executive order, which says: you know we need. We need tools and technologies so that this becomes easy.

B

This becomes uh transparent, and this is here, is a blog that uh that talks about um the software bill of materials there is, there are research groups that are working on actually uh putting putting a framework in place, and one of the frameworks you might find in literature is the salsa framework uh where, where they're talking about in details, how the software supply chain can be hacked, what are the areas that need attention how they are exploited?

B

uh What do you need to reinforce, etcetera, etcetera and here are here, are like the eight uh nine gates which you know or attack vectors uh in this very simple cd flow and, if you're doing real software development, you know that the ac, a typical cd flow, is much more complicated than this. It has much more air levers and inner out gates which, which means that there are more attack, vectors and more more places uh that that an attack can happen right uh at jfrog.

B

We talk about this vision that you know we we we need to be in the future where, where software is liquid and to make that possible, we need we need. We need a supply chain. That is automated. That can be implicitly trusted and that that is always available that you can depend on. You should not need to. You know, stop your flow to production, because one one uh element of that supply chain is is broken down down, not available, etc, etc.

B

Right, so that is what will relieve us from uh from the daily drudgery of figuring out, where this needs to be deployed, how it needs to be deployed, etc. uh So we need something that that allows that automation.

B

uh So allow us to present persia and- and uh we are calling calling this project which will which will provide you a consensus based, build network. It will provide you a provenance log and it will provide you the decentralization which is currently missing so that you, you can depend on it.

B

Let's dig a little deeper into into these right and what we intend to do is uh provide a a network of of system uh which is secure by design which is reliable and which is open, which is built in open source and built in. You know, in a way that uh that is not governed by the just one organization right, and that is what will bring. The trust is what we feel, and that is what will make it automatically trusted.

B

Here is a little bit about. You know how the word persia came into me uh and why we thought that is a good good idea to use for this project. So again in ancient greek warfare. They use this technique of communicating via a set of torches to signal of impending dangers, and it is a decentralized distributed communication mechanism and we thought that, since we are building something that is decentralized, uh that is a good metaphor um to call this project. So that's where persia comes about.

B

If you wanted to learn more I'll, send this uh this presentation along and you will have the links, um so you can learn more about it.

B

Yeah, so how does persia look like persia? uh The basis of persia is first, is it needs to be a distribution network and not a central location, because central locations are uh prone to uh single point of failures, uh so we we plan. We are. We are leveraging peer-to-peer technology so that computers can connect to each other and have that resilience across the network.

B

Using peer-to-peer technology allows for high availability, because multiple peers can stream that that same software to you faster, think, think bit torrent or similar technologies right and and thus you will get a higher throughput, so we are looking at persia as the decentralized package registry. So when you connect to it, you have you, have the power of this whole network uh to back you uh with whatever you are trying to build.

B

Persia will also contain uh a consensus based build network today. What happens is that a open source developer tells us that they have built a binary and committed it to npm or ruby gems or maven, central or whatnot, and it is based on a certain git shock and they might tell us using some some mechanism, which is not provable. It doesn't tell us that this binary has been produced by this git shop for sure there is no one-to-one link. uh If you, if you reflect on what happens in uh in in-house software development.

B

Actually you know the developer, who has built it. The developer also gives you the whole cd pipeline that the software has gone through, and hence you trust the binary that has come out on the other side and that you that you can deploy that trust is missing. So persia uh is working to provide that trust. So what what perceive will do is it will ask the open source developer to give us a commit hash, and then persia will uh randomly pick some nodes on the network to build them.

B

Build the binary uh independently and multiple nodes on the network will build that independently and and then verify it that the result was the same, so that so that then that can be actually used uh for uh for downloads. So that's what persia will provide. It will build a consensus network uh which will make sure that all this uh that the binary is uh is built from asia, that the uh open source developer is uh claiming.

B

So there will be this this, uh you know, trust automatically built because now you know where it came from where your, um uh where your uh open source library came from here, I, like an analogy. One of my colleagues bill manning, is using to describe open source supply chain. He talks about a cake. So when you are making a cake in the recipe you want to pick elements or ingredients, and you know you want to know where they came from. You want organic things or you want.

B

You know: free range, free range, animal products and so on right. We need that same trust to be to be put in this software, because this software potentially is going to also be part of some healthcare product that you're, using and and so on. Right. So we need. We need that emphasis, and that is what is missing and that's what persia wants to bring bring the transparency so that you can.

B

You can eat that cake and knowing where, where it was built, where the parts of it came from uh per se will also have something what we are calling as a provenance log. uh Today, when we look at open source library, we we can't ask these questions where it came from who built this. uh Was this really built by the open source developer or was there a malicious person coming in between and pushing uh pushing final binaries, which happened in the case of open uh solvents right? We don't have.

B

We don't, have a place to go and ask these questions if you want to uh build a build, a software bomb today, it is a month, many month, long process. I used to work on a kubernetes product for which we actually built the kubernetes binary in three months, because we have we have to keep uh up to date with the uh with with the kubernetes releases, but then it took us three more months to actually build the supply, the the s-bomb, because it was a manual hugely manual process.

B

So we want to get rid of that manual process. uh So per se, will provide this prominence log where you can ask this question, give me the list of dependencies and their transitive dependencies and so on. Right and then percy will also record. You know if there are vulnerabilities discovered. What is the link between the previous version, the vulnerability and the next version, and so on, so that you can make decisions based on that currently today? What happens? Is the release manager basically actively looks at that?

B

Does a manual process of thinking and then does it with this process. What, if we have? We had that uh information baked in into this log, where you know, okay, this vulnerability has been fixed in this version. It's ready to be deployed. You can just run it through your cd pipeline. If nothing fails, you can just deploy it and and remove the human element right and personally, the provenance log will provide all this information and and and also provide you know ways for you to build.

B

On top of that, so you you can build automation that suits your organization or the way you build software, so that uh so that you can make the put those decisions in place so and essentially what we want to ensure is persia is really easy to install and use so that you can, you don't have to change the way you are building software today, but still persia provides you.

B

The the added benefit that persei is promising, uh so you can use the persia, so persia will come with a uh its own command line uh interface, so you can use the persian command line interface to interact with the provenance log, to ask questions to fetch images. Look at the image look at look at the binaries and so on right, but it will also provide integration.

B

uh So we have built one integration with docker where, where you can continue to run the docker commands, but persia will will act as a as a proxy layer between docker and and your ci cd system, so that you don't need to change any of your docker commands and still get the benefit from persia. Persia will give you the benefits of downloads via peer-to-peer and and verification and the providence log. So that is our. That is our main goal uh and we have we do have.

B

uh Actually uh I do have a demo and I I'll do something better than that. um We have this demo. I have a. I have a youtube recording of it, uh but I won't. I won't be labeled here for the demo, but I'll tell you what the demo is about uh on the web on our website. We also have the script that allows you to run the demo, so you can experience uh persia uh and and give us feedback on what you think and I'll leave links for all this here.

B

But basically, what we have built so far is uh is the docker integration where, when you pull a docker image, you get you get the docker images via persia and have the benefit of not uh traversing the network.

B

Right and also, let's say you, you uh yeah, you are downloading large binaries you'll have the benefit of just downloading it from uh it from the persian world and without changing your ci system. The one thing that we learned when we were thinking about it and thinking through the design process and talking to uh talking to our users is that uh there are many many. uh There are many many more lines of code that you would have to change.

B

If you were to ask people to change their ci systems right, so we want to avoid that, and I have have people still continue to use, docker pull or go, update and uh and similar commands. So we'll build integrations in that in that way, so that it's transparent, yeah here is a demo link and I'll share that with you uh and uh okay. And then I want to talk a little bit about the um the architecture.

B

uh What and what it will contain um and then maybe I'll give you some stats about uh where this project is and then we'll open for questions. uh So essentially, persia will come uh come with uh with its own. uh What we are calling it as persian node, so you install the persian node and it will have. uh It will have the ability to integrate.

B

With uh with uh all these uh language platforms, we have started with docker, because when we started we looked at we we looked at the landscape and found out that you know, regardless of your language, use, you're, probably using docker, and that's probably where we should start so that we can get get a meaningful impactful software out there and get feedback from the from the community and also docker, who was our first partner, was really uh you know, excited about doing this and they gave us all the you know: technology help that we needed.

B

So what we have is is the docker integration. We are now building the java integration, which we contain maven and gradle uh and those and so on, we'll we'll start building uh integrations for other languages.

B

Having said that, we are not the experts in all these languages, the ones I mentioned docker we have help from rocker, conan jfrog maintains it. So we we sort of know how how to support the c plus plus community, but for all the others. We are looking from here for help from the community right and we want it to be driven by the community.

B

To tell us whether you know the apis that we are building are sufficient or they need to be modified or and how how that needs to be done and how it will will it work with uh with systems that are vastly different, like maven, ecosystem works differently than go ecosystem versus ruby ecosystem and so on. Right and we can, we can do our best guess work, uh but we would like um help from the community and that's what we are engaging with different communities and talking to different organizations to sort of contribute to this.

B

My sorry, my okay, when we looked at persia people asked us about you know what what is that? What is the security model? How do we know uh what we are building is trustworthy and how do we? uh How do we enforce that uh so we'll uh so there are. There are technologies that allow for reproducibility and that's what we will leverage uh when the language allows that and a simple network consensus would be enough.

B

In that case, when we have, when we have an unreproducible, uh build a situation um in case of java c, plus pluses, etc, we rely and docker. Also we will rely on the trusted registry. We will build the same and then verify with the trusted registry, whether the binaries match and and that's how that's, how we will ensure that that there is enough trust. uh Also, if there's a question about how do we take in uh open source libraries so that they are built right?

B

So, in that case, all of that comes from the source and will rely on the source like github and gitlab, who have who already have mechanisms to verify that the developers who they say are and and and they have they have the pgp keys to verify that they are actually committing what they are claiming they are committing.

B

So that's how we ensure that what comes in is good and that's how we ensure that what what we are actually committing to what we call the persian network is trustworthy um here here is how we're going to get started. You can install persia. There are some persia commands you can use. uh It is pretty um what you call simple right now, which tells you the state of node, whether you're connected to peers- and it tells you how many pairs you have connected and on your ci system.

B

The big thing is, you don't have to change anything on your css. You don't have to install anything. You continue to do docker pull, but when a docker pull happens, then it automatically um uh goes through the persian node. What you need to do is a configuration change where your docker uh docker client connects to the persian node instead of going doc directly to docker, and there are instructions uh in in the demo script as well.

B

A little bit of about what is inside, uh we, we are building all this in uh rust, uh because we want to support multiple operating systems that we want to engage as much as the community, with various uh various various flavors of linux or unix and windows as well.

B

We have uh we are relying on. We are using open source software already. We are using p2p, which is part of ipfs, which is another project which which has done a good job in distributing files on a large network and and we are using the rust implementation. In fact, we have actually discovered a few things in that trust implementation and have made comments back. So we don't want to keep things that we discover to ourselves. We want to give it back to the community.

B

We are using an immutable ledger to store store our provenance log, and we have. We have chosen a open source, uh blockchain implementation called lf uh to help to help us with the consensus on that. um So what we are working on- and we are- we have uh we presented this at uh uh at a recent event where we, where we uh shared, that we are building a providence log that will allow you to do a lot of this automation.

B

We are also building a uh the ability to stream large binaries uh over the over the peer-to-peer network, so that you know you can you can get multiple uh pieces of the binary stream to you and and thus have higher throughput, and then we are also building the infrastructure that will help you do the build part of it. The consensus build part of it uh here is how we started and where we are. If you want to find us, we have we are on.

B

We are on the openness of slack when we started, uh we are aiming to build a mvp or the first release um uh sometime this summer early summer, we're already collaborating with with projects. We have individual contributors as well as contributors from different orgs. We are also engaged with projects that are working in the similar field. Like six store, you may have heard uh or not, or no tribute to v2, where we want to integrate with them instead of rebuilding. That uh here is what we have done. uh We have since the beginning.

B

We have had all the all everything that we are doing in public. uh We we have a google drive which is shared with with you. When you join, uh we have public meetings, they are all recorded, you can join, uh you can listen to them uh and uh and give us feedback. uh We are running it as a typical agile project, so you can join uh our daily stand-up or you know our retrospective or uh our sprint planning to find out. What's going on.

B

We also have community face face-based meetings every two weeks to talk about where the architecture is going or where the project is going in general, etc. uh We are also uh engaging with the community via various uh you know, meetups and- and discussions like this- uh to to engage, get feedback and and move forward.

B

uh So if you would like to get involved, uh first thing go to our website. First, air.io really easy to remember, give us feedback either. You know, give us give us on uh the twitter handle, go to our github, give us feedback. There join any of the team meetings uh and uh if nothing else, you know tell your friends that we have this project going on and we are looking for people to get involved so to to summarize, you know, supply chain attacks are still still here uh before and after covet, they are still active.

B

The hackers are still active. uh Nsa nsa is still worried uh about the severity of these attacks and we need to do something about it, and persia is trying. Persia is one effort which is trying to make to change how we build open source software. So please join us.

B

And thank you I'll open it up for questions.

A

Thanks indra, I see a question from ankit.

B

Yeah ankit tell me.

C

uh So I uh so I just had you know like one question, uh so if I have you know, like my images in say, you know like amazon, uh will this also work like it seems like it works mostly with docker hub or maybe with you know, like artifactory store, I mean uh uh so like that's that's like that is the one question I have.

B

So so the one so uh what persia has built is built for open source and we want to so I I think when you say aws ecr, it is not the open source ones right, it is. It is the ones that are built by you. uh So on docker hub, we are only only pulling the images that docker themselves have certified and verified, uh and that's that's how we maintain the trust, so anything that is open source that has been again built by docker and published under the uh uh under the default.

B

uh Namespace is what you will have available with persia. Persia will not be able to integrate or pull images from something that is closed source, because one thing that persia needs is the is the git sha uh of of of the source so that you can pull it and build it independently.

C

Okay,.

B

So.

C

uh Sorry go ahead: yeah does that make sense, yeah yeah, uh uh so you know, like amazon, also has a public. You know like gallery today uh where we can also store. You know like open source.

D

Images.

C

Does.

A

That.

C

Work just.

B

So steve, do you want to dash.

D

Yeah yeah. Let me let me try to answer the question, and um so I I think that, like the way of thinking about this is um what the the backing store for persia is a a verified, build from source farm for open source projects.

D

um So you can't upload anything to the persian network. Like you can't um push images into the perseid network, you can only pull images which were built by the persian network from the peer-to-peer system.

D

So, even if you have an open ecr you could you could pull things from perseid down into your ecr instance, and you know, carry the signatures with them. um If you wanted to redistribute them via container registry, um but if you've pushed images into a into a um like, for example, ecr, even if you built them yourselves from open source, um the the guarantee on percy is everything coming from the persei network is built by this distributed, um verified, build from source infrastructure.

D

And it's not jfrog specific, so all the member companies will be running an instance of this, so jfrog docker, deploy hub is also a member company. Oracle is a member company future way. um Who's is one of the cdf sponsors and also huawei, um and we're welcome and we want more people to to join the project and and also run this infrastructure, but as a as an end user, using it you're you're, relying upon the builds of open source projects from these companies to be built, verified and that's the the provenance and the um like.

D

The the origin of the builds you're pulling.

D

Okay, does that answer your question.

C

uh Yes, yes,.

D

Okay, thank you.

B

Hey brett, I read your question is: is there plans for kubernetes support? Can you say more? What do you mean by? uh Is it other than pulling images for kubernetes or.

E

Yeah well, okay, so um we don't use docker we're phasing docker out of our pipeline, everything's gonna be kubernetes and so docker pull while that's great. It doesn't help us. um So I'm trying to figure out where this fits in my pipeline, and so what I heard was is that it's only for open source images right so now, you're telling now it sounds like these would be my base images right. So engine x, um uh you know whatever I'm pulling down um that I would normally get from docker. I o uh the docker hub.

E

um We don't in the future we! So we try not to pull images from docker hub because they rate limit on us and it breaks our cicd pipeline. um So we pull the images from docker hub, scan them and stick them in a private registry. So what I'm hearing is that what I would do with uh persia is. I would um use persia to pull these images from the persian network, scan them and then put them in my private repo and I'd have a much better um feeling about the the authenticity of the image.

D

Yeah does that sound about right, yeah? So to answer your initial question like yes, there is plans to um to include cube control and other kubernetes tools to add first class persia support for them um on. Unlike the use case scenario, I think you got that accurately. So, um first, when you pull things off the persian network, obviously you're not rate limited at all, um and so that's you don't run into the same issues you hit with, for example, pulling from docker hub.

D

It still is a best practice to especially if you're, using it for builds or an enterprise system to pull it into your own repository manager, and we have a command line tool for persia where you can directly buildings from the network, put them in a local folder kind of do what you want to with peer-to-peer images. So you could do your own integration via the the persia command line tool or for repository managers which support it.

D

um They should treat persia just like a an upstream remote repository, so it should be pretty straightforward to just swap out docker hub for persia as the upstream repository.

E

Okay, um so yeah, I mean we're in the process of I'm in the process of implementing salsa in our pipeline and we're shooting for level four. So we're talking sign provenance, zero trust. So I I'm gonna, pull the images down scan them.

E

You know create signed provenance for them and stick them in my registry and then I'm not going to use them unless I can verify that they're signed even internally, so um that's kind of what we're up to so. I was trying to see where this fits in. So it sounds like I use this for um populating. My internal repo yeah.

D

Exactly and I I think, you're the the guarantee you're getting by by pulling it off the person network in general. um We're working on phase two of this architecture now is um like, in the case of docker official images employing from docker hub you're, basically trusting docker as the only one who's built and verified these and um yeah.

D

So we we in general, we think you, you shouldn't you shouldn't trust us, you shouldn't trust jfrog, you shouldn't trust docker, but you should trust the aggregation of um many different companies which are building and verifying the same image. And, yes, um you know some large companies, like um you know, google, microsoft and others have their own internal, build from source farms where they they they do this, and they, of course, only trust themselves.

D

But um we we think that this sort of infrastructure should just be free available and something that all companies can rely upon. If it's a shared infrastructure, where it has a a trust model where you're not relying upon a single entity but you're, relying upon the majority of the consensus of all the companies involved,.

E

Yeah and I'm I'm super excited that you guys are seeing this because I have been mulling about having basically like a twin pipeline for my software, where I build my image in one pipeline and I build it in the other pipeline and then I compare the images and see if they're the same and um I've been thinking about it.

E

Now it's one of those ones where uh you know I have to have all these priorities to keep getting pushed on me and I got to get all this stuff done and the twin pipeline sounds like a nice to have and it's a lot of compute, but I'm. I appreciate the idea here and.

D

Yeah- and so I think, the other thing which which will come out of this, which should be helpful to you as well, is um we we plan all this a to be built on cd technology, cd foundation, technologies like um techton and cd events and on all open source and b. I think it should also, especially our build pipeline portion of the project should serve as a great reference architecture.

D

If you want to run your own, build from source internally and.

F

You.

D

Know either build open source projects or even internal closed source projects. I think it'll be a great reference architecture for that sort of infrastructure that you run yourselves cool.

B

Yeah, hey brett, so just if you're thinking about it, please please join us in one of our calls. We will take all kinds of input if you have a rough sketch of what you. What do you think is a good idea. What do you think is a bad idea. Please share that with us.

E

You don't have to contribute.

B

By lines of code, only you know what I say: okay, that's.

E

Cool um yeah, no, you know, I don't trust anybody anymore so and the more the more I've read the suspect, more paranoid. I get, and I haven't done anything to talk about security since uh january and I quit being an assist admin because I was tired of security and I went in the development now here. I am 15 years later right back where I was worried about security all the time so.

C

um But.

E

Yeah, that's pretty cool and it's written in rust. It makes it better right.

A

Yep.

A

So I I want to highlight something we have been discussing within the speech since the sea was formed around february or march, like we have been looking into how sig evans started working with the topics they have been working on, like this unstoppable the first one of the first things they have done is to bring up some kind of proof of concept, and that has been one of topics we have been discussing within our city as well.

A

It would make a lot of sense to look at persia to see like how we can. You know collaborate on that more concrete approach to these things, because, when you put persia in this type of you know pipeline using different uh cdf technologies, like you mentioned still, that may make it easier to grasp the details and the benefits of the project, and that could also perhaps become input to reference architecture. You mentioned.

D

Absolutely.

A

So anyone else- okay, andrew, has a question there.

D

Yeah, okay, so andrew's wondering if percy can also validate open source projects that aren't built into images like libraries. So we um we're planning support for a bunch of different programming languages and the intermediate build artifacts um so um with with oracle's our partner.

D

One of the first targets is going to be the java ecosystem, we're working with their build from source team and um they're they're interested to build as much of the java ecosystem um that we can reproduce and verify um as possible so that they can use it both for their internal purposes, but also open up to the world and have a more secure source. Repository for for java. Jars same applies to javascript, to um at pi pi to to go and to rust, of course, because we're building on top of rust.

D

um Now that said, student intervention just a little bit earlier, um so we we're going to build out as many validators as we can and um work with the open source community on these. But we, this is an area we need help with for folks who are experts in different language communities and and are interested to um to build a a um an integration point into into different ecosystems.

D

So I was chatting with um terry from sci code yesterday and um he's interested in specifically doing something in the pi pi space, because that's that's an area which he's very passionate about, um and we, I think we are looking for folks who are like super passionate about a particular ecosystem to be either our advocate or to to take a pass at doing an implementation of an api for a language, specific library. But from a persia architecture standpoint we can store different artifact types from different languages, but we want to do.

D

Is we want to make sure that when we say that we support ecosystem, that we have a good broad base of support such that it's it's easy for you to integrate with that system as a as a software developer, and also from ci cd systems and and build pipelines down the down? The stack.

F

Yeah, okay, thanks! I uh sorry did you were you gonna say something else yeah I I asked because um sass is majority a go shop um and I've noticed that one of the things that scares me even more than pulling random images off of docker is you know, finding an open source library. That's like man, this thing's really useful. I'm gonna throw this in and use it, and I haven't read every last line of code.

F

So that's why I was curious.

D

Yeah yeah so so go go is one of the ecosystems that we're planning to support. um I I think that it, it is something we actually use quite a bit at jfrog, so like x-ray, a lot of our products are written in golang.

D

We we chose rust for this project um because we wanted to make sure that we'd have more ability to do code, code, verification and reason about the security of the system, and I think, in terms of like modern languages, which are very security, focused rust is kind of leading the edge, but I mean goes a great language as well, and that was would have been our second choice for this implementation.

E

So um we've got a bunch of uh we've, got a bunch of npm crud running around and I think, like in the grand scheme of things, the scariest uh language that pulls random packages in off the internet has gotten to be npm so, and I think it was on the list. Is that going to be support.

D

Yeah yeah, we will support npm. Now, um speaking of security exploits most of the security exploits, are our research team finds are in npm um and there's there's multiple levels of of issues there? So um it's very easy to upload things um with no verification.

D

um They they don't. um They don't really lock down name spaces.

D

So it is very vulnerable to to typo squatting attacks to dependency injection attacks because they they they do zero verification of of your your namespace that you're uploading to- um and it's very easy- you know you think you know javascript is- is um just text, but it's very easy to obfuscate the code and hide malicious libraries which are impossible to reverse engineer.

D

If you don't have the original source it's built off of so again like doing doing your own verification of these is is almost impossible because of the obfuscation of the libraries you get out without the original source code and that provenance about exactly what you're getting.

E

Right, and so I can one of the things I can see persia fitting in for us- is it it ends up being a proxy before we pull stuff in and stick it in artifactory, because yeah we're we're a jfrog shop. um We helped.

D

Yeah, and so so from like an artifactory standpoint, it will just when we implement support for it. It will just be another repository option that you can choose so from that.

F

Standpoint.

D

It should be easy to set up and configure to pull from persia, and you could still pull images from other sources, but at least the ones you know pull from persia. You know the the provenance. You know that they're that exactly what you're getting is what you would get if you built it off source yourself.

E

Right, okay, um artifactory cloud, so we've been talking about going to artifactory cloud. I don't want to turn this into a jfrog meeting, but are you guys gonna have a way for perseus to integrate into your your cloud, offering.

D

Yeah I mean it's exactly the same product, so it would treat it. It would look like a remote repository in artifactory cloud, cool, yeah.

B

And I wanted to just make a comment because earlier also ankit mentioned, you know your your your jfrog, so artifactory integration is obvious. One thing I want to highlight is artifactory is meant for you to do run your business right, but what we notice is that we don't have the same emphasis uh that we have for in uh what homegrown software for open source, and that is what persia is trying to fix.

B

As jfrog, we will bring everything that we know about efficiently, storing artifacts and you know, indexing them and doing all the kinds of cool things that we are doing in terms of storing and retrieving artifacts. But this is not meant to default to artifactory or anything like that. This is meant to solve a problem for the open source community and which is why you'll see that you know we integrate with docker, because that is what is most used and so on, and its emphasis is on open source. Artifactory focuses more on.

B

You know your proprietary software, I would say.

E

Right, um we use artifactory to store our onboarded third-party libraries, which a lot of them are open source. So that's why I was going down that route. I'm just.

C

Trying to.

E

Get trying to figure out how this thing's gonna fit into our pipelines, because you know we're not producing open source software. We're producing. You know a product that we sell, but we use open source software, so um yeah, I'm just trying to figure out where we're gonna stick. This thing.

B

uh One of the one of the ways this might might get used in your your system is, if you, if you are to, were to run a small set of persian nodes, and if you are downloading the same things over and over, you could now rely on your set of persia nodes to get the throughput that you need without having to go all the way across the network and when a new library comes, then you can do that. Think about.

B

You know, think think about the same mechanism that you use today to you know, replicate your git repositories. We would like persia to act like that and give you that resilience as well excellent.

A

Okay, any other questions.

B

Now let us know if you have any other questions offline, I'll I'll. I put the presentation link on the hack md, uh which has all our contact information um as well.

A

Like we give action items to whoever joins to our uh fig meetings, can I do the.

D

Same thing,.

A

Now, uh if you go to the repository I linked on the chat, there is a presentations repository on github under cd foundation. We store all the presentations we get from uh projects there. I will create a folder there for spy chain and send the mail to you. So if you could export your slides in pdf.

B

Form.

A

And store them on apple, so we don't use the google doc link.

B

Oh! Yes! Yes! Yes, more than happy to do that.

A

Thanks and one last question uh follow-up of technology community meeting discussion, steve uh taylor, mentioned that you are thinking of proposing persia yes by opening a pull request. So.

B

We are working on that yeah, okay,.

A

So we should uh monitor the tlc report to see yeah.

D

Yeah so so we're working we're working on putting the pull requests in. I think what we can do is send a um an email out to the to the talk mailing list to let folks know when the poll request is available. Maybe use that as a thread to answer any questions that folks have about it and if, if we get good alignment and folks are in agreement, then you know ask folks to approve the pr.

A

Yeah yeah, okay, I I will follow the choose, my english, because the reason why I love asking this because if the request goes there, maybe keeping all the feedback on pulley pests would be good for historical purposes as well.

A

Otherwise, people need to find the mail thread on mail list and vice versa. So.

D

Yeah we could we could. We could do feedback on the pull request instead, so you want me to like send an email and then we direct people to the pull request to give feedback.

A

Yeah yeah yeah, it's like if they like. If they put their feedback directly on pull request, then it.

E

Yeah.

A

Okay, thanks a lot for this steve presenting this, it looks very interesting. I actually installed the project and tried that, and I I think that was something I mentioned to one of the comic members as well like we were looking for something like that last year, when docker hub introduced rate limiting and.

D

We, I don't remember what did.

A

We use, I think we used podman as a fallback solution which didn't work on ubuntu 18 or something so it looks pretty cool, but now it is a new project, so hopefully more things will be done within the project, yep. Okay.

A

So uh with that the next three things of our six should be on july 14th, but usually we take a break for six meetings, not just hours, but other successes are during july because people go for summer holidays. So I will send notifications on mail list and slack about the next meeting. If we are having the meeting on july 14th or not and depending on the response- and we can cancel those meetings- and we come in after that uh at a later date.

A

But again everyone, please look at qrc reports start watching the jose repo to see when uh persia pr heat start. Also, please subscribe to your's email list if you want to get notified via mail as well, and with that, thank you again, everyone for joining and if you are taking time off very nice summer whole day. If not, then we talk to we see each other in few weeks. Fine, thank you.

D

All right thanks thanks.

E

Everybody that's.

A

Cool.