
OSS security: Chainguard May 2023 update

Tracy Miranda, Head of Open Source
May 22, 2023

TL;DR: It’s event season and our Chainguardians are speaking all over the northern hemisphere! Here are the latest updates on what we’ve been involved in when it comes to open source software security.

Community Leadership

Events

Our Chainguardians have given many talks since our last update post.

Mar 21-23: Montreal, Ottawa & Toronto Kubernetes Meetup, Wolfi - Adolfo García Veytia, Patrick Flynn & Tracy Miranda

Mar 22: InfoSys SBOM debate (virtual) - Tracy Miranda

Mar 22: Chainguard SLSA webinar - John Speed Meyers

April 7: Resilient Cyber: SBOMs & Software Supply Chain - John Speed Meyers joined Chris Hughes to talk SBOMs and more

KubeCon + CloudNativeCon EU - April 18 - 21 in Amsterdam

May 5: Building a Secure Supply Chain with Containers @ #WTFisSRE, London - Adrian Mouat

All the talks are available on this playlist on the CNCF YouTube Channel.

May 8 – 12: Open Source Summit North America, OpenSSF Day, cdCon + GitOpsCon, and SPDX 3.0 Tooling Mini Summit (Videos will be available soon).

Kubernetes

Congratulations to the Kubernetes project on its 1.27 release. This release had some unique challenges with the big shift to the Kubernetes registry, and we were glad to work with the rest of the community to help make it happen. Shout out to our guardians Adolfo García Veytia, Eddie Zaneski and Carlos Panato for their work here.

SLSA

SLSA 1.0 was announced at KubeCon + CloudNativeCon in Amsterdam in April.

“The evolution of SLSA since our original proof of concept in 2021 has been remarkable, positioning it as one of the most accessible frameworks for implementing software supply chain security practices today. The release of SLSA v1.0 represents a significant step forward in building trust between software consumers and producers, as it provides a well-established framework that outlines how software is protected and developed based on software supply chain security principles. At Chainguard, we are invested in advancing SLSA as a critical industry standard while adhering to its core principles to ensure the integrity of our offerings and the open-source community projects we maintain. We support the OpenSSF’s ongoing efforts to further develop SLSA, enabling more organizations and community projects to achieve their security objectives.” – Kim Lewandowski, Head of Product and Co-Founder, Chainguard 

For more from the SLSA community on the news, read the OpenSSF announcement.

OpenVEX

The kickoff community meeting for OpenVEX as a new SIG under the OpenSSF vulnerability working group happened on April 3. Watch the recording.

If you’re interested in OpenVEX, sign up for the mailing list and join the project’s community meetings happening every other Monday. Check the OpenSSF calendar for the full details.

Wolfi/apko

Wolfi is being extremely well received by the ecosystem for its unique capabilities that help rid base images of longstanding CVEs.

In the past month, Wolfi went on a 3-city Canadian roadshow thanks to Adolfo García Veytia with help from Patrick Flynn (Chainguard), Tracy Miranda (Chainguard) and Kelsey Hightower (Google Cloud).

Wolfi Resources: 

Sigstore

Chainguard contributed the Rekor search project to Sigstore at the end of March 2023. To help users unlock the security benefits of the Sigstore policy-controller, Chainguard also open-sourced a new policy catalog that is compatible with the Sigstore policy-controller and can be adopted incrementally to improve the security of your software supply chain.

Last month, npm announced the public beta of end-to-end signing of npm packages using Sigstore. Read Tracy Miranda’s blog post: Making Javascript secure by default.

Read the most recent Chainguard blog posts on Sigstore:

Want more?

Check out the new Chainguard website and our open source page.
