Explore the critical importance of securing build platforms in software development during this 35-minute conference talk from the Linux Plumbers Conference. Delve into the growing concerns surrounding the software chain of trust and its impact on security, compliance, and reliability. Examine how Linux distributions mitigate trust decisions for consumers and the challenges in evaluating distribution trustworthiness. Learn about npm's adoption of SLSA and Sigstore for build provenance, and consider the complexities of applying similar techniques to distribution build platforms. Investigate the efforts of SUSE and Flatcar Linux in this area, along with their unresolved verification issues. Gain insights into potential solutions for Linux distribution build platforms, with a focus on OpenEmbedded/Yocto Project and proof-of-concept experiments in the yocto-autobuilder2 system.
Securing Build Platforms: Enhancing Trust in Software Distribution
Linux Plumbers Conference via YouTube
Overview
Syllabus
Securing build platforms - Joshua Lock
Taught by
Linux Plumbers Conference
Related Courses
-
Putting the Supply Chain Pieces Together: A Deep Dive into the Secure Software Factory
-
SLSA: Enhancing Software Supply Chain Security - More Than Just a Garnish for Your Pipelines
-
Securing Your Container Native Supply Chain with SLSA, GitHub and Tekton
-
SLSA Conformance - Understanding Build System Requirements and Trust Decisions
-
Zero Trust Supply Chains with Project Sigstore and SPIFFE
-
Bringing Provenance to Open Source - Lessons from Npm's Sigstore Integration
