Where Does Your Software Really Come From - Artifact Attestations and Open Source Verification
CNCF [Cloud Native Computing Foundation] via YouTube
Overview
Explore the critical issue of software component origins in this 36-minute conference talk by Trevor Rosen from GitHub. Delve into the challenges of identifying the true sources and build processes of open source library dependencies. Learn about GitHub's collaborative efforts with the open source community to address this problem through the development of Artifact Attestations. Discover how this new capability, now in public beta for all GitHub repositories, creates an unforgeable paper trail for open source software, verifiable using the gh CLI tool. Gain insights into GitHub's role in establishing a new signing authority for the open source world and its potential impact on fostering a culture of transparency in software provenance.
Syllabus
Where Does Your Software (Really) Come from? - Trevor Rosen, GitHub
Taught by
CNCF [Cloud Native Computing Foundation]