Explore the critical issue of software component origins in this 36-minute conference talk by Trevor Rosen from GitHub. Delve into the challenges of identifying the true sources and build processes of open source library dependencies. Learn about GitHub's collaborative efforts with the open source community to address this problem through the development of Artifact Attestations. Discover how this new capability, now in public beta for all GitHub repositories, creates an unforgeable paper trail for open source software, verifiable using the gh CLI tool. Gain insights into GitHub's role in establishing a new signing authority for the open source world and its potential impact on fostering a culture of transparency in software provenance.
Where Does Your Software Really Come From - Artifact Attestations and Open Source Verification
CNCF [Cloud Native Computing Foundation] via YouTube
Overview
Syllabus
Where Does Your Software (Really) Come from? - Trevor Rosen, GitHub
Taught by
CNCF [Cloud Native Computing Foundation]
Related Courses
-
Bringing Provenance to Open Source - Lessons from Npm's Sigstore Integration
-
Growing the Chain: Trusting Build Provenance from Userspace
-
Building SLSA 3 Conformant Attestors for Artifacts Generated on GitHub
-
Authenticating Supply-chain Metadata - Building Remote Code Attestations on GitHub
-
Supply Chain Security in the Enterprise
-
Where Is the GUAC? - Understanding Artifact Composition in Software Supply Chains
