>>Good afternoon, brilliant humans, and welcome back to the Cube. We're live in Detroit, Michigan at Cub Con, and I'm joined by John Furrier. John three exciting days buzzing. How you doing? >>That's great. I mean, we're coming down to the third day. We're keeping the energy going, but this segment's gonna be awesome. The CD foundation's doing amazing work. Developers are gonna be running businesses and workflows are changing. Productivity's the top conversation, and you're gonna start to see a coalescing of the communities who are continuous delivery, and it's gonna be awesome. >>And, and our next guess is an outstanding person to talk about this. We are joined by Stephen Chin, the chair of the CD Foundation. Steven, thanks so much for being here. >>No, no, my pleasure. I mean, this has been an amazing week quote that CubeCon with all of the announcements, all of the people who came out here to Detroit and, you know, fantastic. Like just walking around, you bump into all the right people here. Plus we held a CD summit zero day events, and had a lot of really exciting announcements this week. >>Gotta love the shirt. I gotta say, it's one of my favorites. Love the logos. Love the love the branding. That project got traction. What's the news in the CD foundation? I tried to sneak in the back. I got a little laid into your co-located event. It was packed. Everyone's engaged. It was really looked, look really cool. Give us the update. >>What's the news? Yeah, I know. So we, we had a really, really powerful event. All the key practitioners, the open source leads and folks were there. And one of, one of the things which I think we've done a really good job in the past six months with the CD foundation is getting back to the roots and focusing on technical innovation, right? This is what drives foundations, having strong projects, having people who are building innovation, and also bringing in a new innovation. So one of the projects which we added to the CD foundation this week is called Persia. So it's a, it's a decentralized package repository for getting open source libraries. And it solves a lot of the problems which you get when you have centralized infrastructure. You don't have the right security certificates, you don't have the right verification libraries. And these, these are all things which large companies provision and build out inside of their infrastructure. But the open source communities don't have the benefit of the same sort of really, really strong architecture. A lot of, a lot of the systems we depend upon. It's >>A good point, yeah. >>Yeah. I mean, if you think about the systems that developers depend upon, we depend upon, you know, npm, ruby Gems, Mayn Central, and these systems been around for a while. Like they serve the community well, right? They're, they're well supported by the companies and it's, it's, it's really a great contribution that they give us. But every time there's an outage or there's a security issue, guess, guess how many security issues that our, our research team found at npm? Just ballpark. >>74. >>So there're >>It's gotta be thousands. I mean, it's gotta be a lot of tons >>Of Yeah, >>They, they're currently up to 60,000 >>Whoa. >>Vulnerable, malicious packages in NPM and >>Oh my gosh. So that's a super, that's a jar number even. I know it was gonna be huge, but Holy mo. >>Yeah. So that's a software supply chain in actually right there. So that's, that's open source. Everything's out there. What's, how do, how does, how do you guys fix that? >>Yeah, so per peria kind of shifts the whole model. So when, when you think about a system that can be sustained, it has to be something which, which is not just one company. It has to be a, a, a set of companies, be vendor neutral and be decentralized. So that's why we donated it to the Continuous Delivery Foundation. So that can be that governance body, which, which makes sure it's not a single company, it is to use modern technologies. So you, you, you just need something which is immutable, so it can't be changed. So you can rely on it. It has to have a strong transaction ledger so you can see all of the history of it. You can build up your software, build materials off of it, and it, it has to have a strong peer-to-peer architecture, so it can be sustained long term. >>Steven, you mentioned something I want to just get back to. You mentioned outages and disruption. I, you didn't, you didn't say just the outages, but this whole disruption angle is interesting if something happens. Talk about the impact of the developer. They stalled, inefficiencies create basically disruption. >>No, I mean, if, if, so, so if you think about most DevOps teams in big companies, they support hundreds or thousands of teams and an hour of outage. All those developers, they, they can't program, they can't work. And that's, that's a huge loss of productivity for the company. Now, if you, if you take that up a level when MPM goes down for an hour, how many millions of man hours are wasted by not being able to get your builds working by not being able to get your codes to compile. Like it's, it's >>Like, yeah, I mean, it's almost hard to fathom. I mean, everyone's, It's stopped. Exactly. It's literally like having the plug pulled >>Exactly on whenever you're working on, That's, that's the fundamental problem we're trying to solve. Is it, it needs to be on a, like a well supported, well architected peer to peer network with some strong backing from big companies. So the company is working on Persia, include J Frog, which who I work for, Docker, Oracle. We have Deploy hub, Huawei, a whole bunch of other folks who are also helping out. And when you look at all of those folks, they all have different interests, but it's designed in a way where no single party has control over the network. So really it's, it's a system system. You, you're not relying upon one company or one logo. You're relying upon a well-architected open source implementation that everyone can rely >>On. That's shared software, but it's kind of a fault tolerant feature too. It's like, okay, if something happens here, you have a distributed piece of it, decentralized, you're not gonna go down. You can remediate. All right, so where's this go next? I mean, cuz we've been talking about the role of developer. This needs to be a modern, I won't say modern upgrade, but like a modern workflow or value chain. What's your vision? How do you see that? Cuz you're the center of the CD foundation coming together. People are gonna be coalescing multiple groups. Yeah. >>What's the, No, I think this is a good point. So there, there's a, a lot of different continuous delivery, continuous integration technologies. We're actually, from a Linux Foundation standpoint, we're coalescing all the continued delivery events into one big conference >>Next. You just made an announcement about this earlier this week. Tell us about CD events. What's going on, what's in, what's in the cooker? >>Yeah, and I think one of the big announcements we had was the 0.1 release of CD events. And CD events allows you to take all these systems and connect them in an event scalable, event oriented architecture. The first integration is between Tecton and Capin. So now you can get CD events flowing cleanly between your, your continuous delivery and your observability. And this extends through your entire DevOps pipeline. We all, we all need a standards based framework Yep. For how we get all the disparate continuous integration, continuous delivery, observability systems to, to work together. That's also high performance. It scales with our needs and it, it kind of gives you a future architecture to build on top of. So a lot of the companies I was talking with at the CD summit Yeah. They were very excited about not only using this with the projects we announced, but using this internally as an architecture to build their own DevOps pipelines on. >>I bet that feels good to hear. >>Yeah, absolutely. Yeah. >>Yeah. You mentioned Teton, they just graduated. I saw how many projects have graduated? >>So we have two graduated projects right now. We have Jenkins, which is the first graduated project. Now Tecton is also graduated. And I think this shows that for Tecton it was, it was time, the very mature project, great support, getting a lot of users and having them join the set of graduated projects. And the continuous delivery foundation is a really strong portfolio. And we have a bunch of other projects which also are on their way towards graduation. >>Feels like a moment of social proof I bet. >>For you all. Yeah, yeah. Yeah. No, it's really good. Yeah. >>How long has the CD Foundation been around? >>The CD foundation has been around for, i, I won't wanna say the exact number of years, a few years now. >>Okay. >>But I, I think that it, it was formed because what we wanted is we wanted a foundation which was purpose built. So CNCF is a great foundation. It has a very large umbrella of projects and it takes kind of that big umbrella approach where a lot of different efforts are joining it, a lot of things are happening and you can get good traction, but it produces its own bottlenecks in process. Having a foundation which is just about continuous delivery caters to more of a DevOps, professional DevOps audience. I think this, this gives a good platform for best practices. We're working on a new CDF best practices Yeah. Guide. We're working when use cases with all the member companies. And it, it gives that thought leadership platform for continuous delivery, which you need to be an expert in that area >>And the best practices too. And to identify the issues. Because at the end of the day, with the big thing that's coming out of this is velocity and more developers coming on board. I mean, this is the big thing. More people doing more. Yeah. Well yeah, I mean you take this open source continuous thunder away, you have more developers coming in, they be more productive and then people are gonna even either on the DevOps side or on the straight AP upside. And this is gonna be a huge issue. And the other thing that comes out that I wanna get your thoughts on is the supply chain issue you talked about is hot verifications and certifications of code is such big issue. Can you share your thoughts on that? Because Yeah, this is become, I won't say a business model for some companies, but it's also becoming critical for security that codes verified. >>Yeah. Okay. So I, I think one of, one of the things which we're specifically doing with the Peria project, which is unique, is rather than distributing, for example, libraries that you developed on your laptop and compiled there, or maybe they were built on, you know, a runner somewhere like Travis CI or GitHub actions, all the libraries being distributed on Persia are built by the authorized nodes in the network. And then they're, they're verified across all of the authorized nodes. So you nice, you have a, a gar, the basic guarantee we're giving you is when you download something from the Peria network, you'll get exactly the same binary as if you built it yourself from source. >>So there's a lot of trust >>And, and transparency. Yeah, exactly. And if you remember back to like kind of the seminal project, which kicked off this whole supply chain security like, like whirlwind it was SolarWinds. Yeah. Yeah. And the exact problem they hit was the build ran, it produced a result, they modified the code of the bill of the resulting binary and then they signed it. So if you built with the same source and then you went through that same process a second time, you would've gotten a different result, which was a malicious pre right. Yeah. And it's very hard to risk take, to take a binary file Yep. And determine if there's malicious code in it. Cuz it's not like source code. You can't inspect it, you can't do a code audit. It's totally different. So I think we're solving a key part of this with Persia, where you're freeing open source projects from the possibility of having their binaries, their packages, their end reduces, tampered with. And also upstream from this, you do want to have verification of prs, people doing code reviews, making sure that they're looking at the source code. And I think there's a lot of good efforts going on in the open source security foundation. So I'm also on the governing board of Open ssf >>To Do you sleep? You have three jobs you've said on camera? No, I can't even imagine. Yeah. Didn't >>You just spin that out from this open source security? Is that the new one they >>Spun out? Yeah, So the Open Source Security foundation is one of the new Linux Foundation projects. They, they have been around for a couple years, but they did a big reboot last year around this time. And I think what they really did a good job of now is bringing all the industry players to the table, having dialogue with government agencies, figuring out like, what do we need to do to support open source projects? Is it more investment in memory, safe languages? Do we need to have more investment in, in code audits or like security reviews of opensource projects. Lot of things. And all of those things require money investments. And that's what all the companies, including Jay Frogger doing to advance open source supply chain security. I >>Mean, it's, it's really kind of interesting to watch some different demographics of the developers and the vendors and the customers. On one hand, if you're a hardware person company, you have, you talk zero trust your software, your top trust, so your trusted code, and you got zero trust. It's interesting, depending on where you're coming from, they're all trying to achieve the same thing. It means zero trust. Makes sense. But then also I got code, I I want trust. Trust and verified. So security is in everything now. So code. So how do you see that traversing over? Is it just semantics or what's your view on that? >>The, the right way of looking at security is from the standpoint of the hacker, because they're always looking for >>Well said, very well said, New >>Loop, hope, new loopholes, new exploits. And they're, they're very, very smart people. And I think when you, when you look some >>Of the smartest >>Yeah, yeah, yeah. I, I, I work with, well former hackers now, security researchers, >>They converted, they're >>Recruited. But when you look at them, there's like two main classes of like, like types of exploits. So some, some attacker groups. What they're looking for is they're looking for pulse zero days, CVEs, like existing vulnerabilities that they can exploit to break into systems. But there's an increasing number of attackers who are now on the opposite end of the spectrum. And what they're doing is they're creating their own exploits. So, oh, they're for example, putting malicious code into open source projects. Little >>Trojan horse status. Yeah. >>They're they're getting their little Trojan horses in. Yeah. Or they're finding supply chain attacks by maybe uploading a malicious library to NPM or to pii. And by creating these attacks, especially ones that start at the top of the supply chain, you have such a large reach. >>I was just gonna say, it could be a whole, almost gives me chills as we're talking about it, the systemic, So this is this >>Gnarly nation state attackers, like people who wanted serious >>Damages. Engineered hack just said they're high, highly funded. Highly skilled. Exactly. Highly agile, highly focused. >>Yes. >>Teams, team. Not in the teams. >>Yeah. And so, so one, one example of this, which actually netted quite a lot of money for the, for the hacker who exposed it was, you guys probably heard about this, but it was a, an attack where they uploaded a malicious library to npm with the same exact namespace as a corporate library and clever, >>Creepy. >>It's called a dependency injection attack. And what happens is if you, if you don't have the right sort of security package management guidelines inside your company, and it's just looking for the latest version of merging multiple repositories as like a, like a single view. A lot of companies were accidentally picking up the latest version, which was out in npm uploaded by Alex Spearson was the one who did the, the attack. And he simultaneously reported bug bounties on like a dozen different companies and netted 130 k. Wow. So like these sort of attacks that they're real Yep. They're exploitable. And the, the hackers >>Complex >>Are finding these sort of attacks now in our supply chain are the ones who really are the most dangerous. That's the biggest threat to us. >>Yeah. And we have stacker ones out there. You got a bunch of other services, the white hat hackers get the bounties. That's really important. All right. What's next? What's your vision of this show as we end Coan? What's the most important story coming outta Coan in your opinion? And what are you guys doing next? >>Well, I, I actually think this is, this is probably not what most hooks would say is the most exciting story to con, but I find this personally the best is >>I can't wait for this now. >>So, on, on Sunday, the CNCF ran the first kids' day. >>Oh. >>And so they had a, a free kids workshop for, you know, underprivileged kids for >>About, That's >>Detroit area. It was, it was taught by some of the folks from the CNCF community. So Arro, Eric hen my, my older daughter, Cassandra's also an instructor. So she also was teaching a raspberry pie workshop. >>Amazing. And she's >>Here and Yeah, Yeah. She's also here at the show. And when you think about it, you know, there's always, there's, there's, you know, hundreds of announcements this week, A lot of exciting technologies, some of which we've talked about. Yeah. But it's, it's really what matters is the community. >>It this is a community first event >>And the people, and like, if we're giving back to the community and helping Detroit's kids to get better at technology, to get educated, I think that it's a worthwhile for all of us to be here. >>What a beautiful way to close it. That is such, I'm so glad you brought that up and brought that to our attention. I wasn't aware of that. Did you know that was >>Happening, John? No, I know about that. Yeah. No, that was, And that's next generation too. And what we need, we need to get down into the elementary schools. We gotta get to the kids. They're all doing robotics club anyway in high school. Computer science is now, now a >>Sport, in my opinion. Well, I think that if you're in a privileged community, though, I don't think that every school's doing robotics. And >>That's why Well, Cal Poly, Cal Poly and the universities are stepping up and I think CNCF leadership is amazing here. And we need more of it. I mean, I'm, I'm bullish on this. I love it. And I think that's a really great story. No, >>I, I am. Absolutely. And, and it just goes to show how committed CNF is to community, Putting community first and Detroit. There has been such a celebration of Detroit this whole week. Stephen, thank you so much for joining us on the show. Best Wishes with the CD Foundation. John, thanks for the banter as always. And thank you for tuning in to us here live on the cube in Detroit, Michigan. I'm Savannah Peterson and we are having the best day. I hope you are too.

>>And welcome to the DockerCon cube cover here on the main stage. So HIRA RA development manager at J Frogg. Welcome to the cube. You guys have been on many times, uh, with J Frogg on the cube, great product you guys are doing great. Congratulations on all the six. Thanks for coming on the cube. >>Thank you. Thank you for having >>Me. So I'm really interested in talking about the supply chain, uh, package management, supply chain, and software workflow, huge discussion. This is one of the hottest issues that's being solved on by, with, with in DevOps and DevSecOps in, in the planet. It's all over the, all over the news, a real challenge, open source, growing so fast and so successful with cloud scale and with automation, as you guys know, you gotta ha you gotta know what's trusted, so you gotta build trust into the, the product itself. So developers don't have to do all the rework. Everyone kind of knows this right now, and this is a key solve problem you guys are solving. So I gotta ask you, what is the package management issue? Why is it such an important topic when you're talking about security? >>Yeah. Uh, so if you look at, uh, look at how software is built today, about 80 to 90% of that is open source. And currently the way we, the way we pull those open source libraries, we just, we just have blind trust in, in repositories that are central, and we rely on whatever mechanism they have built to, to establish that trust, uh, with the developer who is building it. And from, from our experience, uh, we have learned that that is not sufficient, uh, that is not sufficient to tell us that that particular developer built that end product and, uh, whatever code that they build is actually coming out in the end product. So we need, we need something to bridge that gap. We need, we need a trustworthy mechanism there to bridge that gap. And there are, there are a few other, uh, elements to it. >>Um, all these center depositories are prone to, uh, single point of failures. And, you know, in, we have all experience what happens when one of those goes down and how it stops production and how it, how it stops just software, uh, development, right? And we, what we are working on is how do we build a system where we, we can actually have, uh, liquid software as a reality and just continue to build software, regardless of all these systems of being live all the time, uh, and also have a, an implicit, uh, way of mechanism to trust, uh, what is coming out of those systems? >>You know, we've talked with you guys in the past about the building blocks of software and what flows through the pipelines, all that stuff's part of what is automated these days and, and, and important. And what I gotta ask you because security these days is like, don't trust anything, you know, um, here it's, you're, you're trusting software to be in essence verified. I'm simplifying, obviously. So I gotta ask you what is being done to solve this problem, because states change, you know, you got data, you got software injections, and you got, we got containers and Kubernetes right here, helping all this is on the table now, but what is currently being done to solve the problem? Cause it's really hard. >>Yeah, it is. It is a really hard problem. And currently, right, when we develop software, we have a team, uh, which, which we work with and we trust whatever is coming out of the team. And we have, we have a, um, what do you call certified, uh, pro production mechanism to build that software and actually release it to our customers. And when it is done in house, it is easy because we are, we control all the pieces. Now what happens when, when we are doing this with open source, we don't have that chain. We need that chain, which is independent. We just independent of where the software was, you know, produced versus where it is going to be used. We need a way to have Providence of how it was built, which parts actually went in, uh, making, uh, making the end product. Uh, and, and what are the things that we see are, are, are, uh, continuing, uh, uh, continuing evidences that this software can be used. So if there is a vulnerability that is discovered now, that is discovered, and it is released in some database, and we need to do corrective action to say that this vulnerability associated with this version, and there is no, there's no automated mechanism. So we are working on an automated mechanism where, where you can run a command, which will tell you what has happened with this piece of, uh, software, this version of it, and whether it is production worthy or not. >>It's a great goal. I gotta say, but I'll tell you, I can guarantee there's gonna be a ton of skeptics on this security people. Oh, no, I don't. I doubt it's always a back door. Um, what's the relationship with Docker? How do you guys see this evolving? Obviously it's a super important mission. Um, it's not a trend that's gonna go away. Supply chain software is here to stay. Um, it's not gonna go away. And we saw this in hardware and everyone kind of knows kind of what happens when you see these vulnerabilities. Um, you gotta have trusted software, right? This is gonna be continuing what's the relationship with DockerCon? What are you guys doing with dock and here at DockerCon? >>So we, when we actually started working on this project, uh, both Docker and, uh, J frog had had similar ideas in mind of how, how do we make this, uh, this trust mechanism available to anyone, uh, who wants it, whether they're, whether they're in interacting with dock hub or, or regardless of that, right. And how do we actually make it a mechanism, uh, that just, uh, uh, that just provides this kind of, uh, this kind of trust, uh, without, without the developer having to do something. Uh, so what we worked with, uh, with Docker is actually integrating, um, integrating our solution so that anywhere there, uh, there is, uh, Docker being used currently, uh, people don't have to change those, uh, those behaviors or change those code, uh, those code lines, uh, right. Uh, because changing hand, uh, changing this a single line of code in hundreds of systems, hundreds of CI systems is gonna be really hard. Uh, and we wanted to build a seamless integration between Docker and the solution that we are building, uh, so that, so that you can continue to do Docker pro and dock push and, but get, uh, get all the benefits of the supply chain security solution that we have. >>Okay. So let's step back for a minute and let's discuss about the pro what is the project and where's the commercial J Frogg Docker intersect take that, break that apart, just step out the project for us. What's the intended goals. What is the project? Where is it? How do people get involved and how does that intersect with the commercial interest of JRO and Docker? >>Yeah. Yeah. My favorite topic to talk about. So the, the project is called Peria, uh, Peria is, uh, is an open source project. It is, it is an effort that started with JRO and, and Docker, but by no means limited to just JRO and dock contributing, we already have five companies contributing. Uh, we are actually building a working product, uh, which will demo during, uh, during our, uh, our talk. And there is more to come there's more to come. It is being built iteratively, and, and the solution is basically to provide a decentralized mechanism, uh, similar to similar to how, how you, uh, do things with GI, so that you have, you have the, uh, the packages that you are using available at your nearest peer. Uh, there is also going to be a multi load build verification mechanism, uh, and all of the information about the packages that you're going to use will be available on a Providence log. >>So you can always query that and find out what is the latest state of affairs, what ES were discovered and make, make quick decisions. And you don't have to react after the fact after it has been in the news for a while. Uh, so you can react to your customer's needs, um, uh, as quick as they happen. And we feel that the, our emphasis on open source is key here because, uh, given our experience, you know, 80 to 90% of software that is packaged, contains open source, and there is no way currently, which we, uh, or no engineering mechanisms currently that give us that, uh, that confidence that we, whatever we are building and whatever we are dependencies we are pulling is actually worthwhile putting it into production. >>I mean, you really, it's a great service. I mean, you think about like all that's coming out, open source, open source become very social, too. People are starting projects just to code and get, get in the, in the community and hang out, uh, and just get in the fray and just do stuff. And then you see venture capitals coming in funding those projects, it's a new economic system as well, not just code, so I can see this pipeline beautifully up for scale. How do people get involved with this project? Cause again, my, my questions all gonna be around integration, how frictionless it is. That's gonna be the challenge. You mentioned that, so I can see people getting involved. What's what's how do people join? What do they do? What can they do here at Docker con? >>Yeah. Uh, so we have a website, Percy, I P yr S I a.io, and you'll find all kinds of information there. Uh, we have a GI presence. Uh, we have community meetings that are open to public. We are all, we are all doing this under the, uh, under the umbrella limits foundation. We had a boots scrap project within Linux foundation. Uh, so people who have interest in, in all these areas can come in, just, just attend those meetings, uh, add, uh, you know, add comments or just attend our stand up. So we are running it like a, like a agile from, uh, process. We are doing stand up, we are doing retrospectives and we are, we are doing planning and, and we are, we are iteratively building this. So what you'll see at Dr. Conn is, is just a, a little bit of a teaser of what we have built so far and what you, what you can expect to, uh, see in, in future such events. >>So thanks for coming on the queue. We've got 30 seconds left, put a quick plug in for the swamp up, coming up. >>Yeah. Uh, so we, we will talk a lot more about Peria and our open source efforts and how we would like you all to collaborate. We'll be at swamp up, uh, in San Diego on May 26th, uh, May 24th to 26th. Uh, so hope to see you there, hope to discuss more about Peria and, and see what he will do with, uh, with this project. Thank you. >>All right. Thanks for coming on the back to the main stage. I'm John cube. Thanks for watching. >>Thank >>You.