💬 @AlphaOmegaOSS talks about securing open source by scanning & repairing thousands of libraries at #OSSummit. Learn about how they tackles scaling, data handling, and unknown vulnerabilities. #OSSSecurity
💬 Join Fredrik and Radoslav to secure your software supply chain using GitHub’s Build Provenance API, SLSA attestations, Minder, and tools like Sigstore, TUF, and in-toto.
💡 If you're interested in Sigstore, join us for a demo at 11:30 at OpenSSF booth!
#OSSummit
⛓️ GitHub Artifact Attestations is now generally available
Create provenance and integrity guarantees to verify what you have built within GitHub Actions can be traced back to its source code
→ Meets SLSA v1.0 Build Level 2 requirements
https://t.co/rpcB07vOEM
@trishankkarthik #1 I like a helmet mounted light so I can point it at them and make sure they see me. I use "VIS 360° Pro Helmet Light".
#2 I've used the CYCLIQ cameras, but the mount broke and I never bothered putting it back on.
Proposal for a pattern of implementing "Trusted Publishing" for all package repositories. Besides improved security, this should make it easier for maintainers to publish their software by getting rid of the need to manage all those creds?" https://t.co/jIWmvPx4ON
@TheStalwart@tracyalloway@dsquareddigest As a consultant gathering requirements, 95% of the conversation tended to be about how things are supposed to happen, my job (and I though my value-added) was to ask, "And what do you do when things don't go as expected?".
SLSA just merged a _draft_ of the Source Track which takes SLSA beyond just builds. While there's still more work to do to get it out of draft it's great to see this progress. Many thanks to all the SLSA contributors for making this possible! https://t.co/cRptLMVjqw
Starting today, PyPI package maintainers can publish via Trusted Publishing from three additional providers:
- @gitlab
- @googlecloud
- @ActiveState
They join @github Actions to support publishing without long-lived passwords or API tokens.
https://t.co/TsRa31XOkv
@trishankkarthik@miljko@Mehdi_IR_DC Personally, the reason I'd chose business class is so that I can lie down and sleep. Vision Pro won't help me with any of that. If I'm going to be awake anyways then it doesn't really matter to me.
Obsessed with the new “make it more” trend on ChatGPT.
You generate an image of something, and then keep asking for it to be MORE.
For example - spicy ramen getting progressively spicier 🔥 (from u/dulipat)
@trishankkarthik I have no position on the h/g vs farmer diet, but I think the Repugnant Conclusion could offer one reason that _if_ h/g was better for individuals it could still be replaced by farming which _if_ worse for indiv. could still result in total higher 'happiness' across the pop.
Very excited to announce work that the https://t.co/JhJ5uLdAjV team has been doing in the past year to enable better C/C++ vulnerability management via OSV-Scanner!
Check out https://t.co/1Sv9EIQ3k3 for details.
Bingo! Signatures are empty attestations, or even Implicit Attestations where the subject and predicate are defined out of band by the context of how the signature was generated.
Explicit is better than implicit in security!