VMware OSPO Out and About: Looking Back at 2022

At long last: A year that felt closer to “normal.” In 2022, we took the first tentative steps into in-person conferences, taking selective advantage of eased travel and social restrictions to reconnect with the open source community and our VMware colleagues around the world. We still had plenty of people join us virtually, but it was so nice seeing everyone again!

In case you missed them (or if you weren’t able to attend your favorite open source and open source-adjacent conference this year), here’s a roundup of some of our team’s talks in 2022.

Peeling Back the Layers of Storage

Open Source Summit North America 2022

Better known to some as Warthog9, John Hawley talks through everything you need to know about storage, from hard storage to its most complex (and various) layers. Storage is easy to understand conceptually but very complicated to fully grasp. This presentation breaks down the “black magic” of storage in a topic that John presents again and again because of its importance.

What Makes a Build Reproducible?

Open Source Summit North America 2022

Reproducibility is just good engineering practice. Rose Judge and Joshua Lock make the case for ensuring reproducibility in their talk. With attacks on the software supply chain surging, developers should pay even more attention to defending against supply chain compromise. In this engaging presentation, Rose and Joshua define the three main interpretations of reproducibility to help guide you.

Firsthand Stories from Maintainers

GitHub/OpenSearch Maintainer Month

Rose Judge, a senior open source engineer, joined a panel discussion where the speakers shared their experiences as maintainers. For example, being an open source maintainer sometimes means stepping outside of GitHub and becoming a networker and a handshaker at conferences to drum up excitement about your project.

Work in Progress: Implementing PEP 458 to Secure PyPI Downloads

EuroPython 2022

EuroPython is a conference all about Python and celebrating its community. Kairo de Araujo shares the podium with Lukas Pühringer from NYU and discusses various topics around PEP 458, including package distribution and how to secure it to the update framework, Warehouse (the software that powers PyPI) and the integration journey.

How to Build Trustworthy AI with Open Source

Open Source Summit EU 2022

Open source engineers Diana Atanasova and Teodora Sechkova define trustworthy AI and discuss how it functions in practice. Now that AI has left the laboratory and is in use across industries and around the world, the stakes are higher than ever to build mature and trustworthy AI systems. Developers must follow principles like trusted AI, responsible AI, ethical AI and trustworthy AI to insert accountability into the machine lifecycle and improve the overall system. Check out this playback of their talk for a demo of an existing trusted AI ecosystem on an open source project.

Composing the Ultimate SBOM

Open Source Summit EU 2022

A software bill of materials is a well-known method of tracking vulnerabilities in open source software projects; however, many developers are using SBOMs inefficiently. Ideally, you should create SBOMs at the micro-level instead of inventorying software post-build. Security holes can spring at any component, so a sum-of-parts approach comprising multiple micro-SBOMs combined into a high-level SBOM is best practice. Sound confusing? Don’t worry! In this talk, Ivana Atanasova and Velichka Atanasova explain the holes of a post-build scan and demo the tools that can assist in the more thorough micro-SBOM method.

Secure Python Packaging & Release Using Continuous Deployment

Open Source Summit EU 2022

In this tutorial, Martin Vrachev demos common continuous deployment systems to release a Python project securely and easily. A Python open source packaging release is not always an organized and secure process. For instance, malicious actors can release malware on a maintainer’s account shockingly easily. Martin and his fellow presenter cover GitHub, Gitlab and Sigstore security features, emphasize the importance of build reproducibility, and demonstrate setting up PyPI automated deployment.

No Keys? No Problem: Why You Can Trust Sigstore Signatures

SigstoreCon North America

Sigstore is a free, transparent and community-operated code signing service. And it’s secure, too? Joshua Lock and his presentation partners describe how open source contributors must protect Sigstore’s public infrastructure to make a future with keyless signing a reality. Keyless signing is a boon to software supply chain security, an area currently under intense scrutiny. To show Sigstore in action, this talk also includes a demo that mimics a real-life compromise of critical components.

2022 Kubeflow User Survey

Kubeflow Summit 2022

Short on time but interested in hearing your Kubernetes peers’ thoughts on the community and Kubeflow software? In just 10 minutes, Anna Jung will break it all down for you and compare the results of this year’s Kubeflow User Survey with last year’s conclusions. Overall, Kubeflow is continuously evolving, and it’s our collective responsibility as a community to continually grow and improve it.

Cheers to 2023!

VMware open source engineers and contributors were busy this year and it was a pleasure to reconnect. We also got to know each other a bit better and learn more about how some of us got to this stage in our careers, what makes us tick and what makes us excited to run to our desks and contribute to the community every day.

Are you curious about where VMware will go in 2023? Rest assured that community will always be at the center of our efforts.

We can’t wait to see what we invent together next year!

Stay tuned to the Open Source Blog and follow us on Twitter for more deep dives into the world of open source contributing.


Leave a Reply

Your email address will not be published.