We, as an industry, need to pay closer attention to our software supply chain and begin talking about the potential for malevolent players to gain access to the back end of our systems after nothing more than a simple download and compile of the binaries we run.
At the recent San Diego KubeCon, VMware VP and Chief Open Source Officer Dirk Hohndel sat down for a conversation with Swapnil Bhartiya, founder and editor of emerging technology magazine The Fourth Industrial Revolution (TFiR). Their topic: the challenge of securing the open source software supply chain.
Dirk’s contention is that the software supply chain as it currently operates is highly problematic. That goes for the discussion around it, too. While nearly all open source leaders acknowledge the value of security, privacy, and safety, he observes, many are still recommending that we download and run potentially compromised binaries sourced from the Internet.
“This is not just a cloud-native, Docker problem,” Dirk adds, pointing out that it exists “throughout the modern app development environment, whether it’s JavaScript, PyPI or RubyGems, even Homebrew on the Mac.”
Dirk and Swapnil discuss how the issue emerged from a period when people were closer to, and could therefore more reasonably trust, the sources of the code they built on. But what should we be doing today, when supply chains are growing longer and ever more complex? How do we create and share reusable binaries that we can audit? And what can we learn from how second-generation Linux developers have addressed the problem?
Check out the conversation to hear Dirk’s take on best next steps for securing the open source supply chain, how VMware’s acquisition of Bitnami offers a model for creating a marketplace for trustable applications and container images, and why he still keeps active as an open source maintainer.