Episode 93: Dan Lorenc and OSS Supply Chain Security at Google

4 years ago
36 minutes
Podcast
Podcaster
A Podcast by SustainOSS

Description

Guest
Dan Lorenc

Panelists
Eric Berry | Justin Dorfman | Richard Littauer

Show Notes

Hello and welcome to Sustain! The podcast where we talk about sustaining open source for the long haul. Today, we have a very special guest, Dan Lorenc, who is a Staff Software Engineer and the lead for Google’s Open Source Security Team. Dan founded projects like Minikube, Skaffold, TektonCD, and Sigstore. He blogs regularly about supply chain security and serves on the TAC for the OpenSSF. Dan fills us in on how Docker fits into what he’s doing at Google, tells us who’s running the open standards that Docker depends on, and what he’s most excited about for Docker with standardization and in the future. We also learn a little more about a blog post he did recently and what he means by “package managers should become boring,” and he tells us how package managers can help pay maintainers to support their libraries. We learn more about his project Sigstore, and his perspective on the long-term growth of the software industry towards security and how that will change in the next five to ten years. Go ahead and download this episode now to find out much more!

[00:01:09] Dan tells us his background and how he got to where he is today.

[00:03:08] Eric wonders how Docker fits into what Dan is doing at Google and if he can compare Minikube and his work with what the Docker team is trying to drive. He also compares Kubernetes to Docker and how they relate.

[00:06:13] Dan talks about whether he sees a shift of adoption in the sphere of what he’s seeing, and Eric asks if he feels that local development with Docker is devalued a little bit if you don’t use the same Docker configuration for your production deploy.

[00:08:49] Richard wonders whether, in the long term, Dan thinks we’re going to continually keep making Dockers and better Kubernetes, or whether at some point we’re going to decide that the tooling is enough.

[00:10:35] We learn who’s currently running the open standards that Docker depends on, and Dan talks about the different standards.

[00:12:13] Dan shares how he thinks the shift towards open standards, in particular with Docker, influences open source developers in smaller companies, in SMEs, in medium-sized companies, or solo developers out there who may not have the time to get involved in open standards.

[00:13:45] Find out what Dan is really excited about in terms of Docker, with standardization or in the future, that will lead to a more sustainable ecosystem.

[00:15:17] Justin brings up Dan’s blog and a recent post he just did called “In Defense of Package Managers.” In it he mentions that package managers should become boring, so he explains what he means by that.

[00:18:01] Dan discusses how package managers can help pay maintainers to support their libraries.

[00:22:03] Richard asks Dan if he has any thoughts on getting other ways of recognition to maintainers down the stack than just paying them. He mentions things that he loves that GitHub’s been doing recently, showing people their contribution history.

[00:23:46] Find out about Dan’s project Sigstore and what its adoption looks like so far.

[00:26:35] Richard wonders if Dan thinks it’s a good idea to have the ecosystem depend upon a few brilliant people like him doing this work, or if there’s a larger community of people working on security supply chain issues. Also, who are the colleagues he bounces these ideas off of, and how do we eliminate the bus factor here? Dan tells us they have a Slack for Sigstore.

[00:30:03] We learn Dan’s perspective on the long-term growth of the software industry towards security in general, how that will change over the next five to ten years, and how his role and the role of people like him will change.

[00:31:35] Find out all the places you can follow Dan on the internet.

Quotes

[00:10:14] “You kind of move past that single point of failure and single tool shame that’s actually used to manage everything.”

[00:12:44] “So, they kind of helped contribute to the standardization process by proving stuff out by getting to try all the new exciting stuff.”

[00:16:33] “The ‘bullseye’ release actually just went on a couple of days ago which was awesome.”

[00:17:04] “It’s a problem because there’s nobody maintaining, which is a really good topic for sustainability.”

[00:24:46] “But nobody’s doing it for open source, nobody’s signing their code on PyPI or RubyGems even though you can.”

[00:29:50] “These are not the Kim Kardashians of the coding community.”

[00:30:25] “Something that we’ve been constantly reminding, you know, the policy makers wherever we can, is that 80 to 90% of software in use today is open source.”

[00:30:51] “And even if companies can do this work for the software that they produce, if we don’t think of, and don’t take care of, and don’t remember that these same requirements are going to hit open source at the very bottom of the stack, and we’re kind of placing unfunded mandates and burdens on these repositories and maintainers that they didn’t sign up for it.”

[00:31:11] “So we’re really trying to remind everyone that as we increase these security standards, which we should do and we need to do, because software is serious, and people’s lives depend on it.”

Spotlight

[00:32:32] Eric’s spotlight is a game called Incremancer by James Gittins.

[00:33:35] Justin’s spotlight is Visual Studio Live Share.

[00:34:04] Richard’s spotlight is the BibTeX Community.

[00:35:03] Dan’s spotlight is the Debian maintainers.

Links

SustainOSS (https://sustainoss.org/)
SustainOSS Twitter (https://twitter.com/SustainOSS?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
SustainOSS Discourse (https://discourse.sustainoss.org/)
Dan Lorenc Twitter (https://twitter.com/lorenc_dan?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
Dan Lorenc LinkedIn (https://www.linkedin.com/in/danlorenc)
Dan Lorenc Blog (https://dlorenc.medium.com/)
Tekton (https://tekton.dev/)
Minikube (https://minikube.sigs.k8s.io/docs/)
Skaffold (https://skaffold.dev/)
OpenSSF (https://openssf.org/)
Open Container Initiative (https://opencontainers.org/)
Committing to Cloud Native podcast, Episode 20: Taking Open Source Supply Chain Security Seriously with Dan Lorenc (https://podcast.curiefense.io/20)
“In Defense of Package Managers” by Dan Lorenc (https://dlorenc.medium.com/in-defense-of-package-managers-31792111d7b1?)
Open Source Insights (https://deps.dev/)
GitHub repositories: Nebraska users (https://github.com/search?q=location%3Anebraska&type=users)
CHAOSScast podcast (https://podcast.chaoss.community/)
Sigstore (https://www.sigstore.dev/)
RyotaK Twitter (https://twitter.com/ryotkak)
Dustin Ingram Twitter (https://twitter.com/di_codes?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
Incremancer (https://incremancer.gti.nz/)
Visual Studio Live Share (https://visualstudio.microsoft.com/services/live-share/)
Enhanced support for citations on GitHub, Arfon Smith (https://github.blog/2021-08-19-enhanced-support-citations-github/)
Debian (https://www.debian.org/)
Debian “bullseye” Release (https://www.debian.org/releases/bullseye/)

Credits

Produced by Richard Littauer (https://www.burntfen.com/)
Edited by Paul M. Bahr at Peachtree Sound (https://www.peachtreesound.com/)
Show notes by DeAnn Bahr at Peachtree Sound (https://www.peachtreesound.com/)
Special Guest: Dan Lorenc.