Date: Wed, 30 Mar 2022 02:31:52 +0000
<p>When is it safe to run software? When is it safe to drink orange juice? Are we a better judge of one or the other? <a href="https://twitter.com/torresariass">Santiago Torres-Arias</a> is an Assistant Professor at Purdue University, the team lead of the <a href="https://in-toto.io/">in-toto</a> project, and a contributor to <a href="https://theupdateframework.io/">The Update Framework</a>. He joins <a href="https://kubernetespodcast.com/about">Craig</a> to talk security in both physical and software supply chains.</p> <p>Do you have something cool to share? Some questions? Let us know:</p> <ul> <li>web: <a href="https://kubernetespodcast.com">kubernetespodcast.com</a></li> <li>mail: <a href="mailto:kubernetespodcast@google.com">kubernetespodcast@google.com</a></li> <li>twitter: <a href="https://twitter.com/kubernetespod">@kubernetespod</a></li> </ul> <h3 id="chatter-of-the-week">Chatter of the week</h3> <ul> <li><a href="https://en.wikipedia.org/wiki/Don%27t_Forget_the_Lyrics!_(American_game_show)"> Don’t Forget The Lyrics</a></li> <li><a href="https://www.youtube.com/watch?v=3JcmQONgXJM">Gettin’ Jiggy Wit It</a></li> <li><a href="https://genius.com/Will-smith-gettin-jiggy-wit-it-lyrics">Explained on Genius</a></li> <li><a href="https://www.reddit.com/r/TopGear/comments/5zkcs3/my_alltime_favorite_moment_clarkson_destroys_big/"> Will Smith on Top Gear</a></li> <li><a href="https://www.youtube.com/watch?v=myjEoDypUD8">The Oscars thing</a> (CW: violence, cuss words that Will Smith didn’t used to have to rap to sell records)</li> <li><a href="https://www.youtube.com/watch?v=NDN5PD00CpQ">He’s The Greatest Dancer</a> by Sister Sledge; written by Bernard Edwards and Nile Rodgers of Chic</li> </ul> <h3 id="news-of-the-week">News of the week</h3> <ul> <li><a href="https://blogs.cisco.com/datacenter/cisco-accelerates-hybrid-cloud-operations-with-innovations-from-intersight-hyperflex-and-ucs-x-series?oid=pstcsm028767"> New Cisco Intersight Kubernetes features</a></li> <li><a href="https://cloud.redhat.com/blog/introducing-red-hat-openshift-4.10">Red Hat OpenShift v4.10</a></li> <li><a href="https://harness.io/blog/news/chaosnative-is-joining-harness/">ChaosNative acquired by Harness</a></li> <li><a href="https://playfab.github.io/thundernetes/">Azure PlayFab launches Thundernetes</a> <ul> <li><a href="https://kubernetespodcast.com/episode/026-agones/">Episode 26, with Cyril Tovena and Mark Mandel</a></li> <li><a href="https://news.ycombinator.com/item?id=30811847">Hacker News commentary</a></li> </ul> </li> <li><a href="https://www.weave.works/blog/march-release-2022-03-trusted-delivery"> Weave GitOps v2022-03</a></li> <li><a href="https://qumulo.com/blog/qumulo-for-kubernetes/">Qumulo for Kubernetes</a></li> <li><a href="https://www.spectrocloud.com/news/spectro-cloud-closes-40m-series-b-round/"> SpectroCloud raises $40m</a></li> <li><a href="https://medium.com/pinterest-engineering/99-to-99-9-slo-high-performance-kubernetes-control-plane-at-pinterest-894bc8a964f9"> Pinterest: 99% to 99.9% SLO, high performance control plane</a></li> <li><a href="https://eng.uber.com/avoiding-cpu-throttling-in-a-containerized-environment/"> Uber: Avoiding CPU throttling in a containerized environment</a></li> </ul> <h3 id="links-from-the-interview">Links from the interview</h3> <ul> <li><a href="https://in-toto.io/">in-toto</a></li> <li><a href="https://theupdateframework.io/">The Update Framework</a></li> <li><a href="https://purdue.edu/">Purdue University</a> <ul> <li><a href="https://engineering.purdue.edu/ECE">Elmore Family School of Electrical and Computer Engineering</a></li> <li><a href="https://en.wikipedia.org/wiki/Purdue_Boilermakers">Purdue Boilermakers</a></li> <li><a href="https://engineering.purdue.edu/ECE/Academics/Undergraduates/UGO/CourseInfo/courseInfo?courseid=783&show=true&type=undergrad"> Open Source Software Senior Design Projects</a></li> </ul> </li> <li><a href="https://nyu.edu">NYU</a> <ul> <li><a href="https://engineering.nyu.edu/">Tandon School of Engineering</a></li> <li><a href="https://engineering.nyu.edu/faculty/justin-cappos">Justin Cappos</a></li> </ul> </li> <li><a href="https://pph.io/">PolyPasswordHasher</a></li> <li><a href="https://kubernetespodcast.com/episode/155-software-supply-chain-security/"> Episode 155, with Priya Wadhwa</a></li> <li><a href="https://wiki.debian.org/SecureApt">apt-secure for Debian packages</a></li> <li><a href="https://web.archive.org/web/20061208190156/http://www.keysigning.org/event/lca2006"> A keysigning</a> and <a href="https://pgp.mit.edu/pks/lookup?op=vindex&search=0x9AE9B6E4DBF5ED67"> a signed PGP key</a></li> <li><a href="https://dl.acm.org/doi/10.5555/3361338.3361435">Farm to table attestation</a></li> <li><a href="http://www.luckysod.co.nz/farmcode.html">Potato tracking</a></li> <li><a href="https://www.cdc.gov/ecoli/2018/o157h7-11-18/index.html">An example of E. coli in lettuce</a></li> <li><a href="https://in-toto.readthedocs.io/en/latest/command-line-tools/in-toto-record.html"> in-toto record</a></li> <li><a href="https://www.youtube.com/watch?v=1-tMRxqMwTQ">Project Trebuchet: How SolarWinds is Using Open Source to Secure Their Supply Chain in the Wake of the Sunburst Hack</a> by Trevor Rosen, Solarwinds</li> <li><a href="https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf"> Reflections on Trusting Trust</a> by Ken Thompson</li> <li><a href="https://www.datadoghq.com/blog/engineering/secure-publication-of-datadog-agent-integrations-with-tuf-and-in-toto/"> Secure Publication of Datadog Agent Integrations with TUF and in-toto</a></li> <li><a href="https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/"> US Executive Order on Improving the Nation’s Cybersecurity</a></li> <li><a href="https://www.whitehouse.gov/briefing-room/statements-releases/2022/01/13/readout-of-white-house-meeting-on-software-security/"> Readout of White House Meeting on Software Security</a></li> <li><a href="https://sigstore.dev">sigstore</a> <ul> <li><a href="https://blog.sigstore.dev/celebrating-1-000-000-entries-in-rekor-1950b7c150df"> in-toto is the second most used format for sigstore</a></li> </ul> </li> <li><a href="https://spiffe.io/">SPIFFE</a></li> <li><a href="https://slsa.dev/">SLSA</a></li> <li><a href="https://www.cncf.io/blog/2022/03/10/supply-chain-security-project-in-toto-moves-to-the-cncf-incubator/"> in-toto moves to incubation in the CNCF</a></li> <li><a href="https://blog.cloudflare.com/introducing-cfssl/">CFSSL</a></li> <li><a href="https://en.wikipedia.org/wiki/Math_rock">Math rock</a> <ul> <li><a href="https://www.youtube.com/watch?v=kCYVefhsjH0">Covet: “falkor”</a></li> <li><a href="https://www.youtube.com/watch?v=HVREIahLfp8">TTNG: +3 Awesomeness Repels Water</a></li> </ul> </li> <li><a href="https://www.birdoftheyear.org.nz/">Bird of the Year</a> <ul> <li><a href="https://www.birdoftheyear.org.nz/kea">The kea</a></li> <li><a href="https://www.youtube.com/watch?v=fBdvRCkCNfo">Breaking a police car</a></li> </ul> </li> <li><a href="https://twitter.com/torresariass">Santiago Torres-Arias</a> on Twitter and at <a href="https://badhomb.re/">badhomb.re</a></li> </ul>