
Episode 451 - Python security with Seth Larson

Josh and Kurt talk to Seth Larson from the Python Software Foundation about securing the Python ecosystem. Seth is an employee of the PSF and is doing some amazing work. Seth is showing what can be accomplished when we pay open source developers to do some of the tasks a volunteer might consider boring but that are super important work.

Audio: https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_451_Python_security_with_Seth_Larson.mp3

Show Notes: Seth Larson, XKCD PGP Signature, Seth’s Blog, Python and Sigstore, Deprecating PGP - PEP 761, Python SBOMs

October 21, 2024

Episode 428 - GitHub artifact attestation

Josh and Kurt talk about a new way to sign artifacts on GitHub. It’s in beta, it’s not going to be easy to use, and it will have bugs. But that’s all OK. This is how we start. We need infrastructure like this to enable easier-to-use features in the future. Someday, everything will be signed by default.

Audio: https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_428_GitHub_artifact_attestation.mp3

Show Notes: GitHub artifact attestation

May 13, 2024

Episode 329 - Signing (What is it good for)

Josh and Kurt talk about what the actual purpose of signing artifacts is. This is one of those spaces where the chain of custody for signing content is a lot more complicated than it sometimes seems to be. Is delivering software over HTTPS just as good as using a detached signature? How did we end up here, and what do we think the future looks like? This episode will have something for everyone to complain about! ...

June 27, 2022

Episode 286 - Open source supply chain with Google's Dan Lorenc

Josh and Kurt talk to Dan Lorenc from Google about supply chain security. What’s currently going on in this space, and what sort of new things can we look forward to? We discuss Google’s open source use, Project Sigstore, the SLSA framework and more.

Audio: https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_286_Open_source_supply_chain_with_Googles_Dan_Lorenc.mp3

Show Notes: Dan’s Twitter, Sigstore, SLSA Framework

August 30, 2021