xz: 🔓Supply Chain Security is Still Hard: CNDO #58

Newsletter

On this week's stream, Chainguard joins us to help build better base container images. Can we create images with *zero* CVEs?
🗓️ What's new this week

For months, we've been planning to have the Chainguard team back on the show to discuss their progress in making better base images with zero CVEs. Then, over the weekend, we learned that a social-engineering campaign had compromised XZ Utils, a small but widely depended-on compression utility, and that the tampered versions had reached multiple Linux distros (overview via the Verge).

It's an understatement to say this is a great week to have software supply chain security experts on the show.

We still don't know who added the rogue code, who they worked for, or how to prevent this type of supply chain attack in the future. Ars Technica has a detailed breakdown.

Luckily, none of us run the beta or bleeding-edge versions of Fedora, Debian, and a few other distros that were affected, since those aren't typically used as production servers... right? 😏

🔴 Live show: Building Secure Container Images

What does it take to build secure, minimal container images? Why is this important for your underlying software stack? Dan Lorenc from Chainguard will join you, me, and Nirmal to walk us through Chainguard's approach to building secure, minimal container images for popular open source applications, languages, and libraries, and how this approach helps developers get back to doing what they do best (BUILD) by removing the pesky pain of CVEs, laggy software updates and patches, and more. Also now available on Docker Hub.

Building Secure Container Images (Ep 261)

Click the dinner bell 🔔 to get your reminder. You can also add it to your calendar here.

👀 In case you missed last week's newsletter

Did you miss last week's newsletter? Read it here.