xz: 🔓Supply Chain Security is Still Hard: CNDO #58
🗓️ What's new this week
For months, we've been planning to have the Chainguard team back on the show to discuss their progress in making better base images with zero CVEs. Then, over the weekend, we learned that social engineering compromised a small but powerful utility called XZ Utils in multiple Linux distros (overview via the Verge).
It's an understatement to say this is a great week to have software supply chain security experts on the show.
We still don't know who added the rogue code, who they worked for, or how to prevent this type of supply chain attack in the future. Ars Technica has a detailed breakdown.
Luckily, we don't typically run the beta or bleeding-edge versions of Fedora, Debian, and a few other distros, which aren't usually used as production servers... right? 😏
🔴 Live show: Building Secure Container Images
What does it take to build secure, minimal container images? Why is this important for your underlying software stack? Dan Lorenc from Chainguard will join you, me, and Nirmal to walk us through Chainguard's approach to building secure, minimal container images for popular open source software applications, languages, and libraries, and how this approach helps developers get back to doing what they do best (BUILD) by removing the pesky pain of CVEs, laggy software updates and patches, and more. Also now available on Docker Hub.
Click the dinner bell 🔔 to get your reminder. You can also add it to your calendar here.
👀 In case you missed last week's newsletter
Did you miss last week's newsletter? Read it here.