Schedule FOSDEM 2020
Continuous Integration and Continuous Deployment

AMENDMENT How secure is your build/server?

a story of packages and trust
UB4.136
Patrick Debois
We have learned that we need to trust others, but as our parents used to say - don’t trust strangers. So we secure our production server more than ever. Yet, there is this no-man's land: “the build server”. We think it’s time to take a closer look at some of the good practices around securing builds & artifacts to improve our day to day level of trust. Please note that this talk replaces one entitled "Safe, gated and integrated GitOps for Kubernetes" that was due to have been given by Mohammed Naser, who unfortunately is now unable to present. We wish him a speedy recovery.

Development has changed over the years, from doing everything yourself to pulling in a third-party package for every function. Operations has changed too: running your own servers is now the exception. To the cloud! We have learned that we need to trust others, but as our parents used to say - don’t trust strangers. So we secure our production server more than ever.

Yet, in the middle sits this no-man's land: “the CI server”. We think it’s time to take a closer look at some of the good practices around securing builds & artifacts to improve our day to day level of trust.

With Mark Sherman's statement “Development is now assembly” in mind, the talk focuses on the package/artifact/repository side, and less on application security inside the code itself or at the OS/machine level.

In this talk I will go into detail on:

How to verify trust of your dependencies: from metadata, binaries, and repositories

How to provide trust to others that build upon your software

How this ties into the concept of “reproducible builds”

How a practical “Software Bill of Material” looks

How the concepts of the “The Update Framework” (TUF) relate

How you can implement secure packaging policies

It will explain these topics using practical code examples from the Node.js and Docker ecosystems. All of this will be presented from the different viewpoints of “dev”, “sec” and “ops”.

Let’s take ownership of our trust; we are already held responsible when things go wrong anyway.

Additional information

Type devroom
