Supply chain security is the newest craze, and I can’t help but find myself also thinking about it. Also, we’re going to Japan!
Vacation Planning
Sienna and I bought our flights for a trip to Japan later this year, meaning we’re officially in vacation planning mode.
I’m in my early 30s and I’ve only left the country once, to Cancun on my high school senior trip. I’ve basically never taken a vacation that wasn’t visiting family or security conferences, neither of which particularly feel like a vacation. So I’m very excited about this trip, and I’m excited I get to share it with Sienna.
If you have any recommendations for an onsen that won’t give me a hard time for my whole upper body being covered in tattoos, please let me know!
Language Dependency Attestation
This week I’ve spent a good bit of time thinking about supply chain security, as a good chunk of the industry is doing. A few weeks ago I was thinking about how it would be interesting to basically run a premium package index for Python, where every package artifact could be cryptographically verified, with transparent build systems and build provenance.
Then I saw Homebrew’s build provenance announcement, and it renewed my interest in the idea. I started working on a Python dependency wishlist, which covers more of my ideas for how to improve the safety and security of Python’s package management systems, and which I’ll hopefully publish in the coming week or two.
Now, I don’t think it’s a good idea to run a business based on adding build provenance and “trust” into a language’s package ecosystem. I don’t doubt that you could get customers, and if you really love build systems and wrangling code that isn’t yours, maybe it would be worth it for you. But morally I don’t like the idea of a business that basically exists to add trust into an open source ecosystem. Why go through all the trouble of making more trustable package distribution only to wall it off from the public that would benefit from it?
On top of my moral quandary, I think the window for selling trust in this market is closing. More and more platforms are moving towards build provenance as a built-in feature, which is fantastic. It’s how it should be. So not only would you have to build all your own build systems for basically every popular Python package out there, but you’d have to do it before the ecosystem catches up. Then you’d have to find ways to stay ahead of the ecosystem.
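To make “cryptographically verified, with build provenance” concrete, here is an added example (mine, not code from the post, from Homebrew, or from any real package index) of what a verifier has to check before trusting an artifact: the attestation names the artifact by digest, records which builder produced it from which source revision, and is signed. The builder URL, the “wheel” bytes and the attestation are all constructed for the demo; HMAC with a shared key stands in for the asymmetric signature a real system would use, so the key-handling is a placeholder while the order of checks is the part worth copying.

```python
"""Verify a package artifact against a minimal build-provenance attestation.

Added illustration only. Shapes a SLSA-style statement: a subject (artifact
name + sha256) and a predicate (who built it, from what source). HMAC is a
stand-in for a real signature; TRUSTED_BUILDERS is a hypothetical policy.
"""
import hashlib
import hmac
import json

# Constructed sample "wheel" bytes; not a real package.
ARTIFACT = b"PK\x03\x04 fake-wheel-contents for demo"
# Hypothetical builder identity the verifier is willing to trust.
TRUSTED_BUILDERS = {"https://github.com/example-org/build-runner"}
# Placeholder for a signing key; a real system would use a public/private pair.
BUILDER_KEY = b"demo-shared-key-not-for-production"


def artifact_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_attestation(data: bytes, builder_id: str, source_uri: str,
                     source_rev: str, key: bytes) -> dict:
    """Builder side: bind the artifact digest to its build metadata and sign."""
    statement = {
        "subject": {"name": "demo_pkg-1.0-py3-none-any.whl",
                    "sha256": artifact_digest(data)},
        "predicate": {"builder_id": builder_id,
                      "source_uri": source_uri,
                      "source_rev": source_rev},
    }
    # Canonical encoding so signer and verifier hash identical bytes.
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "signature": sig}


def verify(data: bytes, envelope: dict, key: bytes, trusted_builders: set) -> tuple:
    """Verifier side. Returns (ok, reason).

    Signature first: no field of the statement is trusted until it is known
    to come from the key holder. Then policy on the builder, then the digest
    binding between the statement and the bytes actually downloaded.
    """
    payload = envelope["payload"].encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["signature"]):
        return False, "signature mismatch"
    statement = json.loads(payload)
    if statement["predicate"]["builder_id"] not in trusted_builders:
        return False, "untrusted builder"
    if not hmac.compare_digest(statement["subject"]["sha256"], artifact_digest(data)):
        return False, "artifact digest does not match attestation subject"
    return True, "ok"


def demo() -> dict:
    """Run the happy path plus the three failure modes a verifier must catch."""
    good = make_attestation(ARTIFACT, "https://github.com/example-org/build-runner",
                            "https://github.com/example-org/demo_pkg", "abc123", BUILDER_KEY)
    tampered_artifact = ARTIFACT + b"\x00backdoor"
    tampered_envelope = dict(good, payload=good["payload"].replace("abc123", "def456"))
    rogue = make_attestation(ARTIFACT, "https://evil.example/builder",
                             "https://github.com/example-org/demo_pkg", "abc123", BUILDER_KEY)
    return {
        "valid": verify(ARTIFACT, good, BUILDER_KEY, TRUSTED_BUILDERS),
        "artifact_tampered": verify(tampered_artifact, good, BUILDER_KEY, TRUSTED_BUILDERS),
        "statement_tampered": verify(ARTIFACT, tampered_envelope, BUILDER_KEY, TRUSTED_BUILDERS),
        "untrusted_builder": verify(ARTIFACT, rogue, BUILDER_KEY, TRUSTED_BUILDERS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The three rejections are the point: a modified artifact fails the digest binding, a modified statement fails the signature, and a validly signed statement from a builder you don’t recognize is still rejected by policy. Today the closest thing most Python users have is hash pinning (`pip install --require-hashes` against a lockfile), which gives you the digest binding but says nothing about who built the artifact or from what source; that gap is what build provenance fills.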
Maybe I’m wrong, maybe this would be a good business to get into. But I can’t see myself doing it, even though I do really enjoy working on build systems.
What I’m Reading
Bruce Lee: Artist of Life
By Bruce Lee, John Little
ISBN: 978-0804832632
I haven’t made any significant progress in reading this week, but I don’t have much left to go until I’m finished with this book.
Interesting Links
- No links this week, I didn’t browse much.
Upcoming Projects
- BSides Las Vegas Talk - Pending feedback on CFP submission. (Due: N/A - Done)
- OWASP Global AppSec Training - (Due: N/A)
- Defcon 32 Call for Artists - Set list is done, most of the application is filled out, just pending writing my bio and getting a promo photo done up. (Due: 2024-06-01)
- Defcon 32 Call For Soundtrack - I’ve submitted my new song “Oh Dade”, produced by Mikal kHill. If it’s accepted, it will debut on the Defcon soundtrack. If it’s not accepted, I will release it the same day I find out it’s not accepted. (Due: N/A - Done)