In-person + Virtual
18-21 April


Friday, April 21 • 14:55 - 15:30
Building SLSA 3 Conformant Attestors for Artifacts Generated on GitHub - Ian Lewis & Asra Ali, Google



Supply-chain Levels for Software Artifacts, or SLSA (pronounced "salsa"), is a security framework for reasoning about and improving the integrity of released artifacts. SLSA (slsa.dev) is seeing increased adoption, both from industry and from open source projects. Besides released artifacts, SLSA provenance attestations may also be generated for other types of "artifacts", such as vulnerability scanner results, SBOMs, etc. This allows the generation of trustworthy supply-chain metadata about arbitrary artifacts. Implementing a SLSA-compliant attestor is, however, hard work, and requires expertise in both SLSA and the underlying platform used to build it. Come to this talk to learn about a recent extension of the SLSA framework that allows you to wrap existing tools (in the form of a binary, a GitHub Action or a container) into a SLSA-compliant attestor with minimal effort. We will show how SLSA builders for several package managers, such as npm and Maven, are implemented with this framework. We will also report the lessons learned and the challenges we faced, in the hope that it will help others in the field. At the end of this talk, attendees will have enough background to make their tool attest to its output using SLSA provenance.

Speakers

Ian Lewis

Software Engineer, Google
Ian is an engineer at Google working on Supply Chain Security. Ian has been living in Tokyo since 2006 and has had various developer and operations roles throughout his career while staying active in the open-source developer community. Ian is a contributor to the SLSA framework and...

Asra Ali

Senior Software Engineer, Google
Asra is a Software Engineer on the Google Open Source Security Team (GOSST), where she works on projects like Sigstore. She's a maintainer of Sigstore's Rekor and of The Update Framework's go-tuf implementation. Previously, she worked on Envoy, fuzzing, and privacy-preserving...


Friday April 21, 2023 14:55 - 15:30 CEST
In Virtual Platform
  Security + Identity