in-toto, with Santiago Torres-Arias

Kubernetes Podcast from Google

When is it safe to run software? When is it safe to drink orange juice? Are we a better judge of one or the other? Santiago Torres-Arias is an Assistant Professor at Purdue University, the team lead of the in-toto project, and a contributor to The Update Framework. He joins Craig to talk security in both physical and software supply chains.

Do you have something cool to share? Some questions? Let us know:

  • web: kubernetespodcast.com
  • mail: kubernetespodcast@google.com
  • twitter: @kubernetespod
Chatter of the week
  • Don’t Forget The Lyrics
  • Gettin’ Jiggy Wit It
  • Explained on Genius
  • Will Smith on Top Gear
  • The Oscars thing (CW: violence, cuss words that Will Smith didn’t used to have to rap to sell records)
  • He’s The Greatest Dancer by Sister Sledge; written by Bernard Edwards and Nile Rodgers of Chic
News of the week
  • New Cisco Intersight Kubernetes features
  • Red Hat OpenShift v4.10
  • ChaosNative acquired by Harness
  • Azure PlayFab launches Thundernetes
    • Episode 26, with Cyril Tovena and Mark Mandel
    • Hacker News commentary
  • Weave GitOps v2022-03
  • Qumulo for Kubernetes
  • SpectroCloud raises $40m
  • Pinterest: 99% to 99.9% SLO, high performance control plane
  • Uber: Avoiding CPU throttling in a containerized environment
Links from the interview
  • in-toto
  • The Update Framework
  • Purdue University
    • Elmore Family School of Electrical and Computer Engineering
    • Purdue Boilermakers
    • Open Source Software Senior Design Projects
  • NYU
    • Tandon School of Engineering
    • Justin Cappos
  • PolyPasswordHasher
  • Episode 155, with Priya Wadhwa
  • apt-secure for Debian packages
  • A keysigning and a signed PGP key
  • Farm to table attestation
  • Potato tracking
  • An example of E. coli in lettuce
  • in-toto record
  • Project Trebuchet: How SolarWinds is Using Open Source to Secure Their Supply Chain in the Wake of the Sunburst Hack by Trevor Rosen, SolarWinds
  • Reflections on Trusting Trust by Ken Thompson
  • Secure Publication of Datadog Agent Integrations with TUF and in-toto
  • US Executive Order on Improving the Nation’s Cybersecurity
  • Readout of White House Meeting on Software Security
  • sigstore
    • in-toto is the second most used format for sigstore
  • SPIFFE
  • SLSA
  • in-toto moves to incubation in the CNCF
  • CFSSL
  • Math rock
    • Covet: “falkor”
    • TTNG: +3 Awesomeness Repels Water
  • Bird of the Year
    • The kea
    • Breaking a police car
  • Santiago Torres-Arias on Twitter and at badhomb.re
