home.social

#slsa — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #slsa, aggregated by home.social.

  1. RE: mastodon.social/@7ASecurity/11

    💪 “urllib3's supply chain posture was described as exceptionally strong, with advanced compliance across SLSA Source, Build, and Provenance requirements. The project maintainers were helpful, responsive, and engaged throughout the audit, ensuring that 7ASecurity had the necessary access and information at all times”

    Excellent work @illiav and @quentinpradet! 👏

    #security #python #opensource #oss #supplychain #slsa

  2. I had to deal a bit with the "Supply-chain Levels for Software Artifacts" (SLSA) "standard":
    slsa.dev/

    IMO it's a joke, since they do not properly deal with threats from "Includ[ing] a vulnerable dependency (library, base image, bundled file, etc.)". They essentially say "A future version of this standard might deal with that":
    slsa.dev/spec/v1.2/threats

    This has been the main entry point of the past supply chain attacks (XZ backdoor, litellm, Shai-Hulud, ...). A supply-chain security standard that doesn't properly deal with vulnerabilities in dependencies completely misses the point. It's like installing alarms on your windows (to catch burglars trying to enter your home through the windows) when your front door doesn't have a lock.

    #SLSA #supplychain #supplychainsecurity #xzbackdoor #ShaiHulud #litellm

  6. Supply Chain Security explained with a coffee machine: why your code tastes bitter

    Hi, Habr! My name is Maxim Knyazev, senior systems engineer at K2 Cybersecurity. Today I want to talk about supply chain attacks using an example that everyone understands and loves. Just imagine ordering an espresso at a trusted coffee shop. Beans from a well-known roaster, an experienced barista, a coffee machine that costs a million. It all seems perfect. But then it turns out that someone added something extra to the beans back at the plantation. It is not your fault, and it is not the coffee shop's fault, but you no longer want to drink it. Exactly the same thing happens in software development, except that here the beans are npm packages. The plantation becomes GitHub, and the suspicious additives are malicious code in a legitimate release. And you find out about the problem not by taste, but from an incident in production. Let's continue this comparison below the cut and work out how not to spoil the components that make up modern cybersecurity.

    habr.com/ru/companies/k2tech/a

    #supply_chain_security #безопасность_цепочки_поставок #sbom #devsecops #open_source #npm #кибербезопасность #уязвимости #slsa #разработка_по

  10. From #ContainerDays London to Barcelona: big thanks to the #DevOps BCN #Meetup for having me!

    I revisited my talk on moving beyond imperative #Docker builds toward #Declarative, #Reproducible and #Secure #OCI #Containers with #Nix:
    Hermetic, network-isolated builds, clearer dependency graphs, better layer reuse across images, and a stronger supply-chain story (#SBOM + #SLSA provenance).

    You can find the slides, transcript and more information at my website: arik-grahl.de/talks/devops-bcn

  11. From #ContainerDays London to Barcelona: big thanks to the #DevOps BCN #Meetup for having me!

    I revisited my talk on moving beyond imperative #Docker builds toward #Declarative, #Reproducible and #Secure #OCI #Containers with #Nix:
    Hermetic, network-isolated builds, clearer dependency graphs, better layer reuse across images, and a stronger supply-chain story (#SBOM + #SLSA provenance).

    Slides, transcript and more information at my website: arik-grahl.de/talks/devops-bcn

    Photography by @robertspang

  12. 🚀 NEW on We ❤️ Open Source 🚀

    Electric sheep need defenders. 🐑🔐 Brett Smith explores how SLSA helps secure the software supply chain, translating EO 14028 into a roadmap for resilient pipelines.

    Read the article: allthingsopen.org/articles/sup

    #WeLoveOpenSource #SLSA #FOSS #Cybersecurity #DevSecOps #PolicyAsCode

  13. 🌟 New OpenSSF Project Spotlight 💃

    In this interview, SLSA Steering Committee member Tom Hennen (Google) breaks down how SLSA is helping organizations strengthen trust across the software supply chain.

    Watch the full Project Spotlight:
    🔗 youtube.com/watch?v=gdYlSuH5Srs

    #OpenSSF #SLSA #OSSSecurity

  14. 🚨 The AI wave is here, and with it comes a new cybersecurity battleground.

    Discover how open source tools like #Sigstore, and #SLSA-based frameworks can help close these gaps and build more resilient AI systems.

    Read the blog and learn how to get involved: openssf.org/blog/2025/08/12/se

  15. New to OpenSSF or thinking about getting involved? We've got you. 💡

    This blog by Ejiro and Sal introduces all our working groups, tools, and projects like #sigstore, #SLSA, and #OpenSSFScorecard.

    Start here 👉 openssf.org/blog/2025/08/08/fr

  16. Join Harsh Thakur (Civo) & Saiyam Pathak (Loft Labs) as they talk about practical steps for achieving #SLSA compliance:

    ✔️ Generating SBOMs & provenance
    ✔️ Keyless attestations with cosign
    ✔️ Hermetic builds with Buildkit

    📍 #SOSSCommunity Day India

  21. 🌈 👩‍⚖️ 👨‍💼 🌈 Very pleased to see this in print! The outcome of research by Steven Vaughan, Ben Weil and me on the experiences of LGBT+/Queer barristers within the heteronormative and masculinist environment of the Bar of England and Wales. What seems to be at stake in being an 'out' professional, how that gets navigated, and what it might cost. The possible forms of Professionalism: Credibility and the performance of queer sexualities among barristers in England and Wales. doi.org/10.1111/jols.12408

    #lgbt #queer #lawyers #barristers #professionalism #lgbthistorymonth #sociolegal #slsa

  22. Wondering whether users of (by ) and (slsa-verifier) would have opinions on how to best make use of these verification tools when downloading binaries for use in container images?

    I started a StackOverflow discussion here with more details, since I'm new to playing around with these toolchains:

    stackoverflow.com/beta/discuss

  23. @dolmen Many systems are based on #bootstrapping and #reproducableBuilds
    bootstrappable.org/
    reproducible-builds.org/
    en.wikipedia.org/wiki/Bootstra

    These ensure that the build system integrity cannot be tampered with. One example of such a system is openbuildservice.org/

    Here's a great read on the topic from #SUSE : documentation.suse.com/sbp/ser

    Generally Supply-chain Levels for Software Artifacts (#SLSA) framework is a great resource on this topic: slsa.dev/ #cybersecurity #infosec

  24. slsa-github-generator v2 now uses upload/download-artifact v4, so I can update those in all the Pallets projects. Turns out the publish workflow for most projects didn't need any changes at all. Only MarkupSafe, with multiple build jobs, needed a little change to use different upload names and combine their downloads. github.com/pallets/markupsafe/ #Python #Flask #MarkupSafe #GitHub #SLSA

  25. To explain, we have #SLSA signatures that verify the build was done automatically by #GitHub as instructed, *and* we have traditional #gpg signatures with private keys only known to maintainer(s) that verify a maintainer actually triggered the build and locally reproduced it…
    Given they both validate, you automatically achieve reproducible builds _and_ #SLSA validity.

    One caveat: This was only easy, because our build process is essentially one command (git archive).

    github.com/PrivateBin/PrivateB

  26. The way this works is, essentially, quite easy: the whole build process is documented in the same repository, builds are automated via CI/CD and all that is, to reach best support, done in an environment that prevents tampering and (crucially) is *out of your control*.

    Then you get #SLSA v3: slsa.dev/get-started#slsa-3 (quite easy with GitHub Actions)

  27. Note on all the #xz drama, there are some technical solutions for such #supplychainattack that can make such an attack way harder, at least to hide the code in tarballs etc.

    slsa.dev/ e.g. is a solution. Combined with reproducible builds, it ensures that a software artifact is built exactly from the source given in a source repository, with the possibility to prove that and no way for any maintainer to tamper with (in the highest level).

    #slsa #infosec #security #linux #backdoor

  28. I've decided to try my hand at speaking at IT Security conferences: I've got one rejected CFP so far, but today I proposed another for BSides Boulder:

    "Preventing SolarWinds 2.0: #SLSA isn't gonna save you".

  29. has finalised the releases of the January updates - jdk 8u402, 11.0.22, 17.0.10 and 21.0.2.
    This is the first JDK21 release to include AIX and Linux/s390x platforms, and the release is build level 3 compliant on Linux and macOS platforms.
    adoptium.net/blog/2024/01/ecli

  30. Beach safety for humans in a more-than-human world
    Have drones at the beach, repel birds

    Beachgoers are warned with large signs of a drone operating at Sawtell beach. The warning posters for the aerial operations state that their rationale is to keep human beings safe. The unmanned aerial vehicle makes an irritating buzzing sound while flying over the heads of beachgoers.

    The beauty of Sawtell beach is usually to share the ambience with shorebirds, birds of prey and little terns. With the loud gadget droning up and down the beach no bird or endangered shorebird was visible or audible. The scarecrow in the sky, the jet skis and car on the sand make sure the beach is just for one species alone.

    Drones are disturbing critically endangered shorebirds in Moreton Bay, creating a domino effect
    theconversation.com/drones-are

    Human safety, The Civil Aviation Safety Authority
    casa.gov.au/knowyourdrone

    Sawtell - Threatened Shorebirds. The Threatened Shorebirds program shares the plight of these incredible shorebirds, including Little terns, Pied oyster catchers and Beach stone curlews
    coffsharbour.nsw.gov.au/Eventb

    #Sawtell #SawtellBeach #UAVs #regulation #drones #gadgets #CASA #SLSA #SurfLifeSaving #safety #IndustrialisedBeaches #birds #Shorebirds #ThreatenedShorebirds #wildlife #ShareTheBeach

  31. If I could pick one software supply chain security thing for people to look at in the new year, it would be the Secure Supply Chain Consumption Framework. It describes in detail how to manage risk associated with software dependencies.

    I consider this more important than SBOMs or SLSA.

    Check it out! github.com/ossf/s2c2f

    #sbom #slsa #s2c2f

  32. My colleague Scott Fryer gave a talk at this year's @EclipseFdn 's on 's secure development practices, what we've done and what we're going to do going forward. It covers , , , binary and keeping a heterogeneous project's infrastructure secure with

    If some of those buzzwords have piqued your interest (or you want to know what they are) checkout his video: youtube.com/watch?v=mpEKUnX84UQ

  33. Looking back on 2022, among other things I will remember this as the year in which I spent a *lot* of time explaining topics like software supply chain security, #SLSA, the NIST #SSDF, etc, to people at other companies whom I would have devoutly hoped, given their jobs/products, would not need me to explain any of it.

  34. I'll start with a talk on #SLSA, #Sigstore and #Kyverno, given by Mohamed Abdennebi (Sfeir).

    I really liked this talk because it *finally* gave me a good presentation of the theory (the different building blocks to put in place to mount a defence against "software supply chain" attacks) but also of the practice, with GitHub Actions workflows and Kyverno policies that can serve as a basis for your own projects.

    youtube.com/watch?v=cWpC96J05g

  35. secure supply chains alone secure software do not make