Welcome to theCUBE's coverage of KubeCon EU 2024, live from Paris, France. Join hosts Savannah Peterson, Dustin Kirkland, and Rob Strechay, as they interview some of the brightest minds in cloud native computing. Coverage of KubeCon CloudNativeCon is brought to you by Red Hat, CNCF, and its ecosystem partners. theCUBE's coverage of KubeCon EU 2024 begins right now. Good afternoon, cloud community, and welcome back to Paris, where we're here at KubeCon CloudNativeCon. My name is Savannah Peterson, joined by my fabulous analyst co-host, Rob Strechay. Rob, day two, mid-afternoon, energy's still high. Very high, and just how the community is coming together around understanding how the supply chain needs to work, and things of that nature, which is so important, especially with security being front and center in so many organizations' minds, but I think it starts with how you understand the assets in there as well, which is great that we are bringing on these guests to have it, yeah. I want to have a little tee-up. Please welcome Feynman and Toddy, thank you so much for being here with us. How's the show going for you guys? Pretty good, thank you. Yeah, you had a big day. You had Azure Day, you've got, the community is buzzing. We're going to be talking about a project specifically. I'm excited. We've talked a lot about the ecosystem, but we haven't really actually dug super deep into some projects, so tell us, get everybody oriented on the Notary Project. Toddy, I'll open with you. Yeah, so Notary Project is actually, what we intend to do is really provide tooling for supply chain security. So we started with containers, right? So right now we can sign containers. We kind of got two releases actually in the last six months. So it took us a while to get to the first release, but now we are actually picking up speed and getting much faster and getting features out.
But we're looking actually to extend this to not only signing, but other functionalities that are very essential for the supply chain security for not only containers, but other software. So we have quite a few features coming up. Ooh, we might have to get you to preview some of those. Oh yeah, certainly. Very curious. Actually, why not? Let's just talk about it. What's on the roadmap? On the roadmap is, first we want to actually start signing other stuff, not only containers, right? So we figured out the container stuff, we want to sign now SBOMs, you've heard of SBOMs. We want to sign normal binaries. Ideally what we would like to do is to also sign our own CLI with Notary. We need to figure out how to bootstrap that, but it's cool, right? The other big thing that we are looking at is really, we started engaging with the in-toto community and looking at how we can incorporate attestations and provide tooling for that. So those are the two big things that we are looking to do over the maybe next six to 12 months. It's an exciting time with the project. Oh yeah. Feynman, how many contributors are on the project? Three. How many contributors are there? There are more than one hundred contributors in total. But actually, we have three major contributors. They come from Microsoft, from Amazon, AWS, from Docker. Yeah. We are- Just a couple brands. Just a couple brands people may have heard of, you know. Yeah, diverse community. Yeah. And we welcome everyone to join us, to engage with the project, to learn and to contribute to the project. What type of contributors are you looking for to come in? People who understand certain aspects of binaries, or what kind of talent are you looking for to come in and help you? We are looking for coders. Yeah. Well, everybody is, right. Everybody else. I can't think of anyone else, thinking of maybe some developers. But do they have a specific background that is helpful to this project, to the Notary Project? No, I was joking.
But yeah, so for example, if you have a background in security, we will actually be very happy to have you. But we are looking, so we are engaged very often with the LFX mentorship program. So, Feynman actually, he drives that. So, writing documentation or making small changes. So, that's been actually pretty great. Why don't you tell us a little bit more about that? Yeah. I mean the- The mentorship program. Yeah, the mentorship program is actually the mentorship program for students. You know, this program was initiated by CNCF, by the Linux Foundation. They set up this program to connect the students with the open source communities and provide the opportunities for students to engage with the community, with the open source projects. So, CNCF and the Linux Foundation will pay for those students and they will get their virtual internship in the open source community. So, it's a win-win project for the open source communities and for the students. That's great. I've got to tell my son who's at ASU getting his comp sci degree that he needs to reach out, because that sounds like a great place to get started and learn so much about how things are built and really get to interact with some people who are doing some wonderful work not only within the communities but at their companies as well. I would assume that that's part of the attraction to that mentorship program. Yeah. And I love it. I'm glad you're giving back. I mean, this community is so collaborative. We're seeing it's government, it's individual contributors, it's large enterprise. Let's talk a little bit about open source and the enterprise adopters of the Notary Project. Certainly, yeah. We can talk from Microsoft's point of view, but we cooperate very well with AWS, which is strange, right? Because how come? We are supposed to be competitors. That's not the case. We are using, actually both companies are using Notary Project as the foundation for their kind of supply chain security.
We are implementing services on top that use actually Notary Project and the library is there to sign, verify. AWS does the same, right? Docker also has a good participation. They are looking, so each company has maybe some differences in how they are implementing it, but the core is the binaries that actually come from the project itself. Our strategy on the Microsoft side is to really provide this as part of Azure. So we would like to have a smooth workflow inside Azure. Ideally, we don't even want the developers to know that this is happening. This should happen behind the scenes, because why do they need to go and constantly say, I need to sign this thing? I need to sign this thing? If that happens behind the scenes, everything will be signed, everything will be secured. It will be less friction and everybody will be happy. Is the Notary Project working with some other projects, like you mentioned, SBOMs? Yeah. We're going to have on the GM from OpenSSF later today. It's actually next. Actually, yeah. Well, actually a good lineup, right? Well, security all afternoon. It's like you're a professional or something. Yes, but so how do you work with these other projects that are maybe doing the SBOMs, when maybe you were talking about signing SBOMs potentially in the future, but when I think of SBOMs and the software bill of materials, I want to understand, has everything in that container been signed and verified? Is that really where the Notary Project comes in? Is it helps with that? Yes. That is actually a good scenario that you're describing. But like other communities that we work with, like ORAS is another community which is in sandbox right now. ORAS initiated all the work around OCI artifacts and Notary built on top of that work. So ORAS and Notary cooperate pretty well, as well as OCI and Notary Project, OCI and ORAS. So it's a very good collaboration between those three communities. Then we have other things like, for example, Harbor.
So Harbor, they incorporated functionality inside their registry to recognize Notary Project signatures and make it more prominent in their UI. So, which kind of adds to the security stuff. We have quite a few other projects that we are, as I mentioned, right now we started engaging with in-toto. We had also some conversations with TUF. I don't know how we will work with them, because we are still kind of in the design phase and understanding what the scenarios are that we want to enable. But yeah, it's been pretty good collaboration and looking for more. Because it would seem like, if I'm going down a path of making deployments, I want to basically know that it's been signed, so maybe I'm a company and I want to make sure that as part of it, to your point, it's transparent, but a non-signed container doesn't get out into my production environment. And I would assume that that's where you're seeing some of the feedback. I mean, even within Microsoft. Yeah, actually I can give another story about recent news. You know, we have been also collaborating with some top cloud providers and also the open source publishers, software publishers. Recently we have been collaborating with Bitnami, which is one of the biggest software publishers on Docker Hub. They recently leveraged Notation to sign and verify container images and OCI artifacts on Docker Hub to make sure the users are able to verify the integrity and authenticity of the software. I think this is very similar to the website users who want to verify the website trust and the source of the website via the HTTPS certificate, the CA certificate. This is how Notation provides the value to those software publishers. Yeah, I'll give you another place I think you can go with this, and we've, because AI is so prominent. You're just full of ideas today, I love it. If you look at being able, I know I'm full of ideas. I'm just going to throw out stuff. I'm just going to hang out today, this is awesome.
But going and signing actual models, because as more come in and knowing where they came from and attestation and all of that, seems like it could be at a good place longer term as well. Are you seeing people trying to push down that route? Yes, actually we are seeing people signing AI models is the new kid on the block, like everybody's doing it, but they want to sign everything, like we have, for example, teams, they want to sign scripts, they want to sign, in Microsoft, we have the PowerShell team approaching us, can we sign the PowerShell modules with Notary Project, all these things. Coming back to your question about verifying, another project that we collaborated pretty well with was Kyverno, and yesterday we did a very cool demo, actually, how you can sign with a commercial product, like Venafi, and verify with an open source product, like our project, like Kyverno, so that worked very smoothly together. Go ahead. We just kind of talked about it a little bit, but I'm curious what some of the other software supply chain trends you might be seeing are, because there's obviously a lot of different companies engaging with the Notary Project. The trends, one of the things that I think will be big is really the attestation work, and we're really happy that actually we have this kind of work that we are starting with in-toto. We have a lot of customers asking us about attestations, they want actually, for anything that has happened with, let's say, a piece of software when it goes through the whole supply chain, they would like to say, okay, at this point, I have an attestation. That's the one thing, the next thing that comes is, everybody wants to know, yeah, now I will create these attestations, but how do I know what is happening? Can I go and query somewhere?
So if you think about, let's say, GUAC, for example, as another open source project, how can we use GUAC to go and query all the attestations that we are creating constantly as part of the supply chain, so those are the things that we see when we talk with customers. So I'm impressed because you guys are working with a lot of other projects. What would be your advice to other projects that are out there on how they can cooperate? Because one of the things I see is there's a lot of overlap or partial overlap in some projects, and some projects don't necessarily talk to each other. What would your advice be to other projects when they're seeing, so they don't reinvent the wheel in their own way? Any thoughts, Feynman, or? I think, you know, at Notary Project, we not only deliver the CLI tools, we also have the extensibility for the tools, for the libraries, so for those organizations, enterprises, and open source communities, I would suggest that they can consider how they can leverage the existing capabilities, especially the plug-in framework that we delivered in the industry, in the community, and how they can leverage the framework to extend the signing and verification capabilities and integrate with their ecosystem. Then they should not, they do not need to reinvent the wheel. Yeah, Kevin? No, it makes sense. I think because you said you built off the sandbox, I can't remember which one it was. ORAS, ORAS, yeah. And I look at that and I say that's impressive, because I think, again, you're in incubation, they're in sandbox, so when do you think you get to graduate it?
Oh, that's actually, we're looking forward to that because we just actually started counting of how many, for example, adopters we have, and we were impressed because we didn't know about some of them, and now we met people here on the floor, and they're like, oh, I tried that, and I plan to use it, which like, we didn't know about that, so that is actually, we may graduate faster than we think, but we are hoping maybe in about a year, year and a half that we have enough actually momentum that we can apply for graduation. Yeah. That's so exciting. Yes, it is. All right, that brings us to our final question. I'm going to ask both of you. Feynman, I'll start with you. What do you hope, next time we have you on the show, what do you hope you can say that you can't say today about the project or in general, about the ecosystem? I would say graduation. Yeah, I had a feeling that might be the case, but yeah. Yeah, what was my vision is that I would expect most of the enterprise and open source communities can leverage the tool and extend their software supply chain security by leveraging the framework that Notary Project provides to the industry. So I would expect more and more contributors, especially those enterprise-level contributors, join the community and help us and collaborate with us to move the project maturity way forward and finally make it be a sense of incubating project. I love it. Anything to add, Toddy? I would like actually to be here with a customer who can tell us how they can use, like, all of those names and projects that we mentioned today and implement their supply chain. So that will be my wish for next time. We're here for it. We look forward to welcoming you both back. Thank you so much for being on the show with us today. It's absolutely fantastic. Rob, wonderful questions as always. Just throwing out ideas. You're the rainmaker over here. I love it. It's fantastic.
And thank all of you for tuning in to our coverage here in Paris at KubeCon CloudNativeCon. My name's Savannah Peterson. You're watching theCUBE, the leading source for enterprise tech news.