Hi, this is your host BlinBhartia, and we are here at Open Source Summit in Vancouver. Today we have with us Billy Lynch, software engineer at Chainguard. Billy, it's great to have you on the show.

Yeah, thank you. Happy to join.

First of all, let's talk about your involvement with the Continuous Delivery Foundation, or Chainguard's involvement with these foundations.

At Chainguard we do a bunch of different software supply chain security work; our goal is to make the software supply chain secure by default. So we've been super involved with a few CDF projects, namely Tekton, over the years. I am on the governing board for Tekton as well as a maintainer for Tekton Chains, and I'm just generally involved in the Tekton project.

The Continuous Delivery Foundation recently announced that Sigstore support for Tekton is exiting the experimental phase. What does that mean, not only for the project but also for the community?

I'm also a maintainer on some Sigstore projects, so I help maintain the gitsign project as well as make contributions to other Sigstore projects. So I'm in an interesting position where I am both involved in Tekton and involved in Sigstore, and there's a very natural relationship in joining those together. We've been seeing a ton of adoption of Sigstore in open source communities. GitHub just announced npm provenance recently, and that's going into public beta. PyPI supports signing Python packages with Sigstore. Sigstore itself has provided the cosign tool for container signing. So being able to bring the benefits of Sigstore and artifact signing into Tekton as part of our software supply chain story, in order to have verifiable provenance, is a great feature for Tekton and also just another great example of seeing Sigstore out in the wild.

Can you talk about what is driving this adoption? Because Kubernetes and all those folks are also embracing it.

Yeah, I think there's been a huge focus on software supply chain security in recent years, especially after Log4j and all of that. Part of the challenge is that when we have our software artifacts, it's very hard to answer the question of where they came from and how they were built, so that we can then answer the question of whether we're vulnerable to a particular library or version or things like that. So half of the problem is that we just don't have that data available in many cases today. What we're seeing with a lot of this effort around build provenance and artifact provenance is being able to have that metadata and have it be cryptographically signed, so we can have trust in where it comes from. That's really where Chains tries to make its impact: our build processes say they produce these artifacts, but how were they produced? Chains ties that together with a signature that links the artifact back to the individual build execution itself.

Since we are talking about open source supply chain security, we started talking about it a couple of years ago when the Biden administration came up with the executive order, and a lot of other initiatives also happened. Of course, all those vulnerabilities also happened. Where are we today? Are we still in the early phase of education and awareness, or are we in the phase where companies understand it and just need help with the tooling or the cultural change?

I think people are aware of the problem, but putting it into practice is still a bit of a challenge for a lot of people, because you see a lot of scanning tools that will generate SBOMs, but then the question is how accurate they are. So being able to integrate SBOMs and their generation into the broader ecosystem, I think, is largely important, and we're definitely trying to push the needle at Chainguard as well.

What are your thoughts on the modern tech stack? With all the cloud-oriented technologies, things are already getting very complicated and very complex, and when you're adding more tools, you realize that a lot of companies are wasting a lot of resources on plumbing rather than adding value to their businesses. So do you feel that this complexity affects security? Or do you think that complexity is part of it, you have to figure out a way, because complexity is not going to go away, but we have to help companies by lowering the barrier of entry so they can happily embrace these technologies?

I think if we do things well, a lot of these security tools and a lot of this information just become a sort of invisible layer. It's the classic infrastructure problem: if you're doing your job well, no one notices. And that's where I would love to get to. I think that's one of the things I really like and appreciate about Sigstore: we want to lower that barrier of entry for signing. Some of the challenges we've seen with signing with keys are how you make sure that everyone is protecting their keys properly, making sure they're encrypted and rotated, keeping track of them, knowing when they're used, and handling revocation. One of the really nice things about Sigstore and keyless signing is that you remove some of that complexity around having to do that management, and automate it away. So I think more solutions in that direction, where we can lower that barrier of entry and make it simpler, and people don't need to think about these things. I think we are making progress towards that, and I think that's a trend that will probably continue.

Since we are talking about the challenges that organizations face, the tools are there, but sometimes the tools themselves are not enough; you also need to have the right culture within organizations. So what advice do you have for organizations so they can improve their security posture, better leverage the tools, and also the resources, which could be the human resources, available to them?

I think with Sigstore we're seeing a ton of tooling just out of the box supporting different aspects of the supply chain. You see things like cosign and gitsign that users can use themselves to start signing their artifacts. Also in Sigstore there are things like policy controller that allow you to define policies on the things you actually sign. It's not enough to just sign things and then see if there's a signature; you also want to have policy enforcement to say, are these things coming from the places I expect? Are they being signed by the identities I want them to be signed by? So I think there's a little bit of developer education: what tools are available, things like that. And then you also have things like Chains that will try to just automate this. Chains is something that watches your Tekton pipelines and will generate that provenance automatically for you. So the idea is that maybe as a cluster administrator or operator you are aware of that and care about that, but if all you're doing is running builds, that's just something that happens under the hood and you get for free. And I think as more ecosystems and tooling adopt these processes.

Yeah, I think it's great to know that they're there and to take advantage of them, because I know personally I've actually used Tekton provenance. Tekton itself signs all of our releases with Sigstore, and we have the full build provenance. I've actually used that myself to go back and ask: what actually happened for this build? How was it built? Where was it built from? What were the dependencies? So it's always there if you need to access it and get more data, but nine times out of ten it's just extra metadata that only the tooling really cares about.

Billy, thank you so much for taking time out today and sitting down with me, and of course for talking about Tekton and Sigstore and where the projects are heading. Thanks for sharing those insights. I would love to have you back on the show whenever there is an update in these projects.

Yeah, I'd be glad to. Thank you.