Hey everyone, we're back. What a great day this has been for us here at the Linux Foundation Open Source Summit in Austin, and I couldn't think of a better person to end our day with than my friend Stephen Chin. Stephen is, of course, with JFrog. He wears a lot of hats over there, but today we're going to talk specifically about an open source project that Stephen has been shepherding. Is that a good word?

Yeah, I mean, it's my bad idea, so I take responsibility, for good or bad.

He's taking responsibility, and that's not a bad thing. The name of the project is on his shirt here. It's called Pyrsia. So it's not Persia, it's Pyrsia. And Stephen, let's start there: what is Pyrsia about?

So I think the question is why Pyrsia. Why...

Before we get to why Pyrsia, I think it's what Pyrsia.

Okay, let's do what, and we'll quickly go into why. So what we're building with Pyrsia is a decentralized package repository that will essentially give you all the capabilities you're used to getting from Docker Hub, from Maven Central, from PyPI, from npm, but in a vendor-neutral, decentralized infrastructure. Also, you can rely upon it having a very high level of security, because we're building everything from source, which we provide to the end users.

I love this idea. Why did it take so long?

It's a hard problem.

Yeah, no, it is a hard problem. Right, but we've built plenty of repositories.

Yeah, so I think one of the things we all know from working in DevOps and the repository space is that there are dozens of different integrations with upstream languages, technologies, and package managers, and they're all very specific to the language. They have different benefits.
They have different ways of approaching immutability, versioning, and how you handle conflicts with upstream dependencies. And while it's great that we have all this unique infrastructure, it makes it very hard to have a high level of security and to evolve the ecosystem. And frankly, a lot of the package managers which have been around for a long time suffer from some inherent security risks, which you take on just by using them and the central repositories which they rely upon.

So I've got two comments, thoughts, and I'd like your thoughts on this. Number one: I've wondered for a long time why we wouldn't have one repo to rule them all. Why do we need this United Nations of repos for every damn language? Even, with all due respect, even within JFrog, every year I go to swampUP or one of the other events, and we're just announcing Artifactory for Go, Artifactory for this language, Artifactory for... Why can't we have one repository to rule them all?

Yeah, so I think it's an interesting problem. So for example, Artifactory: one of the things which we're known for is being the Switzerland of DevOps.

Yep.

So Artifactory speaks every repository manager, every different format. There's over 30 different formats. We just announced binary Swift protocol support. It's very, very hard work to build something which integrates across different languages and different ecosystems, and to understand all these different domains and do it well. And I think that's one of the problems we're trying to solve with Pyrsia. It's not just a JFrog project. We're collaborating with Docker, we're collaborating with Oracle, we're collaborating with DeployHub and Futurewei and Huawei. So we have a wide and growing set of companies which are contributing to the project, and we all have our own goals in terms of the languages, ecosystems, platforms, and secure build technologies
which we're bringing to the table. But I think when we do this together as companies and we build a decentralized infrastructure on technologies which are next-generation, Web 3.0, and scalable, then this really helps us to solve the problem and to fundamentally secure this critical piece of infrastructure for open source.

So look, when I hear you talking about multiple companies being involved, to me this is crying out for a foundation. So what's been the thought around making Pyrsia a part of a foundation?

Yeah, so I think that obviously, when you have an open source project like this, we want it to be a full open source stack, we want it to be vendor neutral, and a great place for this is the Linux Foundation in general. I mean, the Linux Foundation does a great job of this; you can see this with the number of vendors involved in CNCF and involved in all the other efforts which they have. And I think where we were kind of landing with Pyrsia is that a big part of our focus, and the current phase two infrastructure we're building, is this verified build infrastructure to build from source to binaries. It's sitting on top of Tekton, it's sitting on top of CDEvents, it's using a bunch of the technologies which are part of the CD Foundation. And as a project, we're thinking it's really good alignment with the Continuous Delivery Foundation.

Okay.

We actually just this morning chatted with the technical oversight committee, got a really good response from them, and I think that's progressing well, and hopefully we will be part of a vendor-neutral foundation soon to further advance the project, because I think that gives us the neutrality which we need to become a standard.

Absolutely.
That's great news. You know, look, you and I, Stephen, talk all the time, right? The CD Foundation is about two years old now, and it went through a time where, you know, the initial leadership moved on. They recently put a new chair in and some new board members, and it seems to have revitalized CDF. And look, it's part of the Linux Foundation, right? So, you know, I mean, the CD Foundation fundamentally has some really, really strong projects: Spinnaker, Tekton, Jenkins.

Absolutely. And with the new leadership, Fatih is joining as the general manager, right? Also, I'm the chair of the governing board. There's a bunch of new folks coming in to the marketing committee and proposing projects. So I think this is kind of like a renaissance of the CD Foundation, where it's going through another transformation, and the new projects coming in are broadening the portfolio from being pure continuous delivery technologies to bridging out to security, to observability, everything you would need to build an end-to-end DevOps platform entirely on open source technologies.

Love it. I think there's another reason. At the end of the day, from how you're describing Pyrsia, it's not just about security. It really is about how do we decentralize. I digress, but I went up to see Linus's keynote this morning. One of the things I guess I knew but I didn't know was that not only did he start Linux, right, create Linux, but he created Git, right? And it's pretty cool when you think about it. The idea of having a decentralized repo like this, I don't know if it was something he envisioned when they did Git all those years ago or not, but there's so much that can be done there.

Yeah.

And it could be set free, that's it, you know. You can set these repos free to some level.
No, no, I think a good parallel to that, like one of the ways which I've described to people the level of change and innovation going into Pyrsia, is that it's essentially Git for binaries, right? We're building the decentralized Switzerland of binaries, so that now you can get all of your secure, verified packages from this decentralized infrastructure. And something else which Linus Torvalds said in his keynote this morning as well was that they're seriously looking at Rust, not really for building device drivers, but for doing some Linux kernel development. And we made the same assessment when we started the Pyrsia project, and are actually building the entire project in Rust, because it gives you, we believe, today the best high-performance, verifiable language, where you can have a higher level of security guarantee on the code you're writing than if you built it in, for example, C, C++, Go, and other tech.

Well, look, today's choices around languages are nearly infinite. Today Rust may look like a really good one. Five years from now, three years from now, something cool comes out and you kick yourself: I wish I could port to that.

You know, you say that, but most languages we're using today have been around for 20-plus years, so...

Yeah, most languages we're using...

But when it's like the compiler technology and the toolchain, and getting things to the level where you can build production-grade software, it's a decade of investment on any of the languages we're using today, and the languages people are most relying on, like Python and Java, have been around for a long time.

But it does seem like every graduate student going for their PhD designs their own language or something. That's another story. I want to... so first, I want to wish you a lot of luck with Pyrsia. When do you... what do you think we might hear
some news on this, CD Foundation and otherwise?

Yeah, so in terms of the project, you can already go and try it: pyrsia.io. The peer-to-peer system is entirely functional. We have a backing authorized server which will give you, with our partner Docker, official Docker images off the Pyrsia network.

Great, which is awesome.

We're working with the CD Foundation to apply for incubating status, so we're very hopeful. But of course, you know, we want to go through the right technical vetting process there. And I think that the new stuff I mentioned, this phase two work on our verified build infrastructure, should be ready by the end of the year. So we're moving aggressively, but doing it in a collaborative way.

Six months is not a lot. All right, let me switch gears with you. So I've been listening all day to people talk about software supply chain security, and I just wonder why we haven't put more emphasis on the repo organizers to clamp down on knowingly out-of-date, insecure, vulnerable artifacts or code or whatever that their repo contains, right? You know, I get that there's a freedom issue here. All right, if someone wants to use this old version because they have a good reason for using it, knowing of the insecurities in it, so be it. But why aren't we doing a better job of warning people that, hey,
don't use this unless you have a really good reason?

Okay, so I think that, first of all, this is a hard problem, and there are a lot of discussions and efforts going into it. And I think you can categorize the type of work going into it into three buckets. So one set of work is going into shoring up the current central repositories, and there's a great working group that's part of OpenSSF which is dedicated to this. They have a plan, which both companies are currently investing in, which requires some funding to improve, for example, signatures of people submitting to central repositories, having more secure namespacing and verification of domains, and there's a whole bunch of things which are either inconsistently or not well applied from a security standpoint for central repositories.

The second class of things which I think is important for this is security disclosures. So different security research firms, and we've been doing this a lot from our security research team at JFrog, both research vulnerabilities and disclose vulnerabilities first to the person who's responsible for or owns the asset which is vulnerable. So a lot of our recent disclosures have been basically malware or problems in central repositories. We found an exploit targeted at Azure developers, which was in npm, where they specifically checked in packages with the Azure namespace left off. It's essentially a typosquatting attack.

Yeah.

They got a lot of hits on this, and we reported it and had them pulled before it became an issue. But you need vulnerability research teams who are looking for this and helping to remediate it. And I think that the third one, getting back to the Pyrsia project, is, frankly, we need a next-generation infrastructure which is secure by...

I don't think the repos were built for that in particular.

Yeah, so the fundamental table stakes are: do you have secure validation?
Are you building from source, and can you verify and build a bill of materials off of it? And that's not true today of all the central repositories.

Agreed. Hey, man, we're about out of time. Is there anything we missed on this?

No, no, I mean, this has been a great conversation. I've been enjoying the Open Source Summit here in Austin, and I would say that for folks watching, you know, join us out here next year, because this is an amazing event. Just the networking, the interactions, the sessions are great, too.

I'll be honest, the ones I've been able to jump in on. But I'll also just mention that it is tomorrow and Thursday, and there is a virtual...

Yeah, absolutely, you know, they're streaming this virtually.

You can check that out too, as I've mentioned earlier. Anyway, Stephen, thank you so much. Quick shout-out also: next month, it's next month, yeah, Yalla DevOps in Tel Aviv, July 18th. We will be there. I think we're going to be doing our thing there. Actually, I'm on a panel there, but we're also broadcasting, and hope to see you there.