Good afternoon, brilliant humans, and welcome back to theCUBE. We're live in Detroit, Michigan, at KubeCon, and I'm joined by John Furrier. John, three exciting days buzzing. How you doing?

That's great. I mean, we're coming down to the third day, we're keeping the energy going, but this segment's going to be awesome. The CD Foundation is doing amazing work. Developers are going to be running businesses and workflows are changing, productivity is the top of conversation, and you're going to start to see a coalescing of the communities for our continuous delivery, and it's going to be awesome.

And our next guest is an outstanding person to talk about this. We are joined by Stephen Chin, the chair of the CD Foundation. Stephen, thanks so much for being here.

No, no, no, my pleasure. I mean, this has been an amazing week, both at KubeCon, with all of the announcements, all of the people who came out here to Detroit, and, you know, fantastic. Like, just walking around, you bump into all the right people here. Plus, we held a CD Summit day-zero event and had a lot of really exciting announcements this week.

Got to love the shirt. I got to say, it's one of my favorites. Love the logos, love the branding. That project's got traction. What's the news in the CD Foundation? I tried to sneak in the back. I got a little late into your co-located event. It was packed. Everyone's engaged. It looked really cool. Give us the update. What's the news?

So, we had a really, really powerful event. All the key practitioners, the open source leads and folks were there. And one of the things which I think we've done a really good job in the past six months with the CD Foundation is getting back to the roots and focusing on technical innovation. Right, this is what drives foundations: having strong projects, having people who are building innovation and also bringing in new innovation. So, one of the projects which we added to the CD Foundation this week is called Pyrsia.
So, it's a decentralized package repository for getting open source libraries. And it solves a lot of the problems which you get when you have centralized infrastructure. You don't have the right security certificates. You don't have the right verification of libraries. And these are all things which large companies provision and build out inside of their infrastructure. But the open source communities don't have the benefit of the same sort of really, really strong architecture. A lot of the systems we depend upon.

It's a good point, yeah.

Yeah, I mean, if you think about the systems that developers depend upon, we depend upon, you know, npm, RubyGems, Maven Central. These systems have been around for a while. Like, they serve the community well, right? They're well supported by the companies. And it's really a great contribution that they give us. But every time there's an outage or there's a security issue... I guess how many security issues has our research team found at npm?

Just ballpark.

74. So there are...

There's got to be thousands. I mean, there's got to be tons of them.

They're currently up to 16,000.

Whoa!

Vulnerable, malicious packages in npm.

Oh my gosh. That's a drawing number, even. I knew it was going to be huge, but holy moly. So that's a software supply chain in action right there. So that's open source. Everything's out there. How do you guys fix that?

Yeah, so Pyrsia kind of shifts the whole model. So when you think about a system that can be sustained, it has to be something which is not just one company. It has to be a set of companies, be vendor neutral and be decentralized. So that's why we donated it to the Continuous Delivery Foundation, so that can be the governance body which makes sure it's not a single company. It has to use modern technologies. So you just need something which is immutable, so it can't be changed, so you can rely on it. It has to have a strong transaction ledger so you can see all of the history of it.
You can build up your software bill of materials off of it. And it has to have a strong peer-to-peer architecture, so it can be sustained long-term.

Stephen, you mentioned something I want to just get back to. You mentioned outages and disruption. You didn't say just use the outages. But this whole disruption angle is interesting. If something happens, talk about the impact to the developer. Are they stalled? Inefficiencies create, basically, disruption.

No, I mean, so if you think about most DevOps teams in big companies, they support hundreds or thousands of teams, and an hour of outage, all those developers, they can't program, they can't work. And that's a huge loss of productivity for the company. Now if you take that up a level, when npm goes down for an hour, how many millions of man-hours are wasted by not being able to get your builds working, by not being able to get your code to compile? Like it's...

Yeah, I mean, it's almost hard to fathom. I mean, everyone's, it's stopped. It's literally like having the plug pulled.

Exactly. That's the fundamental problem we're trying to solve. It needs to be on a well-supported, well-architected peer-to-peer network with some strong backing from big companies. So the companies working on Pyrsia include JFrog, who I work for, Docker, Oracle, we have DeployHub, Huawei, a whole bunch of other folks who are also helping out. And when you look at all of those folks, they all have different interests, but it's designed in a way where no single party has control over the network. So really, it's a system where you're not relying upon one company or one logo, you're relying upon a well-architected open-source implementation that everyone can rely on.

That's shared software, but it's kind of a fault-tolerant feature too. It's like, okay, if something happens here, you have a distributed piece of it, decentralized, you're not going to go down, you can remediate. All right, so where does this go next?
I mean, because we've been talking about the developer, there needs to be a modern, I won't say modern upgrade, but like a modern workflow or value chain. What's your vision? How do you see that? Because you're in the center of the CD Foundation coming together, people are going to be coalescing multiple groups. What's your vision?

I think this is a good point. So there's a lot of different continuous delivery, continuous integration technologies. We're actually, from a Linux Foundation standpoint, we're coalescing all the continuous delivery events into one big conference.

You just made an announcement about this earlier this week. Tell us about CDEvents, what's going on? What's in the cooker?

Yeah, and I think one of the big announcements we had was the 0.1 release of CDEvents. And CDEvents allows you to take all these systems and connect them in a scalable, event-oriented architecture. The first integration is between Tekton and Keptn. So now you can get CDEvents flowing cleanly between your continuous delivery and your observability. And this extends through your entire DevOps pipeline. We all need a standards-based framework for how we get all the disparate continuous integration, continuous delivery, observability systems to work together that's also high performance, it scales with our needs and it kind of gives you a future architecture to build on top of. So a lot of the companies I was talking with at the CD Summit, they were very excited about not only using this with the projects we announced but using this internally as an architecture to build their own DevOps pipelines on.

I bet that feels good to hear.

Yeah, absolutely.

Yeah, you mentioned Tekton, they just graduated. I saw, how many projects have graduated?

So we have two graduated projects right now. We have Jenkins, which is the first graduated project.
Now Tekton has also graduated, and I think this shows that for Tekton it was time: a very mature project, great support, getting a lot of users, and having them join the set of graduated projects in the Continuous Delivery Foundation is a really strong portfolio. And we have a bunch of other projects which also are on their way towards graduation.

Feels like a moment of social proof, I bet, for you all.

Yeah, I know, it's really good.

Yeah, how long has the CD Foundation been around?

The CD Foundation has been around for, I want to say the exact number of years, a few years now, but I think that it was formed because what we wanted is we wanted a foundation which was purpose built. So CNCF is a great foundation. It has a very large umbrella of projects and it takes kind of that big umbrella approach where a lot of different efforts are joining it, a lot of things are happening and you can get good traction, but it produces its own bottlenecks in process. Having a foundation which is just about continuous delivery caters to more of a professional DevOps audience. I think this gives a good platform for best practices. We're working on a new CDF best practices guide. We're working with use cases with all the member companies and it gives that thought leadership platform for continuous delivery, which you need to be an expert in that area.

And the best practices too, and to identify the issues, because at the end of the day the big thing that's coming out of this is velocity and more developers coming on board. I mean, this is the big trend.

More people doing more, yeah.

Well, yeah, I mean, if you take this open source continuous thunder away, you have more developers coming in and they'll be more productive, and then people are going to be either on the DevOps side or on the straight app to the website, and this is going to be a huge issue. And the other thing that comes out that I want to get your thoughts on is the supply chain issue you talked about is hot.
Verifications and certifications of code is some big issue. Can you share your thoughts on that? Because this is becoming, I won't say a business model for some companies, but it's also becoming critical for security that code's verified.

Yeah, okay. So I think one of the things which we're specifically doing with the Pyrsia project, which is unique, is rather than distributing, for example, libraries that you developed on your laptop and compiled there, or maybe they were built on a runner somewhere like Travis CI or GitHub Actions, all the libraries being distributed on Pyrsia are built by the authorized nodes in the network and then they're verified across all of the authorized nodes. So the basic guarantee we're giving you is, when you download something from the Pyrsia network, you'll get exactly the same binary as if you built it yourself from source. So there's a lot of trust.

And transparency.

Yeah, exactly. And if you remember back to kind of the seminal project which kicked off this whole supply chain security whirlwind, it was SolarWinds. And the exact problem they hit was the build ran, it produced the results, they modified the code of the result in binary and then they signed it. So if you built with the same source and then you went through that same process a second time, you would have gotten a different result, which was a malicious tree.

Right, yeah.

And it's very hard to take a binary file and determine if there's malicious code in it, because it's not like source code: you can't inspect it, you can't do a code audit. It's totally different. So I think we're solving a key part of this with Pyrsia, where you're freeing open source projects from the possibility of having their binaries, their packages, their end reducers tampered with. And also upstream from this, you do want to have verification of PRs, people doing code reviews, making sure that they're looking at the source code.
And I think there's a lot of good efforts going on in the Open Source Security Foundation. So I'm also on the governing board of OpenSSF.

Do you sleep? You have three jobs. You've said it on camera. I can't even imagine.

Didn't you just spin that out from the open source secures? Is that the new one?

Yeah, so the Open Source Security Foundation is one of the new Linux Foundation projects. They have been around for a couple of years, but they did a big reboot last year around this time. And I think what they really did a good job of now is bringing all the industry players to the table, having dialogue with government agencies, figuring out what do we need to do to support open source projects? Is it more investment in memory safe languages? Do we need to have more investment in code audits or security reviews of open source projects? And all of those things require money investments, and that's what all of the companies, including JFrog, are doing to advance open source supply chain security.

I mean, it's really kind of interesting to watch the different demographics of the developers and the vendors and the customers. On one hand, if you're a hardware person, company, you talk zero trust; your software, you talk trust. So you're trusted code, and you got zero trust. It's interesting, depending on where you're coming from, they're all trying to achieve the same thing. I mean, zero trust makes sense, but then also, I got code, I want trust, trust and verify. So security is in everything now, so code. So how do you see that traversing over? Is it just semantics or what's your view on that?

The right way of looking at security is from the standpoint of the hacker. Because they're always looking for...

Well said, very well said.

New loopholes, new exploits, and they're very, very smart people. And I think when you...

Some of the smartest, yeah.

Yeah, I work with, well, former hackers now, security researchers.

They converted, they recruited.
But when you look at them, there's like two main classes of types of exploits. So some attacker groups, what they're looking for is they're looking for holes: zero days, CVEs, like existing vulnerabilities that they can exploit to break into systems. But there's an increasing number of attackers who are now at the opposite end of the spectrum. And what they're doing is they're creating their own exploits. So they're, for example, putting malicious code into open source projects. Like getting...

Little Trojan horse status.

Yeah, they're getting their little Trojan horses in. Or they're finding supply chain attacks by maybe uploading a malicious library to npm or to PyPI. And by creating these attacks, especially ones that start at the top of the supply chain, you have such a large reach.

I was just going to say it could be a whole, it almost gives me chills as we're talking about it. The systemic integration could just be gnarly.

Nation-state attackers, like people who want to do serious damage or do it. Engineered hack. I said they're highly funded, highly skilled.

Exactly. Highly agile, highly focused.

Yes. Teams, not into teams.

Yeah, so one example of this, which actually netted quite a lot of money for the hacker who exposed it, was, you guys probably heard about this, but it was an attack where they uploaded a malicious library to npm with the same exact namespace as a corporate library. And so what happens is called a dependency injection attack. And what happens is if you don't have the right sort of security, package management guidelines inside your company, and it's just looking for the latest version, merging multiple repositories as like a single view, a lot of companies were accidentally picking up the latest version, which was out in npm, uploaded by Alex Birsan, who was the one who did the attack. And he simultaneously reported bug bounties on like a dozen different companies and netted 130K.

Wow.
So like these sort of attacks, they're real, they're exploitable, and the hackers who are finding these sort of attacks now in our supply chain are the ones who really are the most dangerous. That's the biggest threat to us.

Yeah, and we have HackerOne out there. You got a bunch of other services. The white hat hackers get the bounties. That's really important. All right, what's next? What's your vision of this show as we end KubeCon? What's the most important story coming out of KubeCon in your opinion, and what are you guys doing next?

Well, I actually think this is probably not what folks would say is the most exciting story of KubeCon, but I find this personally the best is...

I can't wait for this now.

So on Sunday, the CNCF ran the first Kids Day.

Oh.

And so they had a free kids workshop for underprivileged kids, for local people in the Detroit area. It was taught by some of the folks from the CNCF community. So Arun, Eric Han, my older daughter, Cassandra, is also an instructor, so she also was teaching a Raspberry Pi workshop.

Amazing. And she's here.

Yeah, yeah, she's also here at the show, and when you think about it, there's hundreds of announcements this week. A lot of exciting technology, some of which we've talked about, but what really matters is the community. This is a community-first event. And the people, and if we're giving back to the community and helping Detroit's kids to get better at technology, to get educated, I think that it's worthwhile for all of us to be here.

What a beautiful way to close. That is such... I'm so glad you brought that up and brought that to our attention. I wasn't aware of that. Did you know that was happening, John?

No, I didn't know about that. Yeah, no, that was... And that's next generation too. And what we need, we need to get down into the elementary schools. We got to get through the kids. They're all doing robotics club anyway in high school. Computer science is now a sport.
Well, I think that if you're in a privileged community, though. I don't think that every school is doing robotics, and that's why.

Cal Poly and the universities are stepping up. And I think CNCF's leadership is amazing here. And we need more of it. I mean, I'm bullish on this. I love it. I think that's a really great story.

No, I am absolutely. And it just goes to show how committed CNCF is to community, putting community first. And Detroit, there's been such a celebration of Detroit this whole week. Stephen, thank you so much for joining us on the show. Best wishes with the CD Foundation. John, thanks for the banter as always. And thank you for tuning in to us here. Live on theCUBE in Detroit, Michigan, I'm Savannah Peterson, and we are having the best day. I hope you are too.