10-26, 11:15–11:40 (Europe/Berlin), Main stage
The current software supply chain has become convoluted. We've migrated from virtual machines to containers - but at the end of the day, we're still shipping systems.
Warpforge is paving the way to greatly improved security of software supply chains through increased auditability, while uncoupling ability to build software from network dependencies and the accompanying latency.
Introduction
We've achieved technological symbiosis - for the majority of people our devices are digital extensions of our minds, and when something has that level of information about us - it needs to be secure while being understandable.
Computers require integrity and infrastructure needs resilience. Most critical infrastructure is computerised, scenarios like this are where the stakes are highest. For our systems to be integral and resilient requires two things:
- All-encompassing control of what software is present
- The ability to audit and verify that software is what it says on the tin
Challenges in Software Integrity and Security
There’s a library for this, another for that - developing software is becoming more modular! But we’ve hit a bottleneck in how we ship it.
Packaging formats proliferate, and neither building nor distributing software to end-users is easy anymore. Greater numbers of components going into any software build process only makes this more complicated. Utilisation of shared libraries during deployment also results in complexity and the balkanisation of packaging systems and distros alike, where despite the best of intentions, no one can share their work or ship their products without repackaging.
It’s time to revist some basics. Can we share more with less, by utilising simpler formats? Can we manage things more consistently, by building a solid general foundation? Can we go beyond blind trust in version numbers, establishing truth and precision, all while reducing the wrangling of chaotic dependency chains and breaking free from shipping entire systems?
We hope so. Introducing Warpforge.
Warpforge addresses the proliferation of tool and format challenges by attaching simple filesystem snapshots and transport to a decentralised package database API, integrating this with containers for execution of builds and test environments. Warpforge uses content addressing throughout these systems to make them precise, and secure.
Together, these systems increase transparency, reliability, and explainability. They enable developers to have better control over their software supply chain, leading to more robust and secure software development practices.
The Vision of Warpforge
By establishing truth through hash trees, and making them easy to use in hermetic (containerised) environments, we can create an environment providing:
- Supply chain security, everywhere
- True reproducibility for software builds
- Increased portability of software
- Enabling rapid forking and building of software
- Making dependency trees portable
- Reducing the impact of poor network availability on build ability
As part of this, to make it easier to compose systems of more easily isolated packages, we introduce a major overhaul to how our packages approach dynamic linking, in the form of Zapps: gloriously robust, and the secret ingredient to making Warpforge workable & appealing.
By being language and toolchain agnostic, we can bring these benefits to the masses, all while doing our bit to achieve parity across languages and toolchains, lowering the bar to entry and making mass-adoption easier all around.
May comes from a software development and cyber security background, with an interest in how infrastructure and software supply chains can be made both simpler and more secure.