DEVOPS WEEKLY ISSUE #613 - 25th September 2022
Several posts on the topic of supply chain security this week, from critiques of published guidance, dependency security and interesting new tooling to help with container supply chain concerns.
StackHawk sponsors Devops Weekly
Adding security testing to the development lifecycle means deploying to production the right way the first time. Watch a StackHawk demo to see how you can use automated testing to avoid roadmap disruptions and slowdowns.
https://sthwk.com/watch-a-demo
News
I’m a big fan of counter arguments. This post takes an opposing view of GitOps, but more generally explores a classic operations argument of push vs pull.
https://thenewstack.io/does-the-gitops-emperor-have-no-clothes/
Lots of talk of software supply chain security at the moment (and in this week’s newsletter), but this post discusses where the supply chain metaphor breaks down for open source software.
https://iliana.fyi/blog/software-supply-chain/
EC2 was one of the first AWS services, and there are now quite a few different ways of managing access to an EC2 instance, as covered in this post.
https://blog.symops.com/2022/09/22/ec2-access/
A good look at dependency security challenges with GitHub Actions.
https://devopsjournal.io/blog/2022/09/18/Analysing-the-GitHub-marketplace
A large scale migration to a platform like Kubernetes is just the start. This post explores what came next for one large organisation, and some of the challenges
https://medium.com/blablacar/be-lean-go-far-leveraging-kubernetes-for-an-elastic-right-sized-platform-bc1179c4c784
A critique of a recent US Government publication on Securing the Software Supply Chain, aimed at developers. Security is important, but it’s not the only important thing, and tensions between government and commercial interests are likely be become more of a theme I expect.
https://swagitda.com/blog/posts/securing-the-supply-chain-of-nothing/
A good reminder of the power of open source and community development, especially when it comes to low level infrastructure components like this example.
https://blog.gregor.com/adding-one-library-and-one-line-and-so-much-other-work-140cdd9efaf4
Events
WTF is Next for Developer Experience? Join this free virtual panel with Crystal Hirschorn, Hannah Paine and Suhail Patel on Tue 27 Sept, 14:00 CEST. And don’t forget to bring your questions!
https://bit.ly/3Sr99QX
Tools
Wolfi is a new lightweight GNU software distribution, a Linux (un)distribution intended to solve supply chain security problems in container environments.
https://github.com/chainguard-dev/wolfi-os
https://www.chainguard.dev/unchained/introducing-wolfi-the-first-linux-un-distro