Background Principal Solutions Architect, experienced in software supply chain security, migrating applications into Docker containers using CI/CD pipelines, Kubernetes, and a variety of CNCF tools. Member of the Docker Captains Program, OCI Maintainer, and member of various CNCF and OpenSSF groups. Prior experience in enterprise systems management, configuration management, monitoring solutions, Linux administration, automation, and shell scripting. Skills Environments: Linux/UNIX (Debian, U...| Brandon Mitchell
$ whoami Brandon Mitchell - Position: Open source developer / semi-retired - Languages: Go, YAML, shell - Author: regclient, olareg, and many more - Maintainer: Open Container Initiative (OCI) - Organizations: Docker Captain - Hobbies: Cycling, sailing, backpacking Quick links: Resume GitHub Mastodon LinkedIn| Brandon Mitchell
Go made a promise to developers. Code that was written today would always compile with newer versions of Go. And so far, they’ve kept that promise. But for developers of software that is maintained, they’ve also broken that promise. The language can now change, and Go changes its behavior based on the version defined in the go.mod file of a project. So if you don’t want to update your program to follow the new behavior of the language, you can keep your go.mod version aligned with that o...| Blog Posts on Brandon Mitchell
Open Source Software (OSS) has an onboarding and a retention problem. These problems are connected, but it’s not clear which is the cause versus the effect. Much of this is based on a conflict of goals and personalities between the different types of OSS contributors. Student The student is looking to leverage their OSS contributions as part of their education and to enhance their resume. Students tend to ask for lots of support from maintainers because they are frequently not users of the p...| Blog Posts on Brandon Mitchell
The financial industry has a concept of “know your customer” to prevent financial fraud. The concept is that fraudsters do not want transactions linked back to their identity. There’s a similar push happening in Open Source security, to verify the identities of contributors before allowing their commits. The suggestion is that this could prevent an xz-style attack by requiring in-person verification, such as a PGP key signing meeting.| Blog Posts on Brandon Mitchell
Reproducible builds are an idealistic solution to many supply chain security challenges I see today. They eliminate an entire chain of attacks, from a compromised build infrastructure (see SolarWinds) to a compromised artifact distribution. But they are only a piece of the solution, and they are rarely implemented today. Here’s my take on what a complete solution would look like, and why no one is doing it. Theoretical Solution An end-to-end solution needs multiple checks at each point alon...| Blog Posts on Brandon Mitchell
Open Source Developer, OCI Maintainer, Docker Captain, Cyclist, Backpacker, Sailor| Brandon Mitchell
A simple typo of ghcr.io to ghrc.io would normally be a small goof. You’d typically get a 404 or similar error, finally work out the issue, fix it, and move along. But in this case, that typo appears to be doing something very malicious, stealing GitHub credentials. What’s ghcr.io? First, a quick bit of background. ghcr.io is an OCI-conformant registry for container images and OCI artifacts used by a lot of projects. It’s part of GitHub and is a very popular image and artifact repositor...| Brandon Mitchell