A software bill of materials (SBOM) is the idea that we can define and document exactly what goes into a system. Today we look at governance and at SBOMs as we put one together, from both the software and the operations side.
Tag Archives: Software
Hashicorp BSL vs OSS License Discussion
Hashicorp changed its license to the BSL, the Business Source License, which is not an open source license. The source code is still made available, but its use is restricted: the products remain free only for people who are not competing with Hashicorp, and everyone else is, in effect, expected to be a paying or enterprise customer.
If you are embedding or repackaging the software, or competing with Hashicorp, you are prohibited from using it. We spent this podcast looking into why, how and what the implications are, as well as the historical precedents.
References
* www.runtime.news/hashicorp-closes-a-door/
* opentf.org
* blog.gruntwork.io/the-future-of-te…pen-ab0b9ba65bca
* spacelift.io/blog/spacelift-lat…t-on-hashicorp-bsl
* ir.hashicorp.com/news-releases/ne…results-fiscal-0
* www.hashicorp.com/license-faq#comp…uct-bsl-coverage
* www.linkedin.com/posts/rhirschfel…7665233920-MxcP/
Photo by BİLAL KARADAĞ: www.pexels.com/photo/yk-1-17939409/
Transcript: otter.ai/u/ZjTzZZiYh_dXri3rSk…?utm_source=copy_url
Making SBOM A Reality
Software bills of materials are one of the most critical modern software development practices, one that people should be doing but mostly don’t. They have a significant impact on security, provenance, reproducibility and license compliance.
The benefits of having a good software bill of materials in our technology industry are incredibly high, both as a producer and a consumer. And yet, this is one of those places where I feel like we have really fallen behind.
Transcript: otter.ai/u/J3VtBLiQMAuZgfMCOz…?utm_source=copy_url
Image: www.pexels.com/photo/photo-of-mo…culpture-3810915/
Migrating Long Term Applications
How should we think about migrating legacy workloads to new infrastructure and modernize them?
The group addresses this question methodically, including how databases get linked, how they get used, how they get migrated, how important it is to maintain languages and what it would take to migrate between languages. In the end, we look back on that conversation and apply the lessons learned to what we are building today.
This is absolutely essential because new designs will become tomorrow’s legacy! We’ll be struggling to migrate those in 10 or 15 years too, so everything we can learn helps break that cycle.
Transcript: otter.ai/u/sHB8507KjZlZPBMToBUCEKjPVQY
Photo: www.pexels.com/photo/man-and-wom…tainside-8968077/
Rob’s Hot Take:
Hello, I’m Rob Hirschfeld, CEO and co-founder of RackN, providing a hot take on the January 25th discussion about migrating legacy applications to the cloud. While the topic may seem limited, the reality is that today’s legacy was once a cutting-edge application, underscoring the importance of designing with future migrations in mind. The key challenges identified in the conversation were complexity and coupling, emphasizing the need for clean, referenceable APIs to facilitate smoother migrations. To delve into these insights further, listen to the full episode on January 25th and join the ongoing discussions at the2030.cloud.
Resolving Software Dependency Chains
Dependency chains are complex and fragile when you depend on software, hardware or cloud services that go away or change. In this conversation, we examine the challenge of having dynamic vendor relationships and what we can do to fix and protect our environments.
It’s hard to fix what is vulnerable when your software supply chain can also change at any moment, and that change can impact any device in your infrastructure! We work through what that problem means in practical terms.
Transcript: otter.ai/u/mwpwVINGYfkQ5F5IERXgsM2oHsA
Photo: www.pexels.com/photo/focused-kid…d-puzzle-5063480/
Rob’s Hot Take:
Rob Hirschfeld, CEO and co-founder of RackN and host of the Cloud 2030 Podcast, reflects on the January 11th DevOps lunch and learn focused on managing dependencies in technology. The discussion reveals a critical realization that the interconnected and short lifecycle of technology components results in a near certainty of repercussions when patching or updating one part of the infrastructure. Hirschfeld highlights the serious security and continuity risks associated with unmaintained projects, emphasizing the need for improved visibility and management of software dependency graphs. He encourages listeners to explore the comprehensive conversation at the2030.cloud for insights into addressing these challenges.
Software Supply Chains [#Log4Shell]
Our scheduled topic was supply chains generally, but the Log4Shell vulnerability dominated the discussion. We dove into the challenge of patching and fixing a library that has been in nearly every device or service for years.
That led us to supply chains in the context of software, and specifically Java’s Log4j. This is a critical topic and our conversation about it was very thoughtful. We covered what it takes to produce and maintain a supply chain for software, then discussed alternatives and things to consider when you’re building anything: software products, or physical products in which embedded systems and components shape your designs.
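A worked illustration of the patching problem above, added here and not code from the podcast, RackN or the Log4j project: given a CycloneDX-style SBOM, walk every component, including components bundled inside other components (where a shaded jar hides), and flag any log4j-core whose version falls inside the originally announced Log4Shell range. The SBOM is constructed for the example; the watchlist holds only the CVE-2021-44228 range for log4j-core (2.0-beta9 through 2.14.1) and is an assumption to be replaced by a vulnerability feed you trust.

```python
"""Walk a CycloneDX-style SBOM and flag components whose version falls inside a
known-affected range. Added example, not podcast or RackN code. The SBOM below
is constructed for the example and the watchlist is an assumption."""
import json
import re
from typing import Iterable, Iterator

# Constructed sample SBOM (CycloneDX JSON shape, fields trimmed). Note the copy of
# log4j-core bundled *inside* an application component: a top-level-only scan
# would miss it.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
         "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "version": "2.13.0"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.0-beta9"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core"},  # no version recorded
        {"type": "application", "group": "com.example", "name": "billing-service",
         "version": "4.2.0",
         "components": [
             {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
              "version": "2.14.1",
              "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
         ]},
    ],
})

# (group, name) -> [(advisory, first affected, last affected)], both ends inclusive.
# Assumed range for the original Log4Shell advisory; replace with a real feed.
WATCHLIST = {
    ("org.apache.logging.log4j", "log4j-core"): [
        ("CVE-2021-44228", "2.0-beta9", "2.14.1"),
    ],
}


def version_key(version: str):
    """Maven-like ordering: dotted numeric core, then an optional qualifier
    ('-beta9', '-rc1') that sorts BEFORE the bare release of the same core.
    Every qualifier is treated as pre-release, a simplification that holds for
    the Apache artifacts here but not for every ecosystem."""
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[-.]?(.*))?$", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    core = [int(x) for x in m.group(1).split(".")]
    core += [0] * (4 - len(core))          # 2.14 == 2.14.0
    qualifier = m.group(2) or ""
    if not qualifier:
        return (core, 1, ())               # a release outranks any pre-release
    parts = tuple((0, int(t)) if t.isdigit() else (-1, t.lower())
                  for t in re.findall(r"\d+|[A-Za-z]+", qualifier))
    return (core, 0, parts)


def iter_components(components: Iterable[dict]) -> Iterator[dict]:
    """Depth-first walk: CycloneDX lets a component carry its own components."""
    for comp in components:
        yield comp
        yield from iter_components(comp.get("components", []))


def find_vulnerable(sbom_json: str, watchlist=WATCHLIST):
    """Return (findings, unchecked). findings: (identifier, version, advisory)
    triples. unchecked: watchlisted components with no version, which the SBOM
    cannot clear and which need a look by hand."""
    bom = json.loads(sbom_json)
    findings, unchecked = [], []
    for comp in iter_components(bom.get("components", [])):
        key = (comp.get("group", ""), comp.get("name", ""))
        if key not in watchlist:
            continue
        ident = comp.get("purl") or f"{key[0]}:{key[1]}"
        version = comp.get("version")
        if not version:
            unchecked.append(ident)
            continue
        vk = version_key(version)
        for advisory, lo, hi in watchlist[key]:
            if version_key(lo) <= vk <= version_key(hi):
                findings.append((ident, version, advisory))
    return findings, unchecked


if __name__ == "__main__":
    hits, unknown = find_vulnerable(SAMPLE_SBOM)
    for ident, version, advisory in hits:
        print(f"AFFECTED {advisory}: {ident} {version}")
    for ident in unknown:
        print(f"UNVERSIONED (check by hand): {ident}")
```

Two caveats a practitioner would want: an SBOM entry without a version cannot clear a component, so it is reported separately rather than silently skipped; and the watchlist is illustrative only, since the first Log4j fix (2.15.0) was itself followed by further releases, which is exactly why the range has to come from a maintained feed rather than a constant in a script.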
Transcript: otter.ai/u/CJ8pYF1La6tetFasqZhEojo_zoY
Image: www.pexels.com/photo/carton-cont…-in-rows-6294430/
Rob’s Hot Take:
Rob Hirschfeld, CEO and co-founder of RackN and host of the Cloud 2030 Podcast, reflects on the December 16th discussion centered around the supply chain, particularly focusing on Log4j and software components. He underscores the importance of understanding the provenance of software components and emphasizes the necessity of maintaining a robust patch and update process, especially considering embedded systems like Java. Hirschfeld advocates for a shift in mindset towards viewing software as an ongoing process rather than a static deliverable, inviting listeners to explore the insightful discussion further at the2030.cloud.
Securing Software Supply Chains
Today we talked about supply chains, but mainly about security and the security aspects of supply chains, because we have very serious challenges here.
We have made software, and onboarding software for developers, so easy, but we haven’t put the same effort into how to manage production systems! The team talked about what it takes to build production systems that respect security, supply chains, dependency graphs and inclusion in a way that crosses teams.
It’s an incredibly important topic, and it is the foundation of any successful supply chain hardening effort.
Transcript: otter.ai/u/6zfld2gBpZMSGT8Vk_1Ka3pWtN0
Image: www.pexels.com/photo/light-city-…traffic-10390684/
Is Open Source Working?
Is open source driving innovation? And is it a necessary component of Right to Repair and ownership? Are there commercial drivers where people want those open capabilities?
We transition into a deeper conversation about what’s going on with open source. Is it being innovative? Who is leading? How is it working?
Transcript: otter.ai/u/vto0yPpBuZtqngkc_zqMDp9J39M
Photo by Jeffrey Czum from Pexels [ID 4118958]
Joe Duffy at Pulumi on Modern Infrastructure as Code Systems
Joining us this week is Joe Duffy, CEO and Co-Founder of Pulumi.
About Pulumi
Pulumi’s Modern Infrastructure as Code platform provides superpowers for teams to manage any cloud using their favorite languages. Organizations of all sizes, from startups to the Global 2000, have chosen Pulumi for their cloud transformation and modernization needs. Pulumi is based in Seattle, venture-backed and founded by Microsoft, Amazon, and Google software veterans in 2017.
Software is Not Eating the World, it’s Dying
Rob Hirschfeld and Stephen Spector talk about the Software industry and how SaaS and other trends are killing the traditional software solution based on installation and management in your own data centers.
This is our 100th Podcast for L8istSh9y!