PackagingCon
Joined 22 Sep 2021
The official channel of PackagingCon - the conference with the mission to bring different software package management ecosystems together: from Python's pip to Rust's cargo to Julia's Pkg, from Debian apt over Nix to conda and mamba, and from vcpkg to Spack, we hope to have many different approaches to package management at the conference.
Find more on packaging-con.org
Lightning Talks Day 2 & Closing session | PackagingCon 2023
Devbox: reproducible project-based environments or why global packages considered harmful - Mike Landau
We’ll talk about the tradeoffs of global vs project based package managers and introduce Devbox by jetpack.io, a powerful open-source tool that leverages nix to create portable, reproducible environments.
Package management analysis in the OSS Review Toolkit - Sebastian Schuberth
Analyzing the dependencies as declared by package managers is the first step towards creating SBOMs or querying known vulnerabilities for software projects. This talk gives an overview of the abstractions done in the OSS Review Toolkit to support more than 25 package managers and the challenges in modelling their different behaviors and resolution processes.
Poetry's dependency resolver and its environment-independent lockfile - Randy Döring
Poetry is a quite popular tool for dependency management and packaging of Python projects. A prominent feature of Poetry is the generation of an environment-independent lockfile. This means that it does not matter if the lockfile has been created on Linux or Windows, with Python 3.8 or Python 3.11 and so on, it will be the same and suitable for each possible environment.
Reverse Engineering Package Registries In The Middle Of Nowhere - Samuel Cochran
There are many different package registries in different ecosystems. We rely on them so much now that we take them for granted. But how do they work, and what’s inside? This talk explores what makes package registries tick, and how to mirror them with integrity. We'll focus on Rubygems, but touch on NPM (JavaScript/Node), Hex (Elixir), Homebrew (macOS), Ubuntu (Debian) and Fedora (RPM).
Untangling Software Supply Chain sBO(O)M - Daniel Liszka
Software Bill Of Materials (SBOMs) are booming (or sBO(O)Ming) today, becoming a backbone of many Software Supply Chain security and compliance efforts. This session will cover the speakers' real-world experiences when they created their own SBOM format and put it in production long before SBOM became a thing. We will talk about SBOM basics, formats, and industry standards, showcase three stages for SBOM management (collection/producers, distribution/storage, and analysis/consumers), walk you through various rapidly growing tools from each category, and discuss strategies for building your own built-to-your-spec solution.
Views: 145
Videos
Lightning Talks Day 1 | PackagingCon 2023
136 views · a year ago
emscripten-forge, a conda-forge like distribution for WASM in the browser - Thorsten Beier The advent of WebAssembly has transformed web application development, empowering developers to harness the potential of low-level languages like C and C++ in the browser environment. Emscripten-Forge, a conda-based distribution, closely resembling conda-forge, is designed to cater specifically to WebAssemb...
Explainability in Spack concretization - Gregory Becker | PackagingCon 2023
113 views · a year ago
Modern package managers often use logic solvers (SAT, ASP, SMT, CDCL, etc) for dependency resolution. Logic solvers are highly efficient at solving NP-complete problems, but often give very little information when a solve is impossible. This talk explains the solver methods used in Spack to introduce legible error messages for users, including generating full causality chains for facts involved...
WinGet and Chocolatey: A Real-World Look at Package Management Tools on Windows - Paul Broadwith
675 views · a year ago
Talk by Paul Broadwith at PackagingCon 2023. In this talk, I look at the two common package managers on Windows and explore their commonly used features in a real-world context. WinGet and Chocolatey are compared a lot. There is a LOT of marketing and fluff articles and blog posts written about WinGet with little real-world practicality. The landscape is being skewed and becoming a place where ...
Package Managers, Software Security and Functional Safety | PackagingCon 2023
173 views · a year ago
Talk at PackagingCon 2023 by Maximilian Huber and Gary O'Neall. The software supply chain has been an increasingly vulnerable target due to the downstream users of open source software not being aware that they are using compromised or vulnerable components. Log4Shell and SolarWinds are just two prominent examples of supply chain attacks causing significant damage to a large population of downs...
“Our stuff” - how to protect users from package compromise with RSTUF | PackagingCon 2023
132 views · a year ago
Talk at PackagingCon 2023 by Kairo de Araujo and Lukas Pühringer. For many years the Update Framework (TUF) has been a prime reference for secure package delivery and updates. Despite its popularity, integration with existing package managers remains a challenging task. Enter RSTUF: This new OpenSSF project has taken on the challenge to provide a generic TUF application, which primarily focuses...
Secure the Build, Secure the Cloud: Using OIDC Tokens in CI/CD Pipelines - Elad Pticha
75 views · a year ago
Talk by Elad Pticha at PackagingCon 2023. Cloud computing adoption is increasing, and organizations have an increasing need to secure their access to cloud resources. Traditional access control mechanisms such as access tokens, while still widely used, are insufficient to protect against modern threats. Even if the least-privilege principles are preserved, these tokens could leak and expose you...
Learning to Predict Build Outcomes - Harshitha Menon | PackagingCon 2023
53 views · a year ago
The complexity of software has been increasing, where a typical application relies on tens or even hundreds of packages. The task of finding compatible versions and configuring builds for these packages poses a significant challenge. This talk introduces a method in which we leverage cutting-edge AI technology and advanced package management methodologies to address the challenges of managing s...
Gotta Go Fast - Kat Marchán | PackagingCon 2023
232 views · a year ago
An exploration of various techniques modern package managers are using, or could use, to optimize package management and make things GO REAL FAST. I've noticed over the years that optimization techniques could be mutually beneficial across many package managers, but the matrix of which PM supports what is fairly sparse: we usually only find out about new techniques from talking to each other, o...
Build provenance for package registries - Philip Harrison | PackagingCon 2023
86 views · a year ago
Lessons learned from adding build provenance to the npm registry: linking npm packages back to their originating source code and build instructions using cloud CI/CD, Sigstore and SLSA. Adding build provenance to a package registry is not a small undertaking, but it adds a major security capability in that packages can be transparent about what they contain and how they were built. This talk wi...
Secure packaging for AI models - Mihai Maruseac & Laurent Simon | PackagingCon 2023
181 views · a year ago
AI models (especially LLMs) are now being released at a never seen before frequency. At the same time, supply chain attacks increase YoY by more than 700%. Coupling these two facts together reveals a shocking perspective: it is very possible for bad actors to infect unsuspecting host that want to benefit from the AI explosion. Fortunately, by drawing analogies between training AI models and bui...
Quality Assurance for 20,000+ packages in GNU Guix - Christopher Baines | PackagingCon 2023
569 views · a year ago
A deep dive in to GNU Guix and new tooling to help maintain and improve the quality of Guix packages, while at the same time increasing the number available. This talk will introduce GNU Guix, a general purpose free software package manager and distribution of the GNU system. While Quality Assurance and Continuous Integration are established terms when it comes to software, their meaning when a...
Build your own SLSA 3+ provenance builder on GitHub Actions - Adam Korczynski | PackagingCon 2023
293 views · a year ago
Supply chain attacks have increased YoY by more than 700%. High profile attacks like those against SolarWinds or Codecov have exposed the kind of supply chain integrity weaknesses. Supply-chain Levels for Software Artifacts (SLSA) is a set of incrementally adoptable guidelines to prevent tampering, improve integrity, and secure packages and infrastructure. SLSA v1.0 specifications were released...
Securing your Package Ecosystem with Trusted Publishing - William Woodruff | PackagingCon 2023
115 views · a year ago
This talk will provide a developer-minded introduction to "trusted publishing," an OpenID Connect-based authentication scheme that PyPI has successfully deployed to reduce the need for (and risk associated with) manual configured API tokens. Thousands of packages (including many of Python's most critical packages) have already enrolled in trusted publishing, improving the overall security postu...
BuildXYZ: Automatic on-demand dependency dispenser - Ryan Lahfa | PackagingCon 2023
71 views · a year ago
Have you ever pondered why our software projects have README to explain how to install them? That's because it can be hard to automate the installation of the dependencies of a project. In this work, we will challenge and explore the actual difficulty behind why do we still need READMEs and human instructions to install native dependencies for projects, via a research project, called BuildXYZ, ...
Flakes: Nix Unshackled - Graham Christensen | PackagingCon 2023
9K views · a year ago
Bzlmod: the package manager for Bazel - Yun Peng | PackagingCon 2023
612 views · a year ago
Helping an Ecosystem Fade Away - Samuel Giddins | PackagingCon 2023
74 views · a year ago
Universal packages, powered by WebAssembly Interfaces - WAI - Christoph Herzog | PackagingCon 2023
298 views · a year ago
Streaming optimized scientific software installations on any Linux distro with EESSI
127 views · a year ago
Wolfi: Building a New Linux (Un)distro - Adrian Mouat | PackagingCon 2023
772 views · a year ago
What's in a name(space)? - Adam Harvey | PackagingCon 2023
106 views · a year ago
Shared Objects and Content Addressing: a Survey of Techniques - Eric Myhre | PackagingCon 2023
43 views · a year ago
Ensuring Runtime Reproducibility in the Python Ecosystem - Jaime Rodríguez-Guerra | PackagingCon 2023
99 views · a year ago
Rebuilding Trust: Asserting Integrity in Language Package Ecosystems - Matthew Suozzo | PackagingCon
83 views · a year ago
Probabilistic Package Builds: Guiding Spack's Concretizer with Predicted Build Outcomes
64 views · a year ago
Transparent compromise-resilience: How to bootstrap trust for the open-source ecosystem
141 views · a year ago
Python at Bloomberg - Pradyun Gedam | PackagingCon 2023
157 views · a year ago
Python Resolution Evolution: Decoupling Metadata from Downloads in Pip - Danny McClanahan
159 views · a year ago
How we used Rust to modernize the conda ecosystem - Bas Zalmstra | PackagingCon 2023
830 views · a year ago
the cat distracted me :'D
zerotonicks
Congratulations, Lorena!
It seems that every Guix dev has a long hairy beard lol. Makes Richie Guix more canon.
Useful material!
Xerotoonics
I have to say that, of all the talks I saw at PackagingCon this year, this was the most memorable one. So poignant and thought-provoking. Thank you for sharing this, Samuel Giddins.
Can you link to the article?
I bet they didn't get zero-tunics lol
Nice comparison between these two package managers, and yes, good talk!
Good talk. Love the combination of explaining concepts and showing concrete examples.
what about drivers?
Why aren't there more views?! This is an amazing piece of software!
I appreciate you creating debbuild. It took me about two days to create a unique Debian package, and it was challenging. It's difficult for someone like me to transition from the RPM world to the Debian packaging system.
Disappointed that there wasn't even a single demonstration of how to use this!
Wish I could understand what he is saying.
Awesome tool
Really interesting research. It is missing an important measure though. In addition to Time Lag and Version Lag, you should also be measuring Activity Lag. For example, in our repository, we are on the latest version of many of our Java dependencies. We should feel good about that, right? Nope! Some of them are over 10 years old even though we are on the latest version. We even have some that are over 15 years old. If a library hasn't been released in X years (where X is your comfort level, mine is X=5), it is probably a dead project and should not be used. Activity Lag = date(now) - date(ideal). As Ahmed states though about lag in general, the big problem with this is in the transitives. How can we remove that 10-year-old library if it is 5 levels deep in our dependency graph? Life is hard.
23 minutes talk and not a single word on how to actually use this thing!!
Currently I've been attempting to do this as our code base is built in a disconnected environment (air gapped) before release. Unfortunately the documentation for how to actually do this is really spotty and I've been unable to actually do it.
Hi, how can I get the Python modules installed while building a unikernel image? I want to run a small application using a unikernel, but have to do some pip installs. Can you please provide some input?
Awesome and super excited for Rust and Guix, would like a video on Rust development on Guix using Emacs.
I enjoyed that, thank you.
Great content. The delivery could be improved, such as highlighting the set of supply chain concerns/attacks and then highlighting the features of go mod that prevent this attack. It felt partially like an intro to go mod supplemented with some security aspects.