Talk 1: Security of Go Modules and Vulnerability Scanning in GoCenter

Go 1.13 introduced important security features to Go Modules, including a checksumdb. Deep Datta from JFrog will explain how this works and provide info on other tools that keep modules secure. He will review GoCenter’s vulnerability scanning capabilities so developers can check for security issues or known vulnerabilities.

As background, when a developer creates a new module or a new version of an existing module in Go 1.13, a go.sum file included in the module creates a list of SHA-256 hashes that are unique to that module version. That go.sum file is then sent to Google’s official checksum database, where it is stored and used to verify that modules haven’t been tampered with when accessed later by a GOPROXY. This helps keep the integrity of packages intact. In this talk, Deep will go over the behavior of the checksum database, how it protects Go modules, and how the Merkle tree works.
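The hash comparison described above, as an added example that is not part of the event page or of JFrog's or the Go project's code: it computes a go.sum-style `h1:` hash following the scheme of `golang.org/x/mod/sumdb/dirhash` and flags a go.sum entry that disagrees with a trusted record. The `trusted` map stands in for records obtained from the checksum database, and `example.com/mod` and the file contents are constructed placeholders.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// hashH1: SHA-256 over a sorted manifest of "<sha256 hex>  <file name>\n"
// lines, base64-encoded, in the "h1:" form that go.sum records.
func hashH1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		fmt.Fprintf(h, "%x  %s\n", sha256.Sum256(files[n]), n)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// mismatches returns the "module version" keys in go.sum text whose hash
// differs from (or is missing in) the trusted records.
func mismatches(goSum string, trusted map[string]string) []string {
	var bad []string
	for _, line := range strings.Split(goSum, "\n") {
		f := strings.Fields(line)
		if len(f) == 3 && trusted[f[0]+" "+f[1]] != f[2] {
			bad = append(bad, f[0]+" "+f[1])
		}
	}
	return bad
}

func main() {
	// Constructed sample; example.com/mod is a placeholder module.
	files := map[string][]byte{
		"example.com/mod@v1.0.0/go.mod": []byte("module example.com/mod\n"),
		"example.com/mod@v1.0.0/mod.go": []byte("package mod\n"),
	}
	trusted := map[string]string{"example.com/mod v1.0.0": hashH1(files)}
	files["example.com/mod@v1.0.0/mod.go"] = []byte("package mod // tampered\n")
	goSum := "example.com/mod v1.0.0 " + hashH1(files) + "\n"
	fmt.Println("mismatched:", mismatches(goSum, trusted))
}
```

Changing a single byte in any file changes that file's SHA-256 line in the manifest and therefore the final `h1:` value, which is why the one-line comparison is enough to detect a modified module.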

About the Speaker

Deep Datta is a Product Manager with JFrog managing GoCenter, the Central Go Modules Repository. He has a passion for helping people join open source communities and loves encouraging diversity in tech. Before JFrog he helped build and manage open source programs at Indeed and Benetech.org.

Talk 2: DevOps for Developers (or maybe against them?!)

"DevOps" is the operations people’s crafty plan to make developers do other people's work, but we are smart enough to see right through this naive rebranding trick!

Baruch suggests you think about it: we, the developers, have written all the code. It passes all the tests; it obviously works, and works well (Are we a little proud? We are!); so we are DONE.

Now, out of the blue, a bunch of "thought leaders" (all with an operations background, mind you!) are trying to tell us that we have to learn YAML, Docker, Kubernetes and Terraform to deploy our software because suddenly it is our concern?!

In this talk, we'll discuss why developers do or don’t need DevOps. We'll consider arguments made by DevOps visionaries and see whether they hold water. Hopefully, by the end of the talk, we'll understand whether DevOps really helps developers to deploy better code to production more often, or if it is just another scam made up by marketing and evangelists.

This is a fun and provocative talk. I start by claiming that developers have no incentive to do any DevOps and will work my way to explaining why, although there is some truth in that, it doesn't really matter. The business must commit to DevOps, and once the business has committed, everyone has to be on board.

About the Speaker

Baruch Sadogursky (a.k.a JBaruch) is the Head of DevOps Advocacy and a Developer Advocate at JFrog. His passion is speaking about technology. Well, speaking in general, but doing it about technology makes him look smart, and 19 years of hi-tech experience sure helps. When he’s not on stage (or on a plane to get there), he learns about technology, people and how they work, or more precisely, don’t work together.

He is a co-author of the Liquid Software book, a CNCF ambassador and a passionate conference speaker on DevOps, DevSecOps, digital transformation, containers and cloud-native, artifact management and other topics, and is a regular at the industry’s most prestigious events including DockerCon, Devoxx, DevOps Days, OSCON, QCon, JavaOne and many others. You can see some of his talks at jfrog.com/shownotes.
