Dan Lorenc

@lorenc_dan

9,761 Followers · 2,067 Following · 1,145 Media · 13,321 Statuses

OSS Supply Chain Security. Founder/CEO/Primary Ariba Admin at Sigstore:

The Arena
Joined May 2014
Pinned Tweet
@lorenc_dan
Dan Lorenc
10 months
Big week for @chainguard_dev !
@lorenc_dan
Dan Lorenc
1 year
Too soon?
@lorenc_dan
Dan Lorenc
9 months
Your CTO showing the team he can still "get his hands dirty" and debug a production issue.
@lorenc_dan
Dan Lorenc
1 year
I'm so mad about this.
@9to5Google
9to5Google
1 year
Google Domains shutting down, assets sold and being migrated to Squarespace by @technacity
@lorenc_dan
Dan Lorenc
1 year
If you're not rolling your own compiler I don't trust you. Compilers have to be one of the easiest things to implement and they're such a core component to any service. Own your compiler.
@lorenc_dan
Dan Lorenc
5 years
Instead of SemVer, I propose RealVer. It has three parts, referred to as X.Y.Z. X: Name/number marketing decided. Y: Number of releases since leadership decided we needed a refresh and new name. Z: Number of times we screwed up the last release.
@lorenc_dan
Dan Lorenc
3 years
Is there a word for when you make a piece of software that probably isn't really ready for production use, then forget about it, then someone comes along and builds a critical production system on top of it without asking?
@lorenc_dan
Dan Lorenc
2 years
@d_feldman Think bigger! There's gotta be someone that took two FAANG jobs simultaneously and now has two severance packages.
@lorenc_dan
Dan Lorenc
2 years
The core problem is that k8s allows us to treat containers as cattle, but images are still treated as pets. "Mom, I want this new image!" "Who's gonna take care of it?" "Me!" "You're gonna feed it and walk it and scan it for CVEs?" "Uh huh!" "Even when it's raining?" "Sure..."
@lorenc_dan
Dan Lorenc
1 year
Engineer's hierarchy of needs
@lorenc_dan
Dan Lorenc
3 years
Funding OSS is a hot topic today! I got to spend a lot of time over the last two years working on paying OSS maintainers at @Google . We spent a few million dollars and funded some relatively high profile work, in addition to a lot of smaller projects. A 🧵on problems I saw!
@lorenc_dan
Dan Lorenc
2 years
HAVE YOU HEARD OF NIX? ITS A PURELY FUNCTIONAL DECLARATIVE REPRODUCIBLE PACKAGE MANAGER. ALL UPDATES ARE ATOMIC AND YOU JUST HAVE TO LEARN HOW TO OPERATE THE CLI WHICH IS KIND OF LIKE GIT EXCEPT THE HARD PARTS. IT HAS A CUSTOM LISP DIALECT TOO I CANT BELIEVE YOU HAVENT TRIED IT!
@lorenc_dan
Dan Lorenc
3 years
It feels strange to leave a job this fun, but Oct 1 is my last day at Google after 9 years. I'm going to try a startup. OSS/Supply Chain Security has been the most fun I've had. I'll miss Google, but I'm staying in the space so I'm not going too far. Same team, new company!
@lorenc_dan
Dan Lorenc
5 months
I spent a few years at Google and the OSSF literally trying to give money to OSS maintainers, and I can confidently say funding won't fix these problems. We had more money than we could possibly give away. This is not a funding problem, sorry. These takes are wrong and
@lorenc_dan
Dan Lorenc
1 year
The problem with supply chain security in a nutshell.
@lorenc_dan
Dan Lorenc
3 years
Maybe the real generics were the interface{}'s we made along the way.
@lorenc_dan
Dan Lorenc
1 year
Oh wow they just keep getting worse. If you send kill -9 to your database server as a root user it might have reduced availability!!!!
@PostgreSQL
PostgreSQL
1 year
News: CVE-2020-21469 is not a security vulnerability
@lorenc_dan
Dan Lorenc
2 years
Is anyone really sure that @golang actually added generics vs. just putting them in the documentation so people would stop complaining?
@lorenc_dan
Dan Lorenc
9 months
Happy "785 CVEs in the Node.js Image" Sunday Everyone!
@lorenc_dan
Dan Lorenc
2 years
CVE deep dive! Today I'll look at how scanners work rather than a CVE. I'll focus on how they find packages, because that's the first step in looking for CVEs. I'll show a blind spot scanners have with many popular docker images, and how you might be missing a LOT of vulns.
@lorenc_dan
Dan Lorenc
2 years
Today I'm really proud to announce @chainguard_dev 's second product, and our Series A financing. It's not going to be easy to secure these supply chains, but we're going to be here for awhile!
@lorenc_dan
Dan Lorenc
2 years
The worst argument in software ever: "Why did you make a new thing instead of using my existing one?" Friend, the Bell Labs folks already wrote everything in the 1970s. All software today is a poorly written imitation of something Rob Pike and Ken Thompson did 50 years ago.
@lorenc_dan
Dan Lorenc
2 years
Jenkins is the Craigslist of CI/CD tools. Everyone will slap fancier UIs on and target niches, but Jenkins will still be there, looking exactly the same, deploying everything. Including Craigslist, and the Jenkins competitors.
@lorenc_dan
Dan Lorenc
2 years
The strangest thing about Google's two week hiring pause is that they announced it. The hiring process is so long that candidates wouldn't have noticed anyway.
@lorenc_dan
Dan Lorenc
2 years
My pet peeve: people talking about "patching" containers!
@lorenc_dan
Dan Lorenc
10 months
JUST ONE MORE CRD. PLEASE JUST ONE MORE CRD BRO. BRO PLS JUST ONE MORE OPERATOR WE NEED TO BE DECLARATIVE. JUST ONE. ONE MORE. BRO PLS. JUST ONE MORE YAML. TRUST ME JUST ONE MORE AND IT'S DONE. BRO PLEASE JUS-
@lorenc_dan
Dan Lorenc
1 year
A meme a day keeps the auditor away!
@lorenc_dan
Dan Lorenc
5 months
Wow
@lorenc_dan
Dan Lorenc
3 years
Patch your software. The root cause here was running Kubernetes v1.8.4 (released Nov. 2017!!!) and runc 1.0.0-rc2 (released Oct. 2016!!!). Both of these were ***years*** past their security fix EOL.
@justincormack
Justin Cormack
3 years
Cross tenant attack on Azure containers via runc, kubernetes
@lorenc_dan
Dan Lorenc
3 years
Containers... Signed... With yubikeys????? @projectsigstore yubicosign!!! Coming soon to a registry near you!
@lorenc_dan
Dan Lorenc
3 years
All of tech twitter today after the Docker pricing changes:
@lorenc_dan
Dan Lorenc
1 year
@allanfriedman Haha it is, but I'm pretty sure the original is a joke too.
@lorenc_dan
Dan Lorenc
8 months
I fully believe both of these are truths:
* Code review is a good required practice for every software team
* Every great piece of software started with a single, massive code dump written by a single person without code review
@lorenc_dan
Dan Lorenc
2 years
I feel bad for everyone that doesn't believe 10X engineers exist. I've been lucky enough to work with dozens of them in my career. The one thing that sets them all apart is the ability to single-handedly eat two pizzas in one sitting.
@lorenc_dan
Dan Lorenc
2 years
My hobby: running container scanners on containers provided by security vendors. Today's victim, Cloud Workstations (just announced today by Google): When you start the environment, it shows you the URL to the container running all your software!
@lorenc_dan
Dan Lorenc
1 year
I'd like to announce a return to our regularly scheduled meme content.
@lorenc_dan
Dan Lorenc
2 years
Devops is easy? Of course that's your contention. You're a 2nd year compsci student. You just got finished setting up your 1st server, Arch probably. You're gonna be convinced of that until you get to Nix next month. Then you're going to be talking about declarative systems.
@lorenc_dan
Dan Lorenc
2 years
There's not going to be an easy answer here folks.
@lorenc_dan
Dan Lorenc
2 months
I'm not saying this is a supply chain attack, but I will say that the behavior is indistinguishable from what someone trying to perform a supply chain attack in the future would do.
@samgoodwin89
Sam Goodwin
2 months
Possible supply chain attack happening in the web ecosystem right now all under the guise of supporting node 0.4. Does this GitHub action allow ljharb to inject back doors? Replacing setup-node is very suspicious behavior.
@lorenc_dan
Dan Lorenc
11 months
Everyone else: backwards compat is hard. @_rsc: there are 17 edge cases. I invented new technology for 4 of them. We can do 10 more with just hard work and careful automation. I tricked Rob Pike into fixing the final 3. Go's progress in the last 2 years has been jaw dropping.
@lorenc_dan
Dan Lorenc
1 year
Happy Monday to all the YAML engineers out there!
@lorenc_dan
Dan Lorenc
1 year
Am I reading it right that rust is effectively governed by an ad-hoc, private group chat? And this was supposed to be an improvement?
@lorenc_dan
Dan Lorenc
9 months
Startup founder trying to explain their "ARR math" to a VC.
@lorenc_dan
Dan Lorenc
1 year
I really appreciate the support from other founders, all of our amazing investors, and of course the team at @chainguard_dev today as we dealt with the nightmare at SVB.
@lorenc_dan
Dan Lorenc
2 years
In software we like to say we're standing on the shoulders of giants. But they're actually more like treadmills that are stacked on top of each other all moving at different speeds and if you don't keep updating everything you'll get thrown off the back.
@lorenc_dan
Dan Lorenc
3 years
Finally some good news for anyone worried about supply chain security! I've started a new company with some of the best teammates I've ever worked with. We'll be at @KubeCon_ next week if you want to chat!
@chainguard_dev
Chainguard ⛓️
3 years
We are thrilled to announce our new company: Chainguard, Inc. We are just getting started, but if you are interested in improving your software supply chain security, we would love to hear from you!
@lorenc_dan
Dan Lorenc
1 year
Thank you @golang
@lorenc_dan
Dan Lorenc
3 years
🎉🎉🎉 Aaaand we're here! @projectsigstore cosign is officially 1.0! 🎉🎉🎉
@lorenc_dan
Dan Lorenc
3 years
🚨 @projectsigstore cosign 1.0 is one week away! 🚨 Try it out today on any @OCI_ORG compatible registry. This includes support for:
- @Yubico PIV devices
- cloud KMS (@googlecloud, @Azure and @AWS)
- @SPDXTeam / @CycloneDX_Spec SBOMs
- #wasm, and more!
@lorenc_dan
Dan Lorenc
2 years
This is just a guess because no one I know has ever seen it happen
@lorenc_dan
Dan Lorenc
3 years
Really struggling to remember all of those use cases I wanted Go generics for as soon as they became available.
@lorenc_dan
Dan Lorenc
2 years
Big week coming up @chainguard_dev ! Four awesome team members starting tomorrow, we're announcing a product we've been working incredibly hard on, and we're all getting together for a company wide summit!
@lorenc_dan
Dan Lorenc
3 years
It really feels like some kind of dam has broken for @projectsigstore . We've seen RFCs/proposals/prototypes for almost all large language package managers pop up, and the @kubernetesio release integration is underway. 2022 is going to be great for supply chain security!
@lorenc_dan
Dan Lorenc
2 years
It's awesome to see a long-term plan play out! The very first thing we signed was distroless, almost exactly 1 year ago, because it's the start of the k8s supply chain. Today, all of k8s 1.24 is signed w/ @projectsigstore !
@lorenc_dan
Dan Lorenc
9 months
Is it a bad sign if the lead investor for our Series B has a disclaimer that says "all tweets sent under duress" on his twitter profile, and the only tweet he's ever sent is announcing our Series B? Asking for a friend.
@lorenc_dan
Dan Lorenc
3 years
Another reason for why your CI system should be treated like a production system. We don't use bearer tokens/long-lived secrets anywhere else, why is it still ok in CI? Workload identity/ambient credentials have been here for years, it's time to start using them in CI too.
@lorenc_dan
Dan Lorenc
11 months
This go layout guidance is probably the most on-brand thing ever. Provide no real opinions, wait for the community to settle on a few standard patterns, then publish a blog saying they're all wrong and tell everyone what to do instead:
@lorenc_dan
Dan Lorenc
2 years
PSA: this is the week where the US daylight savings time doesn't move, but most of Europe does. Enjoy the calendar confusion during every open source community meeting this week!
@lorenc_dan
Dan Lorenc
2 years
@sama I still think time zones are gonna matter a lot here.
@lorenc_dan
Dan Lorenc
2 years
It doesn't have to be this way!
@lorenc_dan
Dan Lorenc
5 months
@dopplershift We paid someone to focus on adding Rust support to the Linux kernel for several years, and it worked. That's why Rust is now in the kernel. The node.js team was struggling with their vulnerability backlog, so we got them full-time consultants to focus on security while they
@lorenc_dan
Dan Lorenc
1 year
@grhmc It's all lies
@lorenc_dan
Dan Lorenc
6 months
I'm honestly confused, how is it ok for a graduated CNCF project to only ship a release under an enterprise license from a single vendor?
@lorenc_dan
Dan Lorenc
1 year
Today's terrifying finding - a docker image with over a billion pulls that contains a go binary last built with Go 1.16. Scanners can't parse dependency info out of here because it's so old, so they just don't show anything. The dependencies were last updated 2 years ago!
@lorenc_dan
Dan Lorenc
2 years
Another Saturday, another 11 high sev CVEs in the latest Debian images, according to @GrypeProject The noise here and difference between scanners are incredible. How do you actually respond to these? Every scanner shows completely different results.
@lorenc_dan
Dan Lorenc
3 years
Here we go, Rust in the Kernel: Amazing job making this happen @0xjosh @I_S_R_G @ProssimoISRG
@lorenc_dan
Dan Lorenc
11 months
I'm sorry conference organizers.
@lorenc_dan
Dan Lorenc
3 years
After tomorrow, @chainguard_dev will have officially doubled in size from 5 to 10 team members!
@lorenc_dan
Dan Lorenc
2 years
Oh wow, @projectsigstore is coming to Maven Central: "Sigstore is literally designed to solve this problem with elegance and runtime properties that are especially appealing in common Java development and CI environments." Nice work @sonatype !
@lorenc_dan
Dan Lorenc
4 months
I think I figured it out finally - WASM is just Lua for hipsters.
@lorenc_dan
Dan Lorenc
9 months
The state of OSS vulnerability management:
@lorenc_dan
Dan Lorenc
1 year
@ResilientCyber Once I started with artisanal silicon I never went back.
@lorenc_dan
Dan Lorenc
3 years
How it started, how it's going.
@lorenc_dan
Dan Lorenc
1 year
PSA: FedRAMP says that you have to file a POAM for **every** finding from your container scanners.
@lorenc_dan
Dan Lorenc
1 year
Sorry FIPS friends.
@lorenc_dan
Dan Lorenc
2 years
"Let's Encrypt is bad actually, because now attackers can encrypt their websites too" is not a take I expected to hear today.
@lorenc_dan
Dan Lorenc
2 years
Sigstore is awesome, but a common misconception is that it actually solves supply chain security problems by itself. Sigstore just attempts to provide functional, accessible PKI. PKI is a prerequisite for solving the actual problems. Sigstore is really just an enabler.
@lorenc_dan
Dan Lorenc
4 years
Did you know SSH can sign files? And you can look up public keys on GitHub? This post explains a simple PKI already on most computers, that already has public keys for most people on GitHub: Thanks to @damienmiller for implementing this!
@lorenc_dan
Dan Lorenc
2 years
Everyone betting on Kubernetes being replaced is dramatically underestimating the inertia being created by the CKA/CKS/CKAD exams. 70k people registered for the CKA in 2021 alone, almost doubling from 2020. Source:
@lorenc_dan
Dan Lorenc
3 years
Welcome @AWS as an @projectsigstore friend! From @rothgar : "Amazon supports signed container images through ECR and ECR Public registries. We sign many of our officially published container images using cosign such as Karpenter"
@lorenc_dan
Dan Lorenc
3 years
Sigstore: "I can verify this tarball was signed by yourname@youremail.com" Sigstore+TUF: "I can verify this tarball is packageXYZ@v1.2.3 and is the latest version, according to the maintainers of packageXYZ"
@lorenc_dan
Dan Lorenc
1 year
The first version of our @chainguard_dev image for the @googlecloud SDK is available, and the results are kinda staggering. 553MB vs. 2.87GB! 0 CVEs vs. 591! Try it at !
@lorenc_dan
Dan Lorenc
2 years
🚀 Just a few small announcements, including a new Linux (un) distro, the GA of Chainguard Enforce, and the new Chainguard Academy! 🚀
@chainguard_dev
Chainguard ⛓️
2 years
THE WAIT IS OVER⚡️ Introducing... 🐙 Wolfi, the 1st #Linux (un)distro designed w default security measures 🎓 Chainguard Academy, the 1st interactive edu platform dedicated to software security 🪄 Enforce GA
@lorenc_dan
Dan Lorenc
5 months
Trying to get CI working on a new repo.
@lorenc_dan
Dan Lorenc
2 years
It's crazy to see how widespread @projectsigstore has become so quickly.
Fully Supported: @OCI_ORG containers, @golang binaries, @MavenApache java projects, @ThePSF python packages, Git commits!
In Progress: @npmjs packages! @conan_io C++ packages! @rubycentralorg gems!
@lorenc_dan
Dan Lorenc
2 years
This. @dinodaizovi framed it best when he said that most insider risk programs would be better framed as insider protection programs. Employees become less attractive targets for attackers if they don't have complete root access to the entire company.
@IanColdwater
Ian Coldwater 📦💥
2 years
If phishing a single employee can lead to everything in your infrastructure being compromised that easily, that employee is not to blame
@lorenc_dan
Dan Lorenc
2 years
Goats
@lorenc_dan
Dan Lorenc
8 months
The more time I spend learning about how anything else works the more I realize how good @golang actually is.
@lorenc_dan
Dan Lorenc
2 years
Shit, wrong context
@chainguard_dev
Chainguard ⛓️
2 years
Summarize Kubernetes in 3 words or less🍿
@lorenc_dan
Dan Lorenc
5 months
@dopplershift Yeah, the model that was most effective was hiring people full time for 1+ years. But that requires the project to have a long, significant roadmap and the maintainers need to not have other jobs at the same time. It's a tradeoff and these opportunities are more rare than you'd
@lorenc_dan
Dan Lorenc
3 years
The @OCI_ORG recently approved a new annotation to specify the base image that an image was built on. This might seem tiny, but @ImJasonH wrote why this is so useful: If you maintain a container build tool, please set this annotation!
@lorenc_dan
Dan Lorenc
2 years
Wow, the new coverage support in Go 1.20 is going to be amazing: We all test in prod anyway, Go is going to make it even easier to find out how much we do :)
@lorenc_dan
Dan Lorenc
3 years
My relationship with complicated signing formats: