Announcing the CDF Security SIG

By Blog, Staff

By Kay Williams

Security SIG Chair

10/4/2019

Hey everyone, I am excited to announce the formation of the Security SIG – the CD Foundation’s first Special Interest Group (SIG)! The Security SIG began as a lightning talk at the first CD Summit in Barcelona this past May, and progressed to a formal proposal in August. In September it was adopted by the Technical Operating Committee (TOC).

The charter for the Security SIG is to provide a neutral home for discussion around designs, specifications, code and processes to enable security across the software supply chain. Topics of interest include the following:

  • Observability – enabling actions performed while writing code, compiling, testing, and distributing software to be manifest and verifiable.
  • Policy – enabling consumers of software to specify and implement policy over consumed software.
  • Inventory – enabling administrators to inventory and audit software used within their organizations.
  • Runtime Security – enabling detection and prevention of software tampering at runtime.
  • Vulnerability Communication – providing mechanisms for breaches in the integrity of software to be communicated and remediated.
  • Vulnerability Recovery – providing mechanisms for consumers to recover from compromised or untrusted software.

Membership in the Security SIG is open to the public. Here are some details:

Communication

Meetings

All are welcome to join the mailing list and attend meetings. We look forward to building a more secure future together!

Sincerely,

Kay

CDF Openness Guidelines

By Blog, Staff

CDF is an open source technical community where technical project collaboration, discussions, and decision-making should be open and transparent. Please see our CDF TOC principles for more background on CDF values.

Design, discussions, and decision-making around technical topics of CDF projects should occur in public view, such as via GitHub issues and pull requests, public docs, public mailing lists, conference calls at which anyone may participate (and which are normally published afterward on YouTube), and in-person meetings and events. This includes all SIGs, working groups, and other forums where portions of the community meet.

This is particularly important in light of the Linux Foundation’s Statement on the Huawei Entity List Ruling. (Note that CDF is part of the Linux Foundation.) Our technical community operates openly and in public which affords us exceptions to regulations other closed organizations may have to address differently. This open, public technical collaboration is also critical to our community’s success as we navigate competitive and shifting industry dynamics. Openness is particularly important in any discussions involving encryption since encryption technologies can be subject to Export Administration Regulations.

If you have questions or concerns about these guidelines, I encourage you to discuss them with your company’s legal counsel and/or to email info@cd.foundation.

Thank you.

Jenkins X joins the CDF

By James Strachan, Co-founder of Jenkins X and Distinguished Engineer, CloudBees

This is a contributed blog from the co-founder of Jenkins X on the project becoming a part of CDF. Originally published on the Jenkins X Blog.

We are thrilled to announce that Jenkins X will be joining the Continuous Delivery Foundation as one of the founding projects. The Continuous Delivery Foundation (CDF) is a brand new sub-foundation of the Linux Foundation and will be dedicated to advancing the practice of continuous delivery and nurturing an ecosystem of interoperable tools for software delivery.

Jenkins X is just over a year old but has been growing rapidly as the CI/CD solution for modern cloud applications on Kubernetes. Jenkins X automates CI+CD for Kubernetes using the best of breed OSS tools such as Jenkins, Tekton, Prow, Skaffold, Kaniko and Helm. The CDF will be a sibling foundation to the Cloud Native Computing Foundation (CNCF) which hosts Kubernetes amongst others. CDF will have its first event, CDF Summit, on May 20th alongside KubeCon Barcelona. We always love to work closely with other communities, and this will continue at scale within the CDF.

“I’m really excited to see the formation of the CDF – it’s starting with some of the most popular best-of-breed open source tools in the CI/CD space,” said James Strachan, co-founder of Jenkins X and distinguished engineer, CloudBees. “I’m looking forward to increased collaboration between us all to help accelerate the open source CI/CD landscape.”

Jenkins X started life under the Jenkins umbrella. In CDF, Jenkins X will be a distinct project from Jenkins which means some changes, such as having a Jenkins X Technical Steering Committee. These changes will happen gradually as we transition to CDF over the coming weeks. Normal development work will continue as usual.

We are excited about all the new possibilities that being part of the CDF will bring. We look forward to new initiatives and welcoming everybody to get involved with the project.

Jenkins is Joining the Continuous Delivery Foundation

By Kohsuke Kawaguchi, Creator of Jenkins and CTO at CloudBees

This is a contributed blog from the creator of Jenkins on the project becoming part of CDF. Originally published on the Jenkins Blog.

Linux Foundation, along with CloudBees, Google, and a number of other companies, today launched a new open source software foundation called Continuous Delivery Foundation (CDF). The CDF believes in the power of continuous delivery, and it aims to foster and sustain the ecosystem of open-source, vendor neutral projects.

Jenkins contributors have decided that our project should join this new foundation. This discussion happened over the time span of years, actually, but a relatively succinct summary of the motivations is here.

Now, as a user, what does this mean?

  • First, there will be no big disruption/discontinuity. The same people are still here, no URL is changing, releases will come out like they’ve always been. We make the decisions the same way we’ve been making, and pull requests land the same way. Changes will happen continuously over the period of time.
  • This is yet another testament to the maturity and the importance of the Jenkins project in this space. With a quarter million Jenkins running around the globe, it’s truly rocking the world of software development from IoT to games, cloud native webapps to machine learning projects. It makes Jenkins such an obvious, safe choice for anyone seeking open heterogeneous DevOps strategy.
  • The CDF creates a level playing field that is well-understood to organized contributors, which translates into more contributors, which results in a better Jenkins, faster. Over the past years, the Jenkins project has been steadily growing more structures that provide this clarity, and this is the newest step on this trajectory.
  • Any serious dev teams are combining multiple tools and services to cover the whole software development spectrum. A lot of work gets reinvented in those teams to integrate those tools together. Jenkins will be working more closely with other projects under the umbrella of the CDF, which should result in better aligned software with less overlap.
  • Our users are practitioners trying to improve the software development process in their organizations. They get that CI/CD/automation unlocks the productivity that their organizations need, but that’s not always obvious to their organizations as a whole. So our users often struggle to get the necessary support. The CDF will advocate for the practice of Continuous Delivery, and because it’s not coming from a vendor or a project, it will reach the people who can lend that support.

So I hope you can see why we are so excited about this!

In fact, for us, this is an idea that we’ve been cooking for close to two years. I don’t think I’m exaggerating much to say the whole idea of the CDF started from the Jenkins project.

A lot of people have done a lot of work behind the scenes to make this happen. But a few people played such instrumental roles that I have to personally thank them. Chris Aniszczyk for his patience and persistence, Tyler Croy for cooking and evolving the idea, and Tracy Miranda for making an idea into a reality.

Spinnaker Sets Sail to the Continuous Delivery Foundation

By Andy Glover, Director of Delivery Engineering at Netflix

This is a contributed blog from our Premier founding member Netflix on the donation of Spinnaker to CDF. Originally posted on the Netflix Technology Blog.

Since releasing Spinnaker to the open source community in 2015, the platform has flourished with the addition of new cloud providers, triggers, pipeline stages, and much more. A myriad new features, improvements, and innovations have been added by an ever growing, actively engaged community. Each new innovation has been a step towards an even better Continuous Delivery platform that facilitates rapid, reliable, safe delivery of flexible assets to pluggable deployment targets.

Over the last year, Netflix has improved overall management of Spinnaker by enhancing community engagement and transparency. At the Spinnaker Summit in 2018, we announced that we had adopted a formalized project governance plan with Google. Moreover, we also realized that we’ll need to share the responsibility of Spinnaker’s direction as well as yield a level of long-term strategic influence over the project so as to maintain a healthy, engaged community. This means enabling more parties outside of Netflix and Google to have a say in the direction and implementation of Spinnaker.

A strong, healthy, committed community benefits everyone; however, open source projects rarely reach this critical mass. It’s clear Spinnaker has reached this special stage in its evolution; accordingly, we are thrilled to announce two exciting developments.

First, Netflix and Google are jointly donating Spinnaker to the newly created Continuous Delivery Foundation (or CDF), which is part of the Linux Foundation. The CDF is a neutral organization that will grow and sustain an open continuous delivery ecosystem, much like the Cloud Native Computing Foundation (or CNCF) has done for the cloud native computing ecosystem. The initial set of projects to be donated to the CDF are Jenkins, Jenkins X, Spinnaker, and Tekton. Second, Netflix is joining as a founding member of the CDF. Continuous Delivery powers innovation at Netflix and working with other leading practitioners to promote Continuous Delivery through specifications is an exciting opportunity to join forces and bring the benefits of rapid, reliable, and safe delivery to an even larger community.

Spinnaker’s success is in large part due to the amazing community of companies and people that use it and contribute to it. Donating Spinnaker to the CDF will strengthen this community. This move will encourage contributions and investments from additional companies who are undoubtedly waiting on the sidelines. Opening the doors to new companies increases the innovations we’ll see in Spinnaker, which benefits everyone.

Donating Spinnaker to the CDF doesn’t change Netflix’s commitment to Spinnaker, and what’s more, current users of Spinnaker are unaffected by this change. Spinnaker’s previously defined governance policy remains in place. Over time, new stakeholders will emerge and play a larger, more formal role in shaping Spinnaker’s future. The prospects of an even healthier and more engaged community focused on Spinnaker and the manifold benefits of Continuous Delivery are tremendously exciting and we’re looking forward to seeing it continue to flourish.

Introducing the Continuous Delivery Foundation, the new home for Tekton, Jenkins, Jenkins X and Spinnaker

By Dan Lorenc and Kim Lewandowski, DevOps at Google Cloud

This is a contributed blog from our Premier founding member Google on the donation of Tekton and Spinnaker to CDF. Originally published on the Google Open Source Blog.

We’re excited to announce that Google is a founding member of the newly formed Continuous Delivery Foundation (CDF). Continuous delivery (CD) is a critical part of modern software development and DevOps practices, and we’re excited to collaborate in a vendor-neutral foundation with other industry leaders.

We’re also thrilled to announce the contribution of two projects as part of our membership: Tekton, and in collaboration with Netflix, Spinnaker. These donations will enter alongside Jenkins and Jenkins X, providing an exciting portfolio of projects for the CDF to expand upon.

Continuous Delivery Foundation

Currently, the continuous integration/continuous delivery (CI/CD) tool landscape is highly fragmented. As companies migrate to the cloud and modernize their infrastructure, tooling decisions become increasingly complicated and difficult. DevOps practitioners constantly seek guidance on software delivery best practices and how to secure their software supply chains but gathering this information can be difficult. Enter the CDF.

The CDF is about more than just code. Modern application development brings new challenges around security and compliance. This foundation will work to define the practices and guidelines that, together with tooling, will help application developers everywhere deliver better and more secure software at speed.

At a foundation level, the CDF will help make CI/CD tooling easier. And at a project level, Tekton helps address complexity problems at their core. We will team up with the open source community and industry leaders to design and build the critical pieces common to CI/CD systems.

Tekton

Tekton is a set of shared, open source components for building CI/CD systems. It provides a flexible, extensible workflow that accommodates deployment to Kubernetes, VMs, bare metal, mobile or even emerging use cases.

The project’s goal is to provide industry specifications for pipelines, workflows, source code access and other primitives. It modernizes the continuous delivery control plane by leveraging all of the built-in scaling, reliability, and extensibility advantages of Kubernetes, and moves software deployment logic there. Tekton was initially built as a part of Knative, but given its stand-alone power, and ability to deploy to a variety of targets, we’ve decided to separate its functionality out into a new project.

Today, Tekton includes primitives for pipeline definition, source code access, artifact management, and test execution. The project roadmap includes adding support for results and event triggering in the coming months. We also plan to work with CI/CD vendors to build out an ecosystem of components that will allow you to use Tekton with existing tools like Jenkins X, Knative and others.

Spinnaker

Spinnaker is an open source, multi-cloud continuous delivery platform originally created by Netflix and jointly led by Netflix and Google. It is typically used in organizations at scale, where DevOps teams support multiple development teams, and has been battle-tested in production by hundreds of teams and in millions of deployments.

Spinnaker is a multi-component system that conceptually aligns with Tekton, and that includes many features important to making continuous delivery reliable, including support for advanced deployment strategies, and Kayenta, an open source canary analysis service.

Given Google’s significant contributions to both Tekton and Spinnaker, we’re very pleased to see them become part of the same foundation. Spinnaker’s large user community has a great deal of experience in the continuous delivery domain, and joining the CDF provides a great opportunity to share that expertise with the broader community.

Next Steps

To learn more about the CDF, listen to this week’s Kubernetes Podcast from Google, where the guest is Tracy Miranda, Director of Open Source Community from our partner CloudBees.

If you’d like to participate in the future of Tekton, Spinnaker, or the CDF, please join us in Barcelona, Spain, on May 20th at the Continuous Delivery Summit ahead of KubeCon/CloudNativeCon EU. If you can’t make it, don’t worry, as there will be many opportunities to get involved and become a part of the community.

We look forward to working with the continuous delivery community on shaping the next wave of CI/CD innovations, alignments, and improvements, no matter where your applications are delivered to.