bureado

This is a collection of resources supporting the idea that provable runtime security guarantees for agents can be intrinsically bound to agent identity, perhaps as part of a broader representation of "intent", or in a tiered trust model. TEEs, hypervisor-enforced isolation, hardware roots of trust and several Linux security primitives are instrumental to get there. We curate some of the most promising references to date including applied technologies in agent frameworks, research and risk/mitigation-focused literature on this topic.

Agent runtime security

Risk/mitigation literature that discusses the importance of agent runtime security includes:

• SAFE-MCP
• CoSAI's MCP Security document
• [OWASP Top 10 for Agentic Applications](https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026

bureado

• High level introductions:
  • The three levels of confidential computing | Edgeless Systems
    • Edgeless' entire wiki (as well as the docs for several of their OSS products) are highly recommended for additional reading; you might want to start with Use cases
  • Why Should I Trust Your Code? | annotated by JMP (readwise.io)
  • Common-Terminology-for-Confidential-Computing | annotated by JMP (readwise.io)
  • CCC-A-Technical-Analysis-of-Confidential-Computing-v1.3_unlocked | annotated by JMP (readwise.io)
• Video: Mark Russinovich's [Confidential Computing Elevating Cloud Security and Privacy](https://www.youtube.com/watch?app=desktop&v=H1TWoebepa

bureado

#!/bin/bash

# Also see: https://gist.github.com/bureado/16df777c1f9883ef919a5cc0c30eaba3

case "$1" in
 init)
    # Install dependencies
    sudo apt update && sudo apt install jq auditd -y
    # Start auditd
    sudo systemctl start auditd.service

bureado

#!/bin/sh

# Video: https://www.youtube.com/watch?v=Rv4ZlbMb1pE&list=PL9GzfK3UKP1vOcUkp3ayByoBY2pT641YN&index=3

# Usage: ./hash-to-buildinfo.sh <.deb package>
# Works with deb packages obtained from a Debian archive
# Assumes rekor CLI is in ./

# This all exists because https://unix.stackexchange.com/a/612931
# https://unix.stackexchange.com/a/673157

bureado

#!/bin/sh

# See: https://hackmd.io/@aeva/draft-gitbom-spec
# Also see: https://gist.github.com/bureado/0e4b53e90ac1263b7c5ed908dbe2cb50

# Today I would look at witness, tracee, and many others.

# TODO: make sure $BUILDDIR is a --git-dir
BUILDDIR=$1
TIMEOUT=5

bureado

Conceptual SBOM model for an APT-based Linux distribution

This is a draft of an entirely exploratory learning exercise to generate SBOMs from first principles that can accompany an APT-based Linux distribution, which in this context is either a disk or a container image obtained from any source including runtime instances, packaged images, debootstraps, etc. Input and comments welcome: Twitter and also on the CNCF, CycloneDX, CDF, Sigstore and other Slacks.

Status

Here's the current version of the output (SPDX) which features:

• Identifying information for the primary component (at this time, the debian:latest container image)
• purl identifiers for each binary package in the image

bureado

Here's a list of DebConf20 sessions I'm looking forward to. Make sure you check out the Streams, video archive or, eventually, YouTube!

• how to use 'apt-repos' to inspect multiple apt repositories
• DUE - A container manager for building things that aren't Debianized (and things that are).
• Building Linux distributions for fun and profit
• What comes after Open Source?
• [What's new in the Linux kernel (and what's missing in Debian)](https://debconf20.

bureado

What I'll be tracking at FOSDEM 2020

Saturday

• Containers and security main track from 14h thru 17h50 in K.1.105 (La Fontaine) particularly 14h-14h50 and 17h-17h50
• Containers devroom from 10h30 through 1900 in UD2.208 (Decroly) particularly:
  • FOSDEM 2020 - Lazy distribution of container images 10h55
  • FOSDEM 2020 - Supervising and emulating syscalls 13h20
  • Maybe FOSDEM 2020 - Below Kubernetes: Demystifying container runtimes
• FOSDEM 2020 - Linux memory management at scale 14h10

bureado

The Apache Way

Adapted from Briefing: The Apache Way

The Apache Way is not One Way. Every Apache project is unique and every member describes their experience with their own words. But here are some attributes that everyone in Apache embraces.

People

Apache is made of people, not organizations. Contributions are voluntary and all votes weigh the same. A strong community can always make good code better.

bureado

Tips & tricks para contribuir a #kubernetes-docs-es

¿Por dónde empiezo?

Este documento no sustituye los lineamientos de estilo y procedimientos formales del proyecto. Te sugerimos las siguientes lecturas previas:

• Primero, lee el README. Está en castellano y cubre la mayor parte de las preguntas frecuentes.
• También puedes leer la Guía de Estilo (en inglés) de Kubernetes, y la que corresponde a community
• Dale un vistazo a las slides de KubeCon EU y la charla en YouTube