November 3, 2019. 6 minutes read

Securely distributing and signing WebAssembly modules using OCI and TUF

Attacks on software repositories happen all the time, and any future WebAssembly repository and client tooling should be prepared to mitigate these attacks. In this article we will explore a minimum security model for WebAssembly registries and client tooling based on The Update Framework, and how to integrate this model when distributing WebAssembly modules using OCI registries.

October 13, 2019. 5 minutes read

Distributing WebAssembly modules using OCI registries

WebAssembly (WASM) is a binary instruction format for a stack-based virtual machine. In familiar terms, WASM is used as a compilation target for various programming languages (C, C++, Rust, or Golang, for example), generating a compact binary with a known format. Mozilla Developer Network describes WebAssembly as having huge implications for the web platform — it provides a way to run code written in multiple languages on the web at near native speed, with client apps running on the web that previously couldn’t have done so.

September 17, 2019. 4 minutes read

Cross platform GitHub Action for downloading, extracting, and adding tools to path

Ever since I started to use GitHub Actions, one of the tasks I copied and pasted the most contained the following steps: download a file or an archive containing a statically compiled tool; extract if it is an archive; copy the target tool to a directory in the path. And after an embarrassing number of tries, my jobs would contain a step that would resemble the following (taken from an actual GitHub Action):

September 5, 2019. 13 minutes read

The state of CNAB: Part 2 - CNAB Registries

In this series, we explore the state of the Cloud Native Application Bundles (CNAB) specifications, and do a deep dive into the distribution of bundles, and security and attestation.

© Radu M 2021