Post - Mihai Maruseac (@mihaimaruseac)


Mihai Maruseac

@mihaimaruseac

Staff SWE @ Google

California

Supply chain security @ Google OSS Security Team. Previously TensorFlow Security & OSS (@ Google); Haskell+differential privacy+ML @ LeapYear. https://mihai.page

19 Posts

  1. White paper on securing the supply chain of AI-powered applications

    We are happy to publish a (50 pages long) whitepaper on how we're thinking on securing the AI supply chain both internally and for OSS. This is a culmination of nearly a year of thinking about this space, from people working on AI or security, across multiple Google PAs. Given tha
  2. This was supposed to be the 6th year of all green tiles but I missed slightly more than a week of them. Still, it made no difference, it's the 6th year of monotonically increasing number of OSS contributions and I think this matters more than just having all tiles green.
  3. My talk at PackagingCon 2023 (Berlin) got published to YouTube: I recommend watching the entire playlist, and let me know if you're interested more into the ML supply chain. Looking forward to seeing you at the AI/ML working group under OpenSSF and/or on the repository itself.
  4. How do you react to vulnerabilities? Do you wait until a scanner picks it up (O(weeks))? Do you grep SBOMs (assuming you follow the EO)? Why not use GUAC and get answers fast? Both blast radius and an update plan so once the patch drops you can patch. See our blog post
  5. How much of this math (in nice animation) do you know?
  6. For the past month and a score of days I have been working on a single blog post (in my free time, between hikes, Zelda, etc.). Today I can finally publish the gargantuan article and promise that future ones will be shorter. What is it about? Graph databases. I wanted to test thei
  7. You still have the opportunity to be among the first 1000 people to star GUAC on GitHub :)
  8. Do you need a telescope to understand the nebulous cloud of dependencies and supply chain metadata associated with your projects? GUAC is this telescope and now we only need 50 more stars to 1k
  9. What is the impact of the power profiles on a laptop? After some days of experimentation, I now have an answer. You could say I spent days testing a thing instead of reading about it in a few minutes, but the numbers are more interesting.
  10. Analogies, like Taylor series expansions, are useful only on a limited domain around a point. PS: This is also an analogy.
  11. GUAC is now v0.1

    Dependencies, dependencies, dependencies. Each one can bring other dependencies and this makes understanding the software supply chain the same level of difficulty as understanding the universe. We now have a telescope for this: GUAC, a project that has been in development for
  12. Vancouver and OSS NA were so great that last Saturday I broke my GitHub streak. 2050 days in total. It's time I pick a new daily habit :)
  13. Today is the day where you find out where the GUAC is, what it can do for you, and how it can help answer supply chain security questions. If you are at #ossummit ( #ossna ), join us at 3:10pm. We have guac, chips and GUAC.
  14. Slightly more than 100 hours left until the GUAC talk at OSS NA. See you on Friday! Meanwhile, you can look at the repository and star accordingly:
  15. Continuing reading through VDGF. This time: the metric, and the hyperbolic plane and disk.
  16. Finally wrote the post about the limit from Arnold from VDGF:
  17. Announcing OSS NA talk about GUAC

    Join us next Friday at Open Source Summit North America (OSS NA) for a talk about GUAC (Graph for Understanding Artifact Composition) -- the telescope into the software supply chain! We are preparing a beta release for GUAC so the talk will have lots of new features and integr
  18. Posted all my social profiles on a single blog page to prove ownership. Now linking back to that from (most of) all these profiles:
  19. Did I hear correctly that NixOS is 20 years old? Well, here's my article about how it is the perfect distro for me:
