Signed, Sealed, Delivered I'm yours!
The internet is built on trust. For example, you trust that what you're reading right now is from me, Lewis Denham-Parry, on my laptop somewhere in the world sometime in the past. But how can you trust that? How do you know that this hasn't been tampered with? How can you trust the authenticity of Lewis, and have there been any updates since this was written due to changes in context?
These problems are similar to what we have in software today, from source code to build to release and, ultimately, running in production. What dependencies do we have in our software? What happens when we find a CVE? How do we trust that the build hasn't been tampered with? Or, as we like to call it, Supply Chain Security.
This talk will bring you up to speed with recommended best practices to build trust today that others can build on in the future. We'll look at technologies around Sigstore to help build trust, the SLSA framework to articulate best practices, and case studies to see where this could have helped others in the past and who is using it today.
This talk is aimed at people who have trusted others and want to make it easier for others to trust them.
Lewis Denham-Parry
Staff Solutions Architect @ Edera
Cardiff, United Kingdom