Guest post from Christian Rebischke, Site Reliability Engineer at avency and CNCF GSoC Intern

As in every year, the Cloud Native Computing Foundation (CNCF) has participated in the Google Summer of Code program, where students from all over the world contribute to CNCF’s landscape. I am Christian Rebischke, a 27-year-old Master's student from Germany (TU Clausthal), and I would like to take you with me on my journey through the Google Summer of Code program over the last months.

I have been active on GitHub since 2013, and although I have participated in various projects like the Linux distribution Arch Linux, I have never really contributed a larger amount of code. Most of my contributions were either focused on my own repositories or were smaller fixes or documentation enhancements. When I saw the Google Summer of Code announcements, I hesitated for a long time. I thought I would not be good enough, because I was lacking experience with bigger projects. A few people I met on Internet Relay Chat (IRC) encouraged me to just try it. What could go wrong? Hence I thought I should give it a try. It was maybe my last chance, because I have nearly finished my Master's degree. So I decided to go all-in and applied to three projects.

All of these projects were projects inside the CNCF, because my dream job is a Site Reliability Engineering position. The projects I applied to were Prometheus, Flux and In-Toto. I had worked with Prometheus and I knew a little bit about Flux, but I had not heard much about In-Toto. Actually, I just applied by coincidence. It was suggested to me, again by some friends on IRC. I knew that In-Toto is related to the reproducible builds efforts of Linux distributions, because we at Arch Linux are going through the same process, but I had never really had a closer look at the project. In the end, it turned out that I got accepted for In-Toto. So it happened that I started my journey in the CNCF In-Toto Slack channel in May 2020.

The first tasks I worked on during the community bonding period were getting to know the In-Toto specification and getting used to the main objective of my upcoming internship. The In-Toto project was born as a research project at the New York University Campus at the Secure Systems Lab under Professor Justin Cappos. In-Toto focuses on secure supply chains: the idea is that every step in a software supply chain should be verifiable, starting with signed commits, going over build servers and continuous integration or continuous deployment, to the end user who is unpacking the software. In-Toto achieves this by defining links. These links are files in JSON format that attest which person or machine performed a particular step in a software supply chain. Each link file is signed with a signing key owned by the corresponding developer or, in the case of an automated process, a machine.
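To make the link idea concrete, here is an added Go sketch that is not part of the original post and not the in-toto or in-toto-golang code: it records one step as JSON, signs it with Ed25519, and shows that changing a recorded product hash breaks verification. The `Link` and `SignedLink` types, their fields, and the use of `json.Marshal` as a deterministic encoding are simplifying assumptions, not the in-toto schema.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Link records one supply-chain step (simplified; not the full in-toto schema).
type Link struct {
	Name      string            `json:"name"`
	Command   []string          `json:"command"`
	Materials map[string]string `json:"materials"` // input path -> SHA-256
	Products  map[string]string `json:"products"`  // output path -> SHA-256
}

// SignedLink pairs the link with the signature of whoever performed the step.
type SignedLink struct {
	Signed Link   `json:"signed"`
	KeyID  string `json:"keyid"` // SHA-256 of the signer's public key
	Sig    string `json:"sig"`   // hex Ed25519 signature over the JSON of Signed
}
func digest(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// SignLink signs the JSON of l; encoding/json sorts map keys, so it is deterministic.
func SignLink(l Link, priv ed25519.PrivateKey) SignedLink {
	payload, _ := json.Marshal(l) // cannot fail for this struct
	pub := priv.Public().(ed25519.PublicKey)
	return SignedLink{Signed: l, KeyID: digest(pub), Sig: hex.EncodeToString(ed25519.Sign(priv, payload))}
}

// VerifyLink accepts the link only if it was signed by the expected key.
func VerifyLink(s SignedLink, pub ed25519.PublicKey) bool {
	payload, _ := json.Marshal(s.Signed)
	sig, err := hex.DecodeString(s.Sig)
	return err == nil && s.KeyID == digest(pub) && ed25519.Verify(pub, payload, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed throwaway key
	link := SignLink(Link{Name: "build", Command: []string{"make"},
		Materials: map[string]string{"main.c": digest([]byte("int main(){}"))},
		Products:  map[string]string{"app": digest([]byte("constructed binary"))},
	}, priv)
	fmt.Println("untampered:", VerifyLink(link, pub))
	link.Signed.Products["app"] = digest([]byte("swapped binary"))
	fmt.Println("tampered:  ", VerifyLink(link, pub))
}
```
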

My task has been to port this functionality from the In-Toto Python implementation to the Go implementation. I started by reading the In-Toto specification, fixing smaller issues in it (mostly spelling issues or inconsistencies between the specification and its implementations), and submitting small pull requests to the Go implementation. The pull requests were mostly related to cleaning up smaller issues found by go-lint and having a look at stalled existing pull requests.

In June 2020 I finally started having a first look at the main objective. Due to my prior work, I had already become more confident with the code base, so I started with bigger adjustments. For communication, we used the CNCF In-Toto Slack channel and GitHub’s comment functionality in issues and pull requests. This worked pretty well for us, even though some of my mentors live in another time zone. The time zone difference has even been a benefit for us, because early on I could talk with my mentor in Europe, and later I could ask my mentors in the US for direct feedback.

This distributed the work equally, and no mentor got too distracted from their own objectives. We spent some great time hacking together on the pull request. The feedback has always been on point and I really enjoyed working with the community. I think I have never been part of such a professional and friendly community in my time contributing to open source projects. The final pull request can be found on GitHub.

Moreover, I wrote a blog article about the technical details, challenges, and experience with my mentors on my blog. The blog article was also my final submission for the Google Summer of Code program. I have passed it. My personal highlights of the Google Summer of Code participation at CNCF have been finding a smaller issue in the Go crypto library and attending my first KubeCon. Sadly, KubeCon was online-only due to the Covid-19 outbreak, but I still enjoyed every minute of it, and I even found some other interesting projects to work on in the future, like TUF (The Update Framework). I have already submitted my first pull request to the TUF Go implementation and I plan to keep working on the In-Toto Go implementation. The In-Toto Go implementation has been the project I was always looking for. Finally, a project that unites my personal highlights of open source: an awesome, friendly, and helpful community, a doable challenge that helps me to grow, and a project with a higher purpose. I could not be happier.