I am a software developer in the Ubuntu Foundations team.
Distroless container images are ultra-small images that only include an application and its runtime dependencies without additional libraries or utilities. They have a smaller footprint and attack surface but require additional effort to identify dependencies and build the distroless image. Chisel is a new tool that automates building distroless containers from Ubuntu. It uses a library of reusable slices - specific file subsets of the Debian packages for creating ultra-small runtime file systems. We will provide an overview of the tool and its configuration, demonstrate the tool in action, and talk about the challenges of building a chiselled image for a complex runtime such as Java.
US Federal agencies purchasing software or hardware that is based on cryptographic algorithms mandate that it be FIPS (Federal Information Processing Standards) 140-2/140-3 certified under the Cryptographic Module Validation Program. While commercial distributions of Linux and the native cryptography modules are FIPS certified, a language runtime like Java faces a unique challenge. The Java Cryptography Architecture lets users configure “cryptography providers”, which are implementations of a well-defined service provider interface for cryptography, for use in their applications. The absence of any such “open-source FIPS provider” under the OpenJDK project has led to fragmentation in the “Java and FIPS” space. Different commercial distributions of Java have adopted unique and proprietary FIPS solutions, leaving no room for collaboration.
In this session, we will walk through the current state of the “Java and FIPS” world, share some of our FIPS plans for Java on Ubuntu, and seek feedback from the audience on what could be good approaches to foster collaboration in this space.