Dan Lorenc’s Post


Software Supply Chain Security

As we approach the year end, I thought I’d do a hot takes for 2025 thread! Let’s start with the things I’m bullish on.

I’m betting on huge progress on Rust in the kernel. This has been years unfolding, and in 2024 it reached mainline and drivers are now getting built in Rust. This is going to explode and more parts are going to be written in Rust for memory-safety, performance, and familiarity for a new wave of kernel devs.

I’m also excited for two other new tools that are two letters each - jj and uv. jj is a new source code management system that has somehow managed to perfectly thread the needle by being git-compatible and interoperable while also presenting a new, and IMO, much more sane model for working with branches and diffs. Don’t get me wrong - git is amazing, but it still presents an incredibly high learning curve full of pitfalls for users that don’t need to know about DAGs and merkle trees and dirty states. I think jj will reach double digit percentage of git usage in 2025.

uv is a new Python package and project manager that unifies all the best parts of all of the existing tools. It manages virtualenvs, packages, tools, and even Python itself. Python package management has been an ever-changing nightmare of tools that conflict with other tools since I first started programming 15+ years ago, and uv is the first exciting, modern replacement for all of these that I’ve seen. It’s already grown to ridiculous usage since it was first released; I’m betting on 40% adoption next year.

Time for the things I’m bearish on. If you follow me already, these won’t be new. First, still no SBOMs. Sorry. They’re regulatory-driven in the worst way possible and a checkbox requirement at best that adds no value to vuln management. I hope the new administration focuses on things that matter and really move the needle across their policy agenda in cyber. They’re not going to happen.

Also, no Fair Source. Some companies might try it as they move away from OSS or realize those licenses were never right for them, but we’re not going to see a meaningful community form around it or any large projects that matter start with it from day 1.

Finally, no server-side WASM. It might continue to see adoption in the extensibility/plugin space, but we’re not going to see people switch away from containers or serverless for it. The WASI P1/P2 nonsense and component model mess are overengineered, design-by-committee standards that don’t help real world use cases, and the Bytecode Alliance shenanigans took all the wind out of the community before it could reach critical mass.

A few other random predictions: Another xz utils but worse. We all got very lucky here and this probably wasn’t the first attempt and definitely won’t be the last. Nothing will change in OSS sustainability, OSS is fine and will still be fine. People will still whine when companies use free software to make money. And of course, 2025 will be a big year for Chainguard!

Ofir Cohen

CTO of Container Security @ Wiz

3d

I tend to agree with WASM for servers, it is not a panacea and is not suited for any type of workload. I get overwhelmed and confused by the marketing and buzz around that. Solomon Hykes recently said that to change Docker / containers you’d have to change Linux and I don’t see that happening in the near future. Istio had the most aggressive marketing I’ve seen in CNCF and k8s but it does solve a real challenge. Compliance being number one probably (hey, you wanna sell to those DoD and fed now, don’t you? Or perhaps you do find real value in mTLS?), container networking security second, and traffic shaping, e.g. metrics-driven canary rollouts and progressive delivery, third.

You would elevate to legendary status if you could convince the DoD that software bill of materials (SBOMs) are no longer a good approach to either vulnerability management or Authority to Operate (ATO) requirements gathering as part of the risk management framework (RMF). Great post.

Liam McConnell

BDR @ Chainguard | Container & Software Supply Chain Security

3d

Have to agree with the xz utils bit for sure, unfortunately. Only a matter of time...

Chris H.

CEO @ Aquia | Chief Security Advisor @ Endor Labs | 2x Author | Veteran | Advisor

3d

I endorse this message. I suspect we will see a much lighter approach in terms of regulatory driven cyber requirements (for better or worse).

Luke Hinds

Co-founder and CTO at Stacklok

3d

You guys killed it in 2024. Inspirational. Let's hope for a 2025 of more up and to the right. I am with you on WASM, I was very bullish in 22/3, but the POSIX capability is long off where it needs to be. Going to check out uv, been on poetry for a while, but uv sounds like substantially more. jj too. Happy holidays!

🐙to the 🌖

Ofir Cohen

CTO of Container Security @ Wiz

3d

I’m glad to see non-AI predictions on my feed. I think what Go got right from the go get is the source-first module proxy approach. Dagger is following suit, somewhat repenting for the Docker sins. However, the context in Python is different. Go is primarily used for backend, (distributed) systems programming, web servers and CLIs, whereas Python is used (amongst other things) in ML, AI, DS and has dependencies on numpy and CUDA and system-level dependencies, hence conda, so the ecosystem is challenging. I still haven’t wrapped my head around venvs/virtualenvs, and the recent Python3 upgrades on Mac require more typing to do simple stuff like installing packages (the long cryptic message). An unopinionated language took a very opinionated and frustrating decision for super simple stuff.

Hugo Pinheiro

Building frameworks using open source that enable people and teams to work efficiently @ NinjaCat | SRE - Fully remote

3d

Agree, although wasm does enable some cool things to run on the browser like https://supabase.com/blog/postgres-new. Devs/ops are also getting a bit frustrated with how expensive cloud providers are becoming, so I can see something like https://linuxcontainers.org/incus/ and https://www.cloudhypervisor.org/ becoming more popular on-prem, especially with the big VMware migration that's happening.

Julian Dunn

Product management leader, investor, advisor

3d

Thanks for the pointer to jj. I’ve been waiting years for something to come along and succeed git, or at least fix all the sharp edges in it.

Joel Krooswyk

Federal CTO @ GitLab | DevSecOps and AI Thought Leadership

3d

Totally agree with you on the Rust uptake. It continues to surge in adoption from kernel to Chromium to Windows…
