Episode 397: Software Bill of Materials with Workbrew
Interviewed by Mac Admins Podcast
The team at Workbrew has been focused on getting into full production, and they’ve gotten a huge head of steam going in 2024. They’re with us today to talk about SBOMs.
Show transcript
- 0:00 This week's episode of the Mac Admins Podcast is brought to you by Kandji.
- 0:04 Imagine an AI assistant that speaks your language and knows your Apple fleet inside and out.
- 0:12 Meet Kai, Kandji's groundbreaking AI assistant for device management.
- 0:17 It can give you insights on the state of your devices in Kandji in response to conversational questions.
- 0:23 You can ask Kai anything, which devices don't have FileVault enabled, or how many iPad devices have been updated to iOS 18.
- 0:33 You will get immediate answers and custom reports built for you whenever you need it.
- 0:37 Kai empowers every team member in IT with analyst-led insights, freeing you from more creative and strategic work.
- 0:46 You can request an invitation to experience Kai at kandji.io forward slash Kai.
- 0:53 That's K-A-N-D-J-I dot I-O forward slash K-A-I.
- 1:00 Thanks again to Kandji for sponsoring this episode of the Mac Admins Podcast.
- 1:04 Hello and welcome to the Mac Admins Podcast.
- 1:16 I'm your host, Tom Bridge.
- 1:17 And Marcus, is it snowing where you are or is that just me?
- 1:20 It's definitely just you.
- 1:22 It is most definitely not snowing.
- 1:24 I am wearing shorts, which doesn't happen very often.
- 1:27 Oh, you lucky, lucky, lucky man.
- 1:29 I don't know.
- 1:30 It is freezing here.
- 1:31 I may be lucky that people who are seeing my knees, not so lucky.
- 1:33 Well, fair.
- 1:36 Small price to pay.
- 1:37 So what's it like where you are, Tom?
- 1:38 Well, so I'm up in the mountains of West Virginia.
- 1:42 And the state motto here is, of course, wild and wonderful.
- 1:46 And I will agree with the wonderful part.
- 1:48 Maybe the wild part.
- 1:49 Okay.
- 1:50 Maybe a little bit less.
- 1:51 We've gotten about six inches of snow, which I understand doing the metric math is like 15 centimeters.
- 1:55 Does that sound close to right?
- 1:58 It's a fair amount of snow-ish.
- 2:00 It's more snow than I have.
- 2:02 And yeah.
- 2:03 And so I was going to say, it has caused me to still be here.
- 2:07 We'd intended to leave this morning and go home.
- 2:10 And I'd be recording this from the studio.
- 2:12 But with the snow coming and the snow coming a lot, I was going to say, we've gotten that six inches of snow in the last three hours.
- 2:20 Roads being what they are, we decided to stay up in the mountains another day.
- 2:24 So I was going to say, the conditions for sledding are incredible.
- 2:28 I even attempted skiing and didn't die, for which I think a lot of people are both, one, surprised, and two, a little grateful.
- 2:39 But I was going to say, it's the winter holiday season here.
- 2:42 We're having a blast.
- 2:43 Awesome.
- 2:44 Well, I'm just trying to think of a segue to go from skiing and snow into software bill of materials.
- 2:52 And I think that's about as good a segue as I can do.
- 2:57 I think we have done that as about as good a segue as we can come.
- 3:00 So we've got two incredible guests this week.
- 3:03 Our friends from Workbrew are back.
- 3:04 John Britton, Mike McQuaid, welcome back to the Mac Admins Podcast.
- 3:08 Thanks for having us.
- 3:09 Thanks.
- 3:10 And so it's been a little while since we talked.
- 3:13 We talked last in March of 2024.
- 3:15 How have things been going for Workbrew?
- 3:17 You guys have really made a splash over the last year.
- 3:19 Yeah.
- 3:20 I mean, we've been incredibly busy, hard at work.
- 3:23 Kind of the biggest news that we have is a couple of months ago, back in November, we launched Workbrew 1.0.
- 3:29 We have a slew of new features, including a free plan for unlimited devices and unlimited features, which gives Mac admins the easiest way possible to deploy brew to every device in their fleet and get full visibility into all of the packages that are installed.
- 3:43 And, you know, today's topic, SBOM, software bill of materials, knowing what's installed on your devices is pretty important.
- 3:50 So we're really excited about that.
- 3:52 The other big announcement that we made back in November was our seed funding.
- 3:57 So we raised $5 million in seed funding.
- 3:59 And just last week, we completed our SOC 2 Type 1 certification.
- 4:04 So we're, you know, coming along really well.
- 4:07 The team is growing.
- 4:08 So that would have been easy, straightforward, I'm guessing.
- 4:13 Everything I know about SOC 2 compliance, it's just a walk in the park.
- 4:16 I'd actually let Mike comment on that.
- 4:19 Yeah.
- 4:20 I'm the one who did most of the legwork on that.
- 4:24 It was, you know what?
- 4:26 It was not as bad as I was expecting it to be, put it that way.
- 4:29 And I felt like I learned some things through the process.
- 4:33 So there we go.
- 4:34 That's the, yeah, I guess.
- 4:36 Congratulations.
- 4:37 Yeah.
- 4:39 And last time that we spoke with you all back in March, we were kind of in a position of private beta.
- 4:44 We were working with early customers that were just really trying to get feedback about how they're using brew and what kind of help they needed.
- 4:51 And we've really kind of gotten to a rhythm with our customers and found that, you know,
- 4:55 there is a problem here.
- 4:57 We kind of understand it pretty well and we're able to give people solutions that they're looking for.
- 5:01 So that feels really good.
- 5:02 You know, when we were talking last time, it was still kind of a nascent idea of like, what exactly is this thing?
- 5:09 What are people trying to do?
- 5:10 So that's been really great as well.
- 5:13 I don't know if Mike, you want to share anything about some of the developments on the product side, you know, stuff that's new, but, you know, that's kind of where we're at now.
- 5:21 I mean, on the product side, we're basically just continue.
- 5:24 The nice thing about being a small company with a small but very effective team is we ship features very, very quickly, which is very nice.
- 5:33 It's nice to be able to be so responsive.
- 5:35 I guess it's this nice, what do you call it, mutual cycle in software development as we've got more customers and people getting interested in people using it, like the product gets better.
- 5:45 We listen to feedback.
- 5:46 We fix things.
- 5:47 We improve things.
- 5:48 There you go.
- 5:49 So, yeah, I guess at the higher level, we're just essentially like exposing more of the parts of kind of working with Homebrew that people maybe aren't aware of.
- 5:57 Like there's these things called Brewfiles that we kind of essentially it's a way of kind of dealing with Homebrew in a more declarative fashion where instead of saying brew install this, brew update this, whatever, you can say, okay, here's the state I want to be in and then let Homebrew figure out how to do that.
- 6:14 So, we found that's been quite a nice match.
- 6:16 We call that kind of default packages.
- 6:18 So, you can go and assign, okay, these particular machines, I want to have these packages installed and these services upgraded and commands run and stuff like that.
- 6:27 So, that's been kind of one of our bigger features that's been released more recently on the Workbrew side.
- 6:31 And, yeah, on the Homebrew side, it's the normal kind of we've had since we were last on the podcast.
- 6:37 We've got macOS Sequoia.
- 6:39 I'm sure you folks have talked all about that.
- 6:41 So, yeah, so not too bad on the Homebrew side.
- 6:44 Getting a few bits and pieces working there.
- 6:46 There was some usual Apple fun on the Workbrew side where some documented stuff.
- 6:53 I'm sure a bunch of listeners to this dealt with this as well where they had a UID range that was supported for creating groups.
- 7:00 And then in Sequoia, they changed the range and some commands output the old range and some output the new range.
- 7:07 And, yeah, that was a lot of fun getting that all smoothed over.
- 7:12 But, you know, we're in a good place now.
- 7:13 And, yeah, just various security and performance improvements on the Homebrew side as well.
- 7:17 Those are two big focuses there right now.
- 7:19 My son's Scout troop would refer to that as type 2 fun.
- 7:24 You know, not the easy, you know, enjoyable type, but the type that is fun in retrospect.
- 7:29 You know, the other thing that I think would be really super interesting to hear is that, you know, the last time we talked, you guys were both new to the Mac admins community.
- 7:42 You've had a really busy year this year.
- 7:44 I think we ran into each other at Penn State.
- 7:47 You know, I heard you were at Mac DevOps.
- 7:50 How has it gone being part of the community over the last year?
- 7:53 So I have a long background working in kind of developer communities, mostly on API-focused products.
- 8:00 And I've been in this position before of being kind of the new entrant into an established community.
- 8:05 And I have to say that the Mac admins community is outstanding in its level of being welcoming and kind of the infrastructure that you all have built.
- 8:14 Just having the foundation is very, like, so helpful.
- 8:18 There's that Mac admins Slack channel.
- 8:20 You know, our kind of entrance into this community was last March when we joined the Mac admins podcast.
- 8:25 And every single one of those events that I've been to, I've had dozens of people come up to me and just say, hey, we heard about you on the Mac admins podcast.
- 8:32 It was really great, you know, to have that interview and to chat.
- 8:35 And I just can't say thank you enough to, you know, all of the individuals in the community, but also all of the organizers and the people behind kind of the foundation that make this community thrive, you know, so well.
- 8:47 You know, as you mentioned, I was at Mac DevOps Vancouver.
- 8:51 I was at PSU.
- 8:52 I was at JNUC.
- 8:53 And the other thing that I came to conclude is that there are so many great events that it's actually impossible to be at them all.
- 9:00 You know, some of them are happening at the same times on the other side of the world from each other.
- 9:03 And so, yeah, we're really enthusiastic about being part of the community and participating in any way we can.
- 9:08 And it's been outstanding.
- 9:11 The thing I found sort of fascinating and very enjoyable as well is, I guess, like John, being in a bunch of communities over the years, then the really nice thing about the Mac admins community is it seems like it's actually one community rather than, you know, in so many of these ecosystems, it's, you know, you've got the Jamf people over here or the Kandji people over here.
- 9:28 And they don't really talk to each other and they're all using different tools.
- 9:30 And I feel like it's a really nice, like, sign of this community of how much everyone seems to share information across their different parts of the ecosystem.
- 9:40 But it's kind of in one place and one group of people who identify in the same sort of way.
- 9:45 So what you're saying is we need a good schism to sort of separate the community and create tension and all of those sorts of things.
- 9:51 No.
- 9:52 Yes.
- 9:53 I've definitely seen that happen elsewhere.
- 9:56 But when the Mac admin Slack came out, there was a real moment there where people were insisting that IRC was the way to go.
- 10:07 And it looked like there was going to be that fragmentation.
- 10:10 But it's been fantastic to see that pretty much everyone has come along for the ride and stayed, you know, we argue like cats and dogs about everybody's particular opinions and choices.
- 10:24 But I think we're drawn together because we enjoy that arguing rather than thinking that it divides us.
- 10:30 Our love for insisting that we're right and everybody else is wrong is probably what brings us together.
- 10:37 Love to hear it.
- 10:41 So we're here to talk about software bill of materials today.
- 10:46 So do you want to give us a basic primer on what an SBOM is?
- 10:49 I'll take a stab at this.
- 10:51 So, you know, for me, I think that the kind of high level view of what a software bill of materials or an SBOM is, is kind of like, if you use an analogy, the nutrition facts on the food you buy at the grocery.
- 11:04 It's an index key that tells you what comprises the software that you're consuming, producing, distributing, selling, whatever it might be.
- 11:15 And it's really valuable because it gives you, you know, insight to know what exactly the components are.
- 11:23 I mean, you know, we're both from kind of the open source free software, you know, background.
- 11:29 And one of the kind of key benefits of using open source or using, you know, free software is that you can see what's inside.
- 11:37 And it's a fact of life that you can't always see what's inside of all of the software that we consume.
- 11:41 But with SBOMs, we can kind of help to surface some of that stuff so that you have a better way to know what's going on, what comprises it.
- 11:51 On the, like, more technical end, I think there are, you know, there are various different formats and there's different kind of, you know, requirements of what they might entail.
- 12:00 But I think that's a good high level view.
- 12:01 And so, really, it's just a listing of applications or binaries that might be part of those applications.
- 12:07 So, hey, we're using these developer tools.
- 12:10 These developer tools also include things like curl and, you know, an SSL or an SSH config and an SSL config and, you know, a bunch of other different pieces of that that are underlying tools that represent part of that.
- 12:24 Does that seem pretty fair?
- 12:25 I'd say so.
- 12:28 Mike, what do you think on the, you know, depth of SBOMs?
- 12:33 Well, I think the interesting thing with SBOMs is, like, John's done a great explanation already of almost what they are and how they look, you know, as a standard format.
- 12:43 But I guess it's worth thinking as well, like, why, to take a step back, why do they even exist?
- 12:48 Why do we care, right?
- 12:50 And I think the open source example is a nice one to sort of start with, where, you know, if you're thinking of homebrew or a Linux package manager or whatever it may be, you can go and generally find some website or run some tool and be like, okay, this depends on this, depends on this, depends on this.
- 13:05 And you see this nice little chain of, like, all the things that go down in the software, right?
- 13:10 And unless you're actually, like, someone who's packaging software for a living, you might not really care about that list other than why does all this stuff have to be installed every time I want to just install the thing that I want to use.
- 13:21 But it's thinking about, I guess, two big things would be, like, licenses and vulnerabilities.
- 13:27 So on the licensing front, if you're using, like, essentially every company is, at this point nowadays, some amount of open source software, unless you're a hardcore open source licensing nerd, like I proudly am, you know, I'm from an era of open source where everyone cared about these things, maybe a little bit too much.
- 13:48 But it's being aware of, like, okay, am I using MIT license software or BSD license software or GPL software?
- 13:55 Is it GPLv2 or GPLv3?
- 13:57 Because all those things, it may be fine for you to use all of those in your application, but all of them have slightly different requirements on what that means as someone who builds and distributes that application.
- 14:09 So you need to be able to know, okay, what licenses am I using here?
- 14:12 On the vulnerability side, generally, kind of vulnerabilities and versions kind of map one-on-one.
- 14:17 And again, you know, back in the kind of pre-internet era where we're all shipping software on CDs or whatever, it was fine.
- 14:27 You know, you picked a version of a library, you shipped that version, and unless people's houses are starting on fire, that's the version you should ship forever.
- 14:34 Whereas now, you can't do that, right?
- 14:36 You have to be keeping track of all the software, all the versions, all the vulnerabilities, and making, and if there is a vulnerability, being like, okay, what software versions that I have does that affect?
- 14:47 Who do I need to notify?
- 14:48 What do I need to do to change?
- 14:50 What version do I upgrade to?
- 14:51 How do I upgrade to that version?
- 14:52 And all of this stuff.
- 14:53 So basically, there's this kind of, the expression I would use is the software supply chain of this idea of this very large chain of software, all of which is kind of built on each other.
- 15:05 And if you're a company, again, many, maybe even most software companies are building software that is used by other companies that use other software, so your vulnerabilities affect potentially other things up and down in that chain.
- 15:18 So SBOMs are kind of a standardized way of essentially being like, okay, what's in my software?
- 15:22 How can I tell other people what's in my software, and how can they find out?
- 15:26 An efficient way for lawyers and auditors to monetize free open source software, I'm guessing, as well.
- 15:34 I'm glad you raised the, well, because that's the other side of this stuff that is interesting, is that there's been, I can't remember who it was, I'm sure we could put it in the show notes, but there was an open source maintainer who wrote a post last year who said, I believe it was titled something along the lines of I am not your software supply chain, where it's like, hey, well, there's all these requirements and people are saying these are the things that kind of software projects need to do.
- 15:57 But, you know, I do this in my evenings and weekends, and I have no interest in being your supply chain or providing your SBOMs or whatever.
- 16:04 The nice thing is, over in Homebrew and Workbrew land, we have, you know, Homebrew, when you install things, you can get SBOMs for all the software you've installed, we kind of generate that for you.
- 16:15 But then in Homebrew, obviously, sorry, in Workbrew land, like, we are more than happy to provide those levels of guarantees of like, and our tooling and our software exists to let you know, what is running on your machines, what is the software that goes into building the software.
- 16:31 So we are very happy to oblige when others may not be.
- 16:35 Well, and I think this gets into a really interesting part of the questions for how what SBOMs are for, and how organizations need to think about them.
- 16:43 You know, I was going to say, well, I was going to ask the very pointed question, how are organizations using SBOMs?
- 16:49 And it feels like, you know, tracking, you know, the presence of software on your machines has one set of value, which is, you know, tremendous for a lot of organizations.
- 17:00 But are there other utilizations that are super important for us to think about as we look at SBOMs generally?
- 17:06 I think they've, they've essentially filled this hole as being a nice data interchange format, where because we have a standard way of defining this stuff, it basically provides people, I guess, Marcus mentioned kind of auditors, like, I think we're still in relatively early days of SBOMs, where I think the main thing they're being used for is this kind of idea of
- 17:29 tracking, okay, what has gone into making this software that I have here.
- 17:34 But over time, I would not be surprised if we're seeing more and more tools that essentially are using SBOMs primarily as their kind of import and output format, so that we can have a standardized way of saying, hey, what is the software I'm using and not using and all that type of thing.
- 17:49 Because, so at GitHub, I worked a while ago at a thing called GitHub Enterprise, and they, as they went through their own compliance processes and stuff like that, they realized,
- 17:59 hey, we need to provide an SBOM for GitHub Enterprise.
- 18:02 And the nice thing about stuff like that is it's like a lot of these tools, day one, pretty much at Workbrew, I was, I installed all the same tooling that GitHub used.
- 18:13 And then when we kind of went to raise financing and we had people who were coming and saying, hey, can you tell us what software you're using?
- 18:20 Hey, we know this is probably going to take you a few weeks to give us the exact versions and everything like that.
- 18:25 So no, no, I can do that for you in like two minutes, right?
- 18:28 So that's the other side of this stuff, is it's one of the things, like many other areas of tech, where it's unfortunately going to become an additional requirement of how we build software.
- 18:38 It's just getting this stuff sorted.
- 18:40 And it's much easier if you get that stuff sorted earlier in the software development process, rather than later being like, oh, I have a thousand libraries, and I'm going to have to figure out a way to track them all and handle them all.
- 18:52 Just for like an example of real world use case, you know, I talked to a lot of people in the Mac admins kind of role.
- 18:58 And especially I talked to a lot of folks who work in regulated industries, healthcare, finance, insurance, government.
- 19:06 And, you know, like Mike said, you know, licensing is a big part of it, vulnerabilities, but also intellectual property.
- 19:13 And so I've seen these highly regulated organizations where they use SBOMs essentially as a filter list to permit or reject new dependencies from their software ecosystem that their developers might be pulling in, in an automated fashion.
- 19:28 So they might know that certain libraries use IP that they don't want in their tool chain, or they might know that certain libraries or certain licenses are not allowed in their tool chain.
- 19:39 And so they're building kind of automated tooling around this using SBOMs as kind of the underlying infrastructure as well.
- 19:46 And I think we've seen as we're recording right now, we're in the midst of the TikTok apocalypse, which sort of highlights in a way that it's really important to know exactly what it is you're dealing with, with software, because there may, you may be using something that is not allowed in a particular region for, you know, political, social, whatever reasons.
- 20:13 You know, CapCut is a great tool for, you know, social media video editing, which unfortunately, because it's made by ByteDance, means it's against the law to use in the United States as we record this.
- 20:24 It's Sunday, January 19th.
- 20:26 I'm not to put too fine a date on it, but, you know, we're in an evolving state of play, you know, with a lot of these licensing agreements.
- 20:33 And so knowing what your, what your own SBOM is for your organization is very helpful when it comes time, when you have to deal with questions from legal or from security on, well, what part of this, you know, TikTok apocalypse is, you know, is going to affect our business?
- 20:52 Are we going to rapidly have to retool?
- 20:54 Are we going to have to, you know, figure out a new pathway for some of our social media editors, for example?
- 21:00 A lot of organizations have one of those these days who may or may not be having to switch to iMovie or God help them clips.
- 21:09 But, you know, there's, there are all sorts of, of ways to actually handle that.
- 21:15 But also, also just not having to get dragged into lots of meetings about these things as well.
- 21:22 As you just mentioned, the ability to say, oh no, we have all that information.
- 21:26 We can give that to you is a lot better than anything.
- 21:30 You know, getting invited to five discussion groups to work out how we're going to approach this problem.
- 21:35 The Mac Admins Podcast is brought to you by 1Password.
- 21:40 Imagine your company's security for a moment.
- 21:42 Think about it a bit like the campus at a university.
- 21:45 Chemistry department over here, economics over there, and a big student union all surrounded by a quad.
- 21:51 Those nice brick paths are your company-built infrastructure, like IT-approved apps and managed employee identities.
- 21:57 But, of course, there's always a well-worn path outside those nice walkways, isn't there?
- 22:02 A shortcut worn through the grass with a gap in the hedges that shows where everyone actually walks.
- 22:07 Those are your unmanaged devices, your shadow IT apps, and contractor identities that don't quite fit the usual path.
- 22:13 Most security tools only work on those happy brick paths, and a whole lot of security problems take place on the shortcuts.
- 22:20 1Password Extended Access Management is the first security solution that brings all the unmanaged devices, apps, and identities under your control.
- 22:29 It ensures that every credential is strong and protected, every device is known and healthy, and every app is visible.
- 22:36 1Password Extended Access Management solves the problems traditional IAM and MDM can't.
- 22:41 It's security for the way we work today, and it's now generally available to companies with Okta and Microsoft Entra, and in beta for Google Workspace customers.
- 22:50 I've been a 1Password customer for the better part of a decade now, and I just can't imagine life without it.
- 22:56 I just got a new machine for work, and it was the first thing I put on there after I got it.
- 23:01 1Password's award-winning password manager is trusted by millions of users and over 150,000 businesses from IBM to Slack.
- 23:08 And now they're securing more than just passwords with 1Password Extended Access Management.
- 23:12 Secure every app, device, and identity, even the unmanaged ones, at 1password.com slash macadminspodcast, all lowercase.
- 23:21 That's 1password.com slash macadminspodcast.
- 23:25 And thanks to our friends at 1Password.
- 23:27 So, you know, we talked a little bit about the format of the object, you know, the SBOM itself takes on a specific format.
- 23:35 What does an SBOM actually mean to a security organization in that state or to an IT team in that state?
- 23:41 So the thing that I hear over and over again talking to IT managers and security managers is that one of the biggest challenges they face is visibility, just knowing what's going on.
- 23:52 And this can be true of, you know, your software dependency stack.
- 23:56 It can be true of your endpoints.
- 23:58 It can be true of your infrastructure.
- 23:59 It can be true of your CI.
- 24:00 You know, all the different components in your, you know, information systems, just knowing what's going on is an incredibly difficult challenge.
- 24:10 And so what SBOMs do in some of those cases is makes it possible to just be able to know what the differences are, know what has changed over time, and manage that change, right?
- 24:23 If you don't know what's going on, you can't manage it.
- 24:26 You know, maybe this is a little bit tongue-in-cheek, but there is a bit of box ticking that goes on with this as well.
- 24:31 You know, you often hear from the lawyers.
- 24:33 You hear from the, you know, compliance or risk departments.
- 24:36 And what it really is is it's just – it's a good practice to be able to know that you can answer the question if it's asked, right?
- 24:45 And so, you know, like you were just saying before, that if the lawyers come to you and ask, like, hey, what's in this, is it a three-week ordeal for you to figure out or is it a two-minute kind of easy-to-do thing?
- 24:59 And then I think, like, the actual use cases kind of fall into, you know, two buckets, proactive and reactive.
- 25:07 So proactive is kind of what I was just talking about.
- 25:09 It's like take your vitamins, know what's going on, be able to talk, you know, in an informed way about what's happening and monitor change.
- 25:17 But then when an incident happens – so we've had numerous security incidents over the years.
- 25:22 Like I think last time when we were on the podcast, we talked about the XZ vulnerability.
- 25:27 And, you know, with SBOMs, you can know what of your systems are vulnerable immediately and know how to respond to those things.
- 25:35 So, you know, I think that that's a lot of how it's being used right now.
- 25:39 And then I guess, like, kind of a third bucket is just inter-organizational kind of operations.
- 25:46 So we have a lot of, you know, vendor approvals that we have to go through.
- 25:51 Being able to say to another company that's a customer or a partner, you know, we know what's going on in our IT systems is very valuable.
- 26:01 And it helps build trust between different organizations as well.
- 26:03 What about – you know, we've spoken about software that's installed on your machine or libraries you're using.
- 26:09 What about when the software is outside of your organization?
- 26:14 So, you know, software as a service and SaaS tools.
- 26:18 How does that affect SBOMs?
- 26:20 I think it's one of those things where currently you're not generally in a situation where you can go to all of your vendors and be like, hey, I want to see all your SBOMs for everything you're running, right?
- 26:33 That's not – I mean, that might be a world in which we get to.
- 26:37 Certainly, I'm aware that the U.S. kind of compliance changes around the SBOMs and the kind of – at least the – I think, again, at time of recording, current administration's executive orders around this stuff mean that that might be a future we end up with.
- 26:54 But I think in reality, it's more the stuff that they're trying to push is less the idea of we're sending these lovely JSON files to each other and more this idea of like, look, you've got to track your dependencies and licenses and stuff, right?
- 27:10 You need to be aware, right?
- 27:13 It's the type of thing of – again, to use a horrific metaphor, right?
- 27:17 It's getting people to like, look underneath their car before they drive off to make sure there's nothing sleeping under there.
- 27:24 Not because they're like, there will always be an animal sleeping under your car, but the idea of like, if you look, then we're going to avoid some problems, right?
- 27:33 For every 10 people you make look, maybe only one of them needed to, but they're going to solve these things.
- 27:40 And again, I think it depends on the part of the ecosystem you're in because, again, from – if you're in open source land and GitHub land and all this type of stuff, then it's like, hey, we've got – using Homebrew as an example, right?
- 27:55 Like Homebrew has – itself doesn't generate SBOM files for the application itself and what goes into Homebrew.
- 28:04 But we have, okay, here's our Gemfile.lock because we're in Ruby land or package.json for NPM-related stuff.
- 28:12 Then we have Dependabot, which goes on a daily or weekly basis, like checks all the versions and updates them to the newest version and submits a pull request and then submits emergency pull request if there's a security vulnerability.
- 28:24 And that's all hooked up to people's compliance databases and stuff like this.
- 28:27 So I think, like, SBOMs are part of that piece that fits into that wider ecosystem of basically being like, hey, make sure you're doing all this stuff properly.
- 28:36 Make sure, as I mentioned earlier, you're aware of your licenses.
- 28:39 Make sure you're aware that you're not running on some horribly unstable version of something.
- 28:44 Or make sure that when you do get some vulnerability in XZ, we mentioned before, like iTerm, I think that was a relatively big one in the last few months, that you know how to be able to say, okay, I know what version I'm on.
- 28:58 I know who's running that version.
- 29:00 And I can get my whole fleet updated sooner or later.
- 29:03 And I think that's when it comes increasingly more over to, like, Mac admins and IT folks is, again, it's less about SBOMs in the file format, but more about, like, okay, thinking about the software that you're providing on your systems and how you can kind of keep track of that and keep everything up to date.
- 29:20 Well, in that vein, right, like, if we're really supposed to be thinking about what's on our devices, if we're supposed to be thinking about, you know, what's the version that we got, how did it get there, all of those things, what kind of things should Mac admins be asking vendors, for example, when they're adding new software to be ahead of these kinds of security challenges?
- 29:39 Because the last thing you want to do, I mean, anytime you add to your SBOM, it's one more thing you've got to keep updated.
- 29:44 It's another thing that you've got to keep aware of.
- 29:47 It's another thing that you've got to kind of, like, have in the back of your mind as part of that process.
- 29:52 So what kind of things should you be asking your vendors in terms of, like, hey, how do you guys build what you build?
- 29:58 I think what you want to be, you know, rather than a specific question, you know, hey, ask these two or three questions, it's what you need to evaluate, right?
- 30:08 And what you're really evaluating for is maturity of software or supply chain management, right?
- 30:13 So if you're evaluating a vendor and you want to know, you know, is this a vendor that I can trust, it's not as much do they use this format or that format, do they use this tool or that tool, but do they have some rigor around how they manage, you know, what's in and what's out in their systems, whether it's the software that they build or their endpoints or all those different things.
- 30:34 And I would also, you know, add to that, that it's not just about the vendor, but how does it impact your software supply chain management, right?
- 30:41 So what's your process?
- 30:42 And I've talked to, you know, folks in all different kinds of organizations from, you know, small startups to Fortune 500s to regulated businesses.
- 30:52 And they all have different, you know, needs and different requirements around what level of management they need in this stuff.
- 31:00 But, you know, at a base level, it's things like, do you know, do you track, you know, what components are being used in your projects, on your endpoints and whatnot?
- 31:08 Do you have any way to cross-reference that with vulnerabilities?
- 31:12 Are you able to respond to vulnerabilities and in what timeline, right?
- 31:17 Unfortunately, many of these conversations I have with, you know, folks who are interested in Workbrew, they'll come on and they'll say, you know, our process for a vulnerability happening is we heard there was vulnerability.
- 31:29 We go into Jamf, we write some custom script, we deploy it to all our devices, we run it.
- 31:34 That script tells us with like a 90% confidence whether or not any of the hosts have the vulnerability.
- 31:39 And then we have to, you know, build our own kind of process for patching it.
- 31:42 You know, in the more sophisticated places, they might have another tool that they use for patching.
- 31:46 But, you know, you want to be looking into how do they manage responding to those vulnerabilities.
- 31:52 And then also kind of the last thing I would think about is, is there a process for accepting changes into your software buildings, into your supply chain?
- 32:02 That doesn't mean that every company needs to have a process that's heavy-handed, that involves lots of paperwork.
- 32:09 But I've spoken to some organizations where they essentially warn all of their software engineers.
- 32:16 They say, hey, look, we care a lot about, you know, what goes into our product.
- 32:19 We want to think twice about introducing new dependencies.
- 32:21 Whenever you add a new dependency, we want to make sure that you do these evaluations.
- 32:24 We leave it up to the software engineer to do the evaluation, but they train them on how to evaluate software to make sure it's a good dependency.
- 32:31 You know, some heuristics you can use when you're evaluating the software is how frequently is it updated?
- 32:35 Are there any known vulnerabilities?
- 32:37 When those vulnerabilities happened, how long was it before a patch was available?
- 32:41 And this is something that your team can do as they're introducing new software into your, you know, into your organization to evaluate it.
- 32:48 And so going back to your original question, it's like, what should we be asking?
- 32:52 I think it's what, this is how you should evaluate this stuff for a potential vendor that you're bringing in and also how you present yourself to others or how you manage your supply chain.
- 33:01 So let's turn to Workbrew now.
- 33:03 So how does Workbrew fit into this world of SBOMs?
- 33:07 I think there's two ways of looking at how we sort of fit in.
- 33:10 So one is the, essentially, the kind of Homebrew side of the equation.
- 33:16 So if you're someone who either themselves or people in your fleet that you're organizing as a Mac admin, you have anyone running Homebrew, then essentially, all this conversation we had before about, okay, what versions are people running?
- 33:33 How do I upgrade them?
- 33:35 What do I do with this vulnerability?
- 33:36 How do I know whether there are vulnerabilities?
- 33:38 Essentially, Workbrew just solves that for you, right?
- 33:41 So we give you all the packages you've got on all the machines.
- 33:45 You can see them in aggregate fashion.
- 33:47 You can see what are the known vulnerabilities that we have from the kind of special vulnerability data that we pulled from many sources and mapped to Homebrew applications.
- 33:56 And then you can upgrade all those packages and all those machines in a single click.
- 34:00 And coming fairly soon, like, you can just say automatically, if there's a vulnerability of this level or whatever,
- 34:07 I want you to automatically upgrade on those machines.
- 34:09 So that's one side of the equation.
- 34:11 The other side, I guess, is what John was saying about, like, if you're an organization thinking, what is even your process, right?
- 34:20 Like, to upgrading things.
- 34:22 So it might be that you deal with some great vendors and they are just like, oh, yeah, whenever we have vulnerability, we'll just push you out and auto-update.
- 34:30 And that will auto-update on all the machines and no one will be able to use the application until they have auto-updated if it's critical vulnerability or whatever.
- 34:38 Wonderful.
- 34:39 Or it might be you have some vendors who they don't have a built-in auto-updater.
- 34:43 You had to do some use AutoPkg or whatever to repackage it in a way that works for you and all this type of stuff.
- 34:50 And then all of a sudden it becomes, oh, like, this is maybe a multi-day effort when we have some critical vulnerability.
- 34:57 And Workbrew can help you on that side by almost essentially pushing more of this stuff through Homebrew.
- 35:03 So you could use Workbrew to distribute more of this software so that essentially then if you're distributing the software on the machine, you know, even stuff that we might not associate with Homebrew like Visual Studio or Google Chrome or whatever it may be.
- 35:19 And that's a way of installing these packages.
- 35:21 Then you can use everything I said before, get all the information you want from Workbrew, get all the packages and stuff like that.
- 35:29 And then when you get a vulnerability, you can then push that out and upgrade all your fleet in a way that is as simple to do as it would be with any other Homebrew package.
- 35:37 This week's episode of the Mac Admins Podcast is also brought to you by iMazing, the world's favorite iPhone manager.
- 35:49 Have you ever felt your MDM configurations leave much to desire when setting up fleets of iPhones, iPads and more?
- 35:55 Say hello to iMazing Profile Editor, the smarter way to take control of your Apple device configurations.
- 36:03 Navigate the most extensive Apple settings catalog effortlessly with an intuitive graphical interface and powerful deep search.
- 36:12 Ensure your configurations are tamper-proof with built-in profile signing.
- 36:19 Deploy with confidence, backed by extensive in-app documentation and integrated validation tools.
- 36:25 Take your device management to the next level with iMazing Profile Editor, the free, powerful tool from the iMazing Enterprise Suite.
- 36:35 Download it today and experience the difference at iMazing.com slash profile hyphen editor.
- 36:44 With Workbrew now out of beta and into 1.0 land and beyond, you've got a bunch of new integrations that are out.
- 36:51 You know, as I was going to say, I looked and saw a couple up on your website.
- 36:54 So what can you do with Workbrew through these integrations for, say, mobile device management and other tools?
- 37:02 Yeah, so the first thing I would say is that there are two different kind of levels of MDM support that we have.
- 37:09 The first thing is when you deploy Workbrew to your fleet, you can deploy it with any MDM.
- 37:15 If your MDM is capable of deploying a PKG file, you're going to be able to deploy Workbrew with it.
- 37:22 We do have a deeper integration with several MDMs, Jamf, Kandji, Fleet, and SimpleMDM, where we do inventory management through the MDM as well.
- 37:33 And I expect in the future we'll be adding additional functionality that we'll be able to pull from your MDM.
- 37:39 But for now, it's inventory management.
- 37:41 What I mean by inventory management is that part of the story of Workbrew is we want to give you the easiest way possible to deploy Brew.
- 37:49 Whether it's your developers or other end users who you want to have a standard way to deploy and deliver software and update and patch.
- 37:56 Or if it's you want to give your software engineers the ability to pull the dependencies that they need.
- 38:02 We've heard over and over again from Mac admins that it's challenging to get Brew out onto the fleet.
- 38:07 There's lots of different ways to do it.
- 38:09 There's the famous GitHub gist that lots of people use as like a Jamf policy.
- 38:13 And we really just want the best and easiest way to install Brew to be with Workbrew.
- 38:18 So you take the Workbrew PKG, you put it into your MDM, everything's up and running.
- 38:23 And add to that, you get full visibility into everything for free.
- 38:27 Unlimited devices, unlimited users.
- 38:29 Now, on the deeper integrations, the inventory management, playing along with that keeping it easy,
- 38:38 we don't have end user accounts for the people who have the devices.
- 38:44 So the only people who get Workbrew accounts are your IT and security folks,
- 38:48 the people who are managing Workbrew at the company-wide level.
- 38:51 And what this means is that there's no sign-up process for your end users.
- 38:54 There's no login process.
- 38:56 There's no fiddling with keys or anything like that.
- 38:59 It's totally transparent, very, very easy to get them up and running.
- 39:02 But also for admins, it's not that easy to manage a fleet of devices.
- 39:08 And the more devices you have, the harder it gets if you just can look at the serial number.
- 39:12 And so what we've done with the deeper MDM integrations is Workbrew will pull all of your inventory data based off of serial number from your MDM.
- 39:20 So when you get up and running, you can install on hundreds or thousands of devices in an afternoon and have full visibility and know which device belongs to which person.
- 39:30 So that's some of the MDM integration that we have right now.
- 39:34 We have had some requests about integrations, mostly around sharing data to third-party kind of integrators.
- 39:43 So that's like we want an integration with Splunk or we want an integration with some other logging tool or alerting tool or PagerDuty.
- 39:52 And so our answer to that has been that we built a data export feature that has, you know, JSON and CSV and, you know, different format support.
- 40:01 And we've also built an API that, you know, we have webhooks and we can send events out to those users.
- 40:06 So, you know, there's a little bit of self-service around some of those integrations, but we have an answer to some of that now.
- 40:11 And so where do folks go if they want to request an integration, like, for example, with another MDM that isn't currently documented or part of the product?
- 40:21 What's the best way for them to speak to someone about that?
- 40:24 Absolutely.
- 40:26 So if you go to our website, we have a page that is called Works with Workbrew.
- 40:31 So it's just workbrew.com slash works dash with.
- 40:34 And from that page, you can see all the integrations, but you can also request adding a new integration, whether that's, you know, if you're a representative of a company that would like to integrate with us, that's a great way to get in touch with us to do that.
- 40:45 Or if you're a customer who would like to see an integration added, you can.
- 40:47 I know, for example, there are several product managers.
- 40:51 There's some MDMs that listen to this podcast.
- 40:53 I would encourage all of them to give you guys a ring.
- 40:55 We'd be happy to talk to them.
- 40:56 Because I think that there's a lot of deep.
- 40:58 Now, are they happy to talk to you?
- 41:04 I was going to say some PMs are very, very closed about their roadmap.
- 41:08 And I totally get that.
- 41:09 I can respect that.
- 41:10 But I would definitely consider folks interested in that.
- 41:13 One of the things I think I'd love to ask around, you know, Brew, generally speaking, is that we think about it for command line functionality.
- 41:19 We think about it for tools like curl or, you know, SSH or any number of other things along those lines.
- 41:24 But it's not just for that, though, is it?
- 41:26 It's also for applications?
- 41:28 Yeah, I think Mike is probably the best person to talk about this.
- 41:32 He can talk about the difference between formula and casks and kind of how all that stuff fits in.
- 41:38 Yeah, so this is actually a nice trip down history lane in some ways for Homebrew.
- 41:42 Because Homebrew started off supporting just, it was focused primarily on command line interface tools or, like, databases or whatever stuff.
- 41:52 You're going to run, install in your terminal, run it in your terminal.
- 41:55 And eventually someone kind of thought, hey, like, this seems like a nice way of installing, like, potentially other software as well.
- 42:03 So they made this little thing called Homebrew Cask, which was, like, an unofficial, like, third-party thing.
- 42:08 And over time, like, more and more people ended up using both, basically, and then we integrated it in.
- 42:12 So now, nowadays, Homebrew has all the kind of beer methodology.
- 42:17 Some people hate it, but we're, in some ways, we're too far down this rabbit hole to ever see the light of day again at this point, unfortunately.
- 42:25 So Homebrew has formula, which are, I guess, in the beer metaphor, you know, the formula.
- 42:31 Because Homebrew was originally building everything from source.
- 42:33 That was your idea of almost, like, the description of how the beer is made, the description of how the package is made.
- 42:37 So, like, you have formula, so that's how you install your CLIs, open-source software, or whatever.
- 42:43 And you have casks.
- 42:44 And casks are this idea of, like, wrapping software provided by a third-party vendor.
- 42:50 So that could be anything from 1Password, Google Chrome, VS Code, whatever.
- 42:55 So the nice thing about casks is some people might be like, okay, well, okay, I can just install all that stuff outside of Homebrew.
- 43:02 Yeah, like, if I want to install MySQL and it's got, we mentioned dependency earlier, like, 20 dependencies.
- 43:08 Okay, I'm not going to go and manually download all this open-source software and build it from scratch on my machine.
- 43:13 But, like, I can just go to, you know, the Google Chrome website and click a few buttons and have that installed.
- 43:20 And that's great.
- 43:21 I imagine, you know, this is the Mac Admins Podcast, after all.
- 43:24 I imagine the Mac admins amongst us are already thinking, like, well, actually, like, you kind of want to be able to automate that stuff.
- 43:31 And really, we want a PKG file and all this type of stuff.
- 43:34 And basically, that's essentially what casks give you, which is the way I like to look at it is the brew install Google Chrome that you can do, for example.
- 43:44 Essentially, you now have one API to install 10,000 pieces of different software, right?
- 43:50 You want to install 1Password, you want to install Cursor, you want to install whatever it may be on your machine.
- 43:55 You can essentially do that all through the same interface.
- 43:58 And we mentioned earlier the kind of Brewfiles, Brewfiles, they support formulas and casks and various other bits and pieces.
- 44:06 You can actually even install stuff from the Mac App Store through there as well.
- 44:09 So what this means, if you kind of join all this stuff together, if you're someone who, like me, is obsessed with automating everything, perhaps unnecessarily to high degrees,
- 44:21 then you can have, like, one little file, which I have, which essentially describes all the software that's installed on my machine.
- 44:28 And if I were to throw my MacBook out my window, and you give me a new MacBook, I would have all that software installed on my machine again, probably within about 10 minutes.
- 44:35 Because it's all using Homebrew or the Mac App Store or whatever, and you can automate it and describe, here's everything that I want to be installed.
- 44:44 And obviously, from our perspective in Workbrew land as well, we see this as being a huge opportunity for people who are deploying software across many, many different machines and fleets and customizing things per users.
- 44:56 Because, okay, it's nice for Mike to have highly optimized a process that every two to four years saves me a couple of hours of my time.
- 45:06 But if you're doing this on 100, 1,000, 10,000 Macs, and you're having to define the software on each machine in a different way, and you want it to be up-to-date,
- 45:15 then I personally still think there's no better way of doing that than with Homebrew.
- 45:21 Well, yeah, and getting to Brewfiles, I mean, you know, I say this because I'm on an iPad this week because I baptized my laptop unexpectedly this week.
- 45:28 And so it's off at Apple being repaired.
- 45:31 Boy, you know, the thing I, the genius was like, you know, hey, do you have a backup of your data?
- 45:38 And I was like, yes, and I still don't necessarily want to have to reprovision my entire device.
- 45:44 So, I mean, if it could come back the way it went out, that would be amazing.
- 45:49 But, you know, being able to know with some degree of comfort that between what's in my iCloud account, what's in Munki, and what's in my MDM,
- 45:59 I can deploy those things out and get into a state, a declared state of good operation is probably the most comfortable thing I could have said in that moment.
- 46:10 I don't know what state my backup's in on that system because I haven't had to think about it in a long time.
- 46:16 I'm going to care a lot about the restore when that machine comes back from Apple.
- 46:22 But knowing that I could easily, you know, just get back the key resources because I know how to declare that state of machine compliance is so helpful.
- 46:35 The other bit that I find fascinating, it's this intersection between, you know, to quote a certain tech luminary, the intersection between Mac admins and developers.
- 46:47 And for Mac admins, the developers were always the, you know, the troubled child that you had to deal with because they had lots of very strong opinions about how their device should be set up, how it should be managed, wanting control for very good reasons often that, you know, they needed it this way to be able to work efficiently.
- 47:08 And, you know, they have their people who are into automation and they need their automations that they have to work really well.
- 47:15 So, having a way that Mac admins can allow the developers to have that degree of control, but then also providing back that visibility and certainty and also doing it using the tools that the developers trust and are familiar with.
- 47:30 I know, Tom, I'm guessing you've had situations before where you've had to go and explain to developers, okay, so you're used to doing things this way.
- 47:38 So, we're going to bring in these tools called something you've never heard of before that's going to look after that for you.
- 47:43 And that always goes well, doesn't it?
- 47:45 That's usually when the pitchforks and the torches come out of their desk drawer.
- 47:51 I don't know how they keep a lit torch in their desk drawer, but they usually do.
- 47:56 And, yeah, I was going to say showing up with an alternative package manager for, you know, for system use is, you know, usually the kind of thing that causes uproar, revolt, and possible deposition.
- 48:10 For the stereotypically introverted folks, you can really bring developers out of their shell pretty quickly by suggesting something like this.
- 48:23 Yes, you will definitely get to know everything about that developer very, very fast.
- 48:29 You know, you say this thing that, like, you know, the developers are the problem, you know, the problem child in this relationship.
- 48:37 We definitely have had a lot of conversations with, you know, IT and security folks.
- 48:42 And what's great, what I love about this community is, like, you could have this mindset of it's such a pain.
- 48:48 But actually, what most of these folks, the Mac admins have, is they totally understand that it's all about the productivity for the end user, and they want to give them the best possible solution.
- 48:59 And it's really actually not, like, a big fight between them, even though it sometimes is presented that way.
- 49:06 Generally, they understand and they want to give, you know, the best experience possible within the guardrails of what is legally allowed or what's within their compliance department requirements or risk department.
- 49:18 So, yeah, it's just like another case of, you know, this community being great.
- 49:21 Yeah, for me personally, I think the other thing is a lot of people in, on both sides, in the developer side of the Mac admin side, have been told for a long time that this is some sort of zero-sum game.
- 49:33 And essentially, you have to pick between high levels of compliance and high levels of security or giving the developers everything they want.
- 49:39 And I think, for me, with somewhat with Homebrew in the past and very much with Workbrew now, I guess I just refuse to accept that those things are opposing forces.
- 49:50 I think you can deliver, which I think we have and are through Workbrew, the highest class of developer experience while at the same time providing absolutely everything the security and IT department need.
- 50:02 And I refuse to see the idea that, like, one party has to lose out of this.
- 50:06 And I think this is where I feel for both sides, because I think they've been put in these discussions where, in the past, they have had to pick a side and say, okay, either the Mac admin gets a bad time and the developers are allowed to run riot using whatever they want, or the developers get told, hey, you've got all these projects you have to ship by the end of the year.
- 50:24 And by the way, you're going to have to do it with one hand tied behind your back now.
- 50:27 And no, we can have great tools that are, you know, world class from the security and developer perspective, I think.
- 50:33 So it's a bit like the SBOM discussion that, you know, these, you know, arguments that we're set up to have can actually be, oh, yeah, that's a solved problem.
- 50:44 We can sort that out.
- 50:46 Move on.
- 50:47 Let's now tackle operating system updates, because that's also a solved problem.
- 50:55 Right?
- 50:59 This week's episode of the Mac Admins Podcast is also brought to you by SmallStep.
- 51:06 Remember SCEP?
- 51:08 Yeah, that tire fire of a protocol for device certificates.
- 51:12 It's basically a password system for your devices.
- 51:15 And we all know how secure those are, right?
- 51:18 Not exactly the rock solid foundation you want for your company's security.
- 51:24 But what if I told you there was a better way to lock down your company devices, a way to guarantee that only your devices access your most sensitive stuff, code, financials, customer data, the whole shebang.
- 51:37 Enter SmallStep.
- 51:39 They saw the limitations of SCEP and decided to do something about it.
- 51:43 They worked with Apple and Google to create a new IETF standard called ACME Device Attestation.
- 51:51 This isn't just another security product.
- 51:54 It's a fundamental shift in how we think about device identity.
- 51:58 ACME DA leverages the hardware already built into your devices.
- 52:03 Secure enclaves.
- 52:04 TPM chips.
- 52:05 Strong stuff.
- 52:06 No more passwords.
- 52:08 Just secure.
- 52:09 Verifiable device identity.
- 52:12 Imagine this.
- 52:13 A new employee gets a laptop.
- 52:15 It automatically enrolls itself.
- 52:17 Gets the right certificates.
- 52:19 Secure access to everything they need.
- 52:22 No more SCEP headaches.
- 52:23 Just smooth, automatic security that works everywhere.
- 52:27 macOS, Windows, even Linux.
- 52:30 SmallStep makes life easier for IT too with centralized management, automation, and seamless integration.
- 52:38 Less troubleshooting, more innovating.
- 52:41 SmallStep is the leader in high assurance device identity.
- 52:45 They're trusted by companies of all sizes to protect their most valuable assets.
- 52:50 Ready to take control?
- 52:51 Visit smallstep.com slash macadmins and lock down your devices today.
- 52:59 Thanks again to SmallStep for sponsoring this episode of the MacAdmins Podcast.
- 53:03 You know, like a lot of new products, you know, early adopters oftentimes provide great feedback about additional functionality they'd love to see.
- 53:12 What are some of the common requests that you're hearing from people trying out Workbrew now?
- 53:16 I love this so much.
- 53:17 We get tons and tons of requests.
- 53:20 And what's been great about it is most of it is in the same direction.
- 53:24 You know, we get the same requests over and over and over again.
- 53:27 So I'll start with a couple that we actually have already addressed.
- 53:30 So one of the most frequent ones was default packages.
- 53:32 Everybody had been asking us, hey, is there going to be a way that we can, you know, by default install these 20 packages on devices for our data science team or our customer service team or engineers or, you know, whatever group it might be.
- 53:48 And like Mike was saying before, he built Brewfiles into Workbrew and you can do that.
- 53:51 Another one that we got a lot was about an API.
- 53:54 We have an upcoming, you know, API.
- 53:57 I don't know.
- 53:58 Mike can probably say whether or not it's shipped to production yet, but it's very close to being shipped to production if it's not already.
- 54:05 And then on the upcoming kind of things that people have been asking about, automation is one that comes up over and over again.
- 54:13 Right now within the Workbrew product, we will surface information to you in real time, but making changes generally requires human intervention.
- 54:22 And that mostly comes from not wanting to disrupt the developer experience.
- 54:25 We don't want a situation where things are getting updated under a developer's, you know, without them knowing just because an automation is set up.
- 54:34 And so we want to give finer grain control around when those automations might run.
- 54:38 We talked a little bit before about integrations.
- 54:41 We've had a lot of requests for different types of integrations, whether it's MDMs or if it's, you know, logging tools or alerting tools or things like that.
- 54:48 Another one is private taps.
- 54:51 Oftentimes, so I'll start with what is a tap.
- 54:54 In Homebrew speak, a tap is a repository of packages that can be installed.
- 55:00 So Homebrew has two official taps, homebrew-core and homebrew-cask that Mike talked about earlier.
- 55:05 Those are for open source tools and binaries provided by vendors that are managed by the Homebrew project.
- 55:11 But anybody can create a tap and make available any arbitrary software.
- 55:14 And so when it comes to, you know, managing your software supply chain, taps are a very important part of that.
- 55:20 You know, if you can insert whatever tap you want with whatever software in it, you don't know what might be coming in.
- 55:26 And often customers will ask us for private taps and say, hey, we want a way to control what's going out to our endpoints.
- 55:35 And they might ask for it for the wrong reason.
- 55:37 They might ask for it because they want to limit the available software to those machines.
- 55:41 But the real reason why it's useful is actually to distribute your own internal software.
- 55:45 So a private tap is valuable.
- 55:47 Say you have a bunch of command line tools that you've built for internal processes.
- 55:51 You can put them into a tap and make them available to your entire organization.
- 55:54 One of the challenges with that, though, is authentication to the tap.
- 55:58 So let's say you're in an environment where you have 5,000 Macs.
- 56:01 Every single one of those 5,000 Macs needs to have an authentication token that can connect to your tap to keep it private.
- 56:07 And managing that is difficult.
- 56:08 So with Workbrew, we're making a way that, you know, you can do that without having to manage the opportunity.
- 56:13 And then the last one, which is the most frequently requested functionality, is an allow list.
- 56:19 And I saved the best for last because I kind of wanted to tee it up for Mike so he can talk a little bit about, you know, kind of how we see allow lists with regard to developer experience.
- 56:30 Because it's a very easy kind of knee-jerk reaction when folks see our product to say, hey, how can I make it so only the software that I want to allow people to install is available?
- 56:40 And, you know, that's what people are asking for, but may not be actually solving the problem.
- 56:47 So, Mike, maybe you want to talk a little bit about allow lists and what we've heard and what we've kind of come to.
- 56:52 Yeah, so I think, as John said, allow lists are a very interesting problem because they seem like a fairly obvious thing, particularly if we're looking at it from a Mac admin perspective, right?
- 57:03 Of, okay, well, I decide what is installed on my user's machine.
- 57:07 I maybe don't give them admin rights or Mac App Store rights or whatever it may be.
- 57:10 So, in that Applications folder, I essentially have an allow list of the things that they have there.
- 57:17 So, I just want to do the same thing for my developers using Homebrew, right?
- 57:20 Easy.
- 57:22 Unfortunately, not very easy because what happens is, I mentioned earlier, a good kind of introduction to this conversation when we're talking about SBOMs and you have these kind of dependencies that go all the way down.
- 57:33 So, we have, you know, what we would in Homebrew call the dependencies for an application, which is everything that it relies on to get its job done.
- 57:42 But then, also, those dependencies may themselves have dependencies, and we call that recursive dependencies because you end up having to recurse all the way down that tree.
- 57:51 And then, you call the reverse dependence when you have something that has something that depends on it.
- 57:57 So, it all gets kind of relatively easy from an allow list perspective if you assume, which is a reasonable assumption, that all software is static and you will only ever need one version for the rest of time.
- 58:08 Sadly, the way that the software world works, and I say this particularly as someone who builds software, unfortunately, there is sometimes a need to release more than one version of a given piece of software.
- 58:20 And when that happens, when you have this dependency tree, as I mentioned earlier, if you have an allow list, well, what happens when something underneath you gets updated?
- 58:31 Because there's a critical update there.
- 58:32 Do you say, okay, that thing can update and then nothing else can update?
- 58:37 But then, that thing updating then breaks other things unless they also get updated.
- 58:41 And then, some things have to be updated and then other things can't be updated.
- 58:44 And basically, you end up with this kind of nightmare that keeps people like package maintainers and Homebrew up at night of trying to figure out how to resolve all these things.
- 58:55 And one of the nice things about being a Homebrew maintainer is knowing that you are solving these problems for people in this way.
- 59:02 So, essentially, what we've ended up with in Workbrew is that we get people who ask for the allow list.
- 59:09 And what we talk about is, okay, like, instead of, as us technology people want to do, instead of, like, jumping straight to the solution, let's hear about what are the problems you're having, right?
- 59:20 And those problems are like, well, we need to control, we need to know what people have installed, we need to have the ability to get them on the latest versions, we need to respond to vulnerabilities quickly, we can't just have everyone installing anything, we don't know what versions are vulnerable or not, we don't know what software is vulnerable or not.
- 59:35 And we have generally found, like, if we can go to these people and say, well, actually, we can give you everything that you need, and that you want from an allow list, but without having to have the micromanagement that will involve for you with that allow list, does that solve your problem?
- 59:53 And we're finding that that does solve the problem for those folks.
- 59:56 And we're building it from that perspective.
- 59:58 And again, this goes back to what I was saying before, where that idea of we say, okay, we either optimize for the security perspective, we have the allow lists, or we optimize for the kind of developer experience, and we let them install whatever they want.
- 1:00:14 Again, I reject either of those poles of the spectrum.
- 1:00:18 And I think that we can have something where everyone gets what they want here, right?
- 1:00:22 But it might just be that it's not exactly what everyone went into the conversation thinking that they wanted.
- 1:00:28 The challenge around allow list is when there's regulatory frameworks that think that they're a fantastic idea, and that they're achievable, which is also a fantastic idea.
- 1:00:40 You know, I like to throw it back to people, we mentioned this before about feature requests, because it's not even just, you know, updating all of the tools further down the dependency list.
- 1:00:52 It's also those dependencies changing.
- 1:00:53 And so, see that feature request you had over there, would it surprise you to know that that required additional tools to be included to be able to achieve that?
- 1:01:03 And so, the people, you know, who are saying we need this to be static and not to be changed are also the same people who like new things and additional functionality, because we're all, you know, wanting nice things.
- 1:01:16 So, you know, being able to frame that in what's actually going on and how complex this is to achieve and why it's something that you actually need tools to help you make this a better experience, rather than just something you can tick a box in some sort of management tool and make everything stop.
- 1:01:39 I think this is what I love about dealing with the Mac admins community here is that, you know, we in Workbrew and in Homebrewland have a reasonable amount of support on Linux and Windows through WSL.
- 1:01:51 But, you know, Mac land is our, that's our original home and that's where we kind of take a lot of our ethos from, like Apple's way of doing things.
- 1:02:00 And I think that's the nice thing about when you deal with Mac admins, because they get this, right, is that, like, it doesn't fly to say to your users of macOS, by the way, we're going to support macOS 12 for the next 10 years.
- 1:02:14 And then in a decade, we'll evaluate which is the next best version of macOS.
- 1:02:18 No, like, most of your users, most of the time, are going to want to upgrade their OS every year, right?
- 1:02:24 And I've been in environments where the IT team or whoever's responsible for those macOS updates are saying, hey, you can actually kind of upgrade for the, you know, until six months after a major release is out.
- 1:02:36 And anyone who likes Apple devices gets very grumpy, right?
- 1:02:40 Because turns out you probably, as I have, bought on the hype train with various new features.
- 1:02:46 And if you hear all the stuff about Apple Intelligence and then say, oh, I now can't touch any of these features, even the purely on device ones that have no meaningful privacy implications.
- 1:02:58 I can't touch any of these features for six months because a team over there says that I can't have it, right?
- 1:03:03 Like, the best people I've worked with in this community know that, like, hey, you need to be able to provide this.
- 1:03:09 Maybe not on day one.
- 1:03:10 Maybe that's unrealistic in a large organization.
- 1:03:12 But, you know, you need to be able to provide some of this stuff to the people in the timescales they expect.
- 1:03:18 And I think that's what I loved about what you were saying there, Mark, is that I think that's the balancing out there is it's figuring out how can we give people what they want and at the same time meet all our regulatory requirements.
- 1:03:30 Or you're like Tom, whose machine has taken a bath and he may have to get a new one.
- 1:03:34 And the new one won't run Snow Leopard, sadly, Tom.
- 1:03:38 You're going to have to take a step down in operating system stability and quality.
- 1:03:44 Alas.
- 1:03:46 Maybe they'll run Mojave.
- 1:03:48 Maybe we can get a Mojave machine for me.
- 1:03:52 So, what can we expect?
- 1:03:54 You know, 2024 sounds like it's been a pretty big year for Workbrew.
- 1:03:57 So, what can we expect for 2025?
- 1:03:59 We have a lot planned for 2025.
- 1:04:02 You know, just going off of what we were just talking about with allow lists, the way that we're approaching trying to solve that problem on the product front is using approval workflows.
- 1:04:13 So, rather than saying, here's a defined list of what's allowed up front, going back to the original conversation around SBOMs, the idea is that how can we help an organization have good governance around when they add things to their software dependency list, their software supply chain onto their endpoints, and make it so it's as easy as possible for their end users to do that within the framework that's set by the organization.
- 1:04:38 So, as I had mentioned, you know, some of these organizations that we talk to, you know, have policies where they just have their engineers evaluate the risk and then accept it.
- 1:04:45 And there's no formal process or documentation or anything around that.
- 1:04:50 And so, I think that with Workbrew, we'll be able to help folks get a level of hygiene around managing their dependencies and around managing what they're installing on their machines very easily with very little negative impact on usability or developer experience.
- 1:05:08 So, that's one thing that we're really focused on.
- 1:05:12 Another thing that I think is going to be coming in 2025 that we're, you know, very excited about is more functionality for the developers.
- 1:05:20 So, when we started Workbrew, you know, Mike's been involved in Homebrew for 15 years, more or less.
- 1:05:27 And Homebrew is well-loved and well-liked.
- 1:05:31 And so, we really set out to, you know, build the multiplayer features.
- 1:05:34 You know, that's what Workbrew is.
- 1:05:36 It's how do you use Homebrew, you know, for an entire team and also how do you make Homebrew more consumable to somebody who might not be an end-user developer and make it valuable to them.
- 1:05:45 And so, I think in 2025, another one of our big focus areas is how can we build more functionality for teams that are using Homebrew that's more focused on the developer experience rather than on IT, you know, the Mac admin and the security experience, but also helping to improve that.
- 1:06:01 And that will come with a lot of improvements on the free product as well.
- 1:06:05 A couple other things that I've been thinking about, you know, I don't want to say that we're definitely doing this, but we've heard it come up quite a bit, which is, you know, what's the intersection of Workbrew and, you know, DevOps, configuration as code?
- 1:06:18 As you know, we have default packages.
- 1:06:20 They use a Brewfile.
- 1:06:21 You know, there could be a world where we say, hey, the way that we handle some of this stuff is around using, you know, version control systems, using a code management system with those files and making it so that it's more of a configuration of code or DevOps operation.
- 1:06:37 And then, you know, we've met a lot of folks in this community from MSPs and from other vendors, and so we're going to do as much as we can to get connected with those folks.
- 1:06:48 So if you're an MSP service provider and you think this is interesting, you can always reach out to me and also, you know, kind of as we said before, anybody who's building an MDM or works with an MDM, we want to make sure that this tool works with them really well.
- 1:07:00 And then lastly, I want to be at as many of the Mac admins community events as we can.
- 1:07:05 So that'll be me.
- 1:07:06 That'll be Mike.
- 1:07:07 That'll be my co-founder, Vanessa.
- 1:07:08 We have some new folks joining the team as well.
- 1:07:11 So we're just going to be out there, you know, listening to what you all have to say and trying to, you know, help solve your problems.
- 1:07:16 So you're going to aim for the Mac admins grand slam in 2025 of making every Mac admins conference around the globe?
- 1:07:27 I don't know.
- 1:07:30 Well, there's some of them that are on the same days.
- 1:07:32 That's the problem.
- 1:07:33 I can't get to all of them, right?
- 1:07:34 I think it was, what's the one in, I think it's in Sweden?
- 1:07:38 Yeah, MacSysAdmin and JNUC were at the same time.
- 1:07:42 Yeah, so I had the very hard choice that I had to go to one and not the other, and I really wanted to go to MacSysAdmin, and I ended up going to JNUC.
- 1:07:50 I hope that I can go next year.
- 1:07:51 They're separate weeks this year, so you don't have to be Phil Collins at Live Aid taking a Concorde between continents.
- 1:07:59 Continents to be able to achieve that.
- 1:08:03 And I might suggest, Mike, I don't know if you want to add anything else on kind of the end user developer experience for 2025 or potentially anything related to Homebrew in 2025.
- 1:08:17 I'll start off with Homebrew.
- 1:08:18 I guess Homebrew has reached this kind of slightly funny place as a project where, like, every big feature that we've kind of talked about over the years, we've pretty much done them all at this point.
- 1:08:31 So, essentially, my Homebrew product roadmap at this point is driven mainly off of people both on the internet and respected community members and nerd friends I have who send me things on iMessage of, like, what are their haters hating about the most, right?
- 1:08:51 And generally, people complain about Homebrew being slow.
- 1:08:54 So, that was one of our big focuses last year.
- 1:08:57 It's going to be one of our big focuses this year as well.
- 1:09:01 Like, we're going to try and work on more parallelization around downloading and stuff like that, which should make at least the experience of I install a thing and it is already a lot quicker.
- 1:09:15 On the Workbrew side, John mentioned some of the kind of developer-focused stuff we're doing.
- 1:09:20 It's still in kind of more experimental stages there.
- 1:09:23 We hope to have more stuff to talk about kind of by the middle of the year.
- 1:09:26 But, essentially, one of the main problems we're focusing on is, I mentioned earlier, kind of, you know, if you're in the Ruby ecosystem, you've got Gemfiles and Gemfile.lock.
- 1:09:36 And if you're in the, you know, Node.js ecosystem, package.lock and all this type of stuff.
- 1:09:42 Essentially, if you're working with Homebrew, I mentioned the Brewfiles, but we actually unshipped the Brewfile, sorry, the lock file support in Brewfiles because they were kind of complex because they were a lock file that you essentially were just telling you what the state was rather than giving you any ability to control that.
- 1:10:01 And a big problem that we've seen a lot of folks in the developer space say is, like, hey, like, okay, being on the latest version of everything all the time may work for some people with Homebrew.
- 1:10:12 But, actually, in a lot of teams, the way you expect to work with most language package management ecosystems is to say, hey, I want to be on these versions of all these things and keep me on those versions until I say otherwise.
- 1:10:24 So, thank you very much.
- 1:10:25 And John mentioned the kind of configuration as code stuff earlier.
- 1:10:29 So, we're basically working on some stuff in that area, basically.
- 1:10:32 The idea of giving more ability to have control over what versions you're running of your software in Homebrew in your various projects that you're working on.
- 1:10:41 And that will be a free Workbrew feature that we kind of will release for people.
- 1:10:46 One of the nice, again, things with, like, Homebrew and Workbrew is that some of these things, people might be like, well, why didn't Homebrew solve this?
- 1:10:54 Or why is this in Workbrew and not in Homebrew?
- 1:10:56 And there's a bunch of the features that people have been asking for in Homebrew for a long time, like that, where the Homebrew folks said a long time ago and continue to say now, like, we don't have the bandwidth to support this, right?
- 1:11:07 Like, we need someone, like a business or whatever, to step up and say, provide the ability for this functionality because we as a bunch of volunteers don't have that.
- 1:11:18 And that's been a nice thing that we've been able to do with more and more things in the Homebrew ecosystem where we can say, hey, the first big one was MDM, right, where the Homebrew folks are like, hey, no thanks, don't want to support this.
- 1:11:31 So, we can say, hey, on the Workbrew side, we can do this.
- 1:11:34 And, yeah, I expect that to grow more this year and in future as Workbrew evolves.
- 1:11:39 That's awesome.
- 1:11:41 We just want to take a minute to thank our wonderful list of Patreon backers who help us get these episodes out to you every week.
- 1:11:52 So, a huge thank you to Weldon Dodd, Graham Gilbert, Bill Smith, Justin Holt, Daniel McLaughlin, Chad Swadow, Tim Sutton,
- 1:12:02 Stefan Weinstein, our friends over at Command Control Power,
- 1:12:06 Seb Nash, Will O'Neill,
- 1:12:08 Jose Farah, Nate Sinahal,
- 1:12:11 Tim Purford,
- 1:12:12 Tobias Linder,
- 1:12:13 Adden Berg,
- 1:12:14 Hamlin Crouson,
- 1:12:16 Stu McDonald,
- 1:12:17 Jeffrey Compton,
- 1:12:18 Anoush Dovill,
- 1:12:20 Melvin Vives,
- 1:12:21 Bill Seitz,
- 1:12:22 Mike Boylan,
- 1:12:23 Rick Goody,
- 1:12:25 Adam Selby,
- 1:12:26 Dwan Maas,
- 1:12:27 Pax,
- 1:12:28 Julian Reddick,
- 1:12:30 Tim Camps,
- 1:12:31 Scott Blake,
- 1:12:32 and Tony Honorati.
- 1:12:34 Thank you so much for being a Patreon backer of the MacAdmins Podcast.
- 1:12:41 One of the rich traditions here on the MacAdmins Podcast is that of the bonus question.
- 1:12:46 You know, the bonus question is often frivolous, and this year is no exception.
- 1:12:51 What in your world needs an equivalent to an SBOM, but for something other than software?
- 1:12:57 You know, we talked a little bit about the nutritional label, and that that has its own value.
- 1:13:04 You know, what are you thinking in terms of, you know, you need a detailed understanding of, you know, the internals of some organization.
- 1:13:13 John, I'll let you go first.
- 1:13:14 This is complicated.
- 1:13:16 You know, I think that there is maybe, are you talking about in my life or in?
- 1:13:24 Your whole life doesn't even have to be tech.
- 1:13:27 Okay, cool.
- 1:13:28 Yeah, I mean, I think like one of them, I would say, is probably just stuff.
- 1:13:34 Like, I have this habit of collecting things and never getting rid of them.
- 1:13:39 And it's not usually like big stuff.
- 1:13:40 It's like, you know, for example, I love to keep all the tickets to like every concert I go to and my flight tickets and stops and stuff like that.
- 1:13:47 I just have boxes and boxes of that stuff that I just like, I'll organize that someday.
- 1:13:51 I don't even know what's in there anymore.
- 1:13:53 Like, if I had like a beautiful inventory that told me everything and I could easily locate it and know what it was and why I had it, that would be like incredibly valuable to me.
- 1:14:03 I love that.
- 1:14:04 I think that's spectacular.
- 1:14:05 I, you know, I've been using Flighty for the last couple of years as I've done a lot more flying.
- 1:14:11 And I feel like that's my equivalent for like flights that I've taken or the boarding passes and other things like that.
- 1:14:17 It does a really nice like year-end summary of all the places you've gone and how much time you've spent in the air and all of those things.
- 1:14:25 I think it's pretty neat.
- 1:14:26 What did they call that trend?
- 1:14:27 It was like in the 2000s when you like kept all the data about everything.
- 1:14:30 Do you know what I'm talking about?
- 1:14:31 Oh, yeah, yeah.
- 1:14:33 It is.
- 1:14:34 Oh, shoot.
- 1:14:36 It's at the tip of my tongue.
- 1:14:38 I love that kind of stuff, though.
- 1:14:40 Where you're just like logging.
- 1:14:42 It's like quantified self or something like that.
- 1:14:44 Yeah, quantified self.
- 1:14:45 So, yeah, my like kind of, you know, thing that I do in that space is just logging all the places that I go.
- 1:14:51 So I used to live in New York City.
- 1:14:53 I was part of the New York City tech scene back in the early days when Foursquare came on.
- 1:14:57 I still use one to this day.
- 1:14:59 And I've used it every day of my life for like 15 years.
- 1:15:02 So I have, you know, an incredible catalog of all the places I've ever been all over the world, which I love.
- 1:15:07 I am the mayor of my coffee shop.
- 1:15:09 I'm just saying.
- 1:15:11 That hasn't been relevant for 20 years.
- 1:15:14 Almost.
- 1:15:15 But that is neither here.
- 1:15:17 I find that keeping that sort of information is a much better way of remembering the things you've done and the events you've had rather than just, you know, holding up a phone and trying to take photographs of everything.
- 1:15:28 I like to keep the memories and the imagery inside my head and just have those sort of, like you were saying, concert tickets or, you know, boarding passes or, you know, the lanyards from conferences, those sorts of things that just trigger those memories.
- 1:15:45 And SBOM would help to not have to dig through, you know, enormous plastic tubs of stuff.
- 1:15:56 So, you know, the SBOM can definitely stand for stuff.
- 1:16:01 What about you, Mike?
- 1:16:03 Stuff, bill of materials.
- 1:16:05 I love that.
- 1:16:08 I guess I'm going to be cheeky and have sort of two.
- 1:16:11 So, the one that I feel like already exists is, I don't know how many of you are gamers or whatever, but there's a website if you're building a PC called PCPartPicker.com, where you can basically like bind together all of the Lego pieces that are a modern gaming PC.
- 1:16:30 So, that's fun for almost like having an SBOM of like what's in my PC and being able to share them and see other people's or whatever.
- 1:16:37 The one I would really like is the guys who are on video can see I've got some instruments behind me that are somewhat defunct since I had children and no longer have time to play them.
- 1:16:50 But like I would really love, particularly when I was trying to do a lot more covers of music, if I could have an SBOM for a given song where it could be like, okay, this track was made in Logic.
- 1:17:00 This is the guitar the guy used.
- 1:17:03 This is the strings he used.
- 1:17:04 This is the effects pedals.
- 1:17:06 Like having that breakdown.
- 1:17:07 And it's funny because, again, in tech, like I feel like I can see Tom happily nodding away.
- 1:17:14 Like a lot of tech people get this and I say this to like music people and they're like, dude, why do you care?
- 1:17:20 Like just it sounds good, right?
- 1:17:21 Like why do you need to know like what pedals they used and what compressor plug-in they put in Logic or whatever?
- 1:17:27 I'm with you on that.
- 1:17:28 I was literally the other day looking at some, you know, there are some amazing fellow nerds out there who have documented this going through Stone Roses songs and documenting what John Squire was doing,
- 1:17:40 which particular model of MIDIverb he had and, you know, the next step from that is that then means that we can create plug-ins for, you know,
- 1:17:49 whilst you have the collection like I do of all of these vintage instruments and the original effects, you know,
- 1:17:57 it's you don't get the time to go in and settle that up and plug it in,
- 1:18:02 but we have these amazing digital modelers where you can just feed that in and mess about for an hour and pretend that you're in a stadium somewhere
- 1:18:11 and that, you know, I'm actually a competent musician or anything like that.
- 1:18:15 So absolutely with you on that.
- 1:18:17 And it also is a nice way of justifying buying more instruments, equipment, everything like that, which we all need.
- 1:18:27 It's not just tech.
- 1:18:29 We all need an, I don't know about an excuse, a justification to ourselves for adding to the pile of stuff.
- 1:18:37 But what I'm suggesting is that we go even more like SBOMs and that we actually have, you know, not just,
- 1:18:45 it's lovely that those people have made those websites trying to document this markets,
- 1:18:49 but what I'm proposing is that some US president makes an executive order.
- 1:18:53 This is required.
- 1:18:54 Absolutely.
- 1:18:55 When I buy an album, I should be able to see the bill of materials for every single track on that album.
- 1:19:01 I need the details.
- 1:19:02 That's my right as a listener of music.
- 1:19:05 More of those, please.
- 1:19:06 Exactly.
- 1:19:07 That's what we need.
- 1:19:08 The nutrition facts of the album.
- 1:19:09 And we could get jobs as auditors.
- 1:19:11 I'm here for it.
- 1:19:12 If a particular distortion pedal is deprecated and we need to revitalize that, you know,
- 1:19:20 plug in a new distortion pedal, rebuild the track, sorted.
- 1:19:24 Marcus, how about you?
- 1:19:27 What are you looking for?
- 1:19:28 For me, there was a discussion.
- 1:19:30 We're having some folks on Mac Admin Slack.
- 1:19:33 And I've realized, you know, whenever I go traveling, I'm about an hour away from the airport.
- 1:19:39 And there's usually that moment about just as we've gotten on the freeway, either in my own car or on Uber,
- 1:19:45 where it's like, did I pack X?
- 1:19:49 And the number of times I've pulled over onto the service road in the freeway to go and check my bag to go,
- 1:19:56 yes, in fact, I do have that.
- 1:19:58 But to be able to do a live SBOM of what is in my luggage and, most importantly,
- 1:20:03 what is not in my luggage, to be able to make that decision where,
- 1:20:07 is it easy to turn around and get the thing I don't have?
- 1:20:10 Or is this something I can just, you know, acquire when I get there?
- 1:20:14 Or just think about something else rather than what's in my freaking luggage.
- 1:20:19 So that's it for me.
- 1:20:21 What about you, Tom?
- 1:20:27 Well, you know, my choice may be a little controversial, but, you know, we've made jokes in the United States for years
- 1:20:35 that our politicians should wear NASCAR suits with all the patches of the, you know,
- 1:20:40 the people that are supporting their campaigns and that have contributed to their PACs and all of those things.
- 1:20:47 I am all for this.
- 1:20:48 I think that that is exactly what you should do.
- 1:20:50 Right now in the media, there's frequently, it's, you get the person's name and it's their party affiliation in the state that they're from.
- 1:20:58 And, you know, I would love to see, give me the, on the chyron, I mean, it was going to say, it's a moving chyron.
- 1:21:05 It's not like the old days.
- 1:21:06 Give me the dynamic list of the top 10 people that donated to the last election.
- 1:21:11 And let's see what that looks like.
- 1:21:16 Because I think that would be a truth in lending kind of situation that I think would be very, very valuable.
- 1:21:23 Especially, you know, now, here we are.
- 1:21:26 I was talking with some friends today about, of course, the TikTokpocalypse, which is, it seems to be going and ongoing all at once.
- 1:21:35 We don't know where this is going to land.
- 1:21:36 But, you know, all of the different reasons why this was a really good idea, terribly, terribly, terribly executed.
- 1:21:46 And I think that, you know, understanding, you know, some of the other things that may weigh into their decision-making process would be a helpful thing.
- 1:21:55 So, that's my thought.
- 1:21:57 I will accept your letters at devnull at macadminspodcast.com.
- 1:22:02 Please address them appropriately.
- 1:22:04 I will give them all the due consideration there, that they aren't.
- 1:22:11 Mike, John, thank you both so much for spending the last hour with us.
- 1:22:15 It's been absolutely incredible talking with you guys about Workbrew.
- 1:22:18 We wish you guys nothing but the best this season.
- 1:22:19 Hope to see you guys.
- 1:22:21 Now, I was going to say, Mike, I'll give you a special invite because I know you're in Edinburgh.
- 1:22:24 Four hours south of you, you know, five hours, I guess, in Brighton is Macad in the middle of May this year.
- 1:22:30 May 14th through 17th.
- 1:22:32 If you guys happen to come up for that, I'd love to see you. Beers on me.
- 1:22:35 So, or we'll find some good music to go watch and that'll be even better.
- 1:22:39 So, come join us.
- 1:22:41 Thank you both so much for joining us today.
- 1:22:43 It's been such a pleasure to have you.
- 1:22:44 Thanks so much for having us.
- 1:22:46 It's great to be back and look forward to the next time.
- 1:22:48 Thanks for having us.
- 1:22:49 For sure.
- 1:22:50 And open invite.
- 1:22:51 If you've got something fun to talk about, we'd love to talk about it.
- 1:22:54 So, that's fantastic.
- 1:22:55 Thanks so much to our wonderful sponsors this week.
- 1:22:58 That's our friends at Kandji, 1Password, iMazing, and SmallStep.
- 1:23:02 And thanks, everybody.
- 1:23:03 We'll see you next time.
- 1:23:05 See you later.
- 1:23:06 The MacAdmins Podcast is a production of MacAdmins Podcast, LLC.
- 1:23:21 Our producer is Tom Bridge.
- 1:23:23 Our sound editor and mixing engineer is James Smith.
- 1:23:26 Our theme music was produced by Adam Kudiga the first time he opened GarageBand.
- 1:23:31 Sponsorship for the MacAdmins Podcast is provided by
- 1:23:34 the MacAdmins.org Slack, where you can join thousands of MacAdmins in a free Slack instance.
- 1:23:39 Visit MacAdmins.org.
- 1:23:41 And also by Technolutionary, LLC.
- 1:23:43 Technically, we can help.
- 1:23:45 For more information about this podcast and other broadcasts like it,
- 1:23:49 please visit Podcast.MacAdmins.org.
- 1:23:52 Since we've converted this podcast to APFS,
- 1:23:55 the funny metadata joke is at the end.