Artifact attestations are indeed another solution based on https://www.sigstore.dev/ . I still think Asfaload is a good alternative, making different choices than sigstore:
- Asfaload is accountless (keys are identity) while sigstore relies on OpenID Connect [1], which will tie most users to a mega corp
- Asfaload's backend is a public git, making it easily auditable
- Asfaload will be easy to self host, meaning you can easily deploy it internally
- Asfaload is multisig, meaning even if a GitHub account is breached, malevolent artifacts can be detected
- validating a download is transparent to the user, which only requires the download URL, contrary to sigstore [2]
So Asfaload is not the only solution, but I think it has some unique characteristics that make it worth evaluating.
Yes, that's why I aim to make the checks transparent to the user. You only need to provide the download URL for the authentication to take place. I really need to record a small demo of it.
With the recent incidents affecting Trivy and litellm, I find it extremely useful to have a guide on what to do to secure your release process.
The advice here is really solid and actionable, and I would suggest any team read it, and implement it if possible.
The scary part with supply chain security is that we are only as secure as our dependencies, and if the platform you're using has non-secure defaults, the efforts to secure the full chain are that much higher.
I have been using OMZ for the last 8 years but recently made the switch to plain zsh with:
- starship for a better prompt
- Claude ported plugins I was using from omz (extract, sudo)
- custom written aliases that were muscle memory
- zoxide for the a command
So far that has been a great move, my terminal tab feels snappy again. One thing I miss (but I'm sure I could find a way to replace it) is `cd ...`.
I'd argue ASML's moat isn't the machine itself but the ecosystem: Carl Zeiss optics, decades of supplier relationships, institutional knowledge.
This is clearly a significant achievement, but does anyone with semiconductor experience have a sense of how far "generates EUV light" is from "production-ready tool"?
This isn't a moat ASML can keep for long though. There can be alternative technologies to achieve the same goal. So far only China has that incentive. The real problem is process scaling is slowing down. How many more generations of lithography machines will ASML design? Probably not many. This means there will be no edge left in 5 or 10 years, as eventually brute force will work and China will achieve the same lithography resolution.
Till that point, they are just going all in with cheap coal + solar, so even if they use older machines and run longer exposure times, even if they achieve lower yields and toss away a lot of the dies, they are still economically competitive. At the end cheap energy solves a lot of the issues.
Nowhere close, but pace now seems faster than estimated, i.e. original western estimate is they won't even get EUV prototype up until 2030s.
Right now their chips are already "economically" competitive, as in SMIC is starving on 20% margins vs ASML/TSMC/NVIDIA getting gluttonous on 50-70%, at least for enterprise AI. Current scarcity pricing = litho costs borderline rounding error, 1500 Nvidia chip flips for 30000, 6000 huawei chip flips for 20000. The problem is really # of tools access and throughput. They can only bring in so many expensive ASML machines, including smuggling, which caps how much wafers they can afford to toss at low yield. They figure out domestic DUV to 2000 series and throughput is solved.
Hence IMO people sleeping on Huawei 9030 on 5nm DUV SAQP, still using ASML DUV for high overlay requirement processes, domestic DUV to fill rest. But once they figure out SAQP overlay, which will come before EUV, they're "set". For cost a 300m-400m ASML EUV, PRC can brrrt tools at BOM / cost plus margin. Think 40 domestic DUVs and associated infra for price of one ASML EUV to run 8x lines with 30% yield and still build 2x more chips normalized for compute that they can run on cheap local energy to match operating costs. Then they have export shenanigans like bundle 5nm chips with renewable energy projects and all of sudden PRC data center + energy combo deals might be globally competitive with 3/2nm. Deal with our shitter chips for now, once they deprecate we give you something better when our processes narrows gap, and you have bonus power to boot because some jurisdictions, building grid is harder than building fabs.
How does one even smuggle an ASML machine? I'd assume the machine stops working if the GPS position doesn't compute, at end of life I wouldn't expect ASML to allow these devices nor their components to end up on the second hand market, I'd expect the future transfers to require continued permission of ASML, much like weapons distribution.
The machines live indoors, far from being able to see GPS signals. Sure, you could require that there be an antenna run to the roof, but you can spoof that stuff.
The thing that helps prevent smuggling of ASML machines is that a) there are few of them (i.e., people would notice), b) it requires tremendous effort to move them at all, let alone without anyone noticing.
Considering that these tools are installed in seismically active areas [0], the last thing a customer would want is for the tool to zeroise itself because of an earthquake.
These machines are not like John Deere tractors. If you own the hardware, you own it. They won't be connected to internet. Security first!
The smuggling part is happening on the old machines before EUV. There's a lot of them available on the second hand market thanks to Europe and the US shutting down their old fabs. I don't think any DUV machine is smuggled. Even if they physically smuggled one, you need a team of ASML engineers to set it up and calibrate. You can guess what ASML will do in this case.
By the way, let's not forget: ASML doesn't have any problems with China. They are incredibly annoyed with the US and Dutch governments. This is potentially the biggest market they are missing out on. Even then, they won't tolerate a smuggling operation.
The US is close to having that incentive, if the rift between the US and Europe keeps widening. The Netherlands has one lever, but damn it's a long one.
ASML develops and ships their machines at the pleasure of Uncle Sam because the USA licensed them the tech and remains a crucial part of the supply chain intentionally. It's not a lever. It's a partnership that is mutually beneficial and neither side can really ruin the other without damaging themselves.
ASML will instantly stall at that point. The EUV light sources are built in the US under US export control regulation. No EUV light source means no ASML EUV machine. I get that some European chest-beating sounds good because there's not very much tech in Europe, but this is an intentional transnational supply chain. It's no accident that the US chose ASML to develop this tech rather than Canon or Nikon. Close ally deep within the US military shield from nearby air bases.
The biggest losers from any such actual attempt by Europe will be Western Europe and the US.
I really like that Europeans are starting to be more patriotic. It's good to see. It's also fortunate that European leaders are aware of Europe's position and role in geopolitics.
An alternative manufacturer, but not a supplier, no.
The US exerts sufficient control over ASML that this will not happen without NATO ending. And the end of NATO (which would be a geopolitical shift more profound than the Fall of the Berlin Wall) and a replacement with some Chinese EUV light source risks the scuttling of all ASML facilities and devices. This is vapor above a coffee cup.
The scenario I'm imagining is in fact the US further destabilizing NATO, in which case Europe wouldn't feel bound by any of the agreements we've made with Americans. Failing that, I don't think any of what was said above is relevant.
ASML owns the company that builds the light source. They acquired it, it's a US company, which is why US export controls apply, that's all. If needed, they could replicate the subsidiary in the EU.
This is too far from correct for any correction to be anything but a full restatement of the facts. Moving the tech over requires US approval. Listen, the Dutch are not going to risk it. Even if they were, ASML would not risk it because all of their customers wouldn't buy anything from a company that's on the EAR Entity List (which is where they'd end up if they tried this without the US allowing it) without US approval. I don't get why people are saying this stuff. It's like saying "Oh yeah, so you divide by zero and then multiply both sides and ta-da". Like, the whole statement is nonsensical.
To enable the whole thing to work you'd need the US to have shrunk to the equivalent of Canada in influence. I'm not saying that's impossible, but in that scenario, the Dutch might well be trying to keep Russians out of Amsterdam and the Turks out of Germany rather than trying to pull an IP heist on the Americans.
You can buy an e-book on Kindle and Amazon still controls what you do with it, right? ASML's ownership of Cymer is like that, except it's the US instead of Amazon.
Specifically, control is related to the Foreign Direct Product Rule, wherein the US claims jurisdiction over any foreign product containing 25% or more US-origin content (Cymer, etc.)
I think Europe is bluffing that they can go their own way. They can't. They won't try. Europe has been whining that they're going to catch up since the 80s, but they've yet to do it.
If you didn't care about exposure time, you could build 2nm chips with brute-force electron beam lithography. But the limited throughput confines EBL to research and very low-volume applications. ASML's EUV-based processes are what permit industrial-level scaling, ultimately because parallel beams of electrons repel each other while parallel beams of photons don't.
I don't personally understand why suitable EUV light sources are so hard to build, but evidently, they are. It sounds like a big deal if China is catching up in that area.
They can do 7nm and 5nm. Multiple patterning basically. I don't know when it doesn't scale anymore. Most likely 4x patterning is the max you want to do.
They are "extracting" optical devices from other machines, imagine how desperate they are for this "machine".
As I ironically said in another comment, all you need is a retired Chinese ex employee at Zeiss.
Nothing can stay private or secret forever, and they have the money and people to achieve that. Even if it takes them another 5 years to reach what we have today.
> I bet the ex employee doesn't even have to be Chinese.
That bit struck me as naive, given the instances of Americans who aren't Chinese nationals, or even ethnically Chinese at all, caught committing actual espionage on behalf of China.
Given the current high prices for chips and memory due to "AI" artificial resource scarcity, the world will welcome the additional chip production from China.
Having this kind of outage on a Friday after what happened last month though is not a good thing... Props to them for getting back up so quickly, but come on, these kinds of outages were not a thing a while back.
That single incident drops their uptime to four nines. Combine it with other recent incidents and they’re probably at three nines. That’s amateur level.
GitHub Code Search has too many quirks compared to the zoekt powered alternatives (cs.android.com, cs.bazel.build) which feel far more intuitive.
I wish Microsoft would invest more in improving it - especially since Sourcegraph can't search private repositories, leaving GitHub's tool as the only real option for many codebases.
None of Google's public source search engines (android, chromium, bazel) use Zoekt. They use Google's web indexing technology adapted for trigrams, which was mostly developed to support their massive internal monorepo, but exposed for a few of their major open source projects too.
You can index private repos with Sourcegraph, but it's a paid feature ($19/mo/user+).
[0] https://docs.github.com/en/actions/how-tos/secure-your-work/...