The Stack Overflow Podcast

Trust as a service for validating OSS dependencies

Nov 14, 2023

Craig, co-founder and CEO of Stacklok, discusses trust and validation of OSS dependencies. They introduce Trusty and MINDER, two projects that enhance package security. AI is used to recommend alternative packages and promote security practices.

12:49

Creator website

Episode guests

Craig

AI Summary

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

The traditional currency of CVEs is no longer effective, and the community needs to improve security practices and connect source of origin to artifact for better security posture.

Stack Lock has developed Trusty and Minder to provide developers with unique insights, automate security processes, and ensure better security posture.

Deep dives

The Pain Point Six-Store Addressed

Six-Store was created to address the lack of easy signing and publishing of provenance information associated with a package. It aimed to provide a deterministic view of package production, including the source and context.

Introduction

2min

Trust, Validation, and the Risks to Open Source Dependencies

5min

Analyzing OSS Dependencies with Data Science and Introducing Trusty and MINDER

3min

Using AI to Recommend Alternative Packages and Promote Security Practices

3min

ICYMI, listen to part one of this conversation.

Craig is the cofounder and CEO of Stacklok, which helps developers and open-source communities build safer software, secure the supply chain, and choose safer dependencies. Stacklok’s free-to-use service, Trusty, employs a statistical analysis of author/repo activity and a package’s source of origin to assess its trustworthiness.

Craig cofounded the Kubernetes project, an open-source system for automating deployment, scaling, and management of containerized applications.

Craig is on LinkedIn.

Stack Overflow user mprivat earned a well-deserved Lifeboat badge by answering Abstract class extending concrete classes.