Craig McLuckie

834 posts


@cmcluck

Co-founder and CEO of Stacklok. Co-founder Kubernetes, Heptio. Devoted husband and dad.

Seattle. Joined February 2011
334 Following, 13.5K Followers
Craig McLuckie @cmcluck
The Toolhive team just shipped semantic search for MCP tool calling. Reduce tool pollution and drive performance. Check it out: dev.to/stacklok/cut-t…
Craig McLuckie retweeted
All Things Open @AllThingsOpen
🚀 NEW on We ❤️ Open Source 🚀 Discover how AI is reshaping developer workflows and security! Craig McLuckie (@cmcluck), co-creator of Kubernetes, shares insights on tackling AI risks and introduces Minder. 🎥 Watch now: buff.ly/4199peP #WeLoveOpenSource #Cybersecurity
Craig McLuckie retweeted
Stacklok @StackLokHQ
On 8/29, we found malicious code in @pypi package "invokehttp." This package raised red flags due to inconsistencies in its metadata and the absence of any verified connection to its claimed GitHub repository. Full analysis here: stacklok.com/blog/cross-pla… #cybersecurity #malware
Craig McLuckie retweeted
Stacklok @StackLokHQ
Pinning actions and container images to digests is a security best practice, but tedious to do. The new #oss Frizbee GitHub Action makes automating this process easier. stacklok.com/blog/new-frizb… #appsec #github
Craig McLuckie @cmcluck
Minder is a nice way to integrate increasingly rich security capabilities into your project with an OSS based, free-to-use service. Do give it a try and let us know what you think!
Stacklok @StackLokHQ

Minder now uses data from the open source OSV.dev project to block pull requests with malicious dependencies, so they're never merged into your code. We also use OSV data to block PRs with known vulnerabilities. stacklok.com/blog/blocking-… #oss #appsec

Craig McLuckie retweeted
Stacklok @StackLokHQ
📺 ICYMI: Our co-founder @cmcluck #OpenSourceSummit NA Keynote is available!📺 "I truly believe that the open source portfolio is one of the great treasures of humanity...and so we owe it to our communities and ourselves to make sure that as this ecosystem changes, as new disruptive tools are approaching, as hostile actors are operating in new ways, we're positioned to navigate this in a mature and sustainable way." youtu.be/iUJKKQgn5rs
Craig McLuckie retweeted
Luke Hinds @decodebytes
The gated CVE blocking along with the fix recommendation rule in github.com/stacklok/minder is something I am particularly fond of:
Craig McLuckie retweeted
Stacklok @StackLokHQ
Great post that explains why signatures and attestations matter for software security. For example, @projectsigstore can create tamper-proof paper trails linking an artifact back to CI. (And thx for the shout-out about our work to help operate sigstore's public good instance!)
GitHub @github

The lack of visibility into a software artifact’s lifecycle is the source of many of today’s most compelling security challenges. Learn more about artifact attestation in this blog post. github.blog/2024-04-30-whe…

Craig McLuckie retweeted
Stacklok @StackLokHQ
For #opensource maintainers with projects spanning 20+ repos, it's often manual and time-consuming to manage repo configuration. We built a policy template in Minder to automate this—you can customize it and apply it to your repos for free: cloud.stacklok.com
Craig McLuckie retweeted
Luke Hinds @decodebytes
OSS: Where an idea you have in the midst of the lockdown from your shed come office, ends up securing huge swathes of the software. Nice to see @StackLokHQ get a nod towards efforts put into helping run the @projectsigstore public infra along with maintaining the code itself.
GitHub @github

The lack of visibility into a software artifact’s lifecycle is the source of many of today’s most compelling security challenges. Learn more about artifact attestation in this blog post. github.blog/2024-04-30-whe…

Craig McLuckie retweeted
Stacklok @StackLokHQ
(2/2) Our second announcement: Minder Cloud! Having high-quality intelligence about open source packages is only as useful as an organization’s or a community’s ability to drive policies that shape developer behavior. That’s why we launched the open source software security platform Minder last November, as a way to apply and continuously enforce policies across the software delivery lifecycle. Today, we are launching Minder Cloud, a fully managed version of Minder that makes it easier for open source developers and communities to set up and enforce policies to help them produce safer, more sustainable software. To that end, we have committed to making Minder Cloud free forever for use on public repositories. Read more and get started with Minder Cloud here: bit.ly/4aynMv4
Craig McLuckie retweeted
Stacklok @StackLokHQ
(1/2) 👋 We made some big announcements today at the #OSSummit. Here's the first. Today, we're introducing the OSS Trust Graph, a way to model trust in #opensource ecosystems. It maps the connections between open source contributors and projects, and, through our “proof-of-diligence” algorithm, uses that data to build an understanding of the relative safety and sustainability of those projects. We think this Trust Graph can help in two ways: 1) Identifying malicious activity. We can’t say with confidence that the OSS Trust Graph would have uncovered the XZ vulnerability, but we believe it’s a step in the right direction. We know that the hostile actors’ introduction of many relatively unknown “sock puppet” accounts would have driven down the score of the project. While there would be a fair amount of activity, the introduction of relatively unknown individuals all contributing to the same project would lower the project’s score, providing a signal to the community. 2) Identifying open source projects that need support. Through changes in scoring, the OSS Trust Graph could help us understand when high-contributing maintainers leave a high-scoring and widely used project, leaving it vulnerable to being abandoned or to a hostile takeover. Likewise, it could help identify high-scoring projects with a low number of high-scoring maintainers that could benefit from additional support and funding. Read more about this and sign up for private beta access here: bit.ly/3w6y5HH
Craig McLuckie retweeted
Arun Gupta @arungupta
The Good, Bad and Ugly for GenAI by @cmcluck at #OSSummit
The Good: More productive maintainers
The Bad: New vulnerabilities and methods of exploitation
The Ugly: Increasing pressure on communities
Path forward for #opensource producers and consumers
Craig McLuckie retweeted
Matt Klein @mattklein123
New post on what happens after you add a control plane and local storage for observability: you get 1000x the telemetry when it matters. mattklein123.dev/2024/04/17/100…