decodebytes's comments

Just searched for world record. 24 minutes!

Budimir Šobat (Croatia) at 56 years old no less!


Without breath up on supplemental oxygen, it is half that


A lot of this is plain naive and wrong.


How so?


Stacklok | Fully Remote | Multiple Open Roles

We are an innovative startup founded by the creators of Kubernetes, Sigstore and the folks who bootstrapped foundations such as the CNCF and OpenSSF.

Our mission is to revolutionize the software industry by providing a secure and trustworthy software supply chain. With our deep expertise in open-source technologies and commitment to enhancing software security, we are seeking highly skilled and motivated individuals in multiple roles.

* Senior FrontEnd Engineer

* Senior Site Reliability Engineer

* Staff Product Manager

* Staff Security Software Engineer

* Staff Site Reliability Engineer

* Staff Software Engineer - Core Platforms and OSS

* Staff Software Engineer - ML/AI

Please apply at: https://www.stacklok.com/careers


Which LLM are you using?


Yep, currently gpt-3.5-16k or gpt-4. We wrote the example prompts in a relatively Llama-compatible way though (we actually started building this onto Llama 1 before switching to OpenAI as default), and make few assumptions about the LLM so it's easy to switch out. Mostly this is waiting behind us adding an option to pass in any LLM, and we're planning to add support for this.

Generally, we leave the LLM up to the user -- if OpenAI or Google is a no-go, then you probably are anyway in the territory of self-hosting or even self-training your LLM, which means you're fine setting up your own inference endpoints as well.


For the time being, it looks like you can choose between gpt-3.5-turbo-16k and gpt-4.

https://github.com/opencopilotdev/opencopilot/blob/d7aa8270d...


Looks like gpt4


> the richer a person is, the harder they are to corrupt

That is quite a low view of non-rich citizens. A lot have morals as a baseline for corruption, beyond the cash / assets we hold.


I view rich and non-rich people equally. Many are moral, many others are corruptible. Among the latter, it's harder (more expensive) to corrupt a non-rich person.


https://www.stacklok.com/careers

Stacklok is a startup focused on software supply chain security, founded by the co-founder of Kubernetes and myself (Luke Hinds, founder of Sigstore).

We are also looking for a staff data scientist and a senior / staff SRE, but don't have the roles up just yet. You can reach me at luke@stacklok.com, but no recruiters (you will end up in the blocked folder).


https://stacklok.com/careers

Stacklok is a Series A round startup in the supply chain security space, co-founded by the founders of Kubernetes and Sigstore.

Currently seeking mostly engineering roles: front end (React) and backend (Go / gRPC).

This is full time remote, but only hiring from EMEA to the East Coast of the US.


How much cycling do you have to do for that to become a credible risk though? I am imagining quite a bit more than a daily commute.


Cycling doesn't directly cause loss of bone mineral density. Ride as much as you like.

The issue is that some people use cycling as their only form of exercise. For bone health you need to mix in other high impact exercises such as running and weightlifting.


Paranoid and false.

The Root CA is generated by the Sigstore community (five folks, two from academia). Right now GitHub exchanges an OIDC token for a Sigstore root-chained cert.

GitLab are currently adding themselves, to have the same capability (several other providers are there as well).

https://github.com/sigstore/fulcio/pull/1097


Yeah, we'll see. You say paranoid, I say extinguish.


Extinguish what exactly? Are people publishing packages to anywhere other than npm, and maybe GitHub? Microsoft already owns both of those, so there is nothing to extinguish.

It's not clear what you're worried about, and I'm skeptical you can articulate it, because it makes no sense.

And I say this as someone who is an extremely paranoid anti-corporate crusader, just like I imagine you are. But in this instance, your worry is misplaced.


My thinking is that the path goes thus:

- build on the record of supply chain compromises in npm to justify a provenance system

- establish yourself as one of the trusted authorities on establishing provenance

- spread fear and doubt about untrusted software

- become the trusted source and supplier of software

- open source becomes synonymous with untrusted software, basically malware

- in microsoft we trust

I think Microsoft's land grab over open source software was pretty clearly established when they bought GitHub, and the general attitude of "they're nice now, it'll be fine" is going to be judged harshly in the future. Or I'm a paranoid crank with a misplaced mistrust of Microsoft, who didn't declare "Linux is a cancer" or anything like that.


I understand that line of thinking, but what land are they grabbing? They already possess all of it through npm and GitHub.

Do you think they intend to exclude caches like yarnpkg.com as insecure? I don't see how they would do that, since (1) your cache is a local config variable, not part of package.json, so there's no static analysis that could mark packages downloaded through Yarn as insecure, and (2) all of the key signature metadata is publicly available, so any cache or alternative package manager can implement the same provenance features as npm.

Or are you worried about EEE of the upstream source repositories and CI runners, e.g. "only packages built through the GHA platform can contribute provenance data to the npm registry"? I guess I could see that as a more reasonable fear, but as someone else explained to you, it's also unfounded (at least for now - which is maybe your argument), and GitLab is currently working on their own implementation. But even if they tried that, then you could still publish and consume packages from another registry if you wanted to. And I'd like to think that if Microsoft made a hostile move like that, we could count on package managers like yarn to pull provenance data from other sources.


Better overview on the main release blog: https://github.blog/2023-04-19-introducing-npm-package-prove...


Yes, and a second analysis by an independent party: https://socket.dev/blog/npm-provenance

