Stacklok is a startup focused on software supply chain security, founded by the co-founder of kubernetes and myself (Luke Hinds, founder of sigstore)

We are also look for a staff data scientist and a senior / staff SRE, but don't have the roles up just yet. You can reach me on luke@stacklok.com , but no recruiters (you will end up in the blocked folder).

stacklok is a series A round startup in the supply chain security space, co-founded by the founders of kubernetes and sigstore.

Currently seeking mostly engineering roles. front end (react) and backend (go / gprc).

This is full time remote, but only hiring from EMEA to the East Coast of the US.

The issue is that some people use cycling as their only form of exercise. For bone health you need to mix in other high impact exercises such as running and weightlifting.

The Root CA is generated by the sigstore community (five folks, two from academia). Right now github exchanges an OIDC token for a sigstore root chained cert.

GitLab are currently adding themselves, to have the same capability (several other providers are there as well).

https://github.com/sigstore/fulcio/pull/1097

It's not clear what you're worried about, and I'm skeptical you can articulate it, because it makes no sense.

And I say this as someone who is an extremely paranoid anti-corporate crusader, just like I imagine you are. But in this instance, your worry is misplaced.

- build on the record of supply chain compromises in npm to justify a provenance system

- establish yourself as one of the trusted authorities on establishing provenance

- spread fear and doubt about untrusted software

- become the trusted source and supplier of software

- open source becomes synonymous with untrusted software, basically malware

- in microsoft we trust

I think microsoft's land grab over open source software was pretty clearly established when they bought github and the general attitude of "they're nice now, it'll be fine" is going to be judged harshly in the future. Or I'm a paranoid crank with a misplaced mistrust of microsoft, who didn't declare "linux is a cancer" or anything like that.

Do you think they intend to exclude caches like yarnpkg.com as insecure? I don't see how they would do that, since (1) your cache is a local config variable, not part of package.json, so there's no static analysis that could mark packages downloaded through Yarn as insecure, and (2) all of the key signature metadata is publicly available, so any cache or alternative package manager can implement the same provenance features as npm.

Or are you worried about EEE of the upstream source repositories and CI runners, eg "only packages built through GHA platform can contribute provenance data to npm registry?" I guess I could see that as a more reasonable fear, but as someone else explained to you, it's also unfounded (at least for now - which is maybe your argument), and GitLab is currently working on their own implementation. But even if they tried that, then you could still publish and consume packages from another registry if you wanted to. And I'd like to think that if Microsoft made a hostile move like that, we could count on package managers like yarn to pull provenance data from other sources.

That's because you have OSA (obstructive sleep apnea). I (OP) have central sleep apnea, there is no obstruction, its related to the nervous system. I am already very lean (I run ultra marathons as a hobby).

Moreover it could easily be coupled with the sensors and soft required to work as a sleep analyzer, in order to help diagnose central apnea vs obstructive apnea, etc.

> 30% of YC companies exposed through SVB can’t make payroll in the next 30 days.

https://twitter.com/garrytan/status/1634286688922132481?s=20