Trusty provides a free-to-use service with scoring and metrics about a package’s repo and author activity.
Stacklok is announcing the launch of two new capabilities to help detect and prevent supply chain attacks that build on tools like sigstore. Over time, we believe these capabilities will help mitigate newly emerging techniques that are threatening the health of open source ecosystems.
The OSS Trust Graph is an implementation of the Proof-of-Diligence algorithm created at Stacklok. Proof-of-Diligence (PoD) provides a robust mechanism to model trust, quality and maintainability in open source ecosystems. This blog post provides details on the reasoning behind the algorithm, how it is implemented, and how it can be used.
The recent CVE-2024-3094 (the XZ vulnerability disclosed by Red Hat on March 29, 2024) has sparked many discussions here at Stacklok, and with our friends in the community. We see a sea change in how hostile actors are operating.