@kala shared an update, 6 days, 13 hours ago

NanoClaw + Docker Sandboxes: Secure Agent Execution Without the Overhead

NanoClaw integrates with Docker Sandboxes to enhance AI agent security through strong isolation and transparency. This collaboration focuses on enabling secure and autonomous operations for AI agents within enterprise environments.

@varbear shared a link, 6 days, 14 hours ago

The real cost of random I/O

The random_page_cost setting was introduced ~25 years ago, and its default value has remained at 4.0 since then. Recent experiments suggest that the actual cost of reading a random page may be significantly higher than the default value, especially on SSDs. Lowering the random_page_cost may not always be the be...

@varbear shared a link, 6 days, 14 hours ago

Interview with Thomas Wouters - release Manager for Python

The interview traces Python's core evolution. It starts with adding augmented assignment (+=) and the PEP 203 debates. Arguments followed. Nested scopes landed via future imports. Maintainers repackaged elementtree/xmlplus using path. asyncio rose and supplanted Twisted. Python moved to yearly releases...

@varbear shared a link, 6 days, 14 hours ago

Things I miss about Spring Boot after switching to Go

The author migrated from Java/Spring Boot to Golang. Spring bundles Security, Data, Actuator, and auto-wiring. Go prefers minimalist libraries and explicit wiring. It produces static binaries, instant startup, lower memory use, and native goroutine concurrency. Spring needs JVM startup and GC tuning...

Sigstore

Sigstore is an open source initiative designed to make software artifact signing and verification simple, automatic, and widely accessible. Its primary goal is to improve software supply chain security by enabling developers and organizations to cryptographically prove the origin and integrity of the software they build and distribute.

At its core, Sigstore removes many of the traditional barriers associated with code signing. Instead of managing long-lived private keys manually, Sigstore supports keyless signing, where a short-lived signing certificate is issued for an identity proven through an OpenID Connect (OIDC) provider such as GitHub Actions, Google, or Microsoft. This dramatically lowers operational complexity and reduces the risk of key compromise.

The sigstore ecosystem is composed of several key components:

- Cosign: A tool for signing, verifying, and storing signatures for container images and other artifacts. Signatures are stored alongside artifacts in OCI registries, rather than embedded in them.

- Fulcio: A certificate authority that issues short-lived X.509 certificates based on OIDC identities, enabling keyless signing.

- Rekor: A transparency log that records signing events in an append-only, tamper-evident ledger. This provides public auditability and detection of suspicious or malicious signing activity.

Together, these components allow anyone to verify who built an artifact, when it was built, and whether it has been tampered with, using publicly verifiable cryptographic proofs. This aligns closely with modern supply chain security practices such as SLSA (Supply-chain Levels for Software Artifacts).

Sigstore is widely adopted in the cloud-native ecosystem and integrates with tools like Kubernetes, container registries, CI/CD pipelines, and package managers. It is commonly used to sign container images, Helm charts, binaries, and SBOMs, and is increasingly becoming a baseline security requirement for production software delivery.
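As an added example (not code from this page or from the Sigstore project), the following GitHub Actions workflow builds a container image, signs it keylessly with cosign through the runner's OIDC identity, and then verifies it by pinning the expected signer identity and issuer. The repository name, registry path and workflow file name (assumed saved as .github/workflows/release.yml) are placeholders.

```yaml
# Added example, not from the page or the Sigstore project.
# Assumptions: repository example-org/example-app, image pushed to
# ghcr.io/example-org/example-app, and this file saved as
# .github/workflows/release.yml (that path is part of the pinned identity).
name: build-sign-verify

on:
  push:
    branches: [main]

permissions:
  contents: read
  packages: write
  id-token: write   # lets the job obtain an OIDC token that Fulcio exchanges for a cert

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: sigstore/cosign-installer@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: build
        uses: docker/build-push-action@v5
        with:
          push: true
          tags: ghcr.io/example-org/example-app:${{ github.sha }}

      # Sign by digest, not by tag: tags are mutable, digests are not.
      # No private key is stored anywhere; the short-lived Fulcio certificate
      # and the signature are recorded in Rekor and pushed to the OCI registry.
      - name: Sign image (keyless)
        run: cosign sign --yes ghcr.io/example-org/example-app@${{ steps.build.outputs.digest }}

      # Verification must pin WHO may have signed and WHICH issuer vouched for
      # that identity; without both pins any valid Fulcio certificate would pass.
      - name: Verify image
        run: |
          cosign verify \
            --certificate-identity "https://github.com/example-org/example-app/.github/workflows/release.yml@refs/heads/main" \
            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
            ghcr.io/example-org/example-app@${{ steps.build.outputs.digest }}
```

A consuming pipeline or admission controller applies the same two pins, and verifying by digest means a retagged or replaced image does not inherit the signature.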

The project is governed by the OpenSSF (Open Source Security Foundation) and supported by major industry players.