Hacker News new | ask | show | jobs
by jacques_chester 824 days ago
Not at Chainguard but I've watched their growth.

I think this comes down to audience. To a lot of engineers it's just like ... "OK, that's nice. What else?"

But for security teams in large enterprises, Chainguard is like manna from heaven. They immediately understand what is really being sold: the elimination of enormous amounts of compulsory toil due to upgrading vulnerable software -- or having to nag other teams to do it.

It's a bit like visiting the site of a medical devices manufacturer. I probably don't know what the device does, but the target audience sure do.
3 comments
ravedave5 824 days ago
I just heard of this today and I was like OMG this will save me so. much. time. chasing engineers and teams and creating work around for dumb stuff that the base images refuse to fix because it's a "false positive". I unfortunately HAVE to fix all high CVEs, regardless of peoples opinions.
link
candiddevmike 824 days ago
> But for security teams in large enterprises, Chainguard is like manna from heaven. They immediately understand what is really being sold: the elimination of enormous amounts of compulsory toil due to upgrading vulnerable software -- or having to nag other teams to do it.

Explain to me how Chainguard helps with this. Everywhere I've worked, this process has very specific needs depending on the companies internal and regulatory requirements. Chainguard may help with proof of origin/base imaging, but it doesn't do much beyond what container registries and tools like dependabot/snyk/dependency track already provide (not saying they're directly related), which doesn't really reduce that much toil.

link
dlor 824 days ago
The big ones that help are SBOMs, STIGs, FIPS, and CVE reduction. The images and the paperwork we provide make it so they can be dropped in to even the most regulated environments without toil.

Most of our customers use them for FedRAMP or IL 5/6 stuff out of the box.

link
jacques_chester 824 days ago
It doesn't eliminate all toil, but it eliminates a lot. At least their customers think so.
link
candiddevmike 824 days ago
As someone who has been watching Chainguard since they were "spun out" of Google, they started out trying to be the defacto container supply chain security company, realized everyone else was already doing that and well ahead of them, and have done a few pivots trying to find PMF. I think they've found more success being consultants, which is probably not what they hoped for.
link
dlor 824 days ago
I can confirm our business is roughly 0 percent consulting and that it's 100% selling these hardened images.
link
mistrial9 824 days ago
I turn away immediately at religious terminology being reused verbatim for commercial environments
link
jacques_chester 824 days ago
I'm an atheist, for what it's worth.

If it helps, substitute "Darmok and Jalad at Tanagra" instead.

link