Raw Record Source

{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreichw32xbbz3eu7wjfnmvirlardug4enaj7yuxgunrhfn3mgptl4iy",
    "uri": "at://did:plc:46ti67tc37qcmwp2vaynk6fq/app.bsky.feed.post/3mi22mbzsy372"
  },
  "path": "/2026/03/27/chainguard.html",
  "publishedAt": "2026-03-27T11:52:59.562Z",
  "site": "https://ral-arturo.org",
  "tags": [
    "Chainguard",
    "Chainguard Images",
    "SBOM",
    "provenance attestation",
    "Debian LTS project"
  ],
  "textContent": "A few months ago, in June 2025, I joined Chainguard, a company focused on software supply chain security. This post is a reflection on how I got here, what I’ve been doing, and why this role feels like a natural fit for my interests in Linux and open source technology.\n\n## The company and its mission\n\nChainguard’s mission is to make the software supply chain secure by default. The company is built around the idea that the software we all depend on — from operating system packages to container base images — carries hidden risk in the form of vulnerabilities, unverified provenance, and untrusted build processes.\n\nThe company is perhaps best known for Chainguard Images: a catalog of minimal, hardened container base images that are continuously rebuilt and kept free of known CVEs. Each image is accompanied by a signed SBOM (Software Bill of Materials) and a verifiable provenance attestation, making it possible to cryptographically verify what went into a given image and how it was built.\n\nChainguard has an extensive catalog of software, and maintaining it up-to-date and CVE-free is a significant engineering challenge.\n\n## What I do\n\nI joined the Chainguard Sustaining Engineering team as a Senior Software Engineer. We are responsible for maintaining packages and images in the software catalog up-to-date and CVE-free. The core of the business, basically.\n\nWe focus on the horizontal dimension of the catalog (pretty much all packages and images).\n\nWith +30,000 packages and +2,000 images, this is indeed an interesting task.\n\nMy role as Debian Developer, and my experiencie in the Debian LTS project was extremely valuable when joning this new team.\n\n## Looking ahead\n\nSoftware supply chain is truly a deep topic, gaining more and more relevance every day, especially as new technologies emerge and get adopted everywhere.\n\nSince early in my career, I saw a recurrent problem of how companies, enterprises, or even governments, relate to and consume open source software, in a reliable, secure way. I believe Chainguard is doing the right things in the ecosystem, and I’m happy to be participating in the effort.",
  "title": "Arturo Borrero González: New job at Chainguard",
  "updatedAt": "2026-03-27T08:00:00.000Z"
}