If you’re wondering what Craig McLuckie is doing since leaving Heptio and VMware behind… well, he’s not living full time in the Kubernetes world anymore, but he heads a startup that’s very much involved in open source issues.
“I think for me there’s the journey. I always believe you never want to be selling out, you want to be buying in. I, authentically, bought into the vision of bringing a new kind of cloud native computing capability to the VMware ecosystem.”
I was on a Zoom talking with Craig McLuckie who in 2014, along with Joe Beda and Brendan Burns, had started the Kubernetes project while working at Google. Two years later, in 2016, Kubernetes was outpacing Swarm, Docker’s established container orchestration tool, and McLuckie and Beda had left Google to start Kubernetes-focused Heptio.
Two years after that, VMware bought Heptio for $550 million, with McLuckie and Beda both going along for the ride — Beda as a principal engineer and McLuckie as VMware’s vice president of research and development. Four years later, in 2022, VMware was purchased by Broadcom and Beda and McLuckie both walked.
Beda left first, not long after the sale was announced, and currently lists himself as semi-retired on LinkedIn. McLuckie stuck around until the sale closed.
“I think there’s a sort of time for everything,” he said. “I think the opportunity to work with Broadcom would have brought some interesting opportunities, things that I would personally have grown from and learned from. But it was also a good opportunity for me to reflect on what I wanted to do and what I valued, and to take some time to process everything that had happened through the years.
“As we moved towards the close, it became clear to me that the thing I love doing is building companies from the ground up,” he added. “I know that’s really my passion.”
Life After VMware
On Monday, McLuckie will be a speaker at the All Things Open conference in Raleigh. He’ll be taking the main stage in the big Ballroom at the Raleigh Convention Center to give one of the opening keynote addresses, and immediately following the keynotes he’ll give a presentation in the conference’s “security” track. That talk will build on his keynote.
He’ll be speaking as the co-founder and CEO of Stacklok, a startup that emerged from stealth last year with $17.5 million in funding. That the startup is an open source company should come as no surprise, considering that McLuckie, Beda, and Burns have been credited with convincing Google to release the software as open source.
“I love working in the open source ecosystem,” McLuckie told me. “I’m naturally a kind of creative soul and there’s nothing more rewarding and nourishing to create than a company and a startup.”
It’s not much of a surprise that McLuckie wanted to lead a new company, as that seems to be common among tech entrepreneurs. What might be surprising is that his new startup, where he’s both co-founder and CEO, is focused on security instead of Kubernetes. His co-founder and CTO is Luke Hinds, the founder of the Sigstore project, the code signing and verification service which is a central component of the Linux Foundation’s Open Source Security Foundation.
The decision to create another startup was made at about the same time that Broadcom finalized its acquisition of VMware. While there was much lamenting at the time on how Broadcom’s actions were squandering the goodwill that VMware had built with its embrace of Heptio and other open source properties it acquired, McLuckie was looking ahead instead of focusing on the past.
“For me, it wasn’t so much what was happening at Broadcom — there’s no story to tell there,” he said. “It was just a moment in time when I got to reflect on what I really wanted to do, and the thing that I’m really attracted to is innovating in the open source ecosystem.”
“I spent some time trying to be a stay at home dad and thinking about that, but also taking the time to really think about where the key gaps were — like what the open source community needs the most,” he said. “That’s what really led me to some of the ideation around Stacklok.”
A Pivotal Decision
That ideation centered around the realization that there was a weak link in the open source supply chain that was largely being ignored.
“As part of my job as VP of R&D at VMware, I had an opportunity to be pretty central to VMware’s investments in the open source ecosystem,” he said. “When we acquired Pivotal, it came with some really great, really interesting, open source technology. Obviously, things like Cloud Foundry as an ecosystem was vibrant and interesting and had a lot of really passionate customers, but it also got me closer to development technologies with the acquisition of Spring, and the Spring Framework which underpins a large portion of the world of Java applications.”
The thing that got to him, he said, was the realization that whether developers were aware of it or not, using technologies such as Spring requires a great deal of trust.
“The Spring team puts a lot of time and effort and work into creating effective packages that are secure and have a lot of great operating attributes, then hands those packages off to a package manager like Maven Central, and that package manager then hands them off to developers. But no one’s really asking questions like, what happens if a negative or a hostile actor gets themselves into the loop? How would you know? How would you discover that?”
About the same time that McLuckie was having these thoughts, the software supply chain began to prove that his fears were valid. There was the Colonial Pipeline ransomware attack, which resulted in gas and oil deliveries being shut down throughout the southeast; and SolarWinds, which affected as many as 18,000 organizations after malware was planted inside SolarWinds’s Orion network management software.
There were others, too many to mention, and enough to prompt President Biden to issue an executive order on software supply chain security during his first full month in office in 2021; the issue remains an ongoing concern for his administration.
Battening Down the Software Supply Chain
To make a long story short, McLuckie’s realizations — and the fact that his fears were actually manifesting in the real world — eventually led him to partner with Hinds to launch Stacklok, which earns its keep by helping enterprises increase security by paying attention to the lineage of the software they’re using.
In the process, the startup has developed a couple of tools that developers and companies can use to help keep track of software supply chain issues.
One of these products is Minder, an open source platform that provides a set of checks and policies that development teams can use to manage their security posture and certify security practices to downstream users. The other, which can be integrated with Minder, is Trusty, a free web app for vetting open source packages to determine that they’re authentic, actively maintained, and not malicious.
“Open source is, and will continue to be, a critical enabler for the world, but the world is getting more dangerous,” McLuckie said. “It’s undeniably true that there are people who mean harm that are participating in the ecosystem and are creating things that look good, but which are increasingly malicious over time.
“It’s not a world where your developers should just stop, give up, go home, and stop writing code — that’s never going to happen,” he added. “But it does behoove the community to pay attention to this type of threat.”
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux