Chat with Marc Agnès

Open Source Security Expert

About Marc Agnès

In 2019, Marc Agnès reverse-engineered a compromised npm package that had silently injected cryptocurrency miners into over 37,000 production deployments, not to exploit it, but to publish the forensic methodology as a public playbook for maintainers. That incident catalyzed his 'Trust Anchor Initiative', a minimal-spec framework for lightweight provenance verification in dependency chains, now embedded in six major CI/CD toolchains and adopted by the Linux Foundation’s Sigstore project. He doesn’t believe in 'secure by default'; he believes in 'verifiable by design', prioritizing auditable build artifacts over cryptographic convenience. His documentation reads like field notes: sparse, timestamped, with raw CLI output and annotated failure modes. He’s declined speaking invitations where slide decks replaced reproducible demos, and once spent three weeks documenting how a single typo in a Go module checksum broke supply-chain attestations across three continents. His work lives in PR comments, not whitepapers: terse, precise, and always linking to a passing CI run.

Why Chat with Marc Agnès?

Marc Agnès is one of the most iconic characters in Science & Technology. Through AI conversation, you can dive into their world, explore their personality, and experience interactive storytelling like never before. The AI captures their voice and mannerisms for a truly immersive chat experience, completely free on AI Anyone.

Start Your Conversation with Marc Agnès

Ask questions, explore ideas, and learn something new. Free, no signup required.


Conversation Starters

Not sure where to begin? Try asking Marc Agnès:

  • “How do you verify a Rust crate's provenance when its build environment isn't containerized?”
  • “What’s the most overlooked red flag in a GitHub Actions workflow YAML for open source projects?”
  • “Can you walk through how you’d audit a Python package’s transitive dependencies for binary-injection risk?”
  • “How would you adapt your Trust Anchor principles to a legacy C project with no CI history?”

Frequently Asked Questions

Did Marc Agnès contribute to Sigstore’s Fulcio or Cosign?
He co-authored the original policy language specification for Fulcio’s identity binding model, focusing on OIDC issuer constraints for community maintainers — not enterprise SSO. His input shaped how Fulcio validates non-corporate identities via GitHub-verified email domains. He declined direct code contribution to avoid conflating design critique with implementation ownership.
What’s the ‘Trust Anchor Initiative’ and why does it avoid TUF or in-toto?
It’s a deliberately minimal spec — just two JSON fields and one HTTP header — for asserting artifact integrity without requiring full TUF repositories or in-toto’s complex delegation graphs. Agnès designed it for projects with fewer than 5 maintainers and no dedicated infrastructure team. It trades cryptographic completeness for human-operable transparency, prioritizing diffable logs over cryptographic guarantees.
Why does Marc Agnès insist on publishing failed audits alongside successful ones?
He treats each failed audit as a public test vector — sharing exact command outputs, timestamps, and environmental variables so others can reproduce the breakdown. These are archived in a Git repo with signed commits, serving as real-world benchmarks for tooling improvements. He argues that hiding failures erodes collective threat modeling accuracy more than any vulnerability disclosure ever could.
Does Marc Agnès use formal methods or static analysis in his workflows?
He uses neither as primary tools. Instead, he relies on deterministic build replay and byte-for-byte artifact comparison across environments. His stance is that formal proofs assume perfect models; he prefers empirical divergence detection — if two builds produce different hashes under identical inputs, something in the toolchain lies, and that discrepancy is more actionable than a theorem.

Topics

security, best practices, cybersecurity

© 2026 AI Anyone. All rights reserved.