Brian Fox discusses the challenges and future of open source package repository infrastructure. We discuss the complexities of managing public registries, the impact of overconsumption, and the importance of sustainable practices in the open source community. Brian tells us how organizations can reduce their footprint and contribute to a more balanced ecosystem. The package repositories cannot continue to be the world’s CDN. Episode Links Brian Fox Open Infrastructure is Not Free: A Joint Statement on Sustainable Stewardship Brian’s Blog Atlantic Council - Avoiding the success trap: Toward policy for open-source software as infrastructure This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player. ...

Join us for a conversation with Foxboron (Morten Linderud) and Anthraxx (Levente Polyak), members of the Arch Linux security team. We talk about the difficulties of maintaining a Linux distribution, the challenges of handling CVEs, and the dedication of volunteers who keep the open-source community working (and how overworked those volunteers are). We explain what makes Arch a little different, how they approach their security process, and what sort of help they would love to see in the future. ...

I discuss all things OpenSSL with Hana Andersen and Anton Arapov from the OpenSSL Corporation. Discover the intricacies of organizing the first-ever OpenSSL conference in Prague, the importance of post-quantum cryptography, and the evolution of OpenSSL from a small team to a global community. Whether you’re a seasoned cryptographer or just curious about the future of secure communications, this episode offers insights and stories. Don’t miss out on learning how OpenSSL is still shaping the future of cryptography. ...

In this episode I discuss the Python Software Foundation with Deb Nicholson. We discuss their contributions to the Python programming community. Learn how this dedicated organization supports the growth and innovation of Python, fostering an ecosystem for developers worldwide. Everything funding open-source projects to organizing community events, discover the initiatives that make the Python Software Foundation a force for positive change in the tech world. Episode Links Deb’s Linkedin Python Core Devs talk about the GIL Whither Python? Dr. Russell Keith Mcgee talks about Python’s history, including how the shift from 2 to 3 went. Python: The Documentary, an origin story the recently released documentary about the origins of Python Donate to the PSF as an individual Donate to PSF as a company This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player. ...

In this episode, we the information system mapping tool Mercator with Didier Barzin, a CISO at a hospital in Luxembourg. Discover how Mercator revolutionizes the way organizations map their complex information systems. From hospitals to universities and even the banking sector. Mercator helps manage and protect vast networks by creating dynamic, comprehensive maps that replace outdated Excel sheets. Join us as we explore the challenges and innovations in information security and the impact of Mercator on various industries. ...

In this episode, I discuss into the security features of Talos Linux with Andrey Smirnov. Andrey explains how Talos focuses on its immutability and minimal attack surface. Discover how these enhancements fortify your systems against vulnerabilities, ensuring a secure and resilient infrastructure. Join us as we explore the security advancements that make Talos Linux not only a super easy way to run Kubernetes, but also a very secure way. Episode Links Talos Linux Andrey This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player. ...

The Register recently published a story titled Putin on the code: DoD reportedly relies on utility written by Russian dev. They should be ashamed of this story. This poor open source developer is getting beat up now to score some internet points. It’s very upsetting. But anyway, let’s look at some receipts. If you’re not real smrt, it seems like pointing out an open source project is written by one person in a country you don’t like is a bad thing. It could be. But it also could be the software running THE WHOLE F*CKING PLANET is written by one person. In a country. But we have no idea which country. It’s not the same person mind you, but it’s one person. ...

In this episode I chat with the authors of a recent paper on open source security: Open Source, Open Threats? Investigating Security Challenges in Open-Source Software. I chat with Ali Akhavani and Behzad Ousat about their findings. There are interesting data points in the paper such as a 98% increase in reported vulnerabilities compared to a 25% growth in open source ecosystems. We discuss the challenges of maintaining security in a rapidly expanding digital landscape, and learn about the role of community engagement and automated tools in addressing these discrepancies. It’s a great paper and a fantastic discussion. ...

In this episode we discuss crates.io trusted publishing with Tobias Bieniek. We cover the steps crates.io is taking to enhance supply chain security through trusted publishing, a method that leverages short-lived tokens and GitHub actions to safeguard against unauthorized access. Tobias shares insights into the challenges of managing a large-scale open-source repository, offering a glimpse into the future of secure software distribution. Tune in to learn how these advancements are shaping the landscape of open-source development. ...