There was recently a really good thread about the Copy Fail vulnerability between Will Dormann and Greg K-H. The TL;DR is that vulnerability reporting and disclosure is in a weird state of flux. This discussion got me wondering what’s going on, and I think we’re seeing the extremes emerging of how vulnerabilities have always worked. The middle of the bell curve has been removed. There are three groups in this story. The Security Researchers, the Companies, and Open Source developers. In the above discussion Will is a security research (one of the best I’ve ever seen). Greg is part of open source. There isn’t a great company representative, but that’s OK. ...

given enough eyeballs, all bugs are shallow – Linus’s Law A long time ago we thought Linus’s Law was a real thing and it was why open source was better than closed source. It seems pretty accepted now that Linus’s Law wasn’t ever really a thing. It’s far more likely the reason a lot of open source was pretty good is because the authors were worried someone WOULD look and judge them if the code looked like crap. We all have dark corners of private GitHub repos that are the code equivalent of a festering boil. ...

Josh has a discussion with Vlad-Stefan Harbuz about the Open Source Pledge as well as his recent FOSDEM talk. The Open Source Pledge is all about trying to build a sustainable universe for open source maintainers. This ties into Vlad’s FOSDEM talk which was all about the challenge of just knowing what open source you are using. The importance of trying to make open source sustainable is a really important topic, but it’s also a really hard topic. Vlad helps explain all of this as well as some ideas for the solving this in the future. ...

Josh welcomes back David Bernstein to talk about creating a disaster recover plan. It’s a very timely topic given all the current events. There are more supply chain attacks and compromises than ever before. There are some great resources for this planning, but as David tells us, it’s really not that hard to put some plans together. It’s easy to over-plan, David gives some great tips on getting started with our planning for an eventual incident. ...

Josh talks to Paul McCarty of Open Source Malware about … open source malware. Paul explains why there aren’t many good open source malware datasets. We discuss why the existing data is lacking for many use cases. We of course touch on AI and the malware in skills problems and challenges. It’s a fun discussion with a lot of new and interesting problems we all have to deal with. Episode Links Paul McCarty Open Source Malware Open Source Malware Blog This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player. ...

It’s been a rough couple of weeks for open source There have been some high profile attacks like the TeamPCP events. Anthropic has a new model that’s going to create more security vulnerabilities than anyone can count. The number of security bug reports is going through the roof. AI slop is running rampant through GitHub. And let’s not even try to count all the hot takes from the LinkedInIstas. It’s clear we should never trust open source again, but we should trust someone on linkedin whose company is built on top of all open source and uses AI to do everything. This feels like animal farm but the animals have all been replaced with frozen burritos. All burritos are equal, but some burritos like my linkedin posts! ...

Josh welcomes back Andrew Nesbitt to discuss some recent blog posts he wrote about the challenges of new ecosystems as well as challenges of no ecosystems like C. There aren’t very many people who look at multiple ecosystems in the way Andrew does. He has thoughts on why it’s so hard to create a new ecosystem as well as some of the reasons we don’t see a C language ecosystem. Andrew has a ton of interesting ideas and insight for us about both existing, new, and nonexistent ecosystems. ...

Josh talks to Michael Winser about a talk he gave at FOSDEM as well as his work on Alpha Omega at the Linux Foundation. Michael is approaching open source security in a way that nobody has ever tried before. What if we could fund some really big, really hard projects? It’s not cheap or easy, but he’s getting it done. We spend a lot of the time discussing package registries, which are a huge topic. Michael is doing some amazing work helping package registries which is the first step in a very long journey. ...

Thank you for clicking on the clickbait! What a year it’s been. It seems like open source is under constant attack. The security people don’t know what’s going on anymore. What day is it? It doesn’t matter. The latest open source mess is the popular open source scanner Trivy being compromised, for a month, then other open source projects downstream in the “chain” getting compromised, which will probably lead to more things getting compromised until we get back to Trivy someday. Then I think we have to call it a supply wheel. I’m not sure how these rules work. ...