OpenSourceSecurity

Very recently the Node.js project filed a few CVE IDs for end of life products. For vulnerability nerds this is exciting because historically EOL things didn’t get CVE IDs just for being EOL. And as one would expect, there are plenty of folks who think this is the best idea ever, and a bunch worried this will be the event that destroys modern civilized society. Today there’s not really a good place to track what is or isn’t end of life software. There are some datasets being worked on but they’re very new, and it’s “yet another dataset” we will all have to figure out. CVE could be a place to track details like this, but it’s not a simple conversation. ...

I met Gary Kramlich a few years ago at the CypherCon security conference and we now chat on signal about open source things. When I started Open Source Security I knew he was one of the people I wanted to talk to about what it looks like to keep a project, codebase, and community alive for more than a decade. Gary is the lead developer of the Pidgin chat program. You can find him at reaperworld.com ...

I had a discussion with Thomas Depierre about his experience with safety and how safety concepts can apply to the field of security. Thomas is an experienced SRE with a background in safety, he has thoughts into how people prevent disasters constantly, often without realizing it. You can find his blog at Software Maxims An audio version of this disucssion is also available in podcast format. Look for “Open Source Security” wherever you get your podcasts. ...