Security

Josh and Kurt revisit Episode 77, which was named “npm and the supply chain” but was a discussion about the incident we all know now as “leftpad”. We didn’t understand what was happening at the time, but this would become an event we talk about for years to come. It’s shocking how many of the things we discuss are still completely valid five years later. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_374_The_event_we_called_left-pad_Episode_77_remaster_part_1.mp3 Show Notes Episode 77 – npm and the supply chain

This is the second part of remastering Episode 42 which is all about the security in the Hitchhiker’s Guide to the Galaxy movie. It’s a fun show and it’s shocking how many of these security themes are still relevant today. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_373_HHGG_security_Episode_42_remaster_part_2.mp3 Show Notes Original Episode 42 Part 1

The podcast is on a hiatus for a little while due to some personal matters, but that creates an opportunity to remaster some fun old episodes. These shows are REALLY hard to listen to at the current quality (tools and talent has come a long way in the last few years). This is a remaster of Episode 42 which is all about the security in the Hitchhiker’s Guide to the Galaxy movie. It’s a fun show and it’s shocking how many of these security themes are still relevant today. ...

Josh and Kurt talk about a blog post about pip and virtual environments. This eventually turns into a larger conversation around packaging tools and how we see incremental changes over time. The package ecosystems were what we needed a few years ago, but our needs have changed. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_371_-_pip_install_is_the_tool_we_deserve_but_not_the_tool_we_need.mp3 Show Notes One Does Not Simply ‘pip install’ Dag Wieers RPM Webfinger GitHub repo

Josh and Kurt talk about some data on the size of NPM. Josh wrote a blog post and a report about the amount of SEO spam in NPM was released. Open source is enormous, and it’s mostly one person. It’s hard to imagine how this all works sometimes and this lack of understanding can create challenges. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_370_Open_Source_is_bigger_than_you_can_imagine.mp3 Show Notes Josh’s blog on the size of NPM One In Two New Npm Packages Is SEO Spam Right Now Linux Kernel power distribution graph

Josh and Kurt talk about OpenAI having a bug in ChatGPT, then they tried to blame open source. It didn’t go very well. In this episode Josh and Kurt argue a lot, maybe someday we’ll know who was the least wrong. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_369_OpenAI_broke_ChatGPT_then_tried_to_blame_open_source.mp3 Show Notes ChatGPT Tweet ChatGPT Blog redis bug

Josh and Kurt talk to Fiona Krakenbürger about the Sovereign Tech Fund. This is a fund created by Germany to fund important open source projects. Fiona has amazing insight into how this fund was created, what it’s doing today to help fund open source. She discusses where we go from here and what the future will look like. The Sovereign Tech Fund is a forward thinking program to fund open source across the world. This episode is a window into the future. ...

Josh and Kurt talk about GitHub enforcing sanctions against an open source developer and Docker changing how their registry works. There’s a lot to unpack in this one. There’s a lot of happenings going on in the world of open source. We are seeing governments paying attention to open source like never before, change is coming and everything is going to change. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_367_Open_source_will_never_be_the_same.mp3 Show Notes ipmitool Repository Archived, Developer Suspended By GitHub Elixir: Docker now charges open source orgs $300

Josh and Kurt talk about the number of dependencies that is now normal. Keeping track of thousands of dependencies used to be impressive, now it’s normal. In what instances should we know everything about our open source? The days of being able to ignore your software liability is looking like it’s coming to an end. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_366_Software_liability_is_coming.mp3 Show Notes LTT millenial pause The perverse incentive of vulnerability counting National Cybersecurity Strategy

Josh and Kurt talk to Thomas Depierre about his “I am not a supplier” blog post. We drink from the firehose on this one. Thomas describes the realities and challenges of being an open source maintainer. What open source and society owe each other. How safety can help describe what we see. There’s too many topics to even list. The whole episode is an epic adventure through modern open source. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_365_I_am_not_your_supplier_with_Thomas_Depierre.mp3 Show Notes Thomas on Mastodon I am not a supplier The Treachery of Images (Ceci n’est pas une pipe) Atlantic Council report The Field Guide to Understanding ‘Human Error’ Google wants new rules for developers working on ‘critical’ projects Roads and Bridges:The Unseen Labor Behind Our Digital Infrastructure Sovereign Tech Fund