VulnCon 2025 is over. I didn’t go. A bunch of people have asked me why, and rather than keep my answer to a small group, I thought it would make sense to write something public about it all. The TL;DR is I went to a different conference that I thought was a better use of my time. The conference I went to was Cyphercon and BSides Milwaukee. They are regional conferences in Wisconsin. Good people, great shows, a lot of fun and learning. Yeah, it was technically the week before VulnCon, but I lack the fortitude to do two conferences back to back. Some people can, I tip my hat to those folks. I’m not one of them. I should be clear though, this isn’t the only reason. I also don’t think VulnCon should exist (more on that at the end). ...

Cargo Semver Checks is a Rust tool by Predrag Gruevski that is tackling the problem of broken dependencies that cost developers time when trying to upgrade dependencies. Predrag’s work shows how automated checks can catch breaking changes before they’re released, potentially saving projects from unexpected failures and making dependency updates less painful across the entire Rust ecosystem. Episode links Predrag’s Mastodon Predrag’s Blog “We never update unless forced to” — cargo-semver-checks 2024 Year in Review cargo-semver-checks issue 5 This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player. ...

I got to chat with Lars about a new CI/CD system he’s been working on called Ambient. It sounds really cool and does some very clever things today, with even more things planned in the future. We also spend some time discussing a project he works on called Radicle, a distributed Git forge. It feels like having decentralized infrastructure might be more important than it’s ever been, for some reason. ...

When William Brown posted a rant on Mastodon about the FIDO Metadata Service, it sounded like exactly the sort of thing I wanted to learn more about. So that’s what I did! It’s a fun conversation, William is really good at explaining insanely complicated topics in a way that’s easy to understand. This one is dense, but it’s really interesting, you’re going to learn a ton. Episode links William’s Mastodon Yubico FEITIAN Token2 This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player. ...

When Luis Villa said he was willing to talk to me about the CRA I knew it would be a great conversation. The number of actual lawyers who also work on open source issues isn’t a large number. Luis is one of those people and he has a ton of knowledge and insight he’s willing to share. Open source legal issues are especially weird because the very nature of the open source license was to hack copyright to give us more rights instead of less. So what did Luis have to tell us about the CRA? ...

I recently sat down with Brian Fox, CTO and co-founder of Sonatype, about a report they recently published about malware in open source ecosystems. This is something that’s not a surprise to anyone paying attention, but there are some things Sonatype is doing in this space that’s very clever. I’ve known Brian for a long time so it was a treat to catch up and see what they found, and what it means for the future. ...

In the world of open source software, we often celebrate the code, the contributors, and the collaboration. But beneath the surface lies a world unknown to most. It’s not a secret, it’s just not something most of us pay attention to, the foundations that drive some of the open source projects. I had the opportunity to discuss this with Dr. Kelly Masada, who has served as president of the Open Information Security Foundation (OISF) for over 12 years. OISF is the organization behind Suricata, the very capable and well known open source network analysis and threat detection software. ...

If you use GitHub, you probably have “forked” a repo more times than you can count. It’s super common and the ideal way you can interact with a git repository you don’t control. But the idea of forking in open source can have another meaning, a far more interesting meaning. It’s when you take the open source project, and create a new open source project based on the first. It’s not as simple as clicking a button. The process is complicated and is a ton of corner cases. ...

When I started Open Source Security HeroDevs reached out and asked if I wanted to have a chat. I was pretty interested in this discussion because the work HeroDevs does today is very similar to the work I did at Red Hat for a decade. While what they work on is a bit different than the sort of things we shipped in a Linux distribution, the basic idea is still the same. ...

When I started Open Source Security I knew one of those topics that could use more attention was the security of CI/CD systems. All the talk about securing the supply chain seems to almost exclusively focus on the development stage as well as the deployment stage. It seems like there’s not enough attention happening to the build stage (spoiler: most of the successful attacks have happened at this stage). When François Proulx reached out to chat about CD/CD systems, I couldn’t say yes fast enough. ...