It’s a new year and time for some changes to the opensourcesecurity.io website.
This site initially was meant to be the home of general open source security content, and has carried the name “Open Source Security” since 2018. Much of the content hosted here has been from the Open Source Security Podcast. It’s time to wrap up the podcast to put the focus back on Open Source Security (dot io).
Let’s cut to the headline before explaining the motivation for the change.
What’s changing
Kurt and Josh have decided it’s time to be done with the podcast. It was a great run and we had a blast doing it, but it was time for us to go our separate ways. Starting in 2025, this site will be Josh working to uncover open source security topics. The focus will be on the work behind development, usage, and news.
If open source powers 80% of all applications now, why isn’t there more real actual information about how it’s being created and used more securely? Most of the guidance seems to be “just security harder” or an ad for something some company is doing.
There’s a lot of good work happening that doesn’t get attention because there’s no marketing department behind it, they don’t have a developer relations team posting on LinkedIn every couple of hours. Let’s find those people and teams then learn what they do and how they do it.
The plan is to start talking to the people of open source, focusing on the real things that do and don’t work. The goal is to hear from the people doing the work, they know what’s up, they have a lot to teach us.
Open source didn’t win because of marketing, it won because the people who work on it do amazing things. We just have to listen. Well, and also find them, and then convince them to talk to us.
The format is no longer just a podcast. Everything will be published as audio, YouTube videos, and text - not just a text transcript, more like a blog post of actual details of the discussion.
Instead of opinion-based discussions about security topics, let’s hear about how open source folks are making things more secure for their particular projects or communities.
And lastly, I need your help. The open source people doing the work don’t have marketing departments or publicists. Many are too shy or too humble to reach out. If you know someone I should talk to, please let me know. The contact details are on the Contact Us page.
If you just had the thought pop into your brain: “but the open source work I’m doing isn’t interesting”, we should probably chat. There are a lot of things happening in the open source universe, if you’re doing open source work, even if it’s not directly security related, there are lessons in there for us security nerds. Drop me a note.
As things get started the release schedule will be a bit random. It will probably take a few weeks for everything to start moving, but watch this space, great things are coming!
Why the change?
The open source security podcast started back in 2016. The world was very different then. Open source was very different. Podcasting was also very different.
It’s time to move away from a show focused on two people talking about general topics and turn it into something that’s focused on the people making it all work, and how that can help everyone else, remember it’s 80% of everything now. We don’t need more opinions about open source, we’re drowning in opinions about open source. What we need is to hear from the people who have figured it out already. It’s a silent group that the modern world is built on top of. And they’re smart.
An audio only show isn’t the future either. A podcast in 2016 was hard to make happen and video was out of the question unless you had a huge budget. That’s not the case anymore. There are more people than ever learning things from YouTube every day. Some people prefer a podcast (I do), and some like to read a blog post. Let’s go where the people are and give them what they want.
I also think there is something to be said about the independent open source model that’s worked for Open Source Security in the past. When you’re not trying to chase sponsors or cash flush industries, it allows for different sorts of conversations.
There is a lot of money in open source from companies and foundations. I’m not saying the big companies and foundations aren’t doing good work, many are. I mean, they’re also doing some things I don’t really like too, but that’s OK, you can’t please everyone. But their messaging is often focused on things that pay their bills, and rightly so. I want to create a place that can focus on work that might not seem as exciting as something like Kubernetes or Sigstore, but is possibly having even more impact.
It won’t be easy, it’s going to be a lot of work, and things will be chaotic. But that’s OK. This is a topic I care deeply about, I think this is a service the community should have. And one thing I do know how to do is produce a weekly show. Time for something new, I’m very excited and I am very serious that if you know someone we should be talking to, let me know. All they have to do is show up, I’ll take care of the rest.
Josh’s contact details can be found on the Contact Us page.