Linux

Josh and Kurt embark on a thought experiment to discuss how a commercial entity would handle something like the xz incident. It was very specific and difficult to understand. It’s easy to claim just because source code being available doesn’t matter. But the reality is when source code is needed, it can make a huge difference for everyone working together, just like we saw with xz. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_456_What_if_XZ_happened_to_a_company_The_openness_of_open_source.mp3 Show Notes Lindt admits chocolate may not be ‘expertly crafted’ in class-action lawsuit battle Mitchell & Webb - Needlessly ambiguous terms

Josh and Kurt talk about the way Wordpress vets their plugins. While Wordpress has been in the news lately, they do some clever things to get plugins approved. There’s a static analyzer that runs against new submissions. We discuss using static analysis, securing open source, contributing and more. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_455_Wordpress_plugin_security.mp3 Show Notes Linus Torvalds Lands A 2.6% Performance Improvement With Minor Linux Kernel Patch Kurt’s Plugin

Josh and Kurt talk about Chrome unexpectedly going EOL on Ubuntu 18. Keeping old things alive is really hard to do, and in open source it’s becoming more common to just run the latest version rather than trying to keep old versions alive for long periods of time. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_444_Open_Source_and_End_of_Life.mp3 Show Notes Chrome dumped support for Ubuntu 18.04 – but it’ll be back Linus Torvalds talks AI, Rust adoption, and why the Linux kernel is ’the only thing that matters’ Pidgin backdoor

Updated 2025-01-16: Since writing this post, there’s now a vulnerability focused discord you can join to discuss vulnerabilities. You can join with this link If you follow the vulnerability world, 2024 is starting to feel like we’ve become trapped in the mirror universe. NVD collapsed, the Linux kernel is generating a huge number of CVE IDs, CISA is maybe enriching the CVE data, and the growth rate of CVE is higher than its ever been. It feels like we’re careening off a cliff in the clown car where half the people are trapped inside trying to get out, and the other half are laughing at the clown honking its nose. ...

Josh and Kurt talk about a blog post about frozen kernels being more secure. We cover some of the history and how a frozen kernel works and discuss why they would be less secure. A frozen kernel is from when things worked very differently. What sort of changes will we see in the future? https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_430_Frozen_kernel_security.mp3 Show Notes Kurt’s strange coffee Why a ‘frozen’ distribution Linux kernel isn’t the safest choice for security

Josh and Kurt talk about a sudo replacement going into systemd called run0. It sounds like it’ll get a lot right, but systemd is a pretty big attack surface and not everyone is a fan. We shall have to see if this ends up replacing sudo. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_427_Will_run0_replace_sudo.mp3 Show Notes Conan O’Brien on Hot Ones Lennart’s Mastodon thread xkcd automation

Josh and Kurt talk to GregKH about Linux Kernel security. We most focus on the topic of vulnerabilities in the Linux Kernel, and what being a CNA will mean for the future of Linux Kernel security vulnerabilities. The future of Linux Kernel security vulnerabilities is going to be very interesting. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_417_Linux_Kernel_security_with_Greg_K-H.mp3 Show Notes Greg K-H Linux Kernel is a CNA Machine learning and stable kernels Bug reporting for Linux

Josh and Kurt talk about a story asking for a Kubernetes LTS. Should open source projects have LTS versions? What does LTS even mean? Why is maintaining software so hard? It’s a lively discussion all about the past, present, and future of open source LTS. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_408_Does_Kubernetes_need_long_term_support_fixed.mp3 Show Notes Why Kubernetes needs an LTS Linux gives up on 6-year LTS kernels, says they’re too much work

Josh and Kurt talk about filing bugs for software. There’s the old saying that anyone can file bugs and submit patches for open source, but the reality is most people can’t. Filing bugs for both closed and open source is nearly impossible in many instances. Even if you want to file a bug for an open source project, there are a lot of hoops before it’s something that can be actionable. ...

Josh and Kurt talk about the recent FAA NOTAM outage. Keeping legacy things running for long periods of time is really hard to do, this system is no different. It’s also really hard to upgrade many of these due to corner cases and institutional knowledge. There aren’t any great answers here, but we do ask a lot of questions about long running tech. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_359_The_NOTAM_outage_and_other_legacy_technology.mp3 Show Notes NOTAM outage AIX is not dead IBM Linux commercial Apple A/UX How NOT To Implement the POSIX Standard, Featuring Windows NT iSH Hand Made Vacuum Tubes