
F-Droid the open app store with Hans

Josh talks to Hans-Christoph Steiner about F-Droid, the Free and Open Source Android App Repository. The way F-Droid works looks a lot like a Linux distribution which has some interesting security challenges, but also some great security benefits. Hans walks us through the current state of open app repositories and also what the future currently looks like. There are more open phones than ever before, but there are also more challenges than ever before. Hans breaks it all down in an easy to understand way. ...

May 18, 2026 · Josh Bressers

Open source is critical infrastructure with Kat Cosgrove

Josh talks to Kat Cosgrove about how companies should be treating open source more like critical infrastructure than free stuff. Kat has a ton of knowledge about how the interactions between companies and open source communities can work well, or not work at all, drawing on her time on the Kubernetes Release Team. We touch on how a project like Kubernetes is super successful, while another, Ingress NGINX, was not. It’s a super insightful discussion with a ton of lessons and advice for everyone. ...

May 11, 2026 · Josh Bressers

The lopsided economics of vulnerabilities

There was recently a really good thread about the Copy Fail vulnerability between Will Dormann and Greg K-H. The TL;DR is that vulnerability reporting and disclosure is in a weird state of flux. This discussion got me wondering what’s going on, and I think we’re seeing the extremes emerge of how vulnerabilities have always worked. The middle of the bell curve has been removed. There are three groups in this story: the security researchers, the companies, and the open source developers. In the above discussion Will is a security researcher (one of the best I’ve ever seen). Greg is part of open source. There isn’t a great company representative, but that’s OK. ...

May 3, 2026 · Josh Bressers

Linus's Law, but vulnerabilities

“Given enough eyeballs, all bugs are shallow.” – Linus’s Law. A long time ago we thought Linus’s Law was a real thing and it was why open source was better than closed source. It seems pretty accepted now that Linus’s Law wasn’t ever really a thing. It’s far more likely the reason a lot of open source was pretty good is because the authors were worried someone WOULD look and judge them if the code looked like crap. We all have dark corners of private GitHub repos that are the code equivalent of a festering boil. ...

April 28, 2026 · Josh Bressers

Open Source Pledge with Vlad-Stefan Harbuz

Josh has a discussion with Vlad-Stefan Harbuz about the Open Source Pledge as well as his recent FOSDEM talk. The Open Source Pledge is all about trying to build a sustainable universe for open source maintainers. This ties into Vlad’s FOSDEM talk, which was all about the challenge of just knowing what open source you are using. Making open source sustainable is a really important topic, but it’s also a really hard one. Vlad helps explain all of this as well as some ideas for solving this in the future. ...

April 27, 2026 · Josh Bressers

Open source was never about trust

It’s been a rough couple of weeks for open source. There have been some high profile attacks like the TeamPCP events. Anthropic has a new model that’s going to create more security vulnerabilities than anyone can count. The number of security bug reports is going through the roof. AI slop is running rampant through GitHub. And let’s not even try to count all the hot takes from the LinkedInIstas. It’s clear we should never trust open source again, but we should trust someone on LinkedIn whose company is built on top of all open source and uses AI to do everything. This feels like Animal Farm, but the animals have all been replaced with frozen burritos. All burritos are equal, but some burritos like my LinkedIn posts! ...

April 11, 2026 · Josh Bressers

Eulogy for open source

Thank you for clicking on the clickbait! What a year it’s been. It seems like open source is under constant attack. The security people don’t know what’s going on anymore. What day is it? It doesn’t matter. The latest open source mess is the popular open source scanner Trivy being compromised, for a month, then other open source projects downstream in the “chain” getting compromised, which will probably lead to more things getting compromised until we get back to Trivy someday. Then I think we have to call it a supply wheel. I’m not sure how these rules work. ...

March 25, 2026 · Josh Bressers

2026 State of the Software Supply Chain with Brian Fox

Josh chats with Brian Fox from Sonatype about their 2026 State of the Software Supply Chain report. Most of the numbers continue to grow at alarming rates, but there are some interesting new findings in this one. We discuss end of life in open source, which is tough to define. We touch on what using AI with open source dependencies looks like (and why it’s broken), and we discuss the challenge of upgrading your open source dependencies in a way that doesn’t break everything. It’s a great report and a great discussion. ...

March 23, 2026 · Josh Bressers

Is software ever done?

I posted a graph on LinkedIn. It showed that of the 10 million open source projects tracked by ecosyste.ms, more than half haven’t been updated in two years. I didn’t suggest old was bad or good, but I got a number of replies saying most of this software is “done” so it’s fine. We don’t have any evidence either way, so I’m unwilling to make any claims about the numbers (yet; I’m working on it). This got me wondering what it would mean for software to be “done”. Which then led to the question: is anything ever done? It’s a lot harder to figure this out than I had expected. ...

January 28, 2026 · Josh Bressers

The Cathedral, the Megachurch, and the Bazaar

If you’re of a certain age, you probably remember the essay The Cathedral and the Bazaar. The TL;DR was that old open source was the cathedral of exclusive developers and groups. Then the Bazaar showed up (which was the Linux Kernel for example) and that freed us from the shackles of the cathedral. Except if we look at how things evolved, it wasn’t actually a bazaar. It was a bunch of roadside churches that are now megachurches. But there is still a bazaar, and it’s holding up our modern infrastructure. ...

January 13, 2026 · Josh Bressers