Open-Source

It’s been a rough couple of weeks for open source There have been some high profile attacks like the TeamPCP events. Anthropic has a new model that’s going to create more security vulnerabilities than anyone can count. The number of security bug reports is going through the roof. AI slop is running rampant through GitHub. And let’s not even try to count all the hot takes from the LinkedInIstas. It’s clear we should never trust open source again, but we should trust someone on linkedin whose company is built on top of all open source and uses AI to do everything. This feels like animal farm but the animals have all been replaced with frozen burritos. All burritos are equal, but some burritos like my linkedin posts! ...

Thank you for clicking on the clickbait! What a year it’s been. It seems like open source is under constant attack. The security people don’t know what’s going on anymore. What day is it? It doesn’t matter. The latest open source mess is the popular open source scanner Trivy being compromised, for a month, then other open source projects downstream in the “chain” getting compromised, which will probably lead to more things getting compromised until we get back to Trivy someday. Then I think we have to call it a supply wheel. I’m not sure how these rules work. ...

Josh chats with Brian Fox from Sonatype about their 2026 State of the Software Supply Chain report. Most of the number continue to grow at alarming rates, but there’s some new interesting findings in this one. We discuss end of life and open source which is tough to define. We touch on what using AI with open source dependencies looks like (and why it’s broken), and we discuss the challenge of upgrading your open source dependencies in a way that doesn’t break everything. It’s a great report and great discussion. ...

I posted a graph on LinkedIn. It showed that of the 10 million open source projects tracked by ecosyste.ms, more than half haven’t been updated in two years. I didn’t suggest old was bad or good, but I got a number of replies about most of this software is “done” so it’s fine. We don’t have any evidence either way, I’m unwilling to make any claims about the numbers (yet, I’m working on it). This got me wondering what it would mean for software to be “done”. Which then led to the question is anything ever done? It’s a lot harder to figure this out than I had expected. ...

If you’re of a certain age, you probably remember the essay The Cathedral and the Bazaar. The TL;DR was that old open source was the cathedral of exclusive developers and groups. Then the Bazaar showed up (which was the Linux Kernel for example) and that freed us from the shackles of the cathedral. Except if we look at how things evolved, it wasn’t actually a bazaar. It was a bunch of roadside churches that are now megachurches. But there is still a bazaar, and it’s holding up our modern infrastructure. ...

Josh discusses updating open source dependencies with Jamie Tanna. Jamie works on Renovate which gives them a lot of insight into the challenges of keeping your open source updated. We discuss the challenges of semantic versioning, supply chain security, and AI-generated code. If you’re new or old to the world of open source dependencies, there’s something to learn from this chat. Episode Links Jamie Tanna Versioning: We Did It To Ourselves XKCD Workflow This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player. ...

Josh discusses the TARmageddon vulnerability with Alex Zenla, CTO of Edera. In this episode, we explore the discovery of the TARmageddon vulnerability. It’s especially interesting because it’s Rust, but also involves multiple end of life crates. Alex shares the story of how Edera managed to figure all this out (it was not simple). Hard problems are still hard, but there’s a lot of lessons in this one. Episode Links Alex Zenla TARmageddon This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player. ...

I keep seeing commentary about AI making open source dependencies obsolete. The idea is that instead of using an open source dependency, the AI will just write all the code you need. No more need for that random person in Nebraska. They can finally take a well deserved break! Some people think this is inevitable, some think it’s hogwash. I like to take the stance of disliking everything equally. But to better understand all of this, let’s break it up into a few possible outcomes. There are 4 basic things that could happen if we take these arguments to their ridiculous extremes. ...

In this episode I chat with the authors of a recent paper on open source security: Open Source, Open Threats? Investigating Security Challenges in Open-Source Software. I chat with Ali Akhavani and Behzad Ousat about their findings. There are interesting data points in the paper such as a 98% increase in reported vulnerabilities compared to a 25% growth in open source ecosystems. We discuss the challenges of maintaining security in a rapidly expanding digital landscape, and learn about the role of community engagement and automated tools in addressing these discrepancies. It’s a great paper and a fantastic discussion. ...

In this episode we discuss crates.io trusted publishing with Tobias Bieniek. We cover the steps crates.io is taking to enhance supply chain security through trusted publishing, a method that leverages short-lived tokens and GitHub actions to safeguard against unauthorized access. Tobias shares insights into the challenges of managing a large-scale open-source repository, offering a glimpse into the future of secure software distribution. Tune in to learn how these advancements are shaping the landscape of open-source development. ...