Episode 343 – Stop trying to fix the open source software supply chain

Josh and Kurt talk about a blog post that explains there isn’t really an open source software supply chain. The whole idea of open source being one thing is incorrect, open source is really a lot of little things put together. A lot of companies and organizations get this wrong. Show Notes

Episode 333 – Open Source is unfair

Josh and Kurt talk about Microsoft creating a policy of not allowing anyone to charge for open source in their app store. This policy was walked back quickly, but it raises some questions about how fair or unfair open source really is. It’s mostly unfair to developers if you look at the big picture. ShowContinue reading “Episode 333 – Open Source is unfair”

Episode 314 – The Linux Dirty Pipe vulnerability

Josh and Kurt talk about the Linux Kernel Dirty Pipe security vulnerability. This bug is an amazing combination of amazing complexity, incredible simplicity, and a little bit of luck. The discovery is amazing, the analysis is enlightening. There’s almost no way a bug like this could be found outside of open source. Show Notes DirtyContinue reading “Episode 314 – The Linux Dirty Pipe vulnerability”

Episode 312 – The Legend of the SBOM

Josh and Kurt talk about SBOMs. Not what they are, there’s plenty about that. We talk about why everyone keeps claiming they’re super important, and why we’re starting to see some people question if we really need them. SBOMs are part of a future that’s still being invented. Show Notes Questioning SBOMs Rezilion Log4j diagram David A WheelerContinue reading “Episode 312 – The Legend of the SBOM”

Episode 306 – Open source isn’t broken, it’s an experience

Josh and Kurt talk about the faker and colors NPM events. There is a lot of discussion around open source being broken or somehow failing because of these events. The real answer is open source is an experience. How we interact with our dependencies determines what the experience looks like. Show Notes Developer corrupts colors and faker WillContinue reading “Episode 306 – Open source isn’t broken, it’s an experience”

Episode 298 – David A Wheeler discusses the OpenSSF

Josh and Kurt talk to David A. Wheeler about everything OpenSSF. The Open Source Security Foundation is part of the Linux Foundation, and there are 6 OpenSSF working groups. David does a great job explaining how the OpenSSF works and what the 6 working groups are doing. The working group are (in no particular order): Identifying Security Threats,Continue reading “Episode 298 – David A Wheeler discusses the OpenSSF”

Episode 295 – Open source security isn’t free

Josh and Kurt talk about Josh’s electric car and new job. We then talk about the recent UAParser.js malware incident. There have been a lot of calls to do more to secure open source, but nobody seems to have any concrete proposals or suggestions to fund any of these activities. Show Notes UAParser.js CISA announcement