
Episode 298 - David A Wheeler discusses the OpenSSF

Josh and Kurt talk to David A. Wheeler about everything OpenSSF. The Open Source Security Foundation is part of the Linux Foundation, and there are 6 OpenSSF working groups. David does a great job explaining how the OpenSSF works and what the 6 working groups are doing. The working groups are (in no particular order): Identifying Security Threats, Security Tooling, Best Practices, Vulnerability Disclosures, Digital Identity Attestation, Securing Critical Projects.

Audio: https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_298_David_A_Wheeler_discusses_the_OpenSSF.mp3

Show Notes:
- David A Wheeler
- Episode 14 – David A Wheeler: CII Badges
- Sigstore joins the OpenSSF
- OpenSSF Technical Working Groups
- NPM requires MFA
- LISH
- Backstabber’s Knife Collection: A Review of Open Source Software Supply Chain Attacks

November 22, 2021

Episode 295 - Open source security isn't free

Josh and Kurt talk about Josh’s electric car and new job. We then talk about the recent UAParser.js malware incident. There have been a lot of calls to do more to secure open source, but nobody seems to have any concrete proposals or suggestions to fund any of these activities.

Audio: https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_295_Open_source_security_isnt_free.mp3

Show Notes:
- UAParser.js
- CISA announcement

November 1, 2021

Episode 285 - Open source owes you nothing!

Josh and Kurt talk about open source bugs. What happens if a project decides to close most of its bugs? Nothing really. Bug trackers aren’t a help desk.

Audio: https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_285_Open_source_owes_you_nothing.mp3

Show Notes:
- Emacs closes 45% of bugs
- UVI
- Tesla investigation
- UK COVID spreadsheet

August 23, 2021

Episode 279 - The audacity of Audacity: When open source goes rogue

Josh and Kurt talk about the events happening to the Audacity audio editor. What happens if a popular open source application is acquired by an unknown entity? Can this happen to other open source projects? What can we do about it?

Audio: https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_279_The_audacity_of_Audacity_When_open_source_goes_rogue.mp3

Show Notes:
- SGDQ Paper Mario
- Paper Mario Arbitrary Code Execution explained
- Freenode
- Audacity acquired by Muse Group
- Audacity fork

July 12, 2021

Episode 259 - What even is open source anymore?

Josh and Kurt talk about the question “what is open source?” Why do we think it’s broken today, and what sort of ideas are there about what should come next?

Audio: https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_259_What_even_is_open_source_anymore.mp3

Show Notes:
- OSI
- Bruce Perens Post Open Source
- Josh’s community blog post
- Cory Doctorow Uber Twitter thread

February 22, 2021

Committee or Community: Slowing down the future

I wrote a blog post about looking back, and I have a bit of snark in there where I talk about slowing down the future. I wanted to explain this a bit more and give everyone some food for thought around how we used to do things and how we should do them moving forward. There are groups and people that exist to slow things down. Sometimes that’s on purpose for good reasons, sometimes it’s on purpose for bad reasons, sometimes it’s not on purpose at all. ...

December 14, 2020