Open-Source

Josh and Kurt talk about Microsoft creating a policy of not allowing anyone to charge for open source in their app store. This policy was walked back quickly, but it raises some questions about how fair or unfair open source really is. It’s mostly unfair to developers if you look at the big picture. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_333_Open_Source_is_unfair.mp3 Show Notes Syft Grype Microsoft bans and unbans open source Tidelift survey Bruce Perens - What comes after open source

Josh and Kurt talk about a recent OpenSSF issue that asks the question how many open source maintainers should a project have that’s “healthy”? Josh did some research that shows the overwhelming majority of packages have one maintainer. What does that mean? https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_325_Is_one_open_source_maintainer_enough.mp3 Show Notes OpenSSF TAC Issue 101

Josh and Kurt talk about a fake 7-Zip security report. It’s pretty clear that everyone is running open source all the time. We end on some thoughts around what SBOM is good for, and who should be responsible for them. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_323_The_fake_7Zip_vulnerability_and_SBOM.mp3 Show Notes Probably fake 7-Zip

Josh and Kurt talk about the Linux Kernel Dirty Pipe security vulnerability. This bug is an amazing combination of amazing complexity, incredible simplicity, and a little bit of luck. The discovery is amazing, the analysis is enlightening. There’s almost no way a bug like this could be found outside of open source. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_314_The_Linux_Dirty_Pipe_vulnerability.mp3 Show Notes Dirty Pipe Writeup

Josh and Kurt talk about SBOMs. Not what they are, there’s plenty about that. We talk about why everyone keeps claiming they’re super important, and why we’re starting to see some people question if we really need them. SBOMs are part of a future that’s still being invented. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_312_The_Legend_of_the_SBOM.mp3 Show Notes Questioning SBOMs Rezilion Log4j diagram David A Wheeler on CII Badges Using open source is communism

Josh and Kurt talk about the faker and colors NPM events. There is a lot of discussion around open source being broken or somehow failing because of these events. The real answer is open source is an experience. How we interact with our dependencies determines what the experience looks like. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_306_Open_source_isnt_broken_its_an_experience.mp3 Show Notes Developer corrupts colors and faker Will Wright Pee Internet Anonymity

Josh and Kurt talk to David A. Wheeler about everything OpenSSF. The Open Source Security Foundation is part of the Linux Foundation, and there are 6 OpenSSF working groups. David does a great job explaining how the OpenSSF works and what the 6 working groups are doing. The working group are (in no particular order): Identifying Security Threats, Security Tooling, Best Practices, Vulnerability Disclosures, Digital Identity Attestation, Securing Critical Projects. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_298_David_A_Wheeler_discusses_the_OpenSSF.mp3 Show Notes David A Wheeler Episode 14 – David A Wheeler: CII Badges Sigstore joins the OpenSSF OpenSSF Technical Working Groups NPM requires MFA LISH Backstabber’s Knife Collection: A Review of Open Source Software Supply Chain Attacks

Josh and Kurt talk about Josh’s electric car and new job. We then talk about the recent UAParser.js malware incident. There have been a lot of calls to do more to secure open source, but nobody seems to have any concrete proposals or suggestions to fund any of these activities. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_295_Open_source_security_isnt_free.mp3 Show Notes UAParser.js CISA announcement

Josh and Kurt talk about open source bugs. What happens if a project decides to close most of their bugs? Nothing really. Bug trackers aren’t a help desk. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_285_Open_source_owes_you_nothing.mp3 Show Notes Emacs closes 45% of bugs UVI Tesla investigation UK COVID spreadsheet

Josh and Kurt talk about the events happening to the Audacity audio editor. What happens if a popular open source application is acquired by an unknown entity? Can this happen to other open source projects? What can we do about it? https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_279_The_audacity_of_Audacity_When_open_source_goes_rogue.mp3 Show Notes SGDQ Paper Mario Paper Mario Arbitrary Code Execution explained Freenode Audacity acquired by Muse Group Audacity fork