An eclipse in the clouds

Eclipse Foundation SBOMs with Mikael Barbero

In this conversation, Josh speaks with Mikael Barbero, head of security at the Eclipse Foundation. They discuss the foundation’s role in enhancing the security posture of open source projects, the importance of Software Bill of Materials (SBOMs), and the various security services provided to projects. Mikael explains the challenges and strategies involved in implementing security best practices across a diverse range of projects, as well as the foundation’s proactive approach to navigating security regulations and compliance. This is some great security work happening for open source projects. ...

October 20, 2025 · Josh Bressers
A collection of boxes with various names on them all

Actually finding vulnerabilities using AI with Joshua Rogers

I chat with Joshua Rogers about a blog post he wrote as well as some bugs he submitted to the curl project. Joshua explains how he went searching for some AI tools to help find security bugs, and found out they can work, if you’re a competent human. We discuss the challenges of finding effective tools, the importance of human oversight in triaging vulnerabilities, and how to submit those bugs to open source projects responsibly. It’s a very sane and realistic conversation about what AI tools can and can’t do, and how humans should be interacting with these things. ...

October 13, 2025 · Josh Bressers
A collection of boxes with various names on them all

Sustaining Package Repositories with Brian Fox

Brian Fox discusses the challenges and future of open source package repository infrastructure. We discuss the complexities of managing public registries, the impact of overconsumption, and the importance of sustainable practices in the open source community. Brian tells us how organizations can reduce their footprint and contribute to a more balanced ecosystem. The package repositories cannot continue to be the world’s CDN. Episode Links Brian Fox Open Infrastructure is Not Free: A Joint Statement on Sustainable Stewardship Brian’s Blog Atlantic Council - Avoiding the success trap: Toward policy for open-source software as infrastructure This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player. ...

October 6, 2025 · Josh Bressers
door-sign-1607503_1920

Episode 259 - What even is open source anymore?

Josh and Kurt talk about the question “what is open source?” Why do we think it’s broken today, and what sort of ideas about what should come next. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_259_What_even_is_open_source_anymore.mp3 Show Notes OSI Bruce Perens Post Open Source Josh’s community blog post Corey Doctorow Uber Twitter thread

February 22, 2021