More Open Source Security episodes


The State of OpenSSL for pyca/cryptography with Alex Gaynor and Paul Kehrer

Published 9 Mar 2026

Duration: 33:34

OpenSSL 3.0 is criticized for increased complexity, performance issues, and insufficient progress in testing and memory safety, sparking debate over its adoption and the need for alternative cryptographic libraries.

Episode Description

Josh talks to Paul Kehrer and Alex Gaynor from the Python Cryptographic Authority. Alex and Paul recently published a statement discussing the challenge...

Overview

The podcast highlights concerns from the Python Cryptographic Authority about OpenSSL 3.0, emphasizing challenges such as increased API complexity, internal code obscurity, performance regression, and stagnation in critical areas like testing and memory safety. The transition to OpenSSL 3.0 is criticized for diverging from user expectations and reflecting broader industry frustrations with its design and implementation. The discussion also notes that alternatives like LibreSSL, BoringSSL, and AWS LC prioritize different goals, such as simplicity or performance, while exploring how Rust's memory-safe code and efficient parsing could enhance cryptographic safety and performance.

The podcast underscores the importance of formal verification to ensure cryptographic reliability and the need for cross-platform consistency in cryptographic APIs. It stresses that long-term improvements in cryptographic libraries must balance usability, security, and performance, avoiding over-reliance on OpenSSL for future advancements like post-quantum cryptography. Collaborative efforts are highlighted as essential to address these challenges and drive sustainable progress in cryptographic software development.

Recent Episodes of Open Source Security

22 Jun 2026 Packagist and Composer security with Jordi Boggiano

Strategies for securing open-source ecosystems include malware detection via third-party feeds, transparency logs, rapid incident response, blocking malicious downloads, private registry controls, immutable package releases, standardized workflows, MFA enforcement, and technical proposals like artifact validation and build attestation, while addressing challenges like maintainer hacking, AI risks, usability trade-offs, and the need for ecosystem-wide alignment and human verification.

15 Jun 2026 Sustaining Open VSX with Mike and Thabang

Eclipse Foundation's OpenVSX, a VS Code extension repository, surged to 600M monthly downloads, evolved to a commercial model with enterprise SLAs and security teams, while addressing scalability, open-source balance, and funding challenges for AI expansion.

8 Jun 2026 Hacking your CI/CD with Francois Proulx

Critical vulnerabilities in open source CI/CD pipelines, including hijacking and supply chain attacks via social engineering or compromised builds, are highlighted through incidents like TJ Actions and Ultralytics, with mitigation strategies emphasizing secure credentials, externalized workflows, threat modeling, and tools like *Smoked Meat* and *Bagel* to enhance incident response and supply chain security.

1 Jun 2026 Open source verification with Sal Kimmich

Cybersecurity challenges include complex application ecosystems, overlooked kernel vulnerabilities, supply chain risks, and systemic risks from under-resourced organizations prioritizing surface-level controls, alongside calls for regulatory reforms, proactive threat modeling, secure development practices, and addressing tribal nations' unique legal and sovereignty concerns.

25 May 2026 Vulnerability disclosure with Casey Ellis

The evolution of vulnerability disclosure highlights challenges in prioritizing critical issues, outdated legal frameworks, and the role of initiatives like Disclosed.io in standardizing policies, alongside AI's impact on detection, open-source risks, triage complexities, and the need for collaboration and transparency to address systemic security barriers.
