Package management challenges with Andrew Nesbitt

Published 6 Apr 2026

Duration: 36:08

Challenges in package management across ecosystems demand standardization to address fragmentation in naming, versioning, and dependencies, interoperability gaps between system-level and language-specific tools, SBOM scanner inconsistencies, and cross-ecosystem complexity, urging collaboration on shared specs and protocols despite cultural and practical barriers.

Episode Description

Josh welcomes back Andrew Nesbitt to discuss some recent blog posts he wrote about the challenges of new ecosystems as well as challenges of no ecosys...

Overview

The podcast explores challenges in package management across diverse software ecosystems, emphasizing the need for standardized practices and interoperability. Key issues include the fragmented nature of package repositories and metadata, which vary significantly between systems such as npm, PyPI, and Go modules. Newer ecosystems such as Zig face hurdles integrating with existing tooling, hosting platforms, and security standards like SBOM (Software Bill of Materials), so the same supporting work has to be repeated for each new language or package manager. The discussion highlights how a standalone package system, such as Zig's, struggles to align with external tools and security protocols, creating barriers to adoption and complicating dependency tracking.

The podcast also underscores the complexity of cross-ecosystem dependencies, including inconsistencies in naming conventions, versioning, and the handling of system-level components like C libraries. SBOM scanners are critiqued for inconsistent results due to differing approaches to dependency inclusion and parsing, while the lack of universal standards exacerbates security and reproducibility challenges. Proposals for improvement include adopting standardized metadata formats, leveraging protocols like the Language Server Protocol (LSP) for package management, and promoting cross-ecosystem collaboration. The conversation stresses the importance of shared infrastructure and governance to reduce redundancy and address systemic issues, advocating for long-term coordination to create a more unified and reliable package management landscape.

Recent Episodes of Open Source Security

18 May 2026 F-Droid the open app store with Hans

F-Droid, an open-source Android app store modeled on Linux distributions, emphasizes security and transparency through source-code verification, contrasting with fragmented alternatives and corporate control, while addressing Android's ecosystem challenges and efforts to preserve open-source principles.

11 May 2026 Open source is critical infrastructure with Kat Cosgrove

Maintaining open source infrastructure is critical to prevent security risks from neglected projects, highlighting the need for sustainable funding, corporate collaboration beyond financial support, and systemic reforms to address coordination challenges, dependency fragility, and vulnerabilities.

4 May 2026 How to actually test a disaster plan with David Bernstein

A three-part disaster recovery framework emphasizing simplicity, clear roles, and collaboration, utilizing structured testing via HSEEP, real-world validation, and continuous improvement through exercises, while addressing pitfalls and balancing realism with psychological safety.

27 Apr 2026 Open Source Pledge with Vlad-Stefan Harbuz

Challenges in open source sustainability include undervaluing maintainers, dependency tracking issues, fragmented tooling, burnout, governance flaws, and paradoxical tool sustainability, necessitating financial support, sustainable governance, and collective action for long-term project viability.

20 Apr 2026 Building a plan for disaster with David Bernstein

Adaptive emergency management and disaster recovery demand dynamic strategies, structured frameworks like ISO 22301/NIST, cyclical preparedness, stress testing, stakeholder alignment, and resilience through collaboration and continuous learning to tackle evolving digital and physical risks.