More Open Source Security episodes


Package management challenges with Andrew Nesbitt

Published 6 Apr 2026

Duration: 36:08

Package management differs from ecosystem to ecosystem in how packages are named, versioned and resolved; system-level and language-specific tools do not interoperate well; SBOM scanners disagree with each other; and cross-ecosystem dependencies compound all of this. The episode argues for shared specifications and protocols to address the fragmentation, while acknowledging the cultural and practical barriers to getting ecosystems to collaborate on them.

Episode Description

Josh welcomes back Andrew Nesbitt to discuss some recent blog posts he wrote about the challenges of new ecosystems as well as challenges of no ecosys...

Overview

The episode explores challenges in package management across diverse software ecosystems, emphasizing the need for standardized practices and interoperability. A key issue is the fragmented nature of package repositories and their metadata, which vary significantly between systems such as npm, PyPI and Go modules. New ecosystems such as Zig face hurdles integrating with existing tooling, hosting platforms and security standards such as SBOM (Software Bill of Materials), so the same supporting work has to be repeated for each new language or package manager. The discussion highlights how a standalone package system such as Zig's struggles to align with external tools and security protocols, which creates barriers to adoption and complicates dependency tracking.

The episode also underscores the complexity of cross-ecosystem dependencies, including inconsistencies in naming conventions and versioning and the handling of system-level components such as C libraries, which language-specific package managers typically do not model. SBOM scanners are critiqued for producing inconsistent results because they differ in which dependencies they include (direct only, transitive, system-level) and in how they parse lockfiles and manifests; the lack of universal standards makes both security review and reproducibility harder. Proposals for improvement include adopting standardized metadata formats, defining a common protocol for package managers modeled on the Language Server Protocol (LSP), and promoting cross-ecosystem collaboration. The conversation stresses the importance of shared infrastructure and governance to reduce redundancy and address systemic issues, advocating long-term coordination toward a more unified and reliable package management landscape.
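The naming and versioning inconsistencies described above are the reason two scanners can report "different" components for the same dependency tree. The following is an added example, not code from the podcast, its guests, or any project they mention: it normalizes component names and versions from two constructed, CycloneDX-style component lists using each ecosystem's own canonical-name rule (PEP 503 for PyPI, lowercase for npm, case-sensitive paths and a mandatory `v` prefix for Go modules), then diffs what the two scanners reported. The scanner outputs, component values and the `generic` ecosystem label for a system C library are all constructed for the example.

```python
"""Added example: normalize package identifiers across ecosystems, then diff two SBOMs.

Not from the podcast or any project it discusses. The two component lists below are
constructed to reproduce the disagreements the episode describes: spelling/case
differences, a stray 'v' version prefix, a transitive dependency only one scanner
included, and a system-level C library only one scanner included.
"""
import re


def normalize_name(ecosystem: str, name: str) -> str:
    """Apply the ecosystem's own canonical-name rule so spelling variants compare equal."""
    if ecosystem == "pypi":
        # PEP 503: runs of '-', '_' and '.' collapse to '-'; comparison is case-insensitive.
        return re.sub(r"[-_.]+", "-", name).lower()
    if ecosystem == "npm":
        # npm names are lowercase; a scoped name keeps its '@scope/' prefix.
        return name.lower()
    # Go module paths are case-sensitive; 'generic' (constructed label for a system
    # library found on disk) has no naming rule at all. Leave both untouched.
    return name


def normalize_version(ecosystem: str, version: str) -> str:
    """Strip presentation-only differences such as a leading 'v' leaked from a git tag."""
    v = version.strip()
    if ecosystem == "golang":
        # Go module versions always carry the 'v' prefix (e.g. v1.8.4).
        return v if v.startswith("v") else "v" + v
    # PyPI and npm metadata report bare versions; tolerate 'v1.2.3' from a tag.
    return v[1:] if v.startswith("v") and v[1:2].isdigit() else v


def to_key(component: dict) -> tuple:
    """(ecosystem, canonical name, canonical version): the identity a scanner should agree on."""
    eco = component["type"]
    return (eco, normalize_name(eco, component["name"]), normalize_version(eco, component["version"]))


def diff_sboms(a: list, b: list) -> tuple:
    """Return (only_in_a, only_in_b, in_both) as sorted lists of normalized keys."""
    ka = {to_key(c) for c in a}
    kb = {to_key(c) for c in b}
    return sorted(ka - kb), sorted(kb - ka), sorted(ka & kb)


# Constructed output of two hypothetical scanners over the same project.
SCANNER_A = [
    {"type": "pypi", "name": "PyYAML", "version": "6.0.1"},
    {"type": "pypi", "name": "Requests", "version": "2.31.0"},
    {"type": "npm", "name": "Lodash", "version": "4.17.21"},
    {"type": "golang", "name": "github.com/stretchr/testify", "version": "1.8.4"},
    {"type": "generic", "name": "zlib", "version": "1.2.13"},  # system C library, A only
]
SCANNER_B = [
    {"type": "pypi", "name": "pyyaml", "version": "6.0.1"},
    {"type": "pypi", "name": "requests", "version": "v2.31.0"},
    {"type": "pypi", "name": "urllib3", "version": "2.0.7"},  # transitive dep, B only
    {"type": "npm", "name": "lodash", "version": "4.17.21"},
    {"type": "golang", "name": "github.com/stretchr/testify", "version": "v1.8.4"},
]


def main() -> None:
    only_a, only_b, common = diff_sboms(SCANNER_A, SCANNER_B)
    print(f"agreed on {len(common)} components after normalization")
    for key in only_a:
        print("only scanner A reported:", key)
    for key in only_b:
        print("only scanner B reported:", key)


if __name__ == "__main__":
    main()
```

Without normalization the two lists share only one key (the npm entry, once lowercased) and every PyPI and Go component shows up as a disagreement; with it, the remaining differences are the real ones the episode describes: one scanner walked into the system-level C library and the other included a transitive dependency the first omitted. The (type, name, version) triple is also the core of what a Package URL carries, which is why a shared identifier spec removes much of this class of disagreement.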

Recent Episodes of Open Source Security

30 Mar 2026 Open Source Security at scale with Michael Wisner

The Alpha Omega Project addresses open-source security by targeting leverage points like Node.js and Python ecosystems, advocating for systemic solutions, dedicated security roles, sustainable funding, and registry infrastructure improvements to counter fragmented practices and downstream risks.

23 Mar 2026 2026 State of the Software Supply Chain with Brian Fox

The State of the Software Supply Chain Report pairs explosive open source growth (10T annual downloads) with critical challenges: malware proliferation (1.2M malicious packages), unresolved vulnerabilities (65% unaddressed), infrastructure strain, and AI's dual role as a risk (hallucinated dependencies) and an opportunity (MCP systems). It calls for improved tools, policies and cost management amid regulatory and scalability pressures.

16 Mar 2026 MCP and Agent security with Luke Hinds

The episode explores AI agent security risks such as prompt injection and open-source vulnerabilities, emphasizing the No-NO project's kernel-based sandboxing with a deny-by-default model, hardware enclaves and Rust-driven efficiency, alongside layered defenses, restricted commands and collaborative efforts to tackle evolving threats such as social engineering and insecure coding practices.

2 Mar 2026 Rust coreutils with Sylvestre Ledru

A modern rewrite of Unix command-line tools using Rust aims for memory safety, performance, and maintainability while achieving high compatibility.
