More Open Source Security episodes

Package management challenges with Andrew Nesbitt thumbnail

Package management challenges with Andrew Nesbitt

Published 6 Apr 2026

Duration: 36:08

Challenges in package management across ecosystems demand standardization to address fragmentation in naming, versioning, and dependencies, interoperability gaps between system-level and language-specific tools, SBOM scanner inconsistencies, and cross-ecosystem complexity, urging collaboration on shared specs and protocols despite cultural and practical barriers.

Episode Description

Josh welcomes back Andrew Nesbitt to discuss some recent blog posts he wrote about the challenges of new ecosystems as well as challenges of no ecosys...

Overview

The podcast explores challenges in package management across diverse software ecosystems, emphasizing the need for standardized practices and interoperability. Key issues include the fragmented nature of package repositories and metadata, which vary significantly between systems like NPM, PyPI, and Go modules. Ecosystems such as Zig face hurdles in integration with existing tooling, hosting platforms, and security standards like S-BOM (Software Bill of Materials), requiring repeated development efforts for each new language or manager. The discussion highlights how standalone package systems, such as Zigs, struggle to align with external tools and security protocols, creating barriers to adoption and complicating dependency tracking.

The podcast also underscores the complexity of cross-ecosystem dependencies, including inconsistencies in naming conventions, versioning, and the handling of system-level components like C libraries. SBOM scanners are critiqued for inconsistent results due to differing approaches to dependency inclusion and parsing, while the lack of universal standards exacerbates security and reproducibility challenges. Proposals for improvement include adopting standardized metadata formats, leveraging protocols like the Language Server Protocol (LSP) for package management, and promoting cross-ecosystem collaboration. The conversation stresses the importance of shared infrastructure and governance to reduce redundancy and address systemic issues, advocating for long-term coordination to create a more unified and reliable package management landscape.

Recent Episodes of Open Source Security

22 Jun 2026 Packagist and Composer security with Jordi Boggiano

Strategies for securing open-source ecosystems include malware detection via third-party feeds, transparency logs, rapid incident response, blocking malicious downloads, private registry controls, immutable package releases, standardized workflows, MFA enforcement, and technical proposals like artifact validation and build attestation, while addressing challenges like maintainer hacking, AI risks, usability trade-offs, and the need for ecosystem-wide alignment and human verification.

15 Jun 2026 Sustaining Open VSX with Mike and Thabang

Eclipse Foundation's OpenVSX, a VS Code extension repository, surged to 600M monthly downloads, evolved to a commercial model with enterprise SLAs and security teams, while addressing scalability, open-source balance, and funding challenges for AI expansion.

8 Jun 2026 Hacking your CI/CD with Francois Proulx

Critical vulnerabilities in open source CI/CD pipelines, including hijacking and supply chain attacks via social engineering or compromised builds, are highlighted through incidents like TJ Actions and Ultralytics, with mitigation strategies emphasizing secure credentials, externalized workflows, threat modeling, and tools like *Smoked Meat* and *Bagel* to enhance incident response and supply chain security.

1 Jun 2026 Open source verification with Sal Kimmich

Cybersecurity challenges include complex application ecosystems, overlooked kernel vulnerabilities, supply chain risks, and systemic risks from under-resourced organizations prioritizing surface-level controls, alongside calls for regulatory reforms, proactive threat modeling, secure development practices, and addressing tribal nations' unique legal and sovereignty concerns.

25 May 2026 Vulnerability disclosure with Casey Ellis

The evolution of vulnerability disclosure highlights challenges in prioritizing critical issues, outdated legal frameworks, and the role of initiatives like Disclosed.io in standardizing policies, alongside AI's impact on detection, open-source risks, triage complexities, and the need for collaboration and transparency to address systemic security barriers.

More Open Source Security episodes