More Open Source Security episodes


Open Source Pledge with Vlad-Stefan Harbuz

Published 27 Apr 2026

Duration: 34:56

Challenges in open source sustainability include undervaluing maintainers, dependency tracking issues, fragmented tooling, burnout, governance flaws, and paradoxical tool sustainability, necessitating financial support, sustainable governance, and collective action for long-term project viability.

Episode Description

Josh has a discussion with Vlad-Stefan Harbuz about the Open Source Pledge as well as his recent FOSDEM talk. The Open Source Pledge is all about tryi...

Overview

The podcast explores challenges in open source software maintenance, emphasizing the need for financial and systemic support for contributors. It highlights the Open Source Pledge, an initiative encouraging companies to pay $2,000 annually per full-time equivalent developer they rely on, to sustain open source maintainers. However, implementation faces hurdles, including difficulties in identifying maintainers, ineffectiveness of platforms like GitHub Sponsors, and debates over equitable funding models. The discussion also addresses broader issues like the undervaluation of open source labor, the ethical and social dimensions of collaboration, and the sustainability of projects reliant on single maintainers or unmanaged dependencies.

Technical and governance challenges are central, with problems in tracking binary dependencies (e.g., in Python packages) and the risks of unattributed security vulnerabilities. Tools like Thanks.dev and custom solutions offer partial remedies but lack scalability. The podcast underscores the vulnerability of open source projects due to burnout, limited governance structures, and the "bus factor" risk: projects dependent on a single contributor. Maintainers often struggle with balancing community expectations, personal well-being, and unpaid labor, while employers and users are urged to recognize their critical role. Systemic solutions, such as shared governance models, research funding for sustainability tools, and institutional support, are proposed to address these issues.

The conversation also critiques the tension between open source ideals and corporate practices, including the "market mentality" of expecting free fixes and the need for companies to prioritize long-term investment in open source. It stresses the importance of collective action, transparency in contributor dynamics, and fostering sustainable ecosystems to ensure the longevity of critical technologies. The discussion reflects a call for rethinking how open source is valued, maintained, and supported, both financially and structurally, to prevent burnout, neglect, and security risks.

Recent Episodes of Open Source Security

15 Jun 2026 Sustaining Open VSX with Mike and Thabang

Eclipse Foundation's OpenVSX, a VS Code extension repository, surged to 600M monthly downloads, evolved to a commercial model with enterprise SLAs and security teams, while addressing scalability, open-source balance, and funding challenges for AI expansion.

8 Jun 2026 Hacking your CI/CD with Francois Proulx

Critical vulnerabilities in open source CI/CD pipelines, including hijacking and supply chain attacks via social engineering or compromised builds, are highlighted through incidents like TJ Actions and Ultralytics, with mitigation strategies emphasizing secure credentials, externalized workflows, threat modeling, and tools like *Smoked Meat* and *Bagel* to enhance incident response and supply chain security.

1 Jun 2026 Open source verification with Sal Kimmich

Cybersecurity challenges include complex application ecosystems, overlooked kernel vulnerabilities, supply chain risks, and systemic risks from under-resourced organizations prioritizing surface-level controls, alongside calls for regulatory reforms, proactive threat modeling, secure development practices, and addressing tribal nations' unique legal and sovereignty concerns.

25 May 2026 Vulnerability disclosure with Casey Ellis

The evolution of vulnerability disclosure highlights challenges in prioritizing critical issues, outdated legal frameworks, and the role of initiatives like Disclosed.io in standardizing policies, alongside AI's impact on detection, open-source risks, triage complexities, and the need for collaboration and transparency to address systemic security barriers.

18 May 2026 F-Droid the open app store with Hans

F-Droid, an open-source Android app store modeled on Linux distributions, emphasizes security and transparency through source-code verification, contrasting with fragmented alternatives and corporate control, while addressing Android's ecosystem challenges and efforts to preserve open-source principles.
