More Open Source Security episodes

Open Source Pledge with Vlad-Stefan Harbuz

Published 27 Apr 2026

Duration: 34:56

Challenges in open source sustainability include undervalued maintainers, poor dependency tracking, fragmented tooling, burnout, governance flaws, and the paradox that the tools meant to sustain open source are themselves unsustainably funded; addressing them requires financial support, sustainable governance, and collective action for long-term project viability.

Episode Description

Josh has a discussion with Vlad-Stefan Harbuz about the Open Source Pledge as well as his recent FOSDEM talk. The Open Source Pledge is all about tryi...

Overview

The podcast explores challenges in open source software maintenance, emphasizing the need for financial and systemic support for contributors. It highlights the Open Source Pledge, an initiative encouraging companies to pay at least $2,000 per year for each full-time-equivalent developer on their staff to the maintainers of the open source software they rely on. Implementation faces hurdles, however, including difficulty in identifying who actually maintains a given dependency, the ineffectiveness of platforms like GitHub Sponsors at moving money to those people, and debates over equitable funding models. The discussion also addresses broader issues: the undervaluation of open source labor, the ethical and social dimensions of collaboration, and the fragility of projects that depend on a single maintainer or on unmanaged dependencies.

Technical and governance challenges are central, including the difficulty of tracking binary dependencies (for example, native libraries bundled inside Python packages, which never appear in declared dependency metadata) and the resulting risk that a security vulnerability in such a component is never attributed to the project that actually ships it. Tools like Thanks.dev and custom in-house solutions offer partial remedies but do not scale. The podcast underscores how exposed open source projects are to burnout, thin governance structures, and the "bus factor" risk of projects that depend on a single contributor. Maintainers often struggle to balance community expectations, personal well-being, and unpaid labor, while employers and users are urged to recognize the critical role those maintainers play. Systemic solutions are proposed: shared governance models, research funding for sustainability tooling, and institutional support.
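To make the binary-dependency problem concrete, the following is an added Python example; it is not code from the podcast, from the Open Source Pledge, or from any tool named above. It reads installed distribution metadata with the standard-library importlib.metadata module and reports, per distribution, its declared requirements, any native binaries listed in its RECORD file, and any Project-URL entry labelled as funding. The two packages it scans (purepkg and binpkg) are constructed fixtures written to a temporary directory, not real projects, and the funding URL is a placeholder. The point it demonstrates is that a wheel vendoring a shared library carries that library only as a file path in RECORD, so any tool that walks Requires-Dist to find maintainers or to attribute vulnerabilities never sees the upstream C project.

```python
"""Surface native binaries bundled inside installed Python distributions.

Added example, not code from the podcast or from any project it mentions.
A wheel that vendors a shared library lists that file in RECORD but declares
nothing about the upstream project in Requires-Dist, so Requires-Dist-based
funding or SBOM tooling never sees the binary dependency.
"""
from importlib import metadata
from pathlib import Path
import tempfile

NATIVE_SUFFIXES = {".so", ".pyd", ".dylib", ".dll"}


def is_native(path_str):
    """True for compiled extensions and vendored libraries.

    Matches ".so", versioned ".so.1", ".cpython-311-x86_64-linux-gnu.so",
    ".pyd", ".dylib" and ".dll" by looking at every suffix in the file name.
    """
    return any(s.lower() in NATIVE_SUFFIXES for s in Path(path_str).suffixes)


def funding_urls(dist):
    """Extract Project-URL entries whose label looks like a funding link."""
    urls = []
    for entry in dist.metadata.get_all("Project-URL") or []:
        label, _, url = entry.partition(",")
        label = label.strip().lower()
        if "fund" in label or "sponsor" in label:
            urls.append(url.strip())
    return urls


def scan(search_path=None):
    """Return {name: info} for every distribution found on search_path.

    search_path defaults to sys.path, i.e. the current environment.
    """
    if search_path is None:
        dists = metadata.distributions()
    else:
        dists = metadata.distributions(path=list(search_path))
    report = {}
    for dist in dists:
        files = [str(f) for f in (dist.files or [])]  # parsed from RECORD
        report[dist.metadata["Name"]] = {
            "version": dist.version,
            "requires": list(dist.requires or []),  # Requires-Dist only
            "native_files": sorted(f for f in files if is_native(f)),
            "funding": funding_urls(dist),
        }
    return report


def hidden_binary_deps(report):
    """Distributions that ship native code but expose no funding link.

    The C/C++ project they vendor is invisible to anything that only follows
    Requires-Dist, which is the attribution gap the episode describes.
    """
    return sorted(name for name, info in report.items()
                  if info["native_files"] and not info["funding"])


def make_fixture(root=None):
    """Write two constructed .dist-info directories and scan them.

    purepkg and binpkg are invented sample packages; the funding URL is a
    placeholder. binpkg mimics a wheel repaired by a tool such as auditwheel,
    which copies vendored shared objects into a "<name>.libs" directory.
    """
    root = Path(root or tempfile.mkdtemp())

    def write(name, version, extra_metadata, record_lines):
        d = root / f"{name}-{version}.dist-info"
        d.mkdir()
        header = f"Metadata-Version: 2.1\nName: {name}\nVersion: {version}\n"
        (d / "METADATA").write_text(header + extra_metadata)
        # RECORD is CSV: path,hash,size (hashes here are dummies)
        (d / "RECORD").write_text("\n".join(record_lines) + "\n")

    write("purepkg", "1.0",
          "Requires-Dist: binpkg\n"
          "Project-URL: Funding, https://example.invalid/sponsor/purepkg\n",
          ["purepkg/__init__.py,sha256=aaaa,10"])
    write("binpkg", "2.1", "",
          ["binpkg/__init__.py,sha256=bbbb,10",
           "binpkg/_ext.cpython-311-x86_64-linux-gnu.so,sha256=cccc,4096",
           "binpkg.libs/libfoo-1a2b3c4d.so.1,sha256=dddd,8192"])
    return scan([str(root)])


if __name__ == "__main__":
    result = make_fixture()
    for pkg, info in result.items():
        print(pkg, info)
    print("native code with no attributable upstream:", hidden_binary_deps(result))
```

Run it against a real environment with `scan()` (no argument) to see how many installed wheels carry native code that no dependency declaration points at; that list is the part of your software supply chain that per-dependency funding and vulnerability attribution currently miss.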

The conversation also critiques the tension between open source ideals and corporate practices, including the "market mentality" of expecting free fixes and the need for companies to prioritize long-term investment in open source. It stresses the importance of collective action, transparency in contributor dynamics, and fostering sustainable ecosystems to ensure the longevity of critical technologies. The discussion reflects a call for rethinking how open source is valued, maintained, and supported, both financially and structurally, to prevent burnout, neglect, and security risks.

Recent Episodes of Open Source Security

4 May 2026 How to actually test a disaster plan with David Bernstein

A three-part disaster recovery framework emphasizing simplicity, clear roles, and collaboration, utilizing structured testing via HSEEP, real-world validation, and continuous improvement through exercises, while addressing pitfalls and balancing realism with psychological safety.

20 Apr 2026 Building a plan for disaster with David Bernstein

Adaptive emergency management and disaster recovery demand dynamic strategies, structured frameworks like ISO 22301/NIST, cyclical preparedness, stress testing, stakeholder alignment, and resilience through collaboration and continuous learning to tackle evolving digital and physical risks.

13 Apr 2026 Open Source Malware with Paul McCarty

Open Source Malware (OSM) addresses the gap in detecting intentional malicious open-source components by cataloging threats, de-obfuscating code, extracting indicators of compromise, and providing post-incident data, while tackling challenges like persistent malicious packages, limitations of traditional tools against interpreted languages, fragmented collaboration, AI risks, and the need for improved CI/CD security, audit tools, and balanced AI-human oversight.

6 Apr 2026 Package management challenges with Andrew Nesbitt

Challenges in package management across ecosystems demand standardization to address fragmentation in naming, versioning, and dependencies, interoperability gaps between system-level and language-specific tools, SBOM scanner inconsistencies, and cross-ecosystem complexity, urging collaboration on shared specs and protocols despite cultural and practical barriers.

30 Mar 2026 Open Source Security at scale with Michael Wisner

The Alpha Omega Project addresses open-source security by targeting leverage points like Node.js and Python ecosystems, advocating for systemic solutions, dedicated security roles, sustainable funding, and registry infrastructure improvements to counter fragmented practices and downstream risks.
