Josh Bressers
Open Source Security
Open Source Security is a media project to help showcase and educate on open source security. Our goal is to give the community a platform educate both developers and users on how open source security works. There's a lot of good work happening that doesn't get attention because there's no marketing department behind it, they don't have a developer relations team posting on LinkedIn every two hours. Let's focus on those people and teams then learn what they do and how they do it. The goal is to hear from the people doing the work, they know what's up, they have a lot to teach us. We just have...
Author
Josh Bressers
Category
Podcast website
Latest episode
Jul 6, 2026
Where to listen?
Podcasts in the app Replaio Radio Coming soonPodcasts are coming to the app soon. Install now and be the first to see a whole new take on podcasts
Episodes
Rust Foundation Maintainers Fund with Lori and Niko 06.07.2026 32:46
Josh chats with Lori Lorusso and Niko Matsakis about the Rust Foundation Maintainers Fund. This is a new project the Rust Foundation has create to help fund Rust maintainers. It's a great discussion where Lori and Niko cover all the ways they expect to fund the maintainers which is never as easy as one initially expects. Funding open source is a huge topic right now, it sounds like the Rust Founda...
AIBOM, CBOM, and HBOM with Allan Friedman 29.06.2026 34:38
Josh chats with Allan Friedman about all things Bill of Materials. Allan did a ton of work to help turn SBOM into what it is today. He has many thoughts and ideas around the new types of BOMs, a concept he's calling the OmniBOM. Allan is always fun to chat with and he brings a ton of knowledge and advice. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2...
Packagist and Composer security with Jordi Boggiano 22.06.2026 34:48
Josh welcomes Jordi Boggiano the lead maintainer of Composer and Packagist to explain the truckload of security features they've recently added. Packagist is the PHP package registry, Composer is the dependency manager for PHP. Recently the people behind these projects have added a number of security features that will improve the security of the entire ecosystem. Jordi explains it all to us and g...
Sustaining Open VSX with Mike and Thabang 15.06.2026 36:53
Josh welcomes Mike Milinkovich and Thabang Mashologu from the Eclipse Foundation to talk about their new managed Open VSX registry. This is the first open source package registry to create a commercial operation for large company users to help fund the registry. We discuss how we got here, what's actually going on, and why this commercial approach is working. Everyone knew this day would come, and...
Hacking your CI/CD with François Proulx 08.06.2026 35:37
Josh welcomes back François Proulx to talk about the absolute madness in the CI/CD universe right now. We also learn about François' new project SmokedMeat which is a tool to help you hack your own CI/CD. When Josh spoke to François a year ago, the world was a very different place than it is today. François has a ton of knowledge about how we got here and what we can do moving forward. Boost Secur...
Open source verification with Sal Kimmich 01.06.2026 31:54
Josh chats with Sal Kimmich about the current state of everything, and what we can expect next. Sal has some incredible insight into what we can expect to see due to the current wave of security bugs and incidents. There are some new features we will need in both our hardware and software to ward off the state of things. Since those features are years away, what we need in the short term is shorin...
Vulnerability disclosure with Casey Ellis 25.05.2026 37:49
Josh talks to Casey Ellis about why vulnerability disclosure is so hard, and also so important. Casey is one of the best in this space having been a Bugcrowd founder. There are few people with more experience and insight into how a security vulnerability should be handled, and why the explosion of AI is making all this much harder than it's ever been before. While finding vulnerabilities is easy,...
F-Droid the open app store with Hans 18.05.2026 36:47
Josh talks to Hans-Christoph Steiner about F-Droid, the Free and Open Source Android App Repository. The way F-Droid works looks a lot like a Linux distribution which has some interesting security challenges, but also some great security benefits. Hans walks us through the current state of open app repositories and also what the future currently looks like. There are more open phones than ever bef...
Open source is critical infrastructure with Kat Cosgrove 11.05.2026 38:01
Josh talks to Kat Cosgrove about a how companies should be treating open source more like their critical infrastructure than free stuff. Kat has a ton of knowledge about how the interactions between companies and open source communities can work well, or not work at all. Kat's time on the Kubernetes Release Team. We touch on how a project like Kubernetes is super successful, while another, Ingress...
How to actually test a disaster plan with David Bernstein 04.05.2026 34:58
Josh and David finish up the disaster recovery and emergency planning trilogy. In this one David tells us how to test the plan he told us how to build in the last episode. There are some great ideas in this one about how to test the process not the people. How to construct the plan, and even some tips to go from a plan to some actual real world testing. It's another episode filled with great and p...
Open Source Pledge with Vlad-Stefan Harbuz 27.04.2026 34:56
Josh has a discussion with Vlad-Stefan Harbuz about the Open Source Pledge as well as his recent FOSDEM talk. The Open Source Pledge is all about trying to build a sustainable universe for open source maintainers. This ties into Vlad's FOSDEM talk which was all about the challenge of just knowing what open source you are using. The importance of trying to make open source sustainable is a really i...
Building a plan for disaster with David Bernstein 20.04.2026 39:19
Josh welcomes back David Bernstein to talk about creating a disaster recover plan. It's a very timely topic given all the current events. There are more supply chain attacks and compromises than ever before. There are some great resources for this planning, but as David tells us, it's really not that hard to put some plans together. It's easy to over-plan, David gives some great tips on getting st...
Open Source Malware with Paul McCarty 13.04.2026 38:23
Josh talks to Paul McCarty of Open Source Malware about ... open source malware. Paul explains why there aren't many good open source malware datasets. We discuss why the existing data is lacking for many use cases. We of course touch on AI and the malware in skills problems and challenges. It's a fun discussion with a lot of new and interesting problems we all have to deal with. The show notes an...
Package management challenges with Andrew Nesbitt 06.04.2026 36:08
Josh welcomes back Andrew Nesbitt to discuss some recent blog posts he wrote about the challenges of new ecosystems as well as challenges of no ecosystems like C. There aren't very many people who look at multiple ecosystems in the way Andrew does. He has thoughts on why it's so hard to create a new ecosystem as well as some of the reasons we don't see a C language ecosystem. Andrew has a ton of i...
Open Source Security at scale with Michael Winser 30.03.2026 42:30
Josh talks to Michael Winser about a talk he gave at FOSDEM as well as his work on Alpha Omega at the Linux Foundation. Michael is approaching open source security in a way that nobody has ever tried before. What if we could fund some really big, really hard projects? It's not cheap or easy, but he's getting it done. We spend a lot of the time discussing package registries, which are a huge topic....
2026 State of the Software Supply Chain with Brian Fox 23.03.2026 35:48
Josh chats with Brian Fox from Sonatype about their 2026 State of the Software Supply Chain report. Most of the number continue to grow at alarming rates, but there's some new interesting findings in this one. We discuss end of life and open source which is tough to define. We touch on what using AI with open source dependencies looks like (and why it's broken), and we discuss the challenge of upg...
MCP and Agent security with Luke Hinds 16.03.2026 35:36
Josh talks to Luke Hinds, CEO of Always Further, about MCP and agent security. We start out talking about Luke's new tool, nono which is a sandboxing tool that has AI agents in mind as a use case. We explain what MCP and agents are doing as well as why it's so hard to secure them. It's not impossible, but it's not simple either. We end the show by discussing some of the more human aspects to secur...
The State of OpenSSL for pyca/cryptography with Alex Gaynor and Paul Kehrer 09.03.2026 33:34
Josh talks to Paul Kehrer and Alex Gaynor, from the Python Cryptographic Authority. Alex and Paul recently published a statement discuss the challenges posed by modern OpenSSL. We discuss the statement and their relationship with OpenSSL. We chat about some of the current features in cryptography, as well as some of what's coming in the future. It's a fun conversation that hits on a lot of great p...
Rust coreutils with Sylvestre Ledru 02.03.2026 31:06
Josh talks to Sylvestre Ledru about the Rust coreutils project. We've been using GNU coreutils for decades now, and the goal of Rust coreutils is to rewrite these utilities in Rust. The primary reason isn't security, it's to modernize the code and attract new contributors. Sylvestre discusses with quite pleasant relationship with the GNU coreutils developers, some of the challenges in the project....
Goose and the Agentic AI Foundation with Brad Axen 23.02.2026 29:53
Josh chats with Brad Axen from Block about his creation Goose as well as the Agentic AI Foundation (AAIF). I am quite skeptical of many AI claims, but Brad has a very pragmatic view about where things are today and where we might see them head. Donating Goose to the AAIF is great news as well as seeing MCP and AGENTS.MD in the foundation. We discuss how to deal with the problem of raising up junio...
The Global Vulnerability Intelligence Platform with Olle E. Johansson 16.02.2026 34:24
Josh chats with Olle E. Johansson about the Global Vulnerability Intelligence Platform (GVIP). It's no secret the current vulnerability systems are reaching a breaking point. Olle is one of the few people with a long term vision instead of trying to just fix the short term problems. His GVIP ideas are very good, but it's a community effort and needs our help. Give it a listen and if it sounds inte...
Digital Sovereignty and Nextcloud with Frank Karlitschek 09.02.2026 32:26
Josh talk to the founder and CEO of Nextcloud, Frank Karlitschek about digital sovereignty. There's a lot of attention lately around digital sovereignty and often that conversation also includes Nextcloud. Frank tells us all about how Nextcloud works, how it can be used to free your data, and has some great insight into what decentralization already looks like and what it could look like soon. The...
The Art of Crisis Management with David Bernstein 02.02.2026 35:32
Josh talks to David Bernstein about the world of crisis management and business continuity. David is a certified emergency manager and tell us about preparing for both digital and physical disruptions. Everything is IT now, so the way we think about disaster preparedness is changing. We talk about understanding risks, creating plans, and the role of practice in the world of crisis management. This...
WTF is a passkey with William Brown 26.01.2026 1:02:55
William Brown is back! This time Josh chats with him about Passkeys. WTF are they? A Passkey is a form of multi factor authentication, but it's not super obvious what that really means. William does a fantastic job explaining what a Passkey is, how we got to where we are today with Passkeys. He shares a ton of explanations about the whole world of authentication along the way. Some of this stuff i...
All about Suricata with Victor Julien 19.01.2026 32:11
Josh discusses Suricata with Victor Julien, the founder and lead developer of the project. Victor explains the history of the project, its impact on cybersecurity, and the community that keeps it all running. Challenges like encrypted traffic and the evolution of open-source projects. Victor even gives us a glimpse into what he sees as the future of the project. There's a lot to learn about Surica...
Similar podcasts
Replaio is not a podcast publisher; show names, artwork and audio belong to their authors and are distributed through public RSS feeds.