Josh Bressers
Open Source Security
Open Source Security is a media project to help showcase and educate on open source security. Our goal is to give the community a platform educate both developers and users on how open source security works. There's a lot of good work happening that doesn't get attention because there's no marketing department behind it, they don't have a developer relations team posting on LinkedIn every two hours. Let's focus on those people and teams then learn what they do and how they do it. The goal is to hear from the people doing the work, they know what's up, they have a lot to teach us. We just have...
Author
Josh Bressers
Category
Podcast website
Latest episode
Jul 6, 2026
Where to listen?
Podcasts in the app Replaio Radio Coming soonPodcasts are coming to the app soon. Install now and be the first to see a whole new take on podcasts
Episodes
Episode 411 - The security tools that started it all 15.01.2024 29:27
Josh and Kurt talk about a grab bag of old technologies that defined the security industry. Technology like SELinux, SSH, Snort, ModSecurity and more all started with humble beginnings, and many of them created new security industries. Show Notes SELinux AppArmor SSH ModSecurity Snort Nmap Nessus What comes after open source
Episode 410 - Package identifiers are really hard 08.01.2024 31:52
Josh and Kurt talk about package identifiers. We break this down in the context of an OpenSSF response to a CISA paper on software identifications. The identifiers that get all the air time are purl, CPE, SWID, and OmniBOR. This is a surprisingly complex problem space. It feels easy, but it's not. Show Notes OpenSSF CISA response purl CPE OmniBOR SWID
Episode 409 - You wouldn't hack a train? 01.01.2024 35:35
Josh and Kurt talk about how some hackers saved the day with a Polish train. We delve into a discussion about how we don't really own anything anymore if you look around. There's a great talk from the Blender Conference about this and how GPL makes a difference in the world of software ownership. It's sort of a dire conversation, but not all hope is lost. Show Notes Polish manufacturer accused of...
Episode 408 - Does Kubernetes need long term support? 25.12.2023 32:15
Josh and Kurt talk about a story asking for a Kubernetes LTS. Should open source projects have LTS versions? What does LTS even mean? Why is maintaining software so hard? It's a lively discussion all about the past, present, and future of open source LTS. Show Notes Why Kubernetes needs an LTS Linux gives up on 6-year LTS kernels, says they're too much work
Episode 407 - Should Santa use AI? 18.12.2023 36:23
It's the 2023 Christmas Spectacular! Josh and Kurt talk about what would happen if Santa starts using AI to judge which children are naughty and nice. There's some fun in this one, but it does get pretty real. While we tried to discuss Santa using AI, the reality is this sort of AI is coming for many of us. AI will be making decisions for all of us in the near future (if it isn't already). While l...
Episode 406 - The security of radio 11.12.2023 34:41
Josh and Kurt talk about a few security stories about radio. The TETRA:BURST attack on police radios, spoofing GPS for airplanes near Iran, and Apple including cellular radios in the macbooks. The common thread between all these stories is looking at the return on investment for security. Sometimes good enough security is fine, sometimes it's not worth fixing certain security problems because the...
Episode 405 - Modding games isn't cheating and security isn't fair 04.12.2023 31:47
Josh and Kurt talk about Capcom claiming modding a game is akin to cheating. The arguments used are fundamentally one of equity vs equality. Humans love to focus on equality instead of equity when we deal with most problems. This is especially true in the world of security. Rather than doing something that has a net positive, we ignore the details and focus on doing something that feels "right". S...
Episode 403 - Does the government banning apps work? 27.11.2023 35:04
Josh and Kurt talk about the Canadian Government banning WeChat and Kaspersky. There's a lot of weird little details in this conversation. It fundamentally comes down to a conversation about risk. It's easy to spout nonsense about risk, but having an honest discussion about it is REALLY complicated. But the government plays by a very different set of rules. Show Notes Canada bans WeChat, Kaspersky...
Episode 402 - The EU's eIDAS regulation is a terrible idea 20.11.2023 30:29
Josh and Kurt talk about the new EU eIDAS regulation. This is a bill that will force web browsers to add root certificates based on law instead of technical merits, which is how it's currently done. This is concerning for a number of reasons that we discuss on the show. This proposal is not a good idea. Show Notes Mozilla site Root CA mailing list UK eIDAS regulation EFF statement on eIDAS Fixed X...
Episode 401 - Security skills shortage - We've tried nothing and the same thing keeps happening 13.11.2023 40:09
Josh and Kurt talk about security skills shortage. We start out on the topic of cybersecurity skills and weave our way around a number of human related problems in this space. The world of tech has a lot of weird problems and there's not a lot of movement to fix many of them. Tech is weird and hard, and with the almost complete lack of regulation creates some of these challenges. In the world of s...
Episode 400 - When can the government hack a victim? 06.11.2023 32:17
Josh and Kurt talk about a proposed Dutch proposal that would allow the intelligence services to hack victims of adversaries they are in the process of infiltrating. The purpose of this discussion isn't to focus on the Dutch specifically, but rather to discuss the larger topic of government oversight. These are all very new concepts and nobody knows how things should work. Show Notes Dutch hacking...
Episode 399 - Curl, Security, and Daniel Stenberg 30.10.2023 37:53
Josh and Kurt talk to Daniel Stenberg about curl. Daniel is the creator of curl, we chat with him about the security of curl. Daniel tells us how curl is kept secure, we learn about some of the historical reasons curl works the way it does. We hear the story about the curl CVE situation firsthand. We also touch on the importance of curating the community of a popular open source project. Show Note...
Episode 398 - Is only 11% of open source maintained? 23.10.2023 36:49
Josh and Kurt talk about Sonatype's 9th Annual State of the Software Supply Chain. There's a ton of data in the report, but the thing we want to talk about is the statistic that only 11% of open source is actually being maintained. Do we think that's true? Does it really matter? Show Notes Sonatype report ecosyste.ms GNOME libcue flaw Reality 2.0 supply chain episode
Episode 397 - The curl and glibc vulnerabilities 16.10.2023 34:25
Josh and Kurt talk about a curl and glibc bug. The bugs themselves aren't super interesting, but there are other conversations around the bugs that are interesting. Why don't we just rewrite everything in Rust? Why can't we just train developers to stop writing insecure code. How can AI solve this problem? It's a marvelous conversation that ends on the very basic idea: we already have the security...
Episode 396 - CLAs are bad, Mkay? 09.10.2023 35:26
Josh and Kurt talk about contributor license agreements (CLAs). CLAs used to be seen as a necessary evil, but they're almost certainly bad now. We're seeing CLAs being abused, it's clear now anything controlled by a CLA won't be open source forever. Show Notes A Theory of Joint Authorship for Free and Open Source Software Projects Bruce Perens: What Comes After Open Source
Episode 395 - Uncertainty, trust, and security 02.10.2023 33:47
Josh and Kurt talk about uncertainty. There are a bunch of stories in the news lately that really just boil down to uncertainty. Uncertainty is incredibly dangerous for everyone. We are afraid of uncertainty, and often don't really understand why it is. Trust is like a currency and uncertainty erodes trust faster than almost anything else. Show Notes Unity's license mess Godot Meta and Salesforce...
Episode 394 - The lie anyone can contribute to open source 25.09.2023 35:48
Josh and Kurt talk about filing bugs for software. There's the old saying that anyone can file bugs and submit patches for open source, but the reality is most people can't. Filing bugs for both closed and open source is nearly impossible in many instances. Even if you want to file a bug for an open source project, there are a lot of hoops before it's something that can be actionable. Show Notes L...
Episode 393 - Can you secure something you don't own? 18.09.2023 33:47
Josh and Kurt talk about the weird world we live in how where we can't control a lot of our hardware. We don't really have control over most devices we interact with on a daily basis. The conversation shifts into a question of how can we decide what to trust and where. It's a very strange problem we experience now. Show Notes Boots theory MGM cybersecurity issue shuts down slot machines and ATMs i...
Episode 392 - Curl and the calamity of CVE 11.09.2023 46:25
Josh and Kurt talk about why CVE is making the news lately. Things are not well in the CVE program, and it's not looking like anything will get fixed anytime soon. Josh and Kurt have a unique set of knowledge around CVE. There's a lot of confusion and difficulty in understanding how CVE works. Show Notes Curl blog post Now it's PostgreSQL's turn to have a bogus CVE GitHub Advisory Database Josh's...
Episode 391 - The Wordpress 100 year disaster recovery problem 04.09.2023 39:11
Josh and Kurt talk about wordpress selling web services with a 100 year lifespan. Will WordPress still be around in 100 years? What would 100 years of disaster recovery look like? Most of us will never need to think about 100 years of disaster recovery. Show Notes WordPress is now selling 100-year domains Danish ransomware 15-Minute City The Year Without Pants
Episode 390 - Rust shipping binaries doesn't matter 28.08.2023 39:19
Josh and Kurt talk about a blog post that explains how C and C++ compilers prioritize performance over correctness. This is the class story of security vs usability. Security is never the primary goal. If a security requirement doesn't also enable other business goals it will fail. We also touch on the news of a Rust package containing binary files. It doesn't really have anything to do with secur...
Episode 389 - What would HashiCorp do? 21.08.2023 42:16
Josh and Kurt talk about the HashiCorp license change and copyright problems in open source. This isn't the first and won't be the last time we see this, but it's very likely open source developers and communities will view any project that has a contributor license agreement as a problem moving forward. Show Notes Josh's BSidesLV talk Hacker News marked site as malware HashiCorp license change A...
Episode 388 - Video game vulnerabilities 14.08.2023 32:40
Josh and Kurt ask the question what is a vulnerability, but in the framing of video games. Security loves to categorize all bugs as security vulnerabilities or not security vulnerabilities. But the reality nothing is so simple. Everything is a question of risk, not vulnerability. The discussion about video games can help us to better have this discussion. Show Notes Colossus bug Minecraft Heist
Episode 387 - Enterprise open source is different 07.08.2023 34:04
Josh and Kurt talk about the difference between what we think of as traditional open source, and enterprise software projects that have an open source license. They are both technically open source, but how the projects work is very very different. Show Notes CentOS Stream PR The Most Prolific Packager For Alpine Linux Is Stepping Away
Episode 386 - We are watching web 2.0 burn 31.07.2023 31:41
Josh and Kurt talk about a new Google proposal that would add DRM for the web. All the ad driven companies seem to be acting very strangely, there's probably a reason for this. The way ads used to pay for content is changing, but a lot of these giant companies don't know how to adapt. It's going to be very interesting times in the near future. Show Notes Web Environment Integrity Hacker News Threa...
Similar podcasts
Replaio is not a podcast publisher; show names, artwork and audio belong to their authors and are distributed through public RSS feeds.