Open Source Security Podcast Josh Bressers & Kurt Seifried

Josh and Kurt talk about two documents from the US government that discuss open source in very different ways. The CISA document lays out a way to measure open source, but we take issue with the idea of trying to measure which open source projects are "good". The Whitehouse on the other hand takes an approach that is very open source, get involved. Trying to measure open source isn't producing anything actionable, but getting involved is very actionable, and very much how open source works.
Show Notes CISA: Continued Progress Towards a Secure Open Source Ecosystem Whitehouse: Administration Cybersecurity Priorities for the FY 2026 Budget

Josh and Kurt talk about a pretty big bug found in CocoPods ownership. We also touch on a paper that discusses the technical debt that open source should have. We discuss what the long term sustainability of open source. There aren't any good solutions for open source today, but talking about these problems is important, we have to start to understand what's going on before we can plausibly discuss solutions. If you're an open source project that needs to put things on pause, or even walk way, that's OK.
Show Notes CocoaPods Vulnerabilities Could Hit Apple, Microsoft, Facebook, TikTok, Snap and More The Expense of Unprotected Free Software Long-term maintenance of PCRE2 #426

Josh and Kurt talk about the recent OpenSSH vulnerability and the node-ip project owner taking their project private. They're quasi related in the context of two open source projects handled bugs very differently. The OpenSSH bug isn't really as serious as it seems, but you still want to patch.
The node-ip bug is a very different story. The relationship between users and open source developers is one experiencing more strain now than we've ever seen. It's a weird conversation and we don't have good answers. Security in general is a collection of unsolvable problems.
Show Notes Qualys security advisory Hacker News Discussion Security Cryptography Whatever Dev rejects CVE severity, makes his GitHub repo read-only

Josh and Kurt talk about the latest polyfill.io mess. Apparently someone took over a very popular project and started to serve malware. First XZ, now this. What does it mean for open source? We don't have any answers, and it's hard to even talk about this problem because it's so big. The thing is though, even if we can't fix open source, it's here to stay.
Show Notes Polyfill supply chain attack hits 100K+ sites OpenSSF Scorecard

Josh and Kurt talk about three wangles of responsibility. We start with a story about a bike theft ring, bike theft doesn't usually get any attention, but this one is special. Then we ask why it seems like everyone is getting hacked, it's because they have to tell us now. And finally we have a story about the huge number of unreported vulnerabilities in open source projects. This statistic probably affects all software, but there's some numbers for open source specifically.
Show Notes The West Coast’s Fanciest Stolen Bikes Are Getting Trafficked by One Mastermind in Jalisco, Mexico $5 million worth of stolen tools recovered thanks to Apple's AirTag — 12 secret storage facilities had around 15,000 construction tools Vulnerability fixes in plain sight: How your scanners are missing hundreds of vulnerabilities

Josh and Kurt talk about a new proposal from OpenSSH to add a timeout to penalize clients misbehaving. But this then brings up the typical security conversation of "if it's not perfect we shouldn't do it". Trying new things is a good thing, even if something fails, we learn a lesson that we can use in the future.
Show Notes OpenSSH introduces options to penalize undesirable behavior Hacker News comments