Open Source Security

William Brown is back! This time Josh chats with him about Passkeys. WTF are they? A Passkey is a form of multi factor authentication, but it's not super obvious what that really means. William does a fantastic job explaining what a Passkey is, how we got to where we are today with Passkeys. He shares a ton of explanations about the whole world of authentication along the way. Some of this stuff is basically magic. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2026/2026-01-passkey-william-brown/

Josh discusses Suricata with Victor Julien, the founder and lead developer of the project. Victor explains the history of the project, its impact on cybersecurity, and the community that keeps it all running. Challenges like encrypted traffic and the evolution of open-source projects. Victor even gives us a glimpse into what he sees as the future of the project. There's a lot to learn about Suricata in this one. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2026/2026-01-suricata-victor-julien/

Josh talks to Gergely Nagy (algernon) about his tool Iocaine. Iocaine creates a maze to trap scraping bots in a world a fake pages they cannot escape. algernon tells us how Iocaine effectively traps bots by serving them endless loops of nonsensical URLs and web pages. It's an extremely clever tool that's designed to be completely hidden from normal users, but not hidden to the scrapers. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2026/2026-01-iocaine-algernon/

Josh chats with Xe Iaso, the creator of Anubis the web AI firewall. We discuss how Anubis is tackling bots and scrapers. The discussion around the scrapers is fascinating and challenging, these things are everywhere and don't behave very nicely. There's also discussion about running a successful open source project. Xe has a lot of experience to share with us, you're going to learn something new with this one. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2026/2026-01-anubis-xe/

Josh talk to Dirkjan and Joe about Rustls (pronounced rustles), a Rust-based TLS library. Dirkjan and Joe are developers on Rustls. We talk about the history that got us to this point. The many many challenges in writing a TLS library (Rust or not). We also chat about some of what's to come. Rustls has an OpenSSL compatibility layer which makes is a really interesting project. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-12-rustls-dirkjan-joe/

Josh welcomes back Daniel Thompson explore the rather silly question of whether Santa Claus needs to be compliant with the Cyber Resilience Act (CRA). This episode was intended to be silly, but it ended up being an incredibly interesting conversation. Daniel explained a great deal about how the CRA works and how it could apply to Santa Claus. The TL;DR is even if he's giving out free stuff, the CRA almost certainly applies. Daniel also fills us in on his book (you can email Josh to enter into a drawing for a copy), and his work on web browsers for the CRA. It's an incredibly informative discussion. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-12-daniel-thompson-santa-cra/

Josh has a chat with Gabriele Columbro, Executive Director of the Fintech Open Source Foundation and General Manager of Linux Foundation Europe. We of course discuss the Cyber Resilience Act (CRA), the evolving landscape of open source regulation, and the collaborative efforts of major foundations. Open source is everywhere, but there's also a ton of work to do now. Gabriele has really good insight into where things are today and where they are heading in the future for open source and regulation. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-12-lfeu-gab/

Josh discusses updating open source dependencies with Jamie Tanna. Jamie works on Renovate which gives them a lot of insight into the challenges of keeping your open source updated. We discuss the challenges of semantic versioning, supply chain security, and AI-generated code. If you're new or old to the world of open source dependencies, there's something to learn from this chat. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-12-renovate-jamie

Josh discusses the TARmageddon vulnerability with Alex Zenla, CTO of Edera. In this episode, we explore the discovery of the TARmageddon vulnerability. It's especially interesting because it's Rust, but also involves multiple end of life crates. Alex shares the story of how Edera managed to figure all this out (it was not simple). Hard problems are still hard, but there's a lot of lessons in this one. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-12-tarmageddon-alex/

In this episode Seth Larson gives us a cornucopia of topics relating to Python security. Seth discusses the Python Software Foundation's decision to reject a significant grant NSF. Diversity is a big deal to python, so this was a no brainier. We discuss the upcoming PyCon US conference, featuring a new security track that fosters collaboration between developers and security experts. Josh is a huge fan of having a security track at developer conferences. And we close on a paper about zip and tar archives Seth wrote. It seems like we should have zip and tar security figured out by now, but we don't. Thankfully Seth is working on it. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-11-python-security-seth-larson/

Josh talks to Richard Hughes about the world of firmware. We cover how Richard's journey from developing the ColorHug led to the creation of the Linux Vendor Firmware Service (LVFS), changing how firmware updates are managed for nearly every Linux user. Updating firmware has always been dicey, and on Linux it used to be impossible. Richard helps us understand how this all works and how we can all help out. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-11-lvfs-richard-hughes/

Josh chats with Charlie Erickson, a security researcher at Aikido Security. We discuss the recent NPM supply chain attacks that affect hundreds of packages. Charlie shares his experiences dealing with recent security breaches, the challenges of maintaining trust in open source software, and the importance of proactive measures to safeguard open source. The rapid pace of change is impacting our security practices and what steps can be taken to foster resilience in the face of evolving threats. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-11-npm-charlie/

In this episode, Josh and Otto dive into the world of Debian packaging, exploring the challenges of supply chain security and the importance of transparency in open source projects. They discuss Otto's blog post about the XZ backdoor and how it's a nearly impossible attack to detect. Otto does a great job breaking down an incredibly complex problem into understandable pieces. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-11-xz-debian-otto/

In this conversation, Josh speaks with Mikael Barbero, head of security at the Eclipse Foundation. They discuss the foundation's role in enhancing the security posture of open source projects, the importance of Software Bill of Materials (SBOMs), and the various security services provided to projects. Mikael explains the challenges and strategies involved in implementing security best practices across a diverse range of projects, as well as the foundation's proactive approach to navigating security regulations and compliance. This is some great security work happening for open source projects. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-10-eclipse-sbom-mikael-barbero/

I chat with Joshua Rogers about a blog post he wrote as well as some bugs he submitted to the curl project. Joshua explains how he went searching for some AI tools to help find security bugs, and found out they can work, if you're a competent human. We discuss the challenges of finding effective tools, the importance of human oversight in triaging vulnerabilities, and how to submit those bugs to open source projects responsibly. It's a very sane and realistic conversation about what AI tools can and can't do, and how humans should be interacting with these things. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-10-ai-joshua-rogers/

Brian Fox discusses the challenges and future of open source package repository infrastructure. We discuss the complexities of managing public registries, the impact of overconsumption, and the importance of sustainable practices in the open source community. Brian tells us how organizations can reduce their footprint and contribute to a more balanced ecosystem. The package repositories cannot continue to be the world's CDN. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-10-sustaining-repos-brian-fox/

Join us for a conversation with Foxboron (Morten Linderud) and Anthraxx (Levente Polyak), members of the Arch Linux security team. We talk about the difficulties of maintaining a Linux distribution, the challenges of handling CVEs, and the dedication of volunteers who keep the open-source community working (and how overworked those volunteers are). We explain what makes Arch a little different, how they approach their security process, and what sort of help they would love to see in the future. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-09-arch-foxboron-anthraxx/

I discuss all things OpenSSL with Hana Andersen and Anton Arapov from the OpenSSL Corporation. Discover the intricacies of organizing the first-ever OpenSSL conference in Prague, the importance of post-quantum cryptography, and the evolution of OpenSSL from a small team to a global community. Whether you're a seasoned cryptographer or just curious about the future of secure communications, this episode offers insights and stories. Don't miss out on learning how OpenSSL is still shaping the future of cryptography. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-09-openssl-hana-anton/

In this episode I discuss the Python Software Foundation with Deb Nicholson. We discuss their contributions to the Python programming community. Learn how this dedicated organization supports the growth and innovation of Python, fostering an ecosystem for developers worldwide. Everything funding open-source projects to organizing community events, discover the initiatives that make the Python Software Foundation a force for positive change in the tech world. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-09-psf-deb-nicholson/

In this episode, we the information system mapping tool Mercator with Didier Barzin, a CISO at a hospital in Luxembourg. Discover how Mercator revolutionizes the way organizations map their complex information systems. From hospitals to universities and even the banking sector. Mercator helps manage and protect vast networks by creating dynamic, comprehensive maps that replace outdated Excel sheets. Join us as we explore the challenges and innovations in information security and the impact of Mercator on various industries. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-09-mercator-didier-barzin/