OK open source security nerds, I need your help

I have a podcast youtube show thing called Open Source Security

https://opensourcesecurity.io/

I'm always looking for guests. Back when I changed formats in January I had a pretty large list of people sent to me as suggestions. I've made it through the list (it took me 10 months)

If you know someone (or are someone) doing open source security work I would love a suggestion. DMs are open and there are other contact things on the website

I especially like guests who are unsung heroes


@joshbressers I mean, I would love to hear you talk with @GossiTheDog about all the crazy things he keeps track of.

Or maybe https://github.com/zpavlinovic who works a lot on govulncheck. Should be up your alley given the security scanning aspects ;)

I've tried to find a good angle on Home Infrastructure/Homelab security since we last talked but still haven't found the right focus yet. It easily explodes into sidetracks.

Maybe these suggestions help. :)

Walter Pearce, from Rust, would be a great candidate. He has a broad spectrum of interests and a huge amount of security expertise in various areas, and could give interesting perspectives on security from a large Open Source project with both standard and novel security challenges.
@joshbressers
Not sure if the rubygems debacle has settled enough, but I'd love to hear you chat with someone involved in that at some point!
@carol I'm not sure I have the fortitude to tackle that one just yet :)
@joshbressers yes you should interview @yossarian

@Tanuki @joshbressers he did! https://opensourcesecurity.io/2025/2025-05-securing-github-actions-william-woodruff/

(I’d be happy to be back on it whenever though, but 5 months seems short lol)

Securing GitHub Actions with William Woodruff

William Woodruff discussed his project, Zizmor, a security linter designed to help developers identify and fix vulnerabilities within their GitHub Actions workflows. This tool addresses inherent security risks in GitHub Actions, such as injection vulnerabilities, permission issues, and mutable tags, by providing static analysis and remediation guidance. Fresh off the heels of the tj-actions/changed-files backdoor, this is a great topic with some things everyone can do right away.

@yossarian @Tanuki

You should totally come back sometime soon. Your work in many different areas is propping up a lot of our open source infrastructure

@joshbressers Has anyone recommended @dildog or any of the other #Veilid team members? (I'm technically a team member, but you really wanna talk to someone with their fingers in the guts. I just make words.)

@Sempf @dildog

I tried to lure @thegibson onto the show to talk about Veilid, but he totally ghosted me :)

But yes, I would love to talk about Veilid

@joshbressers Recently, @thegibson admitted to being overwhelmed (which is true, the dood does everything) so you might have just fallen through the cracks. Lemme ping the discord and see if I can drum someone up.
@joshbressers I think I suggested one of the rustls maintainers last time? @ctz

@djc @ctz

From what I can see, that's the two of you :)

You can play paper rock scissors, or both are welcome. Let me know!

@joshbressers Christian Holler for JavaScript and IPC fuzzing. I can introduce you to him.
@sylvestre I would love an intro!
@joshbressers
@firstyear might be fun for a rant on OSS passkeys 🥲
@jinna @joshbressers Funny you say this, I've actually already been on the show about this! Though I'd be happy to come back and talk more about webauthn, kerberos, ldap, or anything oss auth in general.
@firstyear @jinna @joshbressers which episode was that? My brain tells me that I have listened to it, but I cannot find it anymore.
FIDO authentication with William Brown

When William Brown posted a rant on Mastodon about the FIDO Metadata Service, it sounded like exactly the sort of thing I wanted to learn more about. So that’s what I did! It’s a fun conversation, William is really good at explaining insanely complicated topics in a way that’s easy to understand. This one is dense, but it’s really interesting, you’re going to learn a ton.
@firstyear @jinna You're welcome back anytime!
@joshbressers @jinna We need to think of a topic to chat about then!
@firstyear @jinna how about “what the hell is a passkey” :)
@joshbressers @jinna Oh which definition do you want, there are like 5 🤣
But yeah, could be a fun one to talk about.
@firstyear @jinna Right, that's the fun :)
@joshbressers @jinna Send me an email then and we can work something out :)

@firstyear @jinna

Sent!

I'm looking forward to being confused to death :)

@joshbressers
Holger Levsen, lead for reproducible builds. Chris Lamb might be interesting to interview there.
@mjg59 for Secure Boot and TPMs
@vathpela for Secure Boot.
@alexmurray Ubuntu security team
@msmeissn OpenSUSE Security Team
@filippo age, cryptography, transparency logs
@jas For hardware security, reproducible builds
@mdeslaur Ubuntu security
@thesamesam Gentoo security team
@hexa NixOS security team
@sangy Supply Chain Security research and state-of-the-art
@joshbressers
Also sent the post to the IRC channel with other distro security teams. Not sure if I can find everyone on mastodon :)
@Foxboron This is a marvelous list, thanks!

@joshbressers You already had OpenSSL on, so I'm not sure I could add much more than what they have already said (I'm the product owner of the RHEL crypto team).

But maybe @RezzaBuh would be up to talk about either certification, or upcoming EU regulations like NIS2?

@neverpanic @RezzaBuh

I'm adding you to the list too. While I did just talk to OpenSSL, I think a chat about what managing crypto in a distro looks like would be interesting

@neverpanic @joshbressers anytime, we can figure out some open source compliance topic!
@joshbressers I have said before and I will say it again. @ekuber should be there, because he probably did more for FOSS security than the whole security industry :)

@Di4na @ekuber I remember you telling me this, and I clearly didn't write it down last time :)

But I did this time!

@joshbressers Open Source Nerds... on Youtube... find the misconception!
@joshbressers maybe not necessarily security related but nevertheless important for device security: @hughsie
@pink @hughsie His work on fwupd is super security related I would say :)
@groved @joshbressers @lrvick he does a lot of work on supply chain security, reproducible builds, boot security, secure enclaves, hardware based attestation etc
@joshbressers @kees on kernel hardening or chromium :P
@joshbressers can't go wrong with @bluca on run0, systemd-homed and other systemd related tools :P
@joshbressers How about Kurt? I miss his witty remarks and the occasional pothole 😇
@joshbressers besides @zeek there is https://malcolm.fyi, I messaged them in the zeek slack, maybe they would be interested
Would you be interested in hearing from any of the Renovate maintainers? (either freelance maintainers or paid maintainers at Mend)

@www.jvt.me

It's a super interesting problem, I think it would be a great discussion