| Podcast | https://opensourcesecurity.io/ |
| Web | https://bress.net |
| Cookies? | Yes please |
| TTY | 1 |
| Signal | joshbressers.01 |
This week I had a chat with Michael Winser about securing open source at scale.
We recorded prior to the events of the last few weeks; everything Michael talks about with securing our infrastructure is spot on.
We touch on package repositories, Alpha Omega, foundations, and more. Michael is doing some really interesting work.

Josh talks to Michael Winser about a talk he gave at FOSDEM as well as his work on Alpha Omega at the Linux Foundation. Michael is approaching open source security in a way that nobody has ever tried before. What if we could fund some really big, really hard projects? It’s not cheap or easy, but he’s getting it done. We spend a lot of the time discussing package registries, which are a huge topic. Michael is doing some amazing work helping package registries, which is the first step in a very long journey.

Software and digital security should rely on verification, rather than trust. I want to strongly encourage more users and consumers of software to verify curl. And ideally require that you could do at least this level of verification of other software components in your dependency chains. Attacks are omnipresent With every source code commit and …
I wrote this up in a bit more detail in a clickbait titled article

Thank you for clicking on the clickbait! What a year it’s been. It seems like open source is under constant attack. The security people don’t know what’s going on anymore. What day is it? It doesn’t matter. The latest open source mess is the popular open source scanner Trivy being compromised, for a month, then other open source projects downstream in the “chain” getting compromised, which will probably lead to more things getting compromised until we get back to Trivy someday. Then I think we have to call it a supply wheel. I’m not sure how these rules work.
I love the hot takes that this Trivy debacle will be the end of open source
Heartbleed didn't kill open source
Log4Shell couldn't get the job done
xz tried and failed
This won't kill it either
Free is too good of a deal
We can remove strncpy() from the Linux kernel finally! I did the last 6 instances, and dropped all the implementations:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=dev/v7.0-rc2/strncpy
Over the last 6 years working on this, there were 362 commits by 70 contributors. The folks with more than 1 commit were:
211 Justin Stitt
22 Xu Panda
21 Kees Cook
17 Thorsten Blum
12 Arnd Bergmann
4 Pranav Tyagi
4 Lee Jones
2 Steven Rostedt
2 Sam Ravnborg
2 Marcelo Moreira
2 Krzysztof Kozlowski
2 Kalle Valo
2 Jaroslav Kysela
2 Daniel Thompson
2 Andrew Lunn
Thank you to all of you! (And especially to Justin Stitt who took on the brunt of the work.)
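As an added illustration of why that removal matters (this is example code, not from the post or the kernel tree): strncpy() neither guarantees a terminating NUL nor reports truncation, which is exactly the pair of pitfalls the kernel's replacement helpers close. The safe_strcpy() below is a small userspace stand-in with strscpy()-like semantics (assumed here; it is not the kernel's implementation).

```c
/* Added example, not code from the post or the kernel: show the two
 * strncpy() pitfalls and a bounded copy that avoids both. */
#include <stddef.h>
#include <string.h>

/* Returns 1 if strncpy() left dst[] with no terminating NUL within
 * dst_size bytes, 0 if it was terminated, -1 on a bad size. */
int strncpy_leaves_unterminated(const char *src, size_t dst_size)
{
    char dst[32];
    if (dst_size == 0 || dst_size > sizeof(dst)) return -1;
    memset(dst, 'X', sizeof(dst));      /* poison so only strncpy's writes count */
    strncpy(dst, src, dst_size);        /* no NUL is written when strlen(src) >= dst_size */
    return memchr(dst, '\0', dst_size) == NULL;
}

/* Bounded copy with guaranteed termination (strscpy()-like contract,
 * assumed for this example): returns the number of bytes copied, or -1
 * when src did not fit and dst holds a truncated, NUL-terminated copy. */
long safe_strcpy(char *dst, const char *src, size_t dst_size)
{
    size_t len = 0;
    if (dst_size == 0) return -1;
    while (len < dst_size && src[len] != '\0')  /* bounded length scan */
        len++;
    if (len == dst_size) {                      /* no room for the terminator */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;                              /* caller learns about truncation */
    }
    memcpy(dst, src, len + 1);                  /* copies the NUL too */
    return (long)len;
}
```

The first function is the defect the kernel work removed: a caller that later reads dst as a C string walks past the buffer. The second makes truncation a visible return value instead of a silent missing NUL.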
When you’re looking at source code it can be helpful to have some evidence indicating who wrote it. Author tags give a surface-level indication, but it turns out you can just lie, and if someone isn’t paying attention when merging stuff there’s certainly a risk that a commit could be merged with an author field that doesn’t represent reality. Account compromise can make this even worse - a PR being opened by a compromised user is going to be hard to distinguish from the authentic user.
I watch this video far more than I should have to
