Josh Bressers

2.6K Followers
879 Following
792 Posts
VP of Security at Anchore - Podcaster (http://opensourcesecuritypodcast.com http://hackerhistory.com) - Blogger (http://opensourcesecurity.io) - He/Him
Podcast: https://opensourcesecurity.io/
Web: https://bress.net
Cookies? Yes please
TTY: 1
Signal: joshbressers.01

Axios supply chain attack is interesting, partly because I'm not seeing NEARLY the traffic I'd expect to the C2 domain.

I expect some absolute chad caught it early and negotiated a very effective sinkhole.

I clearly need to start a wall of “trusted publishing would have prevented this” incidents

Edit: but not axios, maybe! Looks like that one may be full maintainer account compromise.

The npm axios package was compromised. You know the drill

https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat

axios compromised on npm: maintainer account hijacked, RAT deployed

Malicious axios versions 1.14.1 and 0.30.4 were published via a hijacked maintainer account. A hidden dependency deploys a cross-platform RAT. Check if you are affected and remediate now.
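As an added example (not code from the post or from the linked Aikido write-up), here is one way to do the "check if you are affected" step: scan a project's package-lock.json for the two axios versions named above, including copies installed transitively under other packages. The lockfile content is constructed for the demo.

```javascript
// Added example, not code from the post or from Aikido: scan an npm
// package-lock.json for the axios versions the post names (1.14.1 and 0.30.4).
// It walks the lockfileVersion 2/3 "packages" map and the legacy v1 nested
// "dependencies" tree so transitively installed copies are caught as well.
// AFFECTED can be extended with other package/version pairs as they are published.
const AFFECTED = { axios: new Set(['1.14.1', '0.30.4']) };

// Returns [{ name, path, version }] for every affected entry in a parsed lockfile.
function findAffected(lock) {
  const hits = [];
  const check = (name, path, version) => {
    if (AFFECTED[name] && AFFECTED[name].has(version)) {
      hits.push({ name, path, version });
    }
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path ('' is the root project).
    for (const [path, entry] of Object.entries(lock.packages)) {
      const name = entry.name || path.split('node_modules/').pop();
      check(name, path, entry.version);
    }
  } else {
    // lockfileVersion 1: nested tree; each entry may carry its own "dependencies".
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        check(name, path, entry.version);
        walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed lockfile: a direct axios 1.14.1 plus a nested 0.30.4 copy under another package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/legacy-client': { version: '2.0.0' },
    'node_modules/legacy-client/node_modules/axios': { version: '0.30.4' },
    'node_modules/follow-redirects': { version: '1.15.9' },
  },
};

for (const hit of findAffected(SAMPLE_LOCK)) {
  console.log(`AFFECTED: ${hit.name}@${hit.version} at ${hit.path}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a non-empty result means the install pulled one of the hijacked releases and the machine should be treated as compromised, not just reinstalled.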

Hey OpenSSF, maybe talk to the peeps you work with and tell them to NOT do it like this: https://github.com/curl/wcurl/issues/90
Close enough.

This week I had a chat with Michael Winser about securing open source at scale

We recorded prior to the events of the last few weeks; everything Michael talks about with securing our infrastructure is spot on

We touch on package repositories, Alpha Omega, foundations, and more. Michael is doing some really interesting work

https://opensourcesecurity.io/2026/2026-03-michael-winser/

#opensource #alphaomega #supplyChainSecurity

Open Source Security at scale with Michael Winser

Josh talks to Michael Winser about a talk he gave at FOSDEM as well as his work on Alpha Omega at the Linux Foundation. Michael is approaching open source security in a way that nobody has ever tried before. What if we could fund some really big, really hard projects? It’s not cheap or easy, but he’s getting it done. We spend a lot of the time discussing package registries, which are a huge topic. Michael is doing some amazing work helping package registries, which is the first step in a very long journey.

Open Source Security
Don’t trust, verify

Software and digital security should rely on verification, rather than trust. I want to strongly encourage more users and consumers of software to verify curl. And ideally require that you could do at least this level of verification of other software components in your dependency chains. Attacks are omnipresent. With every source code commit and …

daniel.haxx.se

I wrote this up in a bit more detail in a clickbait titled article

https://opensourcesecurity.io/2026/03-open-source-eulogy/

Eulogy for open source

Thank you for clicking on the clickbait! What a year it’s been. It seems like open source is under constant attack. The security people don’t know what’s going on anymore. What day is it? It doesn’t matter. The latest open source mess is the popular open source scanner Trivy being compromised, for a month, then other open source projects downstream in the “chain” getting compromised, which will probably lead to more things getting compromised until we get back to Trivy someday. Then I think we have to call it a supply wheel. I’m not sure how these rules work.

Open Source Security
@joshbressers i'm switching to closed-source corporate software, which is famously bug- and vulnerability-free

I love the hot takes that this Trivy debacle will be the end of open source

Heartbleed didn't kill open source
Log4Shell couldn't get the job done
xz tried and failed

This won't kill it either

Free is too good of a deal