Notices by Josh Bressers (joshbressers@infosec.exchange)

There's a discord server a bunch of vulnerability nerds hang out in I run. We'll be talking about what's happening with #CVE for the foreseeable future (good, bad, and ugly)

Everyone is welcome to join, feel free to lurk, ask questions, or suggest ideas

https://discord.gg/gSCrXxMuPx

@gregkh @TheNewStack @badger @sjvn

Working to fix the CVE problems should be applauded

But we need to keep in mind there are open source projects that are one person who spends two hours every other Saturday

Expecting that person to become a CNA is 🍌

They should be able to control their CVE data also, but today they can't

@sjvn @TheNewStack

Ugh, please don't normalize "every open source projects needs to be a CNA"

Most open source projects don't have the resources to be a CNA and shouldn't need to be a CNA

Curl and the Kernel became CNAs because the CVE process is broken

This episode #OpenSourceSecurity talks to @sheogorath about forking open source projects

It's a lot more complicated than you think it is, and Sheogorath has some first hand experience from one of the most complicated forks I've ever seen in HedgeDoc

It's a fun chat filled with lessons

https://opensourcesecurity.io/2025/2025-02-fork_open_source_sheogorath/

I had a chat with @grimmy on #OpenSourceSecurity about maintaining an open source project for more than 20 years (Gary maintains Pidgin)

It's a fun conversation that brought back many memories as well as some lessons for everyone involved in open source

https://opensourcesecurity.io/2025/01-open_source_maintenance_with_gary_kramlich/

Being on the "Top 10 CVE assigners of 2025" list probably isn't something fortinet is very excited about :)

Now that 2025 is here, it's time to wind down the #osspodcast

It was a fun run, but it was time to be done.

I have a new project I'm calling "Open Source Security" (the domain is too good to not do something with it)

I want to chat with people securing the use and creating of open source. I explain a lot more in the blog post (which also has audio)

If you're one of these people, let me know! There are a lot of lessons for us all, and the people doing the best work aren't being listened to

https://opensourcesecurity.io/posts/2025-01-the_future_of_open_source_security/

@bagder @pluralistic the solution is obviously more AI

It’s the one trick THEY don’t want you to know!!!

@sethmlarson Ooohhh, actually, I wonder if it's the fault of @ecosystems

They had some data issues around that time I think

@sheogorath @sethmlarson

Goodness no. This is pretty confusing stuff, the questions help me double check I'm not missing something

I appreciate the questions

@sheogorath @sethmlarson

I will accept that as the spike, but there are over 2 years of 1000 (give or take) removals per month, then it drops to 100

Hey @sethmlarson

I'm doing some investigation on how often the various ecosystems are removing packages. Do you know why PyPI had this decrease in the number of removed packages in the middle of May?

@ligniform So most of that 80% have dependencies

One thing I'm very interested in are the lone wolf packages, that depend on nothing and nothing depends on them

@ligniform That's the ultimate goal

One of the wild problems is the hilarious number of things that have 0 dependents (it's like 80% of open source packages)

I'm doing some data analysis on open source dependency relationships this evening (quite the exciting Sunday night!)

There are more Ruby GEMS with 5 dependents (the number of packages that depend on this one) than there are with 2

No other open source ecosystem has this pattern

Lately reality seems to be some sort of cosmic battle between the onion and black mirror

@carol @effinbirds These are fantastic!

@siliconshecky the wheel weaves as the wheel wills

Command injection is the new SQL injection

@kyle A hoodie that also turns into a backpack partially intrigues me, but also feels like the most Bay Area thing ever. Where I live it's cold, I need the hoodie :)

I think I'll go with EFF, you're quite right, anytime I can toss them some cash, it's money well spent