GNU social JP

GNU social JP is a Japanese GNU social server.
Notices by Josh Bressers (joshbressers@infosec.exchange)

  1. Josh Bressers (joshbressers@infosec.exchange)'s status on Thursday, 09-Oct-2025 11:21:41 JST

    OK open source security nerds, I need your help

    I have a podcast youtube show thing called Open Source Security

    https://opensourcesecurity.io/

    I'm always looking for guests. Back when I changed formats in January I had a pretty large list of people sent to me as suggestions. I've made it through the list (it took me 10 months)

    If you know someone (or are someone) doing open source security work I would love a suggestion. DMs are open and there are other contact things on the website

    I especially like guests who are unsung heroes

  2. Josh Bressers (joshbressers@infosec.exchange)'s status on Monday, 15-Sep-2025 03:21:09 JST
    in reply to
    • Ryan Castellucci
    • lemon

    @ryanc @lemonlolita the lower decks tuvix episode is solid gold. You should watch it after this

  3. Josh Bressers (joshbressers@infosec.exchange)'s status on Thursday, 28-Aug-2025 14:42:53 JST

    The Register wrote a story about a single maintainer open source project, I think it's shameful and upsetting. So I wrote a blog post about it

    An absolutely ridiculous amount of open source is one person projects. I have the data to prove it

    https://opensourcesecurity.io/2025/08-oss-one-person/

  4. Josh Bressers (joshbressers@infosec.exchange)'s status on Monday, 21-Jul-2025 23:16:56 JST
    in reply to
    • Adam Shostack

    @adamshostack This post has been living for free in my head for a few days

    The part I'm most pondering is how not just anyone can build a bridge. We have a very defined field for who is allowed to design and build bridges

    And when it does fail, there are incredibly detailed investigations

    And those investigations end up changing the rules for future bridges (and might even result in existing bridges getting an upgrade)

    While in cybersecurity, I think we are basically at the "random person build bridge out of stuff they found in the woods" stage of bridge building

    It's also worth noting, it took hundreds (probably thousands) of years to get to the place we are with bridge building

  5. Josh Bressers (joshbressers@infosec.exchange)'s status on Wednesday, 16-Apr-2025 15:56:23 JST

    There's a discord server a bunch of vulnerability nerds hang out in I run. We'll be talking about what's happening with #CVE for the foreseeable future (good, bad, and ugly)

    Everyone is welcome to join, feel free to lurk, ask questions, or suggest ideas

    https://discord.gg/gSCrXxMuPx

  6. Josh Bressers (joshbressers@infosec.exchange)'s status on Thursday, 03-Apr-2025 04:09:18 JST
    in reply to
    • sjvn
    • Greg K-H
    • The New Stack
    • badger

    @gregkh @TheNewStack @badger @sjvn

    Working to fix the CVE problems should be applauded

    But we need to keep in mind there are open source projects that are one person who spends two hours every other Saturday

    Expecting that person to become a CNA is 🍌

    They should be able to control their CVE data also, but today they can't

  7. Josh Bressers (joshbressers@infosec.exchange)'s status on Thursday, 03-Apr-2025 04:08:58 JST
    in reply to
    • sjvn
    • The New Stack

    @sjvn @TheNewStack

    Ugh, please don't normalize "every open source project needs to be a CNA"

    Most open source projects don't have the resources to be a CNA and shouldn't need to be a CNA

    Curl and the Kernel became CNAs because the CVE process is broken

  8. Josh Bressers (joshbressers@infosec.exchange)'s status on Tuesday, 25-Feb-2025 23:09:00 JST

    This episode of #OpenSourceSecurity talks to @sheogorath about forking open source projects

    It's a lot more complicated than you think it is, and Sheogorath has some first hand experience from one of the most complicated forks I've ever seen in HedgeDoc

    It's a fun chat filled with lessons

    https://opensourcesecurity.io/2025/2025-02-fork_open_source_sheogorath/

  9. Josh Bressers (joshbressers@infosec.exchange)'s status on Tuesday, 21-Jan-2025 00:18:13 JST
    • Gary "grim" Kramlich

    I had a chat with @grimmy on #OpenSourceSecurity about maintaining an open source project for more than 20 years (Gary maintains Pidgin)

    It's a fun conversation that brought back many memories as well as some lessons for everyone involved in open source

    https://opensourcesecurity.io/2025/01-open_source_maintenance_with_gary_kramlich/

  10. Josh Bressers (joshbressers@infosec.exchange)'s status on Friday, 17-Jan-2025 00:46:35 JST

    Being on the "Top 10 CVE assigners of 2025" list probably isn't something fortinet is very excited about :)

    Attachments
    1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/113/838/357/344/242/430/original/0ae3d1fb04d5d6c3.png
  11. Josh Bressers (joshbressers@infosec.exchange)'s status on Wednesday, 01-Jan-2025 23:57:53 JST

    Now that 2025 is here, it's time to wind down the #osspodcast

    It was a fun run, but it was time to be done.

    I have a new project I'm calling "Open Source Security" (the domain is too good to not do something with it)

    I want to chat with people securing the use and creation of open source. I explain a lot more in the blog post (which also has audio)

    If you're one of these people, let me know! There are a lot of lessons for us all, and the people doing the best work aren't being listened to

    https://opensourcesecurity.io/posts/2025-01-the_future_of_open_source_security/

  12. Josh Bressers (joshbressers@infosec.exchange)'s status on Tuesday, 10-Dec-2024 22:05:05 JST
    in reply to
    • Cory Doctorow
    • daniel:// stenberg://

    @bagder @pluralistic the solution is obviously more AI

    It’s the one trick THEY don’t want you to know!!!

  13. Josh Bressers (joshbressers@infosec.exchange)'s status on Tuesday, 10-Dec-2024 12:26:10 JST
    in reply to
    • Seth Larson
    • Ecosyste.ms

    @sethmlarson Ooohhh, actually, I wonder if it's the fault of @ecosystems

    They had some data issues around that time I think

  14. Josh Bressers (joshbressers@infosec.exchange)'s status on Tuesday, 10-Dec-2024 10:47:23 JST
    • Seth Larson

    @sheogorath @sethmlarson

    Goodness no. This is pretty confusing stuff, the questions help me double check I'm not missing something

    I appreciate the questions

  15. Josh Bressers (joshbressers@infosec.exchange)'s status on Tuesday, 10-Dec-2024 10:42:40 JST
    • Seth Larson

    @sheogorath @sethmlarson

    I will accept that as the spike, but there are over 2 years of 1000 (give or take) removals per month, then it drops to 100

  16. Josh Bressers (joshbressers@infosec.exchange)'s status on Tuesday, 10-Dec-2024 10:38:30 JST
    • Seth Larson

    Hey @sethmlarson

    I'm doing some investigation on how often the various ecosystems are removing packages. Do you know why PyPI had this decrease in the number of removed packages in the middle of May?

    Attachments
    1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/113/625/963/913/324/005/original/0d0e97b521d94ab6.png
  17. Josh Bressers (joshbressers@infosec.exchange)'s status on Monday, 09-Dec-2024 09:16:18 JST
    in reply to
    • Ligniform

    @ligniform So most of that 80% have dependencies

    One thing I'm very interested in are the lone wolf packages, that depend on nothing and nothing depends on them

  18. Josh Bressers (joshbressers@infosec.exchange)'s status on Monday, 09-Dec-2024 08:53:41 JST
    in reply to
    • Ligniform

    @ligniform That's the ultimate goal

    One of the wild problems is the hilarious number of things that have 0 dependents (it's like 80% of open source packages)

  19. Josh Bressers (joshbressers@infosec.exchange)'s status on Monday, 09-Dec-2024 08:43:21 JST

    I'm doing some data analysis on open source dependency relationships this evening (quite the exciting Sunday night!)

    There are more Ruby GEMS with 5 dependents (the number of packages that depend on this one) than there are with 2

    No other open source ecosystem has this pattern

  20. Josh Bressers (joshbressers@infosec.exchange)'s status on Sunday, 08-Dec-2024 11:45:33 JST
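    The three notices above (the "lone wolf" packages, the 80% with zero dependents, and the dependents histogram for Ruby gems) all come from the same kind of computation: invert a package dependency graph and count how many packages depend on each one. The block below is an added example written for this page, not Josh Bressers' analysis code, and the package names and dependency lists in it are constructed for illustration rather than taken from any registry.

```python
"""Dependents analysis over a package dependency graph (added example).

The packages below are constructed sample data, not a real ecosystem dump.
A real run would load {package: [dependencies]} from a registry export.
"""
from collections import Counter

# Constructed sample: package -> packages it declares as dependencies.
SAMPLE_DEPS = {
    "core": [],
    "utils": ["core"],
    "http": ["core", "utils"],
    "json": ["core"],
    "cli": ["utils", "json"],
    "web": ["http", "json", "utils"],
    "app": ["web", "cli"],
    "lonely": [],          # depends on nothing and nothing depends on it
    "leaf-a": ["core"],    # has dependencies but no dependents
    "leaf-b": ["utils"],
}


def dependents(deps):
    """Invert the graph: package -> set of packages that depend on it.

    Every key of `deps` is present in the result even with no dependents,
    and dependencies that are not themselves listed as packages are added
    as keys too (registry dumps usually contain such dangling references).
    """
    out = {name: set() for name in deps}
    for pkg, reqs in deps.items():
        for req in reqs:
            out.setdefault(req, set()).add(pkg)
    return out


def dependents_histogram(deps):
    """Counter of number-of-dependents -> how many packages have that many.

    histogram[0] is the count of packages nothing depends on; comparing
    histogram[5] with histogram[2] is the Ruby gems observation above.
    """
    return Counter(len(users) for users in dependents(deps).values())


def zero_dependents_fraction(deps):
    """Share of packages with no dependents (the '80%' figure, for this graph)."""
    inverted = dependents(deps)
    return sum(1 for users in inverted.values() if not users) / len(inverted)


def lone_wolves(deps):
    """Packages that depend on nothing and that nothing depends on."""
    inverted = dependents(deps)
    return sorted(p for p, reqs in deps.items() if not reqs and not inverted[p])


if __name__ == "__main__":
    hist = dependents_histogram(SAMPLE_DEPS)
    for n in sorted(hist):
        print(f"{hist[n]:3d} packages have {n} dependents")
    print(f"zero-dependent fraction: {zero_dependents_fraction(SAMPLE_DEPS):.0%}")
    print("lone wolves:", lone_wolves(SAMPLE_DEPS))
```

    On the constructed graph this reports four packages with zero dependents (40%), and `lonely` as the only lone wolf: `core` and `utils` also declare no dependencies, but other packages depend on them, so they are foundations rather than orphans. The inversion step is where a supply-chain analyst should be careful with real data: version-pinned or optional dependencies and names that never resolve to a published package all change the histogram, so decide how to treat them before reading anything into the zero bucket.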

    Lately reality seems to be some sort of cosmic battle between The Onion and Black Mirror


User profile

    Josh Bressers

    VP of Security at Anchore - Podcaster (http://opensourcesecuritypodcast.com http://hackerhistory.com) - Blogger (http://opensourcesecurity.io) - He/Him

    User ID: 138318
    Member since: 20 Jun 2023
    Notices: 87
          GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

          Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.