538 episodes
- Josh welcomes Mo Duffy from Red Hat to chat about project Lightwell. The idea is to leverage the resources and understanding Red Hat has built up over the years to help deal with the deluge of vulnerability reports that are overwhelming open source projects. Mo does a really good job of explaining why this is fundamentally a people problem, not a technology problem. But it's a people problem we can probably use technology to help. It will be interesting to see where Lightwell goes in the next few years.
The show notes and blog post for this episode can be found at
https://opensourcesecurity.io/2026/2026-07-lightwell-mo-duffy - Josh chats with Lori Lorusso and Niko Matsakis about the Rust Foundation Maintainers Fund. This is a new project the Rust Foundation has create to help fund Rust maintainers. It's a great discussion where Lori and Niko cover all the ways they expect to fund the maintainers which is never as easy as one initially expects. Funding open source is a huge topic right now, it sounds like the Rust Foundation has some great ideas.
The show notes and blog post for this episode can be found at
https://opensourcesecurity.io/2026/2026-07-rfmf-lori-niko - Josh chats with Allan Friedman about all things Bill of Materials. Allan did a ton of work to help turn SBOM into what it is today. He has many thoughts and ideas around the new types of BOMs, a concept he's calling the OmniBOM. Allan is always fun to chat with and he brings a ton of knowledge and advice.
The show notes and blog post for this episode can be found at
https://opensourcesecurity.io/2026/2026-06-allan-omnibom - Josh welcomes Jordi Boggiano the lead maintainer of Composer and Packagist to explain the truckload of security features they've recently added. Packagist is the PHP package registry, Composer is the dependency manager for PHP. Recently the people behind these projects have added a number of security features that will improve the security of the entire ecosystem. Jordi explains it all to us and gives a glimpse of what's coming next.
The show notes and blog post for this episode can be found at
https://opensourcesecurity.io/2026/2026-06-packagist-security-jordi - Josh welcomes Mike Milinkovich and Thabang Mashologu from the Eclipse Foundation to talk about their new managed Open VSX registry. This is the first open source package registry to create a commercial operation for large company users to help fund the registry. We discuss how we got here, what's actually going on, and why this commercial approach is working. Everyone knew this day would come, and it looks like the Eclipse Foundation got this one right.
The show notes and blog post for this episode can be found at
https://opensourcesecurity.io/2026/2026-06-openvsx-mike-thabang/
More Technology podcasts
Trending Technology podcasts
About Open Source Security
Open Source Security is a media project to help showcase and educate on open source security. Our goal is to give the community a platform educate both developers and users on how open source security works.
There's a lot of good work happening that doesn't get attention because there's no marketing department behind it, they don't have a developer relations team posting on LinkedIn every two hours. Let's focus on those people and teams then learn what they do and how they do it. The goal is to hear from the people doing the work, they know what's up, they have a lot to teach us. We just have to listen.
Podcast websiteListen to Open Source Security, The Vergecast and many other podcasts from around the world with the radio.net app

Get the free radio.net app
- Stations and podcasts to bookmark
- Stream via Wi-Fi or Bluetooth
- Supports Carplay & Android Auto
- Many other app features
Get the free radio.net app
- Stations and podcasts to bookmark
- Stream via Wi-Fi or Bluetooth
- Supports Carplay & Android Auto
- Many other app features


Open Source Security
Scan code,
download the app,
start listening.
download the app,
start listening.
Open Source Security: Podcasts in Family





















