Open Source Security

Josh welcomes back Daniel Thompson explore the rather silly question of whether Santa Claus needs to be compliant with the Cyber Resilience Act (CRA). This episode was intended to be silly, but it ended up being an incredibly interesting conversation. Daniel explained a great deal about how the CRA works and how it could apply to Santa Claus. The TL;DR is even if he's giving out free stuff, the CRA almost certainly applies. Daniel also fills us in on his book (you can email Josh to enter into a drawing for a copy), and his work on web browsers for the CRA. It's an incredibly informative discussion. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-12-daniel-thompson-santa-cra/

Josh has a chat with Gabriele Columbro, Executive Director of the Fintech Open Source Foundation and General Manager of Linux Foundation Europe. We of course discuss the Cyber Resilience Act (CRA), the evolving landscape of open source regulation, and the collaborative efforts of major foundations. Open source is everywhere, but there's also a ton of work to do now. Gabriele has really good insight into where things are today and where they are heading in the future for open source and regulation. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-12-lfeu-gab/

Josh discusses updating open source dependencies with Jamie Tanna. Jamie works on Renovate which gives them a lot of insight into the challenges of keeping your open source updated. We discuss the challenges of semantic versioning, supply chain security, and AI-generated code. If you're new or old to the world of open source dependencies, there's something to learn from this chat. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-12-renovate-jamie

Josh discusses the TARmageddon vulnerability with Alex Zenla, CTO of Edera. In this episode, we explore the discovery of the TARmageddon vulnerability. It's especially interesting because it's Rust, but also involves multiple end of life crates. Alex shares the story of how Edera managed to figure all this out (it was not simple). Hard problems are still hard, but there's a lot of lessons in this one. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-12-tarmageddon-alex/

In this episode Seth Larson gives us a cornucopia of topics relating to Python security. Seth discusses the Python Software Foundation's decision to reject a significant grant NSF. Diversity is a big deal to python, so this was a no brainier. We discuss the upcoming PyCon US conference, featuring a new security track that fosters collaboration between developers and security experts. Josh is a huge fan of having a security track at developer conferences. And we close on a paper about zip and tar archives Seth wrote. It seems like we should have zip and tar security figured out by now, but we don't. Thankfully Seth is working on it. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-11-python-security-seth-larson/