Sudo Show 35: Busting Open Source Security Myths

Eric and Brandon sit down and look into some of the biggest security myths around Open Source software and one by one debunk them right on the show!

Destination Linux Network
Sudo Show Website
Sponsor: Bitwarden
Sponsor: Digital Ocean
Sudo Show Swag

Contact Us:
DLN Discourse
Email Us!
Sudo Matrix Room

Sophos: Venom Virtual Machine Escape Bug
Tidelift Blog: More than Half of Maintainers Have Quit or Considered Quitting, and Here’s Why
Jaeger Tracing
Article: Measure the Health of Open Source Communities

Open Source Security Foundation (OpenSSF)
Article: Google Releases New Open Source Security Software Program Scorecards
GitHub: OSSF Scorecard
LFX Insights

Open Collective


00:00 Intro
00:42 Welcome
01:14 Sponsor - Bitwarden
02:40 Sponsor - Digital Ocean
03:42 OSS Has Vulnerabilities
07:45 Free means cheap
14:53 Heartbleed Bug
20:25 Open Source is Amateur
24:29 OpenSSF Scorecard
33:07 Wrap Up


Thank you so much for the forum shout out @brandon

I’ll do everything I can to make that a reality and there’s a lot of helpful people here.

On project scoring…

I think the benefits are undeniable, not just in picking the right projects but also in identifying the ones that may need a boost, but I’m also very worried about it at the same time.

For example, depending on who’s doing the scoring, it’s a very easy way to crush GitLab or any lesser-used alternative to GitHub now or in the future by simply not including their data.

There’s also the line between “feature complete” and “abandoned” that can be very hard to parse, even for humans, especially for very small programs.

It could also produce weird incentives such as development strictly for the sake of “looking alive” (see: Winchester Mystery House) and dealing with Issues in a way best suited to the algorithm, not the benefit of those concerned.