It's really hard for OSS projects too. Imagine a leaked GH access token from a project maintainer who is not responding, and who is not an employee because OSS isn't a company. How do you, the project, get that token revoked? You can't. You have to de-list the maintainer from your GH org.
27.07.2025 17:11
Tricky thing is when people have built their own automation (predating Actions), using CI/CD tools and services, making for something other than a "pure GitHub" implementation. 💬
26.07.2025 20:10
That said: prevention > detection, as always
26.07.2025 17:48
Also, speaking for myself, hurray for watchful, diligent security folks detecting things before vandals could fix their syntax error.
26.07.2025 17:47
"All this to prove one thing: that vulnerable workflows can't keep a secret."
This was true in 2023 as it is now. You have to make sure you scope down GitHub access tokens.
26.07.2025 17:29
From my POV, the most important message for everyone who is doing the hazardous work of developing software in public on platforms like GitHub: you have to pay *close attention* to GitHub token permission scoping.
It's not well known outside of security research circles how often GitHub tokens leak.
26.07.2025 17:26
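The two posts above both come down to scoping down GitHub tokens. As an added illustration (not code from any post or project on this page), here is what that looks like for the GITHUB_TOKEN that GitHub Actions mints for every run: the weak setting beside a least-privilege layout. The workflow, branch and command names are placeholder assumptions.

```yaml
# Added illustration (not from any post on this page): scoping the
# GITHUB_TOKEN that GitHub Actions mints for every workflow run.
# Workflow, branch and command names are placeholder assumptions.
name: ci

on:
  pull_request:
  push:
    branches: [main]

# Weak setting: with the repository default "read and write permissions"
# (or this line), every job's GITHUB_TOKEN can push code, cut releases
# and publish packages, so a token leaked from any step is a write
# credential for the whole repository.
#
# permissions: write-all

# Corrected setting: grant nothing at the workflow level, so each job
# has to ask for exactly the scopes it needs.
permissions: {}

jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read        # enough to check out and build
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # don't leave the token in .git/config
      - run: make test

  report:
    needs: test
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write  # the only write this job needs
    steps:
      - run: gh pr comment "$PR" -R "$GITHUB_REPOSITORY" --body "CI passed"
        env:
          GH_TOKEN: ${{ github.token }}
          PR: ${{ github.event.pull_request.number }}
```

With this layout a token that leaks from the test job can only read the repository, and the report job's token can only write pull-request comments.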
Project Definition | Linux Foundation Documentation
You can see what's on the menu of legal services when you set up a project here... LF Projects LLC is generally for software projects, Joint Development Foundation Projects, LLC is generally for standards development...
docs.linuxfoundation.org/lfx/project-...
22.07.2025 19:58
Home - LF Projects, LLC
LF Projects, LLC Policies LF Projects, LLC is a Delaware series limited liability company ("LF Projects"). Projects of LF Projects ("Projects") are established as separate "series" of LF Projects. In....
It's a corporate holding structure of the Linux Foundation, used as the owner of intellectual property, etc.
A committed community of maintainers doesn't have a LLC registered in Delaware that can hold trademarks... This is infrastructure Linux Foundation provides.
lfprojects.org
22.07.2025 19:49
Valkey is maintained by the Valkey maintainers, not by a neutral foundation. Linux Foundation provides the tent, but without committed maintainers the tent is empty.
The thing that keeps the power of any one company in check isn't the Linux foundation, it's a committed community of mutual interest.
22.07.2025 19:44
Open Source Is Too Important To Dilute
The definition of "open source" is quietly eroding. When these lines blur, trust breaks, and open source doesn't work without trust.
There's much to agree with in Dan's piece on defending the definition of Open Source. On details, I quibble.
"Today, Valkey is maintained by a neutral foundation, ensuring no one company can take it away from open source."
Linux Foundation doesn't maintain Valkey. thenewstack.io/open-source-...
22.07.2025 19:38
Thrilled for the launch of @kiro.dev today! We started with two main ideas that led to Kiro's spec-driven development features:
1) AI can help us build better products through rapid prototyping
2) Devs can declare their app's requirements to get better results from AI, close to production-grade code
14.07.2025 19:58
Hello,
I hope this message finds you well.
As part of our ongoing efforts to comply with the EU Cyber Resilience Act (CRA), we are currently conducting a cybersecurity risk assessment of third-party software vendors whose products or components are integrated into our systems.
To support this initiative, we kindly request your input on the following questions related to your software product "libcurl" with version 7.87.0. Please provide your responses directly in the table below and do reply to all added in this email,
It has officially begun. The CRA info request counter is no longer at zero.
11.07.2025 07:44
OH: "And so, it begins."
11.07.2025 16:56
The CVE... The "disputed" tag is on the record, which is the system working as designed.
www.cve.org/CVERecord?id...
09.07.2025 17:26
This is not an adventure that FOSS maintainers should have to endure, in my opinion.
Unfortunately The Rules don't prohibit allocating a CVE for an identified weakness that was never in a released Product...
www.cve.org/resourcessup....
09.07.2025 17:23
I think it's more Red Hat's business model than any of the firms listed above.
And those who know the history of libxml2 (and friends like libxslt) know that Red Hat funded a lot of its development, directly and indirectly, via employing DV.
23.06.2025 14:51
I do not like this timeline.
22.06.2025 00:38
While there is much more that industry can do, and NEEDS to do, we should recognize that in the past Google has directly sponsored libxml2 development.
It's not *just* been Project Zero sending vulnerability disclosures to the maintainer.
gitlab.gnome.org/GNOME/libxml...
21.06.2025 23:08
The innovation of piped water and sewer systems had an enormous impact on public health and economic growth.
It's infrastructure that we generally take for granted in developed industrialized nations.
20.06.2025 18:44
A dimension of open source software supply chain risk management that we don't discuss enough...
⬇️
17.06.2025 17:37
#hugops to all that operate, no matter who you work for.
12.06.2025 20:35
"Producing new artifacts every time a problem like that happens is not sustainable technically and as a community. It feels like we're trying to solve organizational issues from a pure technical perspective, and this rarely works." - Spring maintainer in 2020...
And yet, in 2025...
12.06.2025 03:29
"I'd suggest sharing your experience with your security team and security vendor: if developers need to consider switching development stack completely [by abandoning Spring] because tools and processes raise false positives[...], there's a broader problem that needs to be addressed."
💯 this!
12.06.2025 03:28
Not all Foundations are the same.
11.06.2025 22:57
Anonymous CVS Access Returns
I feel so old.
lists.gnome.org/archives/gno...
11.06.2025 02:19
GNOME Has a New Infrastructure Partner: Welcome AWS! - The GNOME Foundation
Oh the _feels_ when reading this announcement!
I was one of the GNOME project's first sysadmins, back in the days of a single CVS server running on a machine hosted at Red Hat's office.
It's amazing to see their journey to the cloud!
foundation.gnome.org/2025/06/10/g...
11.06.2025 02:15