æva black (@aevavoom)'s Twitter Profile
æva black

@aevavoom

Hacker, opensource geek, public speaker, advocate. Currently works at CISA. All opinions = 💯 mine. 🏍️/🏳️‍🌈/⚧️

ID:18809935

Link: https://aeva.online/ | Date: 09-01-2009 18:35:08

17,2K Tweets

4,7K Followers

986 Following

Cyber Statecraft (@CyberStatecraft)

The XZ backdoor discovered last month has reignited discussions about the security of OSS.

In this 5x5, we brought together Tobie Langel, [email protected], æva black, Stewart Scott, and CRob to discuss its implication for the OSS community. ⬇️

dfrlab.org/2024/05/01/the…

Erin Reed (@ErinInTheMorn)

1. In a landmark ruling, the United States 4th Circuit Court of Appeals rules 'gender identity is a protected characteristic,' and that state coverage bans on trans care are unconstitutional.

This will have far-reaching impacts.

Subscribe to support my journalism. Let's dig in.

Ildiko Vancsa (@IldikoVancsa)

A new episode of the My Open Source Experience Podcast is now live!

PhilRobb and I are chatting with æva black about #security in #opensource, challenges, good practices and more!

Catch the episode on YouTube (youtube.com/@MyOpenSourceE…) or through RSS (feeds.acast.com/public/shows/6…)
Ian Coldwater 📦💥 (@IanColdwater)

every time you meet or exceed the bars they set they magically become no longer legitimate. it’s almost like the whole thing was an entirely arbitrary gatekeeping exercise and the only way to win is not to play

steve o'grady (@sogrady)

Rob Underwood the biggest issue, honestly, is that people have taken for granted the gains that open source has made - and its future - and don't realize that both are under threat.

but there are signs - tiny ones, so far - that maybe that's changing. or could.

The Associated Press (@AP)

BREAKING: The Swedish parliament passed a law lowering the age required for people to legally change their gender from 18 to 16. apnews.com/article/sweden…

Jen Easterly🛡️ (@CISAJen)

The XZ Utils compromise highlights the urgent need for software manufacturers to sustain the open source ecosystems they depend on. Read my teammates Jack Cable & æva black's blog on how Cybersecurity and Infrastructure Security Agency is approaching open source with a #SecureByDesign mindset: go.dhs.gov/JHf
Eric Geller (@ericgeller)

CISA's æva black and Jack Cable say the XZ Utils supply-chain incident highlights need for more investment: 'Companies consuming open source software must contribute back — either financially or through developer time — to ensure a sustainable ecosystem.' cisa.gov/news-events/ne…

Cybersecurity and Infrastructure Security Agency (@CISAgov)

CISA advisors Jack Cable and æva black describe in our latest blog how we are responding to the XZ Utils compromise and how every tech manufacturer should take a #SecureByDesign approach to securing open source software: go.dhs.gov/JHf
Mark Atwood (@_Mark_Atwood)

The xz attack was not because it was open source. The attack failed because it was open source. The way this attack works for non-open source is the attacker spends 2 years getting an agent hired by contract software development vendor, they sneak it in, nobody finds out.

ashley williams (@ag_dubs)

i can't believe i have to say this but the takes where people are saying 'money won't solve OSS sustainability' ... they are saying something extremely narrow - so much so that it is barely worth saying

ehashman@cloudisland.nz 🇵🇸 (@ehashdn)

If you're looking for my takes on the xz exploit and addressing maintainer burnout/sustainable FOSS development, I gotchu over on masto: cloudisland.nz/@ehashman/1121…

Glitch 💻😺 (@glitchfur)

Linux doesn't need antivirus. In fact the malware just comes bundled in your core packages sometimes, as a treat.

Erin Reed (@ErinInTheMorn)

On Transgender Day of Visibility, I think about how often visibility is granted to transgender people but not a voice.

How many newspapers, TV networks, legislative chambers, and more grant trans people 'visibility' but no agency.

How our stories are so rarely told by us.

æva black (@aevavoom)

Public details of the xz hack mirror what so many maintainers have been worried about because most tech stacks are deeply dependent on volunteerism — so, burn out is a security concern.

Responsible Consumers
must be
Sustainable Contributors
