podcast January 21, 2022

Who’s going to pay to fix open source security? (Ep. 409)

Are occasional disasters among widely used open source projects inevitable, or can we find a way to better fund maintainers and security?
Ben Popper, Director of Content

On today’s episode, we chat about the sabotage of colors.js and faker.js, two open source libraries widely used across GitHub and npm, whose maintainer deliberately published broken releases that downstream projects pulled in through unpinned dependency ranges. We explore some of the organizations trying to find ways to better fund and secure open source software and unpack the possibility that these kinds of disruptions will only become more common in the future.

Will no one think of the maintainers? As The New Stack points out, watching millions of projects fail because of a bug in an open source library has become common enough that we shrug and reply, “Told you so.” It’s gotten so bad that big tech companies are visiting the White House to discuss the issue as a matter of national security.

There is a great post up on the Stack Overflow blog examining this issue, but it’s not about colors.js, it’s about Log4j. Traffic to questions on this logging library grew more than 1000% after the recent disclosure of a new vulnerability (Log4Shell, CVE-2021-44228).

Also discussed in this episode: cryptographer and Signal creator Moxie Marlinspike stepped down from his role as CEO of the encrypted messaging service. That’s news, but he actually made bigger waves in tech circles with an unrelated blog post detailing his first experience with Web3. Spoiler alert: it’s not as decentralized or divorced from Web2 as you might have thought.

You can find Cassidy Williams on Twitter and her website.

Ben Popper can be found on Twitter here.

Ryan Donovan can be found on Twitter, or writing for the Stack Overflow blog.


