Seth Larson

2 months ago

Seth Larson
2 months ago

Why is security work unlike any other contribution to an open source project?

We need to re-think the tight association between maintainers and security work if we want sustainable open source security.

#opensource #oss #security #supplychain

Open Source Security work isn't “Special”

I gave this keynote at OpenSSF Community Day NA 2025 in Denver, Colorado. There will be a YouTube video recording available at a later date. This talk was given as the Security-Developer-in-...

^{sethmlarson.dev}

in reply to Seth Larson

daniel:// stenberg://

in reply to Seth Larson 2 months ago

while maintainers are often not security experts, I think a challenge is that security for your particular project often requires a lot of domain specific expertise that not just "any random security person" has, and in fact might more or less require the maintainer(s) to be involved in the security process anyway...

This entry was edited (2 months ago)

in reply to daniel:// stenberg://

Seth Larson

in reply to daniel:// stenberg:// 2 months ago

Definitely, that's a challenge too. I don't think we can completely hand over security to other contributors, we have to think about backwards compatibility, performance, releases, and all of that.

I think having maintainers "in-the-know" about other contribution types is necessary too, to varying extents (docs, community, governance, funding, etc).

This entry was edited (2 months ago)

⇧

Seth Larson

Seth Larson 2 months ago • •

Open Source Security work isn't “Special”

daniel:// stenberg://

Seth Larson

Seth Larson
2 months ago