Package management challenges with Andrew Nesbitt

Josh welcomes back Andrew Nesbitt to discuss some recent blog posts he wrote about the challenges of new ecosystems as well as challenges of no ecosystems like C. There aren't very many people who look at multiple ecosystems in the way Andrew does. He has thoughts on why it's so hard to create a new ecosystem as well as some of the reasons we don't see a C language ecosystem. Andrew has a ton of interesting ideas and insight for us about both existing, new, and nonexistent ecosystems. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2026/2026-04-ecosystems-andrew/

Josh talks to Michael Winser about a talk he gave at FOSDEM as well as his work on Alpha Omega at the Linux Foundation. Michael is approaching open source security in a way that nobody has ever tried before. What if we could fund some really big, really hard projects? It's not cheap or easy, but he's getting it done. We spend a lot of the time discussing package registries, which are a huge topic. Michael is doing some amazing work helping package registries which is the first step in a very long journey. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2026/2026-03-michael-winser/

Josh chats with Brian Fox from Sonatype about their 2026 State of the Software Supply Chain report. Most of the number continue to grow at alarming rates, but there's some new interesting findings in this one. We discuss end of life and open source which is tough to define. We touch on what using AI with open source dependencies looks like (and why it's broken), and we discuss the challenge of upgrading your open source dependencies in a way that doesn't break everything. It's a great report and great discussion. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2026/2026-03-SOTSSC-Brian-Fox/

Josh talks to Luke Hinds, CEO of Always Further, about MCP and agent security. We start out talking about Luke's new tool, nono which is a sandboxing tool that has AI agents in mind as a use case. We explain what MCP and agents are doing as well as why it's so hard to secure them. It's not impossible, but it's not simple either. We end the show by discussing some of the more human aspects to security and how history may be repeating itself with security folks laughing at new users who don't know any better. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2026/2026-03-mcp-agent-luke/

Josh talks to Paul Kehrer and Alex Gaynor, from the Python Cryptographic Authority. Alex and Paul recently published a statement discuss the challenges posed by modern OpenSSL. We discuss the statement and their relationship with OpenSSL. We chat about some of the current features in cryptography, as well as some of what's coming in the future. It's a fun conversation that hits on a lot of great points. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2026/2026-03-cryptography-alex-paul/

Josh talks to Sylvestre Ledru about the Rust coreutils project. We've been using GNU coreutils for decades now, and the goal of Rust coreutils is to rewrite these utilities in Rust. The primary reason isn't security, it's to modernize the code and attract new contributors. Sylvestre discusses with quite pleasant relationship with the GNU coreutils developers, some of the challenges in the project. What Ubuntu using this by default meant, and also gives us some things to watch for in the future. It's a super fun discussion about why Rust is not only awesome, but also the future. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2026/2026-03-rust-coreutils-sylvestre-ledru/

Josh chats with Brad Axen from Block about his creation Goose as well as the Agentic AI Foundation (AAIF). I am quite skeptical of many AI claims, but Brad has a very pragmatic view about where things are today and where we might see them head. Donating Goose to the AAIF is great news as well as seeing MCP and AGENTS.MD in the foundation. We discuss how to deal with the problem of raising up junior developers, challenges of AI PRs, and some thoughts on how to get started if you're interested in AI development. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2026/2026-02-goose-aaif-brad-axen/

Josh chats with Olle E. Johansson about the Global Vulnerability Intelligence Platform (GVIP). It's no secret the current vulnerability systems are reaching a breaking point. Olle is one of the few people with a long term vision instead of trying to just fix the short term problems. His GVIP ideas are very good, but it's a community effort and needs our help. Give it a listen and if it sounds interesting, come help us out! The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2026/2026-02-GVIP-olle-johansson/

Josh talk to the founder and CEO of Nextcloud, Frank Karlitschek about digital sovereignty. There's a lot of attention lately around digital sovereignty and often that conversation also includes Nextcloud. Frank tells us all about how Nextcloud works, how it can be used to free your data, and has some great insight into what decentralization already looks like and what it could look like soon. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2026/2026-02-nextcloud-frank-karlitschek/

Josh talks to David Bernstein about the world of crisis management and business continuity. David is a certified emergency manager and tell us about preparing for both digital and physical disruptions. Everything is IT now, so the way we think about disaster preparedness is changing. We talk about understanding risks, creating plans, and the role of practice in the world of crisis management. This is a super interesting universe and Dave was very patient and kind. I learned a lot and can't wait for Dave to come back. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2026/2026-02-crisis-management-david-bernstein/