#openssf — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #openssf, aggregated by home.social.
-
OSSGuard — one CLI to scan your project and tell you exactly which OpenSSF security practices are missing: Scorecard, SLSA, SBOM, Sigstore, and more.
Works with Python, Go, JS, Rust, Java, C/C++.
pip install ossguard
brew install kirankotari/tap/ossguard
npx ossguard
https://github.com/kirankotari/ossguard
#OpenSSF #SupplyChainSecurity #DevSecOps #OpenSource #DevOps #Python #Node #Golang #Community
-
@BrideOfLinux I enjoyed your article – thanks. Discovered three months after publication via <https://vermaden.wordpress.com/2026/05/04/valuable-news-2026-05-04/>.
Just one thing:
"… Isn’t this exactly what the Open Source Security Foundation was established to handle in the wake of OpenSSL’s difficulties?"
I'm not certain. The roadmap at <https://openssf.org/about/> begins:
"The OpenSSF strategy is outlined across three key areas:
We will be a Catalyst for Change, we will Educate and Empower the Modern Developer, and we will be an Ecosystem Leader. …"
There's much more than a roadmap – and I didn't attempt to digest the charter (it's difficult to read, with the watermark) – it's difficult to tell why the OSSF was established, and so on. I don't doubt that the Foundation does great work, there's just a lot to take in. @openssf
In the case of sudo: I imagine that the media was a catalyst for change. Some time between mid-February and 3rd March, the plea for sponsorship disappeared:
― <https://web.archive.org/web/20260215044031/https://www.millert.dev/>
― <https://web.archive.org/web/20260305141311/https://www.millert.dev/>.
(I recall reading the article in The Register, which was discussed in Reddit <https://old.reddit.com/r/programming/duplicates/1qwsvh9/sudos_maintainer_needs_resources_to_keep_utility/>, and so on.)
-
🔖 The latest issue of my #newsletter is out, issue 010.
Stories from reviving #Expressjs & reimagining #Lodash, secure publishing on #npm, why #OSS doesn’t fail because of code, backlog updates & #OpenSSF #Scorecard ✨
-
🌟 New OpenSSF Project Spotlight 💃
In this interview, SLSA Steering Committee member Tom Hennen (Google) breaks down how SLSA is helping organizations strengthen trust across the software supply chain.
Watch the full Project Spotlight:
🔗 https://www.youtube.com/watch?v=gdYlSuH5Srs
-
Financial services run on open source, and #OpenSSF is helping make it more secure.
At #OSFF, our community is leading sessions on:
🔹 OSPS Baseline
🔹 CVE & vulnerability data
🔹 AI security
📖 Read the blog: https://openssf.org/blog/2025/10/09/building-security-in-open-source-for-financial-services-openssf-at-osff/
-
April's press review for week 39 of 2025 https://linuxfr.org/news/revue-de-presse-de-l-april-pour-la-semaine-39-de-l-annee-2025 #souveraineté_numerique #revue_de_presse #Île-de-france #windows_10 #microsoft #Internet #autriche #openssf
-
via @dotnet : New Trusted Publishing enhances security on NuGet.org
https://ift.tt/FWdNpaR
#TrustedPublishing #NuGet #GitHubActions #Security #ShortLivedKeys #APIkeys #SoftwareDevelopment #OpenSSF #NuGetCommunity #SecurePublishing #DevOps #CI #Cont…
-
The 6 challenges your business will face in implementing MLSecOps https://www.helpnetsecurity.com/2025/08/20/mlsecops-security-challenges/ #Artificialintelligence #machinelearning #Expertanalysis #cybersecurity #Expertcorner #Don'tmiss #Hotstuff #software #OpenSSF #opinion #News
-
Cybersecurity Skills Framework connects the dots between IT job roles and the practical skills needed https://www.helpnetsecurity.com/2025/05/16/cybersecurity-skills-framework-linux-foundation/ #TheLinuxFoundation #cybersecurity #framework #OpenSSF #News
-
📊 The OpenSSF Scorecard keeps improving! With 7.6K installs and 3.4K repositories displaying badges, it’s become an essential tool for open source security. 📥 Get the full details in the Annual Report: https://hubs.la/Q0318XDQ0
#OSS #OpenSSF #Scorecard
-
🔄 Back In Time is seeking help to create its own #OpenSSF #Scorecard
This is a #GoodFirstIssue
📋 Details in the issue:
🔗 https://github.com/bit-team/backintime/issues/1993
#security #Backup #BackInTime #FOSS #OpenSource #Sustainability @openssf
-
#Sigstore creator, #Chainguard CEO, #OpenSSF TAC member and Season 1 guest Dan Lorenc returns to the #ITOps Query podcast to discuss the year in #opensource and #cybersecurity. Topics range from #softwaresupplychain management, hardening #containerimages and #SBOMs in limbo to #openproduct companies and business models, including his own company's shift in focus this year. Plus: a look ahead to #SecOps and #AI in 2025. #yearinreview #2024yearinreview
-
📅 Happening today at Open Source Summit Japan: Hitachi presents on the OpenSSF Scorecard, exploring supply chain attacks and xz utilities. Learn more about OpenSSF Scorecard: https://openssf.org/projects/scorecard/
#OSSummit #OpenSSF #Scorecard
-
My #OSHcamp presentation for those struggling with the screen https://www.slideshare.net/slideshow/showing-that-you-care-about-security-for-your-open-source-hardware-project/271275092
-
One-third of dev professionals unfamiliar with secure coding practices https://www.helpnetsecurity.com/2024/07/19/devs-secure-coding-practices/ #softwaredevelopment #TheLinuxFoundation #software #training #OpenSSF #report #survey #News #code
-
Open sourcerers say suspected #xz-style attacks continue to target #maintainers
#SocialEngineering patterns spotted across range of popular projects
Higher-ups at the #OpenJS Foundation and #OpenSource Security Foundation (#OpenSSF) believe the attempt to plant a #backdoor into #Linux's xz data compression library "may not be an isolated incident" given their recent observations.
https://www.theregister.com/2024/04/16/xz_style_attacks_continue/
-
Open Source Security (#OpenSSF) and #OpenJS Warn of Fake #Maintainers Targeting #JavaScript Projects
Alarming #socialengineering attacks target critical #opensource projects! Learn how to protect your project and the open-source community from takeovers. https://www.hackread.com/openssf-fake-maintainers-target-javascript-projects/ #itsec #cybersecurity #supplychain
-
Excellent summary by Solar Designer on oss-security of what's happened in the last two weeks in response to the #xz #backdoor:
https://www.openwall.com/lists/oss-security/2024/04/16/5
Noteworthy:
- #OpenSSH implemented systemd notification
- #systemd moves to dlopen(3) for some dependencies
- another detailed timeline at https://research.swtch.com/xz-timeline
- similar social engineering takeover attempts suspected in #OpenJS and #OpenSSF
-
Open Source Security (OpenSSF) and OpenJS Foundations Issue Alert for Social Engineering Takeovers of Open Source Projects
https://openssf.org/blog/2024/04/15/open-source-security-openssf-and-openjs-foundations-issue-alert-for-social-engineering-takeovers-of-open-source-projects/
#OpenSSF #OpenJS #SocialEngineering #FOSS #Projects #TakeOver
-
This exemplifies the unique network of human beings in and around Open Source that makes it so _resilient_.
With OSS, people are curious. They are empowered to take a peek under the hood. To share what they find with others. To ignore organizational and architectural boundaries.
#OpenSource #FreeSoftware #FOSS #OSS #InfoSec #XZ #OpenJS #OpenSSF #Linux #SOSSCommunity
-
Free and Open Source software communities are anything *but* “fragile” in light of recent failed attacks.
They are smart. They are vigilant. They are resilient.
But they also need support from institutions given the resources attackers may have.
#OpenSource #FreeSoftware #FOSS #OSS #InfoSec #XZ #OpenJS #OpenSSF #Linux #SOSSCommunity
-
Open Source Security (OpenSSF) and OpenJS Foundations Issue Alert for Social Engineering Takeovers of Open Source Projects
XZ Utils cyberattack likely not an isolated incident
#OpenSource #FreeSoftware #FOSS #OSS #InfoSec #XZ #OpenJS #OpenSSF #Linux
https://openjsf.org/blog/openssf-openjs-alert-social-engineering-takeovers
-
Today and tomorrow I'll join the third #OSPOlogyLive Europe in #Apeldoorn (part presentations, part roundtable sessions) to help organizations navigate Open Source Program Offices operations and management in European regions. OSPOlogy Live is hosted by the #OSPO at the Dutch Tax and Customs Administration (#Belastingdienst) and co-organized with #LFEurope, #InnerSource Commons Foundation, Foundation for Public Code, #LFEnergy, #OpenChain, #SPDX, #CHAOSS, #TODOGroup and #OpenSSF projects.
-
🎉 OpenSSF Scorecard Monitor version 2.0.0-beta7 is out!
Simplify #OpenSSF #Scorecard tracking in your organization with automated #markdown and #JSON reports, plus optional #GitHub issue #alerts.
Check it out:
https://github.com/marketplace/actions/openssf-scorecard-monitor
-
"TACOS, in addition to being delicious, are now getting a new meaning as a framework for evaluating and attesting to the secure #software #development practices of open source packages....TACOS is grounded in the #NIST #SSDF, and draws from the #OpenSSF Scorecard project and the Center for Internet Security Software Supply Chain Security Guide as well"
Interesting, and certainly named with the typical #FOSS adherence to decorum.
-
Guide to implementing a coordinated vulnerability disclosure process for open source projects - #openssf #ossf #security #vulnerabilty #cybersecurity https://github.com/ossf/oss-vulnerability-guide/blob/main/maintainer-guide.md#readme
-
Concise Guide for Developing More Secure Software - #ossf #cybersecurity #softwaredevelopment #guideline #howto #openssf https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Concise-Guide-for-Developing-More-Secure-Software.md#readme
-
Come share knowledge among #OSPO's at the two day #OSPOlogy Live 🇳🇱 #event 23-24 January in Amsterdam. Focus on Program and signup at https://community.linuxfoundation.org/events/details/lfhq-ospology-european-chapter-presents-ospologylive-share-learn-netherlands/ #OpenSource event hosted at #Alliander and co-organized with #TODOGroup, #LFEnergy, #OpenChain, #SPDX, #CHAOSS #InnersourceCommons and #OpenSSF.
-
A new tool from the Open Source Security Foundation continuously checks open source projects on GitHub for compliance with security best practices.
Allstar: automatically enforcing security rules in GitHub projects