What's in the SOSS? An OpenSSF Podcast

Jack Cable of CISA and Zach Steindler of GitHub Dig Into Package Repository Security

Nov 26, 2024

Jack Cable, a senior technical advisor at CISA specializing in open source software security, and Zach Steindler, a principal engineer at GitHub focused on supply chain security, dive into the critical topic of package repository security. They discuss the significance of secure package management in the open-source ecosystem and highlight their recently published best practices guide. Their conversation includes insights on trusted publishing, community engagement for newcomers, and the lighthearted debate on personal tech preferences, showcasing their expertise and camaraderie.

23:44

Episode guests

Zach Steindler

Jack Cable

AI Summary

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

Package repositories are vital for open source software, impacting security and integrity across various sectors including critical infrastructure.

The development of the 'Principles for Package Repository Security' document outlines best practices to enhance repository security through collaborative efforts and voluntary participation.

Deep dives

Importance of Package Repositories

Package repositories are essential components of the open source software ecosystem, functioning as the key systems through which users download software, such as NPM and PyPI. These repositories handle vast quantities of software downloads daily, making them crucial for developers and users worldwide. The security of these repositories directly impacts the integrity of the software used across diverse sectors, including critical infrastructure. Recognizing this, organizations like CISA prioritize efforts to bolster the security measures of package repositories to ensure the safety of open source software consumption.

Intro

3min

Securing Package Repositories in Open Source

9min

Enhancing Software Security Through Trusted Publishing

5min

Light-hearted Rapid-Fire Preferences in Food and Technology

2min

Entering Open-Source and Cybersecurity

5min

CRob discusses package repository security with two people who know a lot about the topic. Zach Steindler is a principal engineer at Github, a member of the OpenSSF TAC and co-chairs the OpenSSF Security Packages Repository Working Group. Jack Cable is a senior technical advisor at CISA. Earlier this year, Zach and Jack published a helpful guide of best practices called “Principles for Package Repository Security.”

00:48 - Jack and Zach share their backgrounds
02:59 - What package repositories are and why they’re important to open source users
04:17 - The positive impact package security has on downstream users
07:06 - Jack and Zach offer insight into the "Prinicples for Package Repository Security" document
11:18 - Future endeavors of the Securing Software Repositories Working Group
17:32 - Jack and Zach answer CRob’s rapid-fire questions
19:31 - Advice for those entering the industry
21:28 - Jack and Zach share their calls to action

Episode links:

Get the Snipd
podcast app

Unlock the knowledge in podcasts with the podcast player of the future.

AI-powered
podcast player

Listen to all your favourite podcasts with AI-powered features

Discover
highlights

Listen to the best highlights from the podcasts you love and dive into the full episode

Save any
moment

Hear something you like? Tap your headphones to save it with AI-generated key takeaways

Share
& Export

Send highlights to Twitter, WhatsApp or export them to Notion, Readwise & more

AI-powered
podcast player

Listen to all your favourite podcasts with AI-powered features

Discover
highlights

Listen to the best highlights from the podcasts you love and dive into the full episode

What's in the SOSS? An OpenSSF Podcast

Jack Cable of CISA and Zach Steindler of GitHub Dig Into Package Repository Security

Episode guests

Podcast summary created with Snipd AI

Quick takeaways

Deep dives

Importance of Package Repositories

Collaboration for Security Best Practices

Future Directions and Community Engagement

Get the Snipd
podcast app

AI-powered
podcast player

Discover
highlights

Save any
moment

Share
& Export

AI-powered
podcast player

Discover
highlights

What's in the SOSS? An OpenSSF Podcast

Jack Cable of CISA and Zach Steindler of GitHub Dig Into Package Repository Security

Episode guests

Podcast summary created with Snipd AI

Quick takeaways

Deep dives

Importance of Package Repositories

Collaboration for Security Best Practices

Future Directions and Community Engagement

Get the Snipdpodcast app

AI-poweredpodcast player

Discoverhighlights

Save anymoment

Share& Export

AI-poweredpodcast player

Discoverhighlights

Get the Snipd
podcast app

AI-powered
podcast player

Discover
highlights

Save any
moment

Share
& Export

AI-powered
podcast player

Discover
highlights