Open Source Security Improvements by Maintainders

I'm thrilled to finally announce that urllib3 was part of the GitHub Secure Open Source Fund (Session 3)! Fellow maintainer Quentin Pradet and I spent time hardening the security posture of one of Python's most-downloaded libraries. From formalizing our Security Policy to implementing advanced repository hardening, this session allowed us to focus on the "boring but critical" work that keeps the global software supply chain safe. Check out my latest blog post: https://lnkd.in/ds72uJYS

Securing 🔐 Open Source Projects that underpin today’s digital supply chain is absolutely critical. A single vulnerability can create a massive blast radius because almost every modern production system, from AI and mobile to cloud and embedded workloads, ultimately depends on open source components. Participating in advanced security training alongside the maintainers of globally 🌎 critical open source projects such as Python, Pandas, SciPy, Node.js, LLVM, Jenkins, and more was not only a privilege but also a significant professional recognition. Nina Polshakova and I shared more about the experience here: https://lnkd.in/eVMJNRbe Grateful to the GitHub Secure Open Source Fund for the opportunity to contribute to this important work.

The GitHub Secure Open Source Fund has played a pivotal role in enhancing the security of 67 critical AI-stack projects, driving faster fixes and promoting resilience within the open source ecosystem. What stood out to me was the proactive approach taken to strengthen the software supply chain amidst increasing security challenges. How do you think security investments in open source will shape the future of AI development?

Modern software runs on open source and securing the AI software supply chain is a shared responsibility and requires sustained investment. Mayfield is proud to support that mission as a sponsor of the GitHub Secure Open Source Fund. When those projects aren’t secure, the impact spreads through package registries, cloud environments, transitive dependencies, and into production systems. In the AI Agentic era, vulnerabilities can propagate far faster than traditional software failures. It isn’t just about stopping breaches, it’s about giving developers the confidence that the tools and infrastructure they rely on (training pipelines, CI/CD systems, and runtime environments) are built on resilient, trustworthy foundations. cc GitHub (Gregg Cochran, Kevin Crosby), Mayfield (Irving Hsu, Shivani Gupta, Gamiel Gran, Eleanor Aldersley) https://lnkd.in/gZ47Vv4n

The GitHub Secure Open Source Fund has successfully aided 67 critical AI-stack projects in improving security and enhancing the open source ecosystem. I found it interesting that such initiatives not only accelerate fixes but also foster resilience in software development. How do you think we can further strengthen the security of open source projects in the AI domain?

The GitHub Secure Open Source Fund has made significant strides in strengthening the security of 67 critical AI projects. I found it interesting that these efforts not only accelerated fixes but also fostered resilience within the open source ecosystem. What strategies do you think are essential for securing the AI software supply chain and ensuring effective collaboration among maintainers?

This insightful article discusses how The GitHub Secure Open Source Fund has supported 67 critical AI-stack projects in enhancing their security and resilience. I found it interesting that such collaborative efforts not only accelerate fixes but also strengthen the entire open source ecosystem. Given the rise of AI technologies, how do you think we can further ensure the integrity of our software supply chains?

🔥 CocoIndex is proud to be part of GitHub Secure Open Source Fund Session 3 -- among other 67 amazing open source projects, to formalize our commitment and accelerate our security practice with guidance from GitHub Security Lab and community experts. At CocoIndex, we've always believed that the strength of open source stays in its community and the shared goal of building transparent, robust, and reliable infrastructure for everyone. We're grateful to GitHub and the entire cohort for this experience -- and we're committed to carrying these practices forward, not just in our own project, but by sharing what we've learned with the broader AI infrastructure community. https://lnkd.in/eJWXj27q

The GitHub Secure Open Source Fund has successfully assisted 67 critical AI-stack projects in accelerating fixes and bolstering open source resilience. I found it interesting that these efforts highlight the importance of community collaboration in enhancing software security. How can we further support open source projects to ensure a secure AI future?

If you're making any decisions on software for your organisation - particularly open source - I highly recommend this read: https://lnkd.in/dBguCvay Comprehensively covers the foul play from MinIO - which might just be the worst bait-and-switch in open source history. So much that could be quoted, but this is a standout (regarding pattern recognition for these trends): "For engineering teams evaluating open source dependencies, the MinIO saga suggests a few practical questions: - Who funds this project, and what do they expect in return? - Is the project governed by a foundation, or controlled by a single company? - What’s the licence history? Has it changed before? - Are there viable alternatives if this project changes direction? - Could you build from source if distribution channels disappeared? None of these questions would have saved you from MinIO’s specific trajectory. But they might help you see the next one coming."