In this episode, John Kjell, Director of Open Source at TestifySec, discusses his involvement in various open source projects and the intricacies of maintaining such projects. John sheds light on his work with the CNCF and OpenSSF, and the impact of tools like Witness, Archivista, and SLSA. He outlines the challenges maintainers face, especially around security, and offers insights into balancing professional and personal responsibilities. John also explores the significance of community, inclusivity, and a secure developer identity in open source ecosystems.

00:00 Introduction and Guest Background
01:20 Maintainer Burnout and Security Challenges
04:41 Balancing Multiple Projects and Personal Life
07:15 Security Risks in Smaller Projects
10:13 Developer Identity and Reputation
19:37 Open Source Origin Story and Community Involvement
24:11 Optimism for the Future of Open Source Security

Resources:

Enhancing Open Source Security: Introducing Siren by OpenSSF – Open Source Security Foundation

Security at Every Step: Why Software Supply Chains Are Critical

Guest: John Kjell is responsible for open source at TestifySec, a software supply chain security startup. He is a maintainer for the Witness and Archivista sub-projects under in-toto. Additionally, John is an active contributor to CNCF's TAG Security and multiple projects within the OpenSSF. Before TestifySec, John was an engineering leader at VMware, helping to bring supply chain security features to the Tanzu Application Platform.