
OpenSSF Newsletter – June 2025


Welcome to the June 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

TL;DR:

Tech Talk: CRA-Ready: How to Prepare Your Open Source Project for EU Cybersecurity Regulations

The recent Tech Talk, “CRA-Ready: How to Prepare Your Open Source Project for EU Cybersecurity Regulations,” brought together open source leaders to explore the practical impact of the EU’s Cyber Resilience Act (CRA). With growing pressure on OSS developers, maintainers, and vendors to meet new security requirements, the session provided a clear, jargon-free overview of what CRA compliance involves. 

Speakers included CRob (OpenSSF), Adrienn Lawson (Linux Foundation), Dave Russo (Red Hat), and David A. Wheeler (OpenSSF), who shared real-world examples of how organizations are preparing for the regulation, even with limited resources. The discussion also highlighted the LFEL1001 CRA course, designed to help OSS contributors move from confusion to clarity with actionable guidance. 

Watch the session here.

Case Study: OSTIF Improves Security Posture of Critical Open Source Projects Through OpenSSF Membership

The Open Source Technology Improvement Fund (OSTIF) addresses a critical gap in open source security by conducting tailored audits for high-impact OSS projects often maintained by small, under-resourced teams. Through its active role in OpenSSF initiatives and strategic partnerships, OSTIF delivers structured, effective security engagements that strengthen project resilience. By leveraging tools like the OpenSSF Scorecard and prioritizing context-specific approaches, OSTIF enhances audit outcomes and fosters a collaborative security community. Read the full case study to explore how OSTIF is scaling impact, overcoming funding hurdles, and shaping the future of OSS security.

Blogs:

✨GUAC 1.0 is Now Available

Discover how GUAC 1.0 transforms the way you manage SBOMs and secure your software supply chain. This first stable release of the “Graph for Understanding Artifact Composition” platform moves beyond isolated bills of materials to aggregate and enrich data from file systems, registries, and repositories into a powerful graph database. Instantly tap into vulnerability insights, license checks, end-of-life notifications, OpenSSF Scorecard metrics, and more. Read the blog to learn more.

✨Maintainers’ Guide: Securing CI/CD Pipelines After the tj-actions and reviewdog Supply Chain Attacks

CI/CD pipelines are now prime targets for supply chain attacks. Just look at the recent breaches of reviewdog and tj-actions, where chained compromises and log-based exfiltration let attackers harvest secrets without raising alarms. In this Maintainers’ Guide, Ashish Kurmi breaks down exactly how those exploits happened and offers a defense-in-depth blueprint that every open source project needs today: pinning actions to full commit SHAs, enforcing MFA, monitoring for tag tampering, and isolating sensitive secrets. Read the full blog to learn practical steps for locking down your workflows before attackers do.
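One of the controls the guide recommends, pinning every third-party action to a full commit SHA rather than a movable tag or branch, is easy to state and easy to let slip in a large workflow tree. The script below is an added example (not code from the guide or from OpenSSF) that audits the `uses:` references in a GitHub Actions workflow file and reports which ones are still mutable. The sample workflow text, the action names in it and the 40-hex commit SHA are all constructed placeholders, not real pins.

```python
import re
from pathlib import Path
from typing import List, Tuple

# Constructed sample workflow for demonstration only. The action names,
# versions and the 40-hex SHA below are placeholders, not real pins.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v3.x (placeholder SHA)
      - uses: example-org/some-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: npm ci
"""

# A full Git commit SHA is 40 lowercase hex characters; anything shorter
# (tag, branch, abbreviated SHA) can be moved to point at different code.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Matches "- uses: owner/repo@ref" with optional quotes and trailing comment.
USES_LINE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)""")


def classify_uses(ref: str) -> str:
    """Classify one `uses:` reference as pinned, local, or mutable."""
    if ref.startswith("./"):
        # Local composite action in the same repo: covered by branch protection,
        # not by SHA pinning.
        return "local"
    if ref.startswith("docker://"):
        # Container images are immutable only when pinned by digest.
        return "pinned-digest" if "@sha256:" in ref else "mutable"
    if "@" not in ref:
        return "mutable"
    _, version = ref.rsplit("@", 1)
    return "pinned-sha" if FULL_SHA.fullmatch(version) else "mutable"


def audit_workflow(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, reference, classification) for every `uses:` line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = USES_LINE.match(line)
        if not match:
            continue
        ref = match.group(1)
        findings.append((lineno, ref, classify_uses(ref)))
    return findings


def unpinned(text: str) -> List[Tuple[int, str]]:
    """Only the references that still resolve through a mutable tag, branch or image tag."""
    return [(n, ref) for n, ref, kind in audit_workflow(text) if kind == "mutable"]


def audit_directory(workflows_dir: str) -> List[Tuple[str, int, str]]:
    """Walk a .github/workflows directory and collect unpinned references per file."""
    results = []
    for path in sorted(Path(workflows_dir).glob("*.y*ml")):
        for lineno, ref in unpinned(path.read_text(encoding="utf-8")):
            results.append((path.name, lineno, ref))
    return results


if __name__ == "__main__":
    for lineno, ref in unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a full commit SHA")
```

Run it against a checked-out repository with `audit_directory(".github/workflows")` to get a list of findings you can turn into a CI gate; pairing the SHA pin with a trailing `# vX.Y.Z` comment, as in the sample, keeps the pinned version readable for reviewers and for automated update tooling.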

✨From Sandbox to Incubating: gittuf’s Next Step in Open Source Security

gittuf, a platform-agnostic Git security framework, has officially progressed to the Incubating Project stage under the OpenSSF, marking a major milestone in its development, community growth, and mission to strengthen the open source software supply chain. By adding cryptographic access controls, tamper-evident logging, and enforceable policies directly into Git repositories, without requiring developers to abandon familiar workflows, gittuf secures version control at its core. Read the full post to see how this incubation will accelerate gittuf’s impact and how you can get involved.

✨Choosing an SBOM Generation Tool

With so many tools to build SBOMs, from single-language tools like npm-sbom and CycloneDX’s language-specific generators to multi-language options such as cdxgen, syft, and Tern, how do you know which one to pick? Nathan Naveen helps you decide by comparing each tool’s dependency analysis, ecosystem support, and CI/CD integration, and reminds us that “imperfect SBOMs are better than no SBOMs.” Read the blog to learn more.

✨OSS and the CRA: Am I a Manufacturer or a Steward?

The EU Cyber Resilience Act (CRA) introduces critical distinctions for those involved in open source software, particularly between manufacturers and a newly defined role: open source software stewards. In this blog, Mike Bursell of OpenSSF breaks down what these terms mean, why most open source contributors won’t fall under either category, and how the CRA acknowledges the unique structure of open source ecosystems. If you’re wondering whether the CRA applies to your project or your role, this post offers clear insights and guidance. Read the full blog to understand your position in the new regulatory landscape.

What’s in the SOSS? An OpenSSF Podcast:

#33 – S2E10 “Bridging DevOps and Security: Tracy Ragan on the Future of Open Source”: In this episode of What’s in the SOSS, host CRob sits down with longtime open source leader and DevOps champion Tracy Ragan to trace her journey from the Eclipse Foundation to her work with Ortelius, the Continuous Delivery Foundation, and the OpenSSF. CRob and Tracy dig into the importance of configuration management, DevSecOps, and projects like the OpenSSF Scorecard and Ortelius in making software supply chains more transparent and secure, plus strategies to bridge the education gap between security professionals and DevOps engineers.


#32 – S2E09 “Yoda, Inclusive Strategies, and the Jedi Council: A Conversation with Dr. Eden-Reneé Hayes”: In this episode of What’s in the SOSS, host Yesenia Yser sits down with DEI strategist, social psychologist, and Star Wars superfan Dr. Eden-Reneé Hayes to discuss the myths around DEIA and why unlearning old beliefs is key to progress. Plus, stay for the rapid-fire questions and discover if Dr. Hayes is more Marvel or DC.

Education:

The Open Source Security Foundation (OpenSSF), together with Linux Foundation Education, provides a selection of free e-learning courses to help the open source community build stronger software security expertise. Learners can earn digital badges by completing offerings such as:

These are just a few of the many courses available for developers, managers, and decision-makers aiming to integrate security throughout the software development lifecycle.

News from OpenSSF Community Meetings and Projects:

In the News:

  • ITOpsTimes – “Linux Foundation and OpenSSF launch Cybersecurity Skills Framework”
  • HelpNetSecurity – “Cybersecurity Skills Framework connects the dots between IT job roles and the practical skills needed”
  • SiliconAngle – “Linux Foundation debuts Cybersecurity Skills Framework to address enterprise talent gaps”
  • Security Boulevard – “Linux Foundation Shares Framework for Building Effective Cybersecurity Teams”
  • IT Daily – “Linux Foundation Launches Global Cybersecurity Skills Framework”
  • SC World – “New Cybersecurity Skills Framework seeks to bolster enterprise talent readiness”

Meet OpenSSF at These Upcoming Events!

Join us at OpenSSF Community Day Events in North America, India, Japan, Korea and Europe!

OpenSSF Community Days bring together security and open source experts to drive innovation in software security.

Connect with the OpenSSF Community at these key events:

Ways to Participate:

There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.

You’re invited to…

See You Next Month! 

We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here!

Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month! 

Regards,

The OpenSSF Team

What’s in the SOSS? Podcast #33 – S2E10 Bridging DevOps and Security: Tracy Ragan on the Future of Open Source


Summary

In this episode of What’s in the SOSS, we sit down with longtime open source leader and DevOps champion Tracy Ragan. From her early days with the Eclipse Foundation to her current work with Ortelius, the Continuous Delivery Foundation, and the OpenSSF, Tracy shares her journey through the ever-evolving world of open source security.

We dig into the importance of configuration management, what DevSecOps really means, and how projects like the OpenSSF Scorecard and Ortelius help make our software supply chains more transparent and secure. Plus, we tackle the education gap between security pros and DevOps engineers — and how we can bridge it.

If you’re curious about building more secure pipelines or just want to geek out about SBOMs and OpenSSF Scorecard, this episode is for you.

Conversation Highlights

00:25 – Welcome + Tracy’s Open Source Origin Story
02:00 – Early Days at the Eclipse Foundation
03:10 – DevOps + DevSecOps: Why It Matters
04:20 – Explaining the DevOps “Factory Floor”
06:00 – DevOps Pipelines as Security Data Engines
07:50 – What Is the OpenSSF Scorecard?
09:30 – Ortelius: Aggregating DevOps + Security Insights
11:20 – The DevOps Budget Problem + Exposing Insecure Packages
13:00 – Why DevRel Is Critical for DevOps Security Education
15:40 – Crossing the Divide Between DevOps and Security Teams
16:10 – Rapid Fire: Editors, Mascots & Spicy Food
17:30 – Final Call to Action + How to Get Involved

Transcript

CRob (00:25.07)
Welcome, welcome, welcome to What’s in the SOSS. The OpenSSF podcast where we talk to the amazing people that help make this open source ecosystem for the benefit of everybody. Today we have a real treat: friend of the show Tracy Ragan is here to talk with us about several topics near and dear to her heart. But Tracy before we dive into the exciting technology, can you maybe give us a little bit of information about your open source origin story?

Tracy Ragan
Oh man, which one? When I first started getting involved in open source was the Eclipse Foundation. The Eclipse Foundation was my first foundation in open source and was really the beginning of me understanding what open source was and why it’s important. This was during my OpenMake Software days and I think IBM was looking for a woman to be in the room.

To be honest, one of them reached out to me and said, hey, we need somebody technical to add to this board. Would you be interested? And I said, sure. So I went on an honesty of, I always think I was number five or six on the original Eclipse board. I actually even did the help doing the interview and chose Mike as our fearless leader. So I’ve been doing open source for some time, really, and been on these boards for a good part of my career.

CRob
That’s awesome. And it’s like super helpful being able to steer a significant part of the ecosystem through that board membership.

Tracy Ragan (02:07.234)
Yeah, and open source boards are a beast of their own to be quiet on. Because they get so big, and that’s good, but sometimes it can be bad and it can be hard to navigate, but it seems to always work out.

Right.

CRob (02:21.038)
That’s great. So you’ve been doing open source for quite some time and what types of projects are you engaged with more frequently this time right now?

Tracy Ragan
So, you know, I keep my foot in two realms. One foot is in the Open Source Security Foundation and the other is in the Continuous Delivery Foundation. I’m a DevOps person. That’s who I am. I have been doing configuration management and whatever you want to call it over the years has gone through so many ridiculous acronyms. But when we really boil it down, it’s still configuration management and getting code from Code to Cloud, let’s just call it that. So I lead an open source project at the Continuous Delivery Foundation called Ortelius, and we’re going to talk a little bit about that. But I also try to keep involved in the open source of the OpenSSF as much as I can. And of course, I get involved in things like the Security Tooling Working Group.

I’m working with Ryan Ware over there too, because that really falls into my area of expertise, right? If it has the word tooling, I’m interested. Because I’m a DevOps person, you know? Is there something I should be adding to my DevOps practice? And then I’ve been involved in DevRel and I’m on the marketing committee and I help lead some of the initiatives at the OpenSSF is working on. But really where my heart is is in between, it sits in between DevOps and open source security. And we can call that DevSecOps if you want, we could all call it DevOSSOps. So that’s what I’ve been working on for the last four years.

CRob (04:21.805)
To go a little bit off script since you opened the door for our audience. Could you maybe explain a little bit more about DevOps and kind of why it’s important for open source communities to have this capability?

Tracy Ragan
So we all have a factory floor that we run. moving code from, if we talk about the software supply chain, let’s just talk about it from that perspective. We are pulling in packages, whether it be an enterprise piece of enterprise code or open source code or something the government’s writing, we pull in these packages, these transitive dependencies that we don’t necessarily understand. We just know we have to have them.

And that’s the way life is. We’ve built this ginormous, I like to call it a Death Star of open source packages and dependencies that we use. We’ve done that over the course of the last 15 years, and we’re not going back. So DevOps, the idea of continuously integrating and continuously deploying code out to end user consumers. We won’t identify what that consumer is. It could be a developer consuming your code, or you could be delivering software to an end user that’s running a mortgage application. When we do that, we have traditionally focused on just being able to execute build and deploy scripts, which is really important.

Gathering the information from the build and deploy scripts is really critical right now in where we are right now in tracking vulnerabilities. Because it shows two things. The build scripts, if we’re doing an SBOM, and please do, shows us the packages we’re consuming. And the deploy script shows where we’re deploying them. So the DevOps, you know, the DevOps pipeline is important, but the data that it generates is critical right now, absolutely critical. So we should all be doing some level of DevOps, but in my mind, we should all be gathering the DevOps information and making it actionable. So we have a lot to do in terms of evolving where we are in the CI, CD world and the continuous delivery foundation and where we believe this kind of technology, how it should evolve.

In my mind right now, we have so many things that we’re working on. AI is chasing us. We have vulnerabilities we’re worrying about. And right now, we haven’t done a whole lot to evolve the DevOps pipeline. So that’s why I talk about it as much as I can. Because that’s where we’re going to find vulnerabilities and fix them. Otherwise, we’re not going to do that.

CRob
Absolutely. And to bridge these two worlds, you recently helped write a blog about our OpenSSF Scorecard, which is a tool that consumers can use to kind of understand the security qualities of software. Could you maybe talk a little bit about your blog and what you were trying to educate folks about?

Tracy Ragan
So we have several really awesome tools at the OpenSSF, one of which is one of the first ones that we came out with. Jamie Thomas kind of spearheaded this called the OpenSSF Scorecard. And what it does is it goes through and it evaluates your repo on certain characteristics.

If I can think about them: dependency management, security configuration, your quality of your code, access control, documentation, if you’re using a CI-CD tool, if you have actions, security practices. And it gives a score for each of those areas to try to define what the… This is the closest we’ll have to compliance in the open source community. Compliance is critical.

Tracy Ragan (08:26.754)
But how do you enforce compliance? But one way is we can evaluate it. So OpenSSF Scorecard, I have found to be a very interesting project and as I have pointed out, one of the first of the OpenSSF, which doesn’t mean it was new and it needed extra work. It is about as complete as you can get for doing compliance around open source repos. So…

We at Ortelius, so Ortelius is an open source project incubating at the Continuous Delivery Foundation. We started incubating there before the OpenSSF was formed. And what we do is we gather all that critical DevOps data from the pipeline. Okay, so we like to call us an evidence store. And part of what we gather is the OpenSSF Scorecard.

So if you’re a consumer and you want to know the score of the packages that your application is consuming, Ortelius can provide that information to you. And not only that, what it does is it aggregates. So if you’re working in a decoupled architecture, you’ve got 100 containers that you’re building, and each one of those containers has code, and each one of those containers have an OpenSSF Scorecard, and the packages within them have a scorecard.

We’re aggregating that data up to the logical application level so that you begin seeing what you’re consuming at the time that you consume it. Now there are a lot of tools out there that help manage open source packages. The secure software development framework tells us we should have a repo of the packages that we want to make sure that people are not using and people are the ones that we are approved to be using, but they still need their scorecard. We still need to understand that. And to be quite honest, not every organization out there is using a repo that tracks your open source that you’re using. What can we, you know, the way we looked at the problem was what can we do to, you know, most DevOps engineers don’t have budget.

They have no budget authority. In fact, I’ve seen a t-shirt that says that, no budget authority, right? So what can we do to make open source more secure through open source? Well, OpenSSF scorecard is one of those ways. And one way to see it, because it’s hard to aggregate this information unless you try to dig down to every package and look at their scorecard, is to expose it.

And by exposing it, we are showing people that the packages that they’re consuming, are they trying to be compliant or not? And unfortunately, CRob, most of them are not trying to be compliant yet. And I don’t want to be like, you know, I go to hockey a lot. And one of the things you do at hockey, if you get a penalty, you do shame, shame, shame. But in a way, you know, if you’re looking at Ortelius and you’re seeing all these packages with a zero scorecard value,

We’re kind of exposing it. And I would like to be able to, you know, we could evolve a scorecard to say, you know, let’s highlight the packages that have a seven or a six and above. Because to be quite honest, it’s a test to be able to achieve it. But every single one of those in that test, except for maybe, I think fuzzing can be really, really hard, is totally doable.

And I would encourage any open source community or if you have a package that you’re managing, know, give it a scorecard, go through it. It’s not hard to install. It’s going to start tracking things. But then when you go to have to do all the things that it’s tracking, it’s much more difficult to comply. But we need you to do that at this point in time.

CRob (12:27.64)
So you touched a little bit about your involvement with our DevRel community and it kind of touches into DevOps. Why is DevRel important and how does it help us encourage things like scorecard use?

Tracy Ragan
Well, to be quite honest, I think the person who’s doing the best DevRel right now is Mr. Wheeler with all of his education, right? Education is what we need to do right now. David has done an amazing job of getting his education out on cybersecurity. DevRel has been in OpenSSF for me. It’s been really hard. And one of the reasons is because the tools, this is where I see the disconnect.

The tools that the OpenSSF is creating, and we have created a bunch. There’s SBOM tools. There’s a ton of new open source projects. They need to be consumed by the DevOps professional, because many of them are command line driven. They have to be executed for every workflow, like an SBOM, for example.

But on the flip side, to be quite honest, I talk to DevOps engineers all the time and they haven’t even thought about what it would look like to add a SBOM to the pipeline. We don’t have that big of an adoption of many of the security tools that’s coming out of the OpenSSF and it’s hard to keep track. It’s hard to know what they do. And it’s hard to update DevOps. Jenkins workflows or a CircleCI workflow, whatever tool you’re using, it’s hard to update those workflow files.

Tracy Ragan (14:11.884)
And there’s a lot of them. There’s thousands of them.

So if you’re in a monolithic environment and you want to add an SBOM to your workflow, that’s fairly easy. But if you’re in a decoupled Kubernetes microservice container environment, you’ve got a lot of work to do to do some simple things like an SBOM, much less Scorecard. So these conversations are really important to the DevOps. We need to educate the DevOps engineer. It’s not necessarily just educating the developer.

We push so much stuff on the developers lap, even though the education that’s coming out of OpenSSF is great. However, we’ve got to do the same thing now for DevOps engineers.

CRob
Absolutely. Initiatives like DevRel can help provide that education and give a forum where folks can talk through some of these issues, correct?

Tracy Ragan
Yes, but oftentimes what I have found that in our, in security dev rel, we’re almost, we’re in an echo chamber. So when we talk about security, we get people who are interested in security and they like to talk about SBOMs. It’s probably our favorite thing to do. But the one thing that we’re not doing is getting DevOps engineers to talk about SBOMs and why they’re important.

Tracy Ragan (15:40.524)
So somehow we have to cross the divide and we have to get a handshake between these two organizations. And you know what? It’s not just within the Linux Foundation with the CDF and the OpenSSF. It’s in every single company I have ever spoken to, there is a divide between these two teams.

CRob
Well, I look forward to collaborating with you to try to see how we can help adjust that. Let’s move on to the rapid fire part of our interview. Are you ready for rapid fire? Got a couple of wacky questions for you. First off, very contentious. Vi or Emacs?

Yes.

Tracy Ragan (16:12.642)
WRAP

Tracy Ragan (16:24.94)
Vi.

CRob
Excellent. And to be clear, there are no wrong answers. Just some answers are better than others. Like Vi.

Tracy Ragan
Yeah, I mean, I wouldn’t even know what to do with anything else except for Brief. Remember Brief? I used to love Brief. Wow. Yes.

CRob
Yeah, that’s a blast from the past. Tabs or spaces?

Tracy Ragan
Spaces.

CRob (16:51.022)
Very popular answer. What’s your favorite open source mascot?

Tracy Ragan
Well, you know, how could you not love the goose?

CRob
Excellent, and our last question, mild or spicy food?

Tracy Ragan (17:11.937)
You know, when I first moved to New Mexico, I only ate mild food. And now I love spicy. It took me 20 years, but I finally started eating spicy food. So spicy now. That red chili taught me better.

CRob (17:31.49)
Nice. I love green chili. Thank you. And as we wind up for the interview here, do you have a call to action to our audience where they might be able to pick up some of these ideas or participate and collaborate to help move these wonderful projects forward?

Tracy Ragan
You know, I would say if you’re a security professional, to go sit down and talk to a DevOps engineer and really understand how they see the world. And take the time to say, could you show me what it would take to add an SBOM to a single pipeline? And if you’re a DevOps engineer, start taking a look at some of the tooling that’s coming out of the OpenSSF.

The Continuous Delivery Foundation did start a SIG recently called the CI/CD Cybersecurity. And what we’re doing is we’re going through every single, we’re starting with a secure software development framework and we’re going through all the tasks and we’re identifying the task by number that needs to be added to the DevOps workflow. And we’re adding open source tools that you can use to achieve that task. So.

If you’d like to get involved in that as a DevOps engineer and learn more about these things, look up the CD Foundation’s CI/CD Cybersecurity SIG, because it’s becoming an education for all of us to go through that process.

CRob
That sounds amazing. I look forward to checking that out. Tracy, thank you for your time today and thank you for everything you do for developers and DevOps folks and cyber people. We really appreciate all of your contributions to open source and thank you for joining us today.

Tracy Ragan (19:17.08)
Thank you, it’s my pleasure.

CRob
Well, happy open sourcing everybody. That’s a wrap.

Like what you’re hearing? Be sure to subscribe to What’s in the SOSS on Spotify, Apple Podcasts, AntennaPod, Pocket Cast, or wherever you get your podcasts. There’s a lot going on with the OpenSSF and many ways to stay on top of it. Check out the newsletter for open source news, upcoming events, and other happenings. Go to openssf.org/newsletter to subscribe. Connect with us on LinkedIn for the most up-to-date OpenSSF news and insight, and be a part of the OpenSSF community at openssf.org/getinvolved. Thanks for listening, and we’ll talk to you next time on What’s in the SOSS.

What’s in the SOSS? Podcast #31 – S2E08 Cybersecurity Framework Launch


Summary

In this episode of What’s in the SOSS, host CRob interviews Clyde Seepersad from the LF Education Department. They discuss Clyde’s journey into open source, the role of LF Education in supporting the community, and the importance of cybersecurity education. They also delve into the development of the Cybersecurity Skills Framework, emphasizing the need for continuous learning and community engagement in the tech industry.

Conversation Highlights

00:00 Introduction to Open Source and LF Education
02:59 Clyde’s Journey into Open Source
05:54 The Role of LF Education in Open Source
09:00 Cybersecurity and the Global IT Cyber Skills Framework
11:59 Framework Development and Industry Collaboration
15:13 Continuous Learning and Community Engagement

Transcript

Intro Music (00:00)

Clyde Seepersad (00:02)
Five years ago, eight years ago it was “What are these container things and how are they going to make a difference?” Fifteen years ago it was “What is this hypervisor and how’s it going to make a difference?” We’re having a moment now where there’s this combination of security’s super important in every single aspect.

CRob (00:20)
Welcome back to What’s in the SOSS, the OpenSSF’s podcast where we talk to interesting people that are involved in open source development and standards and supporting our amazing communities. And this is season two; we’re quite excited to have graduated on to the next level. I’m CRob, I’m one of your hosts here at the OpenSSF.

I’ve had the pleasure to be involved with this community for just under five years and I get this amazing chance to interview some amazing, interesting luminaries. And today we have a real treat. We have Clyde from the LF Education Department and they specialize in helping people understand.

open source tools and methodologies and techniques. So, Clyde, can you give us maybe a few minutes of your open source origin story and kind of explain a little bit about what LF Education does?

Clyde Seepersad (01:19)
Thanks, CRob. I’m excited to be here. I’m excited to have education be talked of as a luminary because often when we do materials, people start looking very intently at their toes and hoping that somebody else will do it. Always happy to get a platform to encourage more folks to come on in. The water is fine. I am sort of a latecomer to open source. I’ve been involved for the past 10 years or so and was off on the dark side doing my thing.

And one day a headhunter called up and said, we have this interesting opportunity. We think you’d be good for it. And at the time I was in Austin, Texas. And I thought, well, you know, Austin is not that big a town. It was great to meet extra people. We scheduled a 20 minute coffee and no harm, no foul. And it took two and a half hours to wrap up the conversation because we just kept going and I kept thinking, I had no idea that dot, dot, dot.

And so I left that meeting, went home, told my wife that the coffee I had told her about ended up being a two and a half hour conversation and I was going to leave my job and go do this non-profit thing that she had never heard about and that I had only barely heard about several hours earlier. And it just…

CRob (02:35)
must have been some great coffee.

Clyde Seepersad (02:37)
It was good coffee. I think it got cold several times. So the refresh cycle on the coffee was good, which, you know, is important. And it’s just been such a phenomenal ride, right? Obviously, we’re recording this, whatever, 10 days after the DeepSeek drop, and cool things just keep happening in collaboratively developed spaces, which is, maybe not ever was thus, but certainly ever will be thus. I think that is the new way that stuff gets done. And of course, one of our big priorities along with everybody else on planet Earth in the last few years has been the security space and trying to think about what more could and should we all be doing.

CRob (03:18)
Mm hm. So a lot of people might not be aware that the Linux Foundation has a whole group dedicated towards training and education. So maybe could you talk a little bit about your group and kind of the things that you all do for the community and our members?

Clyde Seepersad (03:33)
Technical folks like to work on technical problems, right? They like to spin up new projects. They like to work on road maps and get from beta versions to release candidates to GA to one to two to X. Some of them like to go to meetups and connect with other folks. Not terribly many like to step back and think about how will I onboard the next person who isn’t currently super excited about this. And I think that’s where this team shows up as we say, as we show up and we say, listen, we can help you with the instructional design. We can help you with the development of quizzes, with the multimedia, with the video, with the, you know, the multilingual stuff, with the production value, with the sort of mapping out of the process, with the handling of the tools that author the content.

If we, if you can work with us, because the one thing we’re not as experts in, fill in the blank, right? There’s a thousand projects at the LF. A lot of what seems scary in terms of putting education together and not just putting it together, but importantly, getting it into the hands of the right people quickly is what we can do. And so that’s what I like to brag on this team is we’re doing a lot of things that aren’t central to any one open source project or initiative, but we’re bringing a set of skills and capabilities that you typically don’t find in kind of the core maintainer community, but they’re very complementary and we can say, we’ve got all the folks and the tools and the processes to do all the stuff that makes your, you know, makes your hair hurt. Let’s work with you. Let’s work with you to get the story out. And importantly, let’s get the story out not just to the people who are already excited and way down the weeds in the GitHub repo.

Let’s get the story out to the next folks out there who, if you ask the question, and I always say to the team, the most important question we can help folks answer is what is that tech and why do I care? And that is very much about, you know, what are these technologies? What did they do that were impossible yesterday, was much easier to do, was able to do in a way that is more cost effective because it’s a shared license. Because that’s where we help, but that’s where we can really help is to bring new people into these ecosystems.

CRob (05:53)
So thinking back of your journey with the LF Education crew, what are some of the timely topics? Like what are some of the most requested things or what are you all working on? What’s your priority lately?

Clyde Seepersad (06:06)
Well, you’ll be shocked to hear that AI is on the list.

CRob (06:13)
You’re right I am shocked.

Clyde Seepersad (06:14)
Pretty much the only two topics I hear currently are security and AI. Five years ago, eight years ago, it was what are these container things and how are they going to make a difference? 15 years ago, it was what is this hypervisor and how is it going to make a difference?
And then you get the most specialized conversations and things like networking. But I think it is definitely true that we’re having a moment now where there’s this combination of security is super important in every single aspect and trying to figure out what exactly the Gen.ai future is going to look like and where we never ever have a junior software developer ever again because, quote, GitHub is pretty good at first pass stuff. You know, I think there’s a series of really active conversations around trying to envision what our future is going to look like. And both those components are front and center.

CRob (07:09)
Very nice. Well, one of the things that you and I have been collaborating on most recently is the global IT cyber skills framework. Could you maybe talk a little about where this idea came from and kind of what you’re intending to do with this project?

Clyde Seepersad (07:25)
Sure, and really appreciate all the support you’ve provided on this. It really started with a very simple observation, which is, as I listen to folks talking about cybersecurity, a lot of what the pattern we kept hearing was there are specific job functions and areas of responsibility related to cybersecurity that everybody wants to be very focused on. So whether that is intrusion detection, pen testing, there’s a lot of specialized focus on cyber. And it’s a little bit like the Sherlock Holmes story where the key clue was the dog that didn’t bark. What about all the people who aren’t cyber security specialists? They’re app developers, they’re network people, they’re database admins, getting up every morning thinking about where the latest vulnerability is going to come from. But they have not been part of the conversation.

And so I think that’s really what we’re trying to do here is to say, we have to find a way to make everybody who touches these systems part of the conversation on cybersecurity and make it easy for them to figure out what their part in the broader strategy is. Security is not something you can inspect in at the end, right? It has to be there from the get-go. And that has not been…a big part of the conversation, which is not surprising when the fire is hot as you put in the water on the most immediate source of the flames, but you’re not paying as much attention yet as to where the fuel load is building up. And so I think that’s really what we’re trying to, hoping to catalyze is a broader conversation around just how extensive the concept of cybersecurity is when you think about all these different roles in technology. And so it’s great that we’ve started with the specific folks that are in a CISO’s office, but we have to make sure we don’t stop there.

CRob (09:32)
Yeah, I love that kind of looking at the framework, the fact that we looked at many different job types and kind of thought about it from somebody’s career at the beginning of their career, they needed to have certain experiences. And as you evolve and kind of get more, you level up, so to speak, there’s more increasingly complex tasks that you’re asked to do with. Could you talk a little bit about – just give us kind of a sneak peek into the framework and kind of what went into some of this thinking.

Clyde Seepersad (10:01)
Yeah, I think we, there were two things we were trying to make sure that we use as our North Star. The first was it had to be easy to use. We have to make it easy for people to have this conversation. So how can we develop something that is not intimidating, easy to use, people can see their way to the end goal where they’re using it. And the second is, can we make something that is not a special snowflake, that is industry agnostic, that’s geography agnostic? Because what you, and to have those two things be true, and you know, we worked with hundreds of folks who volunteered their time and expertise on this. Where we ended up was saying, to make it easy, we have to have it be simple for folks to figure out where different people in their organization might slot in. So how can we group like with like? And so we went through this exercise with a group of experts and then validated it through a large form field study survey in the field. And we ended up with 14 or 15 job categories or job families.

Clyde Seepersad (11:23)
That’s not to say that there aren’t people out there who straddle lines, and there will always be, but we felt pretty good about having these categories as sort of people who are grouped together. So things like network specialists, things like database administrators, things like software developers as distinct from app developers, so smartphones. And then from a career perspective, as you alluded to, CRob, there’s this concept that there are things you need to know when you’re just starting out.

And there’s more things you need to know when you start taking more individual responsibility and yet there are more things you need to know, especially as you take on managerial responsibility and start supervising the works of others. And so what we ended up with, if you envision sort of a two by two framework, a set of job families where we have examples, we can help people visualize, oh yeah, I’ve got folks in that box. And then this continuum of experience where newer folks, there’s topics and we’re very, you know, the topics are quite specific and so they’re somewhat opinionated, but we wanted it to not be a hand wavy feel good.

We wanted people to be able to look into that framework, see things they violently agreed with, maybe see some things they violently disagree with because maybe it’s not relevant and that’s okay, right? It’s very much meant to be à la carte, Kanban style. I like this, I want to use it. I don’t like that, I want to take it out. I think this is missing because I’m in industry X and I want to add it in. But I think we’re hoping that the concept of it’s a simple framework. You can print it on one page. It’s a way to start and then make it your own. Make it relevant to your department. Make it relevant to your industry. Move stuff left, move stuff right, blend stuff between buckets, but use it as an accelerant, right? Instead of staring at the blank white board. This is the collective wisdom of hundreds of folks who spent decades in this space – stand on their shoulders, right? Use it as a jumping off point.

CRob (13:20)
I loved the kind of practitioner perspective that the framework brought. Could you maybe talk about, I know we’ve had some conversations with other folks within the ecosystem. How does this work alongside or complement other similar efforts?

Clyde Seepersad (13:37)
Yeah, I think our view is that this is meant to be an entry point for people to think about cybersecurity for their broad audiences and not to replace. There are some very good, more specialized frameworks that already exist out there, right? So you have things like SFIA, you have things like the NICE framework. And our take was we look around and we listen.

And those are not being as used, used as much and implemented as much as you might have thought. I think part of the reason is they’re so sophisticated and there’s so much detail that they’re a little maybe intimidating if you’re starting kind of at the, at the, at the starter’s pistol. And so we’re envisioning this really as a gateway exercise to say, here’s a way that you could start. It’s not saying that it’s fully comprehensive of everything you’d ever think of, but it’s saying these are the lowest common denominator pieces, right?

And so it’s a discrete, easy to wrap your head around, printed on a page starting point. And hopefully what we see is that once people start their journey, they gravitate towards some of these bigger frameworks that already exist according to what makes sense for their organization, for their industry, for their geography. And so we’re very much seeing this as complementary to frameworks that are more specialized that exist, really as a way to get more folks far enough down the path that they start using those frameworks with confidence.

CRob (15:14)
I love the effort. I’m really looking forward to kind of unleashing this and sharing it with the broader ecosystem and then starting to, the devil’s in the details. I want to start building my own little Kanban board and kind of mapping out my journey and seeing what I and others might want to start exploring education wise next.

Clyde Seepersad (15:33)
Yeah, and that’s exactly what we’re hoping to happen, right? This is going to be a publicly available royalty free resource sponsored by OpenSSF and the LF. We want everybody to use it. We want companies, we want education providers to use it. And importantly, we want this to be an ongoing effort. So, you know, we’ve had a ton of people volunteer their time and expertise to get to V1. We’re very much intending to have this be an ongoing effort where we’re constantly reviewing this, you know.

At least twice a year stepping back and saying, is this still right? Because the one thing that we know is true is yesterday’s threats are not tomorrow’s threats, right? So we cannot have these be static. We have to constantly be asking ourselves, is this still relevant? Is there something else that we need to add? Because that’s the only way that you can really, if we’re trying to get people to think holistically about the security implications up and down the food chain, we have to help them keep track of stuff as it evolves. And so I think one of the beauties of doing this collaboratively is we do have the ability and the intention to continue revving, right? Just like any release schedule, right? That the 2026 version is gonna go look different and the second half of 2025 version might look different.

CRob (16:50)
Excellent. Well, let’s move on to the rapid fire part of the conversation. All right. I got a couple of wacky questions. I just want your first answer right out of the gate. What’s your favorite open source mascot?

Clyde Seepersad (17:06)
You know, it’s still Tux. It’s just, you know, I’ve got a dozen of them on my desk and it’s an oldie but a goodie.

CRob (17:19)
Excellent. Good, good. Spicy or mild food?

Clyde Seepersad (17:23)
I grew up in the Caribbean, so definitely spicy.

CRob (17:30)
Ooh, that’s spicy. Excellent. What’s your favorite adult beverage?

Clyde Seepersad (17:34)
Rum and Coke.

CRob (17:35)
Classic. I love that as well. So as we wrap up here, what advice might you offer someone that’s just getting into, whether it’s open source development or cybersecurity, how can you help them start their journeys?

Clyde Seepersad (17:50)
You know, the key thing I say to folks anymore is that the world has really changed. Even when I started my career, you could pick a spot and say, I wanted to be an X. I wanted to be a database person. I wanted to be a Cisco switch person. I wanted to be an Oracle person. Because we used to have these long runways of technology staying pretty stable.

And that’s just not true anymore. I think everybody should be coming into tech and even those of us who’ve been in it should be thinking about it as an ongoing journey of lifelong learning. You’ve got to stay on your toes. The thing that made you successful three years ago probably is not going to be the thing that makes you successful this year. And so committing to this idea that it’s your responsibility to figure out the things you’re passionate about and learn them and implement them and stay on this sort of continuous journey.

That’s going to be what the foreseeable future looks like, is all of us just cross-skilling, up-skilling, feeling like we’re always slightly behind, but making that commitment to our own learning and development.

CRob (18:58)
I like to learn something new every day. And finally, what call to action do you want to give the community right now? What actions can people take to help make the world a little bit better place?

Clyde Seepersad (19:09)
Yeah, I would say for everybody who touches a tech stack, step back and start inventorying where do you think in your day-to-day job you could do one thing better that would narrow or close a security gap. We all have goals and the targets we’re trying to meet and we’re on the treadmill. Take a moment to step back.

Get off the goals treadmill. Try to find one thing, one thing that you can do better that helps narrow the surface, the attack surface, and find a way to make that happen.

CRob (19:52)
Excellent. Well, thank you. Sage advice learned over your journey. Thank you, Clyde, for coming today and sharing about the IT skills matrix and about LF education.

Clyde Seepersad (20:03)
Thanks so much for having me, CRob.

CRob (20:05)
Cheers.

Outro Music (20:05)
Like what you’re hearing? Be sure to subscribe to What’s in the SOSS on Spotify, Apple Podcasts, AntennaPod, Pocket Casts or wherever you get your podcasts. There’s a lot going on with the OpenSSF and many ways to stay on top of it all. Check out the newsletter for open source news, upcoming events and other happenings. Go to openssf.org/newsletter to subscribe. Connect with us on LinkedIn for the most up-to-date OpenSSF news and insight and be a part of the OpenSSF community at openssf.org/getinvolved. Thanks for listening and we’ll talk to you next time on What’s in the SOSS.

What’s in the SOSS? Podcast #29 – S2E06 Showing Up Fully: Meet OpenSSF’s new Community Manager, Stacey Potter

By Podcast

Summary

In this special episode of What’s in the SOSS?, we welcome Stacey Potter, the new Community Manager at the Open Source Security Foundation (OpenSSF). Stacey shares her winding journey from managing operations at a vitamin company to becoming a powerful advocate and connector in the open source world. We explore her community-first mindset, her work with CNCF and Platform Engineering Day, and her passion for inclusion and authenticity. Whether you’re curious about how to get started in open source or want insight into how community shapes security, this episode is for you.

Conversation Highlights

00:00 – Welcome + Introduction
01:34 – Stacey’s Origin Story in Open Source
03:18 – Discovering Community Management at Weaveworks
04:19 – Projects and Evolution Across CNCF and Beyond
06:13 – Co-Chairing Platform Engineering Day
10:15 – Being Openly Queer in Open Source
13:38 – What Stacey Hopes to Bring to OpenSSF
16:23 – Rapid Fire Round
17:53 – Final Thoughts

Transcript

Intro music (00:00)

Stacey (00:02): “It’s given me a deep understanding and appreciation for inclusiveness and being a welcoming community – I have always felt embraced here, these spaces have empowered me to show up fully as myself”

Yesenia (00:21)
Hello and welcome to What’s in the SOSS? OpenSSF’s podcast where we talk to interesting people throughout the open source ecosystem, sharing their journey, experiences and wisdom. So, Yesenia, I’m one of our hosts and today we have a special announcement and introduction. I am talking to OpenSSF’s Community Manager, Stacey Potter. Welcome to the open source community. Stacey, please introduce yourself to the audience.

Stacey Potter (00:48)
Hey, everyone. Thanks, Yesenia. So I’m super happy to be here. I just joined and I think this is week four that we’re recording this right now. So by the time this gets posted, I might have been here for a little bit longer. But I am the new community manager here at OpenSSF. So I am here to facilitate events. I’ll be managing budgets in the background. And in general, just promoting the foundation and all of our technical initiatives. So super stoked to be here. Can’t wait to meet everybody either in person, online, in Slack, et cetera. So super happy.

Yesenia (01:25)
Super, super happy to have you and we’ll kick it off with our first question. Tell us about your journey in the open source world and just what sparked your curiosity.

Stacey Potter (01:34)
Yeah, so honestly, my path into software was more a result of circumstance than intention. I transitioned into the industry a little bit later in my career. Before that, I was working as an operations manager at a small family-run vitamin company based out of Oakland, California. And after I left that role, I applied for an office manager position at a San Francisco startup focused on what we now call Software Composition Analysis or SCA. Though I don’t even know if it was called that back then in 2009. And at the time, our tagline was something like open source software security for enterprises or something like that. I think a lot of people will know our main competitor, which was Black Duck Software. But we were just a tiny little startup having fun in San Francisco.

And that role was really like my first exposure to the world of open source, but not in a really direct way because I wasn’t working with it. And I almost felt like we were kind of pulling open source out of enterprises or making it more restrictive in certain ways. Cause it was like we were bringing to light all the open source licenses and if you should or shouldn’t use them in an enterprise, right? So it felt a little ambiguous, right?

But I spent seven years there working with the CEO and gradually kind of moved through different roles at that company. I was great about working at a startup. I was the sales operations manager. And then later I transitioned into marketing. And then that company got acquired and I stayed on for a couple more years doing marketing things. And then I transitioned out of there in 2019 and went to Weaveworks where I feel like my true journey with open source really began. I started working at Weaveworks as a community manager at that point, transitioned from marketing, went into community management. Thanks to general good faith in my boss at the time, which was Tama Nakahara. She’s amazing and an amazing mentor. And she was like, I have marketing, you’re fine. You’re personable. You’ll be great as a community manager and really took me under her wing and taught me everything I needed to know. And learning all about Flux and Flagger in that CNCF ecosystem and really being embraced within those communities was where I feel like it really truly began.

Yesenia (04:09)
Nice. It’s a nice little journey to start and then just what brought you here now to OpenSSF? Did you come from there or have you explored other open source projects that you would like to mention?

Stacey Potter (04:19)
Yeah. So Flux and Flagger were my true introduction. Been in and around the CNCF for a while. After Weaveworks, I went to Dynatrace and worked on the OpenFeature project and the Keptn project, which are both CNCF projects as well. Super great communities there as well. And then after Dynatrace, I went to Stacklok, which is another startup. And they had a project called Minder, which we donated to the OpenSSF. And I had kind of heard musings of the OpenSSF when I was kind of in that CNCF ecosystem before, but didn’t really know a whole lot about it. And when I worked at Stacklok, kind of became more familiar with the community. We donated that project. I went through the entire process of like what donating a project looks like within the OpenSSF ecosystem. So that was fun and interesting.

Yesenia (05:11)
Interesting.

Stacey Potter (05:18)
And yeah, then Stacklok like switched positions. It kind of is going a different route now. And so I came to OpenSSF just almost a month ago, not quite a month ago, so three weeks ago now. And yeah, that’s how I got here.

Yesenia (05:31)
That’s amazing. Here you are. Perfect. Yeah, it sounds like a good experience exposure with community building and open source projects for CNCF and OpenSSF, which are big, big organizations when it comes to open source. So very interesting, very interesting indeed. So we’ll move on to the next question. This is during my online recon, we’ll say, consented recon. I discovered you are the co-chair of Platform Engineering Day. Can you share with the audience what this is, what the event is, and what excites you the most about working with this community?

Stacey Potter (06:13)
Yeah, absolutely. So Platform Engineering Day, I mean, well, as internal developer platforms, IDPs, really help dev teams move faster by giving them tools and frameworks that they need, right? So Platform Engineering Day is all about sharing real world tips on building great internal platforms, not just the tech, but the people and the processes as well, right? So it’s a chance for platform folks from all different job titles and job roles to trade stories, lessons, and ideas on making the dev experience awesome. So what excites me about working in this community? I think there’s just so many passionate people involved in this space. I know Platform Engineering Day has become kind of this buzzy word of late, right?

Yesenia (07:11)
Marketing.

Stacey (07:13)
Exactly. But I mean, to the people who are in it, they, from my perspective, as I’ve gotten involved in it, they’re super passionate folks, right? And they really want to make this experience, you know, as good as they can. But after chatting with Paula Kennedy, who is my co-chair, and Abby Bangser, whom I got to know through an old Weaveworks colleague, we felt the need for not just a bunch of tech talks on the topic. But really, we wanted to provide, as I said before, a place where platform engineers, product managers, solutions architects, and other folks could come together and share lessons learned in building and managing internal platforms, measuring platform maturity and improving these golden paths and the developer experience as a whole.

Yesenia (08:04)
Nice, do you want to do a quick plug on when the next platform engineering day is?

Stacey Potter (08:08)
Well, it’s a colo with KubeCons. So if you’re going to the next KubeCon, which I believe is North America in Atlanta, Georgia, for all those folks who are outside of the States, I’m sorry, that you may or may not be able to come here based on a number of different things. But we’re trying to do it co-located in general with KubeCons, because it kind of fits there and makes sense. And we’ve had a great response so far, right? The first one, we got more CFPs than any other co-located event had ever gotten at any KubeCon colo event before. And I think we had hundreds and hundreds of folks in the seats listening to all these great talks. And I’ll also just highlight the platforms working group within the CNCF too. This is a great team of people working on all things platform related. And if you’re interested in learning more about platform engineering in general, the platforms working group within the CNCF is really a great place to go.

Yesenia (09:15)
Yeah, I didn’t know that it was in KubeCon. I’m hoping to go my first year this year in Atlanta.

Stacey Potter (09:21)
Yeah. Yeah. I think Paris was our debut. Yeah. Yeah. Right. Not bad. And we just had our last one in London. Yeah.

Yesenia (09:24)
Hmm, that’s a good debut. Fashion debuted there. There you go.

Stacey Potter (09:31)
We’re so fashionable. Who knew?

Yesenia (09:36)
Talking about fashionable. During my cyber roots, I found your GitHub profile, which I loved and made me giggle and smile in several locations. But you noted you’re queer and for recording purposes, AF. I’d love to hear your perspective on how this has transformed your journey and influenced you being involved in these open source communities and anything you want to share with the audience.

Stacey Potter (10:15)
Sure. So being openly queer in tech and the open source space has been a pretty powerful part of my journey, I guess, in retrospect. It’s given me a deep understanding and appreciation for inclusiveness and being a welcoming community, regardless of what the, I guess, we’re going to call it difference is for whomever is coming into your community.

I think something I’ve been lucky to experience in the Kubernetes and cloud native and broader open source ecosystems is that welcomeness, that feeling of belonging. I’ve never felt like I didn’t belong here, right?

Yesenia (10:45)
Yeah.

Stacey Potter (10:48)
Which I think is pretty special. I mean, it’s a privileged place to be, I think in certain ways too, right? Like I am a cis white woman, right? But I present as butch and I’m you know, that’s my that’s what I call myself, right? That’s how I identify. And some people could be put off by that. But I have always felt embraced here. And, you know, like these spaces have empowered me to show up fully as myself, which has not only boosted my confidence, but also allowed me to connect with and, you know, mentor, I guess, others navigating similar paths, whether that’s being queer or being a woman or whatever.

I think visibility matters and I found that authenticity can be a bridge, right? Whether it’s in a code review, which I don’t do by the way, community calls or just, you know, contributing to projects that reflect shared values that you have, right?

Yesenia (11:48)
Yeah, it’s great because that’s the underlying foundation of open source. It’s just a community of anyone that can come in and contribute and make a project, move a project and make it successful and gave me a little bit of goosebumps there as you were speaking on that one. But because I feel the same when it comes to like the open source space is just they’re very welcoming. Every time folks are like, I’m just so scared. I’m like, trust me, don’t just go ask the questions. Like this is the place to ask the technical quote unquote “this is a dumb question…”

Stacey Potter (12:15)
Yeah, and I mean, they’re just so happy. What I have found is everyone in these communities is just so happy for people to notice them to want to get involved in the first place, right? Like they’re so stoked that you’re there. Like whatever your skill set is, they’re willing to bring you into the fold, right? They’ll make it work.

Yesenia (12:22)
Yeah.

Yesenia (12:41)
We’ll figure it out.

Stacey Potter (12:41)
You don’t need to know how to code, right? Work on docs, work on…community management, promote our events, like make us a poster or a cool logo or I mean, there’s so many different ways you can contribute if you don’t write code. I don’t write code and this is my job now. I would have never thought, right? Yeah.

Yesenia (13:00)
Yeah. Who would have thunk it? Yeah, I haven’t written code in such a long time. I write for my own like fun, so I don’t lose the skill. You know, it’s like riding a bike. I’m hoping it’s like riding a bike that you never forget, but I forgot because once again, short term memory issues.

Stacey Potter (13:12)
Yeah, right, right.

Yesenia (13:17)
Ah, this is great. Moving on to the next. You are the newest member of OpenSSF. I’m sure other folks have been hired, so I’m sorry if there’s anybody that’s newer, but as far as this recording, this is what I know. And now the Community Manager, what would you like to see in the upcoming months with the impact you plan to ripple through this ecosystem?

Stacey Potter (13:38)
Wow, that’s a big question. So as the newest member of the OpenSSF team and like you said, the community manager here, I’m really excited to help grow and connect this vibrant ecosystem. In the coming months, I think I want to focus on making it easier and more inviting for people to get involved. Whether you’re a seasoned security pro or just a curious first timer, I think a lot of people don’t even know that we exist maybe – the OpenSSF. So I think just awareness in general is also something that I’d like to help promote. But you know, like smoothing out the onboarding journey, launching programs like the Ambassador Initiative. I think there’s been a lot of talk internally about trying to ramp that up and get that going and supporting mentorships that help contributors thrive. I’d love to see more stories, more collaboration across projects within the OpenSSF and externally within other communities like maybe CNCF, since that’s where my prior history is, right? And more representation from folks who may not traditionally see themselves in the security space. OpenSSF already has amazing technical initiatives. My goal is to amplify the voices behind them, create inclusive pathways into our work and build bridges to other communities who share our mission. So whether it’s through meetups, events, or even just a warm welcome in Slack, I want everyone to feel like there’s a place for them here.

Yesenia (15:15)
I love it. You’re full of the goosebumps today. I love that warm welcome on Slack. You had mentioned the ambassador program. I personally haven’t heard of it. Is there any, I know you guys are just, it’s in the works. Anything you want to share about it?

Stacey Potter (15:29)
Well, it’s gonna be a top priority for me as soon as I sort of get my feet, find my feet here, right? It’s only week four. But it’s definitely a priority that we want to get this out as soon as possible. And there’s already been so much work done before I came. So it’s getting me up to speed and then, yeah, I’m just super excited. I think it encourages more people to join sort of.

Yesenia (15:37)
Yeah

Stacey Potter (15:56)
Also celebrating those who have made us who we are so far as well. But then, you know, lots of people would love to become an ambassador that don’t know how to get started or things like that, right? And bringing more people into the fold.

Yesenia (16:09)
Love it, love it. Well, I look forward to seeing the announcement news and learning more about that. So for those folks listening, hopefully it’s released. Hopefully it’s in the works by the time you listen to this. All right, cool. We’re going to move over to the rapid fire. I just make noises because I don’t get, CRob’s got a fancy noise maker. So we’ll go with the flow with whatever my ADHD brain decides to do. And our first question, Disney or Pixar?

Stacey Potter (16:40)
Pixar for sure. I used to live like around the corner from Pixar, so, and I’ve always been a huge Pixar fan, but Disney acquired Pixar, so they’re one and the same now.

Yesenia (16:52)
In my heart, are they really?

Stacey Potter (16:55)
Yeah, no, in our hearts we know the truth, but Pixar, yeah.

Yesenia (17:02)
Dark or light mode?

Stacey Potter (17:05)
Dark.

Yesenia (17:06)
Dark as my soul.

Stacey Potter (17:09)
Black is the night.

Yesenia (17:11)
Cats or dogs? (as she takes a sip of coffee)

Stacey Potter (17:15)
Both. I have two cats and a dog, and they’re all amazing. I love them both for very different reasons.

Yesenia (17:22)
Yeah, I can’t choose between my five, so.

Stacey Potter (17:26)
Oh wow. That’s a lot.

Yesenia (17:29)
Alright, this next question, and it may cause chaos to our listeners, alright? Linux, Mac or Windows?

Stacey Potter (17:38)
Well, I’m a non-coder, so, and I’m a Mac gal.

Yesenia (17:44)
Mac, there it is. Well, there you have it folks. It’s another rapid fire. Any last minute advice or thoughts for the audience you’d like to share?

Stacey Potter (17:53)
Well, I’ll do some shameless plugging of our upcoming events because I’d love to connect with you all in real life and these events are great places for our community to get together and share ideas and progress on the capabilities that make it easier to sustainably secure the open source software on which we all depend. You can find all of these listed on our website at openssf.org/events

So, we’re going to be hosting some upcoming events:

  • We’ve got Community Day Japan (in Tokyo) on June 18 – which is a colo event after KubeCon’s main event
  • CD North America will be in Denver on June 26 (as a colo event after Open Source Summit, which we are sponsoring so we’ll also have a booth at Open Source Summit)
  • CD India is August 4 in Hyderabad Co-located with KubeCon + CloudNativeCon India
  • CD Europe will be in Amsterdam on August 28 (alongside Open Source Summit, which we are sponsoring, so we’ll also have a booth at Open Source Summit)
  • And Open Source SecurityCon is November 10 (colo event pre-KubeCon NA) which is a new event that fosters collaboration and shares innovation in cloud native security and open source software security. The Call for Proposals for this one opens mid May – so be on the lookout for that.

We’ll also be attending & sponsoring events for the remainder of the year as well:

  • We’re sponsoring, and thus have a booth at, Open Source Summit North America in June (Colorado)
  • Black Hat & DEF CON in Vegas in early August
  • We’re sponsoring, and thus have a booth at, Open Source Summit Europe August 25-27
  • Sponsoring Open Source in Finance Forum in NYC October 21-22

I can’t wait to meet you all. I’m super excited to be here. And if you join us in Slack, please say hi. If you have any interest in any of our projects, I just encourage you to just jump in, right? Say hello. And usually that’s all it takes to get a really warm welcome from anyone in this community. And I look forward to working with all of you.

Yesenia (20:16)
There you have it from Stacey Potter. Thank you for your impact and contributions to our open source communities. I’m looking forward to the impact that you’ll have and how your ripple affects the OpenSSF, being a part of it. Stacey, I appreciate your time and thank you.