Josh talks to Michael Wisner about a talk he gave at FOSDEM as well as his work on Alpha Omega at the Linux Foudnation. Michael is approaching open source security in a way that nobody has ever tried before. What if we could fund some really big, really hard projects? It's not cheap or easy, but he's getting it done. We spend a lot of the time discussing package registries, which are a huge topic. Michael is doing some amazing work helping package registries which is the first step in a very long journey.

The show notes and blog post for this episode can be found at
https://opensourcesecurity.io/2026/2026-03-michael-wisner/

Josh chats with Brian Fox from Sonatype about their 2026 State of the Software Supply Chain report. Most of the number continue to grow at alarming rates, but there's some new interesting findings in this one. We discuss end of life and open source which is tough to define. We touch on what using AI with open source dependencies looks like (and why it's broken), and we discuss the challenge of upgrading your open source dependencies in a way that doesn't break everything. It's a great report and great discussion.

The show notes and blog post for this episode can be found at
https://opensourcesecurity.io/2026/2026-03-SOTSSC-Brian-Fox/

Josh talks to Luke Hinds, CEO of Always Further, about MCP and agent security. We start out talking about Luke's new tool, nono which is a sandboxing tool that has AI agents in mind as a use case. We explain what MCP and agents are doing as well as why it's so hard to secure them. It's not impossible, but it's not simple either. We end the show by discussing some of the more human aspects to security and how history may be repeating itself with security folks laughing at new users who don't know any better.

The show notes and blog post for this episode can be found at
https://opensourcesecurity.io/2026/2026-03-mcp-agent-luke/