Safeguard
Topic

Open Source Security

In-depth guides and analysis on open source security from the Safeguard engineering team.

404 articles

Open Source Security

Rust Tokio Dependency Security Review

Tokio is the async runtime underneath most production Rust. A supply chain review of Tokio and the crates that orbit it — dependencies, CVE history, and what changes across versions.

Aug 22, 20246 min read
Open Source Security

Gradle Version Catalogs Security

Gradle version catalogs centralise dependency versions in one file. The security payoff is concrete: auditability, uniform enforcement, and a single PR gate.

Aug 18, 20245 min read
Open Source Security

Go Toolchain Distribution Security

The Go toolchain directive can automatically download and run a different compiler version than the one your developers installed, which is convenient, reproducible, and worth understanding as a supply chain surface.

Aug 14, 20246 min read
Open Source Security

OSS Trademark Policies: Security Angle

Trademarks matter in open source security because they are the signal of authentic origin. When trademark policies fail, typosquatting, impostor forks, and compromised builds follow.

Aug 10, 20247 min read
Open Source Security

GraalVM Native Image Supply Chain

GraalVM native images change the supply chain story in ways that most SBOM tooling has not caught up with yet. Here is what gets baked in, what gets stripped out, and what still needs to be tracked.

Jul 20, 20247 min read
Open Source Security

rust crates.io Security Model Reviewed

A look at how crates.io handles authentication, yanking, namespace squatting, and the supply chain risks that remain in mid-2024.

Jul 14, 20246 min read
Open Source Security

Maintainer Burnout: Security Implications

Exhausted maintainers are not just a welfare problem. They are a security problem. Burnout is a precondition for social engineering, delayed patches, and hostile takeovers.

Jul 8, 20247 min read
Open Source Security

Go Checksum Verification Patterns

go.sum and the Go checksum database are among the most rigorous integrity mechanisms in any language ecosystem, and the verification patterns around them deserve to be understood and used well.

Jul 5, 20247 min read
Open Source Security

Commercial OSS License Shifts: An Analysis

From MongoDB to HashiCorp, commercial open source vendors have repeatedly relicensed away from OSI-approved licenses. The pattern reveals a fundamental tension between sustainability and freedom.

Jun 25, 20246 min read
Open Source Security

NuGet Central Package Management Security

Central Package Management pulled NuGet's multi-project version chaos into a single source of truth. The security implications run deeper than the ergonomics suggest.

Jun 22, 20246 min read
Open Source Security

PyPI API Token Scopes: An Audit Guide

PyPI API tokens look simple, but how you scope them decides whether a leaked CI secret is a bad day or an ecosystem event. A practical audit guide for security teams.

Jun 22, 20246 min read
Open Source Security

npm Package Takeover: The Summer 2024 Wave

Between May and June 2024 at least 36 npm packages were hijacked via expired maintainer domains and leaked tokens. We map the cluster.

Jun 20, 20245 min read
Open Source Security (Page 27) — Supply Chain Security Blog | Safeguard