Open Source Security
In-depth guides and analysis on open source security from the Safeguard engineering team.
404 articles
Rust Tokio Dependency Security Review
Tokio is the async runtime underneath most production Rust. A supply chain review of Tokio and the crates that orbit it — dependencies, CVE history, and what changes across versions.
Gradle Version Catalogs Security
Gradle version catalogs centralise dependency versions in one file. The security payoff is concrete: auditability, uniform enforcement, and a single PR gate.
Go Toolchain Distribution Security
The Go toolchain directive can automatically download and run a different compiler version than the one your developers installed, which is convenient, reproducible, and worth understanding as a supply chain surface.
OSS Trademark Policies: Security Angle
Trademarks matter in open source security because they are the signal of authentic origin. When trademark policies fail, typosquatting, impostor forks, and compromised builds follow.
GraalVM Native Image Supply Chain
GraalVM native images change the supply chain story in ways that most SBOM tooling has not caught up with yet. Here is what gets baked in, what gets stripped out, and what still needs to be tracked.
rust crates.io Security Model Reviewed
A look at how crates.io handles authentication, yanking, namespace squatting, and the supply chain risks that remain in mid-2024.
Maintainer Burnout: Security Implications
Exhausted maintainers are not just a welfare problem. They are a security problem. Burnout is a precondition for social engineering, delayed patches, and hostile takeovers.
Go Checksum Verification Patterns
go.sum and the Go checksum database are among the most rigorous integrity mechanisms in any language ecosystem, and the verification patterns around them deserve to be understood and used well.
Commercial OSS License Shifts: An Analysis
From MongoDB to HashiCorp, commercial open source vendors have repeatedly relicensed away from OSI-approved licenses. The pattern reveals a fundamental tension between sustainability and freedom.
NuGet Central Package Management Security
Central Package Management pulled NuGet's multi-project version chaos into a single source of truth. The security implications run deeper than the ergonomics suggest.
PyPI API Token Scopes: An Audit Guide
PyPI API tokens look simple, but how you scope them decides whether a leaked CI secret is a bad day or an ecosystem event. A practical audit guide for security teams.
npm Package Takeover: The Summer 2024 Wave
Between May and June 2024 at least 36 npm packages were hijacked via expired maintainer domains and leaked tokens. We map the cluster.