The security of open-source software is a growing concern, especially as dependencies and regulations become more complex, making it essential to understand how to manage software supply chains effectively.
In this episode, we sit down with Michael Winser, Co-Founder at Alpha-Omega and Security Strategy Ambassador at Eclipse Foundation, and Jarek Potiuk, Member of the Security Committee at the Apache Software Foundation, to discuss the challenges of securing Airflow’s dependencies, the evolving landscape of open-source security and how contributors can help strengthen the ecosystem.
Key Takeaways:
(02:43) Jarek quit his full-time engineer position and uses Airflow as a freelancer.
(04:32) Michael finds happiness in having meaningful work with open-source security.
(07:01) Software supply chain security focuses on correctness, integrity and availability.
(08:44) Airflow’s 790 dependencies present a unique security challenge.
(09:43) Airflow’s security team has significantly improved its vulnerability response.
(10:22) The transition to Airflow 3 emphasizes enterprise security readiness.
(16:20) The ‘Three Fs’ approach: fix it, fork it, or forget it.
(18:45) Dependency health is often more critical than fixing known vulnerabilities.
(23:32) The ‘Three Fs’ in action.
(26:26) Open-source contributors play a key role in supply chain security.
Resources Mentioned:
https://www.linkedin.com/in/michaelw/
https://www.linkedin.com/in/jarekpotiuk/
https://airflow.apache.org/