Airflow Beach Cleaning - Supply Chain Security with Community in Mind

CVE/FIRST VulnCon 2025 · Main Stage

In this talk from VulnCon, Michael Windsor, co-founder of Alpha Omega, and Jarrick, an Apache Airflow maintainer, describe a pragmatic, community-focused approach to securing the open-source supply chain. Rather than trying to drain the "Pacific garbage patch" of vulnerabilities all at once, they advocate "beach cleaning": a targeted strategy that improves security for specific, high-impact open-source projects and their upstream dependencies. Their methodology rests on human connection, direct engagement with maintainers, and a clear understanding of the economic incentives at play.

AI review

A competent, well-intentioned talk on open-source supply chain security that earns its slot by being honest about what works and what doesn't. The 'beach cleaning' metaphor is useful, the Fix/Fork/Forget framework is transferable, and the XZ Utils framing is appropriate context rather than cheap clout-chasing. The case studies — particularly Chroner moving to Pallet Echo and the Flask-to-FastAPI migration — are concrete and show real decisions with real tradeoffs. What holds this back from a 4 is that none of this is genuinely novel to anyone who's been paying attention to supply chain…
