Beste Open Source Security Podcasts (2025)

1
Closing session of All Systems Go! 2025 (asg2025) 2:22

4h ago2:22

2:22

Closing session of All Systems Go! 2025Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/about this event: https://cfp.all-systems-go.io/all-systems-go-2025/talk/DR8ELH/

1
Closing session of All Systems Go! 2025 (asg2025) 2:22

4h ago2:22

2:22

Closing session of All Systems Go! 2025Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/about this event: https://cfp.all-systems-go.io/all-systems-go-2025/talk/DR8ELH/

1
Closing session of All Systems Go! 2025 (asg2025) 2:22

4h ago2:22

2:22

Closing session of All Systems Go! 2025Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/about this event: https://cfp.all-systems-go.io/all-systems-go-2025/talk/DR8ELH/

1
One Boot Config to Rule Them All: Bringing UAPI Boot Specification to Legacy BIOS (asg2025) 24:59

4h ago24:59

24:59

The UAPI Boot Loader Specification defines conventions that let multiple operating systems and bootloaders share boot config files. So far, only systemd-boot implements it - and it’s UEFI-only by design.As a result, hybrid UEFI/BIOS images require maintaining (and keeping in sync) two sets of bootloader configs: one for systemd-boot, and one for a …

1
OS as a Service at Meta Platforms (asg2025) 25:30

4h ago25:30

25:30

I overview how OS management is done at Meta. We run millions of Linux servers and we have to make sure that OS gets updated on all of them in a given period of time. To do that we developed several products: MetalOS (Image based version of CentOS), Antlir (image builder) and Rolling OS Update (a service that keeps a set of DNF repos in sync with u…

1
One Boot Config to Rule Them All: Bringing UAPI Boot Specification to Legacy BIOS (asg2025) 24:59

4h ago24:59

24:59

The UAPI Boot Loader Specification defines conventions that let multiple operating systems and bootloaders share boot config files. So far, only systemd-boot implements it - and it’s UEFI-only by design.As a result, hybrid UEFI/BIOS images require maintaining (and keeping in sync) two sets of bootloader configs: one for systemd-boot, and one for a …

1
OS as a Service at Meta Platforms (asg2025) 25:30

4h ago25:30

25:30

I overview how OS management is done at Meta. We run millions of Linux servers and we have to make sure that OS gets updated on all of them in a given period of time. To do that we developed several products: MetalOS (Image based version of CentOS), Antlir (image builder) and Rolling OS Update (a service that keeps a set of DNF repos in sync with u…

1
OS as a Service at Meta Platforms (asg2025) 25:30

4h ago25:30

25:30

I overview how OS management is done at Meta. We run millions of Linux servers and we have to make sure that OS gets updated on all of them in a given period of time. To do that we developed several products: MetalOS (Image based version of CentOS), Antlir (image builder) and Rolling OS Update (a service that keeps a set of DNF repos in sync with u…

1
One Boot Config to Rule Them All: Bringing UAPI Boot Specification to Legacy BIOS (asg2025) 24:59

22h ago24:59

24:59

The UAPI Boot Loader Specification defines conventions that let multiple operating systems and bootloaders share boot config files. So far, only systemd-boot implements it - and it’s UEFI-only by design.As a result, hybrid UEFI/BIOS images require maintaining (and keeping in sync) two sets of bootloader configs: one for systemd-boot, and one for a …

1
What's up with test.thing (asg2025) 25:20

5h ago25:20

25:20

`test.thing` is a VM runner which targets guests using an API defined by systemd. It started after a conversation at devconf about turning `mkosi qemu` into a library. A quick intro.~~composefs is an approach to image-mode systems without the disk images. Files are stored in a de-duplicated content-addressed storage with integrity guaranteed throug…

1
What's up with test.thing (asg2025) 25:20

5h ago25:20

25:20

`test.thing` is a VM runner which targets guests using an API defined by systemd. It started after a conversation at devconf about turning `mkosi qemu` into a library. A quick intro.~~composefs is an approach to image-mode systems without the disk images. Files are stored in a de-duplicated content-addressed storage with integrity guaranteed throug…

1
Yocto's hidden gem: OTA and seamless updates with systemd-sysupdate (asg2025) 26:33

5h ago26:33

26:33

Updates are a critical piece of managing your fleet of devices. Nowadays, Yocto-based distributions can utilize layers for well-established update mechanisms. But, did you know that recent releases of Yocto already come with a simple update mechanism?Enter systemd-sysupdate: a mechanism capable of automatically discovering, downloading, and install…

1
Yocto's hidden gem: OTA and seamless updates with systemd-sysupdate (asg2025) 26:33

2h ago26:33

26:33

Updates are a critical piece of managing your fleet of devices. Nowadays, Yocto-based distributions can utilize layers for well-established update mechanisms. But, did you know that recent releases of Yocto already come with a simple update mechanism?Enter systemd-sysupdate: a mechanism capable of automatically discovering, downloading, and install…

1
Yocto's hidden gem: OTA and seamless updates with systemd-sysupdate (asg2025) 26:33

5h ago26:33

26:33

Updates are a critical piece of managing your fleet of devices. Nowadays, Yocto-based distributions can utilize layers for well-established update mechanisms. But, did you know that recent releases of Yocto already come with a simple update mechanism?Enter systemd-sysupdate: a mechanism capable of automatically discovering, downloading, and install…

1
What's up with test.thing (asg2025) 25:20

5h ago25:20

25:20

`test.thing` is a VM runner which targets guests using an API defined by systemd. It started after a conversation at devconf about turning `mkosi qemu` into a library. A quick intro.~~composefs is an approach to image-mode systems without the disk images. Files are stored in a de-duplicated content-addressed storage with integrity guaranteed throug…

1
A terminal for operating clouds: administering S3NS with image-based NixOS (asg2025) 34:54

6h ago34:54

34:54

S3NS is a trusted cloud operator that self-hosts Google Cloud infrastructure in France, targeting the SecNumCloud certification, the most stringent Cloud certification framework. SecNumCloud includes strict legal and operational constraints. To manage these systems securely and reproducibly, we’ve built a family of dedicated administration terminal…

1
A terminal for operating clouds: administering S3NS with image-based NixOS (asg2025) 34:54

3h ago34:54

34:54

S3NS is a trusted cloud operator that self-hosts Google Cloud infrastructure in France, targeting the SecNumCloud certification, the most stringent Cloud certification framework. SecNumCloud includes strict legal and operational constraints. To manage these systems securely and reproducibly, we’ve built a family of dedicated administration terminal…

1
A terminal for operating clouds: administering S3NS with image-based NixOS (asg2025) 34:54

6h ago34:54

34:54

S3NS is a trusted cloud operator that self-hosts Google Cloud infrastructure in France, targeting the SecNumCloud certification, the most stringent Cloud certification framework. SecNumCloud includes strict legal and operational constraints. To manage these systems securely and reproducibly, we’ve built a family of dedicated administration terminal…

1
UKI, composefs and remote attestation for Bootable Containers (asg2025) 42:50

6h ago42:50

42:50

With Bootable Containers (bootc), we can place the operating system files inside a standard OCI container. This lets users modify the content of the operating system using familiar container tools and the Containerfile pattern. They can then share those container images using container registries and sign them using cosign.Using composefs and fs-ve…

1
UKI, composefs and remote attestation for Bootable Containers (asg2025) 42:50

3h ago42:50

42:50

With Bootable Containers (bootc), we can place the operating system files inside a standard OCI container. This lets users modify the content of the operating system using familiar container tools and the Containerfile pattern. They can then share those container images using container registries and sign them using cosign.Using composefs and fs-ve…

1
UKI, composefs and remote attestation for Bootable Containers (asg2025) 42:50

6h ago42:50

42:50

With Bootable Containers (bootc), we can place the operating system files inside a standard OCI container. This lets users modify the content of the operating system using familiar container tools and the Containerfile pattern. They can then share those container images using container registries and sign them using cosign.Using composefs and fs-ve…

1
Leveraging bootable OCI images in Fedora CoreOS and RHEL CoreOS (asg2025) 25:51

1d ago25:51

25:51

In last year's ASG!, bootc and bootable containers were introduced. In this talk, we'll go over what changed since last year, and how Fedora CoreOS and RHEL CoreOS are leveraging bootable containers to reduce maintenance and increase sharing.Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/about this event: https://cfp.al…

1
Introducing ue-rs, minimal and secure rewrite of update engine in Flatcar (asg2025) 24:20

2h ago24:20

24:20

Introduce ue-rs, a fresh project that aims to be a drop-in reimplementation of update engine, written in Rust.The goal of ue-rs is to have a minimal, secure and robust implementation of update engine, required by A/B update mechanism of Flatcar Container Linux. Just like the existing update engine, it downloads OS update payloads from a Nebraska se…

1
Leveraging bootable OCI images in Fedora CoreOS and RHEL CoreOS (asg2025) 25:51

1d ago25:51

25:51

In last year's ASG!, bootc and bootable containers were introduced. In this talk, we'll go over what changed since last year, and how Fedora CoreOS and RHEL CoreOS are leveraging bootable containers to reduce maintenance and increase sharing.Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/about this event: https://cfp.al…

1
Introducing ue-rs, minimal and secure rewrite of update engine in Flatcar (asg2025) 24:20

1h ago24:20

24:20

Introduce ue-rs, a fresh project that aims to be a drop-in reimplementation of update engine, written in Rust.The goal of ue-rs is to have a minimal, secure and robust implementation of update engine, required by A/B update mechanism of Flatcar Container Linux. Just like the existing update engine, it downloads OS update payloads from a Nebraska se…

1
Leveraging bootable OCI images in Fedora CoreOS and RHEL CoreOS (asg2025) 25:51

2h ago25:51

25:51

In last year's ASG!, bootc and bootable containers were introduced. In this talk, we'll go over what changed since last year, and how Fedora CoreOS and RHEL CoreOS are leveraging bootable containers to reduce maintenance and increase sharing.Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/about this event: https://cfp.al…

1
Introducing ue-rs, minimal and secure rewrite of update engine in Flatcar (asg2025) 24:20

6h ago24:20

24:20

Introduce ue-rs, a fresh project that aims to be a drop-in reimplementation of update engine, written in Rust.The goal of ue-rs is to have a minimal, secure and robust implementation of update engine, required by A/B update mechanism of Flatcar Container Linux. Just like the existing update engine, it downloads OS update payloads from a Nebraska se…

1
container-snap: Atomic Updates from OCI Images using Podman’s Btrfs Driver (asg2025) 22:46

2h ago22:46

22:46

Traditional package updates using tools like RPM or Zypper can introduce risks, such as incomplete updates or accidentally breaking the running system. To overcome these challenges, we developed **container-snap**, a prototype plugin designed to deliver atomic OS updates—updates that are fully applied or rolled back without compromising the system'…

1
container-snap: Atomic Updates from OCI Images using Podman’s Btrfs Driver (asg2025) 22:46

2h ago22:46

22:46

Traditional package updates using tools like RPM or Zypper can introduce risks, such as incomplete updates or accidentally breaking the running system. To overcome these challenges, we developed **container-snap**, a prototype plugin designed to deliver atomic OS updates—updates that are fully applied or rolled back without compromising the system'…

1
Dirlock: a new tool to manage encrypted filesystems (asg2025) 26:27

2h ago26:27

26:27

In the Linux world there are several tools and technologies to encrypt data on a hard drive, most falling into one of two categories: block device encryption (like LUKS) or stacked filesystem encryption (like EncFs or gocryptfs). This presentation will introduce Dirlock, a new tool that belongs to a third category: native filesystem encryption, usi…

1
Dirlock: a new tool to manage encrypted filesystems (asg2025) 26:27

2h ago26:27

26:27

In the Linux world there are several tools and technologies to encrypt data on a hard drive, most falling into one of two categories: block device encryption (like LUKS) or stacked filesystem encryption (like EncFs or gocryptfs). This presentation will introduce Dirlock, a new tool that belongs to a third category: native filesystem encryption, usi…

1
container-snap: Atomic Updates from OCI Images using Podman’s Btrfs Driver (asg2025) 22:46

7h ago22:46

22:46

Traditional package updates using tools like RPM or Zypper can introduce risks, such as incomplete updates or accidentally breaking the running system. To overcome these challenges, we developed **container-snap**, a prototype plugin designed to deliver atomic OS updates—updates that are fully applied or rolled back without compromising the system'…

1
Dirlock: a new tool to manage encrypted filesystems (asg2025) 26:27

7h ago26:27

26:27

In the Linux world there are several tools and technologies to encrypt data on a hard drive, most falling into one of two categories: block device encryption (like LUKS) or stacked filesystem encryption (like EncFs or gocryptfs). This presentation will introduce Dirlock, a new tool that belongs to a third category: native filesystem encryption, usi…

1
Forget zbus, zlink is the future of IPC in Rust (asg2025) 38:14

3h ago38:14

38:14

Last year, Lennart Poettering of the systemd fame, [gave a presentation](https://media.ccc.de/v/all-systems-go-2024-276-varlink-now-) at this very same conference, where he introduced Varlink, a modern yet simple IPC mechanism. He presented a case for Varlink, rather than [D-Bus](https://en.wikipedia.org/wiki/D-Bus) to be the future of Inter-proces…

1
Forget zbus, zlink is the future of IPC in Rust (asg2025) 38:14

2h ago38:14

38:14

Last year, Lennart Poettering of the systemd fame, [gave a presentation](https://media.ccc.de/v/all-systems-go-2024-276-varlink-now-) at this very same conference, where he introduced Varlink, a modern yet simple IPC mechanism. He presented a case for Varlink, rather than [D-Bus](https://en.wikipedia.org/wiki/D-Bus) to be the future of Inter-proces…

1
pidfd: What have we been up to? (asg2025) 39:28

8h ago39:28

39:28

File descriptors for processes on Linux have been available for quite some time now. Userspace has adapted them widely.Over the last two years or so we've extended the abilities of pidfds significantly. This talk will go over all the new features and deep dive into their implementation and usage.Licensed to the public under https://creativecommons.…

1
pidfd: What have we been up to? (asg2025) 39:28

3h ago39:28

39:28

File descriptors for processes on Linux have been available for quite some time now. Userspace has adapted them widely.Over the last two years or so we've extended the abilities of pidfds significantly. This talk will go over all the new features and deep dive into their implementation and usage.Licensed to the public under https://creativecommons.…

1
Forget zbus, zlink is the future of IPC in Rust (asg2025) 38:14

8h ago38:14

38:14

Last year, Lennart Poettering of the systemd fame, [gave a presentation](https://media.ccc.de/v/all-systems-go-2024-276-varlink-now-) at this very same conference, where he introduced Varlink, a modern yet simple IPC mechanism. He presented a case for Varlink, rather than [D-Bus](https://en.wikipedia.org/wiki/D-Bus) to be the future of Inter-proces…

1
pidfd: What have we been up to? (asg2025) 39:28

2h ago39:28

39:28

File descriptors for processes on Linux have been available for quite some time now. Userspace has adapted them widely.Over the last two years or so we've extended the abilities of pidfds significantly. This talk will go over all the new features and deep dive into their implementation and usage.Licensed to the public under https://creativecommons.…

1
Privilege delegation for rootless containers, what choices do we have? (asg2025) 21:43

4h ago21:43

21:43

Going for minimal containers with restricted system calls and unprivileged users is the usual Kubernetes approach these days, and it works great for most web apps. However, the development of more complex infrastructure extensions frequently hinders application functionality.While looking for a solution to deploy virtiofsd in an unprivileged contai…

1
CentOS Proposed Updates: Bridging the Gap between development and production (asg2025) 25:32

4h ago25:32

25:32

CentOS Stream is especially suited for production deployments. In these environments it's often common to develop improvements to distribution packages and want to contribute them upstream. Unfortunately, until very recently that required one to then maintain their own build and deployment pipeline for the packages, at least until the changes made …

1
CentOS Proposed Updates: Bridging the Gap between development and production (asg2025) 25:32

9h ago25:32

25:32

CentOS Stream is especially suited for production deployments. In these environments it's often common to develop improvements to distribution packages and want to contribute them upstream. Unfortunately, until very recently that required one to then maintain their own build and deployment pipeline for the packages, at least until the changes made …

1
CentOS Proposed Updates: Bridging the Gap between development and production (asg2025) 25:32

4h ago25:32

25:32

CentOS Stream is especially suited for production deployments. In these environments it's often common to develop improvements to distribution packages and want to contribute them upstream. Unfortunately, until very recently that required one to then maintain their own build and deployment pipeline for the packages, at least until the changes made …

1
Privilege delegation for rootless containers, what choices do we have? (asg2025) 21:43

9h ago21:43

21:43

Going for minimal containers with restricted system calls and unprivileged users is the usual Kubernetes approach these days, and it works great for most web apps. However, the development of more complex infrastructure extensions frequently hinders application functionality.While looking for a solution to deploy virtiofsd in an unprivileged contai…

1
Privilege delegation for rootless containers, what choices do we have? (asg2025) 21:43

4h ago21:43

21:43

Going for minimal containers with restricted system calls and unprivileged users is the usual Kubernetes approach these days, and it works great for most web apps. However, the development of more complex infrastructure extensions frequently hinders application functionality.While looking for a solution to deploy virtiofsd in an unprivileged contai…

1
Modernizing GNOME (asg2025) 31:54

5h ago31:54

31:54

GNOME has collected some very old code over the years. During the recent GNOME 49 release, we've made some drastic cleanups. Most visibly, we've dropped support for X11 and gained many dependencies on systemd. Let's explore some of the what and why for these changes!Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/about t…

1
New Linux Kernel Coredump Infrastructure (asg2025) 41:04

10h ago41:04

41:04

Coredumping on Linux has long been a nightmare. Currently two modes are supported:(1) Dumping directly into a file somewhere on the filesystem.(2) Dumping into a pipe connected to a usermode helper process spawned as a child of the system_unbound_wq or kthreadd.For simplicity I'm mostly ignoring (1). There's probably still some users of (1) out the…

1
New Linux Kernel Coredump Infrastructure (asg2025) 41:04

5h ago41:04

41:04

Coredumping on Linux has long been a nightmare. Currently two modes are supported:(1) Dumping directly into a file somewhere on the filesystem.(2) Dumping into a pipe connected to a usermode helper process spawned as a child of the system_unbound_wq or kthreadd.For simplicity I'm mostly ignoring (1). There's probably still some users of (1) out the…

1
New Linux Kernel Coredump Infrastructure (asg2025) 41:04

5h ago41:04

41:04

Coredumping on Linux has long been a nightmare. Currently two modes are supported:(1) Dumping directly into a file somewhere on the filesystem.(2) Dumping into a pipe connected to a usermode helper process spawned as a child of the system_unbound_wq or kthreadd.For simplicity I'm mostly ignoring (1). There's probably still some users of (1) out the…

1
Modernizing GNOME (asg2025) 31:54

10h ago31:54

31:54

GNOME has collected some very old code over the years. During the recent GNOME 49 release, we've made some drastic cleanups. Most visibly, we've dropped support for X11 and gained many dependencies on systemd. Let's explore some of the what and why for these changes!Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/about t…

Podcasts, die es wert sind, gehört zu werden

Open Source Security Podcasts

Podcasts, die es wert sind, gehört zu werden

Kurzanleitung