Mikael Barbero
Head of Security @ Eclipse Foundation
We build our computers (systems) the way we build our cities: over time, without a plan, on top of ruins — Ellen Ullman
- Reposted by Mikael Barbero: Let's do this. www.youtube.com/watch?v=KtQ9...
- Reposted by Mikael Barbero: today’s one-sentence horror: sudo has been largely maintained by a single person for ~30+ years
- Reposted by Mikael Barbero: +10000 the safety rules to manage this new ecosystem aren’t here yet and are critical. We’ll need safe ways to share these new artifacts (skills, plugins, MCP …)
- Reposted by Mikael Barbero: From curl | bash off the internet… …to docker run some random image… …to /plugin install in coding agents. Same vibes, bigger blast radius. Supply chain management for plugins, anyone? :)
- Reposted by Mikael Barbero: This is an insightful but deeply upsetting article about why everyone in the US feels poor, and why the current political situation emerges as a direct result. www.yesigiveafig.com/p/part-1-my-...
- Reposted by Mikael Barbero: So I wrote a thing redmonk.com/jgovernor/on...
- The recording is available and, as expected, it is exceptionally good! It will genuinely ignite (or re-ignite) your enthusiasm for being an engineer! Thank you, @bcantrill.bsky.social www.youtube.com/watch?v=Cum5...
- Single most desirable feature from Supply Chain Security PoV
- Immutable releases announced at GitHub Universe! Once tagged, releases can’t be changed. No more worrying about malicious actors swapping out assets or moving tags. Single-use version tags with signed attestations. This is the supply chain protection open source really needs 🔒 #GitHubUniverse
- I had a great time chatting with @josh.bressers.name! Go check out what’s happening on the security front at the Eclipse Foundation (@eclipse.org)
- I chat with @mikael.barbero.tech about security happenings at the Eclipse Foundation. My favorite project they have is helping projects generate #SBOMs, but there's a lot happening. If you want to see some public examples of how to do security right, give it a listen!
- And it gets even worse when the metrics are averages rather than percentiles!
- I can’t wait for the video of this one, the deck is already so bonkers! Love it! Also, no mention of LLM ;)
- Slides for my #taloscon2025 keynote, "The Complexity of Simplicity" (video to come): speakerdeck.com/bcantrill/th...
- 🎙 Just wrapped a fantastic conversation with @josh.bressers.name. We dive deep into enhancing open source security and how we do it at the @eclipse.org. Can't wait for you to hear the full episode, coming soon!
- Episode will be available at opensourcesecurity.io
- Reposted by Mikael Barbero: To implement robust mitigations across Geomys, I did a survey of open source project compromises in 2024/2025. Three root causes dominate: phishing, control handoff, and unsafe GitHub Actions triggers. All three can be systematically avoided. words.filippo.io/compromise-s...
- Reposted by Mikael Barbero: 🏷️ Reason #3.7.2 why it's critical to clearly and publicly define your #OpenSource project #Governance, for code, distributions, trademarks, and domain names. And, of course, not breaking norms and cosplaying a public charity while bowing to a sole sponsor over the community. 😢
- Reposted by Mikael Barbero: The future of digital innovation depends on sustainable #opensource infrastructure. Learn how businesses can help ensure long-term sustainability in #EclipseFdn Executive Director Mike Milinkovich’s latest blog: hubs.la/Q03Kz6D50 #PreserveOpenSource #SoftwareSupplyChain #OpenSourceResponsibility
- Reposted by Mikael Barbero: #OCX26 is where the future of open source takes shape. Do you want to be part of it? As an #OCX26 sponsor, you get to align your brand with the communities shaping tomorrow’s tech, all in one place. 👉 Get the prospectus or get in touch with our team directly: www.ocxconf.org/event/2026/b...
- Reposted by Mikael Barbero: The Register wrote a story about a single-maintainer open source project. I think it's shameful and upsetting, so I wrote a blog post about it. An absolutely ridiculous amount of open source is one-person projects. I have the data to prove it: opensourcesecurity.io/2025/08-oss-...
- Reposted by Mikael Barbero: Stand by this: www.politico.com/newsletters/...
- Reposted by Mikael Barbero: 🇺🇸Happy Fourth of July🇺🇸 This year, I'm wearing my 𝐑𝐞𝐬𝐢𝐬𝐭 shirt to show my patriotism. I'm reading the Declaration of Independence as I always do on this occasion. Several of King George's offenses against the colonies resonate this year. Here they are, verbatim:
- Iwata Satoru was an unconventional CEO. In all the best ways that could imply!
- Reposted by Mikael Barbero: I will be damned if I allow a bunch of Confederate-waving January 6th apologists to give the American people a lecture on flag waving. There is ZERO reason to enter an argument about patriotism with people who still worship traitors to America 150+ years later. They. Are. Breaking. The. Law.
- Reposted by Mikael Barbero: 🗓 On 4 June, the ORC community was represented by some of its members in the CRA Expert Group meeting hosted by @ec.europa.eu. We’re grateful to @ec.europa.eu for facilitating this discussion and to everyone involved. @j-rico.bsky.social @tobie.bsky.social @mikael.barbero.tech @apache.org
- Reposted by Mikael Barbero: 📢 Calling developers, users, and committers! The Eclipse Foundation Security team is offering a new security training focused on vulnerability management and related subjects. Register for Day 2 (June 10 at 4PM CEST): eclipse.zoom.us/meeting/regi... ➡️ blogs.eclipse.org/post/marta-r...
- Reposted by Mikael Barbero: On June 3rd and 10th, with my colleagues from the Eclipse Foundation, we will be running a free security training on vulnerability management and related subjects. More details and registration links on blogs.eclipse.org/post/marta-r...
- Reposted by Mikael Barbero: 🔒 Master vulnerability management! Our security training on 3 June and 10 June covers CVE reporting, embargoes, dependency evaluation, and SBOMs. 📅 Day 1: eclipse.zoom.us/meeting/regi... 📅 Day 2: eclipse.zoom.us/meeting/regi...
- Reposted by Mikael Barbero: Rubio publicly criticizing an ally for cracking down on right-wing extremism. And Germany hitting back. We are in a new world.
- Reposted by Mikael Barbero: The days of Google Docs are ending; we enter the age of Docs, made by France's Interministerial Directorate for Digital Affairs and Germany's Center for Digital Sovereignty of Public Administration. We need more governments to collaborate on public software projects to achieve digital sovereignty.
- Reposted by Mikael Barbero: BREAKING. From a reliable source. MITRE support for the CVE program is due to expire tomorrow. The attached letter was sent out to CVE Board Members.
- Nailed it :D
- Tariffs xkcd.com/3073
- Reposted by Mikael Barbero: VulnCon is a quite unique conference focused on software (and not only) vulnerability management. It is happening at the beginning of April and I will be speaking twice.
- Reposted by Mikael Barbero: dead
- Reposted by Mikael Barbero: This is inaccurate. There is no known vulnerability with Signal's core tech. The memo was discussing phishing attempts, which Signal has worked to mitigate. And it was hastily reported. It's important not to spread misinfo that can confuse people into moving away from meaningfully private comms.
- Reposted by Mikael Barbero: 👀 New report from RL: While #OSS risks are not going away, attack trends show third-party commercial software presents the greatest risk to the enterprise. Learn more: www.reversinglabs.com/blog/hidden-... #SoftwareSupplyChainSecurity #AppSec #DevSecOps #Dev
- Reposted by Mikael Barbero: It's amazing how ChatGPT knows everything about subjects I know nothing about, but is wrong like 40% of the time in things I'm an expert on. Not going to think about this any further.
- Claude Malhuret, always up to the challenges!
- if you haven't seen this already, it's absolute fucking fire - every word. youtu.be/QIK9vbQRwBQ?...
- Reposted by Mikael Barbero: 🌍 The first CRA Expert Group meeting was held in Brussels in February with the goal of turning the CRA into action. This group will advise the Commission on issues such as the “implementation guidance” and advice for the implementation of the CRA. Learn how to get involved: buff.ly/4kddwOh
- Reposted by Mikael Barbero: Being able to drop a quarterly US GDP prediction by 5.1% from +2.3% to -2.8% in a single week is one of the most impressive economic developments in the history of the world.
- Reposted by Mikael Barbero: Trudeau: "He talked about banking again today in a tweet, which doesn't make any sense because 16 banks are currently active in Canada holding about $113b worth of assets in this country... what he wants is to see a total collapse of the Canadian economy, because that'll make it easier to annex us."
- Reposted by Mikael Barbero: if literally anyone involved stopped to think about this for more than two seconds, they might realize it’s based on the idea that all mistakes can be fixed. which is wrong. which is why move fast and break things should never be used anywhere near a government, where mistakes kill people.
- Reposted by Mikael Barbero: -= We hoped we never had to do this but here we are and we now have to do this. =- American trans humans are under threat and like in 1930s Germany, they now have to GTFO of their home country. We have decided we need to collect some information on the possible ways out. So we made a wiki.
- Reposted by Mikael Barbero: European standardisation organisations and ENISA join for the 9th #Cybersecurity Standardisation Conference on 20 March. Registration is first come, first served. #ORCWG is speaking on the panel “Overarching cybersecurity by standards." www.enisa.europa.eu/events/cyber... #cybersecurity #CRA
- Reposted by Mikael Barbero: Reports indicate that cybercriminals are exploiting the Windows DLL side-loading technique using the legitimate jarsigner.exe executable to propagate malware, found in Java distributions like #EclipseTemurin. @mikael.barbero.tech addresses this in a new statement: blogs.eclipse.org/post/mika%C3...
- Reposted by Mikael Barbero: We’re excited to announce that the Sovereign Tech Fund is supporting two key initiatives to improve security and transparency in the Java ecosystem with the @eclipsefdn.bsky.social
- Reposted by Mikael Barbero: If you manufacture, maintain, or steward open source software that is used in products with digital elements within the European Union, the Cyber Resilience Act (CRA) will affect you. Not sure how you'll be impacted? Check out this CRA FAQ: bit.ly/4hwiaV5
- Reposted by Mikael Barbero: First meeting of the CRA Expert Group in Brussels! Mikael Barbero & Tobie Langel, representing the Eclipse Foundation, contributing to key discussions on CRA-related topics. It was a productive first session, setting the stage for important discussions ahead. #CyberResilience #OpenSource
- Reposted by Mikael Barbero: Jan Kowalleck, Sarah Hoffmann, @hugovk.dev, @mklu.bsky.social, Stefan Eissing, & Denis Ovsienko are the Sovereign Tech Fellowship's first cohort. Please join us in welcoming these six maintainers to the @sovereign.tech Agency’s one-year pilot program to support critical digital infrastructure 1/2
- Reposted by Mikael Barbero: Wrapping up day 1 of #FOSDEM, featuring great sessions and community-building! Be sure to stop by our booth tomorrow at K level 2, Stand 15! #ItsInOurCode #opensource @fosdem.bsky.social
- Reposted by Mikael Barbero: Meta says almost 100 journalists and activists were targeted with spyware from Israeli company Paragon Solutions using a zero-click vuln in WhatsApp. If you use an iPhone, enabling Lockdown Mode prevents this from working. www.theguardian.com/technology/2...
- Reposted by Mikael Barbero: Good news for Java developers! Central now validates OpenSSF sigstore signatures as part of publishing. If you’re already signing your artifacts with Sigstore, you’ll now get real-time validation feedback in the Central Publisher Portal. Read more details here: www.sonatype.com/blog/central...
- This is disgusting. I am glad that I no longer work for one of these Big Tech companies. www.washingtonpost.com/technology/2...
- Reposted by Mikael Barbero: Depressingly funny
- Reposted by Mikael Barbero: We're kicking off 2025 by joining the Bluesky user community! We're excited to share release updates, news, events, milestones and other happenings across the ASF and #opensource ecosystem here.
- Reposted by Mikael Barbero: ✨ The Open Regulatory Compliance WG brings together industry, SMEs, research, and #opensource foundations to work with governments on specs that help industry meet regulations while supporting open source projects and the software supply chain. #orcwg hubs.la/Q030jxKR0
- Reposted by Mikael Barbero: Learn about the foundation's key security achievements of 2024 and initiatives we’ll focus on this year in a new article by the Eclipse Foundation’s Head of Security, @mikael.barbero.tech 📖 Dive deeper into this topic: hubs.la/Q0308WJV0 #opensource #security
- Reposted by Mikael Barbero: 🎙 Don't miss the #orcwg first in-person meeting focused on the implementation of the EU CRA. This hands-on workshop will focus on vulnerability management, the CRA’s attestation program and its potential to help make open source more sustainable. www.eventbrite.com/e/orc-wg-wor...