Mikael Barbero
@mikael.barbero.tech
Head of Security @ Eclipse Foundation
We build our computers (systems) the way we build our cities: over time, without a plan, on top of ruins — Ellen Ullman
Single most desirable feature from Supply Chain Security PoV
Immutable releases announced at GitHub Universe!
Once tagged, releases can’t be changed. No more worrying about malicious actors swapping out assets or moving tags.
Single-use version tags with signed attestations. This is the supply chain protection open source really needs 🔒
#GitHubUniverse
October 29, 2025 at 7:39 AM
I had a great time chatting with @josh.bressers.name! Go check out what’s happening on the security front at the Eclipse Foundation (@eclipse.org)
I chat with @mikael.barbero.tech about security happenings at the Eclipse Foundation
My favorite project they have is helping projects generate #SBOMs, but there's a lot happening. If you want to see some public examples of how to do security right, give it a listen!
Eclipse Foundation SBOMs with Mikael Barbero
In this conversation, Josh speaks with Mikael Barbero, head of security at the Eclipse Foundation. They discuss the foundation’s role in enhancing the security posture of open source projects, the imp...
opensourcesecurity.io
October 20, 2025 at 2:38 PM
And it gets even worse when the metrics are averages rather than percentiles!
You’re (probably) measuring application performance wrong.
Humans have a strong bias for throughput.
"I can handle X requests per second."
Real capacity engineers use response-time curves.
October 18, 2025 at 7:14 AM
I can’t wait for the video of this one, the deck is already so bonkers! Love it! Also, no mention of LLM ;)
Slides for my #taloscon2025 keynote, "The Complexity of Simplicity" (video to come): speakerdeck.com/bcantrill/th...
The Complexity of Simplicity
Talk given at TalosCon in Amsterdam on October 17, 2025. Video to come.
speakerdeck.com
October 17, 2025 at 9:56 AM
🎙 Just wrapped a fantastic conversation with @josh.bressers.name. We dive deep into enhancing open source security and how we do it at the @eclipse.org
Can't wait for you to hear the full episode, coming soon!
October 16, 2025 at 4:18 PM
Reposted by Mikael Barbero
To implement robust mitigations across Geomys, I did a survey of open source project compromises in 2024/2025.
Three root causes dominate: phishing, control handoff, and unsafe GitHub Actions triggers. All three can be systematically avoided.
words.filippo.io/compromise-s...
A Retrospective Survey of 2024/2025 Open Source Supply Chain Compromises
Project compromises have common root causes we can mitigate: phishing, control handoff, and unsafe GitHub Actions triggers.
words.filippo.io
October 10, 2025 at 2:34 PM
Reposted by Mikael Barbero
🏷️ Reason #3.7.2 why it's critical to clearly and publicly define your #OpenSource project #Governance, for code, distributions, trademarks, and domain names.
And, of course, not breaking norms and cosplaying a public charity while bowing to a sole sponsor over the community. 😢
After listening to about a dozen first-hand accounts, I’ve published what I know about the RubyGems takeover.
Shopify, pulling strings at Ruby Central, forces Bundler and RubyGems takeover
Ruby Central recently took over a collection of open source projects from their maintainers without their consent.
joel.drapper.me
September 25, 2025 at 12:22 PM
Reposted by Mikael Barbero
The future of digital innovation depends on sustainable #opensource infrastructure.
Learn how businesses can help ensure long-term sustainability in #EclipseFdn Executive Director Mike Milinkovich’s latest blog: hubs.la/Q03Kz6D50 #PreserveOpenSource #SoftwareSupplyChain #OpenSourceResponsibility
September 23, 2025 at 3:04 PM
Reposted by Mikael Barbero
#OCX26 is where the future of open source takes shape. Do you want to be part of it?
As an #OCX26 sponsor, you get to align your brand with the communities shaping tomorrow’s tech all in one place.
👉 Get the prospectus or get in touch with our team directly: www.ocxconf.org/event/2026/b...
September 3, 2025 at 8:00 AM
Reposted by Mikael Barbero
The Register wrote a story about a single-maintainer open source project. I think it's shameful and upsetting
So I wrote a blog post about it
An absolutely ridiculous amount of open source is one-person projects. I have the data to prove it
opensourcesecurity.io/2025/08-oss-...
Open Source is one person
The Register recently published a story titled Putin on the code: DoD reportedly relies on utility written by Russian dev. They should be ashamed of this story, and the company behind the ambulance ch...
opensourcesecurity.io
August 28, 2025 at 1:41 AM
Reposted by Mikael Barbero
Stand by this: www.politico.com/newsletters/...
February 19, 2025 at 4:42 PM
Reposted by Mikael Barbero
🇺🇸Happy Fourth of July🇺🇸 This year, I'm wearing my 𝐑𝐞𝐬𝐢𝐬𝐭 shirt to show my patriotism. I'm reading the Declaration of Independence as I always do on this occasion. Several of King George's offenses against the colonies resonate this year. Here they are, verbatim:
July 4, 2025 at 5:51 PM
Iwata Satoru was an unconventional CEO. In all the best ways that could imply!
July 3, 2025 at 7:00 AM
Reposted by Mikael Barbero
I will be damned if I allow a bunch of Confederate-waving January 6th apologists to give the American people a lecture on flag waving.
There is ZERO reason to enter an argument about patriotism with people who still worship traitors to America 150+ years later.
They. Are. Breaking. The. Law.
June 11, 2025 at 1:21 AM
Reposted by Mikael Barbero
🗓 On 4 June, the ORC community was represented by some of its members in the CRA Expert Group meeting hosted by @ec.europa.eu
We’re grateful to @ec.europa.eu for facilitating this discussion and to everyone involved.
@j-rico.bsky.social @tobie.bsky.social @mikael.barbero.tech @apache.org
June 5, 2025 at 10:25 AM
Reposted by Mikael Barbero
📢 Calling developers, users, and committers! The Eclipse Foundation Security team is offering a new security training focused on vulnerability management and related subjects.
Register for Day 2 (June 10 at 4PM CEST): eclipse.zoom.us/meeting/regi...
➡️ blogs.eclipse.org/post/marta-r...
June 4, 2025 at 11:03 AM
Reposted by Mikael Barbero
On June 3rd and 10th, with my colleagues from the Eclipse Foundation, we will be running a free security training on vulnerability management and related subjects.
More details and registration links on blogs.eclipse.org/post/marta-r...
Announcing Security Training on Vulnerability Management, SBOM and related subjects
Do you want to know more about
blogs.eclipse.org
May 30, 2025 at 3:35 PM
Reposted by Mikael Barbero
🔒 Master vulnerability management! Our security training on 3 June and 10 June covers CVE reporting, embargoes, dependency evaluation, and SBOMs.
📅 Day 1: eclipse.zoom.us/meeting/regi...
📅 Day 2: eclipse.zoom.us/meeting/regi...
May 26, 2025 at 8:20 AM
Reposted by Mikael Barbero
Rubio publicly criticizing an ally for cracking down on right-wing extremism. And Germany hitting back. We are in a new world
May 2, 2025 at 8:39 PM
Reposted by Mikael Barbero
The days of Google Docs are ending; we enter the age of Docs, made by France's Interministerial Directorate for Digital Affairs and Germany's Center for Digital Sovereignty of Public Administration.
We need more governments to collaborate on public software projects to achieve digital sovereignty.
France and Germany unveil Docs, a homegrown alternative to Google Docs
The Trump administration has set out to drastically reshape the relationship between the US and Europe. In response, Brussels is scrambling to adapt to this new reality,...
www.techspot.com
April 21, 2025 at 2:25 PM
Reposted by Mikael Barbero
BREAKING.
From a reliable source. MITRE support for the CVE program is due to expire tomorrow. The attached letter was sent out to CVE Board Members.
April 15, 2025 at 5:23 PM
Reposted by Mikael Barbero
move slowly and build things
April 7, 2025 at 4:19 PM
Nailed it :D
April 8, 2025 at 12:21 AM
Reposted by Mikael Barbero
VulnCon is a quite unique conference focused on software (and not only) vulnerability management. It is happening at the beginning of April and I will be speaking twice.
March 14, 2025 at 3:23 PM
Reposted by Mikael Barbero