OpenSSF Community Day North America 2025

Forget what you think you know about immutable tags, perfect dependency graphs, and those supposedly foolproof lock files. We'll get down to the nitty-gritty of open source security, giving you real-world insights to keep your projects safe. For example, did you know that one package url (or “purl”) can map to many different packages? Trying to find consistency in cross-ecosystem names and identifiers is a hard problem! And how can we meaningfully report vulnerabilities if we don’t even have a consistent way to identify packages?

We can talk about vulnerabilities in transitive dependencies, but what even are your dependencies? A package doesn’t uniquely map to one set of dependencies – depending on your build flags or operating system, you can end up with arbitrarily many dependency graphs for one package.

We break open source security down to first principles by challenging the assumptions that we’ve all built upon, to hopefully resolve to a more consistent vision of the open source.

Number 5 will shock you!