
LIVE from GitHub Universe: Inside the GitHub Secure Open Source Fund
16.12.2025 | 28 Min.
In this episode, guest host Greg Cochran from the GitHub Secure Open Source Fund brings together four maintainers who are helping secure the open source projects we all depend on: Christian (Log4j/Log4Shell), Carlos (GoReleaser), Michael (EVCC), and Camila (ScanAPI) to unpack what it really looks like to level up security in critical OSS. They share how the Fund’s three-week security sprint, ongoing check-ins, and tight-knit community helped them move from “we don’t know what we don’t know” to concrete wins: hardened GitHub Actions pipelines, incident response plans, better reporting processes, and SBOMs that actually include dependency licenses. They also talk candidly about asking “dumb” questions in a trusted space and the ripple effect when one project’s security posture improves across its dependents. Finally, the group dives into AI security: using fuzzing, GitHub Copilot, and tools like the Secure Code Game both to find vulnerabilities faster and to keep up with attackers who now have AI on their side too.
Links mentioned in the episode:
GitHub Secure Open Source Fund overview
Announcing GitHub Secure Open Source Fund
Inside the breach that broke the internet: The untold story of Log4Shell
Log4j / Log4Shell video (castle interview with Christian)
EVCC – open source EV charging & energy management
GoReleaser – release engineering automation
ScanAPI – automated API testing & live documentation
GitHub Security Lab
Secure Code Game (GitHub Security Lab)
GitHub Copilot – AI coding assistant
Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.

LIVE from GitHub Universe: Angie Jones on Goose, MCP, and the Real-World Future of AI Agents
02.12.2025 | 22 Min.
Abby sits down with Angie Jones, VP of Engineering at Block, live at GitHub Universe to talk about Goose, Block’s open source AI agent and reference implementation of the Model Context Protocol (MCP). Angie shares how Goose went from an internal tool to an open source project that lets the community drive features like multimodel support, and how Block’s 12,000 employees across 15+ job functions (not just engineers) now use agents every day. They dig into practical, non-hype uses of AI agents: detecting when students are struggling, triaging open source issues, segmenting 80k+ sales leads, and even letting a salesperson “vibe code” a feature on the train. Angie also talks about trust and control when giving AI access to codebases, why developers are tired of flashy demos, and how her new AI Builder Fellowship is designed to support the next generation of native AI builders.
Links mentioned in the episode:
https://angiejones.tech
https://github.com/block/goose
https://github.com/block
https://github.com/modelcontextprotocol
https://github.com/features/copilot
https://testautomationu.applitools.com
https://www.selenium.dev
https://playwright.dev
https://www.cypress.io
https://code.visualstudio.com
https://www.salesforce.com
https://github.com/martinwoodward/pyfluff

LIVE from GitHub Universe: Privacy-First Smart Homes with Frenck from Home Assistant
18.11.2025 | 25 Min.
In this episode, recorded live at GitHub Universe 2025, Andrea sits down with Frank “Frenck” Nijhof, a GitHub Star and project lead for Home Assistant, one of the most active open source projects on the platform. They unpack how millions of households run privacy-first automations locally (no cloud required), why the Open Home Foundation exists to prevent vendor lock-in and e-waste, and how this famously welcoming community scaled to 21k+ contributors. Frank also shares insights about the development of “Assist,” an open, local-first voice assistant (with optional AI), as well as the new “Home Assist Green” hardware device, plus practical ways non-coders can meaningfully contribute to the project, too.
Links mentioned in the episode:
https://github.com/frenck
https://www.home-assistant.io
https://www.home-assistant.io/green
https://www.home-assistant.io/voice
https://www.home-assistant.io/assist
https://www.esphome.io
https://github.com/home-assistant
https://www.raspberrypi.com

TypeScript’s Takeover, AI’s Lift-Off: Inside the 2025 Octoverse Report
04.11.2025 | 37 Min.
Andrea and Kedasha sit down with data whisperer Jeff Luszcz, one of the wizards behind GitHub’s annual Octoverse report, to unpack this year’s biggest shifts. They get into why TypeScript overtook Python on GitHub, how AI-assisted “vibe coding” and agentic workflows are reshaping everyday engineering, and what it means that more than one new developer joins GitHub every second. From 1.12B open source contributions and 518M merged PRs to COBOL’s unexpected comeback, global growth (hello India, Brazil and Indonesia), and “security by default” with CodeQL and Dependabot, this episode turns the numbers into next steps for your career and your open source projects.
Links mentioned in the episode:
https://octoverse.github.com
https://github.com/jeffrey-luszcz
https://github.com/features/copilot
https://codeql.github.com
https://docs.github.com/code-security/dependabot
https://docs.github.com/code-security/secret-scanning/introduction/about-secret-scanning
https://www.typescriptlang.org
https://www.python.org
https://nextjs.org
https://vitejs.dev
https://marketplace.visualstudio.com/items?itemName=GitHub.copilot
https://www.home-assistant.io
https://code.visualstudio.com
https://github.com/explore

From Log4Shell to the Sovereign Tech Fund: Lessons in Open Source Sustainability
21.10.2025 | 31 Min.
In this episode of the GitHub Podcast, Abby sits down with Felix Reda, Director of Developer Policy at GitHub, and Christian Grobmeier, a longtime Log4J maintainer, to reflect on the aftermath of the Log4Shell vulnerability and how it reshaped open source funding. They discuss the creation of Germany’s Sovereign Tech Fund, the challenges and opportunities funding brings to open source projects, and what it takes to build sustainable and resilient developer communities. The conversation highlights the major lessons learned from these events, from managing resources and community health to navigating government and industry support. Read more about Log4Shell and watch the full story over on the GitHub blog.
Links mentioned in the episode:
https://sovereigntechfund.de/
https://okfn.de/
https://prototypefund.de/
https://www.opentech.fund/
https://nlnet.nl/
https://github.blog/2022-05-09-introducing-the-github-secure-open-source-fund/
https://dripapp.org/
https://ghost.org/
https://ttcmap.ca/



The GitHub Podcast