Opens in a new window
The Heartbeat of the Kernel: Why Upstream is the Ultimate Security Strategy with Greg Kroah-Hartman
30 June 2026

The Heartbeat of the Kernel: Why Upstream is the Ultimate Security Strategy with Greg Kroah-Hartman

What's in the SOSS? An OpenSSF Podcast

About

What does it feel like to wake up and realize your weekend passion project is now the critical infrastructure powering the planet? In this episode of What’s in the SOSS?, CRob sits down with Linux kernel maintainer and open source icon Greg Kroah-Hartman. Greg takes us on a journey from his early days writing firmware for printer and hospital ATMs to managing the relentless, everyday engineering task of maintaining the Linux kernel over decades. He breaks down the realities of modern kernel security, dismantles the myth that maintainers know every single vulnerability exploit , and details how looming global regulations like the EU's Cyber Resilience Act (CRA) are shifting the compliance burden onto vendors. If your organization uses Linux, Greg has a simple, urgent message for you: stop fearing change, build your testing infrastructure, and update your systems. 

Chapters:

    00:03 - Welcome: Host CRob introduces Linux kernel legend Greg Kroah-Hartman.01:04 - From Printers to Richard Stallman: Greg shares his origin story in embedded engineering and his introduction to free software.  02:00 - The Weekend Driver and the Dopamine Hit: How a quick weekend project turned Greg into a lifelong kernel contributor.04:20 - Realizing Linux is Critical Infrastructure: The moment the telcos and banks moved in, signaling that Linux was everywhere.05:28 - 2005: The Year the Kernel Grew Up: Implementing stable releases, the security team, and the rule to never break user space.07:05 - What People Get Wrong About Kernel Security: Linus's mantra that "a bug is a bug," and the reality of handling 35 fixes a day.09:32 - The Historic Fear of Updating: Why lagging behind for "stability" is actually incurring massive risk.12:17 - Global Regulation and the Cyber Resilience Act (CRA): How upcoming laws are changing vendor responsibility and why the open source community is exempt.13:51 - How OpenSSF is Reducing the Burden: Applauding the cross-ecosystem collaboration that protected maintainers from onerous drafts.17:05 - Pay Your Employees to Contribute: Greg’s best piece of advice for downstream enterprises relying on open source.18:39 - Inside the Kernel Security Alias: How the ad-hoc security team handles triage and assigns CVEs.21:11 - The CVE Numbers Game: Why the kernel ranks #2 in CVE creation and the trouble with automated severity scores.25:39 - We are Already There: AI Slop and Static Analysis: Greg addresses the recent surge of AI-generated bug reports and patches.31:20 - Rapid Fire Round: Spicy food, coffee, Star Wars, and the ultimate call to action. 

Episode links:

    Greg Kroah-Hartman’s LinkedIn pageThe Linux Foundation CRA Stewards PlaybookOpenSSF Global Cyber Policy Working GroupThe Linux Kernel Archive (Keep your systems current with the latest stable kernel releases)The Value of Open Source SoftwareAdditional ResourcesGet involved with the OpenSSFSubscribe to the OpenSSF newsletterFollow the OpenSSF on LinkedIn