Episode 108

Sarah Gran and Josh Aas: Sustainable Digital Infrastructure with Memory Safe Code


February 11th, 2022

42 mins 36 secs

Your Hosts
Special Guests

About this Episode


Sarah Gran | Josh Aas


Richard Littauer | Justin Dorfman

Show Notes

Hello and welcome to Sustain! The podcast where we talk about sustaining open source for the long haul. We are super excited to have two guests today, Sarah Gran and Josh Aas, who both work for ISRG, the Internet Security Research Group which consists of three projects: Let’s Encrypt, Divvi Up, and Prossimo. Sarah is a VP of Communication and fundraising for ISRG, and Josh is the Executive Director at ISRG. They are both working on Prossimo to bring memory safe code to critical digital infrastructure, which they will explain more in depth today. We also learn about some other projects they are investing in this year, and Sarah and Josh share some positive things they’re really excited about happening in 2022 with Prossimo. Go ahead and download this episode now to find out more!

[00:02:03] We find out what ISRG is and how they choose which projects to focus on.

[00:04:53] Josh explains the difference between Prossimo and Rust.

[00:07:07] Josh and Sarah explain why memory allocation is so important.

[00:10:33] Justin wonders if Log4j is on their radar in terms of funding, if that’s something ISRG can help them with, and how that has brought more attention to memory safe languages.

[00:13:03] We hear about the relationship ISRG has with the Linux Foundation.

[00:15:21] Sarah shares what they’ve done so far to make the Prossimo project sustainable.

[00:18:21] We find out what the budget is for running ISRG, and how they make that budget for what they are trying to accomplish.

[00:22:40] Josh tells us about using Linkerd if you’re looking for memory safety in that space.

[00:24:40] Besides working on major projects that have had massive impacts like he had with Let’s Encrypt, Josh shares things that have been difficult for him this year.

[00:27:02] Josh explains how Cloudflare deals with DDoS attacks, and if there’s been any open line of communication with NginX.

[00:29:55] Josh and Sarah detail what they’re doing to get the word out about Prossimo which includes four criteria they use to decide what they’re going to engage with.

[00:33:18] We hear about some projects they are investing in this year, such as Rustls, Linux kernel, and NTP.

[00:35:07] What are Sarah and Josh most excited about happening in 2022?

[00:41:35] Find out where you can follow Josh, Sarah, and Prossimo online.


[00:04:05] “We just like to do a lot research about what we’re doing. We’re not a throw it at the wall and see what sticks organization.”

[00:12:05] “From my perspective in communications and fundraising, I think this is a great moment for us to help people understand that memory safety isn’t at the crux of Log4j.”

[00:14:31] “Rising tides raises all ships.”

[00:25:27] “We have a huge amount of history that tells us C++ code is not safe.”

[00:29:25] “I really hope that ten years from now, the number one web server is not written in C, that cannot happen, we can’t allow that to happen. Popular web servers written in C need to go.”

[00:36:37] “We can have a plan to boot OpenSSL off the internet. That’s a dream of mine and I think that’s an achievable goal.”


  • [00:38:09] Justin’s spotlight is Twitter communities.
  • [00:38:33] Richard’s spotlight is Karl Becker.
  • [00:39:14] Sarah’s spotlight is Crowdin.
  • [00:40:43] Josh’s spotlight is Qubes OS.



Support Sustain