
Long-time watcher of LTT, but first-time poster! I was really excited when I saw a clip from the WAN show about my day-to-day work (supporting FOSS projects). It's such an important tech issue, and I'm glad to see LMG using their platform to raise awareness of it. I felt the need to add some additional context; hopefully it's not too much in the weeds. There are several facets and I'm not sure which to tackle first, but I'll try my best for those interested!


The news item in question was "Google calls on White House to protect open-source software projects"! While I agree with Luke on taking the big tech companies' call with a healthy dose of skepticism, particularly when it comes to their motivations, I think some important aspects were missed in the discussion, such as the need for more public (i.e. government) funding for supporting open source software, and primarily the issue of supply chain attacks. I'll address those two first because they're tied.


What are supply chain attacks? The simple explanation is that FOSS projects these days rely on lots of libraries that are in repositories. Some libraries also use other libraries, so some FOSS libraries may be used by hundreds of thousands of projects, and they may be nested so many times that you don't even realize you rely on them. Many malicious actors online these days don't just look for vulnerabilities in specific software projects, and instead focus on these often-used libraries, because if you manage to find a vulnerability there, you're able to compromise tons of projects. SolarWinds is a recent example of how effective this class of attacks is, but there are tons of examples (https://blog.sonatype.com/what-constitutes-a-software-supply-chain-attack).


Why do we need public funding? Because the scale of the issue is so big that everyone needs to pitch in, first of all. Secondly, while companies could be doing more (some of them are trying, see https://openssf.org/), you can't trust companies to develop or protect FOSS projects for the public good, or to support projects with the best of intentions. Finally, this isn't a problem you can just throw money at; you need a vibrant civil society infrastructure that supports project maintainers, gives them the tools they need to succeed (disclaimer: I work for such an organisation), and encourages new maintainers to take on the mantle of securing FOSS projects. These organisations are often funded by a variety of public and private funding and donations. It truly takes a village for open source to work (please keep donating to your favorite projects!).


I could go on for hours on this topic, but I think I've shared what I wanted to share for now. I hope to see more coverage of this; it really helps me do my day-to-day work when media organisations like LMG raise awareness of these issues, so I just wanted to say how grateful I am!


PS: One more relevant but sad news story that happened recently and that I thought would be share-worthy was this one. I'll just add it here without context, because honestly I don't think I can give it context: https://arstechnica.com/information-technology/2022/01/foss-developer-who-nuked-his-apps-embraced-qanon-theory-involving-aaron-swartz/


https://linustechtips.com/topic/1405327-supporting-open-source-software/
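The nested-dependency point made in the post above, as an added example that is not part of the original post or of any project it mentions: a small Python script that, given a constructed dependency graph with hypothetical package names (an assumption for illustration, not a real ecosystem), lists everything a project transitively pulls in and reports which top-level projects end up reaching a given library, and through which chain, even when they never listed it themselves. That reverse view is what a maintainer wants when one widely used library is found to be vulnerable.

```python
"""Transitive-dependency reach: which projects depend on a library they never
listed, and through what chain.  Added illustration, not code from the forum
post; the dependency graph below is constructed and the names are hypothetical."""
from collections import deque

# Constructed example graph: package -> packages it depends on directly.
# Hypothetical names; a real tool would read these from a lockfile or SBOM.
DEPS = {
    "web-app":      ["http-client", "templating"],
    "cli-tool":     ["arg-parser", "colorizer"],
    "data-service": ["http-client", "orm"],
    "http-client":  ["url-parser", "tls-shim"],
    "templating":   ["string-utils"],
    "arg-parser":   ["string-utils"],
    "colorizer":    [],
    "orm":          ["string-utils", "sql-builder"],
    "url-parser":   ["string-utils"],
    "tls-shim":     [],
    "string-utils": [],
    "sql-builder":  [],
}


def transitive_deps(root, deps=DEPS):
    """Every package `root` pulls in, directly or indirectly (excluding itself)."""
    seen, queue = set(), deque([root])
    while queue:
        pkg = queue.popleft()
        for dep in deps.get(pkg, []):
            if dep not in seen:          # `seen` also guards against cycles
                seen.add(dep)
                queue.append(dep)
    seen.discard(root)
    return seen


def dependency_path(root, target, deps=DEPS):
    """Shortest chain root -> ... -> target (BFS), or None if root never reaches target."""
    parents = {root: None}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        if pkg == target:
            path = []
            while pkg is not None:       # walk parent links back to the root
                path.append(pkg)
                pkg = parents[pkg]
            return path[::-1]
        for dep in deps.get(pkg, []):
            if dep not in parents:
                parents[dep] = pkg
                queue.append(dep)
    return None


def blast_radius(target, deps=DEPS):
    """Top-level projects (nothing depends on them) that reach `target`,
    mapped to the shortest chain through which they reach it."""
    depended_on = {d for ds in deps.values() for d in ds}
    roots = [p for p in deps if p not in depended_on]
    result = {}
    for root in roots:
        path = dependency_path(root, target, deps)
        if path is not None:
            result[root] = path
    return result


if __name__ == "__main__":
    # Which top-level projects are exposed if "string-utils" turns out to be bad?
    for proj, path in blast_radius("string-utils").items():
        kind = "direct" if "string-utils" in DEPS[proj] else "transitive"
        print(f"{proj}: {' -> '.join(path)} ({kind})")
```

In the constructed graph none of the three top-level projects lists `string-utils` directly, yet all three reach it, which is exactly the "you don't even realize you rely on it" situation; swapping `DEPS` for a parsed lockfile makes the same queries useful on a real project.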