How do we handle security and sustainability of open source communities? Is it possible to identify the next log4j? #43
anajsana started this conversation in Community Proposals
Context
This came from the last TODO Touchpoint Zoom Chat. People's names and organization affiliations have been anonymized following the Chatham House Rule:
We have OpenSSF scorecard https://github.com/ossf/scorecard
— one project I know — the CHAOSS risk assessment group is doing this type of work.
I know GitHub was kicking around ways and mechanisms as well. Sort of moving beyond the charity model of Sponsors today
W/r/t proactive outreach for OSS & security, I just sent this to our CEO this week…
Open Source Software: The open source program, as part of its work in shepherding xxxx’s public open source presence, has documented responsible disclosure processes for anyone who engages with our repositories. This means, any security issues with our open source projects will be funneled through our existing xxxx .com process. To facilitate this, we've also begun the process of gathering owners for each open source repository so that security issues can be fixed in a timely manner. This is particularly important in the current security climate (log4j, et al) wherein the supply chain of software we use is under scrutiny. This foundational work will allow us to roll out a program to ensure any known security issues with the dependencies of our open source projects will be raised with the appropriate owners and closed quickly.
The FOSS Contributor Fund report/manual: https://github.com/indeedeng/FOSS-Contributor-Fund/blob/main/Investing_in_Open_Source-FOSS_Contributor_Fund.pdf
That's largely what the Core Infrastructure Initiative was trying to do in the aftermath of Heartbleed
It seems like there are two factors, the project health/state itself, but also each individual company’s reliance on a particular project.
So maybe a common fund (just for this) would be harder to get companies to contribute to.
I had forgotten about CII.
Yup and a peer enlightened me to challenges I didn’t really appreciate between GitHub sponsors and open collective around taxes. Lots of complexity in this transfer of funds
I previously worked for open source collective and am on the board — as a fiscal host for projects, OSC is designed to alleviate tax and legal complexity.
What I would say is don’t make perfect the enemy of the good. Lots of good resources out there on a simple sustainability model (pro, issues, releases, etc) so apply that to the top 100 projects (long tail included)
prior to the recent issues, who would normally think of their logging library as "critical infrastructure"? It turns out nearly all the code can be critical if it's got a bad enough bug
Even places like https://isitmaintained.com/project/marak/colors.js
Probably not the first prio, not
Yup I am avoiding “criticality” as it tends to be the top of the stack. Walk the dependants tree
We could phrase it as "mission critical" or relevant for products/business
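The thread's point about walking the dependants tree rather than judging "criticality" from the top of the stack can be made concrete. The following is an added example, not code from the discussion, TODO Group, OpenSSF or CHAOSS: it takes a constructed dependency graph (the package names and edges are invented for illustration, not real projects) and ranks every package by how many other packages, and how many top-level applications, transitively depend on it. A deep, unglamorous library such as the `logger` node surfaces at the top precisely because everything above it pulls it in, which is the log4j shape the discussion is trying to spot in advance.

```python
from collections import defaultdict, deque

# Constructed sample: each package maps to its direct dependencies.
# Names are hypothetical; in practice this map would be built from
# lockfiles, SBOMs or a package-manager resolver.
SAMPLE_DEPS = {
    "shop-web": ["web-fw", "payments", "logger"],
    "batch-jobs": ["scheduler", "logger"],
    "admin-portal": ["web-fw"],
    "web-fw": ["http-lib", "template-lib", "logger"],
    "payments": ["http-lib", "crypto-lib"],
    "scheduler": ["logger"],
    "http-lib": ["logger"],
    "template-lib": [],
    "crypto-lib": [],
    "logger": [],
}


def reverse_graph(deps):
    """Map each package to the set of packages that depend on it directly."""
    rev = defaultdict(set)
    for pkg, direct in deps.items():
        rev.setdefault(pkg, set())  # ensure leaf packages appear as keys
        for d in direct:
            rev[d].add(pkg)
    return rev


def transitive_dependants(deps, pkg):
    """Every package that reaches `pkg` through any dependency chain.

    Breadth-first search over the reversed edges, i.e. walking the
    dependants tree upward from the library toward the applications.
    """
    rev = reverse_graph(deps)
    seen = set()
    queue = deque(rev[pkg])
    while queue:
        cur = queue.popleft()
        if cur in seen:
            continue
        seen.add(cur)
        queue.extend(rev[cur])
    return seen


def roots(deps):
    """Packages nothing depends on: the applications at the top of the stack."""
    rev = reverse_graph(deps)
    return {p for p in deps if not rev[p]}


def rank_by_blast_radius(deps):
    """Rank packages by (transitive dependants, top-level apps affected).

    Returns a list of (package, dependant_count, root_count) tuples, most
    widely depended-on first; ties are broken by root count, then by name.
    """
    top = roots(deps)
    rows = []
    for pkg in deps:
        dependants = transitive_dependants(deps, pkg)
        rows.append((pkg, len(dependants), len(dependants & top)))
    rows.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return rows


if __name__ == "__main__":
    print(f"{'package':<14}{'dependants':>12}{'apps':>6}")
    for pkg, n_dep, n_root in rank_by_blast_radius(SAMPLE_DEPS):
        print(f"{pkg:<14}{n_dep:>12}{n_root:>6}")
```

Run as a script it prints the ranking table; the applications at the top of the stack score zero because nothing depends on them, while `logger` scores highest even though no one would list it as a flagship project. Joining this ranking with a maintenance signal (Scorecard results, release cadence, open-issue age) is what turns "criticality" into a short list of projects worth funding or auditing first.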