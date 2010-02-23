from the still-milking-log4j-for-politics dept.
The Atlantic Council has published a policy report entitled "Avoiding the success trap: Toward policy for open-source software as infrastructure". It addresses the idea of Open Source Software (OSS) as essential infrastructure. OSS differs from physical infrastructure yet supports critical functions, provides dependable services, offers subtle and often unseen service delivery, and functions through decentralized control.
This report aims to develop tangible example policies for the United States and European Union to support OSS as infrastructure and point policymakers toward existing policy vehicles that government can readily modify and adopt to better support and engage with the OSS ecosystem. The report does not seek to make definitive statements about what open source is or is not through these analogies. Rather the goal is to capture a snapshot of its most essential features and most consequential participants. Any of the analogies can be extended far past usefulness, and policymakers should approach each keeping in mind the essential truth that, while all models are wrong, some (including, we believe, these) are useful, nonetheless. Before diving into the analogies though, this report looks to discuss the open-source ecosystem as it is, highlighting key principles and addressing common misconceptions.
[...] None of this report reflects a belief that OSS is inherently insecure, but rather that it is uniquely central to modern digital systems and that relationships with the OSS community are necessarily, and substantively, different than those government has grown accustomed to with industry and industry within itself. Sustainable use emphasizes the user responsibility for much of the risk associated with software use, including OSS, and addresses OSS-specific features of development and contribution possibly only with open-source code. Addressing systemic risk is an important step for policy efforts to support the security and sustainability of OSS projects with an accurate picture of the considerable interdependency between code bases. Finally, governments must step up to support OSS as the infrastructure that it is. These resources should come alongside expanded private sector support and can manifest in targeted formats as well as a more general support model, the OSS Trust. OSS is infrastructure, and the provision of support for it as such will permit more rapid adoption and considerable innovation in even critical domains of economic and government activity.
So it seems that the establishment continues to turn its jaundiced eye towards software development.
(2023) Opinion: FOSS Could be an Unintended Victim of EU Security Crusade
(2022) Honoring Peter Eckersley, Who Made the Internet a Safer Place for Everyone
(2022) Open Source Community Sets Out Path to Secure Software
Open source community sets out path to secure software:
The open source community has presented a 10-point plan to improve the security and resilience of its software, bringing together more than 90 executives from 37 organisations, alongside US government officials, at a summit in Washington DC.
[...] OpenSSF executive director Brian Behlendorf added: "What we are doing here together is converging a set of ideas and principles of what is broken out there and what we can do to fix it. The plan we have put together represents the 10 flags in the ground as the base for getting started. We are eager to get further input and commitments that move us from plan to action."
The 10-point plan, which can be read in full on OpenSSF's website, is as follows:
- To deliver baseline secure software development education and certification;
- To establish a public, supplier-neutral, objective-metrics-based risk assessment dashboard for 10,000 widely used open source software (OSS) components;
- To accelerate the adoption of digital signatures on OSS releases;
- To eliminate the root causes of many vulnerabilities by replacing non-memory-safe languages;
- To establish an OpenSSF-backed incident response team to help open source projects respond to vulnerability disclosures;
- To improve the ability of maintainers and experts to discover new vulnerabilities in open source projects;
- To establish a programme of third-party code audits and remediation for up to 200 of the most-critical OSS components;
- To coordinate industry-wide data sharing to improve how the community goes about determining what the most-critical OSS components actually are;
- To improve the adoption of software bill of materials (SBOM) tooling and training;
- And finally, to enhance the 10 most-critical OSS build systems, package managers and distribution systems with improved supply chain security tools and practices.
Commenting on the plan, Mike Hanley, chief security officer (CSO) at GitHub, said: "Securing the open source ecosystem starts with empowering developers and open source maintainers with tools and best practices that are instrumental to securing the software supply chain.
Honoring Peter Eckersley, Who Made the Internet a Safer Place for Everyone:
With deep sadness, EFF mourns the loss of our friend, the technologist, activist, and cybersecurity expert Peter Eckersley. Peter worked at EFF for a dozen years and was EFF's Chief Computer Scientist for many of those. Peter was a tremendous force in making the internet a safer place. He was recently diagnosed with colon cancer and passed away suddenly on Friday.
The impact of Peter's work on encrypting the web cannot be overstated. The fact that transport layer encryption on the web is so ubiquitous that it's nearly invisible is thanks to the work Peter began. [...]
While encrypting the web would have been enough, Peter played a central role in many groundbreaking projects to create free, open source tools that protect the privacy of users' internet experience by encrypting communications between web servers and users. Peter's work at EFF included privacy and security projects such as Panopticlick, HTTPS Everywhere, Switzerland, Certbot, Privacy Badger, and the SSL Observatory.
His most ambitious project was probably Let's Encrypt, the free and automated certificate authority, which entered public beta in 2015. [...]
By 2017 it had issued 100 million certificates; by 2021, about 90% of all web page visits use HTTPS. As of today it has issued over a billion certificates to over 280 million websites.
[...] Peter left EFF in 2018 to focus on studying and calling attention to the malicious use of artificial intelligence and machine learning. He founded AI Objectives Institute, a collaboration between major technology companies, civil society, and academia, to ensure that AI is designed and used to benefit humanity.
FOSS could be an unintended victim of EU security crusade:
Opinion: The European Union has a commendable love for the safety of its citizens. Armed with the keys to a market of 300 million of the world's richest consumers, the EU has merely to scent danger to bravely regulate. Food, consumer goods, financial markets and data processing: if it can bite the punter, the EU has a legal muzzle to hand.
[...] The EU has now turned its attention to cybersecurity and more especially the lack thereof. It's certainly dangerous enough to merit attention. A proposed Cyber Resilience Act (CRA) making its way through Brussels says that for "products with digital elements" to be allowed on the EU market, manufacturers have to demonstrate they follow best practice in four areas. These are improving the security of a product through the whole life cycle, following a coherent cybersecurity framework to measure compliance, demonstrate transparency about cybersecurity efforts, and lastly to make sure customers can use products securely.
Which sounds fair enough, considering some of the horrors visited upon us in the past – and today. Cheap "smart" electronics running out-of-date Android that nobody's patched since Noah? Phones studded with "I bring you the best wishes of the People's Liberation Army" mystery-meat bloatware? Big name, big ticket office software that keeps making headlines for all the wrong reasons? Who could argue with bringing these into line?
There are just two questions that need to be answered: will the proposed regulations do the job they set out to do, and what effect will they have on the market? Here, it's not so much the devil in the details as the entire population of all seven layers of Dante's Inferno.