Yesterday we explained to you, as a result of the threat by the creator of Apache PLC4X to stop maintaining said software package if he could not find the means to finance his work, that this was just one more case among several recent examples revealing that open source project developers are starting to get fed up and want the companies that benefit from their free work to start pitching in.
Now, we know that the serious security problem caused by the lack of human and material support for the developers of critical open source projects has really caught the attention of the upper echelons following the spread of the Log4Shell vulnerability.
The White House sits the Administration, the Big Tech industry and pro-open source entities at the same table
So much so that the Biden Administration itself has revealed that a summit was held yesterday at the White House to discuss the problem. In the pertinent statement, it explains the reason for its interest in the development of ‘open source’ software:
“Most major software packages include open source, including software used by the national security community. Open source software brings unique value and unique security challenges, due to its breadth of use and the number of volunteers responsible for its ongoing security maintenance.”
Summit participants reveal the variety of interests involved in this issue
- Big tech companies: Google, Amazon, Apple, Facebook/Meta, IBM, Microsoft, Cloudflare, Akamai, VMware, Oracle.
- Entities linked to the field of free software: Linux Foundation, Apache Software Foundation, Open Source Security Foundation, GitHub, Red Hat.
- US federal departments and agencies: Defense, Commerce, Energy, Homeland Security, Cybersecurity and Infrastructure Security Agency, National Institute of Standards and Technology, National Science Foundation, Office of Science and Technology Policy, etc.
The discussion focused on three issues, according to the White House itself:
- Vulnerability prevention in code and ‘open source’ software packages.
- Process improvement to find defects and correct them; how to prioritize the most important open source projects and establish sustainable mechanisms to maintain them.
- Shorten response time to distribute and deploy fixes.
A few hours before participating in the meeting, Mike Hanley, head of security at GitHub, posted an article on his corporate blog with thoughts on the subject of the meeting:
“Open source code vulnerabilities can have a global ripple effect on the billions of developers and services that depend on it. […] We’ve seen how just one or two lines of vulnerable code can have a dramatic impact on the health, security, and reliability of entire systems in the blink of an eye.
This is not a new problem, as we saw with Heartbleed, but recent events have highlighted two ways the tech industry can come together and help: there must be a collective effort to secure the software supply chain, and we need to better support open source maintainers to make it easier for them to secure their projects.”
It is good that one of the world’s great powers realizes that what ‘four geeks’ do in their spare time is actually the basis of the world’s technological infrastructure, especially when it comes to Internet servers. It is even better to see that it is beginning to act accordingly.