The price for software security and maintainer burnout
2022 started reminding us that software security is a problem not only for open source packages. At the same time, “how to remunerate open source maintainers?” is a question with impossibly numerous answers: we need focus to find different solutions for different problems.
Lots of security issues packed into a few weeks: December 2021 saw the Log4j package knocked down by a nasty bug. In January 2022 we witnessed an act of self-sabotage by the maintainer of two NPM packages. On New Year's Day a bug in Microsoft Exchange ruined the celebrations for many system administrators. Very different scenarios that confirm how complex and fragile our IT infrastructure is. With open source software so popular, shipped in millions of software packages, the open source communities risk becoming a punching bag for problems they cannot necessarily solve.
The disgruntled developer of the NPM packages blasted the evil corporations “stealing” his work before vandalizing his own packages. It sounded like he suddenly realized the meaning of Open Source and wanted out. Unfortunately we’ve also heard in the past big corporations complaining about even bigger corporations free-riding on their code. The debate risks spiraling down a path that pits open source developers against “evil forces” in a pointless finger-pointing game.
In a detailed white paper addressed to the White House, the Apache Software Foundation (ASF) wrote “We can't fix open source supply chain issues by focusing exclusively on the upstream producer”. In its recommendations the ASF asks businesses, among other things, to contribute back.
It’s then up to the open source communities to help businesses contribute back, because it’s far from trivial. Not every project has the same engagement rules; some maintainers are more amenable to newcomers than others. How and why to contribute to an open source project ties in with the debate about the financial sustainability of open source development. Projects like Krita, Blender and LibreOffice are very different from libraries like Log4j or color.js, or platforms like Kubernetes. Talking about the sustainability of each of those communities will require a different approach.
Meanwhile we can celebrate the happy story of GnuPG: its maintainers announced in January that they don’t need donations anymore since they found more stable sources of funding thanks to a new business model and a solid customer base.
There will be more crises with open source software at the center, and before jumping to discussing solutions, let’s analyze the situation critically and avoid considering “open source” a single problem space. Discuss this and other topics with me during OSI's informal office hours on Fridays.
Executive Director, OSI
In this month's Open Source Initiative Newsletter:
- 2021 OSI Membership Campaign Recap
- Open@RIT: Helping students embrace the power of Open Source
- CodeSee: Why they support the OSI
- ClearlyDefined is clearly making progress
- OSI in the news: Maffulli comments in TechCrunch
Meet OSI at SCaLE 19X
We'll be at SCaLE 19X – the 19th annual Southern California Linux Expo – March 3-6, 2022 in Pasadena, CA. Register here!
Starting 2022 with over 1,300 new members!
We did it! We’re welcoming 1,354 new members to the Open Source Initiative. The membership drive we launched at the end of 2021 surpassed our expectations. These new members are mostly “free” members and don’t have voting rights until they become full members.
The campaign was the first of its kind: we introduced a new membership level at zero cost, experimented with a purpose-built minisite and offered the new members customized badges, which proved to be popular. We've also tested Plausible.io to track the campaign results without invading users’ privacy.
Open@RIT: Helping Students Embrace the Power of Open Source
The Rochester Institute of Technology (RIT) not only offers a minor in free and open source software and free culture, but it also recently created an official Center of Excellence called Open@RIT. It’s dedicated to fostering the collaborative engine for faculty, staff, and students working on open source projects. The goal is to discover and grow the footprint of RIT’s impact on all things open across many disciplines, both within the university and beyond. This includes open source software, open data, open science, open hardware, open educational resources and Creative Commons-licensed efforts, which collectively they refer to as Open Work.
Mike Nolan, Assistant Director at Open@RIT, and Django Skorupa, Strategic Designer, walked POSI participants through their work; you can watch their presentation and read more here.
CodeSee: Why we support the OSI
CodeSee offers a developer tool called Maps, built to help developers and teams visually understand codebases. Maps are auto-syncing code diagrams, with features designed to drive collaboration, improve code reviews, reduce onboarding friction, and more. In September 2021, CodeSee launched OSS Port—a space for open source project maintainers and contributors to connect and collaborate, with the ability to use CodeSee Maps to easily onboard new developers and guide code reviews. Maps is forever-free to use on open source projects.
Each member of the CodeSee team has a history in open source. Guided by a collective connection to the community, CodeSee is committed to advancing its progress through a series of initiatives. For starters, CodeSee Maps is forever-free to use on open source projects and is an integral part of our open source community, OSS Port. In addition, CodeSee maintains an open source sponsorship program, providing financial support to a select number of OSS projects so they can focus on continued development. And of course, we also sponsor the Open Source Initiative to uphold its work in stewarding the Open Source Definition.
Read more about what CodeSee had to say about open source here.
ClearlyDefined is clearly making progress
As a reminder, ClearlyDefined is a repository of information about free and open source software (FOSS). You can turn to ClearlyDefined when you want to locate source information for a version (e.g., Git commit), verify licenses, and catch up on vulnerability notifications—all in one place.
ClearlyDefined premiered in 2017. Since then, the community has reached several milestones, including these recent achievements:
- Support for Go components. If you use Go modules, you can now retrieve their license definitions using ClearlyDefined. For more information about how to do this, please see our documentation.
- A redesign of the ClearlyDefined user interface with a focus on usability and accessibility. This redesign should be deployed before the end of 2021.
- The community continues to complete curations and contribute code. A recent contribution from Qing Tomlinson fixed a long-standing issue with characters in PyPI definition coordinates.
In this new year, the ClearlyDefined community will be planning its road map and user stories for 2022. We’d also like to thank Bloomberg for their contribution to ClearlyDefined. Please join in and contribute to a very worthwhile cause that benefits the entire open source community. Learn more and join us at: https://clearlydefined.io/
Read more about how the ClearlyDefined community has been busy the past month here.
OSI in the news
When is open source not open source? Executive Director Maffulli comments on Harness.io’s latest product release in TechCrunch.
And a huge shoutout to our new sponsor
Are you interested in sponsoring or partnering with the OSI? Please see our Sponsorship Prospectus. Contact us at [email protected]ource.org to find out more about how your organization can promote open source development, communities and software.