The Linux Foundation Initiates “World of Open Source” Research Series

May 16, 2022

Key executives to discuss the state of open source initiatives at KubeCon Europe this week

VALENCIA, Spain, May 16, 2022 — The Linux Foundation, a global nonprofit organization enabling mass innovation through open source, today launches the World of Open Source research series with its initial focus on the European community. The initiative will be championed by LF Research in collaboration with several European distribution and research partners. Furthermore, key executives of the Linux Foundation and partners will be speaking at KubeCon in Valencia, Spain this week as they kickstart the research series and meet with the extended open source and cloud native communities.

The Supporting the Flourishing European Open Source Ecosystem birds-of-a-feather session will be hosted on Thursday,19 May at 14:30 CEST by Gabriele Columbro (Executive Director of FINOS), Hilary Carter (VP, Linux Foundation Research), Astor Nummelin Carlberg (CEO, OpenForum Europe), and Matthew Dunderdale (Delivery Principal, Scott Logic). KubeCon Europe is one of the largest open source developer events hosted on the continent each year.

“FINOS is one of the most globally distributed entities under the Linux Foundation and we are truly excited to support this deep research initiative backed by so many respected institutions across the EU, UK, and Switzerland“, said Gabriele Columbro, Executive Director of FINOS. “A clear European perspective will enhance how we forge deeper collaboration across the FINOS community and will shed new light on cross-border challenges like cybersecurity and sustainability that are important to the Linux Foundation and the open source ecosystem at large.”

“Scott Logic is a UK-based consultancy who, alongside our peers, have greatly benefited from the plethora of open source tools and technologies that have recently emerged. However, our collective reliance on open source can reveal the sometimes fragile nature of community-run digital commons. We are delighted to partner with Linux Foundation to better understand the state of open source in Europe“, said Colin Eberhardt, CTO of Scott Logic. “Armed with the research findings, our goal is to ensure everyone can capitalize on the amazing innovations happening within open source and that our ‘digital commons’ are sustained for the long-term”.

“OpenForum Europe is pleased to partner with the Linux Foundation to promote this timely research series and upcoming survey on the state of open source in Europe. Open source software has already been shown to boost the European economy by between EUR 65 to 95 billion annually and to have positive effects on the number of startups and SME growth. As the EU and its Member States continue to invest in digital transformation, better understanding will allow the EU to further benefit from the innovative power of open source software.”

About the World of Open Source Research series

The World of Open Source series will explore the state of open source from a global perspective, focusing on government, enterprise, and non-profit initiatives. The research initiative kicks off on Wednesday, 18 May with a “World of Open Source: 2022 Europe Spotlight” survey.

The European open source survey will investigate ecosystem-wide trends, including: (1) the size and scope of the open source communities in the region, (2) the motivation for contributions to open source, (3) opportunities and challenges in the private and public sector engagement in open source, and (4) the landscape for consumption and adoption of open source technologies and best practices, such as open source program office (OSPO) formation. This project will seek to understand key opportunities for collaboration and perceived challenges in the European open source community across sectors for decision-makers and influencers alike.

Funded by the Linux Foundation, this research will be led by LF Research in collaboration with FINOS, LF Training & Certification, and LF Public Health. Additional support will be provided by several organizations across the non-profit, for-profit, and academic sectors including: Codemotion, Esade, Friedrich Alexander University, Institut de Govern i Polítiques Públiques (IGOP) de la Universitat Autònoma de Barcelona, OpenForum Europe, Sailboard, Scott Logic, TU/Berlin, TU/Eindhoven, TODO Group Europe Chapter, Università di Roma Tre, and the University of Southampton.

This research further expands the Linux Foundation’s investment in fostering a flourishing local European ecosystem which already supports critical intra- and inter-region open source collaborations, training, and events. The Linux Foundation will reveal the survey results at Open Source Summit Europe, in Dublin, Ireland, to be hosted 13 – 16 September.

Additional Resources

Attend the Birds of a Feather session at KubeCon in Valencia (Spain) on Thursday, 18 May at 14:30 CEST to learn more about the “World Of Open Source” research series
Contact us about Linux Foundation activities in Europe
Register for Open Source Summit Europe

About the Linux Foundation

Founded in 2000, the Linux Foundation and its projects are supported by more than 1,800 members. The Linux Foundation is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, Hyperledger, RISC-V, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Media Contacts

Dan Whiting
+1 202-531-9091
dwhiting@linuxfoundation.org

The post The Linux Foundation Initiates “World of Open Source” Research Series appeared first on Linux Foundation.

The Open 3D Foundation Announces Latest Enhancements to Open 3D Engine, Invites O3DCon ‘Call for Proposals’

Jason Perlow

May 13, 2022

Newest release introduces performance and usability improvements, and marks welcome of O3DCon speaker proposals and discussion suggestions due July 15

SAN FRANCISCO, May 13, 2022 – The Open 3D Foundation (O3DF), home of a vibrant, diverse community focused on building a first-class, open source engine for real-time 3D development, has released 22.05, the latest version of the Open 3D Engine, with a focus on performance, stability and usability enhancements.

With over 1,460 code merges, this new release offers several improvements aiming to make it easier for developers to build 3D simulations for AAA games and various applications across robotics, AI, metaverse, digital twin, automotive, healthcare, and more. Significant advancements include core stability, installer validation, motion matching updates, user-defined property (UDP) support for the asset pipeline, and automated testing advancements.

Artists can focus on bringing their visions to life using the tools they feel most comfortable with, such as Blender or Autodesk® Maya®. The Open 3D Engine (O3DE) can now integrate user-defined properties (UDP) metadata into its asset pipeline from source assets so that scene-building and asset-processing logic can be customized using this metadata. UDP metadata can be assigned in content creation tools to store custom properties for mesh, light, animation, and other elements to power asset generation workflows for O3DE.

Animation artists can now utilize motion matching, a data-driven animation technique that synthesizes motions based on existing animation data and current character and input contexts to deliver photorealistic experiences. This feature, introduced as an experimental gem, includes a prefabricated character example that can be controlled using a gamepad.

Other improvements include:

Simpler customization of the render pipeline is now possible using a new set of APIs. Examples of gems that currently exploit this capability include Terrain, LyShine and TressFx. Developers can now re-use Material Types much more easily.Developers can now control the spawning of player-controlled, networked entities using an improved interface, a capability that is essential for building multiplayer games.Automated tests now verify that an installer build is valid, and ensures that all of the steps within the build are successfully executed. These tests are run nightly for O3DE, and have been designed so that anyone can plug them into their quality verification process.

The 22.05 Release marks the Open 3D Engine’s first major release of 2022. Releases occur on a bi-annual cadence, in the first half and second half of each year. The next release is scheduled for October 2022, which will coincide with the Open 3D Foundation’s flagship conference, O3DCon.

To learn more about this release and all of its features, read the release notes, or join the community on Discord. You can download the 22.05 Release today.

O3DCon Call for Proposals Now Open

The Open 3D Foundation also announced the call for proposals (CFPs) for its annual flagship conference, O3DCon. On October 18-19, 2022, in Austin, Texas, technology leaders, independent 3D developers, and the academic community spanning the 3D landscape will come together to share ideas, discuss hot topics and help shape the future of open 3D development across a variety of industries and disciplines. O3DCon will be presented as a hybrid event—attendees can join and participate in person or virtually. Workshops and pre-registration will be held on October 17, a day ahead of the actual conference events.

With over 25 member companies since its public announcement in July 2021, the Open 3D Foundation boasts a healthy, thriving community, adding Microsoft as its latest member. Other premier members include Adobe, AWS, Huawei, Intel and Niantic. The O3D Engine averages up to 2 million line changes and 350-450 commits monthly from 60-100 authors across 41 repos.

“I’m proud of the O3DE community’s focus on core stability while delivering new capabilities aimed to simplify and enhance 3D development for developers around the globe,” said Royal O’Brien, Executive Director of O3DF and General Manager of Games and Digital Media at the Linux Foundation. “I’m also incredibly excited about the opportunity O3DCon offers in bringing together diverse minds to collaborate on advancing the state of open 3D development across so many industries.”

Proposals to speak at O3DCon are being accepted now through Friday, July 15, 2022, at 11:59 pm PDT. All those interested are invited to submit proposals. Those who have submitted proposals will be notified of a decision by Tuesday, August 2. Learn more and submit your proposal today.

Submission types requested include:

Lightning talksSession presentationsBirds-of-a-feather discussionsPanel discussionsHands-on workshops/training

The Linux Foundation and Open Source Software Security Foundation (OpenSSF) Gather Industry and Government Leaders for Open Source Software Security Summit II

May 13, 2022

10-Point Open Source and Software Supply Chain Security Mobilization Plan Released with Initial Pledges Surpassing $30M

WASHINGTON, DC – May 12, 2022 – The Linux Foundation and the Open Source Software Security Foundation (OpenSSF) brought together over 90 executives from 37 companies and government leaders from the NSC, ONCD, CISA, NIST, DOE, and OMB to to reach a consensus on key actions to take to improve the resiliency and security of open source software.

Open Source Software Security Summit II, is a follow-up to the first Summit held January 13, 2022 that was led by the White House’s National Security Council. Today’s meeting was convened by the Linux Foundation and OpenSSF on the one year after the anniversary of President Biden’s Executive Order on Improving the Nation’s Cybersecurity.

The Linux Foundation and OpenSSF, with input provided from all sectors, delivered a first-of-its-kind plan to broadly address open source and software supply chain security. The Summit II plan outlines approximately $150M of funding over two years to rapidly advance well-vetted solutions to the ten major problems the plan identifies. The 10 streams of investment include concrete action steps for both more immediate improvements and building strong foundations for a more secure future.

A subset of participating organizations have come together to collectively pledge an initial tranche of funding towards implementation of the plan. Those companies are Amazon, Ericsson, Google, Intel;, Microsoft, and VMWare, pledging over $30M. As the plan evolves further more funding will be identified, and work will begin as individual streams are agreed upon.

This builds on the existing investments that the OpenSSF community members make into open source software. An informal poll of our stakeholders indicates they spend over $110M and employ nearly a hundred full-time equivalent employees focused on nothing but securing the open source software landscape. This plan adds to those investments.

KEY QUOTES

Jim Zemlin – Executive Director, Linux Foundation: “On the one year anniversary of President Biden’s executive order, today we are here to respond with a plan that is actionable, because open source is a critical component of our national security and it is fundamental to billions of dollars being invested in software innovation today. We have a shared obligation to upgrade our collective cybersecurity resilience and improve trust in software itself. This plan represents our unified voice and our common call to action. The most important task ahead of us is leadership.”

Brian Behlendorf – Executive Director, Open Source Security Foundation (OpenSSF): “What we are doing here together is converging a set of ideas and principles of what is broken out there and what we can do to fix it. The plan we have put together represents the 10 flags in the ground as the base for getting started. We are eager to get further input and commitments that move us from plan to action.”

Anne Neurenberger, Deputy National Security Advisor, Cyber & Emerging Tech at National Security Council, The White House:

“President Biden signed the Executive Order on Cybersecurity last year to ensure the software our government relies on is secure and reliable, including software that runs our critical infrastructure. Earlier this year, the White House convened a meeting between government and industry participants to improve the security of Open Source software. The Open Source security foundation has followed up on the work at that meeting and convened participants from across industry to make substantial progress. We are appreciative of all participants’ work on this important issue.”

Atlassian

Adrian Ludwig, Chief Trust Officer

“Open source software is critical to so many of the tools and applications that are used by thousands of development teams worldwide. Consequently, the security of software supply chains has been elevated to the top of most organizations’ priorities in the wake of recent high-profile vulnerabilities in open source software. Only through concerted efforts by industry, government and other stakeholders can we ensure that open source innovation continues to flourish in a secure environment. This is why we are happy to be participating in OpenSSF, where we can collaborate on key initiatives that raise awareness and drive action around the crucial issues facing software supply chain security today. We’re excited to be a key contributor to driving meaningful change and we are optimistic about what we can achieve through our partnership with OpenSSF and like-minded organizations within its membership.”

Cisco

Eric Wenger, Senior Director, Technology Policy, Cisco Systems

“Open source software (OSS) is a foundational part of our modern computing infrastructure. As one of the largest users of and contributors to OSS, Cisco makes significant investments in time and resources to improve the security of widely-used OSS projects. Today’s effort shows the stakeholder community’s shared commitment to making open-source development more secure in ways that are measurable and repeatable.”

Dell

John Roese, Dell Technologies CTO

“Never before has software security been a more critical part of the global supply chain. Today, in a meeting led by Anne Neuberger [linkedin.com], Deputy National Security Advisor for Cyber and Emerging Technology, Dell and my Open Source Security Foundation colleagues committed our software security expertise to execute the Open Source Software Security Mobilization Plan. Dell’s best and brightest engineers will engage with peers to develop risk-based metrics and scoring dashboards, digital signature methodologies for code signing, and Software Bill of Materials (SBoM) tools – all to address the grand challenge of open-source software security. This is an excellent example of the leadership Dell provides to proactively impact software security and open-source security solutions, and reinforces our commitment to the open-source software community, to our supply chain and to our national security.”

Ericsson

“Ericsson is one of the leading promoters and supporters of the open source ecosystem, accelerating the adoption and industry alignment in a number of key technology areas. The Open Source Security Foundation (OpenSSF) is an industry-wide initiative with the backing of the Linux Foundation with the objective of improving supply chain security in the open source ecosystem.

“As a board member of OpenSSF, we are committed to open source security and we are fully supportive of the mobilization plan with the objective of improving supply chain security in the open source ecosystem. Being an advocate and adopter of global standards, the initiatives aim to strengthen open source security from a global perspective.”

GitHub

Mike Hanley, Chief Security Officer

“Securing the open source ecosystem starts with empowering developers and open source maintainers with tools and best practices that are instrumental to securing the software supply chain. As home to 83M developers around the world, GitHub is uniquely positioned and committed to advance these efforts, and we’ve continued our investments to help developers and maintainers realize improved security outcomes through initiatives including 2FA enforcement on GitHub.com and npm, open sourcing the GitHub Advisory Database, financial enablement for developers through GitHub Sponsors, and free security training through the GitHub Security Lab.

“The security of open source is critical to the security of all software. Summit II has been an important next step in bringing the private and public sector together again and we look forward to continuing our partnerships to make a significant impact on the future of software security.”

Google

Eric Brewer, VP of Infrastructure at Google Cloud & Google Fellow

“We’re thankful to the Linux Foundation and OpenSSF for convening the community today to discuss the open source software security challenges we’re facing and how we can work together across the public and private sectors to address them. Google is committed to supporting many of the efforts we discussed today, including the creation of our new Open Source Maintenance Crew, a team of Google engineers who will work closely with upstream maintainers on improving the security of critical open source projects, and by providing support to the community through updates on key projects like SLSA, Scorecards; and Sigstore, which is now being used by the Kubernetes project. Security risks will continue to span all software companies and open source projects and only an industry-wide commitment involving a global community of developers, governments and businesses can make real progress. Google will continue to play our part to make an impact.”

IBM

Jamie Thomas, Enterprise Security Executive

“Today, we had the opportunity to share our IBM Policy Lab’s recommendations on how understanding the software supply chain is key to improving security. We believe that providing greater visibility in the software supply chain through SBoMs ( Software Bill of Materials) and using the Open Source Software community as a valuable resource to encourage passionate developers to create, hone their skills, and contribute to the public good can help strengthen our resiliency. It’s great to see the strong commitment from the community to work together to secure open source software. Security can always be strengthened and I would like to thank Anne Neuberger today for her deep commitment and open, constructive, technical dialogue that will help us pave the way to enhancing OSS security. ”

Intel

Greg Lavender, Chief Technology Officer and General Manager of the Software and Advanced Technology Group

“Intel has long played a key role in contributing to open source. I’m excited about our role in the future building towards Pat’s Open Ecosystem vision. As we endeavor to live into our core developer tenets of openness, choice and trust – software security is at the heart of creating the innovation platforms of tomorrow.”

Melissa Evers, Vice President, Software and Advanced Technology, General Manager of Strategy to Execution

“Intel commends the Linux Foundation in their work advancing open source security. Intel has a history of leadership and investment in open source software and secure computing: over the last five years, Intel has invested over $250M in advancing open-source software security. As we approach the next phase of Open Ecosystem initiatives, we intend to maintain and grow this commitment by double digit percentages continuing to invest in software security technologies, as well as advance improved security and remediation practices within the community and among those who consume software from the community.”

JFrog

Stephen Chin, Vice President of Developer Relations

“While open source has always been seen as a seed for modernization, the recent rise of software supply chain attacks has demonstrated we need a more hardened process for validating open-source repositories. As we say at JFrog, ‘with great software comes great responsibility’, and we take that job seriously. As a designated CNA, the JFrog Security Research team constantly monitors open-source software repositories for malicious packages that may lead to widespread software supply chain attacks and alerts the community accordingly. Building on that, JFrog is proud to collaborate with the Linux Foundation and other OpenSSF members on designing a set of technologies, processes, accreditations, and policies to help protect our nation’s critical infrastructure while nurturing one of the core principles of open source – innovation.”

JPMorgan Chase

Pat Opet, Chief Information Security Officer

“We are proud to have worked with Open Source Security Foundation (OpenSSF) and its members to create the new Open Source Software Security Mobilization Plan, This plan will help to address security issues in the software supply chain which is critical to making the world’s software safer and more secure for everyone.”

Microsoft

Mark Russinovich, CTO, Microsoft Azure

“Open source software is core to nearly every company’s technology strategy. Collaboration and investment across the open source ecosystem will strengthen and sustain security for everyone. Microsoft’s commitment to $5M in funding for OpenSSF supports critical cross-industry collaboration. We’re encouraged by the community, industry, and public sector collaboration at today’s summit and the benefit this will have to strengthen supply chain security.”

OWASP Foundation

Andrew van der Stock, Executive Director

“OWASP’s mission is to improve the state of software security around the world. We are contributing to the Developer Education and Certification, as well addressing the Executive Order for improving the state and adoption of SBOMs. In particular, we would like to see a single, consumable standard across the board.”

Mark Curphey (founder of OWASP) and John Viega (author of the first book on software security), Stream Coordinators

“We’re excited to see the industry’s willingness to come together on a single ‘bill of materials’ format. It has the potential to help the entire industry solve many important problems, including drastically improving response speed for when major new issues in open source software emerge.”

SAP

Tim McKnight, SAP Executive Vice President & Chief Information Security Officer

“SAP is proud to be a part of the Open Source Software Security Summit II and contribute to the important dialogue on the topic of Open Source software security.

“SAP is firmly committed to supporting the execution of the Open Source Software Security Mobilization Plan and we look forward to continuing our collaboration with our government, industry, and academic partners.”

Sonatype

Brian Fox, CTO of Sonatype and steward of Maven Central

“It’s rare to see vendors, competitors, government, and diverse open source ecosystems all come together like they have today. It shows how massive a problem we have to solve in securing open source, and highlights that no one entity can solve it alone. The Open Source Software Security Mobilization Plan is a great step toward bringing our community together with a number of key tactics, starting with securing OSS production, which will make the entire open source ecosystem stronger and safer.”

Wipro

Andrew Aitken, Global Head of Open Source

“Wipro is committed to helping ensure the safety of the software supply chain through its engagement with OpenSSF and other industry initiatives and is ideally suited to enhance efforts to provide innovative tooling, secure coding best practices and industry and government advocacy to improve vulnerability remediation.

“As the only global systems integrator in the OpenSSF ecosystem and in line with its support of OpenSSF objectives, Wipro will commit to training 100 of its cybersecurity experts to the level of trainer status in LF and OpenSSF secure coding best practices and to host training workshops with its premier global clients and their developer and cybersecurity teams.

“Further, Wipro will increase its public contributions to Sigstore and the SLSA framework by integrating them into its own solutions and building a community of 50+ contributors to these critical projects.”

KEY BACKGROUND

Three Goals of the 10-Point Plan

Securing Open Source Security Production

Make baseline secure software development education and certification the new normal for pro OSS developers
Establish a public, vendor-neutral, objective-metrics based risk assessment dashboard for the top 10,000 open source components.
Accelerate the adoption of digital signatures on software releases
Eliminate root causes of many vulnerabilities through replacement of non-memory-safe languages.

Improving Vulnerability Discovery and Remediation

Accelerate discovery of new vulnerabilities by maintainers and experts.
Establish the corps of “volunteer firefighter” security experts to assist open source projects during critical times.
Conduct third-party code reviews (and any necessary remediation work) of 200 of the most-critical open source software components yearly
Coordinate industry-wide data sharing to improve the research that helps determine the most critical open source software.

Shorten ecosystem Patching Response Time

Software Bill of Materials (SBOM) Everywhere – improve SBOM tooling and training to drive adoption
Enhance the 10 most critical open source security build systems, package managers, and distribute systems with better supply chain security tools and best practices.

The 10-Point Plan Summarized (available in full here)

Security Education Deliver baseline secure software development education and certification to all.
Risk Assessment Establish a public, vendor-neutral, objective-metrics-based risk assessment dashboard for the top 10,000 (or more) OSS components.
Digital Signatures Accelerate the adoption of digital signatures on software releases.
Memory Safety Eliminate root causes of many vulnerabilities through replacement of non-memory-safe languages.
Incident Response Establish the OpenSSF Open Source Security Incident Response Team, security experts who can step in to assist open source projects during critical times when responding to a vulnerability.
Better Scanning Accelerate discovery of new vulnerabilities by maintainers and experts through advanced security tools and expert guidance.
Code Audits Conduct third-party code reviews (and any necessary remediation work) of up to 200 of the most-critical OSS components once per year.
Data Sharing Coordinate industry-wide data sharing to improve the research that helps determine the most critical OSS components.
SBOMs Everywhere Improve SBOM tooling and training to drive adoption.
Improved Supply Chains Enhance the 10 most critical OSS build systems, package managers, and distribution systems with better supply chain security tools and best practices.

Media Contact

Edward Cooper
openssf@babelpr.com

The post The Linux Foundation and Open Source Software Security Foundation (OpenSSF) Gather Industry and Government Leaders for Open Source Software Security Summit II appeared first on Linux Foundation.

Linux network services: How to start, stop, and check their status

May 12, 2022

Learn how to use the systemd command to manage your network services.

Read More at Enable Sysadmin

How to set up Nginx on OpenShift and AWS ROSA

May 11, 2022

Use OpenShift’s Source to Image (S2I) to create a web application on OpenShift, with or without a cloud platform such as Red Hat OpenShift on AWS (ROSA).

Read More at Enable Sysadmin

Brian Behlendorf Testifies on Open Source Software Security to the US House Committee on Science and Technology

May 11, 2022

This post originally appeared on OpenSSF’s blog.

On Wednesday, May 11, 2022, Brian Behlendorf, OpenSSF General Manager, testified to the United States House of Representatives Committee on Science, Space, and Technology. Brian’s testimony shares the work being done within the Open Source Security Foundation and broader open source software community to improve security and trustworthiness of open source software.

A copy of Brian’s written remarks are below and linked here (PDF). Visit the Committee’s website to view a recording of the hearing.

Also testifying at the hearing were:

Ms. Lauren Knausenberger, Chief Information Officer, Department of the Air Force
Ms. Amélie Erin Koran, Non-Resident Senior Fellow, The Atlantic Council
Dr. Andrew Lohn, Senior Fellow, Center for Security and Emerging Technology, Georgetown University

May 9th, 2022

The Honorable Eddie Bernice Johnson, Chairwoman
The Honorable Frank Lucas, Ranking Member
Committee on Science, Space, and Technology
2321 Rayburn House Office Building
Washington, DC 20515-6301

Dear Chairwoman Johnson, Congressman Lucas, and distinguished members of the Committee on Science, Space and Technology,

Thank you for your invitation to address you today, and the opportunity to share with you the work being done within the Open Source Security Foundation and the broader open source software community to raise the level of security and trustworthiness of open source software.

What are the consequences of insecure open-source software and what is industry as a whole, and the Open Source Security Foundation in particular, doing to tackle such Vulnerabilities?

Open source software (“OSS”) has become an integral part of the technology landscape, as inseparable from the digital machinery of modern society as bridges and highways are from the physical equivalent. According to one report, typically 70% to 90% of a modern application “stack” consists of pre-existing OSS, from the operating system to the cloud container to the cryptography and networking functions, sometimes up to the very application running your enterprise or website. Thanks to copyright licenses that encourage no-charge re-use, remixing, and redistribution, OSS encourages even the most dogged of competitors to work together to address common challenges, saving money by avoiding duplication of effort, moving faster to innovate upon new ideas and adopt emerging standards.

However, this ubiquity and flexibility can come at a price. While OSS generally has an excellent reputation for security, the developer communities behind those works can vary significantly in their application of development practices and techniques that can reduce the risk of a defect in the code, or in responding quickly and safely when one is discovered by others. Often, developers trying to decide what OSS to use have difficulty determining which ones are more likely to be secure than others based on objective criteria. Enterprises often don’t have a well-managed inventory of the software assets they use, with enough granular detail, to know when or if they’re vulnerable to known defects, and when or how to upgrade. Even those enterprises who may be willing to invest in increasing the security of the OSS they use often don’t know where to make those investments, nor their urgency relative to other priorities.

There are commercial solutions to some of these problems. There are vendors like Gitlab or Red Hat who sell support services for specific open source software, or even entire aggregate distributions of OSS. There are other vendors, like Snyk and Sonatype, who sell tools to help enterprises track their use of OSS and flash an alert when there is a new critical vulnerability in software running deep inside an enterprise’s IT infrastructure.

However, fighting security issues at their upstream source – trying to catch them earlier in the development process, or even reduce the chances of their occurrence at all – remains a critical need. We are also seeing new kinds of attacks that focus less on vulnerabilities in code, and more on the supply chain itself – from rogue software that uses “typosquatting” on package names to insert itself unexpectedly into a developer’s dependency tree, to attacks on software build and distribution services, to developers turning their one-person projects into “protest-ware” with likely unintended consequences.

To address the urgent need for better security practices, tools, and techniques in the open source software ecosystem, a collection of organizations with deep investments into the OSS ecosystem came together in 2020 to form the Open Source Security Foundation, and chose to house that effort at the Linux Foundation. This public effort has grown to hundreds of active participants across dozens of different public initiatives housed under 7 working groups, with funding and partnership from over 75 different organizations, and reaching millions of OSS developers.

The OpenSSF’s seven working groups are:

Best Practices for Open Source Developers: This group works to provide open source developers with best practices recommendations, and easy ways to learn and apply them. Among other things, this group has developed courseware for teaching developers the fundamentals of secure software development, and implement the OpenSSF Best Practices Badge program.
Securing Critical Projects: This group exists to identify and help to allocate resources to secure the critical open source projects we all depend on. Among other things, this has led to a collaboration with Harvard Business School to develop a list of the most critical projects.
Supply Chain Integrity: This group is helping people understand and make decisions on the provenance of the code they maintain, produce and use. Among other things, this group has developed a specification and software called “SLSA”, for describing and tracking levels of confidence in a software supply chain.
Securing Software Repositories: This group provides a collaborative environment for aligning on the introduction of new tools and technologies to strengthen and secure software repositories, which are key points of leverage for security practices and the promotion to developers of more trustworthy software.
Identifying Security Threats in Open Source Projects: This group enables informed confidence in the security of OSS by collecting, curating, and communicating relevant metrics and metadata. For example, it is developing a database of all known security reviews of OSS.
Security Tooling: This group’s mission is to provide the best security tools for open source developers and make them universally accessible. Among other activities, this group has released code to better enable a security testing technique called “fuzzing” among open source projects.
Vulnerability Disclosures: This group is improving the overall security of the OSS ecosystem by helping advance vulnerability reporting and communication. For example, this group has produced a Guide to Coordinated Vulnerability Disclosure for OSS.

There are also a series of special projects under the OpenSSF worthy of special mention:

Project sigstore: an easy-to-use toolkit and service for signing software artifacts, ensuring that the software you are holding is the same as what the developer intended, addressing a wide array of supply chain attacks.
The Alpha-Omega Project: an effort to systematically search for new vulnerabilities in open source code, and work with critical open source projects to improve their vulnerability handling and other security practices.
The GNU Toolchain Initiative: this effort supports the build ecosystems for perhaps the most critical set of developer libraries and compilers in the world, the GNU Toolchain, as a means to ensure its safety and integrity.

All the above efforts are public-facing and developed using the best practices of open source software communities. Funding from our corporate partners goes towards supporting the core staff and functions that enable this community, but all the substance comes from voluntary efforts. In some cases funds flow to assist with specific efforts – for example, recently the Alpha-Omega project decided to allocate funding towards the NodeJS community to augment its security team with a part-time paid employee and to fund fixes for security issues.

The Linux Foundation has also begun to adapt its “LFX” platform, a set of services designed to support the open source communities hosted by the Foundation, to incorporate security-related data such as vulnerability scans from Snyk and BluBracket, along with information from the OpenSSF Best Practices Badge program and the OpenSSF Security Scorecards initiative, to provide a unified view of the security risks in a particular collection of open source code, and what maintainers and contributors to those projects can do to improve those scores and reduce those risks. We expect to see more kinds of risk-related data coming into a unified view like this, helping developers and enterprises make better decisions about what open source components and frameworks to use, and how to reduce risk for those components they depend upon.

Guiding all of this is a deep conviction among the OpenSSF community that while there are many different ways in which security issues manifest themselves in the OSS ecosystem, every one of them is addressable, and that there are lots of opportunities for investment and collective action that will pay a return many times over in the form of lower risk of a future major vulnerability in a widely-used package, and lesser disruption if one is discovered.

Other efforts at the Linux Foundation include “Prossimo”, an effort focused on moving core Internet-related services to “memory-safe” languages like Rust, Go, or Java, which would eliminate an entire category of vulnerabilities that other languages allow too easily. Another is the SPDX standard for Software Bill of Materials (“SBOMs”), addressing the needs identified by White House Executive Order 14028 in a vendor-neutral and open way.

This is by no means a comprehensive list of all such efforts in the OSS ecosystem to improve security. Every OSS foundation either has a security team in operation today or is scrambling to identify volunteers and funding to establish one. There is a greater emphasis today than I’ve seen in my 30 years of using and contributing to OSS (since before it was called OSS) on the importance of such efforts. Clear metrics for progress are elusive since we lack clear metrics for evaluating software risk; in fact developing ways to measure and represent that risk is a key priority for OpenSSF. We will never see a time when open source software is free from security defects, but we are getting better at determining the tools and techniques required to more comprehensively address the risk of vulnerabilities in open source code. Scaling up those tools and techniques to address the tens of thousands of widely used OSS components and to get them more quickly updated remains a challenge.

How can the Federal government improve collaboration with industry to help secure open-source software?

I’ll focus here on principles and methods for collaboration that will lead to more secure OSS, and then for question 3 on specific opportunities to collaborate on.

First, focus on resourcing long-term personal engagements with open source projects.

Over the last few years, we have seen a healthy degree of engagement by the Federal government with OSS projects and stakeholders on the topic of improving security. The push established by Executive Order 14028 for the adoption of SBOMs aligned nicely with the standardization and growing adoption of the SPDX standard by a number of OSS projects, but it was aided substantially by the involvement of personnel from NIST, CISA, and other agencies engaging directly with SPDX community members.

Often the real secret to a successful OSS effort is in the communities of different stakeholders that come together to create it – the software or specification is often just a useful byproduct. The Federal government, both through its massive use of open source code and the role that it traditionally performs in delivering and protecting critical infrastructure, should consider itself a stakeholder, and like other stakeholders prioritize engagement with upstream open source projects of all sizes. That engagement need not be so formal; most contributors to open source projects have no formal agreement covering that work aside from a grant of intellectual property in those contributions. But as they say, “history is made by those who show up.” If the IT staff of a Federal agency (or of a contractor under a Federal contract) were authorized and directed to contribute to the security team of a critical open source project, or to addressing known or potential security issues in important code, or to participating in an OpenSSF working group or project, that would almost certainly lead to identifying and prioritizing work that would result in enhanced security in the Federal government’s own use of open source code, and likely to upstream improvements that make OSS more secure for everyone else.

Second, engage in OSS development and security work as a form of global capacity building, and in doing so, in global stability and resilience. OSS development is inherently international and has been since its earliest days. Our adversaries and global competitors use the same OSS that we do, by and large. When our operating systems, cloud containers, networking stacks and applications are made to be more secure, there are fewer chances for rogue actors to cause disruption, and that can make it harder to de-escalate tensions or protect the safety of innocent parties. Government agencies in France, Taiwan, and more have begun to establish funded offices focused on the adoption, development, and promotion of OSS, in many ways echoing the Open Source Program Offices being set up by companies like Home Depot and Walmart or intergovernmental agencies like the WHO. The State Department in recent years has funded the development of software like Tor to support the security needs of human rights workers and global activists. The Federal government could use its convening authority and statecraft to bring like-minded activities and investment together in a coordinated way more effectively than any of us in the private sector can.

Third, many of the ideas for improving the security of OSS involve establishing services – services for issuing keys to developers like Project sigstore does, or services for addressing the naming of software packages for SBOMs, or services for collecting security reviews, or providing a comprehensive view of the risk of open source packages. Wherever possible, the Federal government should avoid establishing such services themselves when suitable instances of such services are being built by the OSS community. Instead of owning or operating such services directly, the Federal Government should provide grants or other resources to operators of such services as any major stakeholder would. Along similar lines, should the Federal government fund activities like third party audits of an open source project, or fund fixes or improvements, it should ensure not only that such efforts don’t duplicate work already being done, it should ensure that the results of that work are shared (with a minimum of delay) publicly and upstream so that everyone can benefit from that investment.

These three approaches to collaboration would have an outsized impact on any of the specific efforts that the Federal government could undertake.

Where should Congress or the Administration focus efforts to best support and secure the open-sourced software ecosystem as a whole?

The private sector and the Federal government have a common cause in seeing broad improvements in the security of OSS. I’m happy to share where I see the private sector starting to invest in enhanced OSS security, in the hopes that this may inspire similar actions from others.

Education. Very few software developers ever receive a structured education in security fundamentals, and often must learn the hard way about how their work can be attacked. The OpenSSF’s Secure Software Fundamentals courses are well regarded and themselves licensed as open source software, which means educational institutions of all kinds could deliver the content. Enterprises could also start to require it of their own developers, especially those who touch or contribute to OSS. There must be other techniques for getting this content into more hands and certifications against it into more processes.
Metrics and benchmarks. There are plenty of efforts to determine what are suitably objective metrics for characterizing the risks of OSS packages. But running the cloud systems to perform that measurement across the top 100,000 or even 10,000 open source projects may cost more than what can be provided for free by a single company, or may be fragile if only provided by a single vendor. Collective efforts funded by major stakeholders are being planned-for now, and governments as a partner to that would not be turned away.
Digital signatures. There is a long history of U.S. Government standards for identity proofing, public key management, signature verification, and so on. These standards are very sophisticated, but in open source circles, often simplicity and support are more important. This is pulling the open source ecosystem towards Project sigstore for the signing of software artifacts. We would encourage organizations of all sorts to look at sigstore and consider it for their OSS needs, even if it may not be suitable for all identity use cases.
Research and development investments into memory-safe languages. As detailed above, there are opportunities to eliminate whole categories of defects for critical infrastructure software by investing in alternatives written in memory-safe languages. This work is being done, but grants and investments can help accelerate that work.
Fund third-party code reviews for top open source projects. Most OSS projects, even the most critical ones, never receive the benefit of a formal review by a team of security experts trained to review code not only for small bugs that may lead to big compromises, but to look at architectural issues and even issues with the features offered by the software in the search for problems. Such audits vary tremendously in cost based on the complexity of the code, but an average for an average-sized code base would be $150K-250K. Covering the top 100 OSS projects with a review every other year, or even 200 every year, seems like a small price compared to the costs on US businesses to remedy or clean up after a breach caused by just one bug.
Invest into better supply chain security support in key build systems, package managers, and distribution sites. This is partly about seeing technologies like SBOMs, digital signatures, specifications like SLSA and others built into the most widely used dev tools so that they can be adopted and meaningfully used with a minimum of fuss. Any enterprise (including the Federal government) that has software certification processes based on the security attributes of software should consider how those tools could be enhanced with the above technologies, and automate many processes so that updates can be more frequent without sacrificing security.

These activities, if done at sufficient scale, could dramatically lower the risks of future disruptive events like we have seen. As a portfolio of different investments and activities they are mutually reinforcing, and none of them in isolation is likely to have much of a positive impact. Further econometrics research could help quantify the specific reduction of risk from each activity. But I believe that each represents a very cost-effective target for enhancing security in OSS no matter who is writing the check.

Thank you again for the opportunity to share these thoughts with you. I look forward to answering any questions you may have or providing you with further information.

Sincerely,

Brian Behlendorf
General Manager, Open Source Security Foundation
The Linux Foundation

The post Brian Behlendorf Testifies on Open Source Software Security to the US House Committee on Science and Technology appeared first on Linux Foundation.

In Memory of Shubhra Kar

Jason Perlow

May 10, 2022

This past week, we lost our dear friend, colleague, and a true champion of the open source community. Our CTO, Shubhra Kar, passed away suddenly while he was with his entire LF family at our first in-person, all-hands gathering since before the pandemic.

Those who had the honor to work with him will know, he was a special leader and a wonderful human being. Above all, Shubhra was the kind of leader who quickly passed the credit for accomplishments to his team over himself. His humble spirit and ever-present smile was admired by all around him. He was so proud of the world class team he had built here, and did that in part with engineers who followed him from one organization to another throughout his career.

We also knew Shubhra as a selfless leader – one who was more interested in the work than the reward. At the same time, he was incredibly ambitious – wanting to build a platform that would not only transform The Linux Foundation but support open source development communities around the world. This was the week his team unveiled significant new enhancements across the LFX platform. It was a project he led from vision to reality, after many – even members of his own team – had told him the path to success was impossible. He was a transformational leader that has left his legacy here.

While he was passionate about his work and his team, he loved his family even more. In fact, his children were often spotted behind him during video calls throughout the day. He was a fantastic husband and father, and we are so grateful for his wife, son, and daughter sharing him with us.

Sharing Memories

Our thoughts and prayers remain with Shubhra’s family in this incredibly difficult time. If you would like to leave a memorial message for Shubhra, please submit a pull request on GitHub here. His family would love to hear from you and especially appreciates stories that are shared of his life and career.

Memorial Fund

The Linux Foundation has made arrangements with the family to establish Shubhra’s memorial fund that will provide support for his family and his children’s education. Donations can be made to the family here.

The post In Memory of Shubhra Kar appeared first on Linux Foundation.

How to troubleshoot network connectivity problems

May 10, 2022

Intermittent network connectivity errors can be hard to diagnose, especially if they happen between monitoring checks.

Read More at Enable Sysadmin

Create Impact Change with the 2022 Call for Code

May 10, 2022

I am always amazed at the impact we all have coming together, using our collective talents for good. Combining our collective brain power, skills, time, and resources produces stellar results – maybe it is better rendering management for films that entertain with mind-bending CGIs or improving automated software testing and deployment so developers can spend more time on innovation. Human ingenuity is amazing!

Imagine our impact when we come together for good. When we see communities who need a collective leg up in life, or when we see injustice and foresee ways to balance the scale, or when we see the devastation in the wake of natural disasters and know there is a better way. We want to make the lives of everyone better – it might seem daunting, but innovation is bred from not knowing what you can’t do.

Facilitating this drive to help is what the Call for Code® project is about. It is, “creating and deploying open source technologies to tackle some of the world’s greatest challenges.” It is about thinking beyond yourself – using your talents to help others.

Call for Code was created by David Clark Cause with Founding Partner IBM and in partnership with United Nations Human Rights and The Linux Foundation. The goal is to inspire “developers to create practical, effective, and high-quality applications that can have an immediate and lasting impact on humanitarian issues as sustainable open source projects.” The Linux Foundation helps take the raw innovation and put in place the right tools to enable an impact across the world: instill best practices, engage external partners, provide feedback, and test them in the real world.

Call for Code 2022

The Call for Code 2022 is now open for registration. The focus this year is on sustainability. Do you have an idea to improve sustainable production, consumption, and management of resources, reduce pollution creation, and protect biodiversity? Keep reading. You don’t have a world-changing idea. Keep reading – you just might light a spark of ingenuity.

For this year, specifically, your solution should address: carbon emissions; clean energy; supply chain transparency and traceability; water scarcity and quality; reducing waste footprints; biodiversity; food insecurity; and education access and job opportunities to further environmental justice. And, no, this isn’t just for software developers. Each well-rounded team needs builders, designers, communicators, and humanitarians.

There is a total of $285,000 in prizes, all winners will receive open source support from The Linux Foundation, and all participants will receive a variety of support, such as IBM Cloud services, accelerators, expert webinars, mentors, and more.

Registration opened April 26, 2022 and final submissions are due October 31, 2022. Visit callforcode.org for detailed information and requirements and to register.

Call for Code 2021 Winners

Do you still need some inspiration? Take a few minutes to read about the 2021 winners. Half of the projects focus on racial justice – and those are the ones I want to take a moment to highlight. If you see one that inspires you, click through to learn more and for ways you can contribute:

Fair Change allows people to easily record public safety incidents in a safe and secure way with a goal of more transparency, reeducation, and reform.

TakeTwo utilizes machine learning to highlight potentially racially insensitive language on websites you are browsing in Chrome.

Legit-Info provides information on policy proposals at various levels of government. It communicates the potential impact without legalese and facilities sharing opinions with policy makers. It also gives policy makers visibility into how diverse citizens will be impacted.

Open Sentencing helps public defenders understand and document any racial disparities in the judicial system.

Five Fifths Voter helps remove impediments to voting by providing information on voter registration, voter ID laws, restrictions, purging, gerrymandering, and tools that make it easier to vote, such as childcare at the voting stations.

Incident Accuracy Reporting System enables victims and witnesses to contribute to incident reports to help give law enforcement and the public a 360-degree view of events that took place at any incident. It utilizes Hyperledger blockchain to ensure transparency, trust, and that information can’t be altered.

Truth Loop is a mobile-friendly tool to see pending legislation, learn about it, record your own story related to the legislation and its impact, and share that with policy makers.

Call for Code also has seven other projects related to natural disasters and stemming the impact of climate change, including monitoring the real-time air health for wildland firefighters, democratizing earthquake monitoring, inspecting buildings, facilitating drone canvassing and delivery of supplies following a natural disaster, and helping farmers optimize water use. Finally – they have a project, Rend-o-Matic, that enables musicians to remotely record their individual track in a composition and stitches them all together into the final, virtual performance.

Join a Call for Code Project

Let’s show the world the impossible is possible.

Call for Code is making a difference! Are you experiencing some FOMO? Want to join in? Good news – fear no more. You can! And you don’t even have to be a technical person. Besides the need for a wide range of technical specialists, the projects can also utilize individuals for documentation, testing, design, UI/UX, legal, subject matter experts, advocacy, and community building. Just head over to our Call for Code page and help work on these projects.

Do you have another idea around sustainability? Register for the Call for Code 2022 now and pull together your team.

Let’s show the world the impossible is possible.

How to configure your system to preserve system logs after a reboot

May 10, 2022

Edit your systemd-journald configuration to store journal entries for as long as you need them.

Read More at Enable Sysadmin

1...626364...10,742 Page 63 of 10,742