After Log4j, open source software is now a matter of national security



Photo: Dünzl/ullstein bild (Getty Images)

For years, the developers of free and open source software have told anyone who would listen that their projects need better financial support and more oversight. Now, after a string of catastrophic incidents involving open source code, the federal government and Silicon Valley may finally be listening.

At a meeting at the White House on Thursday, executives from some of the largest companies in the technology sector met with administration officials to discuss the need for better security in the open source community. The list of participants included big names such as Google, Facebook, Microsoft, Amazon, Oracle and Apple, among others.

Unlike proprietary software, open source software is free, publicly available and can be used or modified by anyone. Because open source tools are so useful, large corporations routinely build on them in their own products. Unfortunately, open source projects need oversight and funding to stay secure, and they don’t always get it. For years, open source developers have complained that their software needs better support from Big Tech and other institutional actors, a problem that is finally getting serious attention.

It’s not hard to see why the White House convened its meeting right now. Just a month ago, a devastating bug was found in the popular open source Apache Log4j library. The flaw, in a component used by almost everyone, set off widespread panic throughout the technology industry as companies scrambled to patch systems and products that relied on the library to function. (Officials from the Apache Software Foundation were also present at Thursday’s meeting.)

Log4j is not the only open source debacle to happen lately. Just last week, the creator of two widely used software tools inexplicably decided to sabotage them through a series of bizarre software updates. Marak Squires, the developer behind the popular JavaScript libraries Faker and Colors, deliberately broke the packages, taking down thousands of other software projects that depended on them to function.

In short, there is clearly room for improvement and, fortunately, the participants in the recent White House meeting seem quite receptive to it. At the meeting, White House National Security Adviser Jake Sullivan reportedly called open source software a “key national security concern.” Similarly, Google’s president of global affairs and chief legal officer Kent Walker published a statement on the company’s blog on Thursday saying it wants to see better support for the open source community.

“For too long, the software community has been comforted by the assumption that open source software is generally secure because of its transparency and the assumption that ‘many eyes’ were watching to detect and solve problems,” Walker said. “But actually, while some projects have a lot of eyes fixed on them, others have few or none at all.”

In his statement, Walker went on to propose increased public and private support for open source projects, the establishment of security and testing baselines, and a way to identify “critical” projects, meaning the kind that are very widely used (i.e., something like Log4j).

What exactly the government and the rest of Big Tech have in mind for improving open source security is not entirely clear at this point, but the fact that they are talking about it at all seems like a good sign.
