Open Source Summit Europe Day 2Notes from a world away
Open Source Summit EU in Bilbao, Spain : September 18th - September 21st
State of the Foundation
Jim Zemlin, Executive Director, LF
"Humble, Helpful, Hopeful"
800,000 developers across all projects "The sky is always falling" - but we work through it.
- Hashicorp to BSL.
- The sky is not falling in OSS. it is just getting sunnier.
- "only 9" examples of license changes like this.
- open governance is the missing link to prevent businesses having too much control
- Linux Foundation: OpenTofu - drop in replacement
- 5 weeks
- 700+ developers
- 250+ companies
- 41k stars
- Allianz CTO - "we secure our future." "Pivoting to OpenTofu we're securing more than code; we're securing futures"
- LF governance framework
- foundational security and other resources
AI in Open Source
- "sky is falling." AI will create weapons. bias. misinformation
- open source is antidote. LF: hopeful! OSS is what will combat the negativity.
- we went through this same fear-cycle with cryptography in the 90s
- CDLA.io - community data licensing agreement
- GPU and gaming helped fuel LLM innovation
- hard to write software on GPU without relying on proprietary software
- UXL - Unified Acceleration Foundation
- arm, fujitsu, google, intel, samsung, qualcomm
Creating Sustainable Value
- fujitsu... chips, web3, meh
Sovereign Tech Fund
"strengthening digital infrastructure and open source ecosystems in the public interest"
- feasibility study to examine this work
- sovereign tech fund - german public fund
- two weeks before log4shell
- pilot round: curl, fortran, wireguard, openssh, bundle/rubygems, python, openjs, logback
- https://xkcd.com/2347/ - jenga
- approach so far
- address immediate infra needs
- tech debt and community health
- supply chain security, CI, memory safety
- "no one questions why we maintain roads and bridges"
Node.js What's Next?
Jean Burellier, Michael Dawson, Node.js
Following What's Next
- 200 repos
- 20 LTS in October
- "major releases are boring"
- promotion to LTS is an event though
- Features, Old News
- OpenSSL3 (17). Smaller key lengths. algorithms changed. Native modules deprecations
- Default DNS Resolution. IPv6 vs IPv4.
- fetch (17.5, no flag in 18)
- WASI - WASM in Node.js (13.3, 20 no longer needs a flag)
- Hot off the press
- argument parser (18), collab from yargs and commander
- test runner (20) mocks, reporters, coverage
- single-executable application (19)
- easier distribution
- more secure only runs what is bundled. smaller surface area
- process-based permissions (19)
- file system, spawning, workers
- runtime API
- tracing channel (19)
- diagnostic information.
- arm64 for Windows (19)
- technical values and priorities
- constituencies' needs
- technical priorities
- mini-summits to focus on technical priorities. 3 to 4 times a year
- survey, 1700 respondents
- biggest ask: better docs
- sharing project news
New Teams and Initiatives
- security. funding OpenSSF
- single executable app
- uvwasi / wasm
- examples repository nodejs/examples
- website, redesigned experience
How to Get Involved
- open to all
- participating in meetings
- open issues
- docs / translations
- review PRs
- nobody understands all of it
Improving the Security of a Major Open Source Project : Open Step at a Time
Michael Dawson, Rafael Gonzaga
- "Open Open Source"
- 1B downloads direct last year
- top OpenSSF criticality score
- "but... volunteers are a poor match for time critical work"
- OpenSSF - full time resource in starting in 2022
Reactive - the life of a CVE
- threat model. without a TM, there is imbalanced expecations
- example: sync read of a large file. not a threat, per the TM. trust
- what do we trust? (not to misbehave) ex: FS.
- what we don't trust? HTTP servers
- published in
- security reports
- please dont open public
- hackerone. private. make public after resolved.
- accept or reject, using TM
- CVE and CVSS assignment, if accepted
- what did not work?
- ad hoc triaging
- small number of triagers. needs to rotate else people burnout
- handling reports for experimental features
- what is working?
- triage team > 3 people
- triage rotation
- hackerone, private, public after, easy CVE assignment
- creating fixes
node-privaterepo. running in public CI is disclosing vulns
- people availability - often busy. OpenSSF funding has helped.
- sometimes the vulns are platform-specific, like Windows-only
- locking CI when about to release
- security releases
- 26 steps
- advanced notice to ecosystem, related teams
- coordinating subteams
- release stewards rotation. 6 of them. matteo (platformatic), michael (redhat), bryan (datadog), rafael (nearform), juan, joe
- Dependency Vulnerability Checks (nodejs/nodejs-dependency-vuln-assessments)
- permissions model (20)
npm install magicpackage# malicious file access
node --experimental-permission --allow-fs-read=/path/to/project/*
- allow-fs-read, fs-write, allow-worker, allow-child-worker
- security best practices (document)
- automated dependency updates
- OSSF scorecared
- CII best practices
- automate release
- review build process of the dependencies
- make sure node.js can reliably maintain the release lines
How you can help
- contribute as a collaborator
- volunteer as a releaser
- champion wg initiative
- join the working group
- contribute to issuesa
- reward people for contributing! triage, etc
- reward people for being a security expert
- implement vulnerability reporting policies with considerations for open source projects
- join a foundation
- contribute to LFD bug bounty security fund
OSPOs and Engineering Effectiveness
Nithya Ruff, Amazon & Mary Wang, Volvo Car Corporation
Volvo Case Study
- 9 months old
- ISO 5230:2020 as a basis of OSS management
- OSS directive - enterprise-level
- OSS training to align with goals (practical instruction)
- OSS processes, tools, and instructions (this is the key)
- OSS status dashboard - transparency. a little gaming and competition across business units
- OSS newsletter
Roles and Resp.
- Without product, OSPO not needed.
- OSS Champion. How many you have depends on how many developers you need. They work more directly with the teams. They are on the ground.
- new employee training
- OSS training for engineers, with instructions
- OSS training for champions
- OSS training for managers
- Monthly training course
- be able to audit at a moments notice
- automate in CI if you can. SBOM generation and reporting here...? pilot
- delivery compliance artifacts with binaries
- visualize compliance artifacts to user
- reduce triage steps as best you can. self-service
- templates, project, license and security, IP
- green light for trivial oss contribution
- regular meeting for medium or major contribution
- oss contribution record
- automate the OSS contribution flow
- they've released 9 projects
- external presence in addition to GH
- finding experienced, patient champions
- addressing prioritzation between product and oss compliance
- different teams have different maturity levels. some times have nearly all open source work, and they are more naturally understanding.
- education is the only channel to influence them
- automate oss requests
- integrate scanning in CI
- help teams to solve "how"
- automate flow, compliance, contributions
- avoid word, excel to engineers. meet engineers where they are
Amazon Case Study
- why open source?
- we build on it. customers chose it. world depends on it.
- 70 to 90% of software is OSS. (Black Duck)
- 70 to 80k developers. only5 or 6 OSPO folks. they also have champions in every business unit
- open source is foundational to work.
- remove barriers and delay
- balance risk with speed
- empower modern development
- scanning will open a ticket with the OSPO to review non-compliant licenses
- open source cannot be a bolt on, or add on. it's a part of the entire workflow
- be a good citizen
- sustaining is critical
- creating healthy code and communities for all
- money, dedicated engineers, upstream, research, foundation sponsorships, evenet sponsorships
- maturity stages of OSPOs, TODO Group, [screenshot]
- last thoughts
- too much burden. only 35% of time is spent on innovation
- delight developers
- make it easy to comply
- make it automated
- reduce friction
- help people grow
- aim forr self-service
OSS Champions, what are they?
- not a full time job initially. aim for a %. 5 or 10?
- look for hot spots, and deputize
- weekly meeting. keep discussing issues together.
- using champions help reduce cost
- OSPOs should be small. the goal should be to be of a job
How do you get buyin from leadership to centralize compliance?
- find a central team.
- pilot projects to prove it out
How do you get leadership buyin to allow folks to do this % of time?
- justify upstream as a risk management. healthy upstream is sustainable
- from an audit of usage, find the ones that are most critical... and invest in them. "at least for the top 50, you should have a strategy for how it's managed"
SPDX 3 rc with more use cases