// Post Status Notes

When the Free Rider is Government

Chinmayi Sharma argues our digital infrastructure is built on open source, and it cannot provide adequate security so governments should help out.

Estimated reading time: 8 minutes

Over at Lawfare, Chinmayi Sharma talks open source security and argues our digital infrastructure is built on a house of cards β€” i.e., open source software. Log4j comes up for mention again, since it had a rare CVSS severity score of 10 out of 10.

What’s a CVSS score? How is it calculated? With the Common Vulnerability Scoring System Calculator of course. Learn how it works plus key security terms like “attack vector” from Robert Rowley at Patchstack. And here’s another good recent piece from Robert on the ingredients of a good security bug patching practice.

Sharma’s article is not a hit piece on open source, however. She notes:

The open-source community is aware of its security problem. In fact, the community is already attempting to build out institutions and standards to secure open source. For example, the Open Source Security Foundation, or OpenSSF, has already met with the White House twice and has 10 dedicated workstreams all focused on securing the open-source ecosystem. Companies like Microsoft and Google, large open-source contributors, have pledged $30 million to support OpenSSF’s efforts. The Open Source Technology Improvement Fund (OSTIF) was founded recently to provide free security auditing services to open-source projects and continues to grow.

However, on its own, the open-source community does not have the leverage to demand the resources and minimum security practices required. To preserve its core ethos as a free service and commodity, the open-source community cannot impose conditional requirements on its projects. As a collaborative of many volunteer developers, it also struggles to impose requirements on its own contributors. 

I wonder if that is really true and open source self-regulation is truly impossible. Sharma uses developer pushback as an example, in the case of the Python Package Index (PyPI) imposing “minimum security measures on ‘critical’ projects.”

Her argument is that open source needs help and governments should pitch in because open source software is β€œcritical infrastructure.” This is not a new idea:

Several nations have adopted regulations that recognize open-source projects as significant public assets and central to their most important systems and services. Germany wants to treat open-source software as a public good and launched a sovereign tech fund to support open-source projects β€œjust as much as bridges and roads,” and not just when a bridge collapses. The European Union adopted a formal open-source strategy that encourages it to β€œexplore opportunities for dedicated support services for open source solutions [it] considers critical.”