OpenSSF: Open Source Security Foundation (github.com/ossf)
128 points by PatrolX on Aug 3, 2020 | 30 comments



Maybe this should link to https://openssf.org or the press release (https://openssf.org/press-release/2020/08/03/technology-and-...) rather than to the GitHub project?

Highlights from the FAQ:

> OpenSSF is focused on improving the security of open source software (OSS) by building a broader community with targeted initiatives and best practices. It will start with a focus on metrics, tooling, best practices, developer identity validation and vulnerability disclosures best practices.

> OpenSSF will be supported by Linux Foundation membership dues with targeted organization contributions to support initiatives

> The founding members are GitHub, Google, IBM, JPMorgan Chase, Microsoft, NCC Group, OWASP Foundation and Red Hat, among others.


I was interested in it but when I saw the corporations supporting it I ended up with a sour taste in my mouth. Reading the rest of the comments it seems more like an organization with the intention to support their own interests rather than to support the interests of the community.


Can't their interests be aligned with the oss developers?

Google has Project Zero and the Safe Browsing API which do helpful things for me, GitHub auto scans dependencies, and OWASP guidelines are helpful I think


It is really interesting that major open source initiatives are now being run by corporations. I feel this will be open source in the sense that it is being developed in the open, but not in the sense that they will foster an environment of community contribution.

For example, the working group for vulnerability disclosure includes a lot of corporate players, and from what I can tell, not a single security researcher. Only one side of the disclosure process is represented in that working group.

Realizing how allergic major companies are to GPL code really creates some skepticism when they speak about embracing open source.


> For example, the working group for vulnerability disclosure includes a lot of corporate players, and from what I can tell, not a single security researcher. Only one side of the disclosure process is represented in that working group

More importantly, the vulnerability disclosure group does not have a single contributor from the largest consumers of vulnerability disclosures: Linux distribution security teams.

And while I think they can go far improving the current situation, 'creating an API' isn't really the main pain point we are faced with when a legacy entity deals with handing out CVEs. Thus I'm unsure if a corporate-only working group is capable of getting a complete picture of problems regarding F/OSS vulnerability disclosure.


> It is really interesting that major open source initiatives are now being run by corporations.

That should not be surprising, as they now all depend on OSS. I think this can be a good thing. The resources they bring can help OSS, and thus all its users and contributors.

> I feel this will be open source in the sense that it is being developed in the open, but not in the sense that they will foster an environment of community contribution.

I think it's reasonable to worry about that. But the Linux Foundation works very hard to foster contributions and comments from all. The Linux kernel, Kubernetes, and many other important OSS projects are in the LF. I think LF has a good track record.

Full disclosure: I just started to work for the Linux Foundation. But I would have said the same before.


Hi! I'm leading one of the working groups for the OpenSSF (Identifying Security Threats) and I understand your point here. I hope I speak for everyone, that we want the larger community to be directly involved, and not have this be an organization "run by corporations". (I'd go so far as to say that this initiative cannot be successful without strong community support.)

If you or anyone else is interested in participating or learning more, please drop me a line at michael /dot/ scovetta {at} microsoft.com.


Then why is there no obvious way to get in touch with you on your website? Are we supposed to search for random forum posts of your members?

I once applied for a grant with the Core Infrastructure Initiative, the predecessor of the OpenSSF. It took me about half a day to write and submit a proposal, only to never hear back. After a couple of weeks, I tried to contact the Linux Foundation through their contact form and ask about my grant application, without success. Then I tried to contact some responsible people directly. I never got a single reply.

That's just shameful. Organizations like the Linux Foundation are antithetical to the core idea of Open Source which is, well, openness.

But maybe Microsoft can bring some change into these encrusted institutions. BTW, I'm the maintainer of the XML parser and XSLT engine in your latest web browser. Bet you never even heard of me. There are quite a few security-related issues that still need work.


It's because all the work is happening in the open on GitHub in Working Groups. If you want to get in touch with people, it's literally described in the FAQ + the "Community" top level button that takes you to https://github.com/ossf

Also, the LF not only helps fund the development of Linux through Linus and other fellows, it hosts a plethora of other open source organizations, like LetsEncrypt which I'm sure you use on a daily basis without knowing.


Disclosure: I work at Amazon on cloud infrastructure, and I am a technical advisor on FOSS related topics from time to time.

Chris,

I think that the feedback on the CII grant process deserves to be acknowledged and addressed if possible. I wasn't directly part of the day-to-day efforts of CII, but I (as an individual providing one's opinion and advice) supported the original charter of directly funding security related development of critical software libraries that are often unnoticed like libxml2, OpenSSL, etc.

I am disappointed that CII didn't achieve this objective for more software (there were a few grants that were awarded and completed, but over time this seemed to end, from the public updates I read at the time). I think that it is still a good one to have.


Matt, the CII grant program became problematic for a number of reasons, and OpenSSF is certainly aiming to avoid replicating those mistakes and making entirely new mistakes instead (to not only focus on grants and truly help define what critical software is).

The CII was before my time at the LF so I don't have much to share outside of the fact that it was in the mind of the OpenSSF founders to do better.


I imagine the folks who were directly involved in CII (so, not me) would have loved to have had an opportunity to share their experiences and perspective during the closed-door formation phase of OpenSSF.


All of the Working Groups (WGs) that will be doing the work are forming now in the OPEN so this is the perfect time for anyone to get engaged as the organization gets off the ground: https://github.com/ossf

FYI: the majority of the work was born out of a closed source effort that you weren't involved in: https://github.blog/2020-07-09-what-we-learned-from-building...


>> Realizing how allergic major companies are to GPL code really creates some skepticism when they speak about embracing open source.

While orthogonal to your main point, this sentence conflates Free Software (GPL) with Open Source. It should be emphasised that the GPL is NOT open source, and that Open Source is not Free Software.

https://www.gnu.org/philosophy/open-source-misses-the-point....


Every line of GPL code is opensource. Not every line of opensource code is GPL.


...GPL is an Open Source license as defined by the OSI. Free Software and Open Source Software have overlapping (but not 1:1) definitions.


This is correct. Here's the OSI's list of approved licences: https://opensource.org/licenses/alphabetical


You seem to be very confused about these things, though those misconceptions are common...

Ultimately Free Software and Open Source mean the same thing. They come from philosophically different viewpoints that they emphasize - free software tries to emphasize on freedom, while open source is more a technical approach and often comes from more business oriented people.

But in terms of what licenses actually qualify as either Open Source or Free Software - they don't differ. And the GPL absolutely is an Open Source license. The organization that made the term Open Source popular agrees: https://opensource.org/licenses/gpl-license


Yes, the GPL is an Open Source license. However Free Software is a specific kind of Open Source and it adds a number of restrictions not found in a typical Open Source license (BSD, MIT, Apache etc.)

To reference the original point, Business may be allergic to the GPL, but at the same love the wider set of Open Source licenses.

Free Software and Open Source very much do not mean the same thing. Free Software is a subset of open source with an additional layer of very restrictive clauses. It is that extra layer that prevents GPL code being used by most business.

While the difference is based in philosophy, yes, that philosophical difference has a huge impact on how code is used in the real world.


You seem to think that software under "a typical Open Source license (BSD, MIT, Apache etc.)" is not Free Software.

Free Software Foundation disagrees with this view: https://www.gnu.org/licenses/license-list.en.html


I stand corrected. Perhaps my point (or my understanding) then is more subtle. Perhaps what I mean to say is that the GPL license comes with additional virality, not found in BSD et al.

Perhaps the difference is most noticeable in libraries (where I do most of my work). Using a GPL library in a commercial app is generally impossible, where BSD (or LGPL) etc is completely acceptable.

In my experience companies are allergic to GPL specifically, whereas other licenses - especially MIT and BSD are far more palatable, and are frequently used.


That is really my point. They will use and celebrate your code if they can use it to make money and give nothing back. If you place some restriction on it that forces openness then it becomes toxic waste to them. It is a one way street.


It's not too strange. Open source has taken off for a similar reason that news wire services took off in the early 1900s. Most software that organizations create isn't the end product, so if you can leverage a community to maintain it, it (hopefully) reduces costs for all maintainers.

Meanwhile, free software is really right to repair for software enforced via copyright instead of (dedicated) legislation. It threatens to reduce the power of the corporations, so they will be generally hostile to it unless their end products are the services that only they can build around it.


> Realizing how allergic major companies are to GPL code really creates some skepticism when they speak about embracing open source.

I'm aware of Google being AGPL-allergic, but are there companies out there that ban everything under the ordinary GPL? They'd have to avoid the Linux kernel, if they really meant it.


Best way to rise up the corporate ladder is to get your name on an industry wide working group.


Such a shame these initiatives don't build on existing standards working groups but go away and reinvent a wheel instead.

Take a look for instance at ETSI TC Cyber, or ETSI NFV Sec.

Even more available in specific domains, such as intelligent transport systems (ISG WG5)

Let's have one more standard promoting another agenda and set of priorities.

Open standards should also promote consolidated standards.


This is more than just open standards. The problem with standards groups in general is that they haven't woken up to how to do modern open source development; they are slow moving.


OWASP as an organization is one of the members of OpenSSF:

https://openssf.org/about/members/


What gave you the impression that they are reinventing the wheel?


Did you take a look at the ETSI organizations mentioned in the comment you are responding to?

> Take a look for instance at ETSI TC Cyber, or ETSI NFV Sec.

