OSPO mind map animation

TODO Group is proud to announce a new OSPO Mind Map version release. The mind map shows an Open Source Program Office’s (OSPO) responsibilities, roles, behavior, and team size within an organization. This post highlights the major improvements made by the community in this new version of the OSPO Mind Map.

Updates on Responsibilities section

The OSPO Mind Map’s Responsibilities section now defines new OSPO-specific topics and sub-sections, including:

  • 📘 Develop and Execute Open Source Strategy
  • 🧭 Eliminate Friction from Using and Contributing to Open Source
  • 🖥️ Manage Open Source IT Infrastructure
  • 📚 Give Advice on Open Source
  • 🫶 Grow and Retain Open Source Talent Inside the Organization
  • 🤝 Implement InnerSource Practices
  • ⏱️ Track Performance Metrics
  • 🤝 Collaborate with Open Source Organizations
  • 📈 Prioritize and Drive Open Source Upstream Development
  • 📝 Establish and Improve Open Source Policies and Processes
  • 🔍 Oversee Open Source Compliance
  • 📒 Support Corporate Development Activities

The initial pull request with these changes can be found here.

Welcoming Contributors 👋

The TODO Community welcomes more contributors to the OSPO Mind Map to bring together the various communities involved in OSPO-specific topics. This will help improve guidance for open source professionals across the OSPO ecosystem (e.g. topics like “InnerSource”, “Open Source metrics”, “Open Source Compliance” and more).

Updates on display

Initially, the OSPO Mind Map displayed all sections by default, producing a huge mind map image. Now, when people access https://ospomindmap.todogroup.org/, the view shows only the first two levels, so people can expand specific sections, avoiding unnecessary information and focusing on what matters to them at that time.

Welcoming Contributors 👋

We are looking for tech contributors to work on a process to automatically deploy new versions of the OSPO Mind Map to the website. If you’d be interested in contributing, please open a PR!

About OSPO Mind Map and OSPOlogy

This Mind Map is part of the TODO Group’s OSPOlogy repository which encapsulates a set of open initiatives (including the OSPO Mind Map, virtual global & regional meetings, an OSPO discussion forum, monthly OSPO News, and now, in-person workshops) to work in collaboration and study the status of OSPOs.

Acknowledgments

Thanks to OSPO Mind Map’s v2.0 contributors and reviewers!

  • Thomas Steenbergen (EPAM)
  • Ana Jiménez (Linux Foundation)
  • Jari Koivisto
  • Josep Prat (Aiven)
  • Gergely Csatari (Nokia)

Special thanks to Ibrahim Haddad (Linux Foundation): the Responsibilities section was inspired by the OSPO responsibilities section in A Close Look at Open Source Program Offices: Structure, Roles and Responsibilities.

LFX dashboard example

Open source communities are driven by a mutual interest in collaboration and sharing around a common solution. They are filled with passion and energy. As a result, open source software powers today’s world: the Internet, databases, programming languages, and so much more. It is revolutionizing industries and tackling the toughest challenges. Just check out the projects fostered here at the Linux Foundation for a peek into what is possible.

What is the challenge? 

As communities and the projects they support grow and mature, active engagement to recruit, mentor, and enable contributors is critical. Organizations now recognize this as they become more and more dependent on open source communities. Yet, while the ethos of open source is transparency and collaboration, the toolchain to automate, visualize, analyze, and manage open source software production remains scattered, siloed, and of varying quality.

How do we address these challenges?

Involvement and engagement in open source communities now goes beyond software developers and extends to engineers, architects, documentation writers, designers, Open Source Program Office professionals, lawyers, and more. To help everyone stay coordinated and engaged, a centralized source of information about their activities, tooling to simplify and streamline information from multiple sources, and a solution to visualize and analyze key parameters and indicators are critical. This can help:

  • Organizations wishing to better understand how to coordinate internal participation in open source and measure outcomes
  • CTOs and engineering leads looking to build a cohesive open source strategy 
  • Project maintainers needing to wrangle the legal and operational sides of the project
  • Individuals keeping track of their open source impact

Enter the Linux Foundation’s LFX Platform. LFX operationalizes this approach, providing tools built to facilitate every aspect of open source development and empowering projects to standardize, automate, analyze, and self-manage while preserving their choice of tools and development workflows in a vendor-neutral platform.

LFX tools do not disrupt a project’s existing toolchain; rather, they integrate a project’s community tools and ecosystem to provide a common control plane with APIs from numerous distributed data sources and operations tools. LFX also adds intelligence to drive outcome-driven KPIs and uses a best-practices-driven, vendor-agnostic toolchain. It is the place to go for active community engagement and open source activity, enabling the already powerful open source movement to be even more successful.

How does it work? 

Much of the data and information that makes up the open source universe is, not surprisingly, open to see. For instance, GitHub and GitLab both offer APIs that allow third-parties to track all activity on open projects. Social media and public chat channels, blog posts, documentation, and conference talks are also easily captured. For projects hosted at a foundation, such as the Linux Foundation, there is an opportunity to aggregate the public and semi-private data into a privacy respecting, opt-in unified data layer. 

More specifically to an organization or project, LFX is modular, extensible, and API-driven. It is pluggable and can easily integrate the data sources and tools that are already in use by organizations rather than force them to change their work processes. For instance:

  • Source control software (e.g. Git, GitHub, or GitLab)
  • CI/CD platforms (e.g. Jenkins, CircleCI, Travis CI, and GitHub Actions)
  • Project management (e.g. Jira, GitHub Issues)
  • Registries (e.g. Docker Hub)
  • Documentation (e.g. Confluence Wiki)
  • Marketing automation (e.g. social media and blogging platforms)
  • Event management platforms (e.g. physical event attendance, speaking engagements, sponsorships, webinar attendance, and webinar presentations)

This holistic and configurable view of projects, organizations, foundations, and more makes it much easier to understand what is happening in open source, from the most granular to the universal.

What do real-world users think? 

Part of LFX is a community forum to ask questions, share solutions, and more. Recently, Jessica Wagantall shared about the Open Network Automation Platform (ONAP). She notes:

ONAP is part of the LF Networking umbrella and consists of 30+ components working together towards the same goal since 2017. Since then, we have faced situations where we have to evaluate if the components are getting enough support during release schedules and if we are identifying our key contributors to the project.

In this time, we have learned a lot as we grow, and we have had the chance to have tools and resources that we can rely on every step of the way. One of these tools is LFX Insights.

We rely on LFX Insights tools to guide the internal decisions and keep the project growing and the contributions flowing.

LFX Insights has become a potent tool that gives us an overview of the project as well as statistics of where our project stands and the changes that we have encountered when we evaluate release content and contribution trends.

Read Jessica’s full post for some specific examples of how LFX Insights helps her and the whole team. 

John Mertic is a seasoned open source project manager. One of his jobs currently is helping to manage the Academy Software Foundation. John shares: 

The Academy Software Foundation was formed in 2018 in partnership with the Academy of Motion Pictures Arts and Sciences to provide a vendor-neutral home for open source software in the visual effects and motion picture industries.

A challenge this industry was having was that there were many key open source projects used in the industry, such as OpenVDB, OpenColorIO, and OpenEXR, that were cornerstones to production but lacked developers and resources to maintain them. These projects were predominantly single-vendor owned and led, and my experience with other open source projects in other vertical and horizontal industries is that this situation leads to sustainability concerns, security issues, and a lack of future development and innovation.

As the project hit its 3rd anniversary in 2021, the Governing Board wanted to assess the impact the foundation has had on increasing the sustainability of these projects. There were three primary dimensions being assessed.

  • Contributor growth
  • Contribution growth
  • Contributor diversity

We at the LF know that seeing those metrics increasing is a good sign for a healthy, sustainable project.

Academy Software Foundation projects use LFX Insights as a tool for measuring community health. Using this tool enabled us to build some helpful charts which illustrated the impacts of being a part of the Academy Software Foundation.

We took the approach of looking at before and after data on the contributor, contribution, and contributor diversity.

Here is one of the charts that John shared. You can view all of them in his post.


LFX dashboard example
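As an added example (not LFX Insights code and not John’s charts), here is one way to compute the three dimensions above, contributor growth, contribution growth and contributor diversity, from a raw commit log, comparing the year before a project joined a foundation with the year after. The commit log, the join date, the project and organization names, and the heuristic that maps an author’s email domain to an organization are all constructed for this example.

```python
"""Before/after community-health metrics from a commit log.

Added example for this post, not LFX Insights code. It operationalises
contributor growth, contribution growth and contributor diversity over a
constructed commit log. The email-domain organisation heuristic and the
one-year windows are assumptions of the example.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Assumption: commits from these domains are counted as independent contributors.
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "protonmail.com"}


@dataclass(frozen=True)
class Commit:
    author_email: str
    when: date


def org_of(email: str) -> str:
    """Derive an organisation from the author's email domain (heuristic)."""
    domain = email.rsplit("@", 1)[-1].lower()
    return "independent" if domain in PERSONAL_DOMAINS else domain


def window_metrics(commits: List[Commit], start: date, end: date) -> Dict[str, float]:
    """Metrics over commits with start <= when < end.

    Diversity is reported two ways: the number of distinct organisations and
    the share of commits held by the largest one (1.0 means single-vendor).
    """
    window = [c for c in commits if start <= c.when < end]
    authors = {c.author_email.lower() for c in window}          # de-duplicate by email
    orgs = Counter(org_of(c.author_email) for c in window)
    top_share = max(orgs.values()) / len(window) if window else 0.0
    return {"contributors": len(authors), "contributions": len(window),
            "organizations": len(orgs), "top_org_share": round(top_share, 3)}


def before_after(commits: List[Commit], join_date: date, days: int = 365) -> Dict[str, Dict[str, float]]:
    """Compare the window of `days` before join_date with the window after it."""
    before = window_metrics(commits, join_date - timedelta(days=days), join_date)
    after = window_metrics(commits, join_date, join_date + timedelta(days=days))
    delta = {k: round(after[k] - before[k], 3) for k in before}
    return {"before": before, "after": after, "delta": delta}


# Constructed commit log for a hypothetical project that joined a foundation on JOIN_DATE.
JOIN_DATE = date(2019, 6, 1)
COMMITS = [Commit(email, date(*ymd)) for email, ymd in [
    ("alice@vendorx.example", (2018, 7, 3)),
    ("alice@vendorx.example", (2018, 9, 10)),
    ("bob@vendorx.example", (2018, 11, 20)),
    ("Alice@vendorx.example", (2019, 2, 14)),   # same person, different capitalisation
    ("carol@vendorx.example", (2019, 4, 2)),
    ("bob@vendorx.example", (2019, 5, 21)),
    ("alice@vendorx.example", (2019, 7, 8)),
    ("dave@studio-a.example", (2019, 8, 15)),
    ("erin@studio-b.example", (2019, 9, 2)),
    ("bob@vendorx.example", (2019, 10, 30)),
    ("dave@studio-a.example", (2019, 12, 12)),
    ("frank@gmail.com", (2020, 1, 20)),
    ("erin@studio-b.example", (2020, 2, 11)),
    ("alice@vendorx.example", (2020, 3, 3)),
    ("grace@studio-a.example", (2020, 4, 18)),
    ("heidi@studio-b.example", (2021, 1, 5)),   # outside both windows, ignored
]]

if __name__ == "__main__":
    for label, metrics in before_after(COMMITS, JOIN_DATE).items():
        print(label, metrics)
```

On the constructed log the project goes from three contributors at one vendor to six contributors across four organisations, with the largest organisation’s share of commits falling from 100% to about a third; that last number is the one to watch when the question is single-vendor risk, because contributor count alone can grow while one employer still controls the project.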

Conclusion 

LFX will improve communication and collaboration, simplify management, surface the best projects and project leaders, and provide insightful guidance based on real data captured at scale, across the widest variety of projects ever collected into a single source of information. And it is available to you – all Linux Foundation members and projects have access to LFX. 

To learn more about what it can do for you and your organization and project(s), read our white paper (LINK), read posts in the LFX Community Forum, or just log in with your free LFID and give it a spin. And check back here on the LF Blog for more articles in the coming months on LFX – digging in deeper. 

If you would like to talk to someone at the Linux Foundation about LFX or membership, reach out to Jen Shelby at jshelby@linuxfoundation.org

OSPOlogy live workshops

As more and more organizations adopt open source initiatives and/or seek to mature their involvement in open source, they often face many challenges, such as educating developers on good open source practices, building policies and infrastructure, ensuring high-quality and frequent releases, engaging with developer communities, and contributing back to other projects effectively. They recognize that open source is a complex ecosystem that is a community of communities. It doesn’t follow traditional corporate rules, so guidance is needed to navigate the cultural change.

To help address these challenges and take advantage of the opportunities, organizations are turning to open source program offices (OSPOs). An OSPO is designed to be the center of competency for an organization’s open source operations and structure. This can include setting code use, distribution, selection, auditing, and other policies, as well as training developers, ensuring legal compliance, and promoting and building community engagement that benefits the organization strategically. 

The Linux Foundation’s TODO Group’s mission is to help foster the adoption and improvement of OSPOs around the world. They are a tremendous resource, with extensive guides, a new mind map, an online course, case studies, and more. Check out their resources and community, and join their efforts.

Thanks in part to their efforts, the OSPO movement is expanding across industries and regions of all types and sizes. However, due to the wide range of responsibilities and ways to operate, OSPO professionals often find it difficult to implement OSPO best practices, policies, processes, or tools for their open source management efforts.

To help people with these challenges, the TODO Group is introducing a new framework for in-person OSPO workshops. The framework is publicly available in ospology. This repo encapsulates a set of open initiatives (including the OSPO Mind Map 2.0, virtual global and regional meetings, an OSPO discussion forum, monthly OSPO News, and now, in-person workshops) that aim, through collaboration, to study and discuss the status of OSPOs and, ultimately, make them even more effective.

TODO is piloting these in Europe first, and they are currently seeking collaborators to bring together the various communities involved in OSPO-specific topics and help organizations effectively implement OSPO Programs based on the specific needs for the region.

Backing up a bit, let’s look at the OSPOlogy.live framework. 

OSPOlogy.live framework in a nutshell

  • Follows an “unconference style,” meaning it’s a participants-driven meeting
  • Adheres to the Chatham House Rule in order to share openly and learn from each other 
  • Connects OSPOs with various open source communities involved in the open source activities that matter to them (e.g. policies, tooling, standards, and community building)
  • Takes place over two days and is an in-person event
  • Consists of prepared presentations, hands-on workshops, and space for networking
  • Falls under the Linux Foundation’s policies and code of conduct
  • Held at a location provided by one of the participants for free
  • Each participant pays for their own food, travel, and lodging. Meals may be free if workshop organizers find sponsors.
  • Participants can register their interest to receive an invite via Linux Foundation’s community platform as seats are limited.

With that overview, let’s dig in a little on how the workshop is conducted.

Unconference style

Typically at an unconference, the agenda of the workshop portion is created by the attendees at the beginning of the meeting. Anyone who wants to initiate a discussion on a topic can claim a time and a space. OSPOlogy workshops are not fully an unconference as the first day is a series of prepared presentations, so you know what the sessions are before joining (1 or 2 will be chosen by the participants ahead of time). For Day 2, the workshops follow the unconference model. Participants vote on topics to be worked on that day. Participants may be asked to submit their topic before the workshop to accelerate/simplify the voting process.

Suggested workshop sections

  • OSPO USE CASES ➡️ Expert-led panels or talks to share experiences and case studies from specific OSPOs
  • OSPO ACCELERATORS ➡️ Presentation highlighting a specific activity within a specific project, such as outcomes of recent community activities. The aim is to give people insight into the various topics the communities are working on and to get their feedback or ask for contributions.
  • SHARED CHALLENGES ASSESSMENT ➡️ Identify shared OSPO challenges and pain points on the OSPO Mind Map 2.0 and let the audience vote for the areas of interest (working groups) for the workshop breakout groups. For instance, focus areas can be specific activities within OSPO responsibilities.
  • BREAKOUT SESSIONS ➡️ Define goals and identify pain points. Each breakout group aims to capture the challenges for its selected focus area and, where possible, document experiences and solutions.
  • NETWORKING

Interested in becoming a collaborator?

We can’t do this alone! If you are part of an open source community involved in OSPO-specific topics or an organization willing to help with the workshop planning, schedule and/or provide a space to kick off the first meet-up in Europe, we need your help! Please contact:

And check out the FAQs below. 

Don’t live in Europe? Pencil us in for when this is expanded. 

Not involved in an OSPO yet? Take time to check out the TODO Group and join the community to start your OSPOlogy journey.

Also, consider joining OSPOCon North America next week, June 21-24, 2022, either in Austin, Texas during the Open Source Summit or virtually. Register here.



Frequently Asked Questions

What do we mean by communities involved in OSPO-specific topics?

OSPO-specific topics range from safely using open source to license compliance, sustainability, contributing back to the community, and more. For the full list of OSPO topics please see https://ospomindmap.todogroup.org/:

  • Develop and Execute Open Source Strategy
  • Oversee Open Source Compliance
  • Establish and Improve Open Source Policies and Processes
  • Prioritize and Drive Open Source Upstream Development
  • Collaborate with Open Source Organizations
  • Track Performance Metrics
  • Implement InnerSource Practices
  • Grow and Retain Open Source Talent Inside the Organization
  • Give Advice on Open Source
  • Manage Open Source IT Infrastructure

Some examples of OS communities highly involved in these topics are:

What are the necessary roles to set up an OSPOlogy.live workshop?

There are two ways in which you can play your part in an OSPOlogy.live set-up: (1) the hosting party, who makes a meeting room available; and (2) the workshop organizer/facilitator, in charge of workshop activities and planning. (1) and (2) may be the same entity/individual. Further details can be found in the framework documentation.

Where can I register for the next OSPOlogy.live?

Efforts are already under way to organize OSPOlogy workshops in different European countries each quarter. Once collaborators and dates are confirmed, registration details and schedules will be published via the OSPOlogy community platform.

For further updates, please subscribe to OSPONewsletter and join the TODO community.

RIT campus view

This post originally appeared on Linux.com. The author, Stephen Jacobs, is the director of Open@RIT and serves on the Steering Committee of the TODO Group and served as a pre-board organizer of the O3DE Foundation. Open@RIT is an associate member of the Linux Foundation. 

What Is An Academic OSPO?

The academic space has begun to see activity around the idea of Open Source Program Offices at colleges and universities. Like their industry counterparts, these offices lead or advise administrative efforts around policy, licensing compliance, and staff education. But they can also be charged with efforts around student education, research policies and practices, and the faculty tenure and promotion process tied to research.

Johns Hopkins University (JHU) soft-launched their OSPO in 2019, led by Sayeed Choudhury, Associate Dean for Research Data Management and Hodson Director of the Digital Research and Curation Center at the Sheridan Libraries, in collaboration with Jacob Green of MOSS Labs. Other universities and academic institutions took notice.

Case Study: Open@RIT

I met Green at RIT’s booth at OSCON in the summer of 2019 and learned about JHU’s soft launch of their OSPO.  Our booth showcased RIT’s work with students in Free and Open Source humanitarian work. We began with a 2009 Honors seminar course in creating educational games for the One Laptop per Child program. That seminar was formalized into a regular course, Humanitarian Free and Open Source Software. (The syllabus for the course’s most recent offering can be found at this link)

By the end of 2010, we had a complete “Course-to-Co-Op lifecycle.” Students could get engaged in FOSS through an ecosystem that included FOSS events like hackathons and guest speaker visits, support for student projects, formal classes, or a co-op experience. In 2012, after I met with Chris Fabian, co-founder of UNICEF’s Office of Innovation, RIT sent FOSS students on Co-Op to Kosovo for UNICEF. We later formally branded the Co-Op program as LibreCorps. LibreCorps has worked with several FOSS projects since, including more work with UNICEF. In 2014 RIT announced what Cory Doctorow called a “Wee Degree in Free,” the first academic minor in Free and Open Source Software and Free Culture. 

All of these efforts provided an excellent base for an RIT Open Programs Office. (more on that missing “s” word in a moment) With the support of Dr. Ryne Raffaelle, RIT’s VP of Research, I wrote a “white paper” on how such an office might benefit RIT. RIT’s Provost, Dr. Ellen Granberg, suggested a university-wide meeting to gauge interest in the concept, and 50 people from 37 units across campus RSVP’d to the meeting. A subset of that group worked together (online, amid the early days of the pandemic) to develop a “wish list” document of what they’d like to see Open@RIT provide in terms of services and support. That effort informed the creation of the charter for Open@RIT approved by the Provost in the summer of 2020.

An Open Programs Office

Open@RIT is dedicated to fostering “Open Across The University” as a collaborative engine for Faculty, Staff, and Students. Its goals are to discover and grow the footprint of RIT’s impact on all things Open, including, but not limited to, Open Source Software, Open Data, Open Science, Open Hardware, Open Educational Resources, and Creative Commons licensed efforts; what Open@RIT refers to in aggregate as “Open Work.” To highlight the wide constituency being served, the choice was made to call it an Open Programs Office, to avoid being misread as an effort focusing exclusively on software. The IEEE (which Open@RIT partners with), in its SA Open effort, made the same choice.

In academia, there’s growing momentum around Open Science efforts. Open Science (a term used interchangeably with “Open Research” and “Open Scholarship”) refers to a process that keeps all aspects of scientific research, from the formation of a research plan onward, in the Open. This Scientific American Op-Ed (that mentions Open@RIT) points to the need for academia to become more Open. Open Educational Resources (i.e., making course content, texts, etc., Free and Open) is another academic effort that sees broad support and somewhat lesser adoption (for now).

While the academic community favors Open Science and Open Educational Resource practices, it’s been slow to adopt them. This recently released guide from the National Academies of Sciences, Engineering, and Medicine, a bellwether organization, adds pressure on academia to make those changes.

What’s Open@RIT Done Since The Founding?

Drafting Policies and Best Practices Documents

Policy creation in academia is, and should be, slow and thoughtful. Open@RIT’s draft policy on Open Work touches every part of the research done at the university. It’s especially involved because it needs to cover three different classes of constituents: students, who own their IP at RIT (a rarity in academia) except when the university pays them for the work they do (research assistantships, work-study jobs, etc.); staff, whose IP the university owns in most cases; and faculty. The last are a special case in that researchers and scientists are expected to publish their work but may need to work with the university to determine commercialization potential. It also needs to address software, hardware, data, etc.

Our current draft is making the rounds to the different constituencies and committees, and that process will be completed at some point in academic year 21-22.  In the meantime, parts of it will be published as Open@RIT’s best practices in our playbook, targeted for release before the end of Fall semester. Our recommendations for citing and supporting Open Work in Tenure and Promotion will also be part of the playbook and its creation is supported by the Alfred P. Sloan Foundation grant and by the LFX Mentorship program.

Faculty and Staff Professional Development

In October of 2020, The Alfred P. Sloan Foundation funded a proposal by Open@RIT funding some general efforts of the unit and, in particular, a LibreCorps team to support what we’re now calling the Open@RIT Fellows Program. We’re charged with supporting 30 faculty projects over two years and already have twenty-one that have registered, with about one-third of those project support requests completed or in progress. In many ways, the Open@RIT Fellows program could be considered an “Inner Source” effort.

This Zotero curated collection of articles, journal papers, book chapters, and videos on various aspects of Open Work and Open scholarship is the first step in our professional development efforts. It includes links to drafts of our recommendations around releasing Open Work and on building your evaluation, tenure and promotion cases with Open Work. We hope to offer professional development-related workshops in late fall or early spring of the coming AY.

Student Education

Open@RIT is wrapping up our “Open Across the Curriculum” efforts. While we’ve had several courses and a minor in place, they were mostly for juniors and seniors. Those classes were modified to begin accepting sophomores, and some new pieces are being brought into play.

At RIT, students are required to take an “Immersion,” a collection of three courses, primarily from liberal arts, designed to broaden students’ education and experiences outside of their majors. The Free Culture and Free and Open Source Computing Immersion does just that and opens to students this fall.

Within the month, Open@RIT will distribute a set of lecture materials to all departments for opt-in use in their freshman seminars that discuss what it means for students to own their IP in general and, specifically, what Opening that IP can mean in science, technology, and the arts.

Once the last pieces fall into place, students will be able to learn about Open as Freshmen, take one or both of our foundational FOSS courses Humanitarian Free and Open Source Software and Free and Open Source Culture as Sophomores and then go on to the Immersion (three courses) or the Minor (five courses) should they so choose.

Advisory Board and Industry Service

Open@RIT meets three times a year with our advisory board, consisting of our alums and several Open Source Office members from industry and related NGOs.

Open@RIT is active in FOSS efforts and organizations that include IEEE SA Open, Sustain Open Source’s Academic and Specialized Projects Working Group and CHAOSS Community’s Value working group.

Next Steps

By the end of 2022, Open@RIT will complete all of the points in its charter, hold a campus conference to highlight Open Work being done across the university, and complete a sustainability plan to ensure its future.

"the new guy" and man with a contemplating look

“Here’s a question from the new guy”. I have been using this a lot the past few weeks after starting here at the Linux Foundation as the lead editor and content manager. How long can I pull that off? 

The reality is that I am new to working professionally in open source software – and really the software/technology industry. But, it has been a long time passion of mine. I spent my formative years in the 1980s and had a drive to learn to program computers. When I was 12, I asked my mom for a computer. Her response, “you have to learn to type first”. 

I went to the library, checked out typing books, and taught myself on our electronic typewriter. We couldn’t afford a computer, but I received a hand-me-down TI-99/4A and then a Commodore 64 with a tape drive. I taught myself BASIC and also dialed into bulletin board systems (BBS) at a mind-blowing 300bps. If you have never experienced 300bps, imagine yourself reading at 10% of your normal pace.

I mention BBSs because, in many ways, they were the precursor to open source software. Someone dedicated their PC and a phone line for others to dial in, share messages, exchange software, answer technical questions, etc. 

Fast forward a bit – I taught myself to code enough to get a couple of coding jobs in high school but ended up getting a business degree in college and then working in politics for 15+ years. My passion for software and technology didn’t lapse, but I was mostly a tech hobbyist – taking classes in front-end web development and writing a couple of basic web apps, teaching myself some PHP, Python and WordPress development, and reading/writing about software development. And, for the record, I already had a GitHub repo before starting here.

With that bit of background, let me say that I am very excited about working at the Linux Foundation and diving into the open source community. I am a self-driven, life-long learner, and I want to take you along my journey here to learn about what we do, all of our projects, what open source is, how to advance it, and more. 

At LF, we embrace what we call the three H’s: humble, helpful, and hopeful. It isn’t just lip service. I see it lived out every day, in every interaction I have with my coworkers. My goal with this journey is to be: 

  • Humble: There is so much I don’t know about the open source community and the LF. I am learning every day. 
  • Helpful: I want to be helpful by sharing what I am learning. Much you may already know, but some you may not.
  • Hopeful: My hope is two-fold: I hope others learn too; I am hopeful that our community will continue to grow and thrive and solve some of the world’s toughest challenges. 

The three H’s are perfectly aligned with the general culture of open source. One of the LF’s onboarding tasks for new employees is to take a class entitled Open Source 101. Within that class they teach us Ten Open Source Culture Cores: 

  1. Be open. Openness breeds authenticity. Be consistently authentic in all of your work. 
  2. Be pragmatic. Action > talk. Work towards measurable value, not obscure, abstract, or irrelevant ideas. (Side note: when I worked in politics, my go-to line when speaking to groups was that I was a bit of an anomaly in Washington, I was long on action and short on talk.)
  3. Be personal. Always focus on a personal level of service and interaction. People don’t join open source communities to talk to computers. 
  4. Be positive. Highly positive environments generate positive engagement.
  5. Be collaborative. Involve people, gather their feedback, get a gut check, and validate your ideas. The only problem silos solve is how to store grain. 
  6. Be a leader. Be open and collaborative–focus on the other 9 Culture Cores too. 
  7. Be a role model. Be the person you want to be and you will be the leader other people want you to be. 
  8. Be empathetic. Don’t just be empathetic in the privacy of your own mind. Say it, demonstrate it visibly. This all builds trust. Empathy is a powerful driver for building inclusion, which is a powerful driver for innovation.
  9. Be down-to-earth. Leave your ego at the door. 
  10. Be imperfect. We all make mistakes. Acknowledge them, share them, and learn from them. 

What a great synopsis of the culture of open source technology. 

With that, let me close out this week by first stating the obvious – a lot has transpired in technology since my first TI-99/4A (never mind the fact that my network speed is literally one million times faster). I hope you will join me on my “Questions from the New Guy” journey. Look for weekly-ish blog posts diving into all aspects of The Linux Foundation, our projects, and open source technology.

SPDX was designed for tools to produce and consume SBOM documents. A decade of experience has shown us that tools may interpret fields differently – a file may be a valid syntactic SPDX SBOM,  but different tools may fill in different values.  

By coming together as a community to examine the output of multiple tools and to compare/contrast the results, we can refine the guidance to tool vendors and improve the robustness of the ecosystem sharing SPDX documents. Historically, these events were called Bake-offs, but we’ve evolved them into “DocFests.”

After a successful SPDX 2.2 DocFest in September of 2021, the SPDX community has decided to host another DocFest on January 27th from 7-11 AM PST. The purpose of this event is to bring together producers and consumers of SPDX documents and discuss differences between tool output and understanding for the same software artifacts. 

Specifically, the goals of this DocFest are to:

  • Come to agreement on how the fields should be populated for a given artifact
  • Identify instances where different use cases might lead to different choices for fields and structures of documents
  • Assess how well the NTIA SBOM minimum elements are covered
  • Create a set of reference SPDX SBOMs as part of the corpus for further tooling evaluation.
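The kind of comparison a DocFest performs, as an added example that is not part of the original post or of any SPDX project tooling: two SPDX 2.2 JSON documents, constructed here to stand in for two tools' output for the same artifact (the tool names, package names and checksum are placeholders), are checked for coverage of the NTIA SBOM minimum elements and diffed field by field so that the disagreements the event is meant to surface show up as data. The mapping of NTIA elements onto SPDX fields is the one assumed by this example.

```python
"""Compare two tools' SPDX 2.2 JSON output for one artifact.

Both documents are constructed for this example (placeholder tool names,
package names and checksum); they are not real tool output.
"""
import json

# NTIA minimum elements carried by a per-package SPDX field (assumed mapping).
NTIA_PACKAGE_FIELDS = {
    "supplier_name": "supplier",
    "component_name": "name",
    "component_version": "versionInfo",
}
# NTIA minimum elements carried by document-level creationInfo.
NTIA_DOCUMENT_FIELDS = {
    "author_of_sbom_data": ("creationInfo", "creators"),
    "timestamp": ("creationInfo", "created"),
}
DEPENDENCY_TYPES = {"DEPENDS_ON", "CONTAINS", "DEPENDENCY_OF"}

# Constructed output of hypothetical "tool-a": supplier, purl and dependency edge filled in.
TOOL_A = {
    "spdxVersion": "SPDX-2.2", "SPDXID": "SPDXRef-DOCUMENT", "name": "examplelib-1.2.3",
    "creationInfo": {"created": "2022-01-20T10:00:00Z", "creators": ["Tool: tool-a-0.1"]},
    "packages": [
        {"SPDXID": "SPDXRef-Package-examplelib", "name": "examplelib", "versionInfo": "1.2.3",
         "supplier": "Organization: Example Corp",
         "downloadLocation": "https://example.invalid/examplelib-1.2.3.tar.gz",
         "licenseConcluded": "MIT", "licenseDeclared": "MIT",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:generic/examplelib@1.2.3"}]},
        {"SPDXID": "SPDXRef-Package-helperlib", "name": "helperlib", "versionInfo": "0.9.0",
         "supplier": "Organization: Helper Project", "downloadLocation": "NOASSERTION",
         "licenseConcluded": "Apache-2.0", "licenseDeclared": "Apache-2.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:generic/helperlib@0.9.0"}]},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-examplelib"},
        {"spdxElementId": "SPDXRef-Package-examplelib", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-helperlib"},
    ],
}

# Constructed output of hypothetical "tool-b": same artifact, but NOASSERTION for supplier
# and concluded license, a checksum instead of a purl, and no dependency recorded.
TOOL_B = {
    "spdxVersion": "SPDX-2.2", "SPDXID": "SPDXRef-DOCUMENT", "name": "examplelib-1.2.3",
    "creationInfo": {"created": "2022-01-20T11:30:00Z", "creators": ["Tool: tool-b-2.0"]},
    "packages": [
        {"SPDXID": "SPDXRef-Package-examplelib", "name": "examplelib", "versionInfo": "1.2.3",
         "supplier": "NOASSERTION",
         "downloadLocation": "https://example.invalid/examplelib-1.2.3.tar.gz",
         "licenseConcluded": "NOASSERTION", "licenseDeclared": "MIT",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "0" * 64}]},  # placeholder digest
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-examplelib"},
    ],
}


def _present(value):
    """SPDX uses NOASSERTION/NONE as explicit 'no data'; treat them as absent."""
    return value not in (None, "", [], "NOASSERTION", "NONE")


def ntia_coverage(doc):
    """Return {ntia_element: bool} for the seven NTIA minimum elements."""
    packages = doc.get("packages", [])
    coverage = {}
    for element, field in NTIA_PACKAGE_FIELDS.items():
        coverage[element] = bool(packages) and all(_present(p.get(field)) for p in packages)
    # "Other unique identifiers": an ExternalRef (e.g. purl) or a checksum per package.
    coverage["other_unique_identifiers"] = bool(packages) and all(
        bool(p.get("externalRefs") or p.get("checksums")) for p in packages)
    # "Dependency relationship": at least one dependency-type edge beyond DESCRIBES.
    coverage["dependency_relationship"] = any(
        r.get("relationshipType") in DEPENDENCY_TYPES for r in doc.get("relationships", []))
    for element, (outer, inner) in NTIA_DOCUMENT_FIELDS.items():
        coverage[element] = _present(doc.get(outer, {}).get(inner))
    return coverage


def diff_packages(doc_a, doc_b, fields=("name", "versionInfo", "supplier", "licenseConcluded",
                                        "licenseDeclared", "downloadLocation")):
    """Pair packages by name; return {name: {field: (a_value, b_value)}} where tools disagree."""
    by_name_a = {p["name"]: p for p in doc_a.get("packages", [])}
    by_name_b = {p["name"]: p for p in doc_b.get("packages", [])}
    differences = {}
    for name in sorted(set(by_name_a) | set(by_name_b)):
        pa, pb = by_name_a.get(name), by_name_b.get(name)
        if pa is None or pb is None:  # one tool did not record the package at all
            differences[name] = {"<package>": ("present" if pa else "missing",
                                               "present" if pb else "missing")}
            continue
        delta = {f: (pa.get(f), pb.get(f)) for f in fields if pa.get(f) != pb.get(f)}
        if delta:
            differences[name] = delta
    return differences


if __name__ == "__main__":
    report = {"tool-a": ntia_coverage(TOOL_A), "tool-b": ntia_coverage(TOOL_B),
              "disagreements": diff_packages(TOOL_A, TOOL_B)}
    print(json.dumps(report, indent=2))
```

Run against real tool output by loading the JSON files in place of `TOOL_A` and `TOOL_B`. The report separates two failure modes a DocFest cares about: a document that is valid SPDX but carries NOASSERTION where an NTIA element is expected, and two documents that both look complete but disagree on what they assert about the same package.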

This event will require “sweat equity” – participants who can produce SPDX documents are expected to have generated at least one SPDX document from the target set (either source, built from source, or an image/container equivalent). Participants who consume SPDX documents are expected to run at least two SPDX documents through their tooling and share any analysis results. 

Those who have signed up and have submitted files by January 21, 2022, will receive a meeting invite to the DocFest.

To indicate interest to participate, please fill in the following form no later than January 16, 2022: https://forms.gle/Mq7ReinTY6gDL4cs9

Imagine you have created an open source project that has become incredibly popular. Thousands, if not millions, of developers worldwide rely on the lines of code that you wrote. You have become an accidental hero of that community — people love your code, contribute to improving it, request new features, and encourage others to use it. Life is amazing, but with great power and influence comes great responsibility.

When code is buggy, people complain. When performance issues crop up in large-scale deployments, they need to be addressed. When security vulnerabilities are discovered — because no code, and none of its dependencies, is ever perfect — they need to be remediated quickly to keep your community safe.

To help open source projects better address some of the responsibilities tied to security, many communities hosted by the Linux Foundation have invested countless hours, resources, and code into some important efforts. We’ve worked to improve the security of the Linux kernel, hosted Let’s Encrypt and sigstore, helped steward the ISO standardization for SPDX, and brought together a community building metrics for OSS health and risk through the CHAOSS project — among many others.

Today, we are taking steps with many leading organizations around the world to enhance the security of software supply chains. The Linux Foundation has raised $10 million in new investments to expand and support the Open Source Security Foundation (OpenSSF) and its initiatives. This cross-industry collaboration brings together an ecosystem to collectively identify and fix cybersecurity vulnerabilities in open source software and develop improved tooling, training, research, best practices, and vulnerability disclosure practices. We are also proud to announce that open source luminary, Brian Behlendorf, will serve the OpenSSF community as General Manager. 

Financial commitments for OpenSSF include Premier members such as AWS, Cisco, Dell Technologies, Ericsson, Meta, Fidelity, GitHub, Google, IBM, Intel, JPMorgan Chase, Microsoft, Morgan Stanley, Oracle, Red Hat, Snyk, and VMware. Additional commitments come from General members, including Aiven, Anchore, Apiiro, AuriStor, Codethink, Cybertrust, Deepfence, Devgistics, DTCC, GitLab, Goldman Sachs, JFrog, Nutanix, StackHawk, Tencent, TideLift, and Wind River.

To learn more about how to join the OpenSSF or to get involved in one of its six working groups, listen in to this brief introduction from Brian Behlendorf recorded this week at KubeCon:

In 2021, the Linux Foundation and its community will continue to support education and share resources critical to improving open source cybersecurity.  For example, this week, we also hosted SupplyChainSecurityCon, where the SLSA and sigstore projects were heavily featured.

If you are an open source software developer, user, or other community participant who just wants to help further protect the software that accelerates innovation around the world, please consider joining one of our six OpenSSF working groups, or suggest a new working group that addresses gaps in software supply chain security needs.

You can follow the latest news from OpenSSF here on our blog, Twitter (@TheOpenSSF), and LinkedIn.

Industry leaders from technology, financial services, telecom, and cybersecurity sectors respond to Biden’s Executive Order, commit to a more secure future for software; open source luminary Brian Behlendorf becomes general manager

LOS ANGELES, Calif – KubeCon – October 13, 2021 – The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced it has raised $10 million in new investments to expand and support the Open Source Security Foundation (OpenSSF), a cross-industry collaboration that brings together multiple open source software initiatives under one umbrella to identify and fix cybersecurity vulnerabilities in open source software and develop improved tooling, training, research, best practices, and vulnerability disclosure practices. Open source luminary Brian Behlendorf will serve the OpenSSF community as General Manager.

Financial commitments from Premier members include Amazon, Cisco, Dell Technologies, Ericsson, Meta, Fidelity, GitHub, Google, IBM, Intel, JPMorgan Chase, Microsoft, Morgan Stanley, Oracle, Red Hat, Snyk, and VMware. Additional commitments come from General members Aiven, Anchore, Apiiro, AuriStor, Codethink, Cybertrust Japan, Deepfence, Devgistics, DTCC, GitLab, Goldman Sachs, JFrog, Nutanix, StackHawk, Tencent, TideLift, and Wind River.

“This pan-industry commitment is answering the call from the White House to raise the baseline for our collective cybersecurity wellbeing, as well as ‘paying it forward’ to open source communities to help them create secure software from which we all benefit,” said Jim Zemlin, executive director at the Linux Foundation. “We’re pleased to have Brian Behlendorf’s leadership and extensive expertise on building and sustaining large communities and technical projects applied to this work. With the tremendous growth and pervasiveness of open source software, building cybersecurity practices and programs that scale is our biggest task at hand.”

According to industry reports (“2021 State of the Software Supply Chain,” by Sonatype), software supply chain attacks have increased 650 percent and are having a severe impact on business operations. In the wake of increasing security breaches, ransomware attacks, and other cybercrimes tied to open source software, government leaders worldwide are calling for private and public collaboration. Because open source software makes up at least 70 percent of all software (“2020 Open Source Security and Risk Analysis Report” by Synopsys), the OpenSSF offers the natural, neutral, and pan-industry forum to accelerate the security of the software supply chain. 

“There has never been a more exciting time to work in the open source community, and software supply chain security has never needed more of our attention,” said Brian Behlendorf, general manager, Open Source Security Foundation. “There is no single silver bullet for securing software supply chains.  Research, training, best practices, tooling and collaboration require the collective power of thousands of critical minds across our community. Funding for OpenSSF gives us the forum and resources to do this work.”

The OpenSSF is home to a variety of open source software, open standards, and other open content work for improving security. Examples include:

For more information about OpenSSF, please visit: https://openssf.org/

Premier Member Quotes

AWS

“Open source software plays an increasingly crucial role across the whole landscape of information security. Convening industry leaders to invest in developing policies, practices, tooling, and education around open source security benefits us all. AWS was a founding member of the Core Infrastructure Initiative in 2014, and we will now build on the relationships and investments that continue the mission by joining OpenSSF as a Premier Member. With our partners in this initiative, and as active participants in many open source communities, we will help raise the bar in the security of open source software,” said Mark Ryland, Director of the Office of the CISO at AWS.

Cisco

“OpenSSF will enable the community, across industries, to build tools and practices to secure the software supply chain for open source and beyond. This is crucial to the future of API and application security, which are fast becoming a primary attack vector for all business going forward,” says Vijoy Pandey, VP of Emerging Technologies & Incubation at Cisco. “At Cisco, we believe the application experience is the new brand, which demands better app velocity, trust, security, and availability. This belief drives our deep investment in application security and full-stack observability, which is why joining forces with this prestigious foundation and group as a trusted advisor and partner was a no-brainer for us.”

Dell Technologies 

“The Linux Foundation’s focus on security is fundamental to addressing the increasing risks associated with software,” said John Roese, Dell Technologies’ Global Chief Technology Officer. “The Open Source Security Foundation’s work will help us collectively make sure critical software programs and the end to end software delivery pipeline is secure and trustworthy.”

Ericsson

“As a leader in mobile communication, pioneering and driving 5G globally, security is at the core of the network infrastructure we build and deliver to our customers. In an industry increasingly built around open source and open standardization we are fully committed to address cybersecurity vulnerabilities in a collaborative effort. We are proud to join the Open Source Security Foundation as a founding member and we look forward to continue to work with the community and wider industry for a secure software supply chain, including the open source components,” says Erik Ekudden, Senior Vice President and Chief Technology Officer, Ericsson.

Fidelity

“Open Source Software plays a critical role in Fidelity’s technology strategy. We are proud to be part of the Open Source Security Foundation and to work with others to ensure that Open Source solutions and their supply chains are safe, secure, and reliable, enabling Fidelity to better serve our customers and clients,” said John Andrukonis, SVP, Fidelity Application Architecture.

GitHub

“The world runs on software, and most of that software includes and relies on open source,” said Mike Hanley, Chief Security Officer at GitHub. “As the home to more than 65 million developers around the world, we’re excited to continue partnering across the open source community and with other Open Source Security Foundation members to power a more secure, trustworthy future that will benefit everyone.”

Google

“We are doubling down on our OpenSSF commitment in the wake of rising open source software supply chain attacks and President Biden’s Executive Order,” said Eric Brewer, vice president of infrastructure and fellow at Google. “This decision is part of our White House pledge to spend $100 million to fund open source security foundations and follows a variety of investments we’ve made to support developers and security engineers across the public and private sectors. The OpenSSF is the best place for cross-industry leadership for these very challenging topics, and we look forward to working with the US and other governments to improve security worldwide.” 

IBM 

“IBM is deeply focused on developing and building highly secure hybrid cloud, AI and quantum-safe technologies that are designed to protect our clients’ most sensitive workloads both today and into the future,” said Jamie Thomas, General Manager, Strategy & Development and IBM Enterprise Security Executive. “As a long-time open source leader, IBM looks forward to working with the OSSF, our industry partners, and open source communities towards addressing the ever-increasing challenge of hardware and software open source supply chain security.”

Intel

“As a long-standing member of the open source software community, Intel contributes daily in the upstream projects we collaborate with,” said Greg Lavender, senior vice president, CTO, and general manager of Software and Advanced Technology at Intel Corporation. “Along with the Linux Foundation, we believe the Open Security Foundation (OpenSSF) is a unique opportunity to engage in projects and efforts focused on improving the quality and security for today and our future. Intel remains committed to providing contributions that benefit open source software supply chains and improving the security posture of critical projects on which our ecosystem depends.”

JPMorgan Chase

“JPMorgan Chase is deeply committed to working with the open source community to solve our most pressing security challenges. As a founding member of the Open Source Security Foundation, we have worked together to improve the security of open source and the integrity of all software. We commend the US Government’s recent initiative to raise awareness on this pressing topic and call to action the technology community to solve one of the most complex security challenges of our time.  We welcome the new members to OpenSSF and look forward to continuing the journey of innovation and bringing meaningful change to how we build, secure, and validate software,” said Pat Opet, Chief Information Security Officer, JPMorgan Chase & Co.

Microsoft

“As open source is now core to nearly every company’s technology strategy, securing open source software is an essential part of securing the supply chain for every company, including our own. All of us at Microsoft are excited to participate with others in contributing new investments to the Open Source Security Foundation and we look forward to building more secure software through community-driven efforts to create solutions that will help us all,” said Mark Russinovich, Azure CTO and Technical Fellow, Microsoft.

Morgan Stanley

“Whether we are leveraging open source in our own code, contributing to OSS projects, or consuming OSS via technology we procure and utilize, the safety and security of OSS and the creation of a trustworthy supply chain is critical to all businesses. To that end, we are delighted to join the Linux Foundation’s Open Source Security Foundation project to collaborate with our cross-industry partners to improve the security, safety and trust in the OSS ecosystem,” said Neil Allen, Global Head of Cyber Security Engineering, Morgan Stanley.

Oracle

“As a contributing member of the open source software community and an inaugural Linux Foundation member, Oracle has a large number of developers that contribute to third-party open source projects daily,” said Wim Coekaerts, senior vice president of software development, Oracle. “Oracle looks forward to participating in the Open Source Security Foundation and working with other members to continue to strengthen the software supply chain, helping customers work more securely.”   

Red Hat

“Open source is pervasive in software solutions of all kinds, and cybersecurity attack rates are on the rise. Our customers look to Red Hat to provide trust and enhanced security in our open source based portfolio. Open source and community collaboration is the best way to solve big, industry-wide challenges, such as open source supply chain security. And that’s why we’re excited to join together with the Linux Foundation and other industry leaders so we can continue to improve the technologies and practices to build a more secure future from open source software,” said Chris Wright, senior vice president and CTO, Red Hat.

Snyk

“Open source is built by millions of empowered developers, who also need to secure this critical foundation of the digital world,” said Guy Podjarny, Founder & President, Snyk. “The vital work of the Linux Foundation and the OpenSSF ensures we collectively live up to this responsibility. The Snyk community is fully committed to this important, collaborative effort and we look forward to working closely with the other OpenSSF members to better secure OSS so it can continue to safely fuel innovation.”

VMware

“Every company that uses software should be concerned about their software supply chain,” said Kit Colbert, chief technology officer, VMware. “For two-plus years, VMware has engaged in contributions to open source projects in the broader software supply chain security space and invested in initiatives to help customers further strengthen their security policies and processes. As a member of the Open Source Security Foundation, we’re committed to collaborating across the industry to drive an increased level of software supply chain security.”

General Member Quotes 

Apiiro

“Software supply chain risks are becoming pervasive, with the potential to slow application delivery and stunt innovation,” commented John Leon, VP of Business Development at Apiiro. “Managing application risk has become increasingly complex and requires visibility across the SDLC – including the supply chain. Apiiro is excited to partner with the open source community and support the Linux Foundation and OpenSSF as they power the collaboration that is vital to securing software.”

AuriStor

“AuriStor’s founders have contributed to the standardization of security protocols and open source development of security first software for more than 35 years. We view the OpenSSF, its working groups and projects, and those that participate in them as crucial to improving the security of every industry, service, and home.  The OpenSSF has the potential to make a significant difference in everyone’s future. We encourage all members of the software development community to contribute,” said AuriStor Founder and CEO Jeffrey Altman.

Devgistics

“We seized the opportunity to join this foundation because OpenSSF offers a real industry-neutral forum to accelerate the hardening and security of the software supply chain. Devgistics (formerly InfoSiftr) provides critical enhancements to the world’s most popular open-source repository. Devgistics has been involved in many free and open-source initiatives for years, including being a Moby (Docker Engine) maintainer, providing support to the Docker/container ecosystem, and serving in the Open Container Initiative. Devgistics continues to contribute cutting-edge solutions for security-conscious clients like the US Air Force,” said Devgistics Founder and President Justin Steele. 

DTCC

“DTCC is committed to developing highly resilient and secure code to safeguard the financial marketplace. DTCC is proud to be part of the OpenSSF community and looks forward to partnering with our fellow members on safe, secure and reliable computing,” said Ajoy Kumar, Head of Tech/Cyber Risk at DTCC.

GitLab

“As organizations modernize software development and shift security left, GitLab believes that open source will play a key role in fostering this modernization and delivering secure software with speed to the market,” said Eric Johnson, CTO at GitLab. “Supporting the Open Source Security Foundation aligns with GitLab’s mission of enabling everyone to contribute, and we look forward to supporting, collaborating, and sharing our expertise in implementing security in GitLab’s DevOps Platform to the OpenSSF community.”

Goldman Sachs

“Continuing to secure the software supply chain, in particular the many critical open source projects foundational to any modern organization’s IT architecture, is a top strategic imperative for Goldman Sachs, our peers, partners, and clients in financial services, the technology ecosystem, and the wider economy,” said Atte Lahtiranta, chief technology officer at Goldman Sachs. “This work cannot be done in individual organizational silos. We instead need to work collaboratively, across both the private and public sector, together with open source maintainers and contributors, to answer the call to action that is the recent cybersecurity executive order. The OpenSSF will provide an essential forum and associated infrastructure to allow us to share leading practices, develop improved tooling, and work together to better protect our digital infrastructure.”

JFrog

“Open-source software is the backbone of hundreds of thousands of today’s applications, making it critical that we do our best to flag new vulnerabilities and insecure components fast—before they compromise businesses or critical infrastructure,” said Asaf Karas, JFrog Security CTO. “We’re happy to expand our membership with the Linux Foundation and support this cross-industry collaboration to identify and fix open source security vulnerabilities, strengthen tools, and promote best practices to ensure developers can easily shift left and bake-in security from the start of application planning and design — all the way to software deployment, distribution, and runtime.”

Nutanix

“The world runs on open source software and Nutanix is eager to help ensure its security. This can only be achieved through broad industry collaboration. We believe in the founding vision of the Open Source Security Foundation. We hope to help empower open source developers and better protect all of our customers with the partnership it enables. As members of the Open Source Software Foundation, we join other industry leaders in strengthening the software supply chain security we all rely upon,” said Rajiv Mirani, Chief Technology Officer at Nutanix.

StackHawk

“Software development is moving faster than ever before. The industry needs tooling and processes to ensure that security can keep up with today’s pace of development. StackHawk is excited about the work that the Open Source Security Foundation is doing to improve security and we are proud to continue as a member,” said Joni Klippert, StackHawk Founder & CEO.

Tencent

“In IT development to date, an increasing number of critical businesses and core competencies have been built on open source, and this trend will continue. As an important part of the software supply chain, open source security plays an important role in the entire software supply chain. Tencent Cloud has always been keen to contribute code and technology to open source projects, and also maintains a continuous huge investment in security. It is very gratifying to see that OpenSSF can be established, and we look forward to working closely with industry partners to improve the security level of open source software and strengthen the software supply chain security,” said KK Dong, Chief Security Officer at Tencent Cloud.

Wind River

“As the dependency on open-source software becomes increasingly pervasive, the Open Source Security Foundation’s community-driven approach to developing and sharing security metrics, tools and best practices becomes an imperative. Our customers are actively interested in the health of the open source from which their solutions are constructed, and assuring secure development across the open supply chain is vital,” said Paul Miller, CTO, Wind River. “We are looking forward to collaborating more closely with the OpenSSF community. By working together, Wind River can provide customers with a level of open source security assurance that would otherwise be unobtainable.”

About the Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 1,800 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, Hyperledger, RISC-V, and more.  The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at https://www.linuxfoundation.org/

###

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Media Contacts

Jennifer Cloer

503-867-2304

jennifer@storychangesculture.com

Backed by many of the world’s largest companies for more than a decade, SPDX formally becomes an internationally recognized ISO/IEC JTC 1 standard during a transformational time for software and supply chain security

SAN FRANCISCO, September 9, 2021 – The Linux Foundation, Joint Development Foundation, and the SPDX community, today announced the Software Package Data Exchange® (SPDX®) specification has been published as ISO/IEC 5962:2021 and recognized as the international open standard for security, license compliance, and other software supply chain artifacts. ISO/IEC JTC 1 is an independent, non-governmental standards body. 

Intel, Microsoft, Siemens, Sony, Synopsys, VMware, and Wind River are just a small sample of the companies already using SPDX to communicate Software Bill of Materials (SBOM) information in policies or tools to ensure compliant, secure development across global software supply chains.

“SPDX plays an important role in building more trust and transparency in how software is created, distributed, and consumed throughout supply chains. The transition from a de-facto industry standard to a formal ISO/IEC JTC 1 standard positions SPDX for dramatically increased adoption in the global arena,” said Jim Zemlin, executive director, the Linux Foundation. “SPDX is now perfectly positioned to support international requirements for software security and integrity across the supply chain.” 

Between eighty and ninety percent (80%-90%) of a modern application is assembled from open source software components. An SBOM accounts for the software components contained in an application — open source, proprietary, or third-party — and details their provenance, license, and security attributes. SBOMs are used as a part of a foundational practice to track and trace components across software supply chains. SBOMs also help to proactively identify software issues and risks and establish a starting point for their remediation.

SPDX results from ten years of collaboration from representatives across industries, including the leading Software Composition Analysis (SCA) vendors – making it the most robust, mature, and adopted SBOM standard. 

“As new use cases have emerged in the software supply chain over the last decade, the SPDX community has demonstrated its ability to evolve and extend the standard to meet the latest requirements. This really represents the power of collaboration on work that benefits all industries,” said Kate Stewart, SPDX tech team co-lead. “SPDX will continue to evolve with open community input, and we invite everyone, including those with new use cases, to participate in SPDX’s evolution and securing the software supply chain.”  

For more information on how to participate in and benefit from SPDX, please visit: https://spdx.dev.

To learn more about how companies and open source projects are using SPDX, recordings from the “Building Cybersecurity into the Software Supply Chain” Town Hall that was held on August 18th are available and can be viewed at: https://events.linuxfoundation.org/supply-chain-town-hall/ 

ISO/IEC JTC 1 is an independent, non-governmental international organization based in Geneva, Switzerland. Its membership represents more than 165 national standards bodies with experts who share knowledge and develop voluntary, consensus-based, market-relevant international standards that support innovation and provide solutions to global challenges.

Supporting Comments

Intel

“Software security and trust are critical to our Industry’s success. Intel has been an early participant in the development of the SPDX specification and utilizes SPDX both internally and externally for a number of software use-cases,” said Melissa Evers, Vice President – Software and Advanced Technology Group, General Manager of Strategy to Execution, Intel.

Microsoft

“Microsoft has adopted SPDX as our SBOM format of choice for software we produce,” says Adrian Diglio, Principal Program Manager of Software Supply Chain Security at Microsoft. “SPDX SBOMs make it easy to produce U.S. Presidential Executive Order compliant SBOMs, and the direction that SPDX is taking with the design of their next gen schema will help further improve the security of the software supply chain.”

Siemens

“With ISO/IEC 5962:2021 we have the first official standard for metadata of software packages. It’s natural that SPDX is that standard, as it’s been the de facto standard for a decade. This will make license compliance in the supply chain much easier, especially because several open source tools like FOSSology, ORT, scancode, and sw360 already support SPDX,” said Oliver Fendt, senior manager, open source at Siemens. 

Sony

“The Sony team uses various approaches to managing open source compliance and governance,” says Hisashi Tamai, Senior Vice President, Deputy President of R&D Center, Representative of the Software Strategy Committee, Sony Group Corporation. “An example is the use of an OSS management template sheet that is based on SPDX Lite, a compact subset of the SPDX standard. It is important for teams to be able to quickly review the type, version, and requirements of software, and using a clear standard is a key part of this process.”

Synopsys

“The Black Duck team from Synopsys has been involved with SPDX since its inception, and I personally had the pleasure of coordinating the activities of the project’s leadership for more than a decade. Representatives from scores of companies have contributed to the important work of developing a standard way of describing and communicating the content of a software package,” said Phil Odence, General Manager, Black Duck Audits.

VMware

“SPDX is the essential common thread among tools under the Automating Compliance Tooling (ACT) Umbrella. SPDX enables tools written in different languages and for different software targets to achieve coherence and interoperability around SBOM production and consumption. SPDX is not just for compliance, either; the well-defined and ever-evolving spec is also able to represent security and supply chain implications. This is incredibly important for the growing community of SBOM tools as they aim to thoroughly represent the intricacies of modern software,” said Rose Judge, ACT TAC Chair and open source engineer at VMware.

Wind River

“The SPDX format greatly facilitates the sharing of software component data across the supply chain. Wind River has been providing a Software Bill of Materials (SBOM) to its customers using the SPDX format for the past 8 years. Often customers will request SBOM data in a custom format. Standardizing on SPDX has enabled us to deliver a higher quality SBOM at a lower cost,” said Mark Gisi, Wind River Open Source Program Office Director and OpenChain Specification Chair.

About SPDX

SPDX is an open standard for communicating software bill of material information, including provenance, license, security, and other related information. SPDX reduces redundant work by providing common formats for organizations and communities to share important data, thereby streamlining and improving compliance, security, and dependability. For more information, please visit us at spdx.org.

###

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Media Contact

Jennifer Cloer

for the Linux Foundation

503-867-2304

jennifer@storychangesculture.com

Open source software (OSS) is vitally important to the functioning of society today; it underpins much of the global economy. However, while some OSS is highly secure, some is not as secure as it needs to be.

By its very nature, open source enables worldwide peer review, yet while its transparency has the potential for enhanced software security, that potential isn’t always realized. Many people are working to improve things where it’s needed. Most of that work is done by volunteers or organizations outside the Linux Foundation (LF) who directly pay people to do the work (typically as employees). Often those people work together within a foundation that’s part of the Linux Foundation. Sometimes, however, the LF or an LF foundation/project (e.g., a fund) directly funds people to do security work.

At the Linux Foundation (LF), I have the privilege of overseeing focused work to improve OSS security by the very people paid to do it. This work is funded through various grants and foundations, with credits to organizations like Google, Microsoft, the Open Source Security Foundation (OpenSSF), the LF Public Health foundation, and the LF itself.

The LF and its foundations do much more that I don’t oversee, so I’ve only listed the ones I am personally involved with in the interest of brevity. I hope it will give you a sense of some of the things we’re doing that you might not know about otherwise.

The typical LF oversight process for this work is described in “Post-Approval LF Security Funding.” Generally, performers must provide a periodic summary of their work so they can get paid. Most of those summaries are public, and in those cases, it’s easy for others to learn about their interesting work!

Here’s a sample of the work I oversee:

  • Ariadne Conill is improving Alpine Linux security, including significant improvements to its vulnerability processing and making it reproducible. For example, as noted in the July 2021 report, this resulted in Alpine 3.14 being released with the lowest open vulnerability count in the final release in a long time. Alpine Linux’s security is important because many containers use it. For more information, see “Bits relating to Alpine security initiatives in June” and “Bits relating to Alpine security initiatives in July.”
  • kpcyrd is doing a lot of reproducible build work on Linux distributions, especially Alpine Linux (including on the Raspberry Pi) and Arch Linux. Reproducible builds are a strong countermeasure against build system attacks (such as the devastating attack on SolarWinds Orion). More than half of the currently unreproducible packages in Arch Linux have now been reviewed and classified.
  • David Huseby has been working on modifying git to have a much more flexible cryptographic signing infrastructure. This will make it easier to verify the integrity of software source code; git is widely used to manage source code.
  • Theo de Raadt has also been receiving funding to secure the critical “plumbing” behind modern communications infrastructure:
    • This funding is being used toward improving OpenSSH (a widely-used tool whose security is critical). The improvements include various smaller fixes, an updated configuration file parser, and a transition to using the SFTP protocol rather than the older RCP protocol inside the scp(1) program.
    • It is also being used to improve rpki-client, an implementation of Resource Public Key Infrastructure (RPKI) validation. RPKI is an important mechanism for protecting the Internet’s routing protocols from attack. These improvements implement the RPKI Repository Delta Protocol (RRDP) data transfer protocol and fix various edge cases (e.g., through additional validation checks). The https://irrexplorer.nlnog.net/ service is even using rpki-client behind the scenes.
  • Nathan Chancellor is improving the Linux kernel’s ability to be compiled with clang (instead of just gcc). This includes eliminating warning messages from clang (which helps to reduce kernel bugs even when gcc is used) and fixing/extending the clang compiler (which helps clang users when compiling code other than the Linux kernel). Unsurprisingly this involves changing both the Linux kernel and the clang/LLVM compiler infrastructure, and sometimes other software as well.
    • In the long run, eliminating warnings that by themselves aren’t bugs is important; developers will ignore warnings if there are many irrelevant ones, but if there are only a few warnings, they’ll examine them (making warnings more useful).
    • Of notable mention for security implications is clang support for Control-Flow Integrity (CFI); this can counter many attacks on arm64, and work will eventually enable x86_64 support.
  • I oversee some security audits conducted via the Open Source Technology Improvement Fund (OSTIF) when funded through the LF. We (the LF) often work with OSTIF to conduct security audits. We work with OSTIF to define the audit scope, and then OSTIF runs a bidding process where qualified security audit firms propose to do the work. We then work with OSTIF to select the winner (who isn’t always the cheapest — we want good work, not a box-check). OSTIF & I then oversee the process and review the final result. 
    • Note that we don’t just want to do audits, we also want to fix or mitigate any critical issues the audits identify, but the audits help us find the key problems. Subject matter experts perform the audit reports, and handling bidding is OSTIF’s primary focus, so my main contribution is usually to help ensure these reports are clear to non-experts while still being accurate. Experts sometimes forget to explain their context and jargon, and it’s sometimes hard to fix that (you must know the terminology & technology to explain it).
    • This work included two security audits related to the Linux kernel, one for signing and key management policies and the other for vulnerability reporting and remediation.
    • I’ve also overseen audits of the exposure notification applications COVID Shield and COVID Green.
    • It’s not part of my oversight of OSTIF on behalf of the LF, but I also informally talk with OSTIF about other OSS they’re auditing (such as flux2, lodash, jackson-core, jackson-databind, httpcomponents-core, httpcomponents-client, laravel, and slf4j). A little coordination and advice-sharing among experts can make everything better.
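The rpki-client item in the list above concerns fetching ROAs and validating their certificate chains; what a router then does with the resulting validated ROA payloads (VRPs) is Route Origin Validation, the decision RPKI exists to support. The following is an added example, not rpki-client’s code or any project’s code referenced in this post: it takes a constructed VRP list in an assumed “asn,prefix,maxlength” CSV form (the prefixes are documentation ranges and the ASNs private-use values) and classifies BGP announcements as Valid, Invalid or NotFound per RFC 6811, including the AS0 ROA case from RFC 7607.

```python
"""Route Origin Validation (RFC 6811) against a set of validated ROA payloads.

Added example; it is not rpki-client code. rpki-client fetches ROAs from the
RPKI repositories (over rsync or RRDP), validates their certificate chains and
emits validated ROA payloads (VRPs). This block starts from such VRPs, here a
constructed list in an assumed "asn,prefix,maxlength" CSV form, and makes the
origin-validation decision a router makes for each BGP route.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed VRPs using documentation prefixes and private-use ASNs.
CONSTRUCTED_VRPS = """\
# asn,prefix,maxlength
AS64496,192.0.2.0/24,24
AS64496,198.51.100.0/24,26     # may also be announced as /25 or /26
AS0,203.0.113.0/24,24          # AS0 ROA (RFC 7607): nobody may originate this
AS64497,2001:db8::/32,48
"""


@dataclass(frozen=True)
class VRP:
    asn: int
    prefix: Network
    max_length: int


def parse_vrps(text: str) -> List[VRP]:
    """Parse the assumed CSV form, rejecting VRPs whose maxLength is malformed."""
    vrps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        asn_s, prefix_s, maxlen_s = (f.strip() for f in line.split(","))
        asn_s = asn_s.upper()
        if asn_s.startswith("AS"):
            asn_s = asn_s[2:]
        prefix = ipaddress.ip_network(prefix_s, strict=True)  # host bits set -> ValueError
        max_length = int(maxlen_s)
        if not prefix.prefixlen <= max_length <= prefix.max_prefixlen:
            raise ValueError(f"maxLength out of range in VRP: {line!r}")
        vrps.append(VRP(int(asn_s), prefix, max_length))
    return vrps


def covers(vrp: VRP, route: Network) -> bool:
    """A VRP covers a route when the route lies inside the VRP prefix
    (same address family, equal or longer prefix length)."""
    return vrp.prefix.version == route.version and route.subnet_of(vrp.prefix)


def validate(route: Network, origin_asn: int, vrps: Iterable[VRP]) -> str:
    """RFC 6811 section 2: NotFound if no VRP covers the route; Valid if any
    covering VRP matches (route length <= maxLength and same origin AS);
    otherwise Invalid. An AS0 VRP covers but never matches (RFC 7607), so a
    prefix protected only by an AS0 ROA is Invalid whoever originates it."""
    covering = [v for v in vrps if covers(v, route)]
    if not covering:
        return "NotFound"
    if any(route.prefixlen <= v.max_length and v.asn == origin_asn and v.asn != 0
           for v in covering):
        return "Valid"
    return "Invalid"


def demo() -> dict:
    """Classify constructed announcements against the constructed VRPs."""
    vrps = parse_vrps(CONSTRUCTED_VRPS)
    announcements = [
        ("192.0.2.0/24", 64496),       # exact match
        ("192.0.2.0/25", 64496),       # more specific than maxLength 24
        ("192.0.2.0/24", 64511),       # wrong origin: hijack or misconfiguration
        ("198.51.100.128/25", 64496),  # within maxLength 26
        ("198.51.100.0/27", 64496),    # beyond maxLength 26
        ("203.0.113.0/24", 64496),     # covered only by an AS0 ROA
        ("10.0.0.0/8", 64496),         # no ROA at all
        ("2001:db8:1::/48", 64497),    # IPv6, within maxLength 48
        ("2001:db8::/29", 64497),      # less specific than any ROA: not covered
    ]
    return {f"{p} from AS{a}": validate(ipaddress.ip_network(p), a, vrps)
            for p, a in announcements}


if __name__ == "__main__":
    for route, state in demo().items():
        print(f"{route:34} {state}")
```

The decision is deliberately asymmetric: a route with no covering ROA is NotFound rather than Invalid, because RPKI coverage is partial and dropping NotFound routes would blackhole much of the Internet; operators typically drop only Invalid and leave NotFound policy to local preference.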
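The reproducible-build item in the list above states the countermeasure without showing what makes a build unreproducible in the first place. The following is an added example, not code from Alpine Linux, Arch Linux or kpcyrd’s tooling: it packages two checkouts of the same constructed source tree, once naively and once with the metadata pinned (mtimes to the SOURCE_DATE_EPOCH convention from reproducible-builds.org, with an assumed value here; ownership to root; modes to 0644/0755; entries in sorted order; the gzip header timestamp zeroed). Only the normalised archive hashes identically across the two checkouts, which is the property that lets independent builders compare output and detect a tampered build server.

```python
"""Reproducible packaging: a naive archive versus a normalised one.

Added example; not code from Alpine, Arch Linux or kpcyrd's tooling. Two
checkouts of the same constructed source tree are packaged twice. The naive
build leaks per-machine state (file and directory mtimes, uid/gid, the gzip
header timestamp), so its digest differs between checkouts and a verifier
cannot distinguish a compromised build from an honest one. The normalised
build pins those fields, so independent builders obtain byte-identical output.
"""
import gzip
import hashlib
import io
import os
import tarfile
import tempfile
from pathlib import Path

# Assumed value for SOURCE_DATE_EPOCH; a real build derives it from the
# source's last commit or changelog date so every builder agrees on it.
SOURCE_DATE_EPOCH = 1_625_097_600  # 2021-07-01T00:00:00Z

# Constructed sample package contents.
CONSTRUCTED_TREE = {
    "bin/tool": "#!/bin/sh\necho constructed sample\n",
    "share/doc/README": "constructed sample package\n",
}


def write_tree(root: Path, files: dict, mtime: int) -> None:
    """Materialise the tree; mtime stands in for 'when this checkout happened'."""
    for rel, content in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
        if rel.startswith("bin/"):
            path.chmod(0o755)
    for path in [root, *root.rglob("*")]:
        os.utime(path, (mtime, mtime))


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def naive_build(root: Path) -> bytes:
    """Whatever the filesystem reports goes into the archive, clock included."""
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w:gz") as tar:
        tar.add(root, arcname="pkg")
    return out.getvalue()


def _normalise(info: tarfile.TarInfo, epoch: int) -> tarfile.TarInfo:
    """Pin every header field that varies by machine, user or time."""
    info.mtime = epoch
    info.uid = info.gid = 0
    info.uname = info.gname = "root"
    info.mode = 0o755 if info.isdir() or (info.mode & 0o111) else 0o644
    return info


def reproducible_build(root: Path, epoch: int = SOURCE_DATE_EPOCH) -> bytes:
    """Sorted entries, pinned metadata, gzip header mtime set to zero."""
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w", format=tarfile.GNU_FORMAT) as tar:
            tar.add(root, arcname="pkg", recursive=False,
                    filter=lambda ti: _normalise(ti, epoch))
            entries = sorted(root.rglob("*"),
                             key=lambda p: p.relative_to(root).as_posix())
            for path in entries:
                rel = path.relative_to(root).as_posix()
                tar.add(path, arcname=f"pkg/{rel}", recursive=False,
                        filter=lambda ti: _normalise(ti, epoch))
    return out.getvalue()


def demo() -> dict:
    """Package two checkouts (different paths, different checkout times)."""
    with tempfile.TemporaryDirectory() as tmp:
        a, b = Path(tmp, "checkout_a"), Path(tmp, "checkout_b")
        write_tree(a, CONSTRUCTED_TREE, mtime=1_600_000_000)
        write_tree(b, CONSTRUCTED_TREE, mtime=1_600_003_600)  # an hour later
        naive = (sha256(naive_build(a)), sha256(naive_build(b)))
        repro = (sha256(reproducible_build(a)), sha256(reproducible_build(b)))
    return {
        "naive_matches": naive[0] == naive[1],
        "normalised_matches": repro[0] == repro[1],
        "normalised_digest": repro[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The archive is only the last step; a real package also needs a deterministic compiler invocation (no embedded build paths, timestamps or randomised symbol names), which is most of the classification work the Arch Linux item above refers to. The comparison itself is the cheap part: once two builders publish digests, anyone can diff them.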

The future is hard to predict, but we anticipate that we will be doing more. In late July, the OpenSSF Technical Advisory Council (TAC) recommended approving funding for a security audit of (part of) Symfony, a widely-used web framework. The OpenSSF Governing Board (GB) approved this on 2021-08-05 and I expect OSTIF will soon take bids on it.

The OpenSSF is also taking steps to raise more money via membership dues (this was delayed due to COVID; starting a new foundation is harder during a pandemic). Once the OpenSSF has more money, we expect they’ll be funding a lot more work to identify critical projects, do security audits, fix problems, and improve or create projects to enhance OSS security. The future looks bright.

Please remember that this is only a small part of ongoing work to improve OSS security. Almost all LF projects need to be secure, so most foundations’ projects include security efforts not listed here. As noted earlier, most development work is done by volunteers or by non-LF organizations directly paying people to do the work (typically employees). 

The OpenSSF has several working groups and many projects where people are working together to improve OSS security. These include free courses on how to develop secure software and the CII Best Practices badge project. We (at the LF) also have many other projects working to improve OSS security. For example, sigstore is making cryptographic signatures much easier; sigstore’s “cosign” tool just released its version 1.0. Many organizations have recently become interested in software bill-of-materials (SBOMs), and we’ve been working on SBOMs for a long time.

If you or your organization would like to fund focused work on improving OSS security, please reach out! You can contribute to the OpenSSF (in general or as a directed fund); just contact them (e.g., Microsoft contributed to OpenSSF in December 2020). If you’d prefer, you can create a grant directly with the Linux Foundation itself — just email me at <dwheeler@linuxfoundation.org> if you have questions. For smaller amounts, say to fund a specific project, you can also consider using the LFX crowdfunding tools to fund or request funding. Many people & organizations struggle to pay individual OSS developers because of the need to handle taxes and oversight. If that’s your concern, talk to us. The LF has experience & processes to do all that, letting experts focus on getting the work done.

My sincere thanks to all the performers for their important work and to all the funders for their confidence in us!

About the author: David A. Wheeler is Director of Open Source Supply Chain Security for The Linux Foundation.