Linux and open-source software are much easier to secure than proprietary software. As open-source co-founder Eric S. Raymond pointed out with Linus’ law: “Given enough eyeballs, all bugs are shallow.” But it requires eyeballs looking for bugs in the first place to make it work. Jim Zemlin, the Linux Foundation (LF)’s executive director, said in the aftermath of the Heartbleed and Shellshock security fiascos: “In these cases, the eyeballs weren’t really looking.”
To help remedy this, David A. Wheeler, the LF’s director of Open Source Supply Chain Security, recently revealed the LF or its related foundations and projects directly fund people to do security work. Here’s how it works.
The funding comes from a variety of pro-Linux and open-source organizations. These include Google, Microsoft, the Open Source Security Foundation (OpenSSF), the LF Public Health foundation, and the LF itself. When a problem is found, a developer reaches out to the appropriate LF organization. Generally speaking, a contract is then set up that briefly describes what problem needs to be fixed and how it will be done, the funds required for it, and who will do the work.
The proposal is then examined by the appropriate LF technical review point of contact (POC). This POC is often Wheeler himself.
Once your project is approved, progress reports are made approximately once a month. These must include:
- A stable URL of a publicly accessible post (e.g., a blog or archived mailing list post) describing what you did that month.
- The post must briefly describe what has been accomplished using the funding since the last invoice. Include its date and hyperlinks to details. If git commits were involved, include hyperlinks to them. Make it easy for technical people to learn details (e.g., via hyperlinks).
- Also briefly describe why this work is important or link to such description(s), for someone who is not intimately familiar with it. Some readers may see your post out of context.
- Give credit, similar to National Public Radio. (e.g., “This work to <X> was [partially] funded by the OpenSSF, Google, and The Linux Foundation.”) Thanking others is always polite. We also want people to consider funding OSS security as normal.
- Publicly provide an identifier (a personal name, pseudonym, or project name) of who’s doing the work. This simplifies referring to the work. You do not need to reveal your personal name(s) publicly, though you’re welcome to do so.
This is a lightweight process. It shouldn’t take more than 20 minutes to write these reports. You may find it easier to write your post while you do the work. Funded work must be available under the appropriate open-source licenses. For example, bug fixes to Linux must be licensed under the GNU General Public License Version 2 (GPLv2).
The POC will then review the post, and if it seems reasonable, approve the payment. Wheeler explained: “We understand that sometimes problems arise. We just want to see credible efforts. If there’s a serious roadblock, try to suggest ways to overcome it or provide partial/incremental benefits. We need to provide confidence to funders that we aren’t wasting their money.”
So, what kind of projects are we talking about? Wheeler cites several examples. These include:
Ariadne Conill, the Alpine Linux security team chair, is improving this important container Linux distro’s security. In particular, Conill has improved its vulnerability processing and made it reproducible. For example, this resulted in Alpine 3.14 being released with the lowest open vulnerability count in the final release in a long time.
On Git, the vital distributed version control system, David Huseby has been working on modifying git to have a much more flexible cryptographic signing infrastructure. This will make it easier to verify the integrity of software source code.
It’s not just Linux-related programs that get security help. Theo de Raadt, founder and leader of OpenBSD and OpenSSH, has received funding to secure OpenSSH’s plumbing. OpenSSH is an important suite of networking utilities based on the Secure Shell (SSH) protocol. De Raadt has also been funded to help secure Resource Public Key Infrastructure (RPKI), which protects internet routing protocols from attack.
Besides fixing known problems, the LF and company are also looking for security troubles we don’t know about yet. That’s being done with security audits via the Open Source Technology Improvement Fund (OSTIF). These projects include two Linux kernel security audits: one for signing and key management policies and the other for vulnerability reporting and remediation. Subject matter experts perform the audits and write the reports, while Wheeler ensures these reports are clear to non-experts while still being accurate.
Looking ahead, OpenSSF is also working on improving overall open-source software security. This includes free courses on how to develop secure software and the CII Best Practices badge project. Other projects that improve OSS security include sigstore, which is making cryptographic signatures much easier, and work on improving software bills of materials (SBOMs).
If you’d like to help pay for this kind of work, the LF wants to hear from you. You can contribute to the OpenSSF by just contacting the organization. Or, if you’d rather, you can create a grant directly with the Linux Foundation itself. If you have questions, just email Wheeler at email@example.com. For smaller amounts — say, to fund a specific project — you can also use the LFX crowdfunding tools to fund or request funding.
Having trouble with the business side of funding security coding and audits? You’re not alone. As Wheeler said: “Many people and organizations struggle to pay individual open-source software developers because of the need to handle taxes and oversight. If that’s your concern, talk to us. The LF has experience and processes to do all that, letting experts focus on getting the work done.”