The Fragile Open Source Ecosystem Isn't Ready for 'Protestware'
Metadata
- URL: https://www.wired.com/story/open-source-sabotage-protestware/?bxid=621d5f6ee1edea165f7bcfec&cndid=68808180&esrc=register-page&source=EDT_WIR_NEWSLETTER_0_DAILY_ZZ
- Published Date: 2022-03-25
- Author: Hay Newman
Highlights
- In some cases, open source software has been modified to display anti-war overlays or other messages of solidarity with Ukraine. In at least one instance, though, a popular software package was modified to deploy a malicious data wiper on Russian and Belarusian computers.
- maintainer sabotaged two of his widely used open source projects out of apparent frustration stemming from feeling overworked and under-compensated.
- In a statement on Thursday, the Open Source Initiative, which has categorically denounced Russia's war in Ukraine, came out against destructive protestware, imploring community members to find creative, alternative ways to use their positions as maintainers to oppose the war.
- No one wants to take the time to write and test a component from scratch when they could just plug and play a readymade version. This means, though, that all sorts of software rely on projects that are maintained by one or a handful of volunteers—or projects that are no longer maintained at all.
- “There’s nothing really in place, systemically, to keep incidents of insider sabotage from happening more often,” says Dan Lorenc, an open source software supply chain researcher and founder of the security firm ChainGuard. “Projects build a reputation over time, and people who are often pseudonymous come to trust each other’s digital identities because of the work they've done. There's no global approvers list, and each project has a different culture of how you become an approver,” or a developer who is empowered to approve and publish code changes.
- Casting such a wide net is particularly important because of another problem in open source security in which bad actors infiltrate projects or convince burned out maintainers to hand over the reins and then have full control to deploy whatever they want. Automated scanners have limitations, though, and Lorenc notes that they are often better at catching accidental bugs than those that are intentionally designed for sabotage.
- Longtime open source security researchers and practitioners are adamant, though, that another vital safeguard exists right out in the open: massively expanding the support and resources maintainers can seek in general and especially if their fun hobby project eventually morphs into a critical link in the global software supply chain.
- Brewer likens open source software to public infrastructure like roads or utilities. Underfunding such infrastructure can (and does) lead to mismanagement and security issues.
- that there has finally been progress on awareness in the wake of major incidents like the SolarWinds supply chain hacking spree perpetrated for Russian espionage and revelations of vulnerabilities in the Log4j open source logging library, which exposed organizations and networks around the world to attack.
- Companies like Google have made significant financial commitments in recent months to support supply chain and open source security along with other facets of cybersecurity.
- Brewer emphasizes, however, that the efforts will take sustained support beyond just writing a check.
- “And the goal is not to replace the role of maintainers but actually to support and help them, and ask them what kind of help they need.
- But he agrees that more financial and moral support for maintainers will create important safeguards around critical projects.
- “I think the temptation of using open source projects as weapons against Russia should be resisted,” software engineering consultant Gerald Benischke wrote in a blog post last week.