Open source software is a critical part of our national security infrastructure, but one that government is entirely neglecting. Federal agencies rely on OpenSSL, liblzma, etc. just as much as the private sector.

We need a division of federal government whose job isn’t to find and exploit security holes (like the NSA), but fix them. A sort of a national security agency, but that actually does…that.

It is obviously bad and unreasonable for a multi-trillion-dollar organization to hope that a few hundred volunteers, working on their own, are properly securing the tools that power that organization.
@waldoj I wonder if anyone has done a study on how much of the DIB (Defense Industrial Base) runs on OSS? I’m sure somebody has, but you could find the most common and point the Hack the Pentagon bug bounty at it. (Opinions own, is not speaking for former employee)
@waldoj the trick would be how to be supportive of OSS maintainers in a way that’s more helpful than “HEY WE FOUND A VULN”
@civicwhitaker @waldoj Esp. given this general picture of many load-bearing dependencies: “The real issue with a lot of small, foundational OSS libraries is just that there isn’t enough to do. They were written decades ago by a single person — and beyond bugfixes, they are not really supposed to change much. You don’t do major facelifts of zlib or giflib every year; even if you wave some cash around, it’s hard to build a sustainable community around watching paint dry.”
– https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor
@waldoj National Computing Safety Board
@DavidReed I really think that’s the right paradigm! The NTSB is such a model.
@DavidReed Such a *good* model, I should have written. :)
@waldoj I have been watching the Sovereign Tech Fund with great interest as a potential model. It apparently spun up in response to Log4j: https://www.sovereigntechfund.de
@jimkreft Same! I’ve met with the folks there and I’m persuaded it’s a stellar model.
@waldoj mmm.... sure, fine, that would be great, but how about addressing the problem _before_ the issues get created? My dream is for the government to fund open source development directly, a US version of the Sovereign Tech Fund.

@jacob @waldoj STF’s approach, while nice, would not have addressed this, because xz would never have made it to their radar. You need not just a lot more money (though there is that) but also the supported projects need to be driven by data on usage, not a grant-making process.

(Yes, obviously I have opinions here; and yes I’m working frantically to make the federal government a big Tidelift customer…)

@luis_in_brief @waldoj I'm not making any sort of serious argument about STF's model etc. I'm just saying that I can't see any way this changes until the government ends up funding the commons. This same thing is just gonna happen again and again until the level of funding in open source increases by several orders of magnitude and I don't see any way that companies decide to do this out of the goodness of their non-existent hearts. It's gonna be the gov or it ain't gonna happen, imo.
@luis_in_brief @jacob @waldoj Could you elaborate on what you mean by “never made it to their radar”? Maintainers can apply through a light-weight process, and we also scout and reach out to critical technologies. May be a good topic for Upstream with @krakenbuerger in June.
@sovtechfund @luis_in_brief FWIW having myself submitted a funding application to STF, I can vouch for this. OTOH, I never figured out if Tidelift can fund my project and if so, what exactly is the process.
@zeenix @sovtechfund we have a search page, you can literally look the package up and see if it qualifies? https://tidelift.com/about/lifter ("for maintainers" right at the top of our homepage :)

@luis_in_brief @sovtechfund thanks, I apologise then. I looked again and I recall now why I just gave up after I got this (see screenshot) and not getting a response from you each time I asked you (not holding that against you, just sharing why I got the wrong impression) didn't help either.

@sovtechfund I super appreciate the work you do, hope you do more of it, and hope others copy your model. But that said I do have feedback. Context: I work on, and am friends with, dozens of maintainers working on perhaps "critical" technology, and:

(a) I'm not aware of any direct outreach to STF to any of us

(b) last I looked the application didn't seem particularly “lightweight”. Perhaps it's changed?

Again huge <3s for your work but I don't think it's as accessible as you think it is.

@jacob @sovtechfund I'll throw my hat in the ring of folks who've been reached out to by STF 👋 Was a lovely exchange and the outcome was none of the project(s) maintainers were in a place to work on a grant.
@jacob thank you for the feedback! We are always trying to improve, and appreciate the points you’re bringing up.
@jacob Yes, they’re for sure a model for the US.
@waldoj or, hear me out, just make NSA do that instead.
@waldoj Especially as the White House recently released an executive order calling for type-safe languages in federal software. This would be the right time to rebuild foundational libraries with government support to avoid the next Heartbleed.
@waldoj Public money, public code, when? This seriously needs to happen. If our tax dollars are going to private corporations for no benefit to us, the system is broken. When the tech being invested in is of universal value, it should be made universally available.
@waldoj There's a "the call is coming from inside the house" joke in there somewhere