State of Open: Open Source Has Won, but Is It Sustainable?
LONDON — Open Source has “won” but still stands to lose if government and corporations don’t step up to ensure the resiliency and sustainability of the ecosystem into the future, the State of Open Conference heard earlier this month.
Opening the conference here, OpenUK CEO Amanda Brock said digitalization and the progress of open source over the last five to 10 years had elevated engineers and “brought their status to a level where they’re able to make decisions and be influencers.”
But the success of open source, along with concerns over its security, also meant more focus from policymakers, meaning proposed new laws and government strategies.
“There are some concerns with some of those about where the burden of risk might shift,” said Brock. The recent EU Cyber Resiliency Act was an example of this, with fears it could shift liability onto the maintainers and distributors of projects.
At the same time, Brock said, there were imbalances in the ecosystem, with frequently used components often being maintained by a single person or small groups. “This means the maintainer might not have the resources to update and maintain the package properly and in a timely manner, or adequately review and quality assure code. There is also the risk of the code becoming unmaintained.”
Eric Brewer, Google’s vice president of infrastructure, discussed his model for “curation” of open source projects with Brock. “I would say … essentially all open source is not as trustworthy as we actually currently trust it,” Brewer said.
There is “a fundamental disconnect,” he said, that leads to the need for curation.
“Everyone understands that open source is free. And free software makes people vastly more productive … But it says literally on every file, pretty much, this comes ‘as is,’ use at your own risk.”
This means that organizations, including enterprises and governments, that are using open source software can have erroneous expectations about maintainers’ responsibilities — for example, in providing fixes for vulnerabilities.
His model envisages “curators” actively finding and fixing vulnerabilities: “The curator you can think of as the group that’s going to take ‘as is’ software and convert it to supported software.”
He added this was the role fulfilled by the likes of Canonical or Red Hat for their services, but this only extended to a tiny proportion of open source software. “You actually need curation for your Apache web server, and your Log4J, and your Spring Java libraries and all kinds of things.”
Curation is the only path forward, he said. “I think it’s honestly an existential threat to open source if you don’t figure out how to cause a path for secure software to get to the consumers … without saying, oh, volunteers should do more.”
If curation is one part of the jigsaw puzzle for making open source sustainable, another is government action, particularly when it comes to enhancing security and resiliency. The European Union is currently progressing its Cyber Resiliency Act, while the U.K. has just launched a consultation on Open Source Resilience and Security, and the White House is pushing forward with a cyber strategy aimed at securing the software supply chain, including open source.
“In the Office of the National Cyber Director in particular, we’ve been very focused on how do we evolve towards a digital ecosystem that is secure, resilient and equitable,” said Camille Stewart Gloster, the White House’s deputy national cyber director, in a panel discussion at the conference. “And to do that, you need to not only focus on stuff today, but think about those things in the context of the future. How do we build future resilience?”
In the same session, Salem Avan, director for the United Nations’ policy, strategy and governance division, said open source offered great opportunities, particularly for developing countries to unleash creativity and innovation, but the legal and policy frameworks aren’t always in place.
“When we really start thinking about trying to have the U.N. be in that kind of multilateral space, I think it really has to be regional,” he said. “It has to be partnerships around specific projects, specific activities, specific ideas or opportunities that we really want to try and achieve together.” This would include the private as well as the public sector.
“If we can get to that space, then I think we can start building up the different tiers that we need to improve open source in a global way that’s meaningful. And maybe from now, we can start building larger impetus, larger coalitions, larger consensus across these areas.”
He added that for many countries their immediate concerns were much more visceral and focused on basic needs. For them, open source is “really just a frontier. It’s something that’s new, there isn’t the kind of understanding of how to even enter into that area.”
Mike Bracken, founding partner of Public Digital, and former executive director of digital and chief data officer for the U.K. government, said the supply chain for technology in the U.K. had effectively been an oligopoly in the past, which worked against open source projects. Breaking this down had been a question of signaling “our intent.”
The open source community, he said, had to have the “confidence to face down institutions” and say “we’re not going to be judged by the same standards, whether it be security or just as an industry, [as] the previous rent-seeking technology companies [that] have carved up the public sector.”
For more on open source sustainability efforts, check out this episode of The New Stack Makers, with guest Dawn Foster of VMware’s open source program office, recorded in September at Open Source Summit EU in Dublin: