
Open source software faces threats from deprecated and destructive software


A string of “sabotage” incidents in open source software is sparking discussion about how to protect the projects that underpin digital platforms and networks around the world. Many of the recent incidents are referred to as “protestware” because they involve open source developers making code changes to show support for Ukraine in the wake of Russia’s invasion and ongoing attack on that country.

In some cases, the open source software has been modified to display anti-war overlays or other messages of solidarity with Ukraine. In at least one case, however, a widely used software package was modified to include a malicious data wiper targeting Russian and Belarusian computers. This wave of open source protestware comes just months after a seemingly unrelated incident in which a maintainer vandalized two of his own widely used open source projects, apparently out of frustration at feeling overworked and uncompensated.

The incidents have so far been relatively contained, but they threaten to further shake confidence in the ecosystem just as the tech industry scrambles to address other software supply chain security issues in open source code. And while financial support, the promise of automated tools, and the attention of the White House are welcome, the open source community still needs stronger and more sustainable help.

In a statement on Thursday, the Open Source Initiative, which has explicitly denounced Russia’s war in Ukraine, came out against destructive protestware, calling on community members to find alternative, creative ways to use their position as maintainers to protest the war.

“The downside of vandalizing open source projects far outweighs any potential benefits, and the harm will ultimately fall on the projects and the contributors responsible,” the group writes. “Use your power, yes – but use it wisely.”

Open source software is free for anyone to use, so its tools and programs are incorporated into everything from independent projects to mainstream, proprietary consumer software. No one wants to take the time to write and test a component from scratch when they can simply plug in a ready-made version. This means, however, that all types of software rely on projects maintained by one or a handful of volunteers — or on projects that are no longer maintained at all.

A long-touted benefit of open source software is that it is potentially as secure as, or more secure than, proprietary code, because it is open to independent scrutiny. The idea is that many eyes catch more bugs. In practice, however, this safeguard has limits precisely because there often are not many eyes. The question of vandalism, moreover, strikes at the heart of the open source premise of a decentralized, distributed space.

“Systemically, nothing is really in place to prevent insider vandalism,” said Dan Lorenc, an open source software supply chain researcher and founder of the security firm Chainguard, who is surprised it does not happen more often. “Projects build reputations over time, and people who often go by pseudonyms trust each other’s digital identities for the work they do. There is no global list of approvers, and each project has a different culture for how you become an ‘approver,’ a developer empowered to approve and publish code changes.”
