back to article Google says open source software should be more secure

In conjunction with a White House meeting on Thursday at which technology companies discussed the security of open source software, Google proposed three initiatives to strengthen national cybersecurity. The meeting was arranged last month by US national security adviser Jake Sullivan, amid the scramble to fix the Log4j …

  1. HildyJ Silver badge
    Unhappy

    Everybody knows

    Everybody recognizes the problem. Everybody has ideas about what could be done. Nobody is willing to commit the resources necessary to implement them.

    What is needed is for the big boys to pledge millions of dollars to fund hundreds of code reviewers to examine critical code.

    I'm not holding my breath.

    1. pavel.petrman

      Re: Everybody knows

      Actually, Google (and Facebook and IBM and others) did spend millions of dollars on developing open source projects and are continuing to do so, and those projects are available to general public and actually widely used.

      I, for one, am looking forward to using a program with a new version of Log4j included, which will be built, by Google, on best practices of security and performance.

      And it will be much better than any competition, at least at the beginning, when there actually is competition.

      Later it will not seem to work without Google's geolocation services and analytics services.

      Further on it will be progressively rebuilt by Google's team so that it's impossible to turn off advertising and snooping of all of my data to Google.

      And later still new network protocols and data storage formats will be proposed by Google, and later endorsed by them, which will make Log4j work only within Google's walled garden on modern and secure infrastructure.

      Oh what a joy it is when Google speaks about security and invests in open source.

      1. Alumoi Silver badge
        Coat

        Re: Everybody knows

        You should have used $corporation instead of Google.

        1. pavel.petrman

          Re: Everybody knows

          Of course I could have, but should I have? I believe I shouldn't. First, the article is about Google and I believe in comments being to the point of the corresponding article is a good thing (as a general rule for Friday rant hygiene). Second, I believe I would either cause enormous hosting costs or even a hardware failure, if I were to list all open source related misdeeds of Micros~1, Facebook, IBM, Oracle, ... No Mungo... never kill a customer. Oh . .. the wound! The wound!

          Still, you have my upvote.

      2. LDS Silver badge

        "on developing open source projects"

        Really? All of them are or projects already based on open source licenses and not being used only internally they had to publish them, or projects where they wanted actually to **reduced** the investments looking for people willingly to work for free, or at least paid by someone else.

        If you believe they did that for some ideal, you're utterly wrong....

        1. pavel.petrman

          Re: "on developing open source projects"

          The post I reacted to was about the question of spending millions by for-profit companies, my response was about said companies actually spending millions and how such spending of millions on open source tends to end. No word about wanting, willing od ideals on my part. All I said is big companies actually spending millions tend to affect only the qualitative aspect of open source badness, not quantitative. Or, if you will, the direction of badness changes, not its length.

          1. LDS Silver badge

            Re: "on developing open source projects"

            Ah, OK, it was my misundertanding - still I believe Google & C. are more interested in reducing the costs of developing some code, than trying to make it more proprietary, as long as it doesn't bring any competitive advantage - and probably if they have to spend too much to develop some code they would stop to make it available for others for free, if they see no real competitive advantage but a disadvantage instead.

      3. DevOpsTimothyC Bronze badge

        Re: Everybody knows

        Actually, Google (and Facebook and IBM and others) did spend millions of dollars on developing open source projects and are continuing to do so, and those projects are available to general public and actually widely used.

        How much of that is spent on ensuring those projects are secure (by having people both review the security AND submit security improvements) rather than simply allowing their developers to contribute to open source projects as part of adding features for their own use?

        Perhaps if they setup a bug bounty program for critical open source projects rather than simply having their own bug bounties

      4. dajames Silver badge

        Re: Everybody knows

        Later it will not seem to work ...

        Methinks that that -- the point at which the 'benefactor' seeks to use the Open Source software for profit or lock-in -- is the point at which someone will fork the project to keep it pure.

        The Open Source system does have some built-in protection against this sort of abuse.

      5. Kevin McMurtrie Silver badge

        Re: Everybody knows

        Essentially, AOSP

    2. steelpillow Silver badge

      Re: Everybody knows

      But why should the big boys invest more than is needed to make their business work? This is is a wider, nonprofit issue.

      What is needed is a nonprofit and internationally-recognised security organization, be it charitable or governmental, to be set up to do this shit.

      1. boblongii

        Re: Everybody knows

        "But why should the big boys invest more than is needed to make their business work?"

        But that's all that's being asked! If the software isn't secure enough for them, then they should fix it. Just like they would if they wrote it themselves.

        That's what Free Software is about: each contributor puts in the effort needed for their own purposes and shares the result. If everyone does that the product develops and improves over many iterations and everyone benefits.

        If users just whine about it not doing what they want or not being secure but don't fix anything, then it's not going to change, is it?

        1. LDS Silver badge

          "That's what Free Software is about"

          Like all religions, it says a thing and most people even if saying they support it, don't do what it says, because it's against their own interests.... so free software is just software you don't have to pay for.

          That's the only reason why it has been widely adopted.

        2. tiggity Silver badge

          Re: Everybody knows

          This 100%

          The big companies get to see the source of code they use.

          They choose to inadequately security audit / see code with little in the way of tests * but don't improve project by adding some.

          When something goes wrong (like the log4j bug) they then launch their ire at small groups of volunteers for not fixing fast enough / well enough.

          * It's a long time since I looked at open source code, but of the projects I did look at, none had comprehensive test suites. I am not surprised, the majority of devs hate writing tests & when you're working as a volunteer with limited time then tests are bottom of the list with bug fixes / enhancements being what you want to focus on.

          .. Cannot say commercial software is necessarily better, good intentions a plenty, but deadline / resource contention often means comprehensive test suites seem to end up on the todo list.

          .. plus tests may mean major rearchitecting of code, e.g. might need to go the "interfaces all the way down" for comprehensive unit tests with mocking - which needs lots of resource effort (as, lets face it, most code is still not written from the TDD angle, and so cannot easily retrofit proper tests)

        3. richardcox13

          Re: Everybody knows

          That's what Free Software is about: each contributor puts in the effort needed for their own purposes and shares the result.

          Nice theory. In practice this happens rarefy, and even less for transitive dependencies.

          Much easier to raise an issue asking for a fix or extra functionality.

  2. LDS Silver badge
    Facepalm

    "like Universal Basic Income for the developer community!

    Still, how do you identify those who have the right for that income? Look at the commits they do? With which metrics? Should all of them paid the same, regardless the code they write, and its quality?

    Many of them may be non US citizen also - which State should pay them, and how? Or exploiting non US citizen is fine? Or non US companies will be able to exploit developers paid by US taxpayers?

    What about identifying them for payments? Or money are just sent to some random nickname? Should they also register with their revenue services because they now have a specific income and that usually means it has to be known for accessing or not other services for free? If those people are not directly employed or at least paid by companies, there's no easy solution. And a Code Sovkhoz is not the right one.

    Meanwhile Google still wants to match "volunteers" - not paid developers, its whole business has been built on being able not to pay software licenses.

    1. bombastic bob Silver badge
      Megaphone

      Re: "like Universal Basic Income for the developer community!

      the recording industry has traditionally used a small number of highly successful musicians to LITERALLY FUND A WHOLE LOT OF CRAP. This has resulted in a number of independents going around the recording industry's TOLLWAY and a few bands and artists having to CHANGE THEIR NAMES to get out of CONFISCATORY CONTRACTS.

      Basically, the "Engineer formally known as XXX" should NOT have to give up ANY kind of reward for success to a bunch of incompetent or 'focused only on what HE likes' coders or "copy-pasta-master" scripters, or anyone else NOT the one who earned it.

      (Apply this same kind of thinking to the jungle and it's SURVIVAL OF THE LAZIEST)

  3. SundogUK Silver badge

    "The open source community definitely needs some form of universal basic income..."

    If Google et al are going to pony up for this, then fair enough; if they expect my taxes to fund it, they can fuck right off.

    1. 42656e4d203239
      Trollface

      repeat after me...

      "Privatise the profits, socialise the losses"

      One way or another, your taxes will fund it.

      1. EnviableOne Silver badge

        as long as there is an Open Source Users tax to fund it...

        let's say 1% on revenue for companies with a market value over $1tr ...

        1. bombastic bob Silver badge
          Unhappy

          yet another tax... oh wow THAT would help (*NOT*)

          nothing kils an economic activity like a NEW TAX (starts off small, and only on a few, soon gets big, and applies to YOU). After all, in SOME places they put huge taxes on tobacco to get people to stop smoking.,.

  4. _LC_ Silver badge
    Thumb Down

    Android MediaFramework anyone?

    Hello Google, you can't do shit!

  5. F0ulRaven

    If any funding does become available, it needs to be linked to support rather than the software itself.

    People write the software for fame and fun, they don't do the support with the same spirit.

    Seems to me we could use some of the ideas used within blockchain and crypto to help pay for the support, like the miner model?

    That could then still be open rather than end up becoming a Google tax for everyone?

    1. AndrueC Silver badge
      Unhappy

      You were doing okay until you decided to drag blockchains into it.

      1. LDS Silver badge
        Joke

        That's actually a good idea - each commit should be in a blockchain so it is possible to assess how to pay each developer!

        1. bombastic bob Silver badge
          Unhappy

          the 'Amway' multi-level marketing approach? Wow that could get complicated...

  6. Anonymous Coward
    Anonymous Coward

    For their next trick, the US Government will invite convicted murderers, rapists, drug dealers, embezzlers, and bootleggers to a White House summit on "Sentencing guidelines for violent crime". Details to follow.

    But back to the story, this is exactly what Google has been waiting for - a chance to take over management of chunks of FOSS and claim it's "for the good of all humanity". Only something as feeble-minded as the Federal Government would fall for that. If you think Android sucks now, just you wait...

    1. AVee
      Unhappy

      And if they play their cards right they might even manage to make the government pay for (parts of) it. Win-win...

      1. _LC_ Silver badge

        They are the government.

  7. Adair Silver badge

    Two cultures ...

    In the jungle 'survival of the fittest' is commensal with everything being interdependent.

    In the mono-culture over the road, everything depends on how much money the farmer can pay to keep the bugs at bay.

  8. EnviableOne Silver badge
    Go

    Had a thought

    I know it's unusual, but...

    If there was say a group or team of people that if there was a problem or Incident you might say would then join in to help out or "respond"

    perhaps this could be funded centrally, maybe by $digicorp or the government

    perhaps we could call it a Software Incident Response Team...

    1. MatthewSt

      Re: Had a thought

      It's not just software that's subject to vulnerabilities now with open source hardware also in the mix

      Looks like you're going to need a Software / Hardware Incident Team

      1. AndrueC Silver badge
        Joke

        Re: Had a thought

        No that's step number two. Step number one is to get a Programmer's Introspective Security System in place.

        1. bombastic bob Silver badge
          Pint

          Re: Had a thought

          have some more beer (it should increase your output)

    2. bombastic bob Silver badge
      Trollface

      Re: Had a thought

      perhaps we could call it a Software Incident Response Team...

      S.I.R.T. ? That acronym is not snarky enough. But it DOES use 4 letters...

  9. heyrick Silver badge

    FFS

    The idea of "paying isn't bad but pay who" and "I'm not sure a licence change would fix this" is in any way anything other than smoke and mirrors when the true colours are revealed in the bullet point that says:

    "to match volunteers to needy projects"

    Volunteers, note. Volunteers.

  10. deadcow

    Big business: "We need to find a way to make the free software that we're all using safer"

    Community: "Have you considered, as the largest and most profitable companies on earth, perhaps sponsoring some of those free resources that are helping to generate billions upon billions of dollars for you?"

    Big busines: "Hahaha. No.... No."

  11. a_yank_lurker Silver badge

    Problem

    The problem is partly funding and assigning external resources needed for projects to be properly supported. Recognizing there is a problem is critical but I am not sure what the correct approach or approaches should be.

  12. glennsills

    Worth every penny we pay for it!

    The problem with open source is people, especially businesspeople, think of "open-source software" as "free software". To the extent it is free, people are getting what they paid for, often much more. Having the big companies throw money at the problem will not fix the problem either, Building a secure application requires that all packages be secure - fixing just the key ones does not help.

  13. Anonymous Coward
    Anonymous Coward

    log4j code patched

    the code can be patched and yet the exploit still remain... the issue is 1% the problem in the code and 99% on the users deploying and maintaining regardless of size and profitability

  14. Bitsminer Bronze badge

    money is not the way

    Several commentards have noted the difficulties with "giving" money from $source to $sink, where $sink is defined as a developer. Taxes, attribution, delivery, etc etc.

    Money is just one (ineffective) means. Remember, the goals are (1) reviewed and (2) corrected software.

    Who best to do this? Software developers. Let them become socially responsible for reviewing, testing and correcting software as a moral obligation to society.

    Kind of like lawyers doing pro bono, Doctors Without Borders, and so on.

    Github has a summary of commits for each account. Make a new metric (management is by metrics after all). How many code reviews and corrections on other people's software has this account accomplished? If the account is outside an envelope of own commit rate, commit size, and contributed corrections then make them pay, or shame them into contributing more reviews, or deny them access to El Reg comment boards, or something social.

    Don't Chill with the Big Boys.

    1. doublelayer Silver badge

      Re: money is not the way

      Very nice. Make the people who are already developing stuff for free also code review for free. I'm guessing that will also include some restriction to ensure they review well and with the security and quality goals you have in mind? If the security of components is so important to companies that make money, they can afford to pay for that developer effort, hiring the developers themselves or paying into an organization that will do it for them. They shouldn't be forced to do that, but they certainly shouldn't be able to argue that they need it, therefore I have to do it and likely also pay for others to do it.

  15. grumpy-old-person

    Why only Open Source?

    Surely ALL software should be secure - NOT 'more' secure!

    Large corporations that deliver great returns for shareholders and top management often have terrible security records going back many, many years.

  16. Anonymous Coward
    Anonymous Coward

    It's all a bit wrong

    1. Totally the wrong people/groups invited. Where were the representatives of the mass of smaller/solo developers? Only the billion-dollar businesses get a say; the rest of us are just their suppliers.

    2. Their aim is to 'professionalise' open source developers. For the majority it can't be done (I speak as one). You'd need to somehow impose procedures, documentations, testing regimes, timely patches, etc. And once you do that I walk away; I am writing code because I want to, and if gatekeepers arise and do any of that then my code goes private again as this is definitively not a job, but a passion.

    3. The people who really matter in this, the independent open source people, need to start withholding the product of their labour from the corporations who could afford to pay. It's a basic matter of who sets the terms, them or us? Don't allow them to decide how and how much; they are our customers and it is us, the suppliers, who should set the rules.

    4. They want the code to leech off whilst generating their billions? Then buy a license for it.

    5. The big businesses named are mostly *not* open source companies. They only open source what doesn't matter to them, and keep their Crown Jewels to themselves. Where is the open source code for Google Search? For Windows, Azure, or Xbox? For Oracle? These are cynical companies that offer a pittance to join a club then seek to set the rules so the members work for them instead.

    1. heyrick Silver badge

      Re: It's all a bit wrong

      "this is definitively not a job, but a passion"

      This. Very much this.

      But at the moment, it looks like for some that passion is fast turning into an abusive relationship. Time to consider a divorce?

    2. Terafirma-NZ

      Re: It's all a bit wrong

      Exactly.

      Govt need to get out and stop meddling, use the free market to do what it does. All they need to do is outline rules that if you are supplying software to the govt you must prove that you sponsor any and all open source projects you use.

      Then these big players e.g. Amazon would have to contribute to all the projects they take from either via code or $. These big companies will then push this on who they work with and it will flow down to most companies and become the norm. No license changes are required so no arguments over that just simply if you want our $ you will support the source of where you get your code.

      We all know by now that changes tend to flow form the big govt contracts down whatever the tech involved.

  17. tekHedd

    In the future...

    "As of January 2024, Google will be shutting down their support for the Google Universal Code Verification platform, used by thousands of projects and companies to verify the security of their open source supply chain. If you use the system to verify a project, it will continue to work until March, at which point the servers will be taken offline.

    "Google, in its statement, said that while GUCV had been successful, they are going to shift their focus to other products like Google Flavor Of The Month[TM]."

  18. DS999 Silver badge

    Sorry

    But you can't start/join a project where the license gives it away for free, then complain you can't make a living at it. If you volunteer for a charity and then find you can't make a living at it, should you expect people your charity benefits be willing to "tip" you enough to survive?

    You want to make a living at it, you have to find a way to get paid via a different license, charging people to implement new features they want, or whatever. If that's against the open source ethos to you, then you're the one who needs to adjust NOT the rest of the world!

    1. doublelayer Silver badge

      Re: Sorry

      I have argued that as well, but the reverse is also true. If someone else makes money off the thing you did for free, it is still their, not your, responsibility to ensure it's good enough for their uses. That means that, if there are bugs they want fixed, they don't get to argue that you are failing in your duty to fix it quickly enough (or failed when the bug first came into being). You have no responsibilities to them just as they have no responsibility to pay you.

  19. Lorribot Silver badge

    I am a sysadmin and it amazes me people think that because servers are virtual they are free. They completely ignore the cost of the supporting infrastructure required to keep it healthy and mitigate against borkage and stupidity.

    It is the same with Open source software, its there and i can grab it and use it so there is no cost, again they completely ignore the cost the supporting infrastructure required to keep it healthy and mitigate against borkage and stupidity.

    Project teams, developers and those that get paid more than you or I, often have a limited grasp of real cost of doing IT properly, in the server world that reality check happens when they try the same thing in AWS/Azure and start to see the bills come in and the Finance department can no longer say no but they will make one hell of a noise as everyone who has moved their unstructured data to the cloud after years to being the bad guy trying to keep it all on limited internal storage it was ....amusing. Now with security being number one thing, they realizing that Open Source is only free if they don't care about not being hacked.

  20. Falmari Silver badge
    Devil

    Google’s responsibility

    Google is responsible for security issues, bugs etc in their software products whether the code was written in-house or is external Open Source code. It does not matter if the issue is in Open Source code it is Google’s product that will suffer any commercial losses from the issue. This is true for anyone that commercialises Open Source software.

    The problem is that companies like Google don’t see it like that. They see it as free or more to the point, as a cost saving. Because creating software costs and that Open Source software they just downloaded saves all those costs.

    Design and coding costs, check we have the code. Code reviews and testing costs, err we have the code, better review and test it. Support costs, err we have the code, better support it.

    Companies need to treat Open Source code as they do their own code. They need to review and test it and make their findings and test scripts available to the Open Source devs. Security issues, bugs etc they need to be prepared to fix. So, report the problem and offer to fix it.

    If companies did that sure it would add cost to using Open Source, but it would still be a saving over developing their own code. More importantly it would lead to better supported and better quality Open Source code.

  21. haiku

    And then there was OWASP

    II have always believed that many of the problems experienced with today's software are much the same as they were yesterday, and the day before that i.e. simple bad coding practices.

    This is born out by the stats maintained by OWASP: when "Injection" is (after several years) still one of the top three security flaws, we have a problem that won't be cured by, for example, block-chain - said block-chain being IMHO much the cure for which there is no known disease (with thanks - and apologies - to the late, great Victor Borge).

    See https://owasp.org/Top10/

  22. hayzoos

    Let's say I authored a piece of software that meets my needs. I thought others may benefit so released it under an open source license. Over the years bugs were fixed as I or others found them at the pace I could manage as a hobby at my discretion. Over a decade or so this software became ubiquitous, in use by other individuals, small companies, large companies, giant companies, and multinational conglomerates. Some may just be using the software minimally, others daily but for their own use, and others incorporate it into products or services they sell for a profit.

    I should expect to see bug reports, feature requests, bug fixes, feature code, etc. Still not making any profit from the venture, I am still the hobbyist programmer. Sure I may see donations here and there to cover the cost of hosting distribution and maybe some additional costs all tied to the existence of the software. Then a "sky is falling" type of "security" bug is found when the software is used on or connected to the Internet. Now, I see fame as the author of the bug. I see demands from all, those using the software and not, those donating and not, those contributing and not, those helping and not; to fix this insidious bug I created. Why do I feel the loudest demands would be from the "nots"?

    Let's say I am not using and never designed the software to be used on on or connected to the Internet. I look at the bug and state, "Do NOT use it on or connect it to the Internet" as my fix. Am I obligated to do any more? In looking over the users of the software some would appear to have more of an obligation to fix it than I. Depending on the original license chosen, a fork could be made and fix implemented possibly allowing the fork to become closed source or remain open source as a new project.

    What obligation does one have as an author of an open source program? What obligation does one have as a user of open source software? Does it depend on means? Does it depend on use? Does it depend on anything?

    1. doublelayer Silver badge

      "What obligation does one have as an author of an open source program?"

      None. None at all. The users need to understand that and plan accordingly. If they want you to have a responsibility, they're going to have to get you to agree to it specifically.

      "What obligation does one have as a user of open source software?"

      Again, it's basically none. They could be responsible for incidents that occur from their use, but that's pretty much the extent of it. They have to decide what to do whenever something happens that they don't like.

      "Does it depend on means?"

      No.

      "Does it depend on use?"

      It might for users depending on what they're doing with it. For example, if it's used to store personal information in a GDPR country, they could be obliged to fix or change it in a certain time to prevent breeches.

  23. bigtreeman

    Volunteers

    Volunteers support a lot of areas in our society.

    Fire, rescue, marine radio, the Olympics, clean up the environment, help the poor

    the list goes on

    Society would probably fall apart without volunteers

    We need to look at the wealthiest 10 or top 1% who have just had the spotlight shone on them yet again.

    Minimum wage, proper redistribution of wealth will make everything purr along.

    Yes, suck it up, I'm a socialist, also a realist and don't care about the fascist, right wing agenda.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022