Google says open source software should be more secure

"The open source community definitely needs some form of universal basic income..."

If Google et al are going to pony up for this, then fair enough; if they expect my taxes to fund it, they can fuck right off.

If any funding does become available, it needs to be linked to support rather than the software itself.

People write the software for fame and fun, they don't do the support with the same spirit.

Seems to me we could use some of the ideas used within blockchain and crypto to help pay for the support, like the miner model?

That could then still be open rather than end up becoming a Google tax for everyone?

For their next trick, the US Government will invite convicted murderers, rapists, drug dealers, embezzlers, and bootleggers to a White House summit on "Sentencing guidelines for violent crime". Details to follow.

But back to the story, this is exactly what Google has been waiting for - a chance to take over management of chunks of FOSS and claim it's "for the good of all humanity". Only something as feeble-minded as the Federal Government would fall for that. If you think Android sucks now, just you wait...

Two cultures ...

In the jungle 'survival of the fittest' is commensal with everything being interdependent.

In the mono-culture over the road, everything depends on how much money the farmer can pay to keep the bugs at bay.

FFS

The idea of "paying isn't bad but pay who" and "I'm not sure a licence change would fix this" is in any way anything other than smoke and mirrors when the true colours are revealed in the bullet point that says:

"to match volunteers to needy projects"

Volunteers, note. Volunteers.

Big business: "We need to find a way to make the free software that we're all using safer"

Community: "Have you considered, as the largest and most profitable companies on earth, perhaps sponsoring some of those free resources that are helping to generate billions upon billions of dollars for you?"

Big busines: "Hahaha. No.... No."

Problem

The problem is partly funding and assigning external resources needed for projects to be properly supported. Recognizing there is a problem is critical but I am not sure what the correct approach or approaches should be.

Worth every penny we pay for it!

The problem with open source is people, especially businesspeople, think of "open-source software" as "free software". To the extent it is free, people are getting what they paid for, often much more. Having the big companies throw money at the problem will not fix the problem either, Building a secure application requires that all packages be secure - fixing just the key ones does not help.

log4j code patched

the code can be patched and yet the exploit still remain... the issue is 1% the problem in the code and 99% on the users deploying and maintaining regardless of size and profitability

money is not the way

Several commentards have noted the difficulties with "giving" money from $source to $sink, where $sink is defined as a developer. Taxes, attribution, delivery, etc etc.

Money is just one (ineffective) means. Remember, the goals are (1) reviewed and (2) corrected software.

Who best to do this? Software developers. Let them become socially responsible for reviewing, testing and correcting software as a moral obligation to society.

Kind of like lawyers doing pro bono, Doctors Without Borders, and so on.

Github has a summary of commits for each account. Make a new metric (management is by metrics after all). How many code reviews and corrections on other people's software has this account accomplished? If the account is outside an envelope of own commit rate, commit size, and contributed corrections then make them pay, or shame them into contributing more reviews, or deny them access to El Reg comment boards, or something social.

Don't Chill with the Big Boys.

Why only Open Source?

Surely ALL software should be secure - NOT 'more' secure!

Large corporations that deliver great returns for shareholders and top management often have terrible security records going back many, many years.

It's all a bit wrong

1. Totally the wrong people/groups invited. Where were the representatives of the mass of smaller/solo developers? Only the billion-dollar businesses get a say; the rest of us are just their suppliers.

2. Their aim is to 'professionalise' open source developers. For the majority it can't be done (I speak as one). You'd need to somehow impose procedures, documentations, testing regimes, timely patches, etc. And once you do that I walk away; I am writing code because I want to, and if gatekeepers arise and do any of that then my code goes private again as this is definitively not a job, but a passion.

3. The people who really matter in this, the independent open source people, need to start withholding the product of their labour from the corporations who could afford to pay. It's a basic matter of who sets the terms, them or us? Don't allow them to decide how and how much; they are our customers and it is us, the suppliers, who should set the rules.

4. They want the code to leech off whilst generating their billions? Then buy a license for it.

5. The big businesses named are mostly *not* open source companies. They only open source what doesn't matter to them, and keep their Crown Jewels to themselves. Where is the open source code for Google Search? For Windows, Azure, or Xbox? For Oracle? These are cynical companies that offer a pittance to join a club then seek to set the rules so the members work for them instead.

In the future...

"As of January 2024, Google will be shutting down their support for the Google Universal Code Verification platform, used by thousands of projects and companies to verify the security of their open source supply chain. If you use the system to verify a project, it will continue to work until March, at which point the servers will be taken offline.

"Google, in its statement, said that while GUCV had been successful, they are going to shift their focus to other products like Google Flavor Of The Month[TM]."

Sorry

But you can't start/join a project where the license gives it away for free, then complain you can't make a living at it. If you volunteer for a charity and then find you can't make a living at it, should you expect people your charity benefits be willing to "tip" you enough to survive?

You want to make a living at it, you have to find a way to get paid via a different license, charging people to implement new features they want, or whatever. If that's against the open source ethos to you, then you're the one who needs to adjust NOT the rest of the world!

I am a sysadmin and it amazes me people think that because servers are virtual they are free. They completely ignore the cost of the supporting infrastructure required to keep it healthy and mitigate against borkage and stupidity.

It is the same with Open source software, its there and i can grab it and use it so there is no cost, again they completely ignore the cost the supporting infrastructure required to keep it healthy and mitigate against borkage and stupidity.

Project teams, developers and those that get paid more than you or I, often have a limited grasp of real cost of doing IT properly, in the server world that reality check happens when they try the same thing in AWS/Azure and start to see the bills come in and the Finance department can no longer say no but they will make one hell of a noise as everyone who has moved their unstructured data to the cloud after years to being the bad guy trying to keep it all on limited internal storage it was ....amusing. Now with security being number one thing, they realizing that Open Source is only free if they don't care about not being hacked.

And then there was OWASP

II have always believed that many of the problems experienced with today's software are much the same as they were yesterday, and the day before that i.e. simple bad coding practices.

This is born out by the stats maintained by OWASP: when "Injection" is (after several years) still one of the top three security flaws, we have a problem that won't be cured by, for example, block-chain - said block-chain being IMHO much the cure for which there is no known disease (with thanks - and apologies - to the late, great Victor Borge).

See https://owasp.org/Top10/

Let's say I authored a piece of software that meets my needs. I thought others may benefit so released it under an open source license. Over the years bugs were fixed as I or others found them at the pace I could manage as a hobby at my discretion. Over a decade or so this software became ubiquitous, in use by other individuals, small companies, large companies, giant companies, and multinational conglomerates. Some may just be using the software minimally, others daily but for their own use, and others incorporate it into products or services they sell for a profit.

I should expect to see bug reports, feature requests, bug fixes, feature code, etc. Still not making any profit from the venture, I am still the hobbyist programmer. Sure I may see donations here and there to cover the cost of hosting distribution and maybe some additional costs all tied to the existence of the software. Then a "sky is falling" type of "security" bug is found when the software is used on or connected to the Internet. Now, I see fame as the author of the bug. I see demands from all, those using the software and not, those donating and not, those contributing and not, those helping and not; to fix this insidious bug I created. Why do I feel the loudest demands would be from the "nots"?

Let's say I am not using and never designed the software to be used on on or connected to the Internet. I look at the bug and state, "Do NOT use it on or connect it to the Internet" as my fix. Am I obligated to do any more? In looking over the users of the software some would appear to have more of an obligation to fix it than I. Depending on the original license chosen, a fork could be made and fix implemented possibly allowing the fork to become closed source or remain open source as a new project.

What obligation does one have as an author of an open source program? What obligation does one have as a user of open source software? Does it depend on means? Does it depend on use? Does it depend on anything?

Volunteers

Volunteers support a lot of areas in our society.

Fire, rescue, marine radio, the Olympics, clean up the environment, help the poor

the list goes on

Society would probably fall apart without volunteers

We need to look at the wealthiest 10 or top 1% who have just had the spotlight shone on them yet again.

Minimum wage, proper redistribution of wealth will make everything purr along.

Yes, suck it up, I'm a socialist, also a realist and don't care about the fascist, right wing agenda.