Open-source News

KDE Plasma 5.25 Delayed For FreeBSD Due To Needing Additional Security Infrastructure

Phoronix - Wed, 07/27/2022 - 02:22
Last month KDE Plasma 5.25 was released as the newest feature release of this Qt-based open-source desktop environment. Unfortunately for FreeBSD desktop users, those using KDE will be stuck for a while longer on Plasma 5.24 due to missing security infrastructure...

Fedora's Robotics, Games & Security Spins At Risk Of Being Dropped

Phoronix - Wed, 07/27/2022 - 02:10
There are a few Fedora Spins/Labs versions at risk of being removed with Fedora 37 this autumn unless new maintainers step up...

Oracle's GraalVM 22.2 Brings More Performance Optimizations

Phoronix - Wed, 07/27/2022 - 01:50
Oracle has issued its newest quarterly release of GraalVM, its high-performance Java JVM/JDK that also supports additional execution models and programming languages. GraalVM 22.2 is the newest version and contains a number of optimizations across its growing number of components...

OSS Security Highlights from the 2022 Open Source Summit North America

The Linux Foundation - Tue, 07/26/2022 - 21:00

By Ashwin Ramaswami

Last month the Linux Foundation concluded its 2022 Open Source Summit North America (OSS NA), where developers, technologists, and community leaders from industry, academia, and government converged in Austin, Texas, from June 21-24 to talk about all things open source. Participants and speakers highlighted open source innovation and efforts to ensure a sustainable open source ecosystem.

What did the summit tell us about the state of OSS security? Several parts of the conference addressed different aspects of this issue – OpenSSF Day, Critical Software Summit, SupplyChainSecurityCon, and the Global Security Vulnerability Summit. Overall, the summit demonstrated an increased emphasis on open source security as a community effort with various stakeholders. More ambitious and innovative approaches to handling the open source security problem – including collaboration, tools, and training – were also introduced. Finally, the summit highlighted the importance for open source users to give back to the community and contribute upstream to the projects they depend on.

Let’s explore these ideas in more detail!

Open source security as a community effort

Open source security is not just an isolated effort by users or maintainers of open source software. As OSS NA showed, the stakes of open source security have turned it into a community effort in which a wide range of stakeholders have an interest and are beginning to get involved.

  • As Todd Moore (IBM) mentioned in his keynote, incidents such as Log4Shell have made open source security a bigger priority for governments, and it is important for existing open source stakeholders, both users and maintainers, to work as a community to take a cohesive message back to government that articulates the community's needs and how it is responding to this challenge.
  • Speakers at a panel discussion with the Atlantic Council’s Cyber Statecraft Initiative and the Open Source Security Foundation (OpenSSF) discussed the summit held by OpenSSF in Washington, DC on May 12 and 13, where representatives from industry and government met to develop the Open Source Software Security Mobilization Plan, a $150 million plan for better securing the open source ecosystem.
  • A panel discussion explored how major businesses are working together to improve the security of the open source supply chain, particularly through the governance structure of the OpenSSF.
New approaches to address open source security

OSS NA featured several initiatives to address fundamental open source security issues, many of which were particularly ambitious and innovative.

  • The OpenSSF’s Alpha-Omega Project was announced to address software vulnerabilities for OSS projects that are most critical (alpha) and at the long tail (omega).
  • Eric Brewer (Google) gave a keynote discussing the fundamental problem of ensuring accountability in the open source software supply chain. One way of solving this is through curation: creating a repository of vetted and secure packages.
  • Standards continue to be important, as always: Art Manion (CERT/CC) discussed the history and future of the CVE Program, while Jennings Aske (New York-Presbyterian Hospital) and Melba Lopez (IBM) discussed the importance of a Software Bill of Materials (SBOM).
  • The importance of security tooling was emphasized, with discussions on tools such as sigstore, automation of security checks through Infrastructure as Code tools, and CI/CD pipelines.
  • David Wheeler (Linux Foundation) discussed how education in secure software development is critical to ensuring open source software security. Courses like the OpenSSF’s Secure Software Development Fundamentals Courses are available to help developers learn this topic.
Giving back to the community

Participants at the summit recognized that open source security is ultimately a matter of community, governance, and sustainability. Projects without adequate resources or a suitable governance structure may be unable to keep their code secure, or to accept the funding that would let them do so.

  • Steve Hendrick (Linux Foundation) and Matt Jarvis (Snyk) discussed the release of the 2022 State of Open Source Security report from Snyk and the Linux Foundation. The report noted that open source software is often a one-way street, where users see significant benefits with minimal cost or investment. It recommends that organizations close the loop and give back to the OSS projects they use, so that those projects can meet user expectations.
  • Aeva Black (Microsoft) discussed approaches to community risk management through drafting and enforcing a code of conduct, and how ignoring community health can lead to sometimes catastrophic technical outcomes for OSS Projects.
  • Sean Goggins (CHAOSS) discussed the relationship between community health and vulnerability mitigation in open source projects, using metrics models from the CHAOSS project.
  • Margaret Tucker and Justin Colannino (GitHub) discussed the role that package registries have in open source security, beginning to formulate some principles that would balance these registries’ responsibility for safety and reliability with the freedom and creativity of package maintainers.
  • Naveen Srinivasan (Endor Labs) and Laurent Simon (Google) explored the OpenSSF Scorecard to more easily analyze the security of open source projects and proactively improve their security.
  • Amir Montazery (OSTIF) discussed the Open Source Technology Improvement Fund’s efforts to help OSS maintainers to work with security experts to improve their projects’ security posture.
Conclusion

In sum, the talks and conversations at OSS Summit NA help paint a picture of how key stakeholders in the open source software ecosystem (OSS communities, industry, academia, and government) are conceptualizing big-picture issues and directing efforts around OSS security.

But these initiatives and talks still have a lot of room for input! Whether individually or through your institution, consider adding your voice to this discussion as we continue to support the open source software community. Join an OpenSSF working group, another initiative, or contribute upstream to open source projects that you depend on.

The post OSS Security Highlights from the 2022 Open Source Summit North America appeared first on Linux Foundation.

Turnip Vulkan Driver Now Works With Zink For OpenGL 4.6, Approaching Vulkan 1.3

Phoronix - Tue, 07/26/2022 - 20:47
Mesa's Turnip driver that provides open-source Vulkan support for Qualcomm Adreno graphics processors continues maturing nicely and is approaching Vulkan 1.3 conformance...

Firefox 103 Better Handles High Refresh Displays, WebGL Performance Fix On NVIDIA Driver

Phoronix - Tue, 07/26/2022 - 18:23
Mozilla's Firefox 103 web browser is now available from mirrors as the latest monthly update to this open-source, cross-platform browser...

Linux 5.20 To Enable THP SWAP On 64-bit Arm For Better Swapping Performance

Phoronix - Tue, 07/26/2022 - 18:04
The "THP_SWAP" option for the Linux kernel allows swapping transparent huge-pages in one piece without splitting. With Linux 5.20 the 64-bit Arm kernel (ARM64 / AArch64) will now support this option as a performance optimization...

Latte Dock Development Officially Ends As Popular KDE Desktop Dock

Phoronix - Tue, 07/26/2022 - 17:48
For the past several years Latte Dock has been a popular macOS-like "dock" for the KDE Plasma desktop but development has now ceased...
