OpenUK launched its Summer of Open Source Security on 29 June, with me having the honour of joining Open Source Initiative Founder, Bruce Perens, in keynoting the Digital Catapult’s “Is open source software the future of security” event, and OpenUK’s CISO and Control Plane Founder, Andrew Martin, and Arm’s Mark Ince joining us in a panel discussion on security. The event was ably hosted by journalist Geoff White, and sponsored by UKRI and the Digital Catapult.
This event will be followed by a series of free-to-attend OpenUK digital talks with international leaders in software security and supply chain management, taking place between 6 and 27 July, each Wednesday at 3pm; see openuk.uk/security.
We will also share a series of podcasts on security hosted by Matt Yonkovit.
Why is security important? There was certainly no escaping “security” this year at the Linux Foundation’s annual Open Source Summit North America, which took place in Austin, Texas, on 21-24 June and brought the US and global open source software business and engineering communities together.
Eric Brewer, Google Distinguished Engineer, delivered an opening keynote contextualising the positioning of governments and enterprises across the globe, as we see national critical infrastructure being built on open source software. He recognised not just the need to consider maintenance and security but the ‘curation’ of open source software, calling out the licensing premise that open source software is distributed and used without warranty, with all liability on the part of its creator excluded.
Open source differs greatly from proprietary software, in part in the proprietary royalty model and the correlated exclusion of liability. This directly impacts the balance of risk, which is very different for open source and proprietary software. The quid pro quo for the free distribution of open source code is the absolute waiver of liability. The terms of an OSI-approved licence applying to the code and governing its use allow modification and maintenance by the user without cost. This key difference from proprietary software aligns with the lack of royalties being charged, making it possible to self-maintain and modify code (if you have the skills, or to choose who will maintain it on your behalf, as opposed to being locked in to the provider of proprietary software) against the standard carve-out of all liability.
Brewer explained the need for curation in enterprise and public sector use of open source software to ensure its good hygiene, maintenance and security, effectively to balance the risk. Having already visited the German government to begin discussions like those taking place with the White House in the US, he also called out discussions with OpenUK in his keynote. But it wasn’t just Brewer who flagged the importance of compliance, governance and processes, to create good and secure open source – this was really the underlying theme of the whole event.
The Open Source Software Security Foundation (OpenSSF) also added a well-attended inaugural pre-conference Security Day to the OSSummit, sharing various plans and actions following the OpenSSF and key vendors’ interaction with the White House and the Log4Shell security vulnerability through the last 6 months or so. It is hardly surprising that Software Bill of Materials (SBOM), the requirement for which was called out in the May 2021 Biden administration White House Ordinance on software security almost exactly a year before, was the talk of Austin throughout the week.
OpenUK’s booth at the Austin event was well attended and we will also have a strong presence in Dublin. A number of the OpenUK team spoke: Directors Dawn Foster and Matt Jarvis, Foster participating in the Open Source Program Office (OSPO) stream and Jarvis in security, launching the new LF/Snyk Security Report on behalf of his employer Snyk, whilst Board Director Terence Eden joined digitally to deliver his talk. Andrew Martin was also there, unsurprisingly speaking on security.
The OSSummit moves around the US and is one of a handful of key US open source software conferences, including the community-organised SCaLE (Southern California Linux Event), KubeCon and All Things Open. Having started life as LinuxCon, it has evolved into an umbrella event with a range of work streams/mini conferences taking place in one venue but joined up each day for keynote sessions and evening social events. Its European twin, Open Source Summit Europe, will take place in Dublin from 12-15 September and OpenUK will host a booth at this and at All Things Open. If you would like to participate in OpenUK’s activities please do let us know: firstname.lastname@example.org
OpenUK plans for its Summer of Open Source Software Security to culminate in a collaborative London event in September, to discuss security and curation of open source in a world recognising open source software as a digital public good and the underlying software in the spine of our digitalised national infrastructure and the base of our enterprise.
Amanda Brock
I’ll be speaking on the above topics at:
- SCaLE in Los Angeles in July – https://www.socallinuxexpo.org/scale/19x
- Uptime by Aiven in Amsterdam in September – Keynote – https://uptime.aiven.io/
- Bitkom in Germany in September – Keynote – https://www.bitkom.org/EN/bfoss22
- KubeCon co-located Data on Kubernetes Day on 24 October – Keynote – https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/
- All Things Open in October/November – https://openuk.uk/event-calendar/all-things-open/
OpenUK plans a face-to-face event in London on 20 September, with more details to follow soon.