Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
ninjagoo 5 hours ago

> We are joined by Amazon Web Services, Anthropic, Chainguard, Cisco, Citi, Endor Labs, Ericsson, Google, IBM, JPMorganChase, Microsoft and GitHub, NVIDIA, OpenAI, RapidFort, Red Hat, Rust Foundation, Sonatype, Vodafone, and Zscaler

A lot of open source folks are going to be very skeptical, rightly so, of this group of players.

> ... to find, fix, and responsibly disclose vulnerabilities in critical open source software ...

How this is implemented is going to be key. Are they going to contribute through (a) existing channels, pull requests etc. or (b) are they going to fork the projects under the guise of 'security' or (c) offer bug bounties or (d) contribute financially?

Approach (a) brings the community along. (b) alienates the community, splits resources, and in the long term will likely cause many open-source projects to die. (c) has potential but timing and speed can be unfavorable for critical bugs, and doesn't mesh with 'responsible disclosure'. (d) can be ineffective for critical bugs unless paired with support for maintainers, which can be incredibly helpful for the opensource ecosystem.

RyJones 2 hours ago | parent | next [-]

Keep in mind that while I am employed by the Linux Foundation, I know nothing of the internals of this project; I will speak, instead, of what the projects I support do.

I have found (c) to be high noise, low signal. We're winding down our HackerOne program.

D: we do this in a couple ways. For PQCA, for instance, we use credits from AWS to get access to hardware to run proofs and CI on. PQCA also has a paid mentorship program.

For OWF, we do the same with AWS credits, as well as provide hosting for projects to run services on for testing.

For LFDT, we offer paid mentorships, have paid for Trail of Bits to do reviews, and run events. We had a maintainer summit in New York in January so our maintainers could meet for two days face-to-face. We fund large GitHub CI runners for projects as well.

I know it doesn't answer everything, but our team is only a few people and we really do work hard to help developers. What I'll call the devrel team for OWF/PQCA/LFDT is three FTE, one contractor, and our manager.

LFDT: https://www.lfdecentralizedtrust.org/

OWF: https://openwallet.foundation/

PQCA: https://pqca.org/

PQCA benchmarks, for instance: https://pq-code-package.github.io/mldsa-native/dev/bench/

nickelpro 2 hours ago | parent | prev | next [-]

> A lot of open source folks are going to be very skeptical, rightly so, of this group of players.

You say this as if these players aren't members of "the open source folks". It's not an exclusive club.

tga_d 34 minutes ago | parent | next [-]

I don't see how that was implied? Just because someone is part of the "club" doesn't mean many other "members" can't be skeptical of their role.

In fact, it doesn't even seem difficult to simultaneously acknowledge and commend the valuable role they play, while also expressing concern over the influence they wield and how it might contrast with desires and goals of the wider community.

redsocksfan45 2 hours ago | parent | prev [-]

[dead]

amouat 4 hours ago | parent | prev | next [-]

My best understanding from reading this is a) where possible and b) where necessary. This is the Linux Foundation, so it must put OSS and community first, surely.

People talk about contributing financially, but how and to what end? Most projects aren't set up to accept or utilise donations. That said, I would say we should be providing all OSS projects with significant access to AI in order to review their codebases and PRs and hopefully relieve some of the maintenance burden. I know there are some initiatives in this area already.

unsungNovelty 4 hours ago | parent | next [-]

> This is the Linux Foundation, so it must put OSS and community first, surely.

Linux Foundation is run by the said called corporates from the list. So is Rust Foundation. Linux in itself is safe cos Linus controls it. Not the rest of the projects LF controls.

limagnolia 2 hours ago | parent [-]

So far, the Linux Foundation, from what I have seen, has pretty darn good track record of keeping the projects under its umbrella open source, even going against corporate sponsors to do so. For a recent example, see the recent NATS tuffle. (And I should.recognize that Synadia, finally, did the right thing and backed down).

xyzzy_plugh 22 minutes ago | parent [-]

To add to this, I've experienced all sides of the LF and they are the only organization I trust at this point. Donating a project to them is A Good Thing.

There's bureaucracy of course but the mission is clear. Highly recommend working with them in any capacity.

LtWorf 3 hours ago | parent | prev | next [-]

Remember when google set up a whole project to find vulnerabilities but never sent any fix and unpaid developers were basically having to fix things that an entire team of people was hired to find… yeah maybe they could have just made an offer to some maintainers instead of burning them out?

woodruffw 2 hours ago | parent | next [-]

Is this an oblique reference to OSS Fuzz, or something else?

It seems weird to blame Google here, given that they didn’t manufacture the bugs: the bugs were already there, and they just found them. This is arguably the best thing for all parties: open source maintainers are still under no obligation to fix things, but downstreams can properly inform themselves about the risks they inherit by using any given project.

The alternative is a “don’t ask, don’t tell” system, which people generally agree doesn’t work well in other aspects of life.

oneshtein 2 hours ago | parent | prev [-]

They are contributing back, which is a good thing. Other companies just fork, fix, and forbid to contribute back.

LtWorf 2 hours ago | parent [-]

Burning out maintainers isn't "contributing back".

limagnolia 2 hours ago | parent [-]

Do you have any examples of Google submitting vulnerabilities and refusing to assist maintainers create a patch when asked to do so?

finnthehuman 22 minutes ago | parent [-]

Wasn’t that a story with ffmpeg a few months ago? And people were getting roasted for even the suggestion that google should contribute patches?

RustyRussell 4 hours ago | parent | prev [-]

Um, the Linux Foundation is an industry body, not a user or community group. You seem confused?

amouat an hour ago | parent | next [-]

No, not really, and I don't think you need to be snarky.

It may be an industry body, but it runs multiple community conferences and projects which support Open Source. A notable example in this case being the OpenSSF https://openssf.org/

The LF is not perfect, but I would expect them to come from an OSS and community angle on this.

limagnolia 2 hours ago | parent | prev [-]

I am pretty sure that these industries use the open source projects the Linux Foundation maintains. So it is pretty clear the Linux Foundation is indeed a user community group, too.

izacus 2 hours ago | parent [-]

These are also some of the largest Linux code contributors as well.

throwaway72587 4 hours ago | parent | prev | next [-]

> alienates the community

That's a feature to them, not a bug. They want the software and don't want the community.

asdfaoeu 4 hours ago | parent | prev | next [-]

> one confidential, trusted place to coordinate discovery, remediation, and disclosure

I read this they would build the patches privately (or with maintainers if confidential) and then share amongst their supporters before public release.

abc123abc123 an hour ago | parent | prev | next [-]

Note that the LF of today is basically just like any other global corporation with its own political agenda. You can just follow the money, and see that it is controlled by corporations. They neutered Torvalds, are very woke, and generally a nightmare to work with.

I always advice aspiring open source enthusiasts to stay far, far away from the Linux Foundation. It has become a barrier to software freedom these days, rather than an enabler.

blcknight 3 hours ago | parent | prev [-]

You realize that the companies listed employ many of the core open source maintainers for large projects? It is project-specific, but 80% of Linux kernel development is from paid corporate employees. Similar for kubernetes. All the load bearing infrastructure is already handled by these companies... literally no one else is going to have the resources or experience to redirect large efforts on securing F/OSS.

What would you propose otherwise?