Linux Foundation reckoning with its security, diversity issues
Foundation executive director Zemlin outlines three key areas of improvement, including 'Tolstoy-esque' application security problems and major issues around diversity
25 October 2018
Linus Torvalds is back in charge of Linux. With that elephant out of the room, what else might the Linux Foundation be keen to address?
Speaking at the Open Source Summit in Edinburgh this week, executive director of the Foundation, Jim Zemlin, outlined three key areas of improvement: application security, diversity, and data sharing.
Zemlin, whose grandmother was a developer, stressed that the gender balance in open source is woefully under the average even in the (slowly improving, but poorly performing) tech sector.
“If you look at Kubernetes, it’s 7.6% female developers,” he said. “The kernel is like 10%, projects like Hadoop are five or six percent or something like that – low. The industry tech sector average of female tech employees is about 18%, women who are engineers and working in areas that would be analogous to open source project participation.
“So it’s not only low in general, it’s low by industry standards, and this is an area where the Foundation would love to help… we’re doing that by, as you probably witnessed at the event, having a diversity lunch going on, a three-day diversity inclusion track at this event, and scholarships we provide to bring more women in under-represented communities into these projects.
“The Cloud Native Computing Foundation has given out $300,000 just to bring women to participate in these kinds of events… I think there’s a lot more we can do there, it’s something we’d like to work on. It’s something that by any measurement doesn’t look good in open source.”
‘Tolstoy-esque’ application security
“As the world becomes more dependent on a set of shared technologies, the application security – the amount of vulnerabilities, test coverage of that software – will have an impact on all of our lives, our digital lives,” Zemlin said.
“The degree to which Kubernetes can have better testing, fewer bugs and fewer vulnerabilities, the better off the world will collectively be – not just Kubernetes but all open source projects. That’s something where we really want to help all open source projects to improve, and we have initiatives around our Core Infrastructure Initiative and other areas to improve upon that.”
When even the Davos set are discussing how open source benefits security, there has clearly been a shift in how people understand the way modern software is developed. A report issued earlier this year by the World Economic Forum praised open source both for how it is developed and for its security and rate of change.
“I don’t want to say anything bad about the World Economic Forum because I’m hoping to be invited,” laughed Zemlin. “I will say the person who runs our Hyperledger blockchain initiative is the CTO of the World Economic Forum, Brian Behlendorf, who created the Apache Software Foundation and web server – he probably had some influence in WEF’s view on open source.
“I think it’s an acknowledgment by WEF in all likelihood, and I haven’t spoken to them about it, but Brian definitely has, just about how modern software gets developed. While I agree that peer reviewed software and better software transparency is important, the one thing I think is important to understand is that’s not good enough.
“Open source software should be introspective about security as well as lauding the transparent coding process and peer review. We find there are projects out there that are critical to society that don’t get a lot of peer review, and if we’re all dependent on OpenSSL, we should probably consider why it is that peer review has not happened there, even though the code is transparent. Test coverage is not great in a lot of open source projects because developers naturally want features before they write a bunch of tests – so I think that is an issue.”
‘Beyond peer review’
According to Zemlin, steps to address this could include security mailing lists and responsible disclosure policies, along with threat modelling, fuzz testing and linting; “really taking application security seriously is well beyond peer review”.
“So while I agree that open source probably on balance certainly has an advantage over proprietary software – because who knows what’s going on in proprietary software? – I don’t think we should just rest on that.”
These are the most pressing issues outlined by Zemlin, but another area where the Foundation hopes to see improvement is bolstering collaboration, specifically around the rise of machine learning, artificial intelligence and predictive analytics.
As these become more important to how people build technology products and services, Zemlin adds, the importance of code sharing also increases.
“I think the concept of taking open source practices of code sharing and lending them to data sharing is something that we could assist on, and to that end we’ve created an open data licence – two of them actually, a copyleft one and a more permissive data licence, similar to how standardised open source licences made it easy to share code, make it easy to share data.”
IDG News Service