OpenSSF General Manager Brian Behlendorf: an estimated 420 million open source software releases by 2026
2022-07-26 18:55:00 【Open source headlines】
Open source development has spread like a prairie fire. Behind this explosive growth, however, new crises are quietly lurking. In recent years more and more enterprises and organizations have begun to pay attention to open source security and governance, but open source governance is an enormous undertaking that can hardly rest on a handful of enterprises alone; horizontal organizations such as open source foundations can play a leading role in it.
On July 21, 2022, at the 17th Open Source China Open Source World Summit, sponsored by the China Open Source Software Promotion Union and co-sponsored by CCID Media and the magazine Software and Integrated Circuit, with an exclusive CSDN live stream, OpenSSF General Manager Brian Behlendorf delivered a keynote speech titled "Trust and Security of the Open Source Ecosystem". He expects 420 million open source software releases by 2026, with software package downloads reaching 2 trillion by then. Unfortunately, the wide use of open source software also brings security problems.

The following is a transcript of Brian Behlendorf's speech:
Hello everyone, I am Brian Behlendorf, General Manager of the Open Source Security Foundation (OpenSSF) under the Linux Foundation. I am very happy to talk with you today at the 17th Open Source China Open Source World Summit Forum, and I sincerely look forward to sharing my views on open source security with you.
I will share with you where the open source community should go in the face of the security challenges in the software world, and what the OpenSSF is doing now.

We believe that open source software is an inevitable trend. There are already 40 million different open source software components available; by 2026 we expect 420 million open source software releases, and by then there will be 2 trillion software package downloads. Everyone uses a great deal of shared open source software on all kinds of devices.
The beginnings and development of open source
Now I want to rewind the clock to an earlier era of open source.
Many people know that I was involved in the start of the Apache web server, as well as in the creation of the Apache Software Foundation. Early on, one thing was tied to the beginnings of the Internet: in 1995 the Netcraft website conducted a survey of every website once a month to investigate what software they were running, and you could check the survey results to see which sites showed the Apache web server in their headers.
From very early on, it was publicly visible that the Apache web server was growing very fast and had become dominant among web servers on the Internet. The picture below is a screenshot of the website that I found from 1999. Through it we can measure the spread of open source code, and it was the first time you could say to your boss or budget holder: "Look! Open source software is being used in production environments; it is not confined to certain places."

By the way, the Netcraft website also let you see which server software a site was running. So you could know that large enterprises were running Apache, government websites were running it too, and even the Vatican and European religious institutions were running Apache.
All these institutions running Apache and other open source software really helped accelerate open source, but it was hard for us to see where Linux and MySQL were used, because those are behind the scenes, whereas Apache is in front of the screen. It is worth noting that popularity is not equal to security.
Building trust in open source software has nothing to do with heroism or personality. As everyone knows, Linus Torvalds is a great programmer, and I am not a great programmer, but we are both grateful to let the public see the open source code, to let the public inspect it and tell us what went wrong. We also often review other people's code. It is by passing various inspections that we create better software, and that also tends to create safer software. Therefore Apache, Linux, Perl and all these open source communities have adopted contribution and project acceptance processes.
Compared to the code community, open source software brings great convenience to everyone. As large projects like Apache, Linux, MySQL, PHP and Python gradually became popular, we also began to see more and more small projects appear, and this built a truly healthy ecosystem. It is the joint effort of the industry that forms an effective ecosystem. When you browse GitHub there are 100 million open source software repositories; although there is a lot of overlap and many of them do the same thing, that is okay. Despite this lack of rigor, open source collaboration brings not only higher quality code but also more secure software. This promising model looks more like a swap transaction: many projects are shared and try to involve the public, but sometimes the task falls on the shoulders of only one or two people. This is a huge market exchange model, and I think it has led us down a dark path on the security issue. What I want to encourage you to think about is that there is another, different way.
In the United States there is a people called the Amish, who traditionally help each other build barns. There is a practice called a barn raising: all the people in the village gather together, each puts a piece of the barn in place, and by the end of the day they have erected a large supporting structure. In one day, through collective action, you can build most of a barn. Everyone works together and each builds a different part, but the core of the action is to involve many people working together; with the joint effort of different people, things become better. Such a system is based on everyone playing to their strengths. This is the open source project; it is very similar to the kind of community Apache tries to build, and very similar to the community the Linux Foundation tries to build, with many stakeholders and many people in the community.
When it comes to software, I believe open source software is composed of these layers. As you know, we have applications built on libraries, the libraries are built on the operating system, and the operating system is built on the network stack or kernel. Think of any modern application: it is now composed of thousands of underlying dependent components. In the open source software community you can handle anyone's contribution, whether they are as famous as Linus Torvalds or not famous at all, but it is these processes and organizations that bring us together and allow us to integrate all these different kinds of contributions.
In the Apache project I had not met most of the people until, after doing a lot of work, they began to become important contributors. I think this is the key to scaling up: being able to accept contributions from different places, even if you don't know where they come from or which country they are in. I think this is the key to attracting enough eyeballs; here, a culture that accepts many contributions can make ideas take shape.

How to ensure open source security?
Many people ask how to ensure security in this situation. At the University of Minnesota there was a group that wanted to submit code to the Linux project carrying a very well hidden back door, and the individuals who review code detected this through the process of review and verification. In fact, the University of Minnesota has been banned from contributing to the Linux project. We have this combination of community structure and tools, and it helps maintain the security of the software.
To achieve better open source security, we need better tools based on objective measurement and code to gauge the trustworthiness of code: careful examination, running scripts, and verifying whether it achieves the function it claims. We need better processes to encourage developers to carry out better security practices.
Now there are also some new types of vulnerabilities, which also shows that we lack better process specifications in the open source field. We need to encourage teams to work together and to take joint responsibility for security. The world we face now is quite different from 30 years ago, and especially completely different from when I first came into contact with open source software. Now the software supply chain is being compromised, and that does not just mean the security of every line of code. If you can get at the code upstream, or somewhere in the distribution path, if you compromise the build server, compromise the source code management system, or persuade developers to choose a bad dependency, you can make all kinds of compromises. This is the main open source security problem nowadays.
Think of open source as a supply chain: you have code from developers and their minds, through their IDE to the development environment, to where they share it with others, and then back to where it is built. Finally, when it is ready to be packaged and released, it loops through dependencies during development and build, and when it reaches the end consumer, all of this has to work. This is a very informal process, but I think we are used to it in the open source community, and this is the problem we are going to solve today.
You may have heard of many things happening in the Linux Foundation's security community: the SPDX standard for describing software bills of materials, security software standards based on cloud computing, and a community called CHAOSS for supply chain best practices, which really focuses on community health. But one thing we at the OpenSSF really do is start a set of efforts that think systematically about supply chain security from different perspectives: how to increase rigor, how to find and fix vulnerabilities as soon as possible, and how to promote these remediations to the whole world.
They include a working group focused on best practices, where we developed a best practices badge for certifying projects, making sure it is hard to steal someone else's certificate, and our course on the foundations of secure software development, which helps developers think like attackers when writing code. We have another working group focused on improving the vulnerability disclosure process, and a guide to make the open source community smarter.
On how to publish projects, we have another working group committed to setting priorities: which software packages are forgotten in the open source world but may be very critical, because many people rely on them, yet they may not get that kind of attention.
And there is the working group on identifying security threats. We have a security tooling working group focused on automated scanning, debugging and understanding software with tools. We work in working groups with the major software repositories, trying to reach common standards around PyPI and npm. All the other major efforts are focused on protecting the security of all software in the market. Supply chain integrity is the basis of the SLSA specification, which is about making sure that everything passing through the loop has gone through the highest level of quality inspection and background checks.
We also have another group called Securing Critical Projects, which is mainly committed to identifying the highest-priority project inputs. Finally there are a series of additional related projects such as Sigstore and Alpha-Omega, which help us systematically understand what is happening in the open source world.
About the OpenSSF community: we convened the Open Source Software Security Mobilization Plan, which integrates all efforts into one overall plan with ten different workstreams focused on improving software security in the open source world. But this is not cheap; the first two years will cost about 150 million dollars. We have already received 30 million dollars and corresponding commitments, so we are very happy to cooperate with the global community to jointly improve open source software.
I think safer code will make us more resilient, and this can indeed have a positive impact on the global community, so I really want to find a chance to work with everyone to jointly improve the software security situation and open source code in China and around the world.
Therefore, I am really honored to have this opportunity to share. I hope the rest of the conference is wonderful, and I wish you all the best.
Click 2022 (17th) Open Source China Open Source World Summit Forum - CSDN Live Broadcast to see more wonderful speeches!