davidbgk
/
larlet-fr-david-cache
Watch 1
Star 0
Fork 0
Code Releases 0 Activity
A place to cache linked articles (think custom and personal wayback machine)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
387 Commits
1 Branch
Tree: 2e7a3591ea
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '2e7a3591ea'
${ noResults }
larlet-fr-david-cache/cache/2024/8ffe1e30cd3dd6446468bd6d035.../index.md

index.md 13KB
Raw Normal View History

Links
2 months ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200 
  1. title: ongoing by Tim Bray · OSQI

  2. url: https://www.tbray.org/ongoing/When/202x/2024/04/01/OSQI

  3. hash_url: 8ffe1e30cd3dd6446468bd6d03550457

  4. archive_date: 2024-04-04

  5. og_image: https://www.tbray.org/ongoing/misc/podcast-default.jpg

  6. description: 

  7. favicon: https://www.tbray.org/favicon.ico

  8. language: en_US

  9. 

  10. <p itemprop="description">I propose the formation of one or more “Open Source Quality Institutes”. An OSQI is a public-sector organization that

  11.     employs software engineers. Its mission would be to improve the quality, and especially safety, of popular

  12.     Open-Source software.</p>

  13. 

  14. <p id="p-5" class="p1"><span class="h2">Why?</span> · 

  15. The

  16.     <a href="https://en.wikipedia.org/wiki/XZ_utils_backdoor">XZ-Utils backdoor</a> (let’s just say <b>#XZ</b>) launched the train

  17.     of thought that led me 

  18.     to this idea.  If you read the story, it becomes obvious that the key vulnerability wasn’t technical, it was the fact that a

  19.     whole lot of Open-Source software is on the undermaintained-to-neglected axis, because there’s no business case for paying people

  20.     to take care of it. Which is a problem, because there is a <em>strong</em> business case for paying people to attack it.</p>

  21. 

  22. <p>There are other essential human activities that lack a business case, for example tertiary education,

  23.     potable water quality, and financial regulation. For these, we create non-capitalist constructs such as Universities and

  24.     Institutes and Agencies, because society needs these things done even if nobody can make money doing them.</p>

  25. 

  26. <p>I think we need to be paying more attention to the quality generally, and safety especially, of the Open-Source software

  27.     that has become the underlying platform for, more or less, our civilization. Thus OSQI.</p>

  28. 

  29. <p id="p-6" class="p1"><span class="h2">They’re out to get us</span> · 

  30. For me, the two big lessons from <b>#XZ</b> were first, the lack of resources supporting crucial Open-Source infrastructure,

  31.     but then and especially, the 

  32.     demonstration that the attackers are numerous, skilled <em>and patient</em>. We already knew about numerous and skilled but this

  33.     episode, where 

  34.     the attacker was already well-embedded in the project

  35.     <a href="https://www.mail-archive.com/xz-devel@tukaani.org/msg00562.html">by May 2022</a>, opened a few eyes, including

  36.     mine.</p>

  37. 

  38. <p>The advantage, to various flavors of malefactor, of subverting core pieces of Open-Source infrastructure, is

  39.     incalculable.  <b>#XZ</b> was the one we caught; how many have we missed?</p>

  40. 

  41. <p id="p-7" class="p1"><span class="h2">What’s OSQI?</span> · 

  42. It’s an organization created by a national government. Obviously, more nations than one could have an OSQI.</p>

  43. 

  44. <p>The vast majority of the staff would be relatively-senior

  45.     software 

  46.     engineers, with a small percentage of paranoid nontechnical security people

  47.     (see

  48.     <a href="OSQI#p-21">below</a>). You could do a lot with as few as 250 people, and

  49.     the burdened cost would be trivial for a substantial government.</p>

  50. 

  51. <p>Since it is a matter of obvious fact that every company in the

  52.     world with revenue of a billion or more is existentially dependent on Open Source, it would be reasonable to impose a levy of,

  53.     say, 0.1% of revenue on all such companies, to help support this work. The money needn’t be a problem.</p>

  54. 

  55. <p id="p-8" class="p1"><span class="h2">Structure</span> · 

  56. The selection of software packages that would get OSQI attention would be left to the organization, although there would be

  57.     avenues for anyone to request coverage. The engineering organization could be relatively flat, most people giving individual

  58.     attention to individual projects, then also ad-hoc teams forming for tool-building or crisis-handling when something like

  59.     <b>#XZ</b> blows up.</p>

  60. 

  61. <p id="p-10" class="p1"><span class="h2">Why would anyone work there?</span> · 

  62. The pay would be OK; less than you’d make at Google or Facebook, but a decent civil-service salary. There would be no

  63.     suspicion that your employer is trying to enshittify anything; in fact, you’d start work in the morning confident that you’re

  64.     trying to improve the world. The default work mode would be remote, so you could live somewhere a not-quite-Google salary would

  65.     support a very comfortable way of life.  There would be decent vacations and benefits and

  66.     (<em>*gasp*</em>) a pension.</p>

  67. 

  68. <p>And there is a certain class of person who would find everyday joy in peeking and poking and polishing

  69.     Open-Source packages that are depended on by millions of programmers and (indirectly) billions of humans. A couple of decades

  70.     ago I would have been one.</p>

  71. 

  72. <p>I don’t think recruiting would be a problem.</p>

  73. 

  74. <p>So, what are OSQI’s goals and non-goals?</p>

  75. 

  76. <p id="p-11" class="p1"><span class="h2">Goal: Safety</span> · 

  77. This has to come first. If all OSQI accomplishes is the foiling of a few <b>#XZ</b>-flavor attacks, and life becoming harder

  78.     for people making them, that’s just fine.</p>

  79. 

  80. <p id="p-12" class="p1"><span class="h2">Goal: Tool-building</span> · 

  81. I think it’s now conventional wisdom that Open Source’s biggest attack surfaces are dependency networks and build

  82.     tools. These are big and complex problems, but let’s be bold and set a high bar:</p>

  83. 

  84. <blockquote><p>Open-Source software should be built deterministically, verifiably, and reproducibly, from signed source-code

  85.     snapshots. These snapshots should be free of generated artifacts; every item in

  86.     the snapshot should be human-written and human-readable.</p>

  87. </blockquote>

  88. <p>For example: As

  89.     <a href="https://mastodon.social/@kornel">Kornel</a> said,

  90.     <a href="https://mastodon.social/@kornel/112187783363254917">Seriously, in retrospect, #autotools itself is a massive

  91.     supply-chain security risk.</a> No kidding!  But then everyone says “What are you gonna do, it’s wired into everything.”</p>

  92. 

  93. <p>There are alternatives; I know of

  94.     <a href="https://cmake.org">CMake</a> and

  95.     <a href="https://mesonbuild.com">Meson</a>. Are they good enough? I don’t know. Obviously, GNU AutoHell can’t be swept out of

  96.     all of the fœtid crannies where it lurks and festers, but every project from which it is scrubbed will present less

  97.     danger to the world.

  98.     I believe OSQI would have the scope to make real progress on this front.</p>

  99. 

  100. <p id="p-13" class="p1"><span class="h2">Non-goal: Features</span> · 

  101. OSQI should never invest engineering resources in adding cool features to Open-Source packages (with the possible exception

  102.     of build-and-test tools).  The Open-Source community is bursting with new-features energy, most coming from people who either

  103.     want to scratch their own itch or are facing a real blockage at work. They are way better positioned to make those improvements

  104.     than anyone at OSQI.</p>

  105. 

  106. <p id="p-23" class="p1"><span class="h2">Goal: Maintenance</span> · 

  107. Way too many deep-infra packages grow increasingly unmaintained as people age and become busy and tired and sick and dead. As I

  108.     was writing this, a

  109.     <a href="https://github.com/libexpat/libexpat/blob/R_2_6_2/expat/Changes">plea for help</a> came across my radar from Sebastian

  110.     Pipping, the excellent but unsupported and unfunded maintainer of

  111.     <a href="https://github.com/libexpat/libexpat/tree/R_2_6_2">Expat</a>, the world’s most popular XML parser.</p>

  112. 

  113. <p>And yeah, he’s part of a trend, one that notably included the now-infamous

  114.     <a href="https://en.wikipedia.org/wiki/XZ_Utils">XZ-Utils</a> package.</p>

  115. 

  116. <p>And so I think one useful task for OSQI would be taking over (ideally partial) maintenance duties for a lot of Open-Source projects

  117.     that have a high ratio of adoption to support. In some cases it would have to take a lower-intensity form, let’s call it “life

  118.     support”, where OSQI deals with vulnerability reports but flatly refuses to address any requests for features no matter how

  119.     trivial, and rejects all PRs unless they come from someone who’s willing to take on part of the maintenance load.</p>

  120. 

  121. <p>One benefit of having paid professionals doing this is that they will blow off the kind of social-engineering harassment that

  122.     the <b>#XZ</b> attacker inflicted on the XZ-Utils maintainer (see

  123.     <a href="https://research.swtch.com/xz-timeline">Russ Cox’s excellent timeline</a>) and which is unfortunately too common in the

  124.     Open-Source world generally.</p>

  125. 

  126. <p id="p-14" class="p1"><span class="h2">Goal: Benchmarking</span> · 

  127. Efficiency is an aspect of quality, and I think it would be perfectly reasonable for OSQI to engage in

  128.     benchmarking and optimization. There’s a non-obvious reason for this: <b>#XZ</b> was unmasked when a Postgres specialist noticed

  129.     performance problems.</p>

  130. 

  131. <p>I think that in general, if you’re a bad person trying to backdoor an Open-Source package, it’s going to

  132.     be hard to do without introducing performance glitches. I’ve

  133.     <a href="/ongoing/When/202x/2021/05/15/Testing-in-2021#p-13">long advocated</a> that unit and/or integration tests should

  134.     include a benchmark or two, just to avert well-intentioned performance regressions; if they handicap bad guys too, that’s a

  135.     bonus.</p>

  136. 

  137. <p id="p-15" class="p1"><span class="h2">Goal: Education and evangelism</span> · 

  138. OSQI staff will develop a deep shared pool of expertise in making Open-Source software safer and better, and

  139.     specifically in detecting and repelling multiple attack flavors. They should share it! Blogs, conferences, whatever. It even

  140.     occurred to me that it might make sense to structure OSQI as an educational institution; standalone or as a grad college of

  141.     something existing.</p>

  142. 

  143. <p>But what I’m talking about isn’t refereed JACM papers, but what my Dad, a Professor of Agriculture, called “Extension”:

  144.     Bringing the results of research directly to practitioners.</p>

  145. 

  146. <p id="p-16" class="p1"><span class="h2">Non-goal: Making standards</span> · 

  147. The world has enough standards organizations. I could see individual OSQI employees pitching in, though, at the IETF or IEEE

  148.     or W3C or wherever, with work on Infosec standards.</p>

  149. 

  150. <p>Which brings me to…</p>

  151. 

  152. <p id="p-17" class="p1"><span class="h2">Non-goal: Litigation</span> · 

  153. Or really any other enforcement-related activity. OSQI exists to fix problems, build tools, and share lessons. This is going

  154.     to be easier if nobody (except attackers) sees them as a threat, and if staff don’t have to think about how their work and

  155.     findings will play out in court.</p>

  156. 

  157. <p>And a related non-goal…</p>

  158. 

  159. <p id="p-18" class="p1"><span class="h2">Non-goal: Licensing</span> · 

  160. The intersection between the class of people who’d make good OSQI engineers and those who care about Open-Source

  161.     licenses is, thankfully, very small. I think OSQI should accept the license landscape that exists and work hard to avoid 

  162.     thinking about its theology.</p>

  163. 

  164. <p id="p-19" class="p1"><span class="h2">Non-goal: Certification</span> · 

  165. Once OSQI exists, the notion of “OSQI-approved” might arise. But it’d be a mistake;

  166.     OSQI should be an <em>engineering</em> organization; the cost (measured by required bureaucracy) to perform certification would

  167.     be brutal.</p>

  168. 

  169. <p id="p-20" class="p1"><span class="h2">Goal: Transparency</span> · 

  170. OSQI can’t afford to have any secrets, with the sole exception of freshly-discovered but still-undisclosed

  171.     vulnerabilities. And when those vulnerabilities are disclosed, the story of their discovery and characterization needs to be

  172.     shared entirely and completely.  This feels like a bare-minimum basis for building the level of trust that will be

  173.     required.</p>

  174. 

  175. <p id="p-21" class="p1"><span class="h2">Necessary paranoia</span> · 

  176. I discussed above why OSQI might be a nice place to work.  There will be a downside, though; you’ll lose a certain amount of

  177.     privacy. Because if OSQI succeeds, it will become a super-high-value target for our adversaries. In the natural course of

  178.     affairs, many employees would become committers on popular packages, increasing their attractiveness as targets for bribes or

  179.     blackmail.</p>

  180. 

  181. <p>I recall once, a very senior security leader at an Internet giant saying to me “We have thousands of engineers, and my job

  182.     requires me to believe that at least one of them also has another employer.”</p>

  183. 

  184. <p>So I think OSQI needs to employ a small number of paranoid traditional-security (not Infosec) experts to keep an eye on their

  185.     colleagues, audit their finances, and just be generally suspicious. These people would also

  186.     worry about OSQI’s physical and network security. Because attackers gonna attack.</p>

  187. 

  188. <p id="p-22" class="p1"><span class="h2">Pronunciation</span> · 

  189. Rhymes with “bosky”, of course. Also, people who work there are OSQIans. I’ve grabbed “osqi.org” and will cheerfully donate it

  190.     in the long-shot case that this idea gets traction.</p>

  191. 

  192. <p id="p-24" class="p1"><span class="h2">Are you serious?</span> · 

  193. Yeah. Except for, I no longer speak with the voice of a powerful employer.</p>

  194. 

  195. <p>Look: For

  196.     better or for worse, Open Source won. <i>[Narrator: Obviously, for better.]</i> That means it has become crucial civilizational

  197.     infrastucture, which governments should actively support and maintain, just like roads and dams and power grids.</p>

  198. 

  199. <p>It’s not so much that OSQI, or something  

  200.     like it, is a good idea; it’s that <em>not</em> trying to achieve these goals, in 2024, is dangerous and insane.</p>