|
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200 |
- title: ongoing by Tim Bray · OSQI
- url: https://www.tbray.org/ongoing/When/202x/2024/04/01/OSQI
- hash_url: 8ffe1e30cd3dd6446468bd6d03550457
- archive_date: 2024-04-04
- og_image: https://www.tbray.org/ongoing/misc/podcast-default.jpg
- description:
- favicon: https://www.tbray.org/favicon.ico
- language: en_US
-
- <p itemprop="description">I propose the formation of one or more “Open Source Quality Institutes”. An OSQI is a public-sector organization that
- employs software engineers. Its mission would be to improve the quality, and especially safety, of popular
- Open-Source software.</p>
-
- <p id="p-5" class="p1"><span class="h2">Why?</span> ·
- The
- <a href="https://en.wikipedia.org/wiki/XZ_utils_backdoor">XZ-Utils backdoor</a> (let’s just say <b>#XZ</b>) launched the train
- of thought that led me
- to this idea. If you read the story, it becomes obvious that the key vulnerability wasn’t technical, it was the fact that a
- whole lot of Open-Source software is on the undermaintained-to-neglected axis, because there’s no business case for paying people
- to take care of it. Which is a problem, because there is a <em>strong</em> business case for paying people to attack it.</p>
-
- <p>There are other essential human activities that lack a business case, for example tertiary education,
- potable water quality, and financial regulation. For these, we create non-capitalist constructs such as Universities and
- Institutes and Agencies, because society needs these things done even if nobody can make money doing them.</p>
-
- <p>I think we need to be paying more attention to the quality generally, and safety especially, of the Open-Source software
- that has become the underlying platform for, more or less, our civilization. Thus OSQI.</p>
-
- <p id="p-6" class="p1"><span class="h2">They’re out to get us</span> ·
- For me, the two big lessons from <b>#XZ</b> were first, the lack of resources supporting crucial Open-Source infrastructure,
- but then and especially, the
- demonstration that the attackers are numerous, skilled <em>and patient</em>. We already knew about numerous and skilled but this
- episode, where
- the attacker was already well-embedded in the project
- <a href="https://www.mail-archive.com/xz-devel@tukaani.org/msg00562.html">by May 2022</a>, opened a few eyes, including
- mine.</p>
-
- <p>The advantage, to various flavors of malefactor, of subverting core pieces of Open-Source infrastructure, is
- incalculable. <b>#XZ</b> was the one we caught; how many have we missed?</p>
-
- <p id="p-7" class="p1"><span class="h2">What’s OSQI?</span> ·
- It’s an organization created by a national government. Obviously, more nations than one could have an OSQI.</p>
-
- <p>The vast majority of the staff would be relatively-senior
- software
- engineers, with a small percentage of paranoid nontechnical security people
- (see
- <a href="OSQI#p-21">below</a>). You could do a lot with as few as 250 people, and
- the burdened cost would be trivial for a substantial government.</p>
-
- <p>Since it is a matter of obvious fact that every company in the
- world with revenue of a billion or more is existentially dependent on Open Source, it would be reasonable to impose a levy of,
- say, 0.1% of revenue on all such companies, to help support this work. The money needn’t be a problem.</p>
-
- <p id="p-8" class="p1"><span class="h2">Structure</span> ·
- The selection of software packages that would get OSQI attention would be left to the organization, although there would be
- avenues for anyone to request coverage. The engineering organization could be relatively flat, most people giving individual
- attention to individual projects, then also ad-hoc teams forming for tool-building or crisis-handling when something like
- <b>#XZ</b> blows up.</p>
-
- <p id="p-10" class="p1"><span class="h2">Why would anyone work there?</span> ·
- The pay would be OK; less than you’d make at Google or Facebook, but a decent civil-service salary. There would be no
- suspicion that your employer is trying to enshittify anything; in fact, you’d start work in the morning confident that you’re
- trying to improve the world. The default work mode would be remote, so you could live somewhere a not-quite-Google salary would
- support a very comfortable way of life. There would be decent vacations and benefits and
- (<em>*gasp*</em>) a pension.</p>
-
- <p>And there is a certain class of person who would find everyday joy in peeking and poking and polishing
- Open-Source packages that are depended on by millions of programmers and (indirectly) billions of humans. A couple of decades
- ago I would have been one.</p>
-
- <p>I don’t think recruiting would be a problem.</p>
-
- <p>So, what are OSQI’s goals and non-goals?</p>
-
- <p id="p-11" class="p1"><span class="h2">Goal: Safety</span> ·
- This has to come first. If all OSQI accomplishes is the foiling of a few <b>#XZ</b>-flavor attacks, and life becoming harder
- for people making them, that’s just fine.</p>
-
- <p id="p-12" class="p1"><span class="h2">Goal: Tool-building</span> ·
- I think it’s now conventional wisdom that Open Source’s biggest attack surfaces are dependency networks and build
- tools. These are big and complex problems, but let’s be bold and set a high bar:</p>
-
- <blockquote><p>Open-Source software should be built deterministically, verifiably, and reproducibly, from signed source-code
- snapshots. These snapshots should be free of generated artifacts; every item in
- the snapshot should be human-written and human-readable.</p>
- </blockquote>
- <p>For example: As
- <a href="https://mastodon.social/@kornel">Kornel</a> said,
- <a href="https://mastodon.social/@kornel/112187783363254917">Seriously, in retrospect, #autotools itself is a massive
- supply-chain security risk.</a> No kidding! But then everyone says “What are you gonna do, it’s wired into everything.”</p>
-
- <p>There are alternatives; I know of
- <a href="https://cmake.org">CMake</a> and
- <a href="https://mesonbuild.com">Meson</a>. Are they good enough? I don’t know. Obviously, GNU AutoHell can’t be swept out of
- all of the fœtid crannies where it lurks and festers, but every project from which it is scrubbed will present less
- danger to the world.
- I believe OSQI would have the scope to make real progress on this front.</p>
-
- <p id="p-13" class="p1"><span class="h2">Non-goal: Features</span> ·
- OSQI should never invest engineering resources in adding cool features to Open-Source packages (with the possible exception
- of build-and-test tools). The Open-Source community is bursting with new-features energy, most coming from people who either
- want to scratch their own itch or are facing a real blockage at work. They are way better positioned to make those improvements
- than anyone at OSQI.</p>
-
- <p id="p-23" class="p1"><span class="h2">Goal: Maintenance</span> ·
- Way too many deep-infra packages grow increasingly unmaintained as people age and become busy and tired and sick and dead. As I
- was writing this, a
- <a href="https://github.com/libexpat/libexpat/blob/R_2_6_2/expat/Changes">plea for help</a> came across my radar from Sebastian
- Pipping, the excellent but unsupported and unfunded maintainer of
- <a href="https://github.com/libexpat/libexpat/tree/R_2_6_2">Expat</a>, the world’s most popular XML parser.</p>
-
- <p>And yeah, he’s part of a trend, one that notably included the now-infamous
- <a href="https://en.wikipedia.org/wiki/XZ_Utils">XZ-Utils</a> package.</p>
-
- <p>And so I think one useful task for OSQI would be taking over (ideally partial) maintenance duties for a lot of Open-Source projects
- that have a high ratio of adoption to support. In some cases it would have to take a lower-intensity form, let’s call it “life
- support”, where OSQI deals with vulnerability reports but flatly refuses to address any requests for features no matter how
- trivial, and rejects all PRs unless they come from someone who’s willing to take on part of the maintenance load.</p>
-
- <p>One benefit of having paid professionals doing this is that they will blow off the kind of social-engineering harassment that
- the <b>#XZ</b> attacker inflicted on the XZ-Utils maintainer (see
- <a href="https://research.swtch.com/xz-timeline">Russ Cox’s excellent timeline</a>) and which is unfortunately too common in the
- Open-Source world generally.</p>
-
- <p id="p-14" class="p1"><span class="h2">Goal: Benchmarking</span> ·
- Efficiency is an aspect of quality, and I think it would be perfectly reasonable for OSQI to engage in
- benchmarking and optimization. There’s a non-obvious reason for this: <b>#XZ</b> was unmasked when a Postgres specialist noticed
- performance problems.</p>
-
- <p>I think that in general, if you’re a bad person trying to backdoor an Open-Source package, it’s going to
- be hard to do without introducing performance glitches. I’ve
- <a href="/ongoing/When/202x/2021/05/15/Testing-in-2021#p-13">long advocated</a> that unit and/or integration tests should
- include a benchmark or two, just to avert well-intentioned performance regressions; if they handicap bad guys too, that’s a
- bonus.</p>
-
- <p id="p-15" class="p1"><span class="h2">Goal: Education and evangelism</span> ·
- OSQI staff will develop a deep shared pool of expertise in making Open-Source software safer and better, and
- specifically in detecting and repelling multiple attack flavors. They should share it! Blogs, conferences, whatever. It even
- occurred to me that it might make sense to structure OSQI as an educational institution; standalone or as a grad college of
- something existing.</p>
-
- <p>But what I’m talking about isn’t refereed JACM papers, but what my Dad, a Professor of Agriculture, called “Extension”:
- Bringing the results of research directly to practitioners.</p>
-
- <p id="p-16" class="p1"><span class="h2">Non-goal: Making standards</span> ·
- The world has enough standards organizations. I could see individual OSQI employees pitching in, though, at the IETF or IEEE
- or W3C or wherever, with work on Infosec standards.</p>
-
- <p>Which brings me to…</p>
-
- <p id="p-17" class="p1"><span class="h2">Non-goal: Litigation</span> ·
- Or really any other enforcement-related activity. OSQI exists to fix problems, build tools, and share lessons. This is going
- to be easier if nobody (except attackers) sees them as a threat, and if staff don’t have to think about how their work and
- findings will play out in court.</p>
-
- <p>And a related non-goal…</p>
-
- <p id="p-18" class="p1"><span class="h2">Non-goal: Licensing</span> ·
- The intersection between the class of people who’d make good OSQI engineers and those who care about Open-Source
- licenses is, thankfully, very small. I think OSQI should accept the license landscape that exists and work hard to avoid
- thinking about its theology.</p>
-
- <p id="p-19" class="p1"><span class="h2">Non-goal: Certification</span> ·
- Once OSQI exists, the notion of “OSQI-approved” might arise. But it’d be a mistake;
- OSQI should be an <em>engineering</em> organization; the cost (measured by required bureaucracy) to perform certification would
- be brutal.</p>
-
- <p id="p-20" class="p1"><span class="h2">Goal: Transparency</span> ·
- OSQI can’t afford to have any secrets, with the sole exception of freshly-discovered but still-undisclosed
- vulnerabilities. And when those vulnerabilities are disclosed, the story of their discovery and characterization needs to be
- shared entirely and completely. This feels like a bare-minimum basis for building the level of trust that will be
- required.</p>
-
- <p id="p-21" class="p1"><span class="h2">Necessary paranoia</span> ·
- I discussed above why OSQI might be a nice place to work. There will be a downside, though; you’ll lose a certain amount of
- privacy. Because if OSQI succeeds, it will become a super-high-value target for our adversaries. In the natural course of
- affairs, many employees would become committers on popular packages, increasing their attractiveness as targets for bribes or
- blackmail.</p>
-
- <p>I recall once, a very senior security leader at an Internet giant saying to me “We have thousands of engineers, and my job
- requires me to believe that at least one of them also has another employer.”</p>
-
- <p>So I think OSQI needs to employ a small number of paranoid traditional-security (not Infosec) experts to keep an eye on their
- colleagues, audit their finances, and just be generally suspicious. These people would also
- worry about OSQI’s physical and network security. Because attackers gonna attack.</p>
-
- <p id="p-22" class="p1"><span class="h2">Pronunciation</span> ·
- Rhymes with “bosky”, of course. Also, people who work there are OSQIans. I’ve grabbed “osqi.org” and will cheerfully donate it
- in the long-shot case that this idea gets traction.</p>
-
- <p id="p-24" class="p1"><span class="h2">Are you serious?</span> ·
- Yeah. Except for, I no longer speak with the voice of a powerful employer.</p>
-
- <p>Look: For
- better or for worse, Open Source won. <i>[Narrator: Obviously, for better.]</i> That means it has become crucial civilizational
- infrastucture, which governments should actively support and maintain, just like roads and dams and power grids.</p>
-
- <p>It’s not so much that OSQI, or something
- like it, is a good idea; it’s that <em>not</em> trying to achieve these goals, in 2024, is dangerous and insane.</p>
|