larlet-fr-david-cache/cache/2024/8ffe1e30cd3dd6446468bd6d03550457/index.html

<!doctype html><!-- This is a valid HTML5 document. -->
<!-- Screen readers, SEO, extensions and so on. -->
<html lang="en">
<!-- Has to be within the first 1024 bytes, hence before the `title` element
  See: https://www.w3.org/TR/2012/CR-html5-20121217/document-metadata.html#charset -->
<meta charset="utf-8">
<!-- Why no `X-UA-Compatible` meta: https://stackoverflow.com/a/6771584 -->
<!-- The viewport meta is quite crowded and we are responsible for that.
  See: https://codepen.io/tigt/post/meta-viewport-for-2015 -->
<meta name="viewport" content="width=device-width,initial-scale=1">
<!-- Required to make a valid HTML5 document. -->
<title>ongoing by Tim Bray · OSQI (archive) — David Larlet</title>
<meta name="description" content="Publication mise en cache pour en conserver une trace.">
<!-- That good ol' feed, subscribe :). -->
<link rel="alternate" type="application/atom+xml" title="Feed" href="/david/log/">
<!-- Generated from https://realfavicongenerator.net/ such a mess. -->
<link rel="apple-touch-icon" sizes="180x180" href="/static/david/icons2/apple-touch-icon.png">
<link rel="icon" type="image/png" sizes="32x32" href="/static/david/icons2/favicon-32x32.png">
<link rel="icon" type="image/png" sizes="16x16" href="/static/david/icons2/favicon-16x16.png">
<link rel="manifest" href="/static/david/icons2/site.webmanifest">
<link rel="mask-icon" href="/static/david/icons2/safari-pinned-tab.svg" color="#07486c">
<link rel="shortcut icon" href="/static/david/icons2/favicon.ico">
<meta name="msapplication-TileColor" content="#f7f7f7">
<meta name="msapplication-config" content="/static/david/icons2/browserconfig.xml">
<meta name="theme-color" content="#f7f7f7" media="(prefers-color-scheme: light)">
<meta name="theme-color" content="#272727" media="(prefers-color-scheme: dark)">
<!-- Is that even respected? Retrospectively? What a shAItshow…
  https://neil-clarke.com/block-the-bots-that-feed-ai-models-by-scraping-your-website/ -->
<meta name="robots" content="noai, noimageai">
<!-- Documented, feel free to shoot an email. -->
<link rel="stylesheet" href="/static/david/css/style_2021-01-20.css">
<!-- See https://www.zachleat.com/web/comprehensive-webfonts/ for the trade-off. -->
<link rel="preload" href="/static/david/css/fonts/triplicate_t4_poly_regular.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: light), (prefers-color-scheme: no-preference)" crossorigin>
<link rel="preload" href="/static/david/css/fonts/triplicate_t4_poly_bold.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: light), (prefers-color-scheme: no-preference)" crossorigin>
<link rel="preload" href="/static/david/css/fonts/triplicate_t4_poly_italic.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: light), (prefers-color-scheme: no-preference)" crossorigin>
<link rel="preload" href="/static/david/css/fonts/triplicate_t3_regular.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: dark)" crossorigin>
<link rel="preload" href="/static/david/css/fonts/triplicate_t3_bold.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: dark)" crossorigin>
<link rel="preload" href="/static/david/css/fonts/triplicate_t3_italic.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: dark)" crossorigin>
<script>
    function toggleTheme(themeName) {
        document.documentElement.classList.toggle(
            'forced-dark',
            themeName === 'dark'
        )
        document.documentElement.classList.toggle(
            'forced-light',
            themeName === 'light'
        )
    }
    const selectedTheme = localStorage.getItem('theme')
    if (selectedTheme !== 'undefined') {
        toggleTheme(selectedTheme)
    }
</script>

  <meta name="robots" content="noindex, nofollow">
  <meta content="origin-when-cross-origin" name="referrer">
  <!-- Canonical URL for SEO purposes -->
  <link rel="canonical" href="https://www.tbray.org/ongoing/When/202x/2024/04/01/OSQI">

<body class="remarkdown h1-underline h2-underline h3-underline em-underscore hr-center ul-star pre-tick" data-instant-intensity="viewport-all">


<article>
  <header>
    <h1>ongoing by Tim Bray · OSQI</h1>
  </header>
  <nav>
    <p class="center">
      <a href="/david/" title="Aller à l’accueil"><svg class="icon icon-home">
        <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-home"></use>
      </svg> Accueil</a> •
      <a href="https://www.tbray.org/ongoing/When/202x/2024/04/01/OSQI" title="Lien vers le contenu original">Source originale</a>
      <br>
      Mis en cache le 2024-04-04
    </p>
  </nav>
  <hr>
  <p itemprop="description">I propose the formation of one or more “Open Source Quality Institutes”. An OSQI is a public-sector organization that
    employs software engineers. Its mission would be to improve the quality, and especially safety, of popular
    Open-Source software.</p>

<p id="p-5" class="p1"><span class="h2">Why?</span> · 
The
    <a href="https://en.wikipedia.org/wiki/XZ_utils_backdoor">XZ-Utils backdoor</a> (let’s just say <b>#XZ</b>) launched the train
    of thought that led me 
    to this idea.  If you read the story, it becomes obvious that the key vulnerability wasn’t technical, it was the fact that a
    whole lot of Open-Source software is on the undermaintained-to-neglected axis, because there’s no business case for paying people
    to take care of it. Which is a problem, because there is a <em>strong</em> business case for paying people to attack it.</p>

<p>There are other essential human activities that lack a business case, for example tertiary education,
    potable water quality, and financial regulation. For these, we create non-capitalist constructs such as Universities and
    Institutes and Agencies, because society needs these things done even if nobody can make money doing them.</p>

<p>I think we need to be paying more attention to the quality generally, and safety especially, of the Open-Source software
    that has become the underlying platform for, more or less, our civilization. Thus OSQI.</p>

<p id="p-6" class="p1"><span class="h2">They’re out to get us</span> · 
For me, the two big lessons from <b>#XZ</b> were first, the lack of resources supporting crucial Open-Source infrastructure,
    but then and especially, the 
    demonstration that the attackers are numerous, skilled <em>and patient</em>. We already knew about numerous and skilled but this
    episode, where 
    the attacker was already well-embedded in the project
    <a href="https://www.mail-archive.com/xz-devel@tukaani.org/msg00562.html">by May 2022</a>, opened a few eyes, including
    mine.</p>

<p>The advantage, to various flavors of malefactor, of subverting core pieces of Open-Source infrastructure, is
    incalculable.  <b>#XZ</b> was the one we caught; how many have we missed?</p>

<p id="p-7" class="p1"><span class="h2">What’s OSQI?</span> · 
It’s an organization created by a national government. Obviously, more nations than one could have an OSQI.</p>

<p>The vast majority of the staff would be relatively-senior
    software 
    engineers, with a small percentage of paranoid nontechnical security people
    (see
    <a href="OSQI#p-21">below</a>). You could do a lot with as few as 250 people, and
    the burdened cost would be trivial for a substantial government.</p>

<p>Since it is a matter of obvious fact that every company in the
    world with revenue of a billion or more is existentially dependent on Open Source, it would be reasonable to impose a levy of,
    say, 0.1% of revenue on all such companies, to help support this work. The money needn’t be a problem.</p>

<p id="p-8" class="p1"><span class="h2">Structure</span> · 
The selection of software packages that would get OSQI attention would be left to the organization, although there would be
    avenues for anyone to request coverage. The engineering organization could be relatively flat, most people giving individual
    attention to individual projects, then also ad-hoc teams forming for tool-building or crisis-handling when something like
    <b>#XZ</b> blows up.</p>

<p id="p-10" class="p1"><span class="h2">Why would anyone work there?</span> · 
The pay would be OK; less than you’d make at Google or Facebook, but a decent civil-service salary. There would be no
    suspicion that your employer is trying to enshittify anything; in fact, you’d start work in the morning confident that you’re
    trying to improve the world. The default work mode would be remote, so you could live somewhere a not-quite-Google salary would
    support a very comfortable way of life.  There would be decent vacations and benefits and
    (<em>*gasp*</em>) a pension.</p>

<p>And there is a certain class of person who would find everyday joy in peeking and poking and polishing
    Open-Source packages that are depended on by millions of programmers and (indirectly) billions of humans. A couple of decades
    ago I would have been one.</p>

<p>I don’t think recruiting would be a problem.</p>

<p>So, what are OSQI’s goals and non-goals?</p>

<p id="p-11" class="p1"><span class="h2">Goal: Safety</span> · 
This has to come first. If all OSQI accomplishes is the foiling of a few <b>#XZ</b>-flavor attacks, and life becoming harder
    for people making them, that’s just fine.</p>

<p id="p-12" class="p1"><span class="h2">Goal: Tool-building</span> · 
I think it’s now conventional wisdom that Open Source’s biggest attack surfaces are dependency networks and build
    tools. These are big and complex problems, but let’s be bold and set a high bar:</p>

<blockquote><p>Open-Source software should be built deterministically, verifiably, and reproducibly, from signed source-code
    snapshots. These snapshots should be free of generated artifacts; every item in
    the snapshot should be human-written and human-readable.</p>
</blockquote>
<p>For example: As
    <a href="https://mastodon.social/@kornel">Kornel</a> said,
    <a href="https://mastodon.social/@kornel/112187783363254917">Seriously, in retrospect, #autotools itself is a massive
    supply-chain security risk.</a> No kidding!  But then everyone says “What are you gonna do, it’s wired into everything.”</p>

<p>There are alternatives; I know of
    <a href="https://cmake.org">CMake</a> and
    <a href="https://mesonbuild.com">Meson</a>. Are they good enough? I don’t know. Obviously, GNU AutoHell can’t be swept out of
    all of the fœtid crannies where it lurks and festers, but every project from which it is scrubbed will present less
    danger to the world.
    I believe OSQI would have the scope to make real progress on this front.</p>

<p id="p-13" class="p1"><span class="h2">Non-goal: Features</span> · 
OSQI should never invest engineering resources in adding cool features to Open-Source packages (with the possible exception
    of build-and-test tools).  The Open-Source community is bursting with new-features energy, most coming from people who either
    want to scratch their own itch or are facing a real blockage at work. They are way better positioned to make those improvements
    than anyone at OSQI.</p>

<p id="p-23" class="p1"><span class="h2">Goal: Maintenance</span> · 
Way too many deep-infra packages grow increasingly unmaintained as people age and become busy and tired and sick and dead. As I
    was writing this, a
    <a href="https://github.com/libexpat/libexpat/blob/R_2_6_2/expat/Changes">plea for help</a> came across my radar from Sebastian
    Pipping, the excellent but unsupported and unfunded maintainer of
    <a href="https://github.com/libexpat/libexpat/tree/R_2_6_2">Expat</a>, the world’s most popular XML parser.</p>

<p>And yeah, he’s part of a trend, one that notably included the now-infamous
    <a href="https://en.wikipedia.org/wiki/XZ_Utils">XZ-Utils</a> package.</p>

<p>And so I think one useful task for OSQI would be taking over (ideally partial) maintenance duties for a lot of Open-Source projects
    that have a high ratio of adoption to support. In some cases it would have to take a lower-intensity form, let’s call it “life
    support”, where OSQI deals with vulnerability reports but flatly refuses to address any requests for features no matter how
    trivial, and rejects all PRs unless they come from someone who’s willing to take on part of the maintenance load.</p>

<p>One benefit of having paid professionals doing this is that they will blow off the kind of social-engineering harassment that
    the <b>#XZ</b> attacker inflicted on the XZ-Utils maintainer (see
    <a href="https://research.swtch.com/xz-timeline">Russ Cox’s excellent timeline</a>) and which is unfortunately too common in the
    Open-Source world generally.</p>

<p id="p-14" class="p1"><span class="h2">Goal: Benchmarking</span> · 
Efficiency is an aspect of quality, and I think it would be perfectly reasonable for OSQI to engage in
    benchmarking and optimization. There’s a non-obvious reason for this: <b>#XZ</b> was unmasked when a Postgres specialist noticed
    performance problems.</p>

<p>I think that in general, if you’re a bad person trying to backdoor an Open-Source package, it’s going to
    be hard to do without introducing performance glitches. I’ve
    <a href="/ongoing/When/202x/2021/05/15/Testing-in-2021#p-13">long advocated</a> that unit and/or integration tests should
    include a benchmark or two, just to avert well-intentioned performance regressions; if they handicap bad guys too, that’s a
    bonus.</p>

<p id="p-15" class="p1"><span class="h2">Goal: Education and evangelism</span> · 
OSQI staff will develop a deep shared pool of expertise in making Open-Source software safer and better, and
    specifically in detecting and repelling multiple attack flavors. They should share it! Blogs, conferences, whatever. It even
    occurred to me that it might make sense to structure OSQI as an educational institution; standalone or as a grad college of
    something existing.</p>

<p>But what I’m talking about isn’t refereed JACM papers, but what my Dad, a Professor of Agriculture, called “Extension”:
    Bringing the results of research directly to practitioners.</p>

<p id="p-16" class="p1"><span class="h2">Non-goal: Making standards</span> · 
The world has enough standards organizations. I could see individual OSQI employees pitching in, though, at the IETF or IEEE
    or W3C or wherever, with work on Infosec standards.</p>

<p>Which brings me to…</p>

<p id="p-17" class="p1"><span class="h2">Non-goal: Litigation</span> · 
Or really any other enforcement-related activity. OSQI exists to fix problems, build tools, and share lessons. This is going
    to be easier if nobody (except attackers) sees them as a threat, and if staff don’t have to think about how their work and
    findings will play out in court.</p>

<p>And a related non-goal…</p>

<p id="p-18" class="p1"><span class="h2">Non-goal: Licensing</span> · 
The intersection between the class of people who’d make good OSQI engineers and those who care about Open-Source
    licenses is, thankfully, very small. I think OSQI should accept the license landscape that exists and work hard to avoid 
    thinking about its theology.</p>

<p id="p-19" class="p1"><span class="h2">Non-goal: Certification</span> · 
Once OSQI exists, the notion of “OSQI-approved” might arise. But it’d be a mistake;
    OSQI should be an <em>engineering</em> organization; the cost (measured by required bureaucracy) to perform certification would
    be brutal.</p>

<p id="p-20" class="p1"><span class="h2">Goal: Transparency</span> · 
OSQI can’t afford to have any secrets, with the sole exception of freshly-discovered but still-undisclosed
    vulnerabilities. And when those vulnerabilities are disclosed, the story of their discovery and characterization needs to be
    shared entirely and completely.  This feels like a bare-minimum basis for building the level of trust that will be
    required.</p>

<p id="p-21" class="p1"><span class="h2">Necessary paranoia</span> · 
I discussed above why OSQI might be a nice place to work.  There will be a downside, though; you’ll lose a certain amount of
    privacy. Because if OSQI succeeds, it will become a super-high-value target for our adversaries. In the natural course of
    affairs, many employees would become committers on popular packages, increasing their attractiveness as targets for bribes or
    blackmail.</p>

<p>I recall once, a very senior security leader at an Internet giant saying to me “We have thousands of engineers, and my job
    requires me to believe that at least one of them also has another employer.”</p>

<p>So I think OSQI needs to employ a small number of paranoid traditional-security (not Infosec) experts to keep an eye on their
    colleagues, audit their finances, and just be generally suspicious. These people would also
    worry about OSQI’s physical and network security. Because attackers gonna attack.</p>

<p id="p-22" class="p1"><span class="h2">Pronunciation</span> · 
Rhymes with “bosky”, of course. Also, people who work there are OSQIans. I’ve grabbed “osqi.org” and will cheerfully donate it
    in the long-shot case that this idea gets traction.</p>

<p id="p-24" class="p1"><span class="h2">Are you serious?</span> · 
Yeah. Except for, I no longer speak with the voice of a powerful employer.</p>

<p>Look: For
    better or for worse, Open Source won. <i>[Narrator: Obviously, for better.]</i> That means it has become crucial civilizational
    infrastucture, which governments should actively support and maintain, just like roads and dams and power grids.</p>

<p>It’s not so much that OSQI, or something  
    like it, is a good idea; it’s that <em>not</em> trying to achieve these goals, in 2024, is dangerous and insane.</p>
</article>


<hr>

<footer>
  <p>
    <a href="/david/" title="Aller à l’accueil"><svg class="icon icon-home">
        <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-home"></use>
      </svg> Accueil</a> •
    <a href="/david/log/" title="Accès au flux RSS"><svg class="icon icon-rss2">
        <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-rss2"></use>
      </svg> Suivre</a> •
    <a href="http://larlet.com" title="Go to my English profile" data-instant><svg class="icon icon-user-tie">
        <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-user-tie"></use>
      </svg> Pro</a> •
    <a href="mailto:david%40larlet.fr" title="Envoyer un courriel"><svg class="icon icon-mail">
        <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-mail"></use>
      </svg> Email</a> •
    <abbr class="nowrap" title="Hébergeur : Alwaysdata, 62 rue Tiquetonne 75002 Paris, +33184162340"><svg class="icon icon-hammer2">
        <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-hammer2"></use>
      </svg> Légal</abbr>
  </p>
  <template id="theme-selector">
      <form>
          <fieldset>
              <legend><svg class="icon icon-brightness-contrast">
                <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-brightness-contrast"></use>
              </svg> Thème</legend>
              <label>
                  <input type="radio" value="auto" name="chosen-color-scheme" checked> Auto
              </label>
              <label>
                  <input type="radio" value="dark" name="chosen-color-scheme"> Foncé
              </label>
              <label>
                  <input type="radio" value="light" name="chosen-color-scheme"> Clair
              </label>
          </fieldset>
      </form>
  </template>
</footer>
<script src="/static/david/js/instantpage-5.1.0.min.js" type="module"></script>
<script>
    function loadThemeForm(templateName) {
        const themeSelectorTemplate = document.querySelector(templateName)
        const form = themeSelectorTemplate.content.firstElementChild
        themeSelectorTemplate.replaceWith(form)

        form.addEventListener('change', (e) => {
            const chosenColorScheme = e.target.value
            localStorage.setItem('theme', chosenColorScheme)
            toggleTheme(chosenColorScheme)
        })

        const selectedTheme = localStorage.getItem('theme')
        if (selectedTheme && selectedTheme !== 'undefined') {
            form.querySelector(`[value="${selectedTheme}"]`).checked = true
        }
    }

    const prefersColorSchemeDark = '(prefers-color-scheme: dark)'
    window.addEventListener('load', () => {
        let hasDarkRules = false
        for (const styleSheet of Array.from(document.styleSheets)) {
            let mediaRules = []
            for (const cssRule of styleSheet.cssRules) {
                if (cssRule.type !== CSSRule.MEDIA_RULE) {
                    continue
                }
                // WARNING: Safari does not have/supports `conditionText`.
                if (cssRule.conditionText) {
                    if (cssRule.conditionText !== prefersColorSchemeDark) {
                        continue
                    }
                } else {
                    if (cssRule.cssText.startsWith(prefersColorSchemeDark)) {
                        continue
                    }
                }
                mediaRules = mediaRules.concat(Array.from(cssRule.cssRules))
            }

            // WARNING: do not try to insert a Rule to a styleSheet you are
            // currently iterating on, otherwise the browser will be stuck
            // in a infinite loop…
            for (const mediaRule of mediaRules) {
                styleSheet.insertRule(mediaRule.cssText)
                hasDarkRules = true
            }
        }
        if (hasDarkRules) {
            loadThemeForm('#theme-selector')
        }
    })
</script>
</body>
</html>