123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367 |
- <!doctype html><!-- This is a valid HTML5 document. -->
- <!-- Screen readers, SEO, extensions and so on. -->
- <html lang="en">
- <!-- Has to be within the first 1024 bytes, hence before the `title` element
- See: https://www.w3.org/TR/2012/CR-html5-20121217/document-metadata.html#charset -->
- <meta charset="utf-8">
- <!-- Why no `X-UA-Compatible` meta: https://stackoverflow.com/a/6771584 -->
- <!-- The viewport meta is quite crowded and we are responsible for that.
- See: https://codepen.io/tigt/post/meta-viewport-for-2015 -->
- <meta name="viewport" content="width=device-width,initial-scale=1">
- <!-- Required to make a valid HTML5 document. -->
- <title>ongoing by Tim Bray · OSQI (archive) — David Larlet</title>
- <meta name="description" content="Publication mise en cache pour en conserver une trace.">
- <!-- That good ol' feed, subscribe :). -->
- <link rel="alternate" type="application/atom+xml" title="Feed" href="/david/log/">
- <!-- Generated from https://realfavicongenerator.net/ such a mess. -->
- <link rel="apple-touch-icon" sizes="180x180" href="/static/david/icons2/apple-touch-icon.png">
- <link rel="icon" type="image/png" sizes="32x32" href="/static/david/icons2/favicon-32x32.png">
- <link rel="icon" type="image/png" sizes="16x16" href="/static/david/icons2/favicon-16x16.png">
- <link rel="manifest" href="/static/david/icons2/site.webmanifest">
- <link rel="mask-icon" href="/static/david/icons2/safari-pinned-tab.svg" color="#07486c">
- <link rel="shortcut icon" href="/static/david/icons2/favicon.ico">
- <meta name="msapplication-TileColor" content="#f7f7f7">
- <meta name="msapplication-config" content="/static/david/icons2/browserconfig.xml">
- <meta name="theme-color" content="#f7f7f7" media="(prefers-color-scheme: light)">
- <meta name="theme-color" content="#272727" media="(prefers-color-scheme: dark)">
- <!-- Is that even respected? Retrospectively? What a shAItshow…
- https://neil-clarke.com/block-the-bots-that-feed-ai-models-by-scraping-your-website/ -->
- <meta name="robots" content="noai, noimageai">
- <!-- Documented, feel free to shoot an email. -->
- <link rel="stylesheet" href="/static/david/css/style_2021-01-20.css">
- <!-- See https://www.zachleat.com/web/comprehensive-webfonts/ for the trade-off. -->
- <link rel="preload" href="/static/david/css/fonts/triplicate_t4_poly_regular.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: light), (prefers-color-scheme: no-preference)" crossorigin>
- <link rel="preload" href="/static/david/css/fonts/triplicate_t4_poly_bold.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: light), (prefers-color-scheme: no-preference)" crossorigin>
- <link rel="preload" href="/static/david/css/fonts/triplicate_t4_poly_italic.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: light), (prefers-color-scheme: no-preference)" crossorigin>
- <link rel="preload" href="/static/david/css/fonts/triplicate_t3_regular.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: dark)" crossorigin>
- <link rel="preload" href="/static/david/css/fonts/triplicate_t3_bold.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: dark)" crossorigin>
- <link rel="preload" href="/static/david/css/fonts/triplicate_t3_italic.woff2" as="font" type="font/woff2" media="(prefers-color-scheme: dark)" crossorigin>
- <script>
- function toggleTheme(themeName) {
- document.documentElement.classList.toggle(
- 'forced-dark',
- themeName === 'dark'
- )
- document.documentElement.classList.toggle(
- 'forced-light',
- themeName === 'light'
- )
- }
- const selectedTheme = localStorage.getItem('theme')
- if (selectedTheme !== 'undefined') {
- toggleTheme(selectedTheme)
- }
- </script>
-
- <meta name="robots" content="noindex, nofollow">
- <meta content="origin-when-cross-origin" name="referrer">
- <!-- Canonical URL for SEO purposes -->
- <link rel="canonical" href="https://www.tbray.org/ongoing/When/202x/2024/04/01/OSQI">
-
- <body class="remarkdown h1-underline h2-underline h3-underline em-underscore hr-center ul-star pre-tick" data-instant-intensity="viewport-all">
-
-
- <article>
- <header>
- <h1>ongoing by Tim Bray · OSQI</h1>
- </header>
- <nav>
- <p class="center">
- <a href="/david/" title="Aller à l’accueil"><svg class="icon icon-home">
- <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-home"></use>
- </svg> Accueil</a> •
- <a href="https://www.tbray.org/ongoing/When/202x/2024/04/01/OSQI" title="Lien vers le contenu original">Source originale</a>
- <br>
- Mis en cache le 2024-04-04
- </p>
- </nav>
- <hr>
- <p itemprop="description">I propose the formation of one or more “Open Source Quality Institutes”. An OSQI is a public-sector organization that
- employs software engineers. Its mission would be to improve the quality, and especially safety, of popular
- Open-Source software.</p>
-
- <p id="p-5" class="p1"><span class="h2">Why?</span> ·
- The
- <a href="https://en.wikipedia.org/wiki/XZ_utils_backdoor">XZ-Utils backdoor</a> (let’s just say <b>#XZ</b>) launched the train
- of thought that led me
- to this idea. If you read the story, it becomes obvious that the key vulnerability wasn’t technical, it was the fact that a
- whole lot of Open-Source software is on the undermaintained-to-neglected axis, because there’s no business case for paying people
- to take care of it. Which is a problem, because there is a <em>strong</em> business case for paying people to attack it.</p>
-
- <p>There are other essential human activities that lack a business case, for example tertiary education,
- potable water quality, and financial regulation. For these, we create non-capitalist constructs such as Universities and
- Institutes and Agencies, because society needs these things done even if nobody can make money doing them.</p>
-
- <p>I think we need to be paying more attention to the quality generally, and safety especially, of the Open-Source software
- that has become the underlying platform for, more or less, our civilization. Thus OSQI.</p>
-
- <p id="p-6" class="p1"><span class="h2">They’re out to get us</span> ·
- For me, the two big lessons from <b>#XZ</b> were first, the lack of resources supporting crucial Open-Source infrastructure,
- but then and especially, the
- demonstration that the attackers are numerous, skilled <em>and patient</em>. We already knew about numerous and skilled but this
- episode, where
- the attacker was already well-embedded in the project
- <a href="https://www.mail-archive.com/xz-devel@tukaani.org/msg00562.html">by May 2022</a>, opened a few eyes, including
- mine.</p>
-
- <p>The advantage, to various flavors of malefactor, of subverting core pieces of Open-Source infrastructure, is
- incalculable. <b>#XZ</b> was the one we caught; how many have we missed?</p>
-
- <p id="p-7" class="p1"><span class="h2">What’s OSQI?</span> ·
- It’s an organization created by a national government. Obviously, more nations than one could have an OSQI.</p>
-
- <p>The vast majority of the staff would be relatively-senior
- software
- engineers, with a small percentage of paranoid nontechnical security people
- (see
- <a href="OSQI#p-21">below</a>). You could do a lot with as few as 250 people, and
- the burdened cost would be trivial for a substantial government.</p>
-
- <p>Since it is a matter of obvious fact that every company in the
- world with revenue of a billion or more is existentially dependent on Open Source, it would be reasonable to impose a levy of,
- say, 0.1% of revenue on all such companies, to help support this work. The money needn’t be a problem.</p>
-
- <p id="p-8" class="p1"><span class="h2">Structure</span> ·
- The selection of software packages that would get OSQI attention would be left to the organization, although there would be
- avenues for anyone to request coverage. The engineering organization could be relatively flat, most people giving individual
- attention to individual projects, then also ad-hoc teams forming for tool-building or crisis-handling when something like
- <b>#XZ</b> blows up.</p>
-
- <p id="p-10" class="p1"><span class="h2">Why would anyone work there?</span> ·
- The pay would be OK; less than you’d make at Google or Facebook, but a decent civil-service salary. There would be no
- suspicion that your employer is trying to enshittify anything; in fact, you’d start work in the morning confident that you’re
- trying to improve the world. The default work mode would be remote, so you could live somewhere a not-quite-Google salary would
- support a very comfortable way of life. There would be decent vacations and benefits and
- (<em>*gasp*</em>) a pension.</p>
-
- <p>And there is a certain class of person who would find everyday joy in peeking and poking and polishing
- Open-Source packages that are depended on by millions of programmers and (indirectly) billions of humans. A couple of decades
- ago I would have been one.</p>
-
- <p>I don’t think recruiting would be a problem.</p>
-
- <p>So, what are OSQI’s goals and non-goals?</p>
-
- <p id="p-11" class="p1"><span class="h2">Goal: Safety</span> ·
- This has to come first. If all OSQI accomplishes is the foiling of a few <b>#XZ</b>-flavor attacks, and life becoming harder
- for people making them, that’s just fine.</p>
-
- <p id="p-12" class="p1"><span class="h2">Goal: Tool-building</span> ·
- I think it’s now conventional wisdom that Open Source’s biggest attack surfaces are dependency networks and build
- tools. These are big and complex problems, but let’s be bold and set a high bar:</p>
-
- <blockquote><p>Open-Source software should be built deterministically, verifiably, and reproducibly, from signed source-code
- snapshots. These snapshots should be free of generated artifacts; every item in
- the snapshot should be human-written and human-readable.</p>
- </blockquote>
- <p>For example: As
- <a href="https://mastodon.social/@kornel">Kornel</a> said,
- <a href="https://mastodon.social/@kornel/112187783363254917">Seriously, in retrospect, #autotools itself is a massive
- supply-chain security risk.</a> No kidding! But then everyone says “What are you gonna do, it’s wired into everything.”</p>
-
- <p>There are alternatives; I know of
- <a href="https://cmake.org">CMake</a> and
- <a href="https://mesonbuild.com">Meson</a>. Are they good enough? I don’t know. Obviously, GNU AutoHell can’t be swept out of
- all of the fœtid crannies where it lurks and festers, but every project from which it is scrubbed will present less
- danger to the world.
- I believe OSQI would have the scope to make real progress on this front.</p>
-
- <p id="p-13" class="p1"><span class="h2">Non-goal: Features</span> ·
- OSQI should never invest engineering resources in adding cool features to Open-Source packages (with the possible exception
- of build-and-test tools). The Open-Source community is bursting with new-features energy, most coming from people who either
- want to scratch their own itch or are facing a real blockage at work. They are way better positioned to make those improvements
- than anyone at OSQI.</p>
-
- <p id="p-23" class="p1"><span class="h2">Goal: Maintenance</span> ·
- Way too many deep-infra packages grow increasingly unmaintained as people age and become busy and tired and sick and dead. As I
- was writing this, a
- <a href="https://github.com/libexpat/libexpat/blob/R_2_6_2/expat/Changes">plea for help</a> came across my radar from Sebastian
- Pipping, the excellent but unsupported and unfunded maintainer of
- <a href="https://github.com/libexpat/libexpat/tree/R_2_6_2">Expat</a>, the world’s most popular XML parser.</p>
-
- <p>And yeah, he’s part of a trend, one that notably included the now-infamous
- <a href="https://en.wikipedia.org/wiki/XZ_Utils">XZ-Utils</a> package.</p>
-
- <p>And so I think one useful task for OSQI would be taking over (ideally partial) maintenance duties for a lot of Open-Source projects
- that have a high ratio of adoption to support. In some cases it would have to take a lower-intensity form, let’s call it “life
- support”, where OSQI deals with vulnerability reports but flatly refuses to address any requests for features no matter how
- trivial, and rejects all PRs unless they come from someone who’s willing to take on part of the maintenance load.</p>
-
- <p>One benefit of having paid professionals doing this is that they will blow off the kind of social-engineering harassment that
- the <b>#XZ</b> attacker inflicted on the XZ-Utils maintainer (see
- <a href="https://research.swtch.com/xz-timeline">Russ Cox’s excellent timeline</a>) and which is unfortunately too common in the
- Open-Source world generally.</p>
-
- <p id="p-14" class="p1"><span class="h2">Goal: Benchmarking</span> ·
- Efficiency is an aspect of quality, and I think it would be perfectly reasonable for OSQI to engage in
- benchmarking and optimization. There’s a non-obvious reason for this: <b>#XZ</b> was unmasked when a Postgres specialist noticed
- performance problems.</p>
-
- <p>I think that in general, if you’re a bad person trying to backdoor an Open-Source package, it’s going to
- be hard to do without introducing performance glitches. I’ve
- <a href="/ongoing/When/202x/2021/05/15/Testing-in-2021#p-13">long advocated</a> that unit and/or integration tests should
- include a benchmark or two, just to avert well-intentioned performance regressions; if they handicap bad guys too, that’s a
- bonus.</p>
-
- <p id="p-15" class="p1"><span class="h2">Goal: Education and evangelism</span> ·
- OSQI staff will develop a deep shared pool of expertise in making Open-Source software safer and better, and
- specifically in detecting and repelling multiple attack flavors. They should share it! Blogs, conferences, whatever. It even
- occurred to me that it might make sense to structure OSQI as an educational institution; standalone or as a grad college of
- something existing.</p>
-
- <p>But what I’m talking about isn’t refereed JACM papers, but what my Dad, a Professor of Agriculture, called “Extension”:
- Bringing the results of research directly to practitioners.</p>
-
- <p id="p-16" class="p1"><span class="h2">Non-goal: Making standards</span> ·
- The world has enough standards organizations. I could see individual OSQI employees pitching in, though, at the IETF or IEEE
- or W3C or wherever, with work on Infosec standards.</p>
-
- <p>Which brings me to…</p>
-
- <p id="p-17" class="p1"><span class="h2">Non-goal: Litigation</span> ·
- Or really any other enforcement-related activity. OSQI exists to fix problems, build tools, and share lessons. This is going
- to be easier if nobody (except attackers) sees them as a threat, and if staff don’t have to think about how their work and
- findings will play out in court.</p>
-
- <p>And a related non-goal…</p>
-
- <p id="p-18" class="p1"><span class="h2">Non-goal: Licensing</span> ·
- The intersection between the class of people who’d make good OSQI engineers and those who care about Open-Source
- licenses is, thankfully, very small. I think OSQI should accept the license landscape that exists and work hard to avoid
- thinking about its theology.</p>
-
- <p id="p-19" class="p1"><span class="h2">Non-goal: Certification</span> ·
- Once OSQI exists, the notion of “OSQI-approved” might arise. But it’d be a mistake;
- OSQI should be an <em>engineering</em> organization; the cost (measured by required bureaucracy) to perform certification would
- be brutal.</p>
-
- <p id="p-20" class="p1"><span class="h2">Goal: Transparency</span> ·
- OSQI can’t afford to have any secrets, with the sole exception of freshly-discovered but still-undisclosed
- vulnerabilities. And when those vulnerabilities are disclosed, the story of their discovery and characterization needs to be
- shared entirely and completely. This feels like a bare-minimum basis for building the level of trust that will be
- required.</p>
-
- <p id="p-21" class="p1"><span class="h2">Necessary paranoia</span> ·
- I discussed above why OSQI might be a nice place to work. There will be a downside, though; you’ll lose a certain amount of
- privacy. Because if OSQI succeeds, it will become a super-high-value target for our adversaries. In the natural course of
- affairs, many employees would become committers on popular packages, increasing their attractiveness as targets for bribes or
- blackmail.</p>
-
- <p>I recall once, a very senior security leader at an Internet giant saying to me “We have thousands of engineers, and my job
- requires me to believe that at least one of them also has another employer.”</p>
-
- <p>So I think OSQI needs to employ a small number of paranoid traditional-security (not Infosec) experts to keep an eye on their
- colleagues, audit their finances, and just be generally suspicious. These people would also
- worry about OSQI’s physical and network security. Because attackers gonna attack.</p>
-
- <p id="p-22" class="p1"><span class="h2">Pronunciation</span> ·
- Rhymes with “bosky”, of course. Also, people who work there are OSQIans. I’ve grabbed “osqi.org” and will cheerfully donate it
- in the long-shot case that this idea gets traction.</p>
-
- <p id="p-24" class="p1"><span class="h2">Are you serious?</span> ·
- Yeah. Except for, I no longer speak with the voice of a powerful employer.</p>
-
- <p>Look: For
- better or for worse, Open Source won. <i>[Narrator: Obviously, for better.]</i> That means it has become crucial civilizational
- infrastucture, which governments should actively support and maintain, just like roads and dams and power grids.</p>
-
- <p>It’s not so much that OSQI, or something
- like it, is a good idea; it’s that <em>not</em> trying to achieve these goals, in 2024, is dangerous and insane.</p>
- </article>
-
-
- <hr>
-
- <footer>
- <p>
- <a href="/david/" title="Aller à l’accueil"><svg class="icon icon-home">
- <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-home"></use>
- </svg> Accueil</a> •
- <a href="/david/log/" title="Accès au flux RSS"><svg class="icon icon-rss2">
- <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-rss2"></use>
- </svg> Suivre</a> •
- <a href="http://larlet.com" title="Go to my English profile" data-instant><svg class="icon icon-user-tie">
- <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-user-tie"></use>
- </svg> Pro</a> •
- <a href="mailto:david%40larlet.fr" title="Envoyer un courriel"><svg class="icon icon-mail">
- <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-mail"></use>
- </svg> Email</a> •
- <abbr class="nowrap" title="Hébergeur : Alwaysdata, 62 rue Tiquetonne 75002 Paris, +33184162340"><svg class="icon icon-hammer2">
- <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-hammer2"></use>
- </svg> Légal</abbr>
- </p>
- <template id="theme-selector">
- <form>
- <fieldset>
- <legend><svg class="icon icon-brightness-contrast">
- <use xlink:href="/static/david/icons2/symbol-defs-2021-12.svg#icon-brightness-contrast"></use>
- </svg> Thème</legend>
- <label>
- <input type="radio" value="auto" name="chosen-color-scheme" checked> Auto
- </label>
- <label>
- <input type="radio" value="dark" name="chosen-color-scheme"> Foncé
- </label>
- <label>
- <input type="radio" value="light" name="chosen-color-scheme"> Clair
- </label>
- </fieldset>
- </form>
- </template>
- </footer>
- <script src="/static/david/js/instantpage-5.1.0.min.js" type="module"></script>
- <script>
- function loadThemeForm(templateName) {
- const themeSelectorTemplate = document.querySelector(templateName)
- const form = themeSelectorTemplate.content.firstElementChild
- themeSelectorTemplate.replaceWith(form)
-
- form.addEventListener('change', (e) => {
- const chosenColorScheme = e.target.value
- localStorage.setItem('theme', chosenColorScheme)
- toggleTheme(chosenColorScheme)
- })
-
- const selectedTheme = localStorage.getItem('theme')
- if (selectedTheme && selectedTheme !== 'undefined') {
- form.querySelector(`[value="${selectedTheme}"]`).checked = true
- }
- }
-
- const prefersColorSchemeDark = '(prefers-color-scheme: dark)'
- window.addEventListener('load', () => {
- let hasDarkRules = false
- for (const styleSheet of Array.from(document.styleSheets)) {
- let mediaRules = []
- for (const cssRule of styleSheet.cssRules) {
- if (cssRule.type !== CSSRule.MEDIA_RULE) {
- continue
- }
- // WARNING: Safari does not have/supports `conditionText`.
- if (cssRule.conditionText) {
- if (cssRule.conditionText !== prefersColorSchemeDark) {
- continue
- }
- } else {
- if (cssRule.cssText.startsWith(prefersColorSchemeDark)) {
- continue
- }
- }
- mediaRules = mediaRules.concat(Array.from(cssRule.cssRules))
- }
-
- // WARNING: do not try to insert a Rule to a styleSheet you are
- // currently iterating on, otherwise the browser will be stuck
- // in a infinite loop…
- for (const mediaRule of mediaRules) {
- styleSheet.insertRule(mediaRule.cssText)
- hasDarkRules = true
- }
- }
- if (hasDarkRules) {
- loadThemeForm('#theme-selector')
- }
- })
- </script>
- </body>
- </html>