Slashdot Mirror


Linux Foundation Project Will Evaluate Security of Open Source Software

An anonymous reader writes: The Core Infrastructure Initiative (CII), a project managed by The Linux Foundation, is developing a new free Badge Program, seeking input from the open source community on the criteria to be used to determine the security, quality and stability of open source software. The first draft of the criteria is available on GitHub; the effort is spearheaded by David A. Wheeler, an open source and security research expert who works for the Institute for Defense Analyses and is also coordinating the CII's Census Project, and Dan Kohn, a senior adviser on the CII.

3 of 37 comments

  1. Just one request... by Penguinisto · Score: 4, Interesting

    Please, please, PLEASE do not let this thing get morphed into Yet Another Certification Program.

    Considering the expense and the mind-chewing bureaucratic colonoscopy that PCI (and similar) usually requires, I'd hate to see something similar have to happen to OSS dev projects - they can't afford that shit (either in time, attention, or money).

    If you're truly going to do it? Advise, not dictate. Not all OSS projects have big-name sponsors and gobs of money, so make it a service to the smaller ones if you can.

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  2. short self-assess. Bug tracker, git, test suite by raymorris · Score: 2

    The current proposal involves a short self-assessment questionnaire and an automated script which checks a few things. The current (very early) draft of possible criteria is here:

    https://github.com/linuxfounda...

    Major items include a bug tracker (with responses to security bugs), source control, and peer review. These are all standard best practices which improve software quality.

        If you have a one-person project and can't get someone else to review your commits, that's okay. You can keep doing what you're doing. However, your software also can't be expected to be as reliable and secure as something like Moodle, in which AT LEAST three people review all changes. Therefore Moodle would be able to use the badge and you wouldn't, until you got another person to look at your changes. Having some criteria for the badge actually makes it more useful for small projects because you can choose to use libraries which are badged and have some indication that they're somewhat reliable and secure.

    The one pair of proposed criteria that isn't already done by most projects is use of a static analysis tool and a dynamic analysis tool. There are free, open source tools available, and using them does reduce bugs and improve performance. Using them would be a change for many developers, but probably in the long term it'll save you more time than it costs.

  3. Re:Every public venue is amateur hour ... by MacDork · Score: 2

    Every public distribution channel is amateur hour, open source or commercial.

    This. If the download is compromised, it doesn't matter how secure the source is. Maybe what you thought was Xcode is actually a CIA rootkit.

    Why is there no gpg signature on Eclipse.org downloads? Why are the jars in the eclipse executable even signed if the signatures are not verified by default in Eclipse? Why does the Oracle Java 8 ppa:webupd8team for Ubuntu download and install from http sources just after I typed in sudo?
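
The distribution-channel problem MacDork raises (unsigned downloads, installers pulling from plain http right after sudo) is what a verified-download gate addresses. The script below is an added example, not code from the thread or from any of the projects named in it: it refuses non-https sources, pins the archive's SHA-256, and verifies a detached GPG signature against a keyring holding only the publisher's key, before anything is run as root. The URL, file names, hash value and keyring path are placeholders, not a real release.

```shell
#!/bin/sh
# Added example (not from the thread): gate an installer download on three
# checks before anything runs as root.
#   1. the source URL must be https (plain http can be swapped in transit)
#   2. the archive's SHA-256 must match a value pinned in this script
#   3. a detached GPG signature must verify against a dedicated keyring that
#      holds only the publisher's key, not the user's default keyring
# The URL, hash and keyring path are placeholders, not a real release.

RELEASE_URL="https://example.invalid/releases/tool-1.2.3.tar.gz"   # assumed URL
PINNED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"  # placeholder
PUBLISHER_KEYRING="${HOME}/.local/share/tool-publisher.gpg"  # assumed path

# Return 0 only for https:// URLs; anything else (http, ftp, a local path) is refused.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-https source: $1" >&2; return 1 ;;
    esac
}

# Compare a file's SHA-256 with the pinned value. A catch-all mismatch message is
# fine here: the hash is public, so there is nothing to leak.
check_sha256() {
    f="$1"; want="$2"
    got=$(sha256sum "$f" | cut -d' ' -f1)
    [ "$got" = "$want" ] || {
        echo "sha256 mismatch for $f: got $got, expected $want" >&2
        return 1
    }
}

# Verify a detached signature using only the publisher keyring.
# --no-default-keyring means a key the user trusts for something unrelated
# cannot vouch for this release.
check_signature() {
    f="$1"; sig="$2"; keyring="$3"
    gpg --no-default-keyring --keyring "$keyring" --verify "$sig" "$f" 2>/dev/null || {
        echo "signature verification failed for $f" >&2
        return 1
    }
}

# Fetch archive and signature, then run all three checks; 0 only if every one passes.
# curl is told to speak nothing but https, so a redirect to http also fails.
fetch_and_verify() {
    url="$1"; want="$2"; keyring="$3"; dest="$4"
    require_https "$url" || return 1
    curl --fail --proto '=https' --tlsv1.2 -sSL -o "$dest" "$url" || return 1
    curl --fail --proto '=https' --tlsv1.2 -sSL -o "$dest.asc" "$url.asc" || return 1
    check_sha256 "$dest" "$want" || return 1
    check_signature "$dest" "$dest.asc" "$keyring" || return 1
}

# Usage: sudo only touches a file that has already passed every check.
# fetch_and_verify "$RELEASE_URL" "$PINNED_SHA256" "$PUBLISHER_KEYRING" /tmp/tool.tar.gz \
#   && sudo tar -C /opt -xzf /tmp/tool.tar.gz
```

The order matters: the URL check runs before any network traffic, the hash check runs before gpg is invoked, and the privileged step only sees the archive once everything has passed. Pinning the hash in the script catches a replaced download even when the attacker also controls the signature file's download location, as long as the script itself came through a trusted path.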