A cloud company’s CTO argues that the “hypocrite commits” controversy “is symptomatic, on every side, of related trends that threaten the entire extended open-source ecosystem and its users.”

That ecosystem has long wrestled with problems of scale, complexity and free and open-source software’s (FOSS) increasingly critical importance to every kind of human undertaking. Let’s look at that complex of problems:

– The biggest open-source projects now present big targets.
– Their complexity and pace have grown beyond the scale where traditional “commons” approaches or even more evolved governance models can cope.
– They are evolving to commodify each other. For example, it’s becoming increasingly hard to state, categorically, whether “Linux” or “Kubernetes” should be treated as the “operating system” for distributed applications. For-profit organizations have taken note of this and have begun reorganizing around “full-stack” portfolios and narratives.
– In so doing, some for-profit organizations have begun distorting traditional patterns of FOSS participation. Many experiments are underway. Meanwhile, funding, headcount commitments to FOSS and other metrics seem in decline.
– OSS projects and ecosystems are adapting in diverse ways, sometimes making it difficult for for-profit organizations to feel at home or see benefit from participation.
Meanwhile, the threat landscape keeps evolving:

– Attackers are bigger, smarter, faster and more patient, leading to long games, supply-chain subversion and so on.
– Attacks are more financially, economically and politically profitable than ever.
– Users are more vulnerable, exposed to more vectors than ever before.
– The increasing use of public clouds creates new layers of technical and organizational monocultures that may enable and justify attacks.
– Complex commercial off-the-shelf solutions assembled partly or wholly from open-source software create elaborate attack surfaces whose components (and interactions) are accessible and well understood by bad actors.
– Software componentization enables new kinds of supply-chain attacks.
Meanwhile, all this is happening as organizations seek to shed nonstrategic expertise, shift capital expenditures to operating expenses and evolve to depend on cloud vendors and other entities to do the hard work of security. The net result is that projects of the scale and utter criticality of the Linux kernel aren’t prepared to contend with game-changing, hyperscale threat models.

Among other things, the article ultimately calls for a reevaluation of project governance/organization and funding “with an eye toward mitigating complete reliance on the human factor, as well as incentivizing for-profit companies to contribute their expertise and other resources.” (With whatever culture changes this may require.) It also suggests “simplifying the stack” (and verifying its components), while pushing “appropriate” responsibility for security up to the application layer.
Slashdot reader joshuark argues this would be not so much the end of Open Source as “more turning the page to the next chapter in open-source: the issues of contributing, reviewing, and integrating into an open-source code base.”