In today's world where everything gets hacked, conversations about security are what's truly important, especially to attract younger developers to open source.
Underlying the proliferating memes about the CrowdStrike update fail is a certain smugness that such things won't happen to you. Yes, it's true that Microsoft may be particularly susceptible to such things. As the US Cyber Safety Review Board has found, "Microsoft's security culture [is] inadequate and requires an overhaul," but let's not kid ourselves. Could something equally catastrophic happen in Linux land? Maybe not that exact issue, but Linux systems have been ripped open by supply chain attacks like Heartbleed repeatedly in the past. No, that doesn't make them bad, any more than the CrowdStrike issue makes Windows machines bad. This is just the world we live in. Everything breaks, and everything gets hacked.
Yes, we absolutely should try to avoid breaks and hacks, but real safety comes in how we respond when they happen. This is why open source and open technology, generally, have been such a boon. Not because open source is more secure or less prone to break, but because fixing it can be easier. Rather than dance on a Windows security breakdown, now is the time to refocus open source on the issues that matter most.
The bell tolls for thee
Open source software is not more secure than proprietary software. But the process for securing open source software arguably is. I've been saying so for decades, and lots of data supports the contention.
Yet even here, the process only works if people follow it. There's a reason supply chain attacks succeed: Even when a fix for a bug is available, we stink at applying the patches. It's been 10 years since Heartbleed hit, and there are still tens of thousands of systems that remain vulnerable. Why? Well, it's non-trivial to effectively inventory enterprise systems, and patching older systems can be complicated.
At an industry level, we can't really resolve these issues, as they're specific to each enterprise. However, there are things we can do. The Open Source Security Foundation (OpenSSF) has taken up the challenge to both improve the security posture of open code while also training people on the process of security. This is excellent. For me, it's one of the most important things that the Linux Foundation, which is the ultimate home for OpenSSF, does.
I'd also point out that this is what open source communities should emphasize, generally. We have a graying open source community, as Steven J. Vaughan-Nichols writes. "If we're going to change the world for good with open source, we need to grab the attention of people who haven't turned 30 yet," he argues. He's not wrong.
Changing the conversation
I'd hazard a guess that one reason open source remains largely an older developer's game is the insistent gatekeeping on the "right way" to open source. They grew up on a steady diet of the Open Source Definition, and persist in fixating on the wrong open source issues. The biggest concern isn't companies relicensing their software (disclosure: my company did just that in 2019). It's security.
The younger GitHub generation of coders has never shown the same concern for open source licensing, something first observed by RedMonk's James Governor in 2013, as he dubbed this group the "post open source generation." They are open, yes, but not pedantic about the underlying licenses (sometimes to a fault, because it's not as if GitHub repositories without a license are somehow public domain; that's not how copyright works).
Given how critical open software is for security, that's where we should focus our attention. In other words, yes, open source and open technology matter, but not for the reasons we sometimes suggest. Rather than doing our best impressions of Dana Carvey's Grumpy Old Man skit on open source definitions, we should put that energy into talking about the process for securing software and how open source helps. This will be much more interesting and relevant to younger developers, who have grown up in the "everything will break; everything will be hacked" era, than tedious discussions about licensing.