Linux Foundation’s trust scorecards aim to battle rising open-source security threats

Open-source code has become a malware vector. For example, by the closest of shaves, an open-source developer discovered that Jia Tan, a chief programmer and maintainer of the Linux xz data compression library, was also a hacker who’d put a backdoor in the code to enable attackers to take over Linux systems. One of the root problems? No one knew who Tan was. We still don’t know.
Jim Zemlin, the Linux Foundation’s executive director, addressed this fundamental problem of developer identity at the Linux Foundation Members Summit in Napa, CA. Zemlin opened his talk by saying: “Open source is now a fundamental building block of all modern computing, and hackers are paying attention. In addition, we’ve seen a whole bunch of new regulations around open source, such as the European Union’s Cyber Resilience Act (CRA). The day when open-source software had minimal scrutiny is probably winding to a close.”
Making matters even more complicated, we live in a time when “geopolitical tension, the rise of techno-nationalism, is happening. The Linux Foundation, however, wants to preserve our ability for anybody to participate in open source from anywhere on Earth.”
That aim is easier said than done. Zemlin emphasized that while security is crucial, trust is equally important. Trust involves not just ensuring that software is secure but also verifying the identities and intentions of contributors.
To address these challenges, Zemlin proposed developing a decentralized trust system, including a “trust scorecard” similar to the existing Open Source Software Foundation (OpenSSF) Scorecards. This system would help users assess the trustworthiness of open-source projects based on factors like contributor verification and project history.
In such a system, people would need to earn levels of trust before they could rise to the position of maintaining a major project. Factors that could go into this rating include proof of identity, project contribution history, code quality, security history, and community reputation.
So, for example, if such a trust system compared Tan to Greg Kroah-Hartman, the well-known maintainer of the stable Linux kernel, we'd see that Tan would barely make it to level 1 and wouldn't have been trusted with anything, while Kroah-Hartman has a perfect score.
To build such a system, the Linux Foundation is exploring the First Person Project, which aims to establish a decentralized credentialing system using blockchain technology. This system would allow contributors to verify their identities while preserving anonymity.
The project maintainers would set trust policies. For example, they could ensure their contributors meet specific criteria, such as verified employment or attendance at industry events.
One group, the Linux kernel maintainers, already uses a system of this kind. Since a Linux code repository security breach in 2011, the kernel developers have used a Pretty Good Privacy (PGP) signing system to ensure that any new code comes from a known programmer.
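The check that such a signing system rests on is simple to state: a commit is accepted only if its signature verifies and the signing key belongs to a known maintainer. The script below is an added example, not code from the article or from the kernel project's own tooling. It consumes the per-commit signature fields that git can emit (`%G?` status, `%GF` key fingerprint, `%GS` signer name) and applies an allowlist policy; the commit hashes, fingerprints and names in it are constructed for illustration.

```python
"""Known-signer policy check over git commit signature data.

Added example, not part of the article or the kernel project's tooling.
git can report, per commit, the signature status (%G?), the signing-key
fingerprint (%GF) and the signer name (%GS). A CI gate could run

    git log --format='%H%x09%G?%x09%GF%x09%GS' origin/main..HEAD

and pass the output to audit_commits() below, which accepts a commit only
when the signature verifies AND the key is on the maintainer allowlist.
All hashes, fingerprints and names here are constructed for illustration.
"""
from dataclasses import dataclass

# Signature status codes produced by git's %G? placeholder (git-log(1)).
STATUS_TEXT = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, key of unknown validity",
    "X": "good signature, but expired",
    "Y": "good signature, but key expired",
    "R": "good signature, but key revoked",
    "E": "signature cannot be checked (missing key or error)",
    "N": "no signature",
}
VERIFIED = {"G", "U"}  # cryptographically valid; trust is decided by the allowlist

# Constructed allowlist: fingerprints of keys the project has vetted out of band.
MAINTAINER_KEYS = {
    "0123456789ABCDEF0123456789ABCDEF01234567": "Alice Maintainer",
    "FEDCBA9876543210FEDCBA9876543210FEDCBA98": "Bob Maintainer",
}


@dataclass
class Finding:
    commit: str
    status: str
    fingerprint: str
    signer: str
    accepted: bool
    reason: str


def check_commit(commit, status, fingerprint, signer, allowlist=MAINTAINER_KEYS):
    """Decide whether one commit may enter the tree, and say why."""
    short = commit[:12]
    label = STATUS_TEXT.get(status, "unknown status code %r" % status)
    if status not in VERIFIED:
        return Finding(commit, status, fingerprint, signer, False,
                       "%s: rejected, %s" % (short, label))
    owner = allowlist.get(fingerprint.upper())
    if owner is None:
        # A valid signature proves possession of *a* key, not that the key
        # belongs to a maintainer; identity still has to be vetted separately.
        return Finding(commit, status, fingerprint, signer, False,
                       "%s: rejected, %s from key %s not in allowlist"
                       % (short, label, fingerprint or "<none>"))
    return Finding(commit, status, fingerprint, signer, True,
                   "%s: accepted, %s by %s" % (short, label, owner))


def parse_log(text):
    """Parse lines of 'hash<TAB>status<TAB>fingerprint<TAB>signer'."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t", 3)
        parts += [""] * (4 - len(parts))  # unsigned commits leave %GF/%GS empty
        rows.append(tuple(parts))
    return rows


def audit_commits(text, allowlist=MAINTAINER_KEYS):
    """Run the policy over every commit line and return one Finding each."""
    return [check_commit(*row, allowlist=allowlist) for row in parse_log(text)]


def all_accepted(findings):
    """True only if every commit in the range passed the policy."""
    return all(f.accepted for f in findings)


# Constructed sample output, shaped like the git log format above.
SAMPLE_LOG = "\n".join([
    "1111111111111111111111111111111111111111\tG\t0123456789ABCDEF0123456789ABCDEF01234567\tAlice Maintainer <alice@example.org>",
    "2222222222222222222222222222222222222222\tU\tFEDCBA9876543210FEDCBA9876543210FEDCBA98\tBob Maintainer <bob@example.org>",
    "3333333333333333333333333333333333333333\tG\tDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF\tNew Contributor <nc@example.net>",
    "4444444444444444444444444444444444444444\tN\t\t",
    "5555555555555555555555555555555555555555\tB\t0123456789ABCDEF0123456789ABCDEF01234567\tAlice Maintainer <alice@example.org>",
])

if __name__ == "__main__":
    results = audit_commits(SAMPLE_LOG)
    for f in results:
        print(f.reason)
    raise SystemExit(0 if all_accepted(results) else 1)
```

The third sample commit is the instructive one: its signature is cryptographically good, yet it is rejected because the key is not on the allowlist. Signing alone establishes that someone holds a key; deciding which keys count as "a known programmer" is the separate, out-of-band trust step the article is about.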
However, this system doesn’t work that well. As Kroah-Hartman told me at the Members Summit, forget about scaling this “ring of trust. We hate it, and it’s miserable. But it’s what we got.” So, Kroah-Hartman and Linux creator Linus Torvalds would entertain using a different system. However, any such system must have “low friction” so it’s easy to onboard new people.
To make this happen, Zemlin called for collaboration from large enterprises and open-source communities to develop and implement these trust mechanisms. The goal is to preserve the permissionless entry that defines open source while enhancing trust and security in a regulated era. This effort involves working with organizations like the Trust over IP Foundation and the OpenWallet Foundation to create scalable, privacy-conscious approaches.