Companies are concerned with open source security, why devs may need to ditch GitHub & more: Open Source Matters

Welcome to the August 2022 edition of Open Source Matters: our regular publication about the latest happenings in open source! Let’s dive into the news.

Report: Just 24% of organizations have confidence in the security of their open source software

The Linux Foundation is back with yet another insightful report. This time, they partnered with Snyk to publish Addressing Cybersecurity Challenges in Open Source Software, which includes new research and the results of a survey of open source maintainers and contributors, developers of proprietary software, and individuals who focus on supply chain security.

The report centers around the confidence organizations have in the security of the open source software they use. According to the report, only 24% of respondents say they are confident in the security of their direct dependencies. This response is concerning because, according to their research, the average project has more than 68 direct dependencies. This number nearly triples for languages like JavaScript, which tends to focus on smaller libraries that serve a single purpose. Their analysis also discovered that the average software project has more than five critical security vulnerabilities and that the overall number of vulnerabilities in projects of all severities varied quite a bit depending on the language a project is written in.

It’s not all bad news, though. The study also showed that it’s common practice for developers to monitor industry vulnerability notifications and to use automated monitoring for known vulnerabilities. The survey also shows that developers are taking a broad range of approaches to handle security concerns, including incorporating security scans into their continuous integration tooling, using static code and software composition analysis tools, and monitoring public vulnerability databases.

Check out the Linux Foundation’s report to learn more.

Software Freedom Conservancy: Devs need to ditch GitHub

The Software Freedom Conservancy (SFC) is calling on all open source developers to abandon GitHub and move to open source alternatives. In a scathing blog post on the SFC site, they listed major concerns with GitHub’s use of open source code to train the machine learning models behind their Copilot software.

Copilot is a product that GitHub markets as an AI pair programmer that makes automatic code recommendations based on the code and comments developers write. GitHub used open source code hosted on its platform, among other things, to train its recommendation models. Despite this, the company recently stopped offering Copilot as a free service. Now, they charge users a monthly fee — a move considered controversial in the open source community since it’s viewed as a way for GitHub to profit off the hard work of open source developers.

Meanwhile, the SFC claims to have made multiple attempts to get answers about what data GitHub uses to train these models and to clarify its policies about intellectual property hosted on the platform. After months without a satisfactory answer, the SFC has launched giveupgithub.org, where they provide information and resources to help developers leave GitHub for open source platforms like GitLab, Gitea, and Codeberg.

Whether or not your opinion is as strong as the SFC’s, if you’ve thought about trying alternatives to GitHub, go check out Give Up GitHub to learn more.

In response to the open source community, Microsoft remedies a mistake

Recently, Microsoft made and then reversed a controversial decision that affected developers who publish software to the Microsoft App Store. Back in June, Microsoft quietly updated its Microsoft App Store policies to state that apps may not attempt to profit from open source or other software that is otherwise generally available for free.

Giorgio Sardo, general manager for the Microsoft App Store, stated on Twitter that Microsoft intended to protect customers from misleading listings. It seems they may have had issues with publishers who repackage open source projects they have no association with into paid products — presumably to trick unsuspecting users.

However, many people expressed concern on social media that this would also affect open source communities that monetize their Windows applications to provide financial support to the development team. This policy change would negatively impact projects like Krita and Shotcut, two open source projects that do exactly that.

After a brief delay in enforcement, Microsoft reversed this decision and removed the controversial language from the app store policy in mid-July. Sardo returned to Twitter to inform the community that Microsoft is committed to enabling open source developers to publish their work to the Microsoft App Store. He advised people with concerns about intellectual property abuse to report them via their IP infringement portal. 

While many people have problems with Microsoft because of past transgressions, this decision is an excellent example of the developer community being vigilant at holding organizations accountable — and the organization responding with a solution that accounts for the needs of their developer community. Everyone makes mistakes, and it’s nice to see an organization like Microsoft making up for its own.

Open source projects we’re watching

  • AlmaLinux Build System – The Linux distro best known for having the fastest build system this side of CentOS has published that very same build system as an open source project. This system lets anyone replicate their build process, providing a totally open source competitor to Red Hat Enterprise Linux.
  • Peridot – Following the lead of the previous project, Rocky Linux has also published its own build system under the Peridot moniker, adding heat to the competition in the space downstream of CentOS.
  • Pulsar – This runtime observability tool for IoT devices is worth checking out.
  • AI Reference Kits – Intel recently released a set of open source implementations of AI models for specific use cases, including a conversational chatbot, visual quality control, document digitization, and asset health prediction.

Want more news about open source? Subscribe to The Build, a newsletter for software engineers dedicated to sharing useful technical content on effective development and collaboration techniques.


Ben Lloyd Pearson is the Director of Developer Marketing for Mattermost. He is a technology generalist who focuses his broad understanding to grow and engage developer audiences through digital media, open source advocacy, and events strategy and operations.