GitHub improves supply chain security, EFF takes on U.S. Treasury Department & more: Open Source Matters

Welcome to the Fall 2022 edition of Open Source Matters: our regular publication about the latest happenings in open source! Let’s dive into the news.

GitHub improves supply chain security with Sigstore

GitHub is back with more improvements to help open source developers improve supply chain security. They’re rolling out Sigstore as an option for all projects that publish packages to the npm repository.

In case you’re unfamiliar, Sigstore is a project from OpenSSF that makes it easier for developers to cryptographically sign software packages, so that users can validate that the software they downloaded via their package manager matches the source code in the software’s repository.

This validation was previously challenging to build because it required developers to register and manage cryptographic keys that often had long lifespans. Sigstore lowers the barrier to entry for developers who want to guarantee the safety of the packages they publish. This project is an immensely positive step in the right direction to help open source developers everywhere.

GitHub seeks developer feedback on this change before it’s completely rolled out to all users. If you have opinions about software security relevant to Sigstore and npm, head over to the GitHub issue for the RFC and add your input.

EFF clashes with U.S. Treasury Department over blockchain sanctions

In a story that may have major legal implications for open source software, the EFF is facing off against the U.S. Department of the Treasury over sanctions against Tornado Cash.

In early August, the Office of Foreign Assets Control put Tornado Cash on the Specially Designated Nationals sanction list, claiming that more than $7 billion has been laundered through the network by multiple nefarious organizations around the world. Tornado Cash is a blockchain and cryptocurrency used to obscure the source of money sent through the network.

The problem is that the announcement refers to three separate names: Tornado Cash, Tornado Cash Classic, and Tornado Cash Nova. The latter two refer to GitHub repositories, making it unclear what exactly is being restricted.

Given the lack of clarity in the definitions, GitHub decided to play it safe and removed all Tornado Cash repositories from their platform, a decision with which the EFF disagrees. The EFF is basing its argument on Bernstein v. U.S. Department of State, a 1996 court case that established that source code is protected as free speech. They believe that the actions of the Treasury Department and GitHub could have a chilling effect on the publication of open source code.

As a response, they’ve teamed up with Matthew Green, a computer science professor at Johns Hopkins Information Security Institute, to publish the code and mount a legal defense against the Treasury Department.

Head over to the EFF site to learn more about the situation or to support their efforts to protect open source software.

FOSS Force aims to promote open source around the world

FOSS Force has launched a new initiative to promote open source events worldwide. In a post to their blog, the group describes a problem they’ve faced: only learning about open source events after the event was already underway.

To solve this problem, FOSS Force published a new event calendar highlighting any and all meetups, conferences, user groups, and other events of all sizes that would interest open source developers.

Itemizing all these events is a monumental task, so they’re asking the public to submit events to include in the calendar. If you have any events that you think should be on this list, head to the FOSS Force website to fill out their submission form.

Alma Linux looks to increase its community’s influence

Our good friends over at Alma Linux have announced a new election to increase the influence its community has over the project’s direction. Alma Linux is a Red Hat Enterprise Linux clone launched in response to changes the CentOS community made in late 2020.

In the project’s early days, the Alma Linux board of directors consisted of a small, influential group of people. Now that they’ve grown considerably in the past two years, they’re looking to increase the amount of influence the community has over the project.

To that end, they’ve announced an election for a new board of directors in September. If you want to help determine the future of this project, head over to their election wiki page that has all the information.

Open Source Projects We’re Watching

  • Motionity – A web-based motion graphics editor alternative to After Effects and Canva.
  • snoopForms – A tool that lets you build multi-page forms via React or a built-in no-code builder.
  • Hanko – A passwordless user authentication system.
  • Jazzer.js – A fuzzing tool for Node.js that’s based on libFuzzer.
  • Fluent Emoji – A collection of 3D emojis from Microsoft.
  • AdGuard DNS – Privacy protection against trackers and ads from AdGuard.
  • Velox – A database acceleration library for high-performance data processing from Meta.
  • Pyrsia – A decentralized package network for Docker image validation.
  • Bloom – An educational stock market simulation game.

Want more news about open source? Subscribe to The Build, a newsletter for software engineers dedicated to sharing useful technical content on effective development and collaboration techniques.

Ben Lloyd Pearson is the Director of Developer Marketing for Mattermost. He is a technology generalist who focuses his broad understanding to grow and engage developer audiences through digital media, open source advocacy, and events strategy and operations.