[HN Gopher] 'Securing Open Source Software Act' introduced to US...
___________________________________________________________________
'Securing Open Source Software Act' introduced to US Senate
Author : di
Score : 76 points
Date : 2022-09-23 19:44 UTC (3 hours ago)
(HTM) web link (www.hsgac.senate.gov)
(TXT) w3m dump (www.hsgac.senate.gov)
| ananonymoususer wrote:
| Seems like they are taking the right approach. Instead of trying
| to regulate OSS, they're funding CISA to help make it more
| secure.
| beambot wrote:
| What will the CISA actually do?
| mistrial9 wrote:
| get funded
| smm11 wrote:
| "This led top cybersecurity experts to call it one of the most
| severe and widespread cybersecurity vulnerabilities ever seen."
|
| Apparently they never changed one character in a query string in
| the late-90s.
| peteforde wrote:
| Reading the comments so far, I'm genuinely surprised that more
| folks haven't applied a "follow the money" lens to their
| analysis.
|
| To me, it reads as a bald-faced attempt to discourage public
| sector entities from using OSS solutions, when in fact there are
| perfectly good and definitely >100% secure proprietary offerings
| that cost a reasonable amount when purchased from the sorts of
| vendors that pay lobbyists to "help" senators write OSS bills.
|
| Do you honestly think Rob fucking Portman woke up one day with
| strong opinions about FOSS?
|
| Make no mistake: this is a thinly veiled late-stage attempt to
| displace the growing dominance of OSS-based solutions to the
| sorts of problems that the government and military used to pay 8
| and 9 figures a year to EDS to solve.
|
| An actual, good-faith bill that seeks to address these issues
| would attempt to incentivize/punish orgs that use FOSS without
| making meaningful contributions to it.
| kube-system wrote:
| They're trying to destroy FOSS ...by hiring FOSS developers?
|
| I don't buy it. More like, log4j was an actual real big issue
| for government agencies because they rely on tons of open
| source projects and haven't previously done much to make sure
| that that supply chain is robust. This would help to change
| that.
|
| Federal contractors don't need to sell proprietary software to
| make money -- they make more money selling FOSS software.
| throwbigdata wrote:
| More or less of a big issue than the revolving door of
| Microsoft bugs?
| buscoquadnary wrote:
| For those curious about what it actually is:
|
| > The Securing Open Source Software Act would direct CISA to
| develop a risk framework to evaluate how open source code is used
| by the federal government. CISA would also evaluate how the same
| framework could be voluntarily used by critical infrastructure
| owners and operators. This will identify ways to mitigate risks
| in systems that use open source software. The legislation also
| requires CISA to hire professionals with experience developing
| open source software to ensure that government and the community
| work hand-in-hand and are prepared to address incidents like the
| Log4j vulnerability. Additionally, the legislation requires the
| Office of Management and Budget (OMB) to issue guidance to
| federal agencies on the secure usage of open source software and
| establishes a software security subcommittee on the CISA
| Cybersecurity Advisory Committee.
|
| So basically just another framework to evaluate risk for use by
| the Federal Government. A nothing burger as it were. Which I am
| on one hand glad about, because I don't like the government
| starting to get involved in Open Source which is at its core
| "Here's some code I wrote or whatever", but it also isn't doing
| anything for security.
| nimbius wrote:
| The legislation seems a little pointlessly broad. "Open source"
| is just software at the end of the day so it can easily be
| covered by existing STIG guidelines. These already work with
| Ubuntu and Redhat.
|
| https://en.wikipedia.org/wiki/Security_Technical_Implementat...
|
| Open source doesn't need a special response process, and the
| only reason you'd want one is if you're old guard like Symantec,
| F5, VMWare, or Veritas and starting to become alarmed at the
| amount of business you're losing to open source now that
| "devops" is starting to catch on and a recession is in effect.
| sullivanmatt wrote:
| Not a complete nothing burger; a lot of people here work for
| companies that sell to the Feds or host FedRAMP-authorized SaaS
| solutions. There will definitely be private-sector impact from
| that risk framework, though I'm not saying that's necessarily a
| good or a bad thing.
| 9wzYQbTYsAIc wrote:
| Additionally,
|
| "The legislation also requires CISA to hire professionals
| with experience developing open source software to ensure
| that government and the community work hand-in-hand and are
| prepared to address incidents like the Log4j vulnerability."
|
| So we should definitely expect at least some minute changes
| to the open source economy, itself.
| dimitrios1 wrote:
| This is the worst part. "Experience developing open source
| software" is both entirely vague and specific at the same
| time, likely conjuring up an image of some developer with
| green boxes on a GitHub repo or something, which is
| terrible. This is going to force the creation of some sort
| of silly criteria for what constitutes that experience, of
| which suits in federal agencies, and the political pressure
| and politicians they are behest to, will likely have no
| concept of less-popular open source communities, which will
| detract from the ethos of open source and ultimately, and
| more importantly, freedom.
| tazjin wrote:
| Anyone owning at least three Hacktoberfest t-shirts
| qualifies.
| RobotToaster wrote:
| It _sounds_ innocuous enough, but could the real motivation be
| to make open source software so expensive to use that all
| government agencies "choose" to use closed source software?
|
| (This is a genuine question, I'm honestly not sure what the
| consequences, intended or otherwise, could be?)
| thomaslangston wrote:
| Nah. You'd just need to use the old versions that had gone
| through a security audit and had some enterprise level Long
| Term Support contracts available.
|
| IBM will offer quotes for whatever is required within 2
| quarters or less.
| failrate wrote:
| "Oh, great, more STIGs." How about they take some millions and
| PAY THE OSS PROJECTS?
| amatwl wrote:
| In my experience, the hesitancy to contribute/ pay open
| source projects comes more from the contractors versus the
| government.
| slaymaker1907 wrote:
| It sounds extremely similar to the executive order from Biden
| last year. For what it's worth, I think some parts of that are
| valuable such as producing a bill of materials for all the
| software that gets shipped. That way figuring out if some
| product uses a vulnerable version of log4j is very simple and
| independent of particular programming languages.
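The check the comment above describes, as an added example that is not part of the thread: a small scanner over a CycloneDX-style SBOM that matches log4j-core components by package URL (purl), so the same logic works regardless of what language the product itself is written in. The embedded SBOM is constructed, and the affected range is an illustrative placeholder rather than the authoritative bounds from the vendor advisory.

```python
"""Find log4j-core components inside an affected version range in a
CycloneDX-style SBOM. Constructed example; sample data is invented."""
import json
import re
from typing import List, Optional, Tuple

# Constructed sample SBOM in CycloneDX JSON layout (components only).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.17.1"},
        {"type": "library",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta8"},
        {"type": "library", "purl": "pkg:pypi/requests@2.28.1"},
    ],
})

# Illustrative affected range [low, high); take the real bounds from the
# vendor advisory for the vulnerability you are actually hunting.
AFFECTED_RANGE = ("2.0-beta9", "2.17.1")

# purl grammar: pkg:type/namespace/name@version (namespace is optional).
PURL_RE = re.compile(
    r"^pkg:(?P<type>[^/]+)/(?:(?P<namespace>.+)/)?"
    r"(?P<name>[^@/?#]+)@(?P<version>[^?#]+)")


def parse_version(text: str) -> Tuple[Tuple[int, ...], int, str]:
    """Order Maven-style versions: numeric parts first; a pre-release tag
    such as '2.0-beta9' sorts before the final release '2.0'."""
    base, _, pre = text.partition("-")
    numbers = tuple(int(p) if p.isdigit() else 0 for p in base.split("."))
    numbers += (0,) * (3 - len(numbers))  # treat 2.0 as 2.0.0
    return (numbers, 1 if pre == "" else 0, pre)


def component_coords(component: dict) -> Optional[Tuple[str, str, str]]:
    """Return (namespace, name, version), preferring the purl when present
    and falling back to the group/name/version fields."""
    purl = component.get("purl")
    if purl:
        m = PURL_RE.match(purl)
        if m:
            return (m.group("namespace") or "", m.group("name"),
                    m.group("version"))
    if component.get("name") and component.get("version"):
        return (component.get("group", ""), component["name"],
                component["version"])
    return None


def find_affected_log4j(sbom_json: str, affected=AFFECTED_RANGE) -> List[str]:
    """Return 'name@version' for each log4j-core component in the range."""
    low, high = (parse_version(v) for v in affected)
    hits = []
    for component in json.loads(sbom_json).get("components", []):
        coords = component_coords(component)
        if coords is None:
            continue
        namespace, name, version = coords
        if namespace != "org.apache.logging.log4j" or name != "log4j-core":
            continue  # log4j-api and unrelated packages are not the target
        if low <= parse_version(version) < high:
            hits.append(f"{name}@{version}")
    return hits


if __name__ == "__main__":
    for hit in find_affected_log4j(SAMPLE_SBOM):
        print("affected:", hit)
```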
| yazzku wrote:
| So will they help fund the projects now, or will they just
| express their opinions on how your unpaid work should be done?
| 9wzYQbTYsAIc wrote:
| There is this little nugget:
|
| "The legislation also requires CISA to hire professionals with
| experience developing open source software to ensure that
| government and the community work hand-in-hand and are prepared
| to address incidents like the Log4j vulnerability."
| rtev wrote:
| That's really the question, isn't it? The article makes it
| sound like hiring "open source devs" may be part of the
| strategy, which essentially amounts to anyone with a public
| GitHub repo.
| adastra22 wrote:
| No the people hired will be IBM consultants and such with
| long lists of meaningless qualifications and no GitHub
| profile.
| verisimilitudes wrote:
| _No the people hired will be IBM consultants and such with
| long lists of meaningless qualifications and no MicroSoft
| profile._
| Schroedingersat wrote:
| Don't worry about it. It's just code for 'government
| departments only get to use software from giant corps with well
| known and unpatched bugs now'.
| RobotToaster wrote:
| Do licenses like the GPL even apply to TLAs like the NSA and
| CIA? Or could they just make patches for themselves and not
| release them?
| Rebelgecko wrote:
| Anyone can make open source code changes and be license
| compliant as long as you don't release the binary (YMMV
| depending on specific license). However as soon as you give
| someone binaries they're entitled to request the source. I'd
| love to see a future with goofy situations like Iran suing
| for the stuxnet source code because it statically linked a
| GPL library.
| xxpor wrote:
| where it gets really goofy is the US gov work doesn't have
| copyright itself, so wouldn't any work done by them be PD,
| regardless of the underlying license?
| kmeisthax wrote:
| My gut feeling is no, because the work is still a
| derivative work of a privately-owned copyrighted work,
| and private copyright does not dissolve when the
| government touches it. If you could separate the
| governments' code from the GPL code, then it would be
| automatically public domain, but the combination is still
| GPL.
|
| However I'm not aware of any case law proving this.
| not2b wrote:
| If they extend an existing GPL work, the work as a whole
| is GPL, even if their added code is PD.
| SllX wrote:
| My first instinct is that sovereign immunity applies. GPL
| is a license designed to protect the copyrights of the
| creator or copyright owner, but copyright itself is a
| privilege granted by the Federal government and protected
| by law. So if you sued them for violating the GPL, I'm
| fairly certain they could just claim sovereign immunity in
| court.
| Cyberdog wrote:
| When government agencies behave within the law, it is by
| coincidence, if not an accident which will soon be rectified.
| m463 wrote:
| Might depend on whether copyright applies to the agencies,
| since the GPL depends on copyright itself.
| kmeisthax wrote:
| Yes. The US federal government has voluntarily relinquished
| their sovereign immunity and they can and often do get sued
| for copyright violations. Of course, given that the NSA/CIA
| have the luxury of classification, the resulting lawsuit will
| be even more complicated than a normal copyright lawsuit
| (which is already one of the most expensive and frustrating
| parts of law to litigate).
|
| States are where you need to worry. Occasionally a state
| decides to pass a law[0] saying they can't be sued for
| certain copyright violations. Because of how the US
| constitution is set up, states (and nothing smaller than
| them) are allowed to just say they can't be sued, which lets
| them crime with impunity.
|
| [0] https://www.npr.org/2020/03/24/820381016/in-blackbeard-
| pirat...
| Longlius wrote:
| GPL only requires you to provide source code when you provide
| an executable program. If their internal software isn't
| released outside the organization, then source code does not
| need to be either.
| mistrial9 wrote:
| Google famously used this clause and that was near twenty
| years ago... things have evolved in GPL land
|
| https://en.wikipedia.org/wiki/GNU_General_Public_License
| staticassertion wrote:
| FWIW, while this specific act may not be enforcing significant
| regulation, software developers need to understand that there's a
| ticking clock. Modern civic engineers went without any
| significant regulation, and then that changed. Software is young,
| it's in the phase where people aren't dying _too_ often for the
| public to care. But breaches are leading to massive privacy
| problems, real wars and conflicts are increasingly leveraging
| software defects, and the impact and scrutiny will only grow.
|
| If you want to avoid having to pass tests, having to maintain
| insurance, having to do a bunch of bullshit, all just to be a
| software engineer, get started on fixing things _now_.
|
| It is absurd that anyone can anonymously provide open source
| code, with no assurances whatsoever, and that can end up in
| critical software. And you might be saying "well, it's up to
| people to audit their dependencies" - and maybe you're right. But
| I would challenge that _everyone_ has the right to publish code
| _for distribution purposes_ with zero responsibility.
|
| Publishing code to Github? Sure, go for it, anyone can do it.
| Publishing _packages_ to _package distributors_ ? No, that
| crosses a line. I don't _want_ legal requirements, I don't
| _want_ identification requirements, just to publish and
| distribute code.
|
| If we want to avoid that we're going to need to step it up - that
| means, yeah, _basic_ measures like strong 2FA to distribute
| packages should be a requirement. Signing packages should be a
| requirement. Acknowledging and triaging vulnerabilities should be
| a requirement. If you aren't willing to do the above, which is
| frankly trivial, you shouldn't be allowed to publish software
| _for distribution purposes_.
|
| I think we need to start taking a bit more responsibility for the
| work we do. "NO WARRANTY" doesn't mean "No obligations", it just
| means no one has a legal right to pursue damages due to your
| software, you should _still do some things_.
| yjftsjthsd-h wrote:
| I'm going to disagree, I think. The problem isn't on the push
| side, it's on the pull side. People throwing random-quality
| code in github is fine. People deciding to amalgamate that into
| distributions and publish it is fine. The problem is that
| somewhere someone who _is_ supposed to be held to some standard
| decided to pull that code in without looking at it, and _that_
| is the problem. NO WARRANTY is partially about legal issues,
| but not exclusively - if people share their code for free, they
| don't owe anyone anything. If you don't like that, you're free
| to offer them enough money to actually accept your standards.
| ChrisMarshallNY wrote:
| I'm not arguing, but the standard response (_caveat emptor_,
| basically):
|
| _> pull that code in without looking at it_
|
| Is no longer reasonable. The dependency chains are too vast
| to expect the end-user to be able to audit the whole thing.
|
| There are a couple of options:
|
| 1) Don't use open-source code, and make sure that commercial
| code that you use doesn't have it.
|
| 2) Have some kind of "regulated middleman" auditors, or
| certification authorities, that can certify (and probably
| hash) "approved" open-source chains.
|
| They both suck. I worked for a company that did #1. They
| hired a company (can't remember the name, but it started with
| "P") that scanned our entire codebase, looking for open
| source.
|
| #2 is likely to result in either corruption, or "roadblocks,"
| where we can't use new fixed libraries, because the chain
| hasn't been audited, yet.
| JohnFen wrote:
| > Is no longer reasonable. The dependency chains are too
| vast to expect the end-user to be able to audit the whole
| thing.
|
| The end user shouldn't have to audit the whole thing. The
| software that includes the dependencies should audit their
| dependencies.
|
| If that burden is unworkable (and in a lot of cases, it
| is), that's a sign that the software needs to shed a lot of
| the dependencies.
| gus_massa wrote:
| >> _pull that code in without looking at it_
|
| > _Is no longer reasonable. The dependency chains are too
| vast to expect the end-user to be able to audit the whole
| thing._
|
| Each open source project is different. For example I'm
| using:
|
| Racket: Only the main distribution that is created by the
| development team and a few packages, and very few additional
| packages, like 1 or 2 for viewing the assembler version of
| the compiled functions.
|
| Python: Also only the official distribution, NumPy and
| perhaps 1 or 2 more packages. The batteries are included,
| so it's not necessary to download too much.
|
| LaTeX: As many packages as I can add, my coworkers hate me.
| Each package has a different author and chains to more and
| more packages. But I'm using MiKTeX and I trust the
| maintainer, whoever he is [1].
|
| [1] I had to google the name of the maintainer. He is
| Christian Schenk, I was convinced his name was Michael or
| something like that.
| yjftsjthsd-h wrote:
| It sounds like you want to get something for nothing. If
| you want software that meets some given standard, then
| someone has to invest the effort to make that happen. This
| isn't always expensive, but it's never free. So your
| options are indeed that _if_ that should happen, then it
| has to be done by the author, an intermediate party, or the
| consumer. Trying to make the author pay when they're not
| getting anything out of it is a great way to kill FOSS
| outright. That's not to say that "open-source code" is some
| boogeyman that has to be kept away, it just means that you
| gotta pay someone to make it meet your standards. Heck,
| offer the original author a contract and you'll solve the
| problem for everyone, and other problems besides.
| staticassertion wrote:
| I think a lot of people will disagree, which is cool and I'm
| fine with that but I do hope that this discussion can be had.
|
| > The problem is that somewhere someone who is supposed to be
| held to some standard decided to pull that code in without
| looking at it
|
| Why is it that there is no standard applied to those who
| publish code for distribution purposes? Why do we _want_ that
| to be the case? Again, publishing to Github or some source
| repository is fine, that should never ever be restricted, but
| publishing with the express intent for others to use it? I
| don't get why we're trying to ensure that that's something
| that shouldn't at least imply the bare minimum of assurances.
|
| > if people share their code for free, they don't owe anyone
| anything
|
| My point is that they don't legally owe anyone anything but
| we should impose a _moral_ standard in lieu of a legal one.
| If you are saying "here's this code, I've packaged it up and
| sent it out for distribution" I think it should be perfectly
| fine for us to say "did you do the bare minimum to make this
| code acceptable for others to use?".
|
| I don't get why we say "you have no ethical obligations in
| open source", why do we do that? Who benefits? I get not
| having legal obligations, but once you're distributing code
| for use it seems absurd to say that you have no ethical
| obligations. You chose to do that, you chose to distribute
| it, you didn't have to do that.
|
| And while I do think that the obligation exists regardless, I
| also feel that if we don't step it up here, these things are
| going to be forced on us. I'd rather we do it ourselves.
| mwint wrote:
| > but we should impose a moral standard in lieu of a legal
| one
|
| I agree with you, but these moral obligations tend to get
| enshrined in law eventually (or quickly! See Covid)
| staticassertion wrote:
| They're gonna get enshrined into law eventually one way
| or the other. If we do it ourselves and we're effective
| at limiting the damage we cause we'll be able to maintain
| control over our own processes. If we don't it will be
| taken out of our hands.
| JohnFen wrote:
| > Why is it that there is no standard applied to those who
| publish code for distribution purposes?
|
| What does "publish code for distribution purposes" mean?
| That sounds like all published code.
|
| Does that mean that I can't put my own hobby code up in
| public? That's a sure-fire way to kill the community dead.
|
| > You chose to do that, you chose to distribute it, you
| didn't have to do that.
|
| I think the burden is more properly on the people who
| choose to download and use it, knowing what it is.
| yjftsjthsd-h wrote:
| > Why is it that there is no standard applied to those who
| publish code for distribution purposes?
|
| Because it's rude to make demands of someone who is doing
| you a favor.
|
| Because a system that adds costs to profit-free work will
| collapse.
|
| Because your "distribution" line-in-the-sand doesn't exist.
| I assume you're thinking of NPM or pypi, but ex. Debian
| doesn't ask people before including their packages, and ex.
| nixos pulls directly from those "non-distribution"
| channels.
|
| > My point is that they don't legally owe anyone anything
| but we should impose a moral standard in lieu of a legal
| one. If you are saying "here's this code, I've packaged it
| up and sent it out for distribution" I think it should be
| perfectly fine for us to say "did you do the bare minimum
| to make this code acceptable for others to use?".
|
| Okay; let's also make a moral standard of paying people
| when we derive value from their work. I think it should be
| perfectly fine for us to say "did you do the bare minimum
| to repay the person who gave you this code to use?".
|
| > I don't get why we say "you have no ethical obligations
| in open source", why do we do that? Who benefits? I get not
| having legal obligations, but once you're distributing code
| for use it seems absurd to say that you have no ethical
| obligations.
|
| We do that because _we_ benefit. Making things easy for the
| people who are giving their work away for free helps foster
| an ecosystem where people keep giving stuff away for free.
|
| > You chose to do that, you chose to distribute it, you
| didn't have to do that.
|
| Yes, that's the point. We'd like people to keep giving
| things away even though they don't have to. If you try to
| impose costs on them for doing that, you'll alter the
| incentives so that they do the rational thing and stop
| giving stuff away, and/or start charging for it.
| peteforde wrote:
| > It is absurd that anyone can anonymously provide open source
| code, with no assurances whatsoever, and that can end up in
| critical software.
|
| While you're welcome to your position and your ideas on how to
| solve these problems, I believe that the logic you're applying
| punishes the provider and not the consumer. Nobody is forcing
| anyone to use OSS without auditing every damn line, if that's
| their requirement.
|
| Telling people that share their hard work with strangers for
| free that they have an ethical responsibility to accept vague
| "obligations" - as defined by lobbyists and politicians - is
| not an idea with wings.
| unity1001 wrote:
| > Modern civic engineers went without any significant
| regulation, and then that changed
|
| There is no analogy. The only reason why other engineering
| disciplines are not adopting software practices is because the
| other engineering fields are not easy to iterate. You build a
| bridge. And then you could maybe get some funding to improve
| one part of it a decade afterwards. Because it is too expensive
| and cumbersome to do it.
|
| When IoT, AI, nanomachines, 3D printing proliferate, you will
| see how that will change. Devices and buildings will be
| possible to iterate, and they will have versions that get
| incremented as they are improved.
|
| ...
|
| As for obligations, the existing law already covers it. From
| GDPR to payments compliance, everything is there. And a lot of
| the best practices are invented and standardized by Open
| Source, actually.
|
| ...
|
| What Open Source still lacks is the mindset to approach end-
| users and consumers and be able to get them on board. Open
| Source needs to take the route of 'no backwards compatible
| changes', and even 'add, never deprecate' (like JSON project)
| along with the habit of hiding complexity from end users and
| making things easy.
|
| Then we can create a truly Open Source world in which there
| will be infinite new possibilities.
| mkl95 wrote:
| Why limit it to open source? You wouldn't let an engineer build a
| bridge with car-sized holes just because the blueprint is not
| open.
___________________________________________________________________
(page generated 2022-09-23 23:00 UTC)