They’ll need every penny of it and more. At the White House press conference, OpenSSF general manager Brian Behlendorf said, “I want to be clear: We’re not here to fundraise from the government. We did not anticipate needing to go directly to the government to get funding for anyone to be successful.”

Here are the ten goals the open-source industry is committed to meeting. I’ll go into more detail about those in later stories, but even at a glance, this is a massive undertaking. For instance, C, which is core to the Linux kernel, the most important of all open-source projects, has many vulnerabilities within it. While the memory-safe Rust language is now being used in Linux, it’s years, if not decades, away from replacing C in Linux’s over 27.8 million lines of code. Indeed, I doubt we’ll ever see all of Linux’s C code replaced by Rust.

We’re already close to solving some of the others. The open-source security company Chainguard is calling on the software industry to standardize on Sigstore. Sigstore enables developers to securely sign software artifacts such as release files, container images, binaries, bill-of-materials manifests, and more. This Linux Foundation project is backed by Google, Red Hat, and Purdue University. Sigstore has several great features. These include:
- Sigstore’s keyless signing gives a great developer experience and removes the need for painful key management.
- Sigstore’s public transparency log (Rekor) and APIs mean Kubernetes consumers may easily verify signed artifacts.
- Sigstore’s use of standards, such as support for any Open Container Initiative (OCI) artifact (including containers, Helm Charts, configuration files, and policy bundles) and OpenID Connect (OIDC), means it integrates seamlessly with other tools and services.
- The active, open-source, vendor-neutral Sigstore community gives confidence that the project will be rapidly adopted and become a de-facto industry standard.
Indeed, Kubernetes has already adopted Sigstore. In brief, it makes it simple to adopt a secure digital signature for your code. Then, the programmers who use your code can be sure it really is the code they want and can trust. This is essential. As Stephen Chin, VP of Developer Relations at software supply chain security company JFrog, said, “While open source has always been seen as a seed for modernization, the recent rise of software supply chain attacks has demonstrated we need a more hardened process for validating open-source repositories.” Of course, there will always be bugs. As Behlendorf said, “Software will never be perfect. The only software that doesn’t have any bugs is software with no users.”