Hi folks, I just concluded a call with Jen Easterly (Director of CISA)
We chatted for approximately 50 minutes about open source security and particularly around Apache. Going forward we're going to set up quarterly syncs, and I'd like to pull in one or more of the Marks and potentially others down the road.

I brought up some of the concerns that Phil Steitz (and Danny Angus, on another list) surfaced about the right kind of help, and concerns about masses of sudden energy being directed around specific things that weren't sustainable.

She seemed confused by our "volunteer" base. I pointed out that many, if not most, contributors are employed in tech roles, but that "volunteers" is part of our internal taxonomy. I called out that we used that because we don't pay them or direct their efforts. As Sam pointed out else-thread, "volunteer" does not denote the quality of work. I tried to reinforce that the ASF was a vendor-neutral place for collaboration.

She asked what help she or her agency could offer us. I told her that I didn't have any short term requests, but said that I would discuss with others at the ASF.

The one pointed question she asked was why the log4j vulnerability existed for so long, and wasn't found earlier. I told her that finding security vulnerabilities was not quite like experiencing a bug, and that in complex systems it's often a series of interactions rather than glaring solitary problems that were easily findable in codebases. I cited a number of other examples of long-latent security issues.

She also asked about memory safety, and I told her that the ASF as a corporation doesn't pick technologies or set technical direction, leaving that instead to the projects. But I also noted that we did have some efforts happening in those areas, and called out Stefan Eissing's work around a mod_tls implementation in Rust as an example.

--David
