David Nalley, Sam Ruby, and I attended the White House virtual meeting last week, and you have probably seen the press from us, the White House, and various companies after the event. Of course, with such a large meeting, and only 5 hours, there was a limit to how much detail we could get into. Here are my personal thoughts, which I'll base around the press statement [1] (as the meeting itself wasn't public).
The meeting was framed as a way to start collaboration and lead to definable and actionable steps. While this meeting was likely triggered or at least accelerated by the log4j issue, log4j and the ASF were not the main focus and it wasn't trying to be a post-mortem of any specific issue.

The first main topic was "preventing defects". OpenSSF showed their Alpha/Omega proposal [2] and talked about how they had already started channeling significant funding into code audits. Our ASF position paper [3] stated we are more than happy to work with third parties that want to do audits of our projects (as long as it's a collaboration so that the audit produces consumable results without overly burdening a project). A lot of talk also focused on education issues, specifically in the USA. While training courses, such as those created by OpenSSF, have a place, ideally this would happen much earlier, in the education system. Scorecard systems and SLSA were also brought up [4] as a way of labelling OSS to help downstreams make informed decisions as to how projects are built and maintained.

The next topic was about how to determine which projects needed help. Again, work by groups such as OpenSSF has looked at many ways, both automated and manually augmented, to determine which projects are 'critical'. While you can get metrics from GitHub for projects that use that as their primary development platform, it's actually pretty hard to do this across OSS as a whole. While SBOMs may help companies know what dependencies they're consuming, it likely won't work in reverse, and our position paper again highlighted that we have no way of knowing how widely, and for what purposes, our projects are used. I don't think it matters too much inside the ASF - we apply the same security processes and standards to all our projects no matter how popular or critical they are. However, it may help others choose which projects to audit or which they wish to get involved with.

The third topic was around SBOMs. There was talk on how to incentivise OSS developers to create SBOMs, how to make them part of build systems, and so on. While widespread use of SBOMs may help in the future, we highlighted a couple of times that our concern was the issues caused by lack of timely patching, and mentioned the previous issues in other Apache projects which have caused businesses that didn't mitigate or update to get exploited.

The term "curation" was used a lot in the meeting - I think of curation as what organisations such as OS distributions do, where they make a collection of open source projects that they select using some criteria, build, and are responsible for getting updates and notifications to their users (and being the 'maintainer of last resort' for things they ship if the upstream is EOL, non-responsive, etc). The ASF is a curator for our projects, and the policies and processes we currently have (around vulnerability response, release creation and signing, and so on) are part of that.

I'm glad we were invited to this meeting and could attend it, and I felt that our perspective provided useful context for the participants. While there was no direct action on the ASF from this meeting, it has certainly been a good catalyst to revisit what we're doing for security across ASF projects. And there are likely to be follow-on meetings in the future. To me it also was a good reminder of how OpenSSF have created projects that align well with the concerns and the Executive Order, but we've not really spent time helping OpenSSF integrate with the way we work.

What's immediate next? We created that page of brainstormed ideas [5] and as a next step we can go into each one in a little more detail, perhaps put them into the buckets on how they align to the White House discussions, and figure out which are feasible and with what priority.
Regards,
Mark

[1] https://www.whitehouse.gov/briefing-room/statements-releases/2022/01/13/readout-of-white-house-meeting-on-software-security/
[2] https://lists.openssf.org/g/openssf-tac/topic/alpha_omega_proposal_for/85656707
[3] https://cwiki.apache.org/confluence/display/COMDEV/Position+Paper
[4] https://blog.google/technology/safety-security/making-open-source-software-safer-and-more-secure/
[5] https://cwiki.apache.org/confluence/display/COMDEV/Brainstorm+Initiatives
