jwildeboer, (edited)
@jwildeboer@social.wildeboer.net avatar

A voluntary peer review system, but for pull requests. Instead of throwing money around, having meta discussions on how to run FOSS better, keep it simple. A group of people, including some real experts for the truly weird cases. Let’s call it the s-express (security express, and yes, when you remember the song, all the better). When you as maintainer receive a pull request that looks dodgy, you can forward it to s-express, who will take a look and report back with a first assessment in 24 hours.

nemobis,
@nemobis@mamot.fr avatar

@jwildeboer Sounds like https://www.freexian.com/services/consulting/ but with someone else paying the bill (hello @NGIZero? :P).

    nemobis,
    @nemobis@mamot.fr avatar

    @jwildeboer So companies would lend work time to this common pool and fund it with separate resources? I don't see how that can work for individual freelancers.

    nemobis,
    @nemobis@mamot.fr avatar

    @jwildeboer (Or even Red Hat, for that matter. If I want to throw money at Red Hat to borrow one of their experts to spend 1 day reviewing a piece of software and maybe package it, I don't think I can. So they'd only ever have resources to do what they're already doing.)

    nemobis,
    @nemobis@mamot.fr avatar

    @jwildeboer Interesting, can this offer be found somewhere on the website? On https://www.freexian.com/services/debian-support/ I see prices, on https://www.redhat.com/en/services/consulting I don't see anything. The first thought is "if there's no price label, it's too expensive" (like in a luxury shop). If I have to go through sales to order a few hours of code review, I'm exhausted before even starting.

    nemobis,
    @nemobis@mamot.fr avatar

    @jwildeboer Ok, so then the question becomes how those freelancers are paid if they aren't already organised in a flexible structure like Freexian. I guess that brings us to the StandICT fellowship/grant model suggested by https://meshed.cloud/@webmink/112223747461839858

    larsmb,
    @larsmb@mastodon.online avatar

    @jwildeboer How do you vet which projects are allowed to submit requests?
    (Otherwise subject to DoS.)
    Unless this is funded, it'll perpetuate the ad hoc-ness and occasionally exploitative nature of FLOSS.
    Further, my main concern would be that as soon as a maintainer has identified something as dodgy, it's basically already caught. This doesn't help for something snuck in via trust or cunning.
    Can we overcome those?

    lazyb0y,
    @lazyb0y@mastodon.social avatar

    @jwildeboer @larsmb
    Assuming most of these things require deep knowledge of the whole project the code to be checked runs in, I think it will be difficult to create a team with a finite number of members that can check such things in not too long a time so they can say it’s 100% OK.
    So it will always be better to say “this is unclear and hard to understand - please make a new pull request that is easier to understand” directly inside the project.

    lazyb0y,
    @lazyb0y@mastodon.social avatar

    @larsmb @jwildeboer But some of the points are still useful: a security group looking at things and maybe at a bigger picture is not wrong. I just think it might not work as a 24h response service.

    larsmb,
    @larsmb@mastodon.online avatar

    @lazyb0y @jwildeboer Note though that the issue in xz wasn't found by someone with deep knowledge of the particular project, but with deep general system experience and expertise.

    onepict,
    @onepict@chaos.social avatar

    @jwildeboer I wonder if this is something that could work with @ros .

    They already do security reviews of @NGIZero funded projects as part of @review and as part of NGIZero's new funds.

    jwildeboer, (edited)
    @jwildeboer@social.wildeboer.net avatar

    This should be run as a service that is for free for every open source project out there. The s-express collective should collect, aggregate and deliver regular reports to the interested public on what trends they see and where more vigilance is needed. S-express can and should have subgroups focusing on specific languages but also on emerging attack vectors. But they only give advice. The maintainer stays in control.

    jwildeboer,
    @jwildeboer@social.wildeboer.net avatar

    If you know a bit or a lot about possible attack vectors, you can join s-express in many ways. As a volunteer, freelancer, full time, part time. This should be more of a network and not a foundation or something. Companies could allow their own security teams to participate for, say, up to 20% (1 day per week). Why? It’s learning and sharing effectively for free and a way to give back to FOSS that is quite natural. Also teaches their people how to be a good community citizen.

    jwildeboer,
    @jwildeboer@social.wildeboer.net avatar

    I am sharing this very unpolished first idea in the hope that it attracts people that can add positive criticism and ultimately with the hope that it might get implemented. I just needed to share it before I sabotage it myself with my own criticism :)

    gimulnautti,
    @gimulnautti@mastodon.green avatar

    @jwildeboer Theme of my youth!! ☺️

    ColinTheMathmo,
    @ColinTheMathmo@mathstodon.xyz avatar

    Calling. @Chartodon Spine ...

    CC: @jwildeboer

    weddige,
    @weddige@gruene.social avatar

    @jwildeboer I really like the idea as part of a strategy to help FOSS developers with security challenges. Maybe not as one organization, but a design pattern for different communities. This could keep the overhead manageable and use existing structures (e.g. if Wordpress offers an s-express for plugin developers).

    Another aspect could also be services like crisis communication, in case shit hits the fan: A place where developers quickly get help if a situation becomes overwhelming.

    weddige,
    @weddige@gruene.social avatar

    @jwildeboer But I think it's important to make it very clear that it's a service for the maintainers and not a way for companies to unload their due diligence.

    A single maintainer or even a small team – even if they get a support contract – should never carry the responsibility for a piece of software without an organisation in between, that can take the hit. This is where companies like Red Hat can come in, or easy-to-adopt processes for companies to do the due diligence themselves.

    weddige,
    @weddige@gruene.social avatar

    @jwildeboer I didn't want to imply that Red Hat wasn't doing enough, but to use them as an example of an org that is already in that role.

    Character limits can sometimes lead to somewhat ambiguous formulations.

    mattb,
    @mattb@hachyderm.io avatar

    @jwildeboer I like this idea in principle.

    A problem I see is that the understanding required to do this kind of security review is often (usually?) highly domain specific. You'd need reviewers for your specific domain more often than not.

    And there are plenty of other occasions when somebody who is only a domain expert will not spot something big.

    It would be interesting to pilot this and see what emerges.

    I think this would be simplest to implement for projects with drivers/plugins.

    mwfc,
    @mwfc@chaos.social avatar

    @jwildeboer
    I thought about a similar group like ten years ago. An IPv6 team to help projects get IPv6 support.
    And I really like it. I think many projects could benefit, and having them "just" do reviews will help devs who are still learning gain experience. Especially those lacking confidence and hence being mentally blocked.

    mwfc,
    @mwfc@chaos.social avatar

    @jwildeboer
    Oh and I think the 24 hrs are too short. But that is playing with numbers and not a blocker.

    saffronsnail,
    @saffronsnail@social.seattle.wa.us avatar

    @jenniferplusplus This idea seems to be something that fits into the kinds of solutions you're trying to promote IMO.

    @jwildeboer The analysis in her article seems to be in favor of this idea IMO. https://jenniferplusplus.com/the-free-software-commons/

    jenniferplusplus,
    @jenniferplusplus@hachyderm.io avatar

    @saffronsnail @jwildeboer yeah, this is the kind of structure and resource we need. And the same could be done for other concerns, too. Maybe performance, maybe accessibility. It also doesn't have to be (entirely) volunteer work. I don't see any harm in companies funding 3rd party review as a service. Either by making their employees available, as you suggest, or by contributing to a fund that would pay people to do this work.

    4censord,
    @4censord@unfug.social avatar

    @jwildeboer also basic training on what constitutes dodgy, things like secure design for free

    melroy,
    @melroy@mastodon.melroy.org avatar

    @4censord @jwildeboer And who is gonna pay this group if the project itself doesn't even bring in any money?

    melroy,
    @melroy@mastodon.melroy.org avatar

    @jwildeboer @4censord Oh, my bad. Mastodon didn't list it as a thread when using the Tusky client. I only saw this message. Or was I too fast?
