Open Source Software (OSS) makes up a critical part of today's digital infrastructure. As with physical infrastructure, its robustness and security depend on how well it is maintained. But how do you know how "well-maintained" and secure an OSS project is? Or what you can do to help? This presentation will shed light on the concept of health and sustainability of OSS projects, how to analyze it, and how to act on it. We will also discuss how this can help public as well as private entities in decisions related to OSS adoption and contributions, and consider how it may, and should, be part of a continuous and proactive security mindset and risk management process.
3. Open Source Software Sustainability
Slide #3 | @johanlinaker
• An Open Source Software project’s capability to stay maintained at length without interruption or weakening
Photo by Jan Piatkowski | https://unsplash.com/photos/eopz9bkwROs
4. Open Source Software Health
Slide #4 | @johanlinaker
• An Open Source Software project’s ability to stay viable over time
– Productivity: There is active development of the project
– Robustness: The development is open and spread out over several (independent) individuals
– Openness: Users of the project can influence and contribute to the development of the project
Photo by Markus Frieauff | https://unsplash.com/photos/IJ0KiXl4uys
5. Open Source Software and our Digital Infrastructure
Slide #5 | @johanlinaker
• Open Source Software makes up a vital building block in our digital infrastructure
• Needs maintenance, as with physical infrastructure, to stay secure and robust
Photo by Modestas Urbonas | https://unsplash.com/photos/vj_9l20fzj0
6. Open Source Software and our Digital Infrastructure
Slide #6 | @johanlinaker
• Recommended reading by Nadia Eghbal
– Roads and Bridges
– Working in Public: The Making and Maintenance of Open Source Software
Photo by Modestas Urbonas | https://unsplash.com/photos/vj_9l20fzj0
7. Open Source Software and our Digital Infrastructure
Slide #7 | @johanlinaker
Photo by @tsjost and XKCD | https://twitter.com/tsjost/status/1295662118113619968
8. The Dualism of Quality
Slide #8 | @johanlinaker
• Open Source Software is...
– full of, or susceptible to, vulnerabilities ready to be exploited
– always more secure than proprietary alternatives
Photo by Elena Rouame | https://unsplash.com/photos/9JU2CKqtw0M
9. Example: Heartbleed
Slide #9 | @johanlinaker
• A bug introduced into the OpenSSL cryptography library
• Used in a large part of the world’s connected devices
• Introduced in 2012, fixed in 2014
• Enabled access to private identification keys
• Was maintained by two individuals at the time of introduction while used by (almost) everyone
Photo by Alexander Sinn | https://unsplash.com/photos/KgLtFCgfC28
10. The ”Many-Eyes” effect
Slide #10 | @johanlinaker
• Also known as Linus’ law
• ”Given enough eyeballs, all bugs are shallow”
• Requires that enough eyeballs actually reach the codebase
Photo by Frida Bredesen | https://unsplash.com/photos/c1fFv08N7qE
11. Development Resources are Depletable
Slide #11 | @johanlinaker
• Maintainers are humans, not robots
– Burnout, changed family or working conditions
• Companies must adapt to stay competitive
– Refactoring, new products, changed business model
Photo by NeONBRAND | https://unsplash.com/photos/KYxXMTpTzek
12. Who’s responsible for ensuring the SW quality?
Slide #12 | @johanlinaker
• Maintainer(s)?
• Developer community?
• User community?
• Individuals vs. Companies vs. Government?
Photo by Scott Blake | https://unsplash.com/photos/x-ghf9LjrVg
13. Open Source Software in the Public Sector
Slide #13 | @johanlinaker
• Challenged by lack of culture, knowledge and resources
• Acquisition and public procurement key to adoption and development of open source software
• Need for support and direction
Photo by Marco Oriolesi | https://unsplash.com/photos/wqLGlhjr6Og
14. The OSPO-approach: Example from Italy
Slide #14 | @johanlinaker
• National and regional competence centers → Government Open Source Program Offices
• Law requiring use and release of Open Source Software
• Decision model and guidelines for how to evaluate and compare open source software, including:
– ”the viability of the open source project, through the assessment of visible indicators on the repository, such as code activity, release history, user community, longevity of the project, number of unique developers.”
• See: https://docs.italia.it/italia/developers-italia/gl-acquisition-and-reuse-software-for-pa-docs/en/stabile/index.html
Photo by Mark Tegethoff | https://unsplash.com/photos/l-GmdF7Md0o
15. The Foundation-approach: Example from Denmark
Slide #15 | @johanlinaker
• OS2 – formal collaboration between the majority of Danish municipalities → Government foundation
• Projects initiated by one or multiple municipalities, developed through procurement
• Ecosystem of 60+ vendors and service suppliers
• Established governance and collaboration models for new open source software projects
• See: https://os2.eu/
Photo by Nick Karvounis | https://unsplash.com/photos/3_ZGrsirryY
16. The Network-approach: Example from Sweden
Slide #16 | @johanlinaker
• Network for Open Source and Data
• Network for public entities sharing knowledge and growing a culture of using and collaborating on open source software and open data
• Monthly workshops with 80-120 participants with diverse representation
• Software catalogue of open source software used by Swedish public entities
• Do what we can with available time and resources
• See: https://nosad.se
Photo by Inès d'Anselme | https://unsplash.com/photos/IAe4R_RiB08
17. Health Assessment in Acquisition process
Slide #17 | @johanlinaker
• Is the project secure, i.e., viable long-term?
• Enable comparison between open and closed alternatives
Photo by Miguel Teirlinck | https://unsplash.com/photos/UreG3TJEpiQ
18. Health Assessment of Dependent Projects
Slide #18 | @johanlinaker
• Identify projects in need of support where health is low or at risk
• Proactive risk management and security work
• (or just being a good open source citizen)
Photo by Miguel Teirlinck | https://unsplash.com/photos/UreG3TJEpiQ
19. Need for general tools and process support
Slide #19 | @johanlinaker
• ”...criteria that can be used to evaluate software security, include criteria to evaluate the security practices of the developers and suppliers themselves...”
• https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
Photo by Tabrez Syed | https://unsplash.com/photos/dbc9DGSJzKo
20. CHAOSS – a metric toolbox
Slide #20 | @johanlinaker
• Community Health Analytics for Open Source Software (CHAOSS)
• Framework with metrics for health analysis and assessments
• Five focus areas
– Value
– Risk
– Evolution
– Diversity and Inclusion
– Common
• See: https://chaoss.community
Photo by Luke Chesser | https://unsplash.com/photos/JKUTrJ4vK00
21. Need for systematization
Slide #21 | @johanlinaker
Photo by Bilgin Ibryam | https://monetize.substack.com/p/a-framework-for-open-source-evaluation
22. A qualitative approach to health assessment
Slide #22 | @johanlinaker
• Legal – Ownership of copyright, type of license
• Governance – Openness for influence and appointment
• Accessibility – Communication and development
• Diversity – Users and developers
• Professional support – Variety and types of services
• Social activity – Communication and development
• Development activity – Technical and non-technical
• Quality – Test cases, documentation, process etc.
• Based on https://CHAOSS.community and https://www.redhat.com/en/resources/open-source-project-health-checklist
Photo by JESHOOTS.COM | https://unsplash.com/photos/LtNvQHdKkmw
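As an added illustration that is not part of the slides (nor code from CHAOSS or Red Hat), the script below operationalizes the repository indicators quoted on slide 14 and the productivity/robustness dimensions from slide 4, which feed the development-activity and diversity criteria above: it computes unique developers, a bus factor, recent commit activity, longevity and release cadence from a constructed commit log and turns them into findings. The commit data, the 365-day window and the thresholds in `flag_risks` are constructed assumptions, not values from the presentation.

```python
from collections import Counter
from datetime import date

# Constructed sample data for a hypothetical project (not a real repository):
# one (author, commit date) pair per commit, plus the project's release dates.
COMMITS = [
    ("alice", date(2019, 1, 10)), ("alice", date(2019, 6, 2)),
    ("bob", date(2020, 3, 15)), ("alice", date(2021, 2, 1)),
    ("alice", date(2021, 9, 20)), ("carol", date(2022, 5, 5)),
    ("alice", date(2023, 1, 12)), ("alice", date(2023, 4, 30)),
]
RELEASES = [date(2019, 7, 1), date(2021, 3, 1), date(2023, 5, 1)]

def bus_factor(commits, share=0.5):
    """Fewest authors whose commits together exceed `share` of all commits;
    1 means a single person carries most of the development (robustness)."""
    counts = Counter(author for author, _ in commits)
    total, covered = sum(counts.values()), 0
    for n, (_, c) in enumerate(counts.most_common(), start=1):
        covered += c
        if covered > share * total:
            return n
    return len(counts)

def assess(commits, releases, today, window_days=365):
    """Repository indicators of the kind listed on slides 4 and 14."""
    dates = [d for _, d in commits]
    gaps = [(b - a).days for a, b in zip(releases, releases[1:])]
    return {
        "unique_developers": len({a for a, _ in commits}),
        "bus_factor": bus_factor(commits),
        "commits_last_window": sum((today - d).days <= window_days for d in dates),
        "longevity_days": (max(dates) - min(dates)).days,
        "days_since_last_commit": (today - max(dates)).days,
        "longest_release_gap_days": max(gaps) if gaps else None,
    }

def flag_risks(ind, min_bus_factor=2, min_commits=12):
    """Turn indicators into findings; thresholds are illustrative, not from the slides."""
    flags = []
    if ind["bus_factor"] < min_bus_factor:
        flags.append("robustness: development concentrated on a single individual")
    if ind["commits_last_window"] < min_commits:
        flags.append("productivity: low development activity in the assessment window")
    return flags

def example(today=date(2023, 6, 1)):
    """Assess the constructed project as of a fixed date (for reproducibility)."""
    ind = assess(COMMITS, RELEASES, today)
    return ind, flag_risks(ind)
```

On the constructed data the project looks long-lived (over four years of history, three releases) yet one author made six of eight commits, so the bus factor is 1 and the assessment raises the same kind of concentration risk the Heartbleed slide describes.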
23. Lessons Learned from Practice
Slide #23 | @johanlinaker
• For sourcing and acquisition processes of strategic software
– Comprehensive and thorough process
– Easy to maintain overview
– Qualitative focus
– Evaluation support
Photo by Belinda Fewings | https://unsplash.com/photos/LtNvQHdKkmw
24. Final takeaways
Slide #24 | @johanlinaker
• Health and sustainability of open source software is key to a secure and robust digital infrastructure
• Public sector (and everyone else) should consider what responsibility they have in terms of contributing to the health of central open source software projects
• Public entities need support and direction in how they can use and develop open source software
• Health assessment should be integrated as a key practice in public acquisition processes
Photo by Omer Sonido | https://unsplash.com/photos/LEMtekMLW4o