Cleaning up the Beach

This blog was created by Charlie Bedard.

It is a lovely day and, being fortunate enough to live near a coast with long, sandy beaches, you decide to take the family to the beach. You hop in the car and head to the beach. Everyone jumps out of the car and heads to the sand. And then they see this!


Who would want to lay out on that?

The Open Source “Beach”

 

The world of Open Source software is a lot like our beach in this story. Like the public beaches, the world of Open Source components is available for everyone to use. And use it they do.

In 2022, the Linux Foundation, in collaboration with the Laboratory for Innovation Science of Harvard (LISH) published a paper titled Census II of Free and Open Source Software – Application Libraries. In that paper, it claimed “It has been estimated that up to 98% of codebases include FOSS and that software is an increasingly vital resource in nearly all industries.”

So, the Open Source “beach” is not only large but critical to developing software. But, like our beach example, it is not necessarily a pristine place to “lay out our blankets”. That same Census II report reminded their readers that the “security of FOSS is vital to the future of nearly all industries in the modern economy. This has become more evident after recent vulnerabilities identified in widely used FOSS like OpenSSL (the open source command line tools and libraries widely used for secure communications over computer networks), and log4j (the Java-based logging utility from the Apache Software Foundation).”

The Open Source Dependencies

 

The security of Open Source code is dependent upon the vast community of developers who maintain the tens of thousands of components making up the huge library of Open Source software. I expect that everyone has seen and chuckled at the well-known xkcd illustration of just how fragile Open Source can be. How many important services are relying on the security diligence and commitment to maintaining that by that “random person in Nebraska”?

Thankfully, the Linux Foundation has spearheaded an effort to help “clean up the beach”. The Alpha-Omega project was established in February 2022, funded by Microsoft, Google and Amazon, and with a mission to protect society by catalyzing sustainable security improvements to the most critical open source software projects and ecosystems”. Hooray! Someone is worrying about cleaning up the beach!

OpenRefactory’s Contribution

 

But this is an enormous problem. After all, the beach appears endless. And, even if you could clean up the beach, what is there to stop it from reverting back to its unsafe state?

This is where OpenRefactory has been able to offer a helping hand. It has received a grant from Alpha-Omega that allows OpenRefactory to use its technology and expertise to cordon off a section of the beach and clean it up.

Through the use of OpenRefactory’s Intelligent Code Repair (iCR) along with other tools, OpenRefactory has developed a scalable approach to “scrubbing the beach”. Currently, OpenRefactory is working with the Python Software Foundation (PSF) to clean up the top 2,000 projects in the Python Project Index (PyPI).

For every project that is analyzed, a report is produced identifying any high-severity security or reliability flaws that were detected. The maintenance teams are contacted, and the detected issues are presented to them for, hopefully, correction. Once corrected and verified, an attestation is made available via GitHub so that any potential users of that library are assured that “this portion of the beach” has been scrubbed.

OpenRefactory is also part of a continuing relationship with Alpha-Omega to help create a “safety-first” ecosystem in which developers are encouraged to continue to maintain their portion of the beach clean.

OpenRefactory envisions a future in which developers and users of FOSS work together, as a community, to ensure a trusted code base. In that vein, OpenRefactory is creating the Clean Beach Project whereby everyone who seeks to resolve this issue can contribute and share in tackling this difficult problem. Look for the Clean Beach Project website soon.

After all, who would not feel comfortable enjoying the pleasures of a nice safe beach.

Recent Posts