$10m for Security

Schneier blogged about the $10m in grants to the LF’s new Open Source Security Foundation, which got me thinking about it again.

https://www.schneier.com/blog/archives/2022/02/finding-vulnerabilities-in-open-source-projects.html

Last I checked, the plan for the money was essentially in-house projects of the LF. Pick a couple hundred key projects and vet them by hand. Develop some broad-scale scanning tools and run those on the rest of open source.

There are some stray mentions of “training” or similar work on the maintainers. But overall, my strong impression was this is another LF-centralized effort at doing security unto maintainers, rather than supporting them to do it themselves.

Celebrating this as a big number also feels kind of goofy, begging dollars-to-dollars comparisons that don’t really flatter. $10m is a big headline number for an open source initiative. It certainly blows the big numbers from donation- and sponsorship-supported projects away. But it’s also less than the median Series A venture financing amount for a startup in Q2 2021. The average Series A amounts I see elsewhere run much higher, like $20m+.

1 Like

I’ve been told: go open source. Money in FOSS is increasing. FOSS is the future.

My response: Let me know when FOSS is getting more than chump change.

I’m sure Brian Behlendorff’s doing fine. All the folks listed by name on LF’s 990. The people in year five at some F500’s open source program office. The project leads getting paid to do OSS in big companies.

There are people getting paid. And not a pittance. But not that many of them. And not all of those at the code-and-issues level.

Lots of intermediaries. That’s what bothers me about the LF security raise.

My comment about chump-change is more about the run-of-the-mill FOSS dev that isn’t part of a well-funded foundation.

I think most folks on GitHub would be elated to even make chump change.

1 Like

I hear you. But that’s the problem, isn’t it?

When big companies “give money to open source”, they’re not giving to GitHub people. They’re giving to foundation people, who don’t necessarily pass along to GitHub people. But the headlines invite us to think it’s all the same.

As often as not, they seem to pass money along to other foundation people, whose job it becomes to make or take work from maintainers. Here’s a new list of best practices you’re supposed to follow. Here’s a security program you need to sign onto. Here’s a vuln we found after the fact, because you were too stretched or stressed to avoid introducing it in the first place. Supportive care.

The savvy, accept-the-world-as-it-is play in open source is to do enough time and get enough creds on GitHub, then parlay that into a program office, foundation, or heavily marketed corporate project. Do less open source development and more open source management.

1 Like