How do you fix a problem like open-source security? Google has an idea tho constraints may not go down well

Google has proposed a framework for discussing and addressing open-source security based on factors like verified identity, code review, and trusted builds, but its approach may be at odds with open-source culture.


The security of open-source software is critical because of its wide adoption, from the Linux kernel on which most of the internet runs to little JavaScript libraries that get built into millions of web applications, sometimes via a chain of dependencies somewhat hidden from the developer. Vulnerabilities such as one discovered recently in the essential sudo utility affect millions of systems.

A team from Google has now posted at length about the issue in the hope of "sparking industry-wide discussion and progress on the security of open source software."
