The impact of security in FOSS projects and its future
How the faker.js incident shed light on the mindset of the Open-source community
All of us have either heard of the Faker.js debacle or have used the package in our repositories/projects. Faker JS has been so useful and convenient that even the Amazon Cloud SDKs used it at some level. Unfortunately, due to the rogue actions of the maintainer (who had control over the repository and was legally entitled to act as they did), the package got impacted. This incident has become a turning point in the history of FOSS and security.
Forking Open-Source software disgracefully
It is of high importance that we address the concern of Big Tech companies using FOSS software without contributing anything back. Maintainers are really tired of maintaining large repositories while big tech companies swoop in and take the projects for free. Elastic (the company behind the well-known Elasticsearch, Logstash and Kibana stack) recently amended their license to prevent one of the major cloud providers from using their open-source projects, and it clearly reflects the mentality of maintainers who are tired of seeing this happen. It is clear that Open Source repository maintainers expect major tech companies to back them instead of forking without any contribution.
The mentality of maintainers has evolved into:
Contribute to FOSS in any and all possible forms; forking without contribution is disgraceful.
With that being said, Big Tech companies have been pioneers of FOSS culture and have contributed enormously; some examples would be:
- Facebook — React JS
- Microsoft — TypeScript
- Google — Angular and Kubernetes
Open Source is not equal to Secure
The idea that open-source applications are secure because they are transparent has been disproved by this debacle, and it can clearly be understood that more time, attention, effort and money need to go towards the security of Open Source applications. GitHub (which pioneers Open Source work) has rolled out useful features like Dependabot, but let us address the reality: is Dependabot enough to maintain repositories? Certainly not; it was built for small-scale projects. All of us can agree that Dependabot is amazing for small repositories, but for applications at the scale of Firefox, VLC media player or even Kubernetes, it is certainly not enough.
This part of the story has a better ending than the previous part: various tech giants have come together and committed 10 million US dollars to fund the OpenSSF, an organization which works and strives to ensure the security of Open Source projects. As developers, I think we should also start contributing to the projects and initiatives of OpenSSF to have a more harmonious tech world.
What the maintainer of faker.js did was totally unacceptable and unfair, though they were legally entitled to do so. It must be duly noted that they are not the only part of the community, but their actions reflect the mindset of the community which runs the world. With that being said, there are FOSS projects which bring bread and butter to the plates of their contributors and maintainers, and it'd be really unfair for me (as the author) not to mention that perspective as well. The Open Source community works on good faith, and acts of bad faith are detrimental to every stakeholder of the community, including but not limited to itself. The Open-source community really is amazing and deserves respect for the work it does. It'd be really unfair of me as the author not to emphasize the importance of the FOSS community.
As the author, I also believe that using open-source repositories for hacktivism is not helping anyone; it is just making the situation worse for every stakeholder.