Open source: Google wants new rules for developers working on ‘critical’ projects

February 4, 2021
in Enterprise
Image: developer using a laptop (Getty Images/iStockphoto). Caption: The new practices would require project maintainers to be identifiable, accountable, and authenticated.

Open-source software should be more secure than closed source, but only if people are inspecting it and that’s not an easy job, Google argues.

But to ensure that future software supply chain attacks don’t involve key open-source software projects, some of Google’s top engineers have proposed new ‘norms’ that might create friction for open-source contributors – if their project is considered “critical”.

If the industry as a whole can decide that a particular project is “critical”, Google has suggested new practices that would require project owners and maintainers to be identifiable, accountable, and authenticated. That would mean an end to changes made to code at will, with every change subject to third-party review.


Google acknowledges its suggestions for critical open-source software are more “onerous” on project owners, and so it is expecting resistance to its recommendations.

Google admits “we are but one voice in a space where consensus and sustainable solutions matter most of all.” But it’s a powerful voice in tech. The company has outlined its suggestions for attaining these goals in the blogpost.

Rob Pike, a key designer of Google’s Go programming language, and Eric Brewer, VP Infrastructure & Google Fellow, argue in a new blogpost that the industry should agree to “define collectively the set of ‘critical’ software packages, and apply these higher standards only to this set.”

The objectives for critical open-source software include:

  1. No unilateral changes to code. Changes would require code review and approval by two independent parties.
  2. Authenticate participants. This means owners and maintainers cannot be anonymous; contributors are required to use strong authentication (e.g. 2FA).
  3. Provide notifications for changes in risk to the software.
  4. Enable transparency for software artifacts.
  5. Create ways to trust the build process.

“The [goals are] more onerous and therefore will meet some resistance, but we believe the extra constraints are fundamental for security,” the engineers explain.
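To make the first two norms concrete, here is an added example (not code from Google or the blogpost) of a merge-gate check that encodes them: a change may merge only if its author and approvers are identifiable and use strong authentication, and at least two approvals come from parties independent of the author (assumed here to mean distinct identities other than the author); the participants and approvals are constructed sample data.

```python
"""Merge-gate check for the 'critical project' norms described above.

Constructed example: a proposed change carries an author and a list of
approvals.  It may merge only when
  1. the author is identifiable and strongly authenticated,
  2. every counted approval is from an identifiable, 2FA-enabled party,
  3. at least two distinct approvers independent of the author approved
     (assumption: 'independent' means a different identity than the author).
"""
from dataclasses import dataclass, field

REQUIRED_INDEPENDENT_APPROVALS = 2


@dataclass(frozen=True)
class Participant:
    identity: str       # verified account name; "" models an anonymous party
    two_factor: bool    # strong authentication (e.g. 2FA) is enabled


@dataclass
class Change:
    author: Participant
    approvals: list = field(default_factory=list)


def authenticated(p: Participant) -> bool:
    """A party counts only if it is not anonymous and uses strong authentication."""
    return bool(p.identity) and p.two_factor


def evaluate(change: Change) -> tuple[bool, list[str]]:
    """Return (may_merge, reasons); reasons explain every ignored approval."""
    reasons = []
    if not authenticated(change.author):
        reasons.append("author is anonymous or not strongly authenticated")
        return False, reasons
    counted = set()
    for a in change.approvals:
        who = a.identity or "<anonymous>"
        if not authenticated(a):
            reasons.append(f"approval from {who} ignored: not strongly authenticated")
        elif a.identity == change.author.identity:
            reasons.append(f"approval from {who} ignored: author cannot approve own change")
        elif a.identity in counted:
            reasons.append(f"duplicate approval from {who} ignored")
        else:
            counted.add(a.identity)
    ok = len(counted) >= REQUIRED_INDEPENDENT_APPROVALS
    if not ok:
        reasons.append(f"need {REQUIRED_INDEPENDENT_APPROVALS} independent approvals, have {len(counted)}")
    return ok, reasons
```

Running `evaluate(Change(Participant("alice", True), [Participant("bob", True), Participant("", False)]))` fails with one approval counted, since the anonymous approver is ignored.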

The first set of goals Google wants the industry to consider, which apply to all open-source software, is less contentious, but would still require more work and addresses issues that even Google finds challenging.

The three key objectives for all open-source software are:

  1. Know about the vulnerabilities in your software
  2. Prevent the addition of new vulnerabilities, and
  3. Fix or remove vulnerabilities.

The recent supply chain attacks involving SolarWinds and others that led to the compromise of thousands of organizations involved closed source or proprietary software.

While open source doesn’t suffer from ‘security through obscurity’, it doesn’t follow that open source is actually free of vulnerabilities.

“Open-source software should be less risky on the security front, as all of the code and dependencies are in the open and available for inspection and verification. And while that is generally true, it assumes people are actually looking,” they write.

Open-source software projects, particularly Java and JavaScript/Node.js, rely on thousands of direct and indirect dependencies, making them tough to explore for vulnerabilities.

The Google engineers note that it is “impractical to monitor them all” and, they add, many open-source packages are not well maintained.

“Open source likely makes more use of dependencies than closed source, and from a wider range of suppliers; the number of distinct entities that need to be trusted can be very high,” they write.

“This makes it extremely difficult to understand how open source is used in products and what vulnerabilities might be relevant. There is also no assurance that what is built matches the source code.”


To address supply chain attacks, the industry needs to focus on addressing the “majority of vulnerabilities” because attackers frequently pursue known vulnerabilities rather than finding their own.

The problem for organizations using open source is that few verify all the packages they’re using. Even Google finds this task difficult.

“Tracking these packages takes a non-trivial amount of infrastructure, and significant manual effort.

“At Google, we have those resources and go to extraordinary lengths to manage the open-source packages we use—including keeping a private repo of all open-source packages we use internally—and it is still challenging to track all of the updates. The sheer flow of updates is daunting.”

Google sees automation as a way forward to address the torrent of updates to open-source packages.
