Rising to the Challenges in Security
Craig Russell
English Session #keynote

This talk discusses the current state of security in open source software, and in particular, how the ASF is responding to the growing threat. The ASF started with the first project: a web server running on an open source operating system. Since then, the organization has built hundreds of communities based on principles of openness, collaboration, and public good. Open source is now considered to be the principal component of most commercial software projects, accounting for some 90% of all commercial code, with an estimated value of USD $8.8 billion. With the rise of open source software, bad actors have found ways of exploiting weaknesses for financial gain. This presentation will discuss actual scenarios that affected open source systems, and strategies for mitigating the attacks. Open source software has a specific role to play in helping to prevent attacks. Open source stewards are responsible for following a defined process to handle security vulnerabilities. Most open source foundations qualify for the role of steward. The ASF is committed to working with other open source foundations and government entities to continue to build software for the public good that is openly available and safe for widespread adoption.
Speakers:
I joined Apache as a committer on the incubating JDO project in 2005 and became an Apache Member in 2007. I was appointed Assistant Secretary in 2009 and Secretary in 2010, where I served until 2019. I was elected to the Board of Directors in 2019 and served four terms as a Director.
I was originally attracted to Apache by its approach to governance, where the people doing the work decide what direction to take the project. This is exactly the opposite of how most corporations work, where “the smartest people in the room (managers and executives)” make the decisions.
Once my own project was accepted into Apache, I looked around to see what else I could contribute to, and joined a number of projects where I could help. I also started looking at the intellectual property model of licensing of contributions and licensing of the end products. That led me to start contributing to the Secretary role, processing the “paperwork” granting IP rights to the Foundation.
Recently it has come to my attention that people feel that the Foundation has “too many rules” which go against the free expression that people look for. Looking deeper into this issue, I found that there are some common themes that, if understood better, can make the experience easier.