Remember how I raised €1 million to demonstrate security and freedom aren’t opposites? Well here’s what happened next and how we are going to move forward with this.
In 2014, two major security vulnerabilities, Heartbleed and Shellshock, were discovered. Both concerned Free Software projects that are widely used throughout the Internet, on computers, tablets, and smartphones alike. My colleague Max Andersson from the Swedish Greens and I proposed a so-called “pilot project”, the Free and Open Source Software Audit (FOSSA).
The FOSSA project and outcomes in short
- Create an inventory of all Free and Open Source Software (FOSS) used within the EU institutions
The full inventory of software used – on desktops, servers, or when building upon them in software development – will be released after the project concludes.
- Develop a methodology and best practice for code review and quality assessment comparing how the EU and FOSS projects handle security
The Commission’s findings on a methodology and code governance in open source projects were released over the summer in a set of documents. A final batch is expected after the project’s end.
- Conduct an audit of software used in the EU institutions
In June, we asked you to help make free software more reliable and secure by submitting your favourites for the exemplary code review. The KeePass password manager and the Apache web server were chosen and received a code review. The reviews turned up a few issues but both projects did well in the audit and no critical vulnerabilities were found.
I think the EU-FOSSA project is a great idea. For KeePass, the project went well and has resulted in improvements. I hope that the EU-FOSSA project will be continued.– Dominik Reichl, KeePass
Extending the project
As the pilot project is coming to its end in mid-November, we submitted a proposal for its continuation. In Strasbourg today, the European Parliament voted in favour of the EU’s 2017 budget and with it, for the continuation of FOSSA as a preparatory action. Parliament and Council now have three weeks of time to reach an agreement on the 2017 budget. Then finally, the next phase of FOSSA can start.
More and more software underpins society. Keeping this (almost exclusively open source) infrastructure safe is a never-ending process. The FOSSA pilot highlights again the subtle trade-offs between security and complexity – sometimes it is hard to make sure that audits, bug-bounties and other one-off contributions have a net-positive effect. Key lessons learned from the pilot are that it is vital to analyse each (potential) issue in depth. Furthermore, it shows that there is great value (and need!) in building both capacity and capability in society to maintain key open source infrastructure code while also training the next cadre of developers. We need support for these communities in the long term, and that also means devoting significant resources to this.– Dirk-Willem van Gulik, member of the Apache Software Foundation
In the preparatory action phase of the FOSSA project, we want to bring the EU institutions and the Open Source community closer together. The pilot project has been an important step in this direction, but there are many things that we can improve. Among other ideas, the preparatory action will include a bug bounty approach which will allow you to participate in the discovery of potential problems and continue making Free Software even more stable and reliable.
With the Free Software audit, we will bring the EU and the Open Source community closer together.
To the extent possible under law, the creator has waived all copyright and related or neighboring rights to this work.