Open Source Survey Reviews Project Security and Sustainability Issues
A Linux Foundation report on trends in open-source software development assesses the factors driving contributors while urging more incentives to secure code and sustain community-based projects.
The document, "Report on the 2020 FOSS Contributor Study," identifies key issues in improving the security and sustainability of free, open-source software (FOSS) due to its importance worldwide in much of the critical infrastructure that underlies the modern economy. Survey collaborators included the Linux Foundation’s Core Infrastructure Initiative, Harvard University’s Laboratory for Innovation Science and the Open Source Security Foundation.
The researchers received a total of 1,866 survey responses to the survey, including 1,196 to at least one question about open-source contributions. Just over 600 respondents completed the entire survey. Of those, 27 percent of respondents were U.S.-based. Germany (12 percent) and France (7 percent) represent the next largest demographic. Three-quarters of respondents were employed full-time, most (61 percent) in the technology sector. More than half of those polled said they are paid to contribute to open-source development projects, though the amount varied significantly by country. Contributors were categorized as maintainers, core or occasional participants along with programmers providing one-time suggestions.
The primary takeaways included the heightened need for secure code and creating financial and other incentives to adopt secure development. The study recommends that stakeholders fund security audits for mission-critical development projects and ensure those audits produce “mergeable changes.” The report also calls for greater adoption of best practices for secure software development while requiring security training for paid developers.
When vulnerabilities are uncovered, the report recommends rewriting entire open-source software components in a “memory-safe language” using methods that protect code from bugs and security vulnerabilities.
Forty-eight percent of those polled said they are paid by their employers to contribute to open-source projects. Among the survey’s other recommendations was greater corporate recognition of the value of participating in open-source projects, including the skills gained by contributors. While providing financial support to community projects, employers should also back open-source efforts with computing resources and security audits, the survey authors recommend.
Corporate funding should also be used to sustain projects after companies release their own distributions of platforms based on free open source code. Transferring projects to the Linux Foundation and other groups would provide “neutral governance to ensure diversity of organizations and control,” the report’s authors noted.
More than 45 percent of respondents said they do not need permission from employers to contribute code to open source projects, up from 35.8 percent last year. Still, about one-quarter of respondents said corporate policies on open-source contributions were either unclear or nonexistent.
The report encourages companies to contribute to open-source efforts by establishing clear policies for participation. Defined policies also would help improve code security via collaboration with groups like the Open Source Security Foundation, the survey noted. OpenSSF’s membership includes leading open-source companies such as Microsoft-owned GitHub, Google and IBM’s Red Hat unit.
“It is clear from the 2020 findings that we have work to do to ensure we staff across the community for security and to enable individuals to confidently contribute to open source software,” noted David Wheeler, director of open source supply chain security at the Linux Foundation.
The survey authors said they compiled a list of popular open source projects to assemble a sample group for the project. They then sent emails to project contributors to participate in the open source survey. Social media was also used to generate survey responses.