Abhijith Ganesh for IEEE Computer Society, VIT Chennai


The impact of security in FOSS projects and the future

All of us have either heard of the Faker.js debacle or have used the package in our own repositories and projects. Faker.js was so useful and convenient that one of the Amazon SDKs depended on it at some level. Unfortunately, due to the rogue actions of the maintainer (who actually had control over the repository and was legally entitled to do so), the package was sabotaged and every project depending on it was impacted. This incident has become a turning point in the history of FOSS and security.

Stop forking Open-Source software disgracefully

It is of high importance that we address the concern of Big Tech companies using FOSS software without contributing anything back. Maintainers are tired of maintaining large repositories while big tech companies swoop in and take the projects for free. Elastic (the company behind the well-known Elasticsearch, Logstash and Kibana stack) recently amended its license to prevent one of the major cloud providers from offering its open-source projects as a service, and that move clearly reflects the mentality of maintainers who are tired of seeing this happen. It is clear that open-source maintainers expect major tech companies to back them instead of forking without any contribution.

The mentality of maintainers has evolved into:

Contribute to FOSS in any and all possible forms; forking without contribution is disgraceful.

Open Source is not equal to Secure

The idea that open-source applications are secure simply because they are transparent has been disproved by this debacle. It should now be clear that more time, attention, effort and money needs to go towards the security of open-source applications. GitHub (which pioneers open-source work) has rolled out useful features like Dependabot, but let us address the reality: is Dependabot enough to maintain repositories? Certainly not. All of us can agree that Dependabot is great for small repositories, but at the scale of applications like Firefox, VLC Media Player or Kubernetes, it is certainly not enough.

This part of the story has a better ending than the previous part: various tech giants have come together and committed 10 million US dollars to fund the OpenSSF, an organization that works to ensure the security of open-source projects. As developers, I think we should also start contributing to the projects and initiatives of the OpenSSF to have a more harmonious tech world.

Post-Script: What the maintainer of Faker.js did was totally unacceptable and unfair, even though they were legally entitled to do so. It must be duly noted that they are only one part of the community, yet their actions reflect the mindset of the community that runs the world. With that being said, there are FOSS projects that bring bread and butter to the plates of their contributors and maintainers, and it would be unfair for me (as the author) not to mention that perspective as well. The open-source community works on good faith, and acts of bad faith are detrimental to every stakeholder of the community, including but not limited to itself.
