Supply chain security has been a hot topic in recent years, particularly as it relates to open source software. Malicious, black-hat attacks have been commonplace in this space for many years, but we’re increasingly seeing open source supply chains being disrupted in acts of hacktivism, dubbed “protestware.” Not long ago, we reported on the maintainer of faker.js who intentionally sabotaged his long-maintained open source project while claiming that he no longer wanted to support large companies with free work.
Today, with an ongoing war between Russia and Ukraine, some open source maintainers have taken it upon themselves to protest the war through changes to their code that display anti-war messages when the software is run. However, one maintainer in particular took it to the next level. Brandon Nozaki Miller published a library on GitHub named peacenotwar that simply printed an anti-war message on the computer it was run on. This package is harmless on its own, but things got interesting when he included it as a dependency of the node-ipc module he maintains. Users who downloaded the latest version of node-ipc to a machine in Russia would be subject to complete data destruction. Miller defended the act by claiming that this is all documented publicly and that users who don’t want this installed on their machine should lock their dependencies to older versions.
This move has caused much controversy in the open source community. Proponents argue that extreme situations require extreme measures. However, detractors, including the Open Source Initiative and Electronic Frontier Foundation, claim this move is likely to cause collateral damage and hurt the reputation of open source software. Either way, this is clearly a unique method for open source developers to demonstrate the power and influence they have over society.
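The two defensive checks the node-ipc story implies, whether a direct dependency is declared with a floating range that a fresh install could resolve to a newer release, and which package in the tree is responsible for pulling in a given transitive dependency, as an added example that is not code from the newsletter or from node-ipc. It assumes an npm package-lock.json in the lockfileVersion 2/3 layout (a `packages` map keyed by install path); the package data and version numbers are constructed for illustration.

```javascript
// Added example: audit an npm lock file for floating direct dependencies and
// for the dependents of a named transitive package (lockfileVersion 2/3).

// Constructed sample data; names and versions are illustrative only.
const pkg = {
  dependencies: { "node-ipc": "^1.0.0", "express": "4.17.3" },
};
const lock = {
  lockfileVersion: 2,
  packages: {
    "": { dependencies: pkg.dependencies },
    "node_modules/node-ipc": {
      version: "1.0.4",
      dependencies: { "peacenotwar": "^1.0.0" },
    },
    "node_modules/peacenotwar": { version: "1.0.2" },
    "node_modules/express": { version: "4.17.3" },
  },
};

// A spec is exact only if it is a bare semver version (optional "v" prefix).
const EXACT = /^v?\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/;

// Report every direct dependency whose declared range could float past the
// version currently recorded in the lock file, with the exact pin to use.
function floatingDeps(pkgJson, lockJson) {
  const out = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkgJson[field] || {})) {
      if (EXACT.test(spec)) continue;
      const locked = lockJson.packages[`node_modules/${name}`];
      out.push({ name, spec, pin: locked ? locked.version : null });
    }
  }
  return out;
}

// Walk the lock file and return the install path of every package that
// declares the given name as a dependency, i.e. who brought it into the tree.
function dependentsOf(lockJson, name) {
  return Object.entries(lockJson.packages)
    .filter(([, meta]) => meta.dependencies && name in meta.dependencies)
    .map(([path]) => path || "<root package.json>");
}

console.log(floatingDeps(pkg, lock));
console.log(dependentsOf(lock, "peacenotwar"));
```

Running it on a real lock file means replacing the constructed objects with `JSON.parse(fs.readFileSync(...))` of package.json and package-lock.json.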
A US district court in California made a ruling on Neo4j, Inc. v. Graph Foundation, Inc. that has been received with some controversy in the open source community. The court case centers around Neo4j’s use of the Affero GPL (AGPL) with the addition of the Commons Clause on their enterprise code. The AGPL contains a section stating that a licensee may remove any “further restriction” imposed in addition to the AGPL, which the Graph Foundation interpreted to include the Commons Clause. The Graph Foundation publishes and maintains a version of the Neo4j enterprise product named ONgDB with the Commons Clause removed.
The court ruled that only the licensor is allowed to remove additional license restrictions beyond the AGPL and that the Graph Foundation is in violation of Neo4j’s copyright claim. The Open Source Initiative and the Software Freedom Conservancy have both come out in opposition to the court ruling, claiming that the original intention of the AGPL was to give licensees the right to do exactly what the Graph Foundation did in this situation. This is only a preliminary injunction, and it seems likely that this ruling will be appealed. In the meantime, the code for the project is still available on GitHub, and you can read the full ruling here.
Red Hat has released their 2022 report that outlines the state of open source in the enterprise. They interviewed nearly 1,300 IT professionals about the importance of open source in vendor selection, the types of open source technologies enterprises are looking for, and open source security.
Here are some of the major findings:
- 82% of IT leaders are more likely to select vendors who contribute to open source. Familiarity with open source processes, influence on technical direction, and effectiveness are all cited as major reasons for this.
- 89% of IT leaders believe open source is as secure or more secure than proprietary software. The ability to test open source code, scan for security vulnerabilities and updates, and the pace of security fixes are the main reasons for this belief.
- Enterprises expect to decrease their use of proprietary software by 18% and increase their use of open source software by 17% over the next two years.
- AI, machine learning, edge computing, containers, and serverless computing are the technologies most targeted for open source adoption.
What started as a weekend project for Linus Torvalds, the famous inventor of Linux, 17 years later has become a ubiquitous tool used across the software development world. At this point, Git is almost synonymous with code version control and it doesn’t seem like this is likely to change anytime soon. To celebrate the 17th anniversary of Git, check out this wonderful article over at opensource.com about the community’s favorite Git commands.
The RoninX Foundation is the world’s first non-profit organization dedicated to bringing together camera hardware, streaming, and blockchain communities to produce technologies for real-time content streaming via Web 3.0. The foundation has organized around working groups for transport layer, metadata, file management, metaverse, and blockchain technologies.
- Dagger - A portable dev kit for CI/CD from the founder of Docker.
- Eden - a cross-platform, scalable source control management system from Meta.
- FastTreeSHAP - A Python package from LinkedIn for fast interpretation of the TreeSHAP algorithm.
- xGitGuard - A security tool from Comcast to detect secrets exposed on GitHub repositories.
- Code Verify - A browser extension from Meta for verifying the integrity of web pages and detecting executed code that’s not included in the site manifest.
- Access Undenied on AWS - A security tool from Ermetic to analyze AccessDenied events on AWS CloudTrail.
Want more news about open source projects? Subscribe to The Build, a newsletter for software engineers dedicated to sharing useful technical content on effective development and collaboration techniques.