On June 7th, for the third year in a row, we hosted Upstream, a virtual, one-day celebration of open source, the developers who use it, and the maintainers who make it. It was our biggest Upstream yet, with hundreds of attendees joining us in discussions about the current state of open source and how to make it better for everyone.
In his Upstream keynote, aptly titled Open source won, now comes the hard part, Mike Milinkovich, executive director of the Eclipse Foundation, spoke about the changes coming to the open source software community as government regulation becomes a fact of life.
Open source has been driving innovation for the last 20 years. A Tidelift study conducted in 2018 showed that over 92% of all software is built upon open source components. However, opportunists have taken note of this growing open source software supply chain, and cybersecurity attacks against it are on the rise.
“The amount of money that's being made in cybercrime is absolutely stupendous, to the point where we're looking at $10.5 trillion in damages by 2025,” Mike said. “That's an enormous amount of money out there, and that's harming consumers and businesses around the world.”
The people behind the packages
Keeping these open source components maintained and secure isn’t an easy task when most of the maintainers behind open source packages are unpaid volunteers. When a big cybersecurity event like the Log4Shell exploit happens, maintainers scurry to mend the situation, doing so mostly without support from most of the large enterprise organizations that benefit from their work. In Mike’s words, “We have a resource and sustainability problem across all of these packages that make up our software's or global software supply chain.”
Regulation asks more from open source maintainers
As we learned from the 2023 Tidelift state of the open source maintainer report, over half of the maintainers surveyed aren’t aware of prominent software security standards, such as NIST SSDF, OpenSSF, and SLSA. With more government guidelines being proposed and fine-tuned, such as the EU’s Cyber Resilience Act and the U.S. Office of Management and Budget’s memorandum M-23-16, maintainers are going to be asked to do even more work, work they rightfully see as “unfunded mandates.”
For proposed guidelines and regulations that aim to curb cybersecurity threats, we need to make sure that we provide feedback so the resulting systems work for all parties involved—especially the open source maintainers. We also need to help maintainers become aware of these standards, help outline what work needs to be done, and ensure they are incentivized to actually take on the additional responsibilities.
As Mike put it, “The vast majority of open source code is being developed by people that are just barely hanging on in terms of their obligations to develop and maintain that code.”
— — — — — —
To learn about the EU’s Cyber Resilience Act and to listen to Mike’s talk in full, including the potential consequences of this regulation, you can watch the Upstream talk on-demand here.