Thank you for clicking on the clickbait!
What a year it’s been. It seems like open source is under constant attack. The security people don’t know what’s going on anymore. What day is it? It doesn’t matter.
The latest open source mess is the popular open source scanner Trivy being compromised, for a month, then other open source projects downstream in the “chain” getting compromised, which will probably lead to more things getting compromised until we get back to Trivy someday. Then I think we have to call it a supply wheel. I’m not sure how these rules work.
If you read LinkedIn, which I would not suggest you do, there are a ton of hot takes about how open source is insecure and bad and will be dead in a year or two. The solution of course is whatever thing that person is selling.
Lucky for us nothing will change. Let’s look at a quick history of world ending open source security events to understand why.
Heartbleed
This was how a lot of people found out that this thing called open source existed. Apparently thanks to some project that only nerds knew about and that was being worked on by one person, we all had to change our passwords. This would be the thing that changed everything!
The biggest change after Heartbleed was probably the creation of the OpenSSF which turns free time into meetings.
Most companies affected by Heartbleed chose to do nothing, which is not only the easiest option but also the cheapest.
Log4Shell
There were some other incidents between Heartbleed and Log4Shell, but since nobody can remember what they are, it doesn’t really matter. Log4Shell was probably the event that made a lot of businesses realize they have open source in absolutely everything.
Once again after extensive meetings the decision was made that the best way to solve this problem is doing nothing. Maybe it’ll fix itself someday. Those open source people are pretty smart.
XZ
The XZ incident was the wake up call a lot of open source users needed! Just kidding.
After what is best described as “winning the lottery without buying a ticket” the open source world avoided what could have been a pretty big mess. XZ had a really small blast radius which made it pretty easy to ignore fixing anything. Thank goodness for that!
Trivy
This brings us to the Trivy incident. THIS TIME IT WILL ALL CHANGE!!!
I suspect nothing will change. This is like how societal problems often get ignored until they affect someone in charge or with a lot of money. Unless this somehow directly affects an oligarch or politician, which I don’t think it will, we’ll just get back on the trolley after someone (not me, goodness no) puts it back on the track.
The reality is security incidents don’t seem to change anything. SolarWinds is a memory. All the firewall vendors that have had critical incidents for the last few months are names I can’t ever remember anymore.
We only bring up events like Heartbleed and Log4Shell when we give conference talks or try to scare someone into giving us budget. We better hope this Trivy thing gets a fancy name and logo, or we won’t be able to easily use it in the future!
What about open source?
So what about open source? The truth is it’s too easy to use and too cheap for anyone to really use anything else. There will be big companies and regulated industries that use some sort of paid service that curates open source packages. But it will be expensive and something that takes months to purchase. If those curated services don’t have what the developers need, they will find a way to sneak something through the back door.
And most importantly, these security incidents aren’t actually a threat to open source. The biggest threat to open source right now is the lack of support for developers that’s burning them out. Unfortunately we don’t know how to fix that problem yet.