On Thursday, January 13, the White House hastily brought together the most important voices in the digital sector to discuss an issue that has lately come to be seen as problematic: the vulnerabilities of open source software. This is code that is made available to the world so that it can be reused, modified and adapted by anyone who wants to work with it, and it has recently ended up at the center of the news because of a couple of striking incidents.

The emergency summit involved big names. Apple, Google, Amazon, Meta, IBM, Microsoft, the Apache Software Foundation, Oracle, GitHub and the Linux Open Source Foundation all took part in the meeting, with the aim of defining an action plan to resolve a question that MIT had already raised recently: how to ensure that volunteer projects, when flawed, do not compromise the entire digital ecosystem.

Although it is easy to assume that open source is used exclusively by independent programmers, in fact many large companies routinely rely on it to build software that is then shipped on countless devices. Drawing on ready-made, free components is obviously cheaper than writing all the code in-house, but the weakness of this approach is evident: if the source code you build on is defective, everything built on top of it inherits the defect.

Developers who donate their work through platforms such as GitHub do so voluntarily and often lack the resources or time to professionally test, maintain and update their projects. In many cases the projects are created by early-career professionals seeking visibility while waiting for paid work, or by individuals who can dedicate only their free time to them, contexts in which disillusionment and critical vulnerabilities are easy to run into.

Washington was alarmed by just one such flaw. A freely distributed Java library, log4j, passed its own vulnerability on to a huge range of dependent software, unleashing what some have tagged “the most critical vulnerability of the last decade”. The industry's troubles are long-standing, however, whether they take the form of bugs or of political acts: recently the programmer Marak Squires, fed up with seeing Big Tech rely on his work without any financial recognition, sabotaged some of his own code to harm anyone using it, expressing a frustration that recalls that of the creator of the ua-parser-js project, who abandoned his creation in 2018 precisely because of the lack of any financial return.

It is therefore not surprising that during the discussion the group repeatedly highlighted the need for a public-private partnership to identify open source projects of vital importance and support them with funding and technical assistance. How the urgency of individual open source projects is to be classified remains unclear; for the most part, the meeting served to make the US government acknowledge that it is now impossible to do without this kind of resource, that there are no viable alternatives, and that it is necessary to intervene in support of small developers. Such an evolution will not be immediate, however: the White House has already promised further meetings to be scheduled in the near future.

