Open source software (OSS) is vitally important to the functioning of society today; it underpins much of the global economy. However, while some OSS is highly secure, other OSS is not as secure as it needs to be.
To secure OSS, David A Wheeler, Linux Foundation’s director of Open Source Supply Chain Security, revealed plans to directly fund developers to do security work. The funding comes from various pro-Linux and open source organisations including Google, Microsoft, the Open Source Security Foundation (OpenSSF), the LF Public Health foundation, and the LF itself.
When a developer identifies a problem, they reach out to the relevant LF organisation. The typical LF oversight process for this work is described in “Post-Approval LF Security Funding.” Generally, performers must provide a periodic summary of their work to get paid.
The proposed solution is examined, and progress reports are then made approximately once a month. Each report must include:
- A stable URL of a publicly accessible post (e.g., a blog or archived mailing list post) describing what you did that month.
- The post must briefly describe what has been accomplished using the funding since the last invoice. Include its date and hyperlinks to details. If git commits were involved, include hyperlinks to them. Make it easy for technical people to learn details (e.g., via hyperlinks).
- Also briefly describe why this work is important or link to such description(s), for someone who is not intimately familiar with it. Some readers may see your post out of context.
- Give credit, similar to National Public Radio. (e.g., “This work to <X> was [partially] funded by the OpenSSF, Google, and The Linux Foundation.”) Thanking others is always polite. We also want people to consider funding OSS security as normal.
- Publicly provide an identifier (a personal name, pseudonym, or project name) of who’s doing the work. This simplifies referring to the work. You do not need to reveal your personal name(s) publicly, though you’re welcome to do so.
This is a lightweight process; writing these reports shouldn’t take more than 20 minutes. You may find it easier to write your post while you do the work. Funded work must be available under the appropriate open-source licenses. For example, bug fixes to Linux must be licensed under the GNU General Public License, version 2 (GPLv2).
The POC will review the post, and if it seems reasonable, will approve payment. “We understand that sometimes problems arise. We just want to see credible efforts. If there’s a serious roadblock, try to suggest ways to overcome it or provide partial/incremental benefits. We need to provide confidence to funders that we aren’t wasting their money,” writes Wheeler in a blog post.