This article is transferred from the open source agency KAIYUANSHE
Author: Zhuang Biaowei

Origin

Some time ago I wrote an article, "Open Source Software Supply Chain Security as I Understand It". At that time there was no urgent hot event worth discussing, so I only talked about the topic in general terms and left one sentence at the end: "My proposal is: no longer mention 'open source supply chain security', but rather 'open source ecosystem construction'."

Recently, the Log4j2 incident and the Marak Squires library deletion incident appeared one after another, and for a while everyone was talking about them. I also feel I have a responsibility to discuss this issue in more depth.

Times have changed

On Bilibili there is a well-known uploader, Half-Buddha Immortal (Banfo Xianren), who posted an article and later recorded a video. Because he is a "layman", he received a lot of criticism and accusations. In fact, I think what he said is generally reasonable. As an enthusiast, it is very good of him to actively communicate with programmer friends, try to understand open source in depth, and then express his own opinions.

There is at least one of Half-Buddha's views that I particularly agree with: times have changed. Only when we are aware of and understand these changes can we talk about "how to deal with it".

A letter from Bill Gates

On February 3, 1976, the founder of the famous Microsoft Corporation published "An Open Letter to Hobbyists". In the open source community, it is estimated that hardly anyone does not know this letter. The key lies in the following passage: "Who will do professional software development and get nothing? How can an amateur spend 3 man-years of energy writing software, revising software, writing manuals and distributing them to others for free?"

For a long time, people in the open source community regarded Microsoft as the enemy of open source and liked to "slap it in the face" with these words: now there are so many people, many of them highly skilled, who expect nothing in return and are willing to spend an astonishing amount of time writing software, fixing bugs and writing documentation. There are even many jobs such as community operations and technical evangelism.

"Things that you capitalists can't understand are happening in this world, and more and more."

Early hackers?

Some things really are hard to understand, especially for someone like Half-Buddha, who cannot understand the motivations of those early hackers. Under the assumption of the "rational economic man", those hackers were doing something that only costs them and brings nothing in return.

In fact, we can understand the logic of hackers from two perspectives.

  • Regarding returns: if we expand the economic-man hypothesis, returns are not limited to economic, monetary, direct returns. According to the definition of utilitarianism, what is maximized is "utility", and utility includes happiness, joy, satisfaction and other emotional experiences. Earning economic income is of course one way; promotion of social status, or even just being revered within a community, is another. What's more, just creating something that never existed before brings a joy of creation that is enough to repay those hackers for all their investment.
  • About the future: hackers and programmers may be the people who like science fiction the most. Not only do they like it, they even hope to contribute to the early realization of some kind of future. If the code one writes can help such a future arrive sooner, if working together with a group of hackers can hasten the arrival of such a world, almost every hacker will be willing to do their best.

So, in short: early hackers, in their efforts to bring that future closer, reaped the rewards they hoped for.

Supply and demand sides, from unity to separation

We can quote a definition of free software: "Free software" respects the freedom of the user and respects the community as a whole. Roughly speaking, if a piece of software is free software, users are free to run, copy, distribute, study, modify and improve it.

Later, some different voices in the community questioned this definition. Why talk only about the freedom of users, and not the freedom of "authors"? So that users can freely run, copy, distribute, study, modify and improve, may the interests of the author be ignored? Why can't authors freely define their own license terms: grant them when they wish, and take them back when they wish?

In fact, the root cause is that the times are different. Back when free software, and even open source software, had just been born, the supply and demand sides of software were one tight whole. People in the community were both the developers of some software and the users of other software. That is what "respect the whole community" means: respecting the freedom of the entire community is for the benefit of the entire community.

In the early days, open source and the Internet were almost twins who grew up together and supported each other: wind borrows fire, and fire borrows wind. Gradually, however, the open source community and the software industry, the Internet industry, and the cloud computing industry that grew out of the Internet industry are no longer one whole. In the process, the supply side has changed, and so has the demand side. If they want to play happily together again, they need to rethink their respective positions.

Therefore, I will analyze this problem from the supply and demand sides after separation.

From "Gift Culture" to "Attention Exchange"

In Eric Raymond's "The Cathedral and the Bazaar", one of the most classic metaphors is gift culture. We quote two passages:

In a gift culture, its members compete for social status by giving gifts.

Gift culture is not an adaptation to material scarcity, but an adaptation to material abundance. Abundance can make command relations difficult to maintain and exchange relations into a meaningless game. In a gift culture, social status is not determined by what you control, but by what you give.

Is the value of a gift determined by the gift itself?

Let us analyze the connotation of the gift metaphor. A person gives a gift. People "grant" the giver a corresponding social status according to the value of the gift.

This implies three elements that are not explicitly stated:

  • Is the value of a gift objective? Can it be judged objectively, accurately and in a recognized way?
  • People: pay attention to the "people" here. Is it a hundred people or ten thousand? How many should there be, and how do they reach consensus?
  • What is the so-called social status? Respect, courtesy, or some kind of "obedience"?

The value of open source software is now determined by "value + attention"

Assuming we still use the idea of the "gift" and look at today's open source software, how do we measure how much a person has contributed? Or: "How precious was the gift?"

First distinguish two cases: a person independently develops an open source software as a gift, or a person participates in an open source project and contributes a portion of "code, documentation, discussion, evangelism, etc."

  • The first factor should be the value of the software itself. An encryption software should be more valuable than an addition software.
  • The second is how many people the software is valuable to. Software that is only useful to a hundred people is certainly not as valuable as software that is useful to a million people.
  • Then there is the competition for attention. If a piece of software is useful to a million people but only a hundred people know about it, the value of this software is, in the end, not much.

Now calculate the value of the gift: a person makes an open source software; how many people know this software, know that he made it, and recognize his work? This number can probably be used to calculate the value of the gift he contributed.

How can attention be exchanged for other things?

Since the popularity of the Internet, and especially since the free business model became popular on the Internet, everyone talks about "traffic monetization". In fact, in the field of open source software, the simple "gift culture" also needs to be upgraded to "attention exchange".

The previous logic was: a person contributes gifts -> gains social status

The current logic is: a person contributes gifts -> how much attention is attracted -> how much social status this attention can be exchanged for

Of course, we can also use the word "exchange" to describe more phenomena.

  • Exchange for inner satisfaction (if someone uses it, I am very happy)
  • Exchange for social status (a higher social rating)
  • Exchange for employment opportunities (jump to a big tech company)
  • Exchange for venture capital (some investors like this open source software)
  • Exchange for maintenance contracts (enterprise users who are willing to come to you for maintenance)

However, all of this requires one premise: attention. Without enough attention, you cannot exchange it for anything.

In fact, the early open source attitude of "use it if you like it, and don't bother me" is of course fine. However, it is not "friendly" enough, and it also holds back the rapid growth of attention. Whether it is responding quickly in the community, answering questions amiably or fixing bugs quickly, each is actually a way to attract more attention and retain it.

Although it is a bit cruel to say so, I still want to say: "Marak Squires is wrong. An open source software having tens of millions of downloads cannot be automatically exchanged for social status, personal income or anything else."

Supply Chain, Chain of Responsibility and Chain of Interest

Now let's talk about the demand side. We often say: software eats the world, and open source eats software. But why do we go on to say: cloud computing eats open source?

  • Software eats the world: the world runs on software
  • Open source eats software: almost all software has open source components, or is even completely open source
  • Cloud computing eats open source: cloud computing makes money from open source, but does not share it with open source

Of course, there may be some problems with every sentence here.

The naturally formed supply chain of open source software

In the last article I wrote this paragraph: "When we do software development, we usually define a dependency file. A piece of software will depend on a set of other software (packages), and these packages will in turn depend on other packages. As package dependency descriptions have improved, we now distinguish development-time (dev) dependencies from runtime dependencies."

In that paragraph I only wanted to explain that "dependency does not equal risk": the entire network formed by software dependencies can be called the "open source supply chain" or the "open source ecosystem", but it cannot simply be equated with supply chain risk.

However, I did not analyze further: what is the difference between the supply chain of open source software and a general supply chain? For the following section I would like to express special thanks to Mr. Li Dawei, because my conversation with him made me realize this.
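The two ideas in the quoted paragraph, that dependencies form a transitive network and that dev-time and runtime dependencies are different, are easiest to see when walked over a concrete manifest. The following is an added example, not code from the article or from any project it mentions: it takes a constructed lockfile-like manifest (all package names are made up), follows only runtime edges to find what actually ships in the build artifact, and reports where a package of concern sits relative to that artifact. The distinction is exactly why "dependency does not equal risk": a package that is only reachable through a dev edge never reaches production, so the same name in the graph carries a very different exposure.

```python
"""Separate shipped (runtime-reachable) packages from dev-only ones.

Added illustration for the 'dependency network as supply chain' passage.
The manifest below is constructed for this example and is not a real
project's lockfile; package names are hypothetical.
"""
from collections import deque

# Constructed manifest: package -> {"runtime": [...], "dev": [...]}.
# The shape mirrors what package.json / lockfile-style formats record
# (runtime deps install with the package, dev deps only for its own
# development), but every entry here is made up for the example.
MANIFEST = {
    "my-app":         {"runtime": ["web-framework", "log-lib"], "dev": ["test-runner", "linter"]},
    "web-framework":  {"runtime": ["http-parser"], "dev": ["benchmark-tool"]},
    "log-lib":        {"runtime": ["string-colors"], "dev": []},
    "http-parser":    {"runtime": [], "dev": ["fuzzer"]},
    "string-colors":  {"runtime": [], "dev": []},
    "test-runner":    {"runtime": ["string-colors", "assert-lib"], "dev": []},
    "linter":         {"runtime": [], "dev": []},
    "benchmark-tool": {"runtime": [], "dev": []},
    "fuzzer":         {"runtime": [], "dev": []},
    "assert-lib":     {"runtime": [], "dev": []},
}


def runtime_closure(manifest, root):
    """Packages that ship with `root`: follow runtime edges only, transitively.

    Dev dependencies of `root` are skipped, and so are the dev dependencies
    of anything `root` depends on at runtime. Returns name -> shortest
    runtime depth from root (1 = direct dependency).
    """
    seen = {}
    queue = deque([(root, 0)])
    while queue:
        pkg, depth = queue.popleft()
        if pkg in seen:
            continue
        seen[pkg] = depth
        for dep in manifest.get(pkg, {}).get("runtime", []):
            queue.append((dep, depth + 1))
    seen.pop(root)
    return seen


def dev_only(manifest, root):
    """Packages present in the graph but never in the runtime artifact.

    Walks both runtime and dev edges to find everything the graph mentions,
    then subtracts what runtime_closure() already proved ships. A package
    that is reachable through a dev edge *and* a pure runtime path
    (string-colors below) counts as shipped, not dev-only.
    """
    shipped = runtime_closure(manifest, root)
    reachable = set()
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        if pkg in reachable:
            continue
        reachable.add(pkg)
        for kind in ("runtime", "dev"):
            queue.extend(manifest.get(pkg, {}).get(kind, []))
    reachable.discard(root)
    return reachable - set(shipped)


def exposure(manifest, root, affected):
    """Classify a package of concern relative to our build.

    Returns ("runtime", depth) if it ships in the artifact, ("dev", None)
    if it only ever runs on developer or CI machines, and ("absent", None)
    if it does not appear in our dependency graph at all. A triage workflow
    would treat these three very differently.
    """
    shipped = runtime_closure(manifest, root)
    if affected in shipped:
        return "runtime", shipped[affected]
    if affected in dev_only(manifest, root):
        return "dev", None
    return "absent", None


if __name__ == "__main__":
    print("ships in artifact:", sorted(runtime_closure(MANIFEST, "my-app")))
    print("dev-only:", sorted(dev_only(MANIFEST, "my-app")))
    for name in ("string-colors", "fuzzer", "unknown-pkg"):
        print(name, "->", exposure(MANIFEST, "my-app", name))
```

The design point is in `dev_only`: it is computed as "everything reachable" minus "runtime-reachable", rather than by tagging packages as they are first encountered, because a package can sit on both a dev path and a runtime path and the runtime path is what decides whether it ships.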

In a traditional supply chain, contracts are signed between each tier and the next.

But in the supply chain of software, especially open source software, at every level, there are disclaimers.

Disclaimers

In fact, there are two kinds of disclaimer. One is written into the license of most open source software, for example in GPL 2.0:

Because this program is provided free of charge, to the extent permitted by law, this program comes with no warranty, unless stated in writing. This program is provided "AS IS" without any express or implied warranties, such as implied merchantability and fitness for a purpose, and the risks arising from the functionality and performance of this program are borne by the user. (If something goes wrong with my work, don't try to make me your backer. Big companies don't take the blame, and you would make me, who doesn't earn your money, your backer?) If my work is really flawed, you can find a way to fix it yourself. You can spend money to buy services; companies of that kind are not lacking.

Excerpt from Self-Defense Sir's "Human Version of the GPL 2.0 Agreement"

Another example is in the MIT license:

THIS SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS, NON-INFRINGEMENT OR OTHERWISE. In no event shall the author or copyright holder be liable for any claim, damages or other liability, whether such claims arise from contract, tort or otherwise, directly or indirectly from the software or from circumstances related to the use or operation of the software.

Excerpted from "Behind the Open Source Programmer Who Desperately Deleted His Library and Ran", by Self-Defense Sir

The other kind is the disclaimers of Internet services, cloud computing services and commercial software.

No excerpts here, because that kind of legal text is often very long, and you can hardly have read it before using the product. But you must have clicked the "OK" or "Accept" button.

The break in the chain of interest

On the one hand there is the continuity of the supply chain; on the other, the rupture (exemption) of responsibility. Then we find a phenomenon that actually exists: because the chain of responsibility is broken, the chain of interest is broken too.

Because, in fact, after a software problem occurs, the amount a vendor may lose is not very high, so the vendor has no incentive to invest enough manpower and budget to ensure the supply chain security of the open source software it uses.

A course I attended two days ago introduced Section 230 of the US Communications Decency Act, which affects the global Internet industry: Internet companies are exempted from legal liability for user-generated content. On the one hand, the existence of such content does not harm the interests of Internet vendors; on the other, Internet vendors can delete or manage such content at their own discretion, in "good faith".

This of course greatly reduces Internet vendors' legal risk and investment cost. Add to that the open source software they use, for which there is no need to pay, and this has brought about the rapid development and prosperity of the Internet industry.

Iceberg phenomenon

At the same time, we in the open source community are also actively promoting gift culture. "Abundance can make command relations difficult to maintain, and exchange relations into a meaningless game."

The result: the open source world has become a double iceberg.

  • One iceberg is "open source projects": the open source projects visible above the water are only a very small part of the open source world.
    The open source projects below the water are not only important, they are the basis for the existence of the projects above the water.
    However, the open source projects below the water have little commercial value and no investment prospects.
  • The other iceberg is "open source contributors": the open source developers above the water are only a small part of the open source community.
    They did make great contributions, and so they enjoy the "gift culture".
    The developers below the water have contributions that are simply ignored, and the respected status in the community has almost nothing to do with them.

Ecological Responsibility

When we talk about the supply chain risk of open source software, or the problems of the open source ecosystem, we first need to reach a consensus: the current open source ecosystem does have problems, and they are serious problems that urgently need solving.

Based on this consensus, we can discuss what roles and responsibilities each party has in this ecosystem.

Open source developers' responsibility

Everyone should be able to admit that open source is a collaborative approach to software development. For some, open source is even a form of entertainment. Of course, open source is also a great way to work, if a company is willing to hire you to write open source code. But if you want to make open source your way of life, you either have a mine at home (family wealth to live on) or you are very good at exchanging attention for other things. Otherwise, you will inevitably be disappointed.

Although we all agree that open source is a purely personal act, simply venting grievances will at most attract sympathy; it may not win support, and it is even harder to obtain the results you really want.

As a rational actor, knowing what you want and what you will pay is the responsible approach.

Open Source Users

"With enough eyeballs, all software defects will surface", or "given enough testers and co-developers, all software defects will be found in a very short time and can be easily fixed." This is called Linus's Law. Now I want to tell the users of open source software: there is more and more open source software, and the eyeballs are simply not enough.

Assuming that "open source software has no quality problems, brings you no security risks, is completely free, and can simply be used" is a completely irresponsible way to take on risk.

Open source software is not "free". Any company that uses open source software needs to be responsible for its use: set aside a budget, or find qualified employees or qualified service providers to help deal with these risks.

Open Source Foundation

If an open source software has a security risk, its community should fix it quickly. If the software has been donated to an open source foundation, the foundation is also obliged to take responsibility for its quality.

Why? Because your brand and reputation endorse this open source software and lead more vendors to choose it. So if it carries risks, your brand and prestige amplify those risks.

As a foundation, the donations you receive should be more invested in the work of ensuring software quality!

Open Source Evangelist Responsibilities

Don't just introduce "gift culture", don't keep stressing "Just for Fun", and don't just advertise Linus's Law of eyeballs. When evangelizing, more real-world situations need to be introduced.

Government Responsibilities

On January 13, 2022, the White House held the Open Source Software Security Summit with public and private entities on the Log4j vulnerabilities. "While open source software accelerates innovation and drives enormous social and economic benefits, the fact that it is widely used and maintained by volunteers is a significant national security risk, as we are experiencing with the Log4j breach," said one senior official. "It's not a new problem. At this summit we will discuss how to address it, what solutions are in effect and what else we can do to keep the open source software we all depend on safe."

Quoted from "What Did the White House and Tech Giants Say at the Open Source Software Security Summit?"

In my opinion, every government should take action.

Conclusion

This article is already too long, so let me end by quoting the foreword of my "2021 China Open Source Annual Report".

When open source was just a niche hobby, it was free to do almost anything. However, at a time when software is eating the world and open source is eating software, open source technology has become one of the infrastructures of the entire world. With great power comes great responsibility. The wider the application, the higher the risk. How should we think about and ensure the security of open source supply chains? How should we build a healthier open source ecosystem? In such an ecosystem, how should the responsibilities of all parties be defined?

I would like to explore with you all.
