We’ve just published MOSS’s Q4 2017 update, bringing you up to speed on what’s going on in the world of MOSS (Mozilla Open Source Support, our program for giving back to the open source and free software community).
The application deadline for the next round is at the end of this month. If you know a project that Mozilla is using somehow that could do with some financial help, or a project that’s working on something in line with Mozilla’s mission and goals, please do encourage them to apply.
I’m spending some time over the next few days looking for the next round of projects which might benefit from an SOS Fund security audit. (Here‘s what’s been done and published so far; a few more are in the works.) The criteria for what makes a good project are recorded on the MOSS website. We have two hard-and-fast criteria:
- The software must be open source/free software, with a license that is OSI-certified and/or FSF-approved
- The software must be actively maintained
And then we have a series of factors we consider when evaluating an application:
- How commonly used is the software?
- Is the software network-facing or does it regularly process untrusted data?
- How vital is the software to the continued functioning of the Internet or the Web?
- Is the project known for something besides the code we are relying on?
- Does the software depend on closed-source code, e.g. in a web service?
- Are the software’s maintainers aware of and supportive of the application for support from the SOS fund?
- Has the software been audited before? If so, when and how extensively? Was the audit made public? If so, where?
- Does the software have existing corporate backing or involvement?
People do have a tendency to suggest the entirely impractical, such as “Linux Mint” or “Copperhead OS”. We aren’t able to do full audits on corpuses of software of that size. In general, if it’s more than about 200kloc, we are going to have to pick and choose.
If you know of a project which fits, please submit a suggestion, or drop me an email. Thanks!
The Mozilla Open Source Support (MOSS) update for Q3 has been published on the main Mozilla blog. Highlights include the launch of our pilot program focussed on supporting open source in India, a large grant to Ushahidi, and a very successful audit of the chrony NTP daemon.
We decided to implement a lightweight Conflict of Interest policy for the MOSS Committees, not because we have had problems, but because we’d like never to have them :-) They are based loosely on the Wikipedia ones, and are here for anyone to use who wants them (CC-0).
MOSS Conflict of Interest Rules (v1.0)
As a committee member, you must:
1. Disclose actively if you are receiving, will receive, or have received in the past 5 years payment or anything of value from an applicant or their project;
2. Disclose actively if any family member, spouse, partner, business associate, significant other, close friend, or their organizations or employers would benefit from the approval of an application;
3. Answer fully and honestly any relevant and appropriate questions about potential conflicts of interest when discussing an application;
4. Disclose actively if your approval or disapproval of an application could be perceived by others or the public as improper, because even the perception of a conflict or unauthorized personal gain needs to be disclosed;
5. Not approve applications for personal gain.
Under the above rules, a person should “disclose actively” a potential or actual conflict of interest. To “disclose actively” means (1) to report the conflict to the MOSS Administrator; and (2) to do so explicitly and as soon as the conflict is known.
The MOSS Administrator will assess the conflict and, if it is judged to be material, will report it or request that the member report it to the committee.
The team behind the Caddy secure-by-default webserver have written a blog post on their experience with MOSS:
The MOSS program kickstarted a new era for Caddy: turning it from a fairly casual (but promising!) open source project into something that is growing more than we would have hoped otherwise. Caddy is seeing more contributions, community engagement, and development than it ever has before! Our experience with MOSS was positive, and we believe in Mozilla’s mission. If you do too, consider submitting your project to MOSS and help make the Internet a better place.
Always nice to find out one’s work makes a difference. :-)
We are starting to ask MOSS project awardees to write an end-of-award report detailing what happened. Here’s one written a few months ago by the Mio project (Carl Lerche).
Secure Open Source is a project, stewarded by Mozilla, which provides manual source code audits for key pieces of open source software. Recently, we had a trusted firm of auditors, Cure53, examine the dovecot IMAP server software, which runs something like two thirds of all IMAP servers worldwide. (IMAP is the preferred modern protocol for accessing an email store.)
The big news is that they found… nothing. Well, nearly nothing. They managed to scrape up 3 “vulnerabilities” of Low severity.
Despite much effort and thoroughly all-encompassing approach, the Cure53 testers only managed to assert the excellent security-standing of Dovecot. More specifically, only three minor security issues have been found in the codebase, thus translating to an exceptionally good outcome for Dovecot, and a true testament to the fact that keeping security promises is at the core of the Dovecot development and operations.
Now, if we didn’t trust our auditors and they came back empty handed, we might suspect them of napping on the job. But we do, and so this sort of result, while seemingly a “failure” or a “waste of money”, is the sort of thing we’d like to see more of! We will know Secure Open Source, and other programs to improve the security of FLOSS code, are having an impact when more and more security audits come back with this sort of result. So well done to the dovecot maintainers; may they be the first of many.
When we opened our web form to allow people to make suggestions for open source projects that might benefit from a Secure Open Source audit, some joker submitted an entry as follows:
- Project Name: Donald J. Trump for President
- Project Website: https://www.donaldjtrump.com/
- Project Description: Make America great again
- What is the maintenance status of the project? Look at the polls, we are winning!
- Has the project ever been audited before? Its under audit all the time, every year I get audited. Isn’t that unfair? My business friends never get audited.
Ha, ha. But it turns out it might have been a good idea to take the submission more seriously…
If you know of an open source project (as opposed to a presidential campaign) which meets our criteria and might benefit from a security audit, let us know.