MOSS Conflict of Interest Rules

We decided to implement a lightweight Conflict of Interest policy for the MOSS Committees, not because we have had problems, but because we’d like never to have them :-) The rules are based loosely on the Wikipedia ones, and are here for anyone who wants to use them (CC-0).

MOSS Conflict of Interest Rules (v1.0)

As a committee member, you must:

1. Disclose actively if you are receiving, will receive, or have received in the past 5 years payment or anything of value from an applicant or their project;

2. Disclose actively if any family member, spouse, partner, business associate, significant other, close friend, or their organizations or employers would benefit from the approval of an application;

3. Answer fully and honestly any relevant and appropriate questions about potential conflicts of interest when discussing an application;

4. Disclose actively if your approval or disapproval of an application could be perceived by others or the public as improper, because even the perception of a conflict or unauthorized personal gain needs to be disclosed;

5. Not approve applications for personal gain.

Under the above rules, a person should “disclose actively” a potential or actual conflict of interest. To “disclose actively” means (1) to report the conflict to the MOSS Administrator; and (2) to do so explicitly and as soon as the conflict is known.

The MOSS Administrator will assess the conflict and, if it is judged to be material, will report it or request that the member report it to the committee.

Caddy Webserver and MOSS

The team behind the Caddy secure-by-default webserver have written a blog post on their experience with MOSS:

The MOSS program kickstarted a new era for Caddy: turning it from a fairly casual (but promising!) open source project into something that is growing more than we would have hoped otherwise. Caddy is seeing more contributions, community engagement, and development than it ever has before! Our experience with MOSS was positive, and we believe in Mozilla’s mission. If you do too, consider submitting your project to MOSS and help make the Internet a better place.

Always nice to find out one’s work makes a difference. :-)

Security Audit Finds Nothing: News At 11

Secure Open Source is a project, stewarded by Mozilla, which provides manual source code audits for key pieces of open source software. Recently, we had a trusted firm of auditors, Cure53, examine the Dovecot IMAP server software, which runs something like two thirds of all IMAP servers worldwide. (IMAP is the preferred modern protocol for accessing an email store.)

The big news is that they found… nothing. Well, nearly nothing. They managed to scrape up 3 “vulnerabilities” of Low severity.

Cure53 write:

Despite much effort and thoroughly all-encompassing approach, the Cure53 testers only managed to assert the excellent security-standing of Dovecot. More specifically, only three minor security issues have been found in the codebase, thus translating to an exceptionally good outcome for Dovecot, and a true testament to the fact that keeping security promises is at the core of the Dovecot development and operations.

Now, if we didn’t trust our auditors and they came back empty-handed, we might suspect them of napping on the job. But we do, and so this sort of result, while seemingly a “failure” or a “waste of money”, is the sort of thing we’d like to see more of! We will know Secure Open Source, and other programs to improve the security of FLOSS code, are having an impact when more and more security audits come back with this sort of result. So well done to the Dovecot maintainers; may they be the first of many.

Auditing the Trump Campaign

When we opened our web form to allow people to make suggestions for open source projects that might benefit from a Secure Open Source audit, some joker submitted an entry as follows:

  • Project Name: Donald J. Trump for President
  • Project Website:
  • Project Description: Make America great again
  • What is the maintenance status of the project? Look at the polls, we are winning!
  • Has the project ever been audited before? It’s under audit all the time, every year I get audited. Isn’t that unfair? My business friends never get audited.

Ha, ha. But it turns out it might have been a good idea to take the submission more seriously…

If you know of an open source project (as opposed to a presidential campaign) which meets our criteria and might benefit from a security audit, let us know.