US Republicans query Linux Foundation about open-source security
Wednesday, April 4, 2018
On Monday, two US Republican Party legislators, Greg Walden and Frank Pallone Jr., respectively the chairman and the ranking member of the United States House Committee on Energy and Commerce, co-wrote a public letter to Jim Zemlin, executive director of The Linux Foundation, about open-source software (OSS) and improving its security. They asked Zemlin to answer their questions no later than April 16.
The letter contained the following four questions; each of the first two has a further two follow-up questions.
- Has the CII [Core Infrastructure Initiative] performed a comprehensive study of which pieces of OSS are most crucial to the “global information infrastructure”?
  - If not, does the CII plan to perform such a study?
  - What would the CII need in order to do so?
- Has the CII, or any other organizations, compiled any statistics on OSS usage?
  - If not, does the CII plan to perform such a study?
  - What would the CII need in order to do so?
- In your estimation, how sustainable and stable is the OSS ecosystem?
- Based on your response to the previous question, how can the OSS ecosystem be made more sustainable and stable?
Walden and Pallone cited Heartbleed as an example, a “critical cybersecurity vulnerability” that in 2014 allowed the hacking of websites, passwords, and millions of medical records. They also wrote that, in response to that vulnerability, The Linux Foundation established a multi-million-dollar project, the Core Infrastructure Initiative, intended to improve the global infrastructure of such software.
The politicians noted that large tech companies such as Microsoft, Apple Inc., and Adobe Systems respond more quickly to such critical vulnerabilities than distributors and developers of open-source software.
Open-source software is “publicly accessible” and usually freely licensed for a wide range of uses, including modification and commercial use. Walden and Pallone also expressed praise for open-source software and cited a 2015 survey conducted by Black Duck Software which found that 78% of companies used such software.