Feds To Offer New Support To Open-Source Developers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) will start providing more hands-on support to open-source software developers as they work to better secure their projects, the agency said. From a report: CISA hosted a two-day, invite-only summit this week with leaders in the open-source software community and other federal officials. During the private event, the agency also ran what's likely the first tabletop exercise to assess how well the government and the open-source community would respond to a cyberattack targeting one of their projects.

During the summit, CISA and a handful of package repositories unveiled new initiatives to help secure open-source projects. CISA is working on a new communication channel where open-source software developers can share threat intelligence and ask the agency for assistance during an incident. The Rust Foundation is developing new public key infrastructure for its repository, which will help ensure that the code developers are uploading isn't malicious and is coming from legitimate users.

npm, which manages the JavaScript programming language, is requiring project maintainers to enroll in multi-factor authentication and is rolling out a tool to generate "software bills of materials," which provide a recipe list of what code and other elements are in a project. Additional repositories -- including the Python Software Foundation, Packagist, Composer and Maven Central -- are pursuing similar projects and also also rolling out tools to help detect and report malware and other security vulnerabilities.

So They Can Back Door It Properly

[zenlessyank]

It's free!! It's from the Gubmint. It's got to be good.

Scariest words you could ever hear...

[thtrgremlin]

I'm from the government and I'm here to help.

Re:

[Miles_O'Toole]

Also on that list: "Please stay on the line. Your call is important to us".

Don't Sign Anything

[bill_mcgonigle]

CISA is shady af - don't sign anything they give you.

We'll find out in a couple years how people got screwed.

At least run anything by an alert attorney.

Re:

[DarkOx]

This - its basically a censorship organization.

About as far from FOSS ideals as you could get. Best policy is probably don't even respond to them until you lawyer up.

CISA?

[PPH]

When did they add the 'S'?

Already got it wrong

[dynamo]

If they want to get the trust of, and have some influence over, the open source community, a private invite-only event with only a group of individuals that the CISA chooses is not exactly the best method. Something like an open registration convention or an open published set of proposed recommendations on a public website or GitHub repo with a discussion space and Wiki and the ability to submit Pull Requests before the final recommendation is decided upon.. that would have been better.

Missing point

[manu0601]

I must be missing some point, but repository signing and developer 2FA access will not prevent a rogue actor to register an account and push malicious software.

Re:

[micheas]

I must be missing some point, but repository signing and developer 2FA access will not prevent a rogue actor to register an account and push malicious software.

It's about being able to trust the response after an incident happens.

If Jane Doe's credentials are used to push malware then in the response you blacklist Jane Doe's credentials and don't trust any fixes from Jane.

In the past only Debian has had reasonable procedures around this from having had to deal with the occasional rouge developer.

Re:

[manu0601]

It's about being able to trust the response after an incident happens.

If Jane Doe's credentials are used to push malware then in the response you blacklist Jane Doe's credentials and don't trust any fixes from Jane.

But after Jane, it will be Betty, then Ruth. Look at how trolls farm account on social networks to spread fake news. They are constantly blacklisted, and start over under another identity.