Google and the Linux Foundation have announced plans to fund two full-time maintainers who will focus exclusively on Linux kernel security.
Gustavo Silva and Nathan Chancellor, both active Linux contributors, will work to strengthen the maintenance and enhance the security of the kernel and related initiatives, with the aim of ensuring the viability of the world's most widely used free software project for decades to come.
The goal is to make the ubiquitous operating system more resilient, as research indicates there is a need to improve the security of open source software, Linux included.
A report from the Linux Foundation's Open Source Security Foundation (OpenSSF) and the Laboratory for Innovation Science at Harvard (LISH) found that security receives too little attention in open source software.
Free and Open Source Software (FOSS) has become an essential part of the modern economy. Free software is estimated to make up 80 to 90 percent of all modern software, and software is an increasingly vital resource in nearly every industry, according to the Linux Foundation.
To understand the state of security and sustainability of the free and open source software ecosystem, and how organizations and companies can support it, OpenSSF and LISH collaborated on an extensive survey of FOSS contributors, as part of a larger effort to take a preventive approach to strengthening cybersecurity by improving the security of free software.
The objectives of this survey were to understand the state of security and sustainability of open source software, to identify opportunities to improve it, and to ensure the viability of open source software in the future. The results identified reasons for optimism about the future of open source software.
"Supply chain security and open source software security are essential," said Dan Lorenc, Google software engineer. "We are trying to talk about it now and show people how we do it, so they can be encouraged and inspired and find other ways to help us as well."
Lorenc sees two key aspects of open source software security. The first is that it comes from people all over the world, some of whom may be malicious or have bad intentions, a risk inherent in open source software. The other is that it is software, and all software has flaws, intentional or not, that need to be fixed.
"Just because the code isn't yours doesn't mean there aren't any bugs," Lorenc added. "It's kind of a misconception that a lot of companies are starting to realize." These two factors, combined with the increasing number of people using open source software, make security a priority. "We are honored to support the efforts of Gustavo Silva and Nathan Chancellor in their work to strengthen the security of the Linux kernel," he added.
Chancellor, one of the two developers taking on this role, has been working on the Linux kernel for four and a half years. Two years ago he began contributing to mainline Linux as part of the ClangBuiltLinux project, an initiative to build the Linux kernel with the Clang and LLVM toolchain.
He will focus on triaging and fixing bugs found with the Clang/LLVM compilers, while working to establish continuous integration systems to support this work in the future. With those in place, he plans to start adding features and improving the kernel using these build technologies.
Chancellor expects more people to start using the LLVM compiler infrastructure and to contribute fixes both to LLVM and to the kernel, because "it will go a long way toward improving Linux security for everyone," he said in a statement.
Silva began working on the kernel as part of the Linux Foundation's Core Infrastructure Initiative, a program in which new developers are mentored by engineers working on the kernel.
Currently, his full-time security work is focused on eliminating several categories of buffer overflows. He also works on fixing vulnerabilities before they reach mainline and on developing defense mechanisms that eliminate entire classes of vulnerabilities. Silva submitted his first kernel patch in 2010 and has been among the top five most active kernel developers since 2017.
"We are working to build a high-quality kernel that is reliable, robust, and more resistant to attack at all times," Silva said. "Through these efforts, we hope that people, maintainers in particular, will recognize the importance of adopting changes that will make their code less prone to common errors."