Open Source Security: Funding for Eclipse and Python Software Foundation

The OpenSSF is distributing a total of 800,000 US dollars to the open source organizations. The money is to flow into personnel and resources for security measures.


The Open Source Security Foundation (OpenSSF) has announced it will fund the Eclipse Foundation and the Python Software Foundation with $400,000 each. The cash injection is a measure of the Alpha Omega project and is intended to flow into dedicated resources and personnel for the security of the open source projects. In May, the OpenSSF had already supported Node.js with $300,000.

The Linux Foundation launched the OpenSSF in 2020 to improve the security of open source software. In February 2022, representatives of technology companies, US authorities and non-profit organizations met in the White House with the same goal. This ultimately resulted in the Alpha-Omega project, which primarily focuses on the security of the software supply chain.

The twenty-somethings among the open source foundations

The first funding as part of the Alpha Omega initiative went to Node.js, the JavaScript runtime environment. Two other large open source foundations are now following: the Python Software Foundation (PSF) and the Eclipse Foundation. The latter celebrated its 20th birthday in November 2021 and is home to countless projects, including the Eclipse IDE and the Java EE successor Jakarta. 22 working groups are dedicated to specific topics such as IoT, edge computing, open hardware and autonomous driving.


The PSF is a few months older than the Eclipse Foundation and already celebrated its 20th anniversary in March 2021. It looks after the further development of Python and also manages the Python Package Index (PyPI). Like the JavaScript package manager npm, PyPI is repeatedly the target of supply chain attacks. But accidental glitches can also jeopardize the software supply chain.

Money for staff and supply chain

The $400,000 for the PSF is intended to fund a new full-time position responsible for the security of the programming language, PyPI and the Python ecosystem. The money should also enable a security audit.

The Eclipse Foundation appointed its own dedicated security officer in May. The cash injection is to flow into additional personnel and resources to ensure the security of the software supply chain. The foundation published a best practices document for securing the software supply chain on GitHub last year.

A slightly different free beer analogy

The head of the Eclipse Foundation, Mike Milinkovich, announced in a blog post that the money will primarily be invested in the automatic generation of SBOMs (Software Bill of Materials), a SLSA-based (Supply-Chain Levels for Software Artifacts) program and security audits for the Eclipse Foundation projects.

In his post he also uses the free beer analogy, but in a different way than the Free Software Foundation, whose concept of Free Software uses the term “free” to mean freedom of speech rather than free beer. Milinkovich, on the other hand, writes that many consider open source to be “free as in free beer” but should treat it as “free as in a free puppy”, arguably implying that they should nurture it and be involved in raising it: “Participating in the maintenance of projects and communities that provide open source is no longer an option, it’s a necessity,” he writes.

Under the Alpha-Omega umbrella

In addition to the cash injection for the open source foundations, the OpenSSF has announced that the program Secure Open Source Rewards (SOS), founded in 2021, is now under the umbrella of the Alpha Omega project. The program pays rewards for improving the security of open source projects. Google had funded SOS with one million US dollars in autumn 2021.

Further details on the funding measures for the Eclipse Foundation and the PSF, as well as the new responsibility for Secure Open Source Rewards, can be found on the OpenSSF blog.
