<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: Ben Lloyd Pearson</title>
    <description>The latest articles on Forem by Ben Lloyd Pearson (@benlloydpearson).</description>
    <link>https://forem.com/benlloydpearson</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F178767%2F4bceaf49-a32e-46f3-aa94-a7b03ebb8699.jpeg</url>
      <title>Forem: Ben Lloyd Pearson</title>
      <link>https://forem.com/benlloydpearson</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/benlloydpearson"/>
    <language>en</language>
    <item>
      <title>Is it time to give up GitHub? August Open Source News</title>
      <dc:creator>Ben Lloyd Pearson</dc:creator>
      <pubDate>Mon, 08 Aug 2022 13:40:00 +0000</pubDate>
      <link>https://forem.com/mattermost/is-it-time-to-give-up-github-august-open-source-news-5099</link>
      <guid>https://forem.com/mattermost/is-it-time-to-give-up-github-august-open-source-news-5099</guid>
      <description>&lt;p&gt;&lt;iframe width="710" height="399" src="https://www.youtube.com/embed/NiWsx1b2scs"&gt;
&lt;/iframe&gt;
&lt;/p&gt;

</description>
      <category>opensource</category>
      <category>github</category>
      <category>git</category>
      <category>security</category>
    </item>
    <item>
      <title>Open Source News: June 2022</title>
      <dc:creator>Ben Lloyd Pearson</dc:creator>
      <pubDate>Tue, 21 Jun 2022 13:02:33 +0000</pubDate>
      <link>https://forem.com/mattermost/open-source-news-june-2022-4ep</link>
      <guid>https://forem.com/mattermost/open-source-news-june-2022-4ep</guid>
      <description>&lt;p&gt;&lt;iframe width="710" height="399" src="https://www.youtube.com/embed/PJl9X31Zark"&gt;
&lt;/iframe&gt;
&lt;/p&gt;

&lt;h2&gt;
  
  
  Open Source: A Patent Troll’s Worst Target
&lt;/h2&gt;

&lt;p&gt;After a multi-year legal battle, an infamous patent troll was stripped of the rights to a patent they claimed the Gnome Foundation infringed upon. The case started back in 2019 when Rothschild Patent Imaging (RPI) &lt;a href="https://storage.courtlistener.com/recap/gov.uscourts.cand.347382/gov.uscourts.cand.347382.1.0.pdf"&gt;filed suit&lt;/a&gt; against the Gnome Foundation over functionality contained in the &lt;a href="https://wiki.gnome.org/Apps/Shotwell"&gt;Shotwell app&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;According to RPI, the app violates patent &lt;a href="https://patents.google.com/patent/US9936086B2/en"&gt;US9936086B2&lt;/a&gt;, which describes a system and method of capturing and receiving devices that transmit digital images over wireless networks to filter and store the images. To many, this is an obvious case of yet another generic patent that describes simple capabilities. &lt;/p&gt;

&lt;p&gt;After the suit was filed, the open source community rallied behind the Gnome Foundation to &lt;a href="https://secure.givelively.org/donate/gnome-foundation-inc/gnome-patent-troll-defense-fund"&gt;raise over $150,000&lt;/a&gt;, and it should be no surprise that RPI quickly agreed to a settlement that absolved the Gnome Foundation — and all other code licensed under an Open Source Initiative-approved license — from any restrictions relating to that patent.&lt;/p&gt;

&lt;p&gt;While this decision protected the Gnome Foundation and the broader open source community, it wasn’t enough for some people — specifically, &lt;a href="https://www.lexpan.law/people"&gt;McCoy Smith&lt;/a&gt;, founder of Lex Pan Law. In October 2020, Smith took it upon himself to file a re-examination of the patent in question. Earlier this year, the US Patent and Trademark Office finally &lt;a href="https://blog.opensource.org/gnome-patent-troll-stripped-of-patent-rights/"&gt;determined&lt;/a&gt; that the patent was not for a new invention and RPI’s claims to it were cancelled.&lt;/p&gt;

&lt;h2&gt;
  
  
  GitHub Promotes Open Source with the ReadME Project
&lt;/h2&gt;

&lt;p&gt;GitHub has long supported the open source community, and the company’s &lt;a href="https://github.com/readme"&gt;ReadME Project&lt;/a&gt; seeks to highlight open source stories that help grow the collective knowledge of everyone working in the space. &lt;/p&gt;

&lt;p&gt;At a high level, the project brings attention to open source developers by giving them a platform to share their stories about open source culture, security, software development, and more. Content includes featured articles from tech industry leaders, guides on growing open source communities, and a podcast that contains in-depth interviews. If you’re interested in open source, there’s certainly something for you at The ReadME Project.&lt;/p&gt;

&lt;h2&gt;
  
  
  OpenSSF Releases Software Supply Chain Security Mobilization Plan
&lt;/h2&gt;

&lt;p&gt;In response to U.S. President Joe Biden’s executive order on improving the nation’s cybersecurity, The Open Source Security Foundation (OpenSSF) has published a new report: &lt;a href="https://8112310.fs1.hubspotusercontent-na1.net/hubfs/8112310/OpenSSF/White%20House%20OSS%20Mobilization%20Plan.pdf?hsCtaTracking=3b79d59d-e8d3-4c69-a67b-6b87b325313c%7C7a1a8b01-65ae-4bac-b97c-071dac09a2d8"&gt;The Open Source Software Security Mobilization Plan&lt;/a&gt;. &lt;/p&gt;

&lt;p&gt;Key topics in the plan — which stems from work completed at the Open Source Security Summit in Washington — include developer education, code auditing, data sharing, using software bill of materials, scanning, digital signatures, and software supply chains. The OpenSSF believes these are high-impact actions that can improve the resiliency and security of open source software. For more information, &lt;a href="https://openssf.org/oss-security-mobilization-plan/"&gt;visit OpenSSF’s website&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  LWN Is Hiring!
&lt;/h2&gt;

&lt;p&gt;LWN — one of the longest running internet publications for free and open source software development — is seeking new talent! The publication has served a critical role in keeping the world informed about advancements to the largest developer projects in the world. &lt;/p&gt;

&lt;p&gt;In January, the organization will reach 25 years of publishing activity, and they’re now actively looking for a new generation of technology writers to pass the torch. In particular, LWN is seeking writers with expertise in Linux, Rust, systems administration, and embedded systems. If this sounds up your alley, check out &lt;a href="https://lwn.net/Articles/895695/"&gt;the announcement blog post&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  Nvidia Releases Open Source GPU Kernel Modules
&lt;/h2&gt;

&lt;p&gt;At long last, Nvidia has finally published their Linux GPU Kernel modules under an open source license. Open source developers everywhere are rolling back the expletives they posted over the years to describe Nvidia and are cautiously optimistic about a future where Nvidia forges closer ties with the open source community. &lt;/p&gt;

&lt;p&gt;This release isn’t free from limitations, however. For instance, the only official support is for a small selection of GPUs in specific scenarios, and a significant amount of the Nvidia graphics stack is still contained in proprietary firmware and user space modules. So, this release should be viewed through a lens of what is to come in the future rather than what this means for Nvidia users today.&lt;/p&gt;

&lt;p&gt;Engineers at Red Hat played a critical role in making this happen and they hope to leverage these open source drivers to improve the Nouveau project: a community-led initiative to reverse engineer Nvidia GPU drivers. This release should also have broader implications for Linux users everywhere as Nvidia hardware becomes increasingly easier to support.&lt;/p&gt;

&lt;h2&gt;
  
  
  Other Open Source Articles Worth Checking Out
&lt;/h2&gt;

&lt;p&gt;Here are some open source articles worth reading:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;a href="https://www.techrepublic.com/article/linux-fedora-project-matthew-miller/"&gt;The Future of Linux&lt;/a&gt; - Fedora leader Matthew Miller shares his thoughts on how the Linux community can continue to grow.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://opensource.com/article/22/5/inclusive-community-recognition"&gt;How to make community recognition more inclusive&lt;/a&gt; - Ray Paik explains how to look beyond metrics to make community participation more meaningful and impactful.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.linux.com/news/brian-behlendorf-testifies-on-open-source-software-security-to-the-us-house-committee-on-science-and-technology/"&gt;Testimony on Open Source Software and Security&lt;/a&gt; - Brian Behlendorf spoke in front of the US House Committee on Science and Technology about the work of the OpenSSF.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://opensource.com/article/22/5/open-source-sustainable-technology"&gt;How open source leads the way for sustainable technology&lt;/a&gt; - Hannah Smith argues that much of the success in open source can and should be applied to developing sustainable technology.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Want more news about open source? Subscribe to &lt;a href="https://mattermost.com/the-build-newsletter/"&gt;The Build&lt;/a&gt;, a newsletter for software engineers dedicated to sharing useful technical content on effective development and collaboration techniques.&lt;/p&gt;

</description>
      <category>opensource</category>
      <category>security</category>
    </item>
    <item>
      <title>Open Source Hacktivism, Open Source Gains Traction in the Enterprise, and More: Open Source Matters</title>
      <dc:creator>Ben Lloyd Pearson</dc:creator>
      <pubDate>Sun, 15 May 2022 11:10:51 +0000</pubDate>
      <link>https://forem.com/mattermost/open-source-hacktivism-open-source-gains-traction-in-the-enterprise-and-more-open-source-matters-2f1</link>
      <guid>https://forem.com/mattermost/open-source-hacktivism-open-source-gains-traction-in-the-enterprise-and-more-open-source-matters-2f1</guid>
      <description>&lt;p&gt;&lt;iframe width="710" height="399" src="https://www.youtube.com/embed/0uvNkVkNoDk"&gt;
&lt;/iframe&gt;
&lt;/p&gt;

&lt;h2&gt;
  
  
  Open Source Hacktivism in Russia
&lt;/h2&gt;

&lt;p&gt;Supply chain security has been a hot topic in recent years, particularly as it relates to open source software. Malicious black hat hackers have been commonplace in this space for many years, but we’re increasingly seeing open source supply chains being disrupted in acts of hacktivism, dubbed “protestware.” Not long ago, we reported on the maintainer of faker.js who &lt;a href="https://web.archive.org/web/20210704022108/https://github.com/Marak/faker.js/issues/1046"&gt;intentionally sabotaged&lt;/a&gt; his long-maintained open source project while claiming that he no longer wanted to support large companies with free work.&lt;/p&gt;

&lt;p&gt;Today, with an ongoing war between Russia and Ukraine, some open source maintainers have taken it upon themselves to protest the war via changes to their code that express anti-war rhetoric via messages that display when the software is run. However, one maintainer in particular took it to the next level. Brandon Nozaki Miller published a library on GitHub named &lt;a href="https://github.com/RIAEvangelist/peacenotwar"&gt;peacenotwar&lt;/a&gt; that simply printed an anti-war message to the computer it was run on. This package is harmless on its own, but things got interesting when he included this package as a dependency in the &lt;a href="https://www.npmjs.com/package/node-ipc"&gt;node-ipc&lt;/a&gt; module he maintains. Users who downloaded the latest version of node-ipc to a machine in Russia would be subject to complete data destruction. Miller defended the act by claiming that this is all documented publicly and that users who don’t want this installed on their machine should lock their dependencies to older versions.&lt;/p&gt;

&lt;p&gt;This move has caused much controversy in the open source community. Proponents argue that extreme situations require extreme measures. However, detractors, including the &lt;a href="https://opensource.org/blog/open-source-protestware-harms-open-source"&gt;Open Source Initiative&lt;/a&gt; and &lt;a href="https://www.eff.org/deeplinks/2022/03/anti-war-hacktivism-leading-digital-xenophobia-and-more-hostile-internet"&gt;Electronic Frontier Foundation&lt;/a&gt;, claim this move is likely to cause collateral damage and hurt the reputation of open source software. Either way, this is clearly a unique method for open source developers to demonstrate the power and influence they have over society. &lt;/p&gt;

&lt;h2&gt;
  
  
  US Federal Court Makes Controversial Ruling on AGPL
&lt;/h2&gt;

&lt;p&gt;A US district court in California made a ruling on &lt;a href="https://storage.courtlistener.com/recap/gov.uscourts.cand.349025/gov.uscourts.cand.349025.88.0.pdf"&gt;Neo4j, Inc. v. Graph Foundation, Inc&lt;/a&gt; that has been received with some controversy in the open source community. The court case centers around Neo4j’s use of the Affero GPL (AGPL) with the addition of the &lt;a href="https://commonsclause.com/"&gt;Commons Clause&lt;/a&gt; on their enterprise code. The Graph Foundation interpreted a section of the AGPL that states a licensee may remove any “further restriction” imposed in addition to the AGPL, which the Graph Foundation interpreted to include the Commons Clause. The Graph Foundation publishes and maintains a version of the Neo4j enterprise product named &lt;a href="https://www.graphfoundation.org/ongdb/"&gt;ONgDB&lt;/a&gt; with the Commons Clause removed.&lt;/p&gt;

&lt;p&gt;The court ruled that only the licensor is allowed to remove additional license restrictions beyond the AGPL and that the Graph Foundation is in violation of Neo4j’s copyright claim. The &lt;a href="https://opensource.org/blog/modified-agplv3-removes-freedoms-adds-legal-headaches"&gt;Open Source Initiative&lt;/a&gt; and the &lt;a href="https://sfconservancy.org/blog/2022/mar/30/neo4j-v-purethink-open-source-affero-gpl/"&gt;Software Freedom Conservancy&lt;/a&gt; have both come out in opposition to the court ruling and they claim that the original intention of the AGPL was to give licensees the right to do exactly what the Graph Foundation did in this situation. This is only a preliminary injunction, and it seems likely that this ruling will be appealed. In the meantime, the code for the project is &lt;a href="https://github.com/graphfoundation/ongdb"&gt;still available on GitHub&lt;/a&gt;, and you can read the full ruling &lt;a href="https://storage.courtlistener.com/recap/gov.uscourts.cand.349025/gov.uscourts.cand.349025.88.0.pdf"&gt;here&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  Other Open Source News
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Red Hat Releases 2022 State of Enterprise Open Source Report
&lt;/h3&gt;

&lt;p&gt;Red Hat has released their 2022 report that outlines the state of open source in the enterprise. They interviewed nearly 1,300 IT professionals about the importance of open source in vendor selection, the types of open source technologies enterprises are looking for, and open source security.&lt;/p&gt;

&lt;p&gt;Here are some of the major findings:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;82% of IT leaders are more likely to select vendors who contribute to open source. Familiarity with open source processes, influence on technical direction, and effectiveness are all cited as major reasons for this.&lt;/li&gt;
&lt;li&gt;89% of IT leaders believe open source is as secure or more secure than proprietary software. The ability to test open source code, scan for security vulnerabilities and updates, and the pace of security fixes are the main reasons for this belief.&lt;/li&gt;
&lt;li&gt;Enterprises expect to decrease their use of proprietary software by 18% and increase their use of open source software by 17% over the next two years.&lt;/li&gt;
&lt;li&gt;AI, machine learning, edge computing, containers, and serverless computing are the technologies most targeted for open source adoption.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://www.redhat.com/en/enterprise-open-source-report/2022"&gt;Get the full report&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  Git Turns 17
&lt;/h3&gt;

&lt;p&gt;What started as a weekend project for Linus Torvalds, the famous inventor of Linux, has 17 years later become a ubiquitous tool used across the software development world. At this point, Git is almost synonymous with code version control and it doesn’t seem like this is likely to change anytime soon. To celebrate the 17th anniversary of Git, check out this wonderful article over at opensource.com about &lt;a href="https://opensource.com/article/22/4/our-favorite-git-commands"&gt;the community’s favorite Git commands&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  RoninX Launches to Promote Decentralized Content Streaming
&lt;/h3&gt;

&lt;p&gt;The &lt;a href="https://roninx.foundation/"&gt;RoninX Foundation&lt;/a&gt; is the world’s first non-profit organization dedicated to bringing together camera hardware, streaming, and blockchain communities to produce technologies for real-time content streaming via Web 3.0. The foundation has organized around working groups for transport layer, metadata, file management, metaverse, and blockchain technologies.&lt;/p&gt;

&lt;h2&gt;
  
  
  New Open Source Projects
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;a href="https://github.com/dagger/dagger"&gt;Dagger&lt;/a&gt; - A portable dev kit for CI/CD from the founder of Docker.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://github.com/facebookexperimental/eden"&gt;Eden&lt;/a&gt; - a cross-platform, scalable source control management system from Meta.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://github.com/linkedin/fasttreeshap"&gt;FastTreeSHAP&lt;/a&gt; - A Python package from LinkedIn for fast interpretation of the &lt;a href="https://arxiv.org/abs/2109.09847"&gt;TreeSHAP&lt;/a&gt; algorithm.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://github.com/Comcast/xGitGuard"&gt;xGitGuard&lt;/a&gt; - A security tool from Comcast to detect secrets exposed on GitHub repositories.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://github.com/facebookincubator/meta-code-verify/"&gt;Code Verify&lt;/a&gt; - A browser extension from Meta for verifying the integrity of web pages and detect executed code that’s not included in the site manifest.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://github.com/ermetic/access-undenied-aws"&gt;Access Undenied on AWS&lt;/a&gt; - A security tool from Ermetic to analyze AccessDenied events on AWS CloudTrail.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Want more news about open source projects? Subscribe to &lt;a href="https://mattermost.com/the-build-newsletter/"&gt;The Build&lt;/a&gt;, a newsletter for software engineers dedicated to sharing useful technical content on effective development and collaboration techniques.&lt;/p&gt;

</description>
      <category>opensource</category>
      <category>devops</category>
    </item>
  </channel>
</rss>
