<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: lauren rae hanford</title>
    <description>The latest articles on Forem by lauren rae hanford (@partridgehouse).</description>
    <link>https://forem.com/partridgehouse</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F345440%2Feb2b8df0-0b0d-4941-9e2d-d439715bb074.jpeg</url>
      <title>Forem: lauren rae hanford</title>
      <link>https://forem.com/partridgehouse</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/partridgehouse"/>
    <language>en</language>
    <item>
      <title>The ROI of paying open source maintainers (in light of the xz utils backdoor)</title>
      <dc:creator>lauren rae hanford</dc:creator>
      <pubDate>Tue, 09 Apr 2024 20:08:52 +0000</pubDate>
      <link>https://forem.com/tidelift/the-roi-of-paying-open-source-maintainers-in-light-of-the-xz-utils-backdoor-5252</link>
      <guid>https://forem.com/tidelift/the-roi-of-paying-open-source-maintainers-in-light-of-the-xz-utils-backdoor-5252</guid>
      <description>&lt;p&gt;As we continue to watch the attempted xz utils backdoor hack unfold, I’ve been following several conversations where questions are being raised about what this type of hack means for the software supply chain, and for security, identity, and trust.&lt;/p&gt;

&lt;p&gt;At Tidelift, our rallying cry has for years been to “pay the maintainers.” We believe this is an essential step in avoiding situations like xz, where a volunteer maintainer who described themselves as an unpaid hobbyist was tasked with more work than they had the time or space to do.&lt;/p&gt;

&lt;p&gt;Yet some of this discussion reveals conflicting opinions about the effectiveness of paying maintainers for their work. Some have said that money is not the answer, or even part of the answer. A few examples of exchanges that caught my eye:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.google.com/url?q=https://twitter.com/ag_dubs/status/1775906345423626593&amp;amp;sa=D&amp;amp;source=docs&amp;amp;ust=1712583514568435&amp;amp;usg=AOvVaw2aCTxRnlpE_ALTwQzHTm_H" rel="noopener"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--GRRGBdFi--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://4008838.fs1.hubspotusercontent-na1.net/hubfs/4008838/tweet.png" alt="Tweet from Ashley Williams" width="800" height="451"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.google.com/url?q=https://twitter.com/ag_dubs/status/1775907065241682405&amp;amp;sa=D&amp;amp;source=docs&amp;amp;ust=1712583514569056&amp;amp;usg=AOvVaw2vDtVpUGR1F9mQH7BeVpGS" rel="noopener"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--F22yYJ0u--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://4008838.fs1.hubspotusercontent-na1.net/hubfs/4008838/tweet2.png" alt="Second tweet from Ashley Williams" width="800" height="451"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;My colleague Luis Villa pointed out in his post about xz earlier this week that &lt;a href="/xz-tidelift-and-paying-the-maintainers" rel="noopener"&gt;paying maintainers should not be viewed as a magic bullet, but instead a cornerstone&lt;/a&gt; of efforts to improve the security and resilience of open source.&lt;/p&gt;

&lt;p&gt;I’d like to outline the guaranteed, measurable benefits that Tidelift’s customers receive from using our software throughout their entire development lifecycle. Customers using Tidelift’s software to implement unified software supply chain policy and practices get the result of better software, and the maintainers developing their software are certified and paid. You can read more about what our software does, and how it works &lt;a href="https://tidelift.com/subscription" rel="noopener"&gt;here&lt;/a&gt;.&lt;/p&gt;

&lt;h1&gt;&lt;span&gt;Paid, contracted secure development work&lt;/span&gt;&lt;/h1&gt;

&lt;p&gt;Here is what is in &lt;a href="https://support.tidelift.com/hc/en-us/articles/4406309657876-Lifter-agreement" rel="noopener"&gt;our agreement with every single maintainer partner&lt;/a&gt;. These are all explicit, contractual promises that maintainers make about their projects that customers can count on, when they are paid by Tidelift.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Multi-factor authentication is turned on.&lt;/li&gt;
&lt;li&gt;Security policies and procedures are in place to ensure maintainers are notified of vulnerability reports before they are made public.&lt;/li&gt;
&lt;li&gt;When a security vulnerability is reported, it is reviewed, a fixed release is made (unless it’s determined to be a false positive), and a post-mortem review is provided with context-specific details, available workarounds, and other critical data that saves engineering teams time and money.&lt;/li&gt;
&lt;li&gt;Maintainers review release managers every time a new release is made to ensure that those on the project with access to make releases are verified.&lt;/li&gt;
&lt;li&gt;There is a security maintenance plan in place, so customers can plan for the end of software’s life and know when security fixes will no longer be available. In many cases, our maintainers are willing and able to backport security fixes to older release streams—because they take the security of our customers seriously.&lt;/li&gt;
&lt;li&gt;Maintainers commit to giving us at least 30 days notice when they decide to &lt;a href="https://explore.tidelift.com/the-tidelift-maintainer-advantage/case-study-sockjs-pd?__hstc=96826650.00d059d0a033fa864bf50be315bf129a.1636244870404.1712324712114.1712340850993.927&amp;amp;__hssc=96826650.3.1712340850993&amp;amp;__hsfp=1717932986" rel="noopener"&gt;stop their work on a project&lt;/a&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;Multiplicative benefits&lt;/h2&gt;

&lt;p&gt;Maintainers receiving reliable income often are able to go above and beyond the list above to add even more security to their projects, and to the ecosystem.&lt;/p&gt;

&lt;p&gt;These are just a few examples:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Catching critical invisible security issues like &lt;a href="/urllib3-part-1" rel="noopener"&gt;leaked passwords, tokens, and other secrets due to attacks on the toolchains in use&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;Adding co-maintainers to projects to ensure they have backup and improve health, stability, and longevity.&lt;/li&gt;
&lt;li&gt;Expressing willingness to take on &lt;a href="/not-all-open-source-work-is-equal" rel="noopener"&gt;emerging security practices like SLSA&lt;/a&gt;—with commensurate income for that additional labor.&lt;/li&gt;
&lt;li&gt;Giving &lt;a href="https://github.com/sethmlarson/secure-python-package-template" rel="noopener"&gt;secure development templates back to the community&lt;/a&gt; to make secure development practices easier to adopt.&lt;/li&gt;
&lt;li&gt;Increasing the diversity of contributors and ideas by writing clear documentation and giving mentorship to the next generation of maintainers that we need to drive the global economy.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;Why is this worth investment?&lt;/h2&gt;

&lt;p&gt;I’m going to make this really simple: &lt;br&gt;&lt;br&gt;As Ashley Williams points out in their comments above, when it comes to the open source software we use to build our businesses, we’ve become “entitled AF.”&lt;/p&gt;

&lt;p&gt;We expect volunteer open source maintainers to deliver as enterprise suppliers, but it is a contract that maintainers neither signed nor agreed to. Our collective actions are speaking louder than our words.&lt;/p&gt;

&lt;p&gt;We’ve &lt;a href="https://web.archive.org/web/20240331024907/https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/" rel="noopener"&gt;rated their performance&lt;/a&gt; against secure development standards without considering what resources it takes to meet those standards. We show up in their issues &lt;a href="https://twitter.com/ffmpeg/status/1775178803129602500" rel="noopener"&gt;demanding fixes&lt;/a&gt;. We &lt;a href="https://edu.chainguard.dev/chainguard/chainguard-images/faq/#what-does-chainguard-do-when-a-cve-is-published-but-a-patch-is-not-available-from-the-owner-of-the-oss-code" rel="noopener"&gt;repackage those fixes&lt;/a&gt; and sell them as &lt;a href="https://sethmlarson.dev/google-assured-oss" rel="noopener"&gt;secured open source&lt;/a&gt;, without compensating the creators.&lt;/p&gt;

&lt;p&gt;In place of &lt;a href="https://www.softwaremaxims.com/blog/not-a-supplier" rel="noopener"&gt;actual contractual agreements with maintainers&lt;/a&gt; to pay them for work delivered, we’ve built up &lt;span&gt;an entire industry&lt;/span&gt; around scanning and remediating vulnerabilities in their code.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.f5.com/labs/articles/threat-intelligence/the-evolving-cve-landscape" rel="noopener"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--fhSBpsXU--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://4008838.fs1.hubspotusercontent-na1.net/hubfs/4008838/cves-chart.png" alt="CVE chart" width="800" height="449"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The chart here shows the number of CVEs published in the National Vulnerability Database each week since 2006. Since 2017, the trend in the number of reported vulnerabilities is clear.&lt;/p&gt;

&lt;p&gt;If the name of the game was fixing vulnerabilities, perhaps you could see this as a good thing. There are &lt;strong&gt;certainly&lt;/strong&gt; people benefitting from &lt;em&gt;more&lt;/em&gt; CVEs—but it isn’t open source maintainers.&lt;/p&gt;

&lt;p&gt;Let me be clear: the current model of running scans to look for known CVEs in open source code &lt;strong&gt;is not working&lt;/strong&gt;. The idea that we should just continue patching things until we burn out the people that are creating the patches in the first place, and then just move on to another replacement package is an embarrassing, and inefficient, strategy in 2024.&lt;/p&gt;

&lt;p&gt;Don’t we ultimately want more secure, more reliable software? When software is more secure and reliable, it has &lt;em&gt;less&lt;/em&gt; risk. &lt;/p&gt;

&lt;p&gt;If you are building software on top of open source that delivers revenue-generating value to customers without investing time, energy, or money to ensure that your end-to-end code is safe and reliable — you are taking unnecessary chances with your customers’ data and adding risk to your business.&lt;/p&gt;

&lt;p&gt;If your take is that any open source maintainer seeking reliable income should re-license or abandon their project, I would encourage you to review the &lt;a href="https://github.com/search?q=is%3Asponsorable&amp;amp;type=Users" rel="noopener"&gt;&lt;span&gt;data GitHub provides on maintainers seeking sponsorship&lt;/span&gt;&lt;/a&gt;, and hold that list up against any enterprise application dependency graph. Having every maintainer who seeks income for their work essentially walk off the job is not a realistic solution.&lt;/p&gt;

&lt;p&gt;Investing in open source doesn’t need to be complicated. If you need to unify your approach to software supply chain security throughout the development lifecycle, CI/CD, and internal organizational policies — &lt;a href="https://tidelift.com/subscription"&gt;&lt;span&gt;Tidelift’s software does this&lt;/span&gt;&lt;/a&gt;. If you are running an operation that could benefit from data to comply with attestation requirements, &lt;a href="https://tidelift.com/subscription"&gt;&lt;span&gt;Tidelift’s software does this&lt;/span&gt;&lt;/a&gt;— and we’ll pay for that data that you won’t acquire otherwise. All of our customers receive maintainer impact reports on what their money is achieving, and they are &lt;strong&gt;seeing results&lt;/strong&gt; in their application risk posture. &lt;/p&gt;

&lt;p&gt;A recent Harvard Business School paper estimated &lt;a href="https://www.hbs.edu/ris/download.aspx?name=24-038.pdf"&gt;the demand-side value of the open source software ecosystem at $8.8 trillion&lt;/a&gt;. By comparison, the entire U.S. electrical grid is valued at &lt;a href="https://energy.utexas.edu/news/old-dirty-creaky-us-electric-grid-would-cost-5-trillion-replace-where-should-infrastructure"&gt;1.5-2 trillion dollars&lt;/a&gt;, and the U.S. interstate highway system is valued at &lt;a href="https://www.washingtonpost.com/business/2022/07/15/diversity-statues-highways/"&gt;&lt;span&gt;750 billion dollars&lt;/span&gt;&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Open source software is an exceptionally valuable resource, and we shouldn’t take it—or its creators—for granted.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9409667/" rel="noopener"&gt;Technology problems and data risks&lt;/a&gt; are accelerating around us, and &lt;span&gt;we will not meet these challenges&lt;/span&gt; without open source maintainers. They are providing the bedrock of maintenance needed to continue our progress as a civilization.&lt;br&gt;&lt;br&gt;&lt;a href="https://tidelift.com/video/tidelift-validated-open-source-package-intelligence-demo" rel="noopener noreferrer"&gt;Watch a demo&lt;/a&gt;&lt;span&gt; of how our partnered maintainers opt into your software supply chain, and how our superior resulting data drives better open source software supply chain security, and &lt;a href="https://upstream.live/register" rel="noopener"&gt;come join us for a conversation&lt;/a&gt; about new ideas for how to improve open source software security and resilience at Upstream on June 5.&lt;/span&gt;&lt;/p&gt;

</description>
      <category>opensource</category>
      <category>xz</category>
      <category>security</category>
    </item>
    <item>
      <title>Double shift: parenting and working remotely</title>
      <dc:creator>lauren rae hanford</dc:creator>
      <pubDate>Wed, 08 Apr 2020 12:49:03 +0000</pubDate>
      <link>https://forem.com/tidelift/double-shift-parenting-and-working-remotely-2c6k</link>
      <guid>https://forem.com/tidelift/double-shift-parenting-and-working-remotely-2c6k</guid>
      <description>&lt;p&gt;Over the past few weeks, we’ve seen many people and companies forced into a new reality of remote work as a way to keep employees healthy and help stop the spread of infection.&lt;/p&gt;

&lt;p&gt;While much of the discussion is focused on how to ensure employees remain productive and continue to be able to collaborate effectively, today I’d like to focus on an element of remote work that is often overlooked. Namely, how does remote work impact working parents, especially when daycare is closed or schools are out of session?&lt;/p&gt;

&lt;p&gt;As the parent of two young children and the head of design here &lt;a href="https://tidelift.com/" rel="noopener noreferrer"&gt;at Tidelift, a company that has been remote-first since the beginning&lt;/a&gt;, I have a few years of trial-and-error experience working remotely with children at home. I thought I’d share a few of the key things I’ve learned along the way.&lt;/p&gt;

&lt;h2&gt;&lt;strong&gt;1. Don’t panic.&lt;/strong&gt;&lt;/h2&gt;

&lt;p&gt;If the immediate vision you have of what it will be like to work from home is the terror you might feel the first time you are sitting on a video call with your boss, and your three-year-old needs immediate (perhaps bathroom-related?) attention, you are not alone. These things will happen. I’m here to tell you that sometimes they may be even worse. There may be permanent markers, peanut butter, or a sibling involved.&lt;/p&gt;

&lt;p&gt;But you will be OK, and here is why. The work world is changing. My experience has been that most people understand these life disruptions more than you think they will. Often, they have children too. As the lines between home and work become more blurry, the work world is becoming more accepting of things that show we are human and not just robot workers. My colleagues and leadership team continuously model their humanity, and I can feel comfortable giving my kids the mic briefly at our morning standup—sometimes just that moment of your kids being included is all it takes to get some peace in return from them. Plus, it gives you some shared experiences to talk about outside of work.&lt;/p&gt;

&lt;p&gt;If you find yourself in a role or organization that isn’t handling remote or child-related interruptions well, give yourself grace and try to recompose. Remind yourself that this is work, and that it will still be there in 10 minutes if you need to excuse yourself from a call. Sometimes the more professional approach is to just ask for a brief break to return with 100% focus.&lt;/p&gt;

&lt;h2&gt;&lt;strong&gt;2. Prepare your home for remote.&lt;/strong&gt;&lt;/h2&gt;

&lt;p&gt;Set some sane defaults around workspace, equipment, and boundaries with your family. Mom’s desk is where her work is done, and it is not a playspace. If you see I am talking to someone on the computer, please see how far you can get arguing over the Frozen microphone on your own unless it is an emergency (potential actual emergency: Let it Go on repeat all day long). If you need something from me, wave at me, and I’ll respond as soon as I can. My experience has been that it is best to have a dedicated work area, ideally a room where you can have some privacy for virtual meetings while kids are still free to make noise in other rooms.&lt;/p&gt;

&lt;p&gt;When my kids are home with me, I try to model their regular environment and schedule as much as possible. Designate space for puzzles, art, blocks, home living (real world cooking implements like muffin tins or whisks can be really thrilling), or TV rotations (hey, they don’t have that at school!). Routine is my only fighting chance of getting that nap time break. &lt;/p&gt;

&lt;h2&gt;&lt;strong&gt;3. Set schedule expectations.&lt;/strong&gt;&lt;/h2&gt;

&lt;p&gt;Talk to your manager and team about what you expect your schedule to be, with the understanding that kids are unpredictable and your schedule may need to adapt on short notice. Again, my experience has been that most people understand—especially if they are parents themselves. If your team doesn’t have firsthand experience, it becomes even more important to set and manage super clear expectations. &lt;/p&gt;

&lt;p&gt;For me, it often means that I may have at most four hours of productive work time during standard working hours if my partner is home. That means I usually make up for that time very early in the morning, and during the evenings after the children have gone to bed. If you’re doing the math here, that means less time for yourself (see below).&lt;/p&gt;

&lt;p&gt;Also set some clear goals for whatever timeframe you expect to be working at home with kids. This will keep outcomes tangible for you and your team, and help head off any analysis paralysis that might emerge from being put in an unusual situation (if being remote with children is not your routine).&lt;/p&gt;

&lt;h2&gt;&lt;strong&gt;4. Make a plan for self care.&lt;/strong&gt;&lt;/h2&gt;

&lt;p&gt;If you are working the double shift of caring for your children and working a job during the day, it often means that you’ll need to spend time in the evenings catching up on extra work. The reality is that this may leave less time for self care. So you need to plan times in your week that are for you, or you and your partner, and not related to work or children.&lt;/p&gt;

&lt;p&gt;One additional thing that works for me is embracing &lt;a href="https://www.huffpost.com/entry/brene-brown-importance-of-play_n_4675625" rel="noopener noreferrer"&gt;play&lt;/a&gt; as a method for self care. Take walks with your children. Blow bubbles, have a dance party, draw or color together. When you do things as a family that make everyone happy, this can have a huge impact in terms of keeping you calm and sane. Here are some &lt;a href="https://tinkergarten.com/activities" rel="noopener noreferrer"&gt;activity guides by age&lt;/a&gt; for kids that might inspire you. Also, don’t hesitate to use technology however your household chooses to; sometimes it can be the tool you need to help you out when you have an important meeting or a pressing deadline.&lt;/p&gt;

&lt;h2&gt;&lt;strong&gt;5. Make a household management plan.&lt;/strong&gt;&lt;/h2&gt;

&lt;p&gt;If you have a partner, grandparent, or other support buddy in your life, work out a plan with them to share household duties. Who is in charge of laundry? Maybe now is the perfect time for your kids to learn how to fold clothes? What are some easy dinner recipes that don’t require a lot of time or attention? Consider &lt;a href="https://thesavvysparrow.com/snack-plate-ideas-easy-dinners-for-kids/" rel="noopener noreferrer"&gt;the snack bar&lt;/a&gt; as a family feeding plan. Who among us does not love snacks!&lt;/p&gt;

&lt;h2&gt;&lt;strong&gt;6. Look for virtual community support.&lt;/strong&gt;&lt;/h2&gt;

&lt;p&gt;Now’s the time to reach out to other parents within your organization, school or daycare, or online communities. I’m personally a part of several groups that connect parents geographically or within the tech industry. Get a text chain of support going with people who understand what you’re experiencing. Share ideas, share your pain, and share your successes. &lt;/p&gt;

&lt;h2&gt;&lt;strong&gt;7. Embrace the opportunity!&lt;/strong&gt;&lt;/h2&gt;

&lt;p&gt;If you look at working with children at home from a glass half full perspective, perhaps some new and interesting possibilities will emerge that you hadn’t considered. Maybe you’ll get to spend more synchronous time with colleagues in another time zone? Maybe your children might start to discover more autonomy? Your kids will learn that work matters to you. And over time, they'll get exposed to things that will be thought-provoking for them. When every day is "take your child to work day," they end up learning quite a bit that they otherwise would not.&lt;/p&gt;

&lt;p&gt;Finally, just remember that none of this is permanent. Although it may feel like an eternity, you will get through it, and the people around you in most cases will understand and be empathetic. For most, working with children at home is temporary. Be kind to yourself. You will have moments of frustration with your family, your job, and often both. Feel the feelings and then keep moving on. &lt;/p&gt;

&lt;p&gt;We’ve got this!&lt;/p&gt;

</description>
      <category>wfh</category>
      <category>remote</category>
      <category>womenintech</category>
      <category>mentalhealth</category>
    </item>
  </channel>
</rss>
