Open source is a heavily interdependent community, which is good and bad for security
Commentary: Open source is a tangled web of interdependencies. How can we do better to secure this web?
Open source is all about community. While that’s usually a good thing, it’s a fact that some members of the community are jerks. No, I’m not referring to the sometimes unwelcoming nature of different communities. Instead, I’m referring to the interlopers who have hijacked different projects in so-called “supply chain” attacks like the Webmin and RubyGems exploits.
Given how increasingly interdependent open source projects have become, the potential to take advantage of this (for good and ill) has risen considerably. What can developers do to keep the world safe for the open source community?
We’re all in this together
Open source has never been an American thing. While North American developers have long played an important part in fostering open source development, many of the most prominent projects came from abroad, particularly Europe (think MySQL, Linux, etc.). This isn’t particularly surprising, given a European penchant for community-mindedness.
While developers living in the US remain the single largest group of contributors, since 2014 the number of open source contributions originating outside the US has ballooned, according to GitHub’s State of the Octoverse 2019 report. Today, of the 40 million accounts on GitHub (many of which may not reflect active or even actual developers), 80% come from outside the US.
Where, in particular? Well, China, of course. Developers in China contributed dramatically more than any other country (except the US), and that activity is accelerating: Developers in China forked and cloned 48% more projects than…