hearing my displays, but okay, I'll read it. So thank you, Nithya, for the really nice scene setting for why we're here today. I wanted to add a little bit of historical context that I think is really germane to how the open source community actually got into a very favorable position when it comes to security. I might even use the term "irrational exuberance," which, if anyone is familiar with where that term first came into the popular mindset, it was at the time of the 2008 financial crisis. And who was it who gave testimony about irrational exuberance in the stock market? Anyways, I think what we actually need to do is think about how we substantiate what is already a really great reputation for open source software when it comes to security, but also really try to understand where some of that came from.

So I tried to look deep into the past. I went to the Internet Archive, and the oldest screen grab I could get of the Netcraft web server survey was from '99, but they actually started in '95 with a survey of the entire web once a month, where they would ask every web server, "What software are you running?" And again, the internet was a high-trust environment at that time, where telemetry of what people were running was considered a public good. I think it's kind of crazy in retrospect that people would advertise the specific patch level of the server software they were running, making it easier for you to figure out which compromise would come in. But the great thing about this was that this is really the first moment where we had substantiated evidence that open source software was being used out there in the wild, and in quantity, right?
And not just being used for research purposes or early-days-of-the-web kinds of things, but actually being used in production. Because not only could you see quantitatively (if I had scrolled down to the bottom and seen more) that the Apache web server was being used something like five times as much, well, two and a half times as much as the Microsoft web server was being used (apologies to Microsoft), and almost ten times as much as the Netscape server was being used (apologies to anyone who worked for Netscape), but you could also ask through this website, and you didn't have to type HTTP commands, you could ask through this website, "What is that site running?" And it made it really easy for those of us who were working on the Apache web server back then to make the case to our own pointy-haired bosses, which is what PHP is, but also to others, that not only are people using this in production, you could also point people to CIA.gov or to, I believe it was Vatican.va, it might have been something else but it was .va, and people could see, oh, Apache is running behind those. And if it's good enough for the CIA and for the Vatican simultaneously, it probably is good enough for your company, right? Which was great, and it allowed us to make the case that you could trust this. That's what garnered interest from some of the first companies; IBM was really one of the first to say, can we bundle Apache into our web-based products, that kind of thing, and lots of others followed suit. But it also led us down, I think, a path that started to say popularity was a rough proxy for, perhaps even equivalent to, security: that the more people use this stuff... and certainly that's a case that we made, right?
The more eyeballs, just naturally, almost by the law of large numbers, and therefore you could trust it. And that seemed to be true: we would get notices of security holes, we'd respond quickly, and that started to also be mirrored by the Linux community, which also developed a great reputation for being able to respond very quickly. And I'll note, by the way, there were very few analysts looking at this data. In fact, IBM sent a poll out to their top 100 customers in '97, asking their CIOs, how many of you are using Linux or Apache or any open source in your organization? Only one out of those hundred said that they were. They repeated that by asking systems administrators in those 100 companies and got back something like 93 of them saying, oh yes, we're using it. It's just that the CIOs never saw a purchase order for anything labeled open source software, until Red Hat came along, and others of course. But anyways, it was really nice to have those numbers, but it led us to some interesting places.

The second thing that I think really helped the world come to trust open source software was that a lot of the early communities were really rigorous about setting up processes and setting up a culture that said we need to avoid heroics. Like, we might still have, what was the term for like one individual kind of at the top? I'm struggling to count, sorry?
BDFL, sorry, benevolent dictator for life. BDFL, thank you, I was blanking on that. Even if we have a Linus Torvalds or a Larry Wall or others, they are surrounded by people who can help catch the falling, you know, hot knives, or help review patches, who can help enforce some process. And even at Apache, one of the founding principles was community over code. We wouldn't start a project, we wouldn't even take one in as an incubator project, without some evidence that there was more than one person interested in working on this code, and really, ideally, it should be from more than one company. And the premise is that then, if somebody burns out, if a company changes tack, whatever happens, there's some resiliency built into that.

And somehow we got away from that. Somehow, in the last 20 years, we kind of got more to the swap meet model of open source code. Not that those projects went away; certainly Apache and the Linux kernel and other projects do have this kind of culture of let's pull communities together to write code. But we're also all very proud of the millions and millions of repos up on GitHub, of the millions and millions of packages published at npm, and any one package is always very proud of boasting of the hundreds of thousands or hundreds of millions of downloads that they get per week, again as a sign that the law of large numbers means you should be able to trust us. And that just kind of seems wrong, just at an intuitive level, and to me feels like a place where perhaps we've gone a little bit in a different direction. I'd like to see us return to this idea of open source communities and open source projects as being a little bit more like barn raisings, where, you know, people work together to build a thing. It's not just about pulling 10 or 100 people together to do in one day what would otherwise take one person 10 or 100 days. There's no way for one person to build a barn, at least in the old Amish barn raising kind of stereotype, right? One person cannot pull the timber frames up to mount them in the right way; they cannot do all the things that are required to build a barn. It actually does take a village of people. And for me that's always been the hallmark of well-run open source projects too: they're people with complementary skills, people who might specialize in that one function that no one else really wants to look at, but at least one person is keeping an eye on it, and hopefully more than one, for every given line of code. And it's not perfect, and it fails, and it means a whole lot of overhead in managing a community, managing clashing priorities, managing overhead. But it pays off, and it pays off in more resilient code.

And with respect to turtles, with apologies to them, as we think about building critical infrastructure, and we think about it from the bottom up, from the hardware layer up, it should be barn raisings all the way down, to really help build the kind of secure critical infrastructure that we know we need. I would love somebody to do a better graphic than this; this was me last night doing cut and paste eight times, but it seemed to work.

And so for me the open source community really was one of the first places on the internet... I'm sorry, an important angle on this, I feel, is that by having these things be barn raisings rather than kind of one-person projects, it made it possible to bring in anonymous and pseudonymous contributors. And this is really key. I remember in the early days of the Apache web server, there was a contributor named Alexei Kosut who was very productive, wrote great code, but didn't write as much as some others, which was fine, but he did a lot of tending to the Usenet newsgroup, answering user questions, writing documentation, like a model open source contributor. And three years into his contribution history to Apache, he wrote a note to the other maintainers going, I'm really sorry, guys, but I'll probably have to pull back a little bit on my contributions because I'm starting as a freshman in the fall at Stanford University. So the fact that we have very low barriers to entry in open source is actually key, in my opinion. I mean, I don't have numbers to back this up, I would love to see the econometrics, but I would assume a lot of you share this guess: that that is key to the scalability of the open source process and getting to what Eric Raymond called Linus's law, which was, with enough eyeballs, all bugs are shallow. Which, intuitively, we know is not quite a mathematical equation, of course, but no matter what tooling, what processes we come up with, they all fall down, in my opinion, if you have too few developers per line of code.

And I want to note, this idea of being able to have our projects be open to both lightly authenticated people or even not-totally-anonymous contributors doesn't mean that reputation doesn't matter. We know it matters. We know that we use certain projects because we get to know the developers behind them, and we know that when a developer shows up on a project who has a history of contributing to other projects, that matters too and is part of the trust equation we as maintainers or as the community use to decide what to incorporate. But it really is important that we avoid going down the path of the open source community becoming... there were a lot of vendors at RSA two weeks ago selling tools to do "know your developer" behind open source projects and other collaborative software projects, where factors such as national identity or the IP address of where the contribution came from are considered a viable basis for trusting a contribution or not. And I think that would be very dangerous. All major open source projects have healthy amounts of IP from contributors from countries that aren't necessarily places you and I would be able to travel to or want to travel to right now. And, you know, geopolitical relationships come and go, but I think it's important that the open source community remain a global community, and in a way that we found challenging in other parts of the internet, we truly are one of the last remaining places on the net where you can productively work and even come to trust people who are lightly authenticated into the community. I think that's core to what we're trying to build.

And at the same time, we can do that because we have processes. How many people remember the University of Minnesota hack from last year, I think it was? Where a team of researchers at the University of Minnesota thought it would be cute to prove how valuable our processes were by slipping intentionally broken code, not a back door so much as an intentional vulnerability, into the Linux kernel. It was noticed, it was stopped, but not before it consumed a whole lot of time on the part of Greg Kroah-Hartman and Linus and some others. And in response, the University of Minnesota has now been banned, I think by IP address, I don't know if it's by email address, but has now been banned permanently from contributing to the Linux kernel. Which kills Jim Zemlin's heart, because he's a graduate of the University of Minnesota, good old Minnesota kid. But yeah, we have these processes, we have these mechanisms, but they're not perfect. Are they perfectable? That's worth asking. But we need to fight what might otherwise be a tendency to slip into a dark place.

So, in my perspective, we need tools that measure the trustworthiness of code based on objective measures that go beyond number of downloads in npm, number of stars on GitHub, number of users out there. Certainly we can be better at turning users into contributors, turning contributors into maintainers, that sort of thing. But a lot of what's going on in the OpenSSF matches that first kind of thing; you'll hear about a lot of that today: the Best Practices Badge work, the Scorecard work, things that we're looking at in the mobilization plan. All of that speaks to this need to better understand, through processes, through measurements, through tools, how do we get an objective sense of the trustworthiness of code. Not because we want to stop using certain open source packages, but so that the better ones can know where to invest to increase that. We're far past the point of Dunbar's number, right, 150, which is about the number of social relationships any one person can keep in their brain at one time. We are far past the point of being able to rely on that as our mechanism to know what open source projects to trust; at the tens of millions of different components out there, we need other, better tooling to scale that up. We also need processes that simply encourage better security practices by developers, and that also is a theme for many of the projects you'll hear about today and is a key part of the OpenSSF.

Speaking to this third part, though, about teamwork: this is a place where I challenge us a little bit to think about where perhaps existing efforts in the OpenSSF, or perhaps new efforts that we might take on, might encourage a little bit more teamwork and shared responsibility amongst open source projects, shared responsibility for security. Encourage folks to... if you're working on one bit of open source code, you've thrown it out, you might have hundreds of thousands of downloads a week, that's great, but what happens when you burn out? What happens when you slip in a bug that you didn't realize and notice? Wouldn't it be great to have other people help you find those? This is why I loved open source, because I'm not a good coder. The world is much better off without my code in the world. It wasn't just me being humble, it's me being completely honest: this is broken, this is something I know there's something broken about, please help me find the bugs in it. And for me, without that sounding board, there's no point.

And most important for us is to think about how to add the words "by default" to every one of those, right? How do we make the lift as zero-cost as we can to adopt better tooling, to adopt better practices, to get this into the default workflows, the default build tools, the systems that we use as open source developers and contributors, to make this all work.

And so, as I mentioned, you'll hear a lot today. You won't get everything going on in the OpenSSF; we are kind of a circus. I say that lovingly, and everybody likes going to the circus. There's lots of things going on at the OpenSSF, lots of different teams, and that is a part of our strength. We're roughly divided out by working groups in certain thematic areas. We also have a set of initiatives, Alpha-Omega, Sigstore, and the new toolchain infrastructure, that are added into a lot of those different efforts, and certainly there are lots of people on multiple working groups and efforts at the same time. There's a lot more we can do, and one of the things we in the OpenSSF community are actively trying to figure out is how much to be big tent versus best of breed and small and focused, right? And this is something you'll perhaps hear more about today: how do we tread that line and make sure we're tapping into really the best of what's going on in the open source world, the best thinkers, the best developers, the best people thinking about how this maps to the real world.

Now, in the remaining kind of seventeen minutes, I want to pivot a little, and thank, of course, all the organizations. Here's a few of them; there's actually a longer list of the full membership you can see on the website. It's organizations like these that are really helping make those efforts work, both through their individual developers contributing and participating on the working groups and the projects, but also by putting in some money to allow us to spend money on some of the work that is necessary to do.

Now I want to pivot and talk a little bit about this effort that we put together since the beginning of this year to take this circus, so to speak, on the road, and to think creatively about: if we were to not just say here's a bunch of things that might help the world, but to get activist about it and invest in it, and say, could we actually close some of the known issues we have in the world around how open source is built, in some reasonable time frame, in the next few years, how would we do it? And frankly, how much would it cost? A lot of this was spurred by the Log4Shell vulnerability. I try to avoid saying Log4j, because the developers behind Log4j and other Apache projects are professionals; they are doing a great job, and I want to give them due credit. They're buying art for a component that's used as pervasively as it is. Again, the law of large numbers does say occasionally we will stumble over vulnerabilities here and there, and it should not reflect upon them. So I do try to say Log4Shell when I can, just to be reflective of that.

Log4Shell broke the internet. It caused a whole bunch of organizations, particularly in government, to go, this is an earthquake, we've got to scramble, we don't even know where we're running it. The number of organizations that said, oh, no problem, we're using it, you know, the bugs are in, the CVEs are in Log4j version 2, but we're on Log4j version 1, so we're not vulnerable. Which had been out of maintenance for five years. Yeah, it was an earthquake, right? And it caused people at all levels, both in the private sector and the public sector, to reasonably ask the question: if this is an example of doing it right, if this is an example of the process working well... we would be frustrated if we woke up one day and every highway bridge crossing every river had to be shut down for a month while it got re-architected and re-cemented, so we could then cross that bridge again and drive over it. Or we would be frustrated if the electrical grid had to go down for three days while we updated it, which is dauntingly similar to some of what we've heard about, you know, the electrical grid being much more of a software-driven piece of infrastructure these days than anything else. So it caused a bunch of people to ask, are you all okay? Is this really how it's supposed to work?

So the White House convened this meeting in January and invited a bunch of us there: David Nalley, if he's in the room, I don't know if he is, from Apache, and a few others from Apache; a few of us from the Linux Foundation; about ten other companies. And they kind of posed this question, and for about six hours we worked on basically the question: what would it take to actually solve many of these issues that we were coming up with? Which could roughly be categorized in three different buckets: how do we secure how the code is written; how do we get better at finding the vulnerabilities that are out there and fixing them; and then, apologies, how do we get better at pushing those fixes out to the world.

And so we went back, as the OpenSSF, and started, a little bit more privately, talking about this in the governing board, kind of one-on-one between us and staff and a lot of others, and said, well, maybe what we should do is think about how to frame and organize all those different efforts in the circus with this idea of what it would take to push those to the point where they can actually address a set of issues that are responsive to those goals. What are things that are working now that we could double down on and put some more resources behind, in a somewhat inorganic manner? I mean, I'll be honest, most of the time at the Linux Foundation, when we open projects, we as Linux Foundation staff and the funding kind of go into air traffic control, right? It goes into convening the space, hosting the calls, hosting whatever is required, even the build systems, that kind of thing. It doesn't really go into top-down driving the stuff to be everywhere. It does sometimes. In the Automotive Grade Linux project, that's a community where there aren't a lot of open source developers in companies yet, or at least a few years ago, inside of companies like Toyota and Nissan and the like, and so when they organized, they did go out and pay developers to build a body of code. Other projects, like Let's Encrypt, actually run a service, which requires an ops team, which requires some actual staff to go and run this, even though the code is open source, even though it's built on open protocols, and they work very, very publicly. So with us it was a little bit like, well, even given all of the folks showing up to our circus making contributions, how might we best organize our efforts to go and accomplish some of these things? We're not going to solve it tomorrow; what could we do, though, in a year or two years to make it work? And so what are some ambitious but pragmatic targets that we could set to make that happen?

In ten minutes I'm not going to be able to go into depth on the next ten different slides, but we put together a plan, the mobilization plan, that laid out ten different streams that identified some reasonably interesting places that we felt would make a big difference in the trustworthiness and reliability of open source code, and frankly, to bring the reality up to that set of expectations, that irrational exuberance around the security of open source code. We published this in May and had a convening in DC with friends of ours in government. It was not a government plan; it was not intended to be, you know, here's what we want government to pay for. But it was intended to say, look, those of us organizing this would like to collaborate with our peers in government. There's a few, in fact, from government here at OpenSSF Day, at the conference this week. And we'd like to make sure whatever you're doing inside of government around pushing further on SBOMs, or evolving the cybersecurity infrastructure framework that's driven by NIST or other places, that that's complementary. By the way, I'm sorry, they're showing Top Gun: Maverick next door, so I can't compete with that, but I will try.

And so what we identified, to our surprise, was actually what we thought was kind of a low number: a hundred and fifty million dollars' worth of well-vetted spending that would go and pay for itself tremendously. So at this convening in DC, I tried to pull in more companies, more open source community members, more organizations. It was never going to be enough, of course, nor as public as we'd normally like to be about how we work, but it was enough to try to get across to the government that we're serious about this. And this was something that we'd like to repeat with other governments around the world as well; we've got some conversations starting in a few places to have a similar type of rollout and conversation with them. At that event, we identified thirty million dollars in pledges to that project. Thank you to many of the companies who are here today who helped make that work. These are pledges; this is basically an investment fund, if you think of it that way, towards the 150. So we're going to be raising more from different sources to go and hopefully start work on each of those different streams independently.

I won't be able to go in depth; you'll be able to find it. But very briefly, just to give you the highlights: one of them is about trying to reach everybody with many of the security education documents and processes that we've developed here. Thank you particularly to David Wheeler for that work; he'll be talking about it later today. One of those is about trying to do that risk assessment kind of thing I talked about: how do we better understand the riskiness of code? Well, pulling together all the data that the tooling we're coming up with can give us, as well as additional data sets, into one place to go to say, I'm interested in this code, what is its risk profile, right? And can I compare that to similar code? Another is to further the work of the Sigstore community on digital signatures, which you'll hear more about today as well. To invest in memory safety, in the conversion of some core internet utilities like ntpd, or to further invest in Rustls, for example, the Rust library for TLS, to try to eliminate whole categories of vulnerabilities in really critical software. To establish a security incident response team to focus specifically on open source projects who don't have the funding or have a big community around them who can help manage a vulnerability disclosure process. Another is to really double down on the work going on in Alpha-Omega, to do more pervasive scanning of open source code on a regular basis to try to find new vulnerabilities; you can think of it as an open source version of Project Zero at Google. Another one is to invest in code audits. Amir here from OSTIF knows this process well. Not for a large number of projects at first, starting with fifty and hopefully going to two hundred projects a year, in the kind of third-party audits that really start to ask, do you mean to put that chainsaw in the middle of that dinner cutlery set, right? So not just the potential memory corruption issues, but also really starting to ask at a feature level, an architectural level, have you really built this defensively and thoughtfully? To encourage more data sharing to understand what are really the most critical open source projects, not based on download numbers from npm but based on data that might actually be hard to get in public data sets, so working with distribution points and vendors to try to collaborate around that data and help make, like, the Harvard study that we published recently even more thoughtful and perhaps more frequently updated. To really invest in SBOMs: so far we haven't done much in the OpenSSF with software bills of materials; we've talked about it, there's been some work in the Security Tooling community, I think, Josh Bressers, if you're here, but this is a place we know there's a need to invest more. This particularly was a big message from our partners in government. We need to also, finally, just look at especially the last few stages of the software supply chain, the distribution points, the software repositories, and ask, is there more that we can do to bring SLSA, for example, to those, to bring native consumption of SBOMs to those, and other things that can help make it easier for people consuming software through what are essentially the Apple app stores of the open source community to be more thoughtful about how they get that data. And this is work that I'd say has already begun through collaboration in the Securing Software Repositories working group, which is really just getting underway.

All this work together: there were teams that formed around each of those ten. I want to thank everybody here who did participate in those work streams. It was very short time frames, partly intentionally, so that we could get to really just the first size-of-the-breadbox kind of notion. These numbers will change; this is a draft. The process from here is that we'll continue working with interested parties on those streams to refine the proposals, to get to the point where we can start to match them up against pledges or other sources of funding. Frankly, a hundred fifty million dollars was cheap in my book. I talked about that a bit. A hundred fifty million might sound like a lot; certainly for any one open source project it's a lot, there are very few with budgets that are larger than that. But I want to give you one other number against which it sounds fairly affordable: seven hundred million. Does anyone know what number I might be referring to when I said seven hundred million? It's a little obscure, I apologize, but it was just a few years ago that the FTC levied a fine on Equifax for its data breach and fined them seven hundred million dollars, due to a vulnerability in Apache Struts. Again, not to blame Apache Struts, not to blame Apache or anything like that; in fact, I believe they were only like a few months out of date in their patching, but that provided enough of a window for somebody to come in and exfiltrate a ton of data. And the FTC has already issued a notice saying that if they find that future data breaches or other major compromises occur because somebody did not update their Log4j frequently enough... David's applauding here, because these are the kinds of nudges that we're going to see more of, both from the public sector and, I think, even from folks like insurance companies who insure against cybersecurity breaches. They're going to start to raise the floor when it comes to what's the minimum that they expect organizations to do to be more secure. And this is serious; this is the government getting serious. These are the sticks, and I am much more about carrots, frankly, much more about incentives and helping people. In fact, a big theme through the mobilization plan has not been how do we make open source developers get more serious, but it's been about how do we show up with help, how do we add to their existing processes with better tooling, with people, and other things like that. In fact, the vast majority of that hundred fifty million dollars is paying for people to show up on projects and say, we're here to help in one way or another. And so I think pressures like this are pretty useful.

At the end of the day, the mobilization plan is just one element of what we do at the OpenSSF. It's about sprinkling some accelerant on top of existing efforts. At the core of the OpenSSF, though, we are an open source project like any other you'd find, where anybody can contribute, where anybody can use the tools and benefit from the standards and all the goodness coming out, and the docs and the guides; I mean, there's too much to mention. This is about just trying to sprinkle, you know, a little bit of fuel on these different efforts and make that work. So come in and check out the plan, but do check out the rest of what's going on inside the OpenSSF. And apologies to James Brown for stealing his riff, but get involved. And with that, I think I'd like to pass the baton back to Crow. Thank you all.