Among Google's proposals, the ones likely to be controversial are strict rules for working on and with open-source software, rules that would apply to all maintainers and contributors of the affected projects, including those outside Google.
In a post on Google's security blog, the company outlines what it believes needs to be done to make the open-source software used across the industry more secure.
The long-term goal of the Google initiative is to prevent so-called supply chain attacks. For modern software, this supply chain consists of the large number of different open-source projects that are pulled in as dependencies of one's own software. The IT industry's first major rethinking of the security and resourcing of such projects began with the Heartbleed bug in OpenSSL, which had far-reaching effects.
The proposals Google has now published stipulate, among other things, that code may no longer be changed by a single individual: every change must go through code review and be confirmed by two independent parties. Many projects already strive for this, and the security-focused OpenBSD project has implemented it.
In addition, Google wants project owners and maintainers to stop acting anonymously and instead be known by identity. Likewise, the team calls for strong authentication of contributors and for some form of identity management that allows contributors to be verified across many different projects and systems. Changes in who maintains a project should also be easy to notice and to track.
Google's ideas are easy to understand in the context of the software industry, where companies can impose and implement such rules internally with relatively little effort. Given the variety and sheer volume of open-source software in productive use worldwide, this is likely to be much harder.
As Google itself writes, the authors expect that the proposed rules could be perceived as a burden and "therefore will meet some resistance, but we believe the extra constraints are fundamental for security."
Google has formulated numerous other proposals and requirements that the team wants to advance within the OpenSSF (Open Source Security Foundation).