Linux Distros Need to Take More Responsibility for Security
Open source is everywhere; a Synopsys study found that 96% of all software code bases analyzed included open-source software. That’s the good news. Ironically, it’s also the bad news, as the very pervasiveness of open source introduces risk.
Decades ago, proprietary players used to spew disingenuous fear, uncertainty, and doubt around open source security, but they may finally have a point. Not at the individual project level where critics once wrongly focused their case, but rather in supply chains, as massive vulnerabilities like SolarWinds and Log4j remind us that we still have essential open source security work to do.
Most enterprises have gotten very mature at network and perimeter security, but are still juvenile in their understanding and workflow around open source provenance and software supply chain security. Hackers have shifted their attention towards not only the security of individual open source projects themselves, but the gaps between software artifacts: their transitive dependencies and the build systems they touch.
We need to fix this, and the way to do so is arguably not at the individual project level but rather at the level of the distribution.