We've all been hearing a lot about software supply chain security, but what does it mean to make open source more secure? Will a software bill of materials, package signatures, and more complex build systems prevent the next Log4Shell, Heartbleed, or Pantsdown?
Not exactly, though such tools will help us respond faster and prevent some types of attacks. Ensuring that *these* bytes get from *here* to *there* without being tampered with along the way is important, but it is only part of the puzzle. To secure the long tail of open source, all those projects that aren't in the limelight but *are* in critical systems, we must understand that our projects are more than mere code. Each one is a relationship built upon trust.
And in an open source community this large and globally interconnected, we need to understand how we trust people that we may never meet.
Aeva Black is an incurably queer geek, passionate about privacy, ethics, and vegan chocolate. They work in Azure's Office of the CTO, and serve on the Board of the Open Source Initiative and on the OpenSSF's Technical Advisory Council. They also previously served on the OpenStack Technical Committee and on the Board of the Consent Academy. Many years ago, Aeva founded the OpenStack Ironic project, wrote a lot of Python, and managed a few small MySQL databases.
Aeva is a lifelong student of the Buddha Dharma and a frequent keynote speaker at open source conferences around the world. They are an aspiring, yet time-starved, writer whose recent works include contributing to "Transcending: An Anthology Of Trans Buddhist Voices" (2019), and being the technical editor for "Trust In Computer Systems And The Cloud" (2021).