Open source software (OSS) is a cornerstone of modern digital infrastructure, driving innovation and supporting applications across industries and regions. With its pervasive use, identifying critical OSS components and addressing their security challenges are vital. The recent Census III report, conducted by the Linux Foundation and the Laboratory for Innovation Science at Harvard, provides key insights into the OSS ecosystem. Analyzing over 12 million OSS library observations from 10,000 organizations, the study highlights what is really happening in OSS, including trends shaping the future of digital technology.
Massive Increase in Cloud Service Integration
One striking revelation from Census III is the surge in OSS libraries for cloud service integration. This suggests an ongoing shift from the earlier "lift-and-shift" approach for using clouds, in which organizations moved existing applications to the cloud with minimal changes. Today, software developers increasingly create software natively for the cloud, leveraging its unique capabilities through OSS libraries. This trend reflects a deeper adoption of cloud-first strategies in software development.
Security Risks in Single-Maintainer Projects
The report also identifies a significant concern in some OSS — some critical, widely used OSS components are projects with essentially a single maintainer. This doesn't apply to all OSS; many widely used OSS projects have many maintainers. Still, of the top 50 non-npm projects in our "version-agnostic direct list," 17% had a single developer who authored more than 80% of the commits.
This also doesn't mean that those solo maintainers are doing a bad job — there are good reasons some single-maintainer projects are widely used. However, if that single maintainer dies or stops maintaining the project, the project may simply stop being maintained. In addition, single-maintainer projects may get less review. It's important to find ways to increase the number of trustworthy maintainers in important OSS projects.
Lesson from the Python 2 to 3 Transition
Despite being released 16 years ago, Python 3 adoption remains incomplete, with some still relying on Python 2. There has been progress; the majority of Python use is now version 3, though Python 2 use remains significant in some sectors (29% of Python use in data analysis is still Python 2). This growth in Python 3 adoption was greatly enabled by the Python package "six," a set of utility functions designed to make it easier to write Python code that is compatible with both Python 2 and Python 3. The package "six" is now one of the most widely used OSS packages in the world today.
The lesson is simple: it's important that software developers make it extremely easy for users to update to newer versions. Projects that maintain backward compatibility minimize disruption, reduce friction, and accelerate adoption. The Linux kernel exemplifies this principle with its "don't break userspace" policy, which ensures that updates do not disrupt existing workflows. If the kernel can uphold this standard while processing over 800 commits daily, other projects can and should adopt similar approaches to balance innovation with usability.
Rust's Role in Enhancing Security
Another noteworthy trend is the increasing adoption of Rust, a memory-safe programming language. System-level projects like the Linux kernel and the widely used curl tool are beginning to incorporate Rust to mitigate vulnerabilities inherent in memory-unsafe languages such as C and C++. This gradual adoption indicates a broader industry shift toward memory-safe development practices.
The Case for Standardized Software Identifiers
A key takeaway from Census III is the need for standardized identifiers to accurately track software dependencies and vulnerabilities. Current naming ambiguities create confusion and inefficiencies, particularly in addressing security issues. Vulnerability reports are less valuable if people can't automatically determine what software is vulnerable.
Adopting package URLs (purls) as a standard identifier, where practical, would streamline vulnerability tracking and resolution. Governments and organizations must prioritize such standardization to strengthen OSS security. For example, I would love to see the CVE process require that all reported vulnerabilities include at least one mechanically processable software ID, such as a purl.
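To make the "mechanically processable software ID" point concrete, here is an added example (not code from the report or from the purl project) that parses purls of the form pkg:type/namespace/name@version?qualifiers#subpath, applies the type-specific normalization the purl spec defines for pypi and github names, and matches a dependency list against advisories keyed by purl. The advisory IDs, package names and versions are constructed placeholders, not real advisories.

```python
"""Added example: parse package URLs (purls) and match declared dependencies
against vulnerability advisories keyed by purl.

All sample data below is constructed; the advisory IDs are placeholders,
not real CVE or OSV identifiers.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote


@dataclass(frozen=True)
class Purl:
    type: str
    name: str
    namespace: Optional[str] = None
    version: Optional[str] = None
    qualifiers: dict = field(default_factory=dict)
    subpath: Optional[str] = None

    def key(self) -> tuple:
        """Identity of the package, independent of version and qualifiers."""
        return (self.type, self.namespace, self.name)


def _normalize(ptype: str, namespace: Optional[str], name: str):
    # Type-specific rules from the purl spec: pypi names are case-insensitive and
    # '_' is equivalent to '-'; GitHub owner and repository names are case-insensitive.
    if ptype == "pypi":
        name = name.lower().replace("_", "-")
    elif ptype == "github":
        name = name.lower()
        namespace = namespace.lower() if namespace else namespace
    return namespace, name


def parse_purl(text: str) -> Purl:
    """Parse 'pkg:type/namespace/name@version?qualifiers#subpath'."""
    if not text.startswith("pkg:"):
        raise ValueError(f"not a purl: {text!r}")
    rest = text[len("pkg:"):].strip("/")

    # Split off subpath, then qualifiers, then version, in that order, so an '@'
    # inside a qualifier value or subpath is never mistaken for the version separator.
    rest, _, subpath = rest.partition("#")
    rest, _, qualifier_text = rest.partition("?")
    head, sep, tail = rest.rpartition("@")
    version = unquote(tail) if sep else None
    if sep:
        rest = head

    ptype, _, path = rest.partition("/")
    segments = [unquote(seg) for seg in path.split("/") if seg]
    if not ptype or not segments:
        raise ValueError(f"purl needs a type and a name: {text!r}")
    name = segments[-1]
    namespace = "/".join(segments[:-1]) or None
    namespace, name = _normalize(ptype.lower(), namespace, name)

    qualifiers = {}
    for pair in filter(None, qualifier_text.split("&")):
        key, _, value = pair.partition("=")
        if value:  # spec: qualifiers with an empty value are dropped
            qualifiers[key.lower()] = unquote(value)

    return Purl(ptype.lower(), name, namespace, version, qualifiers,
                unquote(subpath).strip("/") or None)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder IDs below, not real identifiers
    affected: tuple    # purls; a purl without a version means "every version"


def affects(advisory: Advisory, dep: Purl) -> bool:
    """True if the dependency's package (and version, when given) is listed."""
    for purl_text in advisory.affected:
        bad = parse_purl(purl_text)
        if bad.key() == dep.key() and (bad.version is None or bad.version == dep.version):
            return True
    return False


def find_affected(dependencies, advisories):
    """Return (dependency purl text, advisory id) pairs for every match."""
    hits = []
    for dep_text in dependencies:
        dep = parse_purl(dep_text)
        for adv in advisories:
            if affects(adv, dep):
                hits.append((dep_text, adv.advisory_id))
    return hits


# Constructed sample data; names, versions and IDs are invented for this example.
CONSTRUCTED_ADVISORIES = [
    Advisory("EXAMPLE-ADVISORY-0001",
             ("pkg:pypi/Example_Parser@1.3.0", "pkg:pypi/Example_Parser@1.4.0")),
    Advisory("EXAMPLE-ADVISORY-0002", ("pkg:npm/%40example/widget-kit",)),
]
CONSTRUCTED_DEPENDENCIES = [
    "pkg:pypi/example-parser@1.4.0",        # differs from the advisory only in case and '_' vs '-'
    "pkg:pypi/six@1.16.0",
    "pkg:npm/%40example/widget-kit@1.3.0?repository_url=registry.npmjs.org",
    "pkg:npm/lodash@4.17.21",
]

if __name__ == "__main__":
    for dep_text, adv_id in find_affected(CONSTRUCTED_DEPENDENCIES, CONSTRUCTED_ADVISORIES):
        print(f"{dep_text} is affected by {adv_id}")
```

The first dependency matches even though the advisory spells the name "Example_Parser", which is exactly the ambiguity the text describes: without a normalized identifier, a scanner comparing raw strings would miss it. Real advisory feeds express affected versions as ranges rather than explicit lists; the matching rule here is deliberately the simplest one that shows the identifier doing its job.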
Strengthening the Open Source Ecosystem
Census III shows the immense value of the open source ecosystem. There are millions of OSS packages, and the most popular ones are used across society. However, vulnerabilities in widely used OSS can also cause serious problems. The findings reveal a dual imperative — supporting maintainers of widely used OSS projects and implementing systemic measures to enhance security.
Simply improving the most popular OSS isn't enough, of course. One of the most common attacks on users of OSS involves convincing developers to download the wrong OSS package. This includes "typosquatting," which involves creating malicious packages with names similar to popular ones to deceive developers into installing them, and "dependency confusion," in which malicious packages are uploaded to public repositories with the same names as internal dependencies. So improving popular OSS as well as strengthening the overall OSS ecosystem are both important.
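Both attacks described above can be caught before installation by auditing a dependency list. The following is an added example, not code from the report, of such an audit for a Python-style dependency list: it flags names within a small edit distance of a popular package (counting a swapped pair of letters as one edit, since transpositions are a common typosquat pattern) or that wrap a popular name in a throwaway prefix or suffix, and it flags internal package names that the resolver would fetch from a public index. The popular-package set, internal-package set, private index URL and dependency list are all constructed for the example.

```python
"""Added example: audit a dependency list for typosquat look-alikes and for
internal package names that would be resolved from a public index
(dependency-confusion candidates). All package lists are constructed."""
from dataclasses import dataclass

# Constructed inputs. A real popular set would come from registry download
# statistics; a real internal set from the organization's private index.
CONSTRUCTED_POPULAR = {"requests", "urllib3", "numpy", "six", "setuptools", "cryptography"}
CONSTRUCTED_INTERNAL = {"acme-billing-core", "acme-auth-client"}
PRIVATE_INDEX = "https://pypi.internal.example/simple"   # hypothetical private index URL
PUBLIC_INDEX = "https://pypi.org/simple"


@dataclass(frozen=True)
class Dependency:
    name: str
    index_url: str   # the index the resolver will fetch this package from


@dataclass(frozen=True)
class Finding:
    name: str
    kind: str        # "typosquat" or "dependency-confusion"
    detail: str


def normalize(name: str) -> str:
    """PyPI treats '_', '-' and '.' as equivalent and names as case-insensitive."""
    return name.lower().replace("_", "-").replace(".", "-")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution and
    adjacent transposition each cost 1."""
    m, n = len(a), len(b)
    d = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m + 1):
        d[i][0] = i
    for j in range(n + 1):
        d[0][j] = j
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[m][n]


def typosquat_candidates(name: str, popular, max_distance: int = 1):
    """Popular names that `name` is a near-miss of. Very short popular names are
    only matched by the affix rule, because one edit away from a 3-letter name
    is too often a legitimate, unrelated package."""
    norm = normalize(name)
    hits = []
    for pop in sorted(popular):
        if norm == pop:
            continue   # the genuine package
        close = len(pop) >= 5 and osa_distance(norm, pop) <= max_distance
        wrapped = any(norm == f"{pre}{pop}{suf}"
                      for pre in ("", "py", "py-", "python-")
                      for suf in ("", "py", "-py", "-python"))
        if close or wrapped:
            hits.append(pop)
    return hits


def audit(dependencies, popular, internal, private_index):
    """Return findings for look-alike names and for internal names served publicly."""
    findings = []
    for dep in dependencies:
        for pop in typosquat_candidates(dep.name, popular):
            findings.append(Finding(dep.name, "typosquat", f"looks like {pop!r}"))
        if normalize(dep.name) in internal and dep.index_url != private_index:
            findings.append(Finding(dep.name, "dependency-confusion",
                                    f"internal name resolved from {dep.index_url}"))
    return findings


# Constructed dependency list exercising each rule once.
CONSTRUCTED_DEPENDENCIES = [
    Dependency("requests", PUBLIC_INDEX),           # genuine popular package
    Dependency("reqeusts", PUBLIC_INDEX),           # transposed letters
    Dependency("python-numpy", PUBLIC_INDEX),       # popular name wrapped in an affix
    Dependency("acme-billing-core", PUBLIC_INDEX),  # internal name, public index
    Dependency("acme_auth_client", PRIVATE_INDEX),  # internal name, private index: fine
    Dependency("numpy", PUBLIC_INDEX),
]

if __name__ == "__main__":
    for f in audit(CONSTRUCTED_DEPENDENCIES, CONSTRUCTED_POPULAR, CONSTRUCTED_INTERNAL, PRIVATE_INDEX):
        print(f"{f.kind}: {f.name} ({f.detail})")
```

The findings are candidates for a human to confirm, not verdicts; a near-miss name can be a legitimate fork or a differently spelled but unrelated project. For the dependency-confusion case the usual structural fix, for pip specifically, is to point the resolver's sole index (`--index-url`) at a private index or proxy that serves both internal and approved public packages, rather than adding the public index with `--extra-index-url`, since with two indexes the resolver is free to pick whichever offers the higher version.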
To address security risks, the Linux Foundation's Open Source Security Foundation (OpenSSF) spearheads initiatives such as Alpha-Omega, which funds efforts to improve the security of critical OSS projects and lower the barriers to entry for new developers on some projects. Additionally, tools like Sigstore and SLSA enhance the OSS supply chain by making it more likely that the source code reviewed by the community matches what users deploy in production environments.
The partnership between the Linux Foundation, Harvard University, and industry leaders in producing this report demonstrates the collective effort to improve the security and sustainability of open source software. By addressing the challenges outlined in Census III, we can ensure OSS continues to drive innovation while safeguarding the digital infrastructure that depends on it.