US Republicans query Linux Foundation about open-source security

Correction — December 28, 2022

The article originally referred to Frank Pallone Jr. as a co-author of the letter. He was only cc'd. Gregg Harper is the other author, not Pallone.

Wednesday, April 4, 2018

On Monday, two Republican US legislators, Greg Walden and Gregg Harper, respectively the chairman of the United States House Committee on Energy and Commerce and the chairman of its Subcommittee on Oversight and Investigations, co-wrote a public letter to Jim Zemlin, executive director of The Linux Foundation, about open-source software (OSS) and improving its security. They requested that Zemlin answer their questions no later than April 16.

The letter contained the following four questions; each of the first two has a further two follow-up questions.

  1. Has the CII [Core Infrastructure Initiative] performed a comprehensive study of which pieces of OSS are most crucial to the "global information infrastructure"?
    1. If not, does the CII plan to perform such a study?
    2. What would the CII need in order to do so?
  2. Has the CII, or any other organizations, compiled any statistics on OSS usage?
    1. If not, does the CII plan to perform such a study?
    2. What would the CII need in order to do so?
  3. In your estimation, how sustainable and stable is the OSS ecosystem?
  4. Based on your response to the previous question, how can the OSS ecosystem be made more sustainable and stable?

Walden and Harper cited Heartbleed as an example, a "critical cybersecurity vulnerability" that in 2014 allowed the compromise of websites, passwords, and millions of medical records. They also wrote that, in response to that vulnerability, The Linux Foundation established a multi-million dollar project, the Core Infrastructure Initiative, intended to improve the global infrastructure of such software.

The politicians noted that large tech companies such as Microsoft, Apple Inc., and Adobe Systems respond more quickly to such critical vulnerabilities than distributors and developers of open-source software do.

Open-source software is "publicly accessible" and usually freely licensed for a wide range of uses, including modification and commercial use. Walden and Harper also expressed praise for open-source software and cited a 2015 survey conducted by Black Duck Software, which found that 78% of companies used such software.
