Hopefully this also introduces standardized auditing of open sourced packages. Just because something is open sourced, doesn’t mean it’s altruistic and not susceptible to malicious actors submitting seemingly innocuous code that gives bad actors a back door.
The xz fiasco earlier this year should encourage every organization to conduct such audits. A code smell could and should be enough for packages to not be supported.
For anyone who has not heard of the “postmaster debacle”, as I; it is a stunning atrocity of government that appears to have affected 3,650 people who were hounded and persecuted and prosecuted for various types of theft and malfeasance even though it was a glitch in the Fujitsu software that caused whatever appeared to have been thefts or irregularities in the accounting that was the basis for the government tyrannical terror descending on these people. It also cause at least four (4) suicides.
I suspect this also has its roots in the European legal tendency to presume guilt and the accused having to prove their innocence, far more than the system has also been poisoned with in the USA. It’s not perfect and getting worse in the USA, but in the past, it would have been incumbent upon the prosecution to prove you actually stole, not just that the system used indicated irregularities. For example there would have to be evidence of money transfers, exceptional lifestyles, video surveillance of stealing money, or at least witness testimony of some kind validating that money was stolen, etc. If something was stolen, it essentially has to be shown what happened to it, i.e., it was in the possession/control of the accused.
> I suspect this also has its roots in the European legal tendency to presume guilt and the accused having to prove their innocence
This scandal took place in the UK, though, not in a European civil code jurisdiction. The concept of "presumption of innocence" originates in English common law.
Under British law, however, courts presume that a computer system is working flawlessly unless proven otherwise, so if computer says guilty it'll be tough to convince a jury that you're not.
And that was made even harder by the massive and continuous perjury by the Post Office when it came to the robustness of the system
The US government, especially the military, is largely allergic to software. This is slowly starting to change, but only in small pockets. I am aware of three software teams in the military but they are highly specialized with small dedicated customers.
I have tried several times to get Node.js into the military on approved software lists for internal development and its a huge struggle. I suspect the main culprits are due to valid security concerns regarding package managers like NPM and old ignorant thinking about open source being either immature or open software being a wide open exploitation vector. That is really tough because there aren't official binaries of Node without NPM and ignorant thinking about open source is really persistent.
I mean… open source IS suffering insecurity issues.
A lot of the supply chain failures I can think of, were open source projects.
I’m not saying node or OSS has no place, but there is more than something to do t being a security issue.
How many years was heartbleed exploitable despite “all the eyes on it”?
The good part about OSS is all the people that can review it, the bad part is all the people that can review it. Now… which one is more incentivized today ignoring a future military use?
It only works when assets are put into hardening existing code.
i can think of no act more deviously effective in bringing down the american empire than introducing the NPM ecosystem into its vital bloodstream, well played comrade!
Yeah, go w/ htmx + vanillajs (or possibly alpine.js or https://github.com/gnat/surreal) would be a reasonable option for many government projects. You can audit the htmx codebase and it is dependency free (same w/ alpine & surreal) and self-host everything, go compiles to a single binary for deployment.
Yes, absolutely. I can manually import the 2-3 packages I regularly use. TypeScript, for example, has no dependencies. The only thing I would miss is ESLint which has a billion dependencies that I wouldn't bother with.
If you can piggyback on an existing system, you may only need to pursue using the RMF assess only process with the gaining system owner. Once the assess only process is approved, the hardware, software and PPSM in the gaining system would be updated to reflect the new components. Those approved software lists don’t get updated very quickly. Using an assess only process may move things ahead more quickly.
For the untested in this subject you’ve got to research about Brazil’s effort to use as much open source as they can at the state level. They’ve been doing so for nearly 20 years.
Yet the Brazilian government releases little of its own code publicly. I'm still waiting for the ballot machine code.
Brazilian government's relation with open technology is such a weird thing. Lula and Dilma government were huge sponsors of free software conferences like FISL, with several ministries and agencies with huge booths and whatnot - but most of their actual technical side was just "we use libre office or Zimbra or whatever". All talk, no action.
One thing that specially made me angry was the lack of commitment with open data. The post office was eager to sponsor conferences, but kept zip code data under lock and key, only allowing a CAPTCHAd query tool for people, and selling API access to companies for huge prices. This was actually only fixed... during the right wing governments that followed (can't remember if Temer or Bolsonaro).
There was a talk about this at this years FOSDEM [0]
Regarding the "Several European countries are betting on open-source software for their technology. In the United States, eh, not so much." I thought software developed by the US govt is public domain? At least that's how I remember sqlite got it's license because it was developed for the US Navy.
Reading the sourced link, it's currently only for federal government institutions, a lot of things, like the "DMV", or social services, are still the domain of the Kantons (equivalent to a US state).
So it's "all" but in a different context to what you might understand as "all". ;)
This doesn't require all software used by Switzerland to be open source. Per the article:
> This new law requires all public bodies to disclose the source code of software developed by or for them unless third-party rights or security concerns prevent it. This "public money, public code" approach aims to enhance government operations' transparency, security, and efficiency.
Sounds great. Except that as a company, you can now only deliver services to this government. No products, since you will lose your competitive advantage. This is a big disadvantage for for instance startups that target this market.
Good ideas finally need government backing and adoption to scale and sustain. OSS has been facing tough times since cloud providers like AWS came in. Moves like this will help keep the open source spirit alive. Really proud to see this and hope more governments go this way.
43 comments
[ 2.7 ms ] story [ 85.5 ms ] threadGovernments not knowing what their software is doing is a recipe for chaos.
Hopefully this also leads to more audits of said code.
The xz fiasco earlier this year should encourage every organization to conduct such audits. A code smell could and should be enough for packages to not be supported.
https://en.m.wikipedia.org/wiki/British_Post_Office_scandal
I suspect this also has its roots in the European legal tendency to presume guilt and the accused having to prove their innocence, far more than the system has also been poisoned with in the USA. It’s not perfect and getting worse in the USA, but in the past, it would have been incumbent upon the prosecution to prove you actually stole, not just that the system used indicated irregularities. For example there would have to be evidence of money transfers, exceptional lifestyles, video surveillance of stealing money, or at least witness testimony of some kind validating that money was stolen, etc. If something was stolen, it essentially has to be shown what happened to it, i.e., it was in the possession/control of the accused.
This scandal took place in the UK, though, not in a European civil code jurisdiction. The concept of "presumption of innocence" originates in English common law.
And that was made even harder by the massive and continuous perjury by the Post Office when it came to the robustness of the system
https://www.gov.uk/guidance/be-open-and-use-open-source
I have tried several times to get Node.js into the military on approved software lists for internal development and its a huge struggle. I suspect the main culprits are due to valid security concerns regarding package managers like NPM and old ignorant thinking about open source being either immature or open software being a wide open exploitation vector. That is really tough because there aren't official binaries of Node without NPM and ignorant thinking about open source is really persistent.
A lot of the supply chain failures I can think of, were open source projects.
I’m not saying node or OSS has no place, but there is more than something to do t being a security issue.
How many years was heartbleed exploitable despite “all the eyes on it”?
The good part about OSS is all the people that can review it, the bad part is all the people that can review it. Now… which one is more incentivized today ignoring a future military use?
It only works when assets are put into hardening existing code.
What's on the approved stack? I imagine .Net and Java/spring are the standard, right? anything else like php, python, go etc?
I feel like it's pretty much one of the worst runtimes/scripting languages if you can't utilize it's ecosystem.
https://opensource.com/government/12/8/brazil-forefront-open...
Brazilian government's relation with open technology is such a weird thing. Lula and Dilma government were huge sponsors of free software conferences like FISL, with several ministries and agencies with huge booths and whatnot - but most of their actual technical side was just "we use libre office or Zimbra or whatever". All talk, no action.
One thing that specially made me angry was the lack of commitment with open data. The post office was eager to sponsor conferences, but kept zip code data under lock and key, only allowing a CAPTCHAd query tool for people, and selling API access to companies for huge prices. This was actually only fixed... during the right wing governments that followed (can't remember if Temer or Bolsonaro).
Regarding the "Several European countries are betting on open-source software for their technology. In the United States, eh, not so much." I thought software developed by the US govt is public domain? At least that's how I remember sqlite got it's license because it was developed for the US Navy.
[0] https://fosdem.org/2024/schedule/event/fosdem-2024-3401-the-...
So it's "all" but in a different context to what you might understand as "all". ;)
Some more discussion earlier this month: https://news.ycombinator.com/item?id=40852084
> This new law requires all public bodies to disclose the source code of software developed by or for them unless third-party rights or security concerns prevent it. This "public money, public code" approach aims to enhance government operations' transparency, security, and efficiency.
Don't target that market if you don't like the terms. Someone else will. I will.