Google recently announced a $100 million donation to organizations that manage open-source security priorities and assist with vulnerability fixes, and it has now revealed eight of the projects it will fund. The Linux Foundation recently stated that it will directly support persons working on open-source project security. Google, Microsoft, the Open Source Security Foundation, and the Linux Foundation Public Health Foundation have all endorsed it. When problems are discovered, the Linux Foundation coordinates fixes.
The foundation and its colleagues will use the Open Source Technology Improvement Fund’s (OSTIF) security assessments to hunt for previously discovered problems. Two Linux kernel security audits are among these initiatives.
The Open Source Technology Improvement Fund is a non-profit corporation committed to improving the security of open-source software. OSTIF makes it simple for projects to dramatically improve security by enabling security audits and reviews.
“Google’s support will allow OSTIF to launch the Managed Audit Program (MAP), which will expand in-depth security reviews to critical projects vital to the open-source ecosystem,” said Kaylin Trychon, a security comms manager on the Google Open Source Security team.
OSTIF selected 25 essential projects for MAP, which were then prioritized to determine the eight that will get Google funding. Trychon explains that the eight chosen projects, which include libraries, frameworks, and applications, were chosen because enhancing their security will have the most influence on the open-source ecosystem.
Along with five other Java-related projects, these eight projects include Git, a prominent version control software, Lodash, a JavaScript utility library, and Laravel, a PHP web application framework. Git, the “de facto” version control software established by Linux kernel founder Linus Torvalds and which forms the backbone of platforms like GitHub and GitLab, is perhaps the largest of the eight audit projects Google is sponsoring.
Well-known systems and tools used by developers, such as the Drupal and Joomla web content management systems, webpack, reprepro, cephs, Facebook-maintained React Native, salt, Gatsby, Google-maintained Angular, Red Hat’s Ansible, and Google’s Guava Java framework, are among the projects with funding pending support.
Google made a $10 billion commitment to boosting zero-trust programmes, securing software supply chains, and enhancing open-source security following a meeting between US President Joe Biden and leading US tech corporations last month.