Linux Foundation's 'Census II' of Open Source Libraries Urges Support, Security, and Standardization

“Much of the most widely used free and open source software is developed by only a handful of contributors,” warns the Linux Foundation, in the executive summary for its massive new census of free and open source software application libraries. It was prepared in conjunction with Harvard’s Laboratory for Innovation Science — and that’s just one of its five high-level findings.

The census also notes “the increasing importance of individual developer account security,” but also the persistence of legacy software, the need for a standardized naming schema for software components, and “complexities” around package versions. But there’s also just a lot of data about package popularity, writes SD Times:

The report, Census II, is a follow-up to Census I, which was conducted in 2015 to identify the packages in Debian Linux that were most critical to the operation and security of the kernel. According to the Linux Foundation, Census II allows for a more “complete picture of free and open source (FOSS) adoption.”

“Understanding what FOSS packages are the most critical to society allows us to proactively support projects that warrant operations and security support,” said Brian Behlendorf, executive director at Linux Foundation’s Open Source Security Foundation (OpenSSF).
The census “aggregates data from over half a million observations of FOSS libraries used in production applications at thousands of companies,” according to its executive summary. It argues that preserving FOSS will require this kind of data-sharing (about where and how FOSS packages are being used ) as well as coordination — including standardizing terminology — and of course, investment.

“The motivation behind publishing these findings is to not only inform, but also to inspire action by developers to improve their security practices and by end users to support the FOSS ecosystem and developers who need assistance.” (It suggests companies companies could provide not just financial support but also the technical talent and their time.)The results take the form of eight Top 500 lists — four that include version numbers in the analysis and four that are version agnostic. Further, as mentioned above, we present npm and non-npm packages in separate lists… Although these lists provide valuable, important insights into the most widely used FOSS projects, it is important to also consider the level of security related to these projects. Therefore, in each list, we also include the “Tiered %” measure from the OpenSSF Best Practices Badging Program…

1 Like