State of open source: Computer Weekly Downtime Upload podcast

Listen to this podcast

In this special edition of the Computer Weekly Downtime Upload podcast, OpenUK’s Amanda Brock speaks to Cliff Saran about open source challenges

OpenUK’s latest State of open report came out in July, covering growth of open source software in the UK. Among the headline figures is that the total investment by UK companies sits somewhere between £4.87bn and £5.65bn. While this represents a significant expenditure, Amanda Brock, CEO of Open UK, says the amount being spent on open sourced is 29 to 34 times more than the money being spent on digital infrastructure through the levelling-up fund. “I think it is incredible,” she said. 

Behind these figures, Brock believes a shift in open source is happening. She said: “I think it’s a given that open source is being used everywhere. Now the models are shifting slightly to focus on how we bring value to the end-user, whether that’s enterprise or the public sector.”

Brock believes such values are achieved through what she calls “curation”, which brings together the skills and services required by the enterprises that want to deploy open source within their overall IT strategy.

For Brock, governance is one of the top priorities for the open source community.  Open source governance ensures that the right technical expertise is involved in projects and how this is funded. Brock would like people to appreciate that there is a cost involved in the development and upkeep of open source code, even if there is no licensing fee. There is a cost associated with maintenance and the cost of implementation.

Cost of maintenance was the top priority among the respondents surveyed as part of the OpenUK study. Based on a survey of 243 organisations, 44% said they see cost of maintenance as a key challenge of open source.

This cost is associated not only with keeping open source projects fresh and adding new features, but is a key element in ensuring open source code is secure and that any vulnerabilities are patched as quickly as possible.

OpenUK also reported that sharing code via repositories based on Git, although crucial for distributed collaboration, innovation and skill development, is also necessary for quality control. OpenUK’s study found that 77% of organisations involved in the distribution of their code as open source software use Github.com, followed by self-hosted Gitlab (12%) and Gitlab.com (11%). Azure DevOps and BitBucket are used by 3%, while gitee.com is used by 2%.

These repositories offer a gateway to open source projects. Source code can be automatically pulled into application code, which enables software developers to take advantage of new open source functionality without having to “reinvent the wheel” by writing all the code themselves.

However, attacks such as Log4j have highlighted the inherent risks associated with open source components. How quickly can the vulnerability be fixed? How many applications are impacted by the vulnerable open source component? Who is responsible for fixing the vulnerability?

Earlier this year, following a meeting with government and industry leaders at the White House, OpenSSF announced the Alpha-Omega Project to improve the security posture of open source software. Microsoft and Google are among the organisations supporting the project.

At the time, Mark Russinovich, chief technology officer at Microsoft Azure, said: “Alpha-Omega will provide assurance and transparency for key open source projects through direct engagement with maintainers and by using state-of-the-art security tools to detect and fix critical vulnerabilities.”

Eric Brewer, vice-president of infrastructure and fellow at Google, believes automation will be one of the greatest improvements for open source security.

It is something the open source repository GitHub has begun implementing. Earlier in August, GitHub introduced an automated alert mechanism to enable developers to address vulnerabilities in the open source components that their code uses.

Read more about open source governance