xz incident shows the need for structural change
By Adriana Groh
In STF
At Sovereign Tech Fund, we're following the xz incident closely and listening to the many voices in the FOSS maintainer community.
There are clear signs that this is a sophisticated attack, but experts are still analyzing it, and it seems we won't know all the facts for a while. At this time, we don't want to point at any single cause and certainly don’t want to suggest a quick fix. We would, however, like to point out again the huge importance of digital infrastructure, which is regrettably overlooked and invisible to most of us.
xz is merely the most recent example to illustrate how important the open source ecosystem is for all of us. At the same time, it shows very clearly how serious the structural issues are: for example, not enough new contributors, too few experienced contributors, too little recognition, and not enough (long-term) support from various stakeholders. One consequence is burnout among unpaid volunteers, which is unfortunately not a rare occurrence. If we keep ignoring these systemic issues, this house of cards will be our undoing (see our favorite xkcd comic).
A great many companies and organizations incorporate and use critical open source components without ensuring that they are maintained and secured at all. We see this kind of maintenance as an undertaking that is in the public interest. It should not be the responsibility of unpaid volunteers alone, nor should it rest wholly on the private sector. It's a task whose importance society as a whole needs to acknowledge, and should be prioritized accordingly.
As we saw with Heartbleed (2014), Log4Shell (2021) and other incidents, foundational open source technologies are essential parts of modern digital infrastructure. They underpin all (not just digital) endeavors, both in the public and private sectors. Just as physical infrastructure like roads, railways, and water systems is constantly being maintained, these digital components also need to be serviced and updated in order to serve as the foundation for digital sovereignty, a successful economy, and a resilient democratic society.
Since the creation of the Sovereign Tech Fund, we have been exploring different support mechanisms to fulfill our mission of supporting the development, improvement, and maintenance of open digital infrastructure. We are currently working on more ways to tackle these challenges. Financial support for the people behind the code is a good first step and an important building block. However, to increase the long-term success of our mission, complementary and reinforcing mechanisms are needed. We are in contact with maintainers and FOSS communities as we develop and test these additional mechanisms. Our areas of focus include improving software maintainability, increasing bug resilience, better developer tooling, reducing technical debt, and expanding the communities of FOSS contributors.
We welcome you to share your ideas, feedback, or constructive criticism with us. Through Sunday, 7 April 2024, we are especially eager to hear from open source maintainers who would like to fill out our fellowship pilot program survey. The Sovereign Tech Fund is on Mastodon, LinkedIn, Bluesky and Twitter. Subscribe to our email newsletter and RSS for updates.
We see the creation of and commitment to the Sovereign Tech Fund by SPRIND and the German Ministry for Economic Affairs and Climate Action as a clear sign of the increasing awareness of the open source ecosystem’s significance. We hope that our plans for the future will inspire many others to join us in this work and have a lasting impact together. Incidents like xz – others will surely follow – show that we have a major task ahead of us for the foreseeable future.