FOSS Security, and Transparency at the Linux Foundation

admin Saturday March 13, 2021

In December, the Linux Foundation released a report on its 2020 FOSS Contributor Survey. The most important and discussed takeaway was weakness in security (Need to Increase Security). At the core of that finding is that section's very first paragraph, which starts as follows.

Linux Foundation wrote:
One of the survey goals was to understand the state of security in FOSS, and indeed it found that respondents report spending very little of their time on responding to security issues (an average of 2.27% of their total time spent). Moreover, the respondents do not report a desire to increase this significantly; in fact, the average of percent of time reported they would like to spend on security was only 0.06% higher.

These figures are obviously eyebrow-raising. The flagrant error in the figure number right after in that same paragraph surely doesn't help trusting, so I checked. Unfortunately, the report gives no explanation at all about how these figures were computed. And I couldn't reproduce these figures interpreting survey data.

But my third surprise would be even greater. I checked what others were saying about the topic - and found nothing. Not because no one questioned or challenged, but because the Linux Foundation provides no means at all to report an issue in that report.

That is right. The report indicates it was updated to fix errors, but suggests no way to report remaining errors. And that's just the tip of the iceberg; the Linux Foundation, in general, does not offer any system to track its issues. Nor does it even offer any forum to discuss such matters. Its tens of mailing lists are all project-specific. That, from an organization which suggests greater transparency, no further than in that very report… if FOSS is short on security, it sure isn't on irony!

The ultimate surprise would take a little longer. Having no other option, I questioned the foundation in the only possible way, via its contact form:

Regarding the Report on the 2020 FOSS Contributor Survey, how do you translate survey data into the figures in the first paragraph of section 2. Need to Increase Security (High-Level Takeaways & Suggested Actions, page 31)?

The form didn't even send me a copy of my message. But it said I would get a reply within 2 business days.

I have been waiting for 3 business weeks.

I will of course update this as soon as the Linux Foundation replies. But until the foundation is built on stronger foundations, none of its publications should be taken at face value.