OpenJS Foundation’s Leader Details the Threats to Open Source
Before and after the XZ Utils backdoor vulnerability was discovered in late March, the OpenJS Foundation got inquiries from would-be contributors to open source JavaScript.
Many of those inquiries raised no alarm bells. “JavaScript communities are very much volunteer-led, as opposed to some corporate-led open source projects,” said Robin Ginn, executive director of the OpenJS Foundation, in this episode of The New Stack Makers.
“And of course, they’re overwhelmed, and we’re always trying to recruit new contributors, and so you get emails all the time, and you have contributions all the time, and those are very welcome.”
But after the news broke of how a single contributor, “Jia Tan,” planted a backdoor in XZ Utils, Ginn said, some emails “triggered that Spidey sense that maybe something was a little off. And I think it was. It was them asking for admin privileges to take over a project, and that is something that usually takes some time to earn.”
In this episode of Makers, Ginn spoke to Alex Williams, founder and publisher of TNS, about the impact of episodes like XZ on open source communities and the organizations that use open source code, how security differs from trust in working with open source software and the struggle to secure resources for project maintainers.
The XZ Utils example, Ginn said, clarified the difference between trust and security.
“Security has always been critical for open for any kind of developer, any sort of engineer,” she said. “But when you hand over the keys to your kingdom, your GitHub repository, you need to trust the people who are accepting changes to your codebase. So I think we found trust is not security, which I think we already knew, but it really hit home.”
Too Many Single-Maintainer Projects
The XZ vulnerability, Ginn said, is “likely not an isolated incident.”
In the days after the news about XZ broke, her foundation and the Open Source Security Foundation (OpenSSF) released a joint statement saying they had foiled a hacker’s attempt to gain access to the OpenJS software library last November.
“The XC Utils had the one person identified. In our case, we saw multiple GitHub IDs, overlapping emails, avatars and things like that,” Ginn told Williams. “But they are real people, probably some bad actor somewhere who is not only getting close to understanding the code, but they’re also understanding how our open source communities work.”
The New Stack has previously written about the crisis in recruiting and compensating open source project maintainers. With nearly all websites using JavaScript, it’s especially alarming, Ginn said, that its maintainers remain so overmatched.
“We have Red Hat, who has a couple of people who work part of their day job is to support the Node.js project, and that’s fantastic,” she said. “Microsoft and Slack have employees contributing to Electron. But I would say probably 90% of our contributors are volunteers.”
Those nights-and-weekend maintainers have a lot to do, she added, noting that Node.js, jQuery, Webpack and other JavaScript projects have been around for many years. “So either you have a small group of maintainers, or sometimes even one maintainer, which is pretty common for JavaScript. I think if you look at some other open source projects, they require three maintainers and double checks. JavaScript as a whole has a lot of single maintainers.”
In 2023, the OpenJS Foundation received a €800,000 grant (roughly $893,000) from Germany’s Sovereign Tech Fund. The grant “almost doubled our budget,” Ginn said, but the foundation is still thinly resourced. “We have 35 open source projects and only two full-time staffers working to support those projects and those volunteers.”
A better long-term solution, she said, is for more of the companies that rely on open source software to pay their employees to take more responsibility for maintaining it.
“The best way to pay an open source maintainer is definitely to hire them, give them a full engineering role, or documentation or marketing. There’s lots of ways to contribute.”
Check out the full episode for more from Ginn, including how you can find out if your organization’s website is using outdated open source software (most sites are) and what’s new with jQuery.
Clarification: A previous version of this article stated that the OpenJS Foundation received an increased number of inquiries from aspiring project contributors after the XZ Utils vulnerability was discovered. The foundation has received a continuous stream of inquiries, with no spike after the XZ incident.
