In a significant move towards enhancing global digital infrastructure security, seven prominent open source foundations have announced their collaboration to establish common specifications for secure software development.
The Apache Software Foundation, Blender Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation, Rust Foundation, and Eclipse Foundation are joining forces to address the complex challenges of cybersecurity in the open source ecosystem and to demonstrate their commitment to implementing the European Union's Cyber Resilience Act (CRA).
The CRA, recently introduced by the European Union, sets forth rules on software development, testing, auditing, and support to ensure more secure software.
Given the critical role of open source software in today's digital infrastructure, the CRA has far-reaching implications for the open source software ecosystem. In response, the seven foundations are forming a working group to tackle these challenges head-on.
The working group's initial focus will be to compile and evaluate the existing security policies, procedures, and best practices maintained by the respective open source foundations and communities.
These industry-standard practices have been developed and refined over the years, serving as a strong foundation for the group's efforts. By leveraging these best practices, the working group aims to accelerate the development of cohesive cybersecurity processes that meet regulatory compliance requirements while fostering an open and neutral environment for technical discussions within the broader open source community.
Neutrality is a core principle of this collaborative effort. The Eclipse Foundation AISBL, based in Brussels, will host the new working group under the Eclipse Foundation Specification Process. The working group's governance will adhere to the Eclipse Foundation's established member-led model, with the addition of explicit representation from the open source community to ensure diversity and balance in decision-making. This approach guarantees that the interests of all stakeholders, including foundations, vendors, and communities, are fairly represented.
The working group's deliverables will include one or more process specifications, which will be made available under a liberal specification copyright license and a royalty-free patent license. This open and accessible approach ensures that the resulting cybersecurity processes can be widely adopted and implemented by the open source community and beyond.
The formation of this working group marks a significant step forward in the collaborative effort to enhance cybersecurity in the open source ecosystem.
By pooling their expertise and resources, the seven participating foundations are demonstrating their unwavering commitment to developing robust, standardized processes that will contribute to a more secure digital landscape.
As the group commences its work, the open source community and the wider technology industry eagerly await the outcomes of this groundbreaking initiative, which has the potential to reshape the future of secure software development.