Google Will Start Distributing a Security-Vetted Collection of Open-Source Software Libraries

Google announced a new initiative Tuesday aimed at securing the open-source software supply chain by curating and distributing a security-vetted collection of open-source packages to Google Cloud customers. From a report: The new service, branded Assured Open Source Software, was introduced in a blog post from the company. In the post, Andy Chang, group product manager for security and privacy at Google Cloud, pointed to some of the challenges of securing open-source software and stressed Google's commitment to open source. "There has been an increasing awareness in the developer community, enterprises, and governments of software supply chain risks," Chang wrote, citing last year's major log4j vulnerability as an example. "Google continues to be one of the largest maintainers, contributors, and users of open source and is deeply involved in helping make the open source software ecosystem more secure." Per Google's announcement, the Assured Open Source Software service will extend the benefits of Google's own extensive software auditing experience to Cloud customers. All open-source packages made available through the service are also used internally by Google, the company said, and are regularly scanned and analyzed for vulnerabilities.

Sorry , no go.

[hebertrich]

I would never in a hundred years be able to trust anything coming out of Google.
Sorry .. my instincts tell me to be extremely cautious of them .
What have they added in there to spy on us ? That's a super important question.
Google approved means what .. NSA and Google backdoored libs ?
I mean , the way they behaved till now spying and milking everyone's data for their benefit and profit only makes me more worried about using their so called " trustable libraries"

Re:Sorry , no go.

[jellomizer]

It is open source, so if you don't trust google, you can check out the code yourself and see if there is anything that Google will take advantage of. You can also compare it with the Official Source channel and check the differences.

Unfortunately life isn't about clear good guys and bad guys. We have Good guys who do bad things from time to time. And bad guys who do good things as well.
Google and Apple, for the most part actually have been rather good with security, considering how much exposure they get, and the amount of profit it would be for someone to break in to all these accounts.

We know that Googles business model is targeted advertisements based on our data. They normally don't give the data to advertisers, but show us ad's based on the data we provide them. I am not comfortable about this, however being Google has been around for a while now without a major security problem, compared to say the likes of Microsoft.

Re:

[oldgraybeard]

"Unfortunately life isn't about clear good guys and bad guys" when it comes to big tech the good guys and bad guys are perfectly clear. Big Tech for the most part are ideological crazies and parasites.

Re:

[jellomizer]

Big Tech isn't a bunch of mustache twirling villains. Neither are the Democrats or Republicans, Liberals or Conservatives... They are a group of people...
People on a whole tend to amplify many of the negative traits a person may have. As a person will identify with a particular set of groups not to share a common good, but to protect themselves from a common threat, as people will be more risk adverse than reward motivated.

Tech companies want to make money, a lot of it, so they can grow and be more and be

Re:

[ocean_soul]

I would consider Google a more evil entity than Microsoft nowadays.

Re: Sorry , no go.

[NagrothAgain]

Well, if you go by their "track record" then no, it wouldn't have any NSA hooks in it.

Re:

[muh_freeze_peach]

RTFA FFS

Re:

[Pascoea]

Welcome to Slashdot. Orientations are on Wednesdays and Fridays.

Re:

[znrt]

what they essentially do is fuzz test opensource code and register any vulnerabilities found in a public database, besides notifying the respective developers. they have been doing this for years and have signaled a ton of bugs that way and i can't see anything wrong or suspicious on that.

what's different now is that they offer that curated code in a trusted distribution process blablabla to customers of google cloud to consume. i would assume such customers are already willing to trust google, and google w

Re:

[Uldis Segliņš]

If the repository is on their systems, then it is sus, yes. But if they vet outside repos and mark them as "this version is approved", then it could be ok. At least doing it with identifable hashes, so exact copy on their repos would be same as external. If we accept their repos with unknown internal contributions, they could add security backdoors in plain sight. Unfortunately they are under US law, that makes it illegal to reveal if you even have been asked of backdoor creation.

Excited to see where this goes

[polotheclown]

Hopefully the Open Source Maintenance Crew cant help maintain some of the stuff as well, as this could become critical tools at companies.

Google Approved?

[oldgraybeard]

Only if I can compile anything they approve from source.

Does this comply with the licenses?

[Xylantiel]

The wordings in the summary and story come rather startlingly close to being direct violations of copyleft type licenses. In a copyleft scenario, while google-internal versions don't trigger required public distribution, surely provision to "cloud customers" would. For the cynical this looks a lot more like embrace and extend or software-as-a-service than is usually thought to be compatible with using the words "open source" when claiming something positive. This looks a lot like "we'll make our in-house library versions available to our customers by pretending that isn't distribution and worry about complying with the license later." Basically privatizing publicly available code and trying to spin it as something else. But, as ever, the devil will be in the details.

Re:Does this comply with the licenses?

[Guillermito]

Open source licenses generally don't disallow charging for redistribution.

For example, quoting from the GPL "preamble": "When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish)"

Based on the blog post referenced by the article, it doesn't look like Google will be having their own internal versions of the libraries with bug or vulnerability fixes only available to paying customers. They will just provide the same code available elsewhere, and only "rubber stamp" it after scanning it for vulnerabilities, plus distributing the copy of the code from Google servers that are presumably secured against tampering from third parties.

As long as this "vetting" process is the only thing Google is charging for, I don't think they would be out of compliance.

Re:

[mmell]

I don't think they intend to bill for it specifically - they're just providing their cloud customers access to their privately curated library of open source software. Even if they do bill for it, I don't see a problem here. It's their curated archive; they deserve to be compensated for the service they provide. I don't see a conflict here with any of the Open Source licenses I've ever seen.

No thank you

[ocean_soul]

Trusting Google, that's gonna be a hard nope.

Nothing wrong with this.

[Petersko]

How many companies have the time, money, ability, or willingness to perform comprehensive security audits on all the libraries they use? Damn few. Google is saying, "You know what? We'll do it. You can offload that responsibility with a pure monetary exchange."

Absolutely nothing wrong here. They aren't selling the software. They're selling their opinion on the software. And that's a useful commodity in the right context.

That's also a bit simplified... a quick search on the service shows it's complex... but they're likely compliant with the letter and spirit of all licenses involved.

Re:

[QuietLagoon]

{{{ - Absolutely nothing wrong here. - }}} --- Sorry, I do not have the time to look through all of the source code google provides to see what google may have added to the code which might make it more than just a "pure monetary exchange.". The problem seems to be that google has lost the trust of many. Maybe google should create a project to work towards regaining that trust.

Re:

[Petersko]

And how would you propose that be done? And is it in their best interest to pursue that at great cost? What's in it for them?

Regardless, perhaps Google has lost the trust of many people "here", but most of us aren't their sales target. They need to sell to D- and C- level folks.

And lots of those folks view the world through eyes that see only two paths - offload the risk by buying the "insurance", or ban Open Source outright.

Re:

[QuietLagoon]

{{{- And is it in their best interest to pursue that at great cost? What's in it for them? -}}} --- Both of those are google's problem, not mine. Google has lost trust, and it seems to be getting worse as more people come to that realization. At what point does/should google care? That's their problem.

My dystopian take.

[AcidFnTonic]

My dystopian take, the government wants to use known-plaintext attacks against lots of the open source supply chain but those pesky people don't use single-distributed-binaries and instead have the GALL to compile things themselves which of course means non-standard memory layouts which thwarts the WHOLE POINT of my embedded management-engine spy apparatus.

What I *REALLY* need is a way to keep open source users on exact known code-bases so I can easily snag anything out of memory that I desire. Apache passwords and such in the good-ole days were always in known spots so we worked hard to subvert all computers via management engines only for the contents of memory to not be where I was expecting them to be after I did all this hard work!

I was *expecting* to be able to search for known plaintext names in encrypted disk partitions and it would be FAR easier if I could easily decrypt them by simply knowing the plaintext of a lot of binaries that should be on that system. You guys compiling your own stuff randomizing these things is extremely bad for national security.

So to fix this we have decided to get together and distribute exact binary copies of these things you guys compiled on your own, so we can get back to knowing exactly which exploits will work and more importantly getting a lot of known plaintext inside those encrypted disk partitions!

Extend

[MostAwesomeDude]

This is the "extend" in "embrace, extend, extinguish."

I am suspicious.

[oldgraybeard]

I keep thinking that in the future Google will start doing compiled library binaries (think Nvida). After all, how else can Google keep things secure. In reality the goal will be to hide the ad crap and data collection for future sale which is Googles' life blood.

NodeJS, positioning

[mattr]

So, like if they provided a security locked down snapshot of NodeJS libraries that might be useful.. until people depend on it and then Google stops offering the service. They do need to provide the source code to non-customers too I would think though, so why not just become the good guy and not limit it to their customers?