The German Government's Sovereign Tech Fund For OSS
Written by Nikos Vaggalis
Friday, 29 December 2023
An initiative by the German Federal Government aims to strengthen the important role Open Source Software plays in modern society. Open Source Software powers everything, from modern servers, to IoT, to the desktops at work and, as it seems, it is at the heart of European Union systems too. In "European Union Will Pay For Finding Bugs In Open Source Software" we covered the Office's initiative of offering bug bounties on popular open source software, selected according to its actual use by public services across the European Union. That list comprises:
The current OSS hardening movement was kickstarted by an older initiative, the Free and Open Source Software Audit (FOSSA) project, thanks to Julia Reda, MEP of the EU Pirate Party, who started the project thinking that enough is enough after severe vulnerabilities were discovered in key infrastructure components like OpenSSL. This prompted her to involve the EU Commission in contributing to the security of the Internet.

The Sovereign Tech Fund started life in October 2022, financed by the German Federal Ministry for Economic Affairs and Climate Action, and has a lot to spend: 11.5 million EUR for 2023 alone. Its goal is to "sustainably strengthen the open source ecosystem, focusing on security, resilience, technological diversity, and the people behind the code", therefore sharing FOSSA's principles. According to its mission statement:

We often don’t notice how much our lives depend on digital infrastructure until it stops working. But making it available, accessible and secure is key for digitalization in the public interest. The Sovereign Tech Fund invests in open digital infrastructure. We understand this to be foundational technologies that enable the creation of other software. These trusted components — for instance, libraries and standards — are openly accessible and free to use. As a result, open digital infrastructure is critical for innovation and economic growth, and forms the foundation for digitalization across sectors.

But unlike FOSSA, it does not focus only on the security aspect of OSS; it adopts a more general outlook that also covers maintenance, documentation, usability, reliability and bug fixes. As such, since October 2022 it has allocated funds to projects like curl, Drupal, Fortran, the Python Package Index, OpenPGP.js/GopenPGP, OpenSSH, etc.

Sovereign Tech Fund founders Adriana Groh & Fiona Krakenbürger (Credit: Ben Mergelsberg)
From that list of projects it is evident that the Fund does invest in projects that benefit and strengthen the open source ecosystem: package managers, open implementations of communication protocols, administration tools for developers, digital encryption technologies and libraries for programming languages. The last category, that of libraries, is very important, since these libraries are the basis of everybody's software supply chain, powering thousands of end user applications. So, as with FOSSA and the OpenSSL library, it was also very refreshing to see that the Fund has sponsored two very popular Java logging libraries, Logback and Log4j, and we know what kind of commotion especially the latter has generated. The reasoning behind their funding goes like this:

Java remains a widely used programming language internationally, and logging is a common function required in most programs. System administrators and programmers around the world embed logging libraries into data centers, enterprise servers, network technologies, and system components, making these libraries critical digital infrastructure in businesses and administrations. Therefore, when a security vulnerability exists in a logging library, it can have a very wide impact. This became a reality in 2021 when a critical vulnerability was discovered in the other widely used Java logging library Apache Log4j 2, called the log4shell. Logback and Log4j 2 are both Java logging libraries, yet due to different architectural choices, they both have their advantages and drawbacks in certain situations. In order to reduce the likelihood of a similar scenario to log4shell occurring in the future, it’s important to invest in the maintainability of logging libraries at large, ensure ease of adoption, and offer a variety of implementations. That way, software developers can choose the right library for their situation and still be safe from vulnerabilities.
It is hard to overstate the impact of the Log4Shell vulnerability. It affected billions of applications and services all over the world, in all kinds of industries and sectors, because Log4j is used in so many contexts. As such, the STF has been working to improve the release pipeline, documentation, source code repository structure and efficiency of Log4j, as well as introducing fuzz testing and a performance testbed. In detail:

Infrastructure Enhancement:
Code Quality and Documentation:
Compatibility and Testing:
In the case of logback, the funds are directed to maintainer Ceki Gülcü to continue to perform maintenance work, such as fixing bugs and vulnerabilities, and working on further improvements to the logback, SLF4J, and reload4j libraries. In addition, some work will be done to adapt logback to the latest version of the Java Development Kit and to GraalVM, a high performance Java virtual machine.

That said, you do not have to manage such a high-value project to get funded. If you manage an open source project that falls within the category of project the Fund looks for, feel free to make a submission through the Fund's online application form, and who knows, you might be the next one to be funded!

In conclusion, this newest fund highlights once again the societal relevance OSS has: technologies from which a broad public benefits or on which particularly vulnerable groups depend. The public interest in these technologies is not measured solely by the number of users, but also by their criticality in particularly important areas of society.