The Linux Foundation has laid the foundation for the software industry to comply with the new Executive Order.
The recent cybersecurity-focused executive order (EO) by the Biden Administration touches on several issues important to the open-source community. Kate Stewart, VP of Dependable Embedded Systems at The Linux Foundation (LF), finds that the EO lines up with a lot of projects the Linux Foundation has been working on. On top of that, the Linux Foundation has already made a fair amount of progress in some of the directions the executive order is looking to move the industry towards.
For example, the executive order sets out criteria for what security software is, and the Secure Software Foundation is tracking a lot of these issues. To that point, Stewart brings up the Zephyr Project (a project created to deliver a best-in-class real-time operating system for connected, resource-constrained devices), which has had security teams since the very beginning and has begun focusing on the issues the EO asks for. With that in mind, the Linux Foundation is aligning all of its projects to ensure it can deliver a secure supply chain.
One particular project is Open Chain, which is the international standard for open source license compliance. According to Stewart, “What Open Chain has been looking at is how companies handle software, how they create that inventory, and can you trust it when they export that inventory?” And since becoming an ISO standard last December, Open Chain has become prescriptive about what companies should do. As for other projects, Stewart says, “There’s a variety of projects at the Linux Foundation, under the automated compliance tooling umbrella, that are used for generating a software bill of materials or consuming them. So we’ve got these projects sitting there to help in the general space. And then in specific spaces, we’ve got various projects that are working on generating a software bill of materials directly, like Zephyr.”
The discussion then centers on the Zephyr project. The resource-constrained space has numerous challenges of its own, and one of the biggest is knowing what is inside those tiny devices. SBOMs (software bills of materials) describe what software is running on a device, so when people flash firmware onto their devices they know what is there. If a known vulnerability turns up in one of the included packages, the SBOM tells them exactly which version is on the device at any given time, so they can fix it. You are not going to climb a tree to update the firmware of a device you have installed up there. SBOMs help companies keep track of that inventory, keep their devices safe and secure, and comply with the Executive Order.
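To make the "consuming an SBOM" side of this concrete, here is an added example (not code from the page, Zephyr or the Linux Foundation) that reads a constructed SBOM in SPDX tag-value style, a common SBOM format assumed here, and checks each package's exact version against a constructed, made-up advisory list; it also surfaces packages the SBOM lists without a version, since those cannot be checked at all.

```python
"""Consume a minimal SPDX tag-value SBOM and flag packages whose exact
version appears in a constructed list of known-affected versions."""
import re

# Constructed sample SBOM in SPDX tag-value style (not from a real device).
SAMPLE_SBOM = """\
SPDXVersion: SPDX-2.2
DocumentName: constructed-firmware-sbom
PackageName: zephyr-kernel
PackageVersion: 2.6.0
PackageName: mbedtls
PackageVersion: 2.26.0
PackageName: lwip
PackageVersion: 2.1.2
PackageName: tinycrypt
"""

# Constructed advisory data (made-up entries): package -> affected versions.
KNOWN_AFFECTED = {
    "mbedtls": {"2.26.0"},
    "lwip": {"2.1.0", "2.1.1"},
}

TAG_RE = re.compile(r"^(PackageName|PackageVersion):\s*(.+?)\s*$")

def parse_sbom(text):
    """Return (name, version) pairs. A PackageName tag opens a package and
    the next PackageVersion tag belongs to it; a package with no version is
    kept with version None so the gap is visible rather than silently lost."""
    packages = []
    for line in text.splitlines():
        m = TAG_RE.match(line)
        if not m:
            continue
        tag, value = m.groups()
        if tag == "PackageName":
            packages.append([value, None])
        elif packages and packages[-1][1] is None:
            packages[-1][1] = value
    return [tuple(p) for p in packages]

def affected_packages(packages, advisories):
    """Exact-version match only: the SBOM's value is knowing the precise
    version on the device, so no version-range guessing is done here."""
    return [(n, v) for n, v in packages if v in advisories.get(n, ())]

def unversioned_packages(packages):
    """Packages the SBOM lists without a version cannot be checked at all."""
    return [n for n, v in packages if v is None]
```

Calling `affected_packages(parse_sbom(SAMPLE_SBOM), KNOWN_AFFECTED)` returns the single affected entry, and `unversioned_packages` reports the package that the SBOM left unversioned.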
Stewart brings up the fact that the Zephyr team has been working on the upcoming LTS release. Accordingly, they are working to improve code quality and to align with certain coding guidelines so they can be ready for safety certification once the LTS release is out. Features the Zephyr project is focusing on for the LTS release include scaling, more devices going into the house, native drivers, and how the project handles multiple toolchains. For those who would like to get involved with the Zephyr Project, Stewart indicates that the project documentation has a section dedicated to contributing. As to where contributors can start, Stewart suggests looking into the Zephyr GitHub repo as well as the Zephyr Slack channel.
Summary for this interview/discussion was written by Jack Wallen