Post Syndicated from original https://lwn.net/Articles/896244/

The Linux Foundation has posted an “Open Source
Software Security Mobilization Plan” that aims to address a number of
perceived security problems with the expenditure of nearly
$140 million over two years.

While there are considerable ongoing efforts to secure the OSS
supply chain, to achieve acceptable levels of resilience and risk,
a more comprehensive series of investments to shift security from a
largely reactive exercise to a proactive approach is required. Our
objective is to evolve the systems and processes used to ensure a
higher degree of security assurance and trust in the OSS supply
chain.

This paper suggests a comprehensive portfolio of 10 initiatives
which can start immediately to address three fundamental goals for
hardening the software supply chain. Vulnerabilities and weaknesses
in widely deployed software present systemic threats to the
security and stability of modern society as government services,
infrastructure providers, nonprofits and the vast majority of
private businesses rely on software in order to function.