
Big Data Digest is authorized to reproduce from Pinwan

Author: Bai Ning


"Thousands of developers scattered all over the world, in their spare time, created a world-class operating system through nothing more than the fragile cooperation of the Internet? I certainly could not have imagined it."


This is how Eric S. Raymond described the Linux system in his 1999 article "The Cathedral and the Bazaar".


The book was later hailed as the "Bible of the open source movement", one that subverted traditional thinking about software development and influenced the entire field.


The Linux system that surprised him has kept growing ever since. Today it is one of the first programs loaded when most computers start up, and it is the core of cloud computing and the Internet of Things. One could even say that the entire networked computing world runs on this most famous piece of open source software.


The advantages of open source software that Eric summarized in the book have also become the best explanation for the later success of open source software such as Linux:


"Given enough eyeballs, all bugs are shallow."


In his book, he describes closed development as a cathedral: top-down, opaque and expensive. Open source software, by contrast, brings together developers who contribute from different perspectives and dig into every line of code with enthusiasm. It is not only more efficient but also safer, because vulnerabilities are easier to find, like a lively bazaar.



In the open source movement this promoted, many definitions of open source were agreed upon. Its most important feature is openly available source code, and one of its core principles is that no person or group should be discriminated against.


But this spirit of openness and mutual trust has suffered shock after shock. Microsoft was once considered the standard-bearer of efforts to suppress open source, and Linux founder Linus Torvalds and former Microsoft vice president Craig Mundie had a famous debate. The hot-tempered Torvalds retorted to Mundie:


"I don't know whether Mundie has heard of Sir Isaac Newton? He is famous not only for founding classical physics but also for saying: 'If I have seen further, it is by standing on the shoulders of giants.' I would rather listen to Newton than to Mundie. He (Newton) has been dead for almost 300 years, yet he never stank up a room this badly."


Everyone knows the rest of the story: after many twists and turns, Microsoft too became a company that embraces open source, and Linux is now present in everyone's electronic devices.


But distrust of Linux and open source software has never disappeared. Now it is the US government's turn to express its distrust of open source.


Or perhaps one should say that the US government no longer wants to stand on the shoulders of those non-American Newtons.


According to a recent report in MIT Technology Review, the US Defense Advanced Research Projects Agency (DARPA) has launched a project called SocialCyber.


The report introducing the project, "Hybrid AI to Protect Integrity of Open Source Code", states that although using open source saves costs, improves maintainability and even attracts development talent, it also exposes the composition and provenance of the open source software in use, making it easier to attack. They therefore consider it necessary to analyze open source software from every angle in order to prevent malicious activity.


[Figure: DARPA, "Hybrid AI to Protect Integrity of Open Source Code"]


To this end, DARPA set up a dedicated project team and plans to spend 18 months and millions of dollars on the effort. The team also said that, with the help of AI tools, it would analyze not only the source code of open source software (typically millions or even tens of millions of lines) but also its social dimension.


According to MIT Technology Review, the researchers will analyze interactions within open source communities to identify disruptive or harmful behavior, and then go a step further to judge the nature of community members: for example, which are trustworthy and which require vigilance.


And the first open source software DARPA chose to "process" with this approach is Linux.


Linux is already the most famous open source software in existence. The number of computers running Linux far exceeds that of any other operating system:


  • All the internet terminals we are familiar with, such as phones, tablets, routers, TVs and game consoles, have embedded systems built on Linux.

  • Linux is also the main system used on servers and the most common operating system on public internet servers.

  • From the MySQL database to big-data processing tools such as Hadoop and Spark, Linux can be found in almost any technical field you can imagine.


It can be said that we use Linux all the time, although many people do not know it.


The normal operation of open source software with such great influence is naturally built on the help of the entire Internet. If you count the contributors to the Linux kernel, you will find that it amounts to a roster of global IT vendors: Intel, Google, IBM, NVIDIA, Red Hat...


What many people don't know, however, is that among these Linux kernel contributors, Huawei has climbed to No. 1. In July last year, one of the largest Linux releases ever, kernel 5.8, came out. At that time, the Linux kernel contribution statistics showed:


Huawei ranked first in lines changed, accounting for 27.8%, more than three times the second-place contributor; in code contributions (changesets) it ranked second, accounting for 8.6%, behind only Intel.




The 1,399 patches contributed by Huawei cover system features such as ARM64 SPE perf events, ACPI CPPC support for ARM64 CPU frequency control, dirty-page tracking optimization for virtualized live migration, and CPU idle governor defaults that can be adjusted per scenario, as well as bug-fix patches for key subsystems such as networking, file systems, perf, debugging and security. These are basic functions required for the normal operation of Linux and are very important to it.


As everyone knows, Huawei has been a key target of US government controls in recent years. So when analyzing the nature of community members, DARPA paid particular attention to Huawei and once again "affirmed" its contribution.


The research institute in charge of the project claims to have found that Huawei is currently the largest contributor to the Linux kernel. The purpose of this "affirmation", of course, is not praise, because the research organization went on to say:


In addition, Positive Technologies, a Russian cybersecurity company that, like Huawei, is sanctioned by the US, has also contributed to the Linux kernel.


The qualifier "sanctioned by the United States" largely explains which groups "require vigilance" in the passage above. Some commentators pointed out that the DARPA project's so-called analysis of Linux looks more like "vetting Linux developers":


It doesn't sound like they're interested in maintenance, but more in whether a "sanctioned entity" submits code.




On the other hand, contrary to the picture painted by DARPA's "Hybrid AI to Protect Integrity of Open Source Code", people do not "only use and never maintain" Linux. To maintain Linux, internet giants have been contributing people, money and effort.


Microsoft has released Microsoft Defender Advanced Threat Protection (ATP) for Linux to protect Linux servers from server and network threats.


Google has been keen to take part in the security maintenance of open source applications; in 2021 it even funded two people to work full-time on Linux kernel security.


The Linux Foundation also announced in October 2021 that, together with other industry leaders, it is raising $10 million to identify and fix cybersecurity vulnerabilities in open source software and to develop better tools, training, research and vulnerability disclosure practices.


Still, it is the developers on the Linux platform who have contributed the most to patching its vulnerabilities. As of this article's publication, that group has grown to 13,256 members.




According to a Google research project, it is the efforts of the platform's developers to fix vulnerabilities that have given Linux a security record far ahead of Windows and macOS.


They looked at bugs reported and fixed between January 2019 and December 2021 and found that open source programmers took an average of 25 days to fix a Linux issue, compared with about 69 days for Apple, 44 days for Google, about 46 days for Mozilla, and 83 days for Microsoft.



In addition, Linux developers have steadily reduced the time it takes to patch security holes. By 2019 this figure had already been brought down to one month; now it is about two weeks.




In other words, before DARPA stepped in, Linux maintenance was already bearing fruit. And all of that maintenance concerned the code itself, never the identity of the people writing it.


DARPA's move to go further and identify contributing members has caused controversy, because it looks more like "controlling" open source software such as Linux according to DARPA's own agenda, deciding who counts as a "trusted" contributor on the basis of US interests.


In fact, the United States has long been accustomed to treating open source as its own sphere of control. A few years ago, for example, the United States placed open source software on its "export control" list. As a result, Apache, the world's largest open source software foundation, and GitHub, the world's largest open source code hosting platform, had to issue announcements stating that their services might be affected by the policy:


Apache: "ASF software/technical data may not be exported/re-exported, directly or indirectly, to any destination subject to U.S. embargoes or trade sanctions unless duly authorized by the U.S. government."


GitHub: "GitHub.com, GitHub Enterprise Server, and open source projects hosted by you may be subject to U.S. export control laws, including the U.S. Export Administration Regulations (EAR)."


After the restrictions, there were many voices of opposition. Developers created a project on GitHub called "github-do-not-ban-us" in protest, and it briefly ranked first on GitHub's trending list.


It is worth noting that Linux, the protagonist of this "vetting incident", did not issue a relevant announcement at the time; a year later, it officially released a Chinese and English white paper, "Understanding Open Source Technology and U.S. Export Controls".


It provides a practical guide to navigating issues such as export control regulations, and writes:


"Open source technology that is publicly released for the world to use is not subject to the U.S. EAR export controls, and open source remains the most convenient model for global collaboration."

