Remember how we managed to raise €1 million to demonstrate security and freedom aren’t opposites? For the next two weeks now (until July 8, 2016), you can decide which project you think should be the first to receive a code review as part of the FOSSA pilot project.


After the discovery of the “Heartbleed” vulnerabilities in the widely used Free Software cryptography library OpenSSL in 2014, my Swedish Greens/EFA colleague Max Andersson and I proposed a pilot project to get the EU to contribute to the security of Open Source projects. Both European institutions and the European public (companies as well as individuals) rely on Free and Open Source Software (FOSS).

Progress so far

The project started in January 2015 and runs until October this year, when the results of the first code review will be published. So far, according to the info published by the project team within the Commission, the project has created an inventory methodology for software and standards used in the European institutions and compared software development methodologies in the institutions and in FOSS projects.

Your choice

The next big project step is the choice of software project to be reviewed – and the choice is yours! The project team has now published a public poll to choose one out of 18 free software projects or alternatively propose additional ones. Popular projects such as VLC Media Player, KeePass, and Git are among the suggestions. When making your choice, consider the potential impact an undiscovered vulnerability in each project would have.

The poll closes July 8, 2016.

Vote now: Which software should the EU review?

A permanent budget item?

Security audits of free software should become a permanent EU budget item

Pilot projects (PP) are a way for the Parliament to propose new items for the EU’s budget. Each year, the overall budget for PPs is €40 million. If a (usually two-year) pilot project works out, it can be continued in a so-called preparatory action (PA), with a maximum duration of three years, and then has a chance of being permanently added to the EU budget. The yearly budget for PAs is €50 million. (From the Working Document on Pilot projects and Preparatory actions in budget 2016 and 2017.)

My colleague Max and I will propose to continue the project as a PA in the following years, and subsequently as a general budget item. The Free and Open Source Software Audit is an important contribution to ensure the reliability and security of the IT infrastructure we all rely on.

To the extent possible under law, the creator has waived all copyright and related or neighboring rights to this work.

4 comments

  1. Gabriel Scherer

    Thanks for this initiative! The poll list is a bit dry; to make an informed choice, it would be helpful to have more information on what the projects are and how security-sensitive their usage is. I just created an editable wiki to crowd-source this information:

    https://github.com/gasche/EU-software-audit-poll-info/wiki

    in particular, see the list of projects with a short description and a link to the project website

    https://github.com/gasche/EU-software-audit-poll-info/wiki#projects-links-and-descriptions

    Anyone is welcome to edit this page to add more information on the proposed projects.

  2.

    Please, if you are progressive in terms of technology, get the relevant people to acknowledge mobile technologies and OS (operating systems) in their efforts. I have the feeling that the world is moving towards mobile, but all the technology initiatives are based on desktop solutions. I want iOS and Android native apps that would be 1st class citizens in the new electronic future…Thanks.

    • Oh,

      great thing seeing the EU spending money on this kind of activity: this *does* benefit the public. I kind of agree with the comment from Marian regarding mobile solutions. I also notice that the whole “mobile” platform is difficult in security-related discussions like this one: both iOS and Android are designed so that the owner of the platform automatically gets to know each and every piece of information written, read, stored or transmitted through these software packages. With this starting point, auditing an individual application on top of that kind of platform makes very little sense. Modern-day (popular) mobile platforms are designed to be insecure, and for selected and paying customers only.

      My own suggestion (voted with the “other..” option) was a messaging app called classified ads http://katiska.org/classified-ads/ that enables private and group communications between humans and frees users from having a “service provider” that would ask for money, disappear, revoke accounts or turn users into merchandise.

  3. Who Ever

    Thanks, great initiative. I just noticed to my chagrin that the voting process requires JavaScript and uses a Google captcha.