CS Table 12/4/18: Open Source and Security
Computer Science 2018-12-03
Summary:
This week's discussion topic was suggested by an alumna, who writes:
Recently an NPM package author handed over control of his open source project to a stranger who promised to maintain the package for future users. The stranger added malicious code to the package, which was then downloaded by millions of users. This raises questions about responsibility in the open source world. What responsibilities does the owner of an open source project hold? What responsibilities are up to the user? What can developers do to utilize open source projects in a safe and secure manner?

There are two recommended readings for the CS Table discussion; the first is an account of the recent event we'll discuss, and the second is a perspective on security and open source from Bruce Schneier, written in 1999.
- Check your repos... Crypto-coin-stealing code sneaks into fairly popular NPM lib. Thomas Claburn. The Register. 26 Nov 2018.
- Open Source and Security. Bruce Schneier. Counterpane Security and schneier.com. 15 Sept 1999.
You may also find these resources helpful or informative as you prepare for our discussion:
- Core Infrastructure Initiative. The Linux Foundation.
- What is NPM and why do I need it? Stack Overflow thread.
- The GitHub issue for the exploit that was discovered.
Computer science table (CS Table) is a weekly meeting of Grinnell College community members (students, faculty, staff, etc.) interested in discussing topics related to computing and computer science. CS Table meets Tuesdays from 12:00–12:50pm in JRC 224C (inside the Marketplace). Contact the CS faculty for the weekly reading. Students on meal plans, faculty, and staff are expected to cover the cost of their meals. Visitors to the College and students not on meal plans can charge their meals to the department (sign in at the Marketplace front desk).