What does it mean to host a project?
- When the maintainers of an open source project decide to have it hosted at the Linux Foundation, they transfer ownership of the project's trademark to the LF. They do not transfer the copyright, since use of the code is already available to others under the open source license.
- Note that LFPH will only be hosting the upstream code. Each Public Health Authority (PHA) may use that upstream to create its own custom implementation.
- Hosting a project with the Linux Foundation enables open governance, which means that there is no one company or individual in control of a project.
- Several decades of experience with open source software have demonstrated that it is the most robust, secure, and resilient way to implement core infrastructure.
- Most open source projects (including most Linux Foundation hosted projects) use GitHub as their source code repository and as a forum for collaboration between developers.
What uses of the software are allowed?
- All of the software hosted by the Linux Foundation is open source, meaning that anyone can use it and modify it without asking permission, for free.
- The LF generally recommends the Apache 2.0 license for projects like LFPH; it allows PHAs and their vendors to use or modify the software in their own open- or closed-source implementations.
- Note that there is no requirement for PHAs or their vendors to start or maintain membership with LFPH to use any of its hosted software projects.
- Engagement with LFPH and its hosted projects is strongly encouraged, however, and is helpful to get bug fixes and new features implemented upstream so that individual apps do not need to maintain significant amounts of code in a fork.
- LFPH may create a certification program to enable downstream apps to demonstrate that they are following best practices in using LFPH software, particularly in regards to privacy protections and security updates.
- The certification would include a trademark like “Certified LFPH app” and be completely optional.
Is LFPH software only for use by PHAs?
- LFPH is focused, particularly for its first 6 months, on hosting software that meets the critical needs of PHAs.
- However, all LFPH software is open source and so anyone may use it for any purpose.
- It’s fine to have compilation or other configuration options that allow the same project to be built either as an add-on module to a PHA’s multi-function app or as a standalone app.
- Also note that membership in LFPH is completely separate from technical decision making.
- Anyone can use, contribute to, or become a maintainer of an LFPH-hosted project, regardless of the membership status of their employer.
What is upstream? What is a fork? What is a maintainer?
- These are standard terms in open source software development.
- Upstream, by metaphor to a river, refers to the main branch where ongoing development of a project is taking place.
- A project like Kubernetes makes a new upstream release approximately every 3 months.
- Mixing metaphors, this is also known as “vanilla” Kubernetes, because nothing extra has been added.
- Downstream (also called distributions or customized versions) refers to changes made by vendors and other organizations to customize the upstream software for specific uses.
- There are over 100 downstream Certified Kubernetes implementations.
- A fork represents an independent development that is occurring separate from upstream and may or may not be reincorporated to upstream.
- Open source development best practice is to minimize the divergence from upstream so as not to have to take on significant re-integration efforts with each new upstream release.
- A project maintainer is a developer who has write privileges to make changes to a project.
- While the LF provides many services to help open source projects succeed, the LF does not, with a small number of exceptions, employ maintainers.
Is open source less secure?
- No. Most of the world’s technology infrastructure runs on top of open source software, which is more secure because more people are working to secure it.
- Open source software enables peer review and PHA-specific customization.
- CDC criteria for digital contact tracing tools for COVID-19 prefer open source software.
What are reproducible builds and why do they matter?
- In any kind of health-related application, many people have concerns about security and privacy protection.
- Open source applications assuage many of these concerns by allowing anyone with the technical know-how to review the source code of the application and confirm that it does what it is supposed to do and nothing more.
- But, there is an additional question of whether the app that you download to your phone is created from the known source code and has not been altered.
- Reproducible builds (though challenging on iOS) are a set of software development practices that create an independently verifiable path from the source code to the installed app.
- LFPH will assist its PHA partners in setting up continuous integration/continuous delivery (CI/CD) pipelines that enable reproducible builds and otherwise implement best practices for security and privacy protection.
- LFPH-hosted projects will also earn a Core Infrastructure Initiative Best Practices badge, demonstrating that the project follows best practices for producing higher-quality secure software.
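As an added illustration of what "reproducible" means in practice (example code written for this page, not LFPH's or any PHA's pipeline): the naive packaging step below lets build time and file order leak into the artifact, so two builds of identical source never hash the same, while the normalised version pins timestamps and ordering so that an independent rebuild yields byte-identical output and a digest comparison becomes meaningful. The source tree, file names and SOURCE_DATE_EPOCH value are constructed for the demonstration.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample "source tree" (path -> contents); not a real LFPH project.
SOURCE_TREE = {
    "app/main.py": b"print('exposure notification')\n",
    "app/config.json": b'{"region": "example"}\n',
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def naive_build(tree, now):
    """Typical non-reproducible packaging: tree-walk entry order, mtimes set to
    the build time (now, e.g. time.time()), gzip header stamped with the clock."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in tree.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = now  # build timestamp leaks into the artifact
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def reproducible_build(tree, source_date_epoch=0):
    """Normalised packaging: sorted entries, timestamps pinned to SOURCE_DATE_EPOCH,
    owner fields cleared, gzip mtime pinned to 0. Only the source affects the bytes."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name in sorted(tree):
            info = tarfile.TarInfo(name)
            info.size = len(tree[name])
            info.mtime = source_date_epoch
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(tree[name]))
    return gzip.compress(raw.getvalue(), mtime=0)

def read_member(artifact: bytes, name: str) -> bytes:
    """Extract one file from an artifact, to confirm the rebuild lost nothing."""
    with tarfile.open(fileobj=io.BytesIO(artifact), mode="r:gz") as tar:
        return tar.extractfile(name).read()

def verify_artifact(downloaded: bytes, tree) -> bool:
    """Reviewer's check: rebuild from the published source and compare the SHA-256
    of the distributed artifact with the SHA-256 of the independent rebuild."""
    return sha256_hex(downloaded) == sha256_hex(reproducible_build(tree))
```

Real pipelines also have to pin compiler versions, build paths and locale, which is why the practice is harder on iOS, where the final signing and packaging happen outside the developer's control.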
How can trademarks protect against code misuse?
- All LFPH-hosted projects will be open source, which means that a government or other body could use the code in a privacy-harmful way, such as in a surveillance app.
- One protection against this is to use a trademark like “LFPH Privacy Certified” for apps that properly implement appropriate protections when using LFPH projects.
- The Certified Kubernetes program has used the Kubernetes trademark so that only conformant implementations are allowed to use the term Kubernetes in their product name.
- Open source software can be used by anyone for any purpose, but access to the trademark can be limited to those deploying the app as intended.
Do we really need 60% adoption in order for exposure notification apps to be effective?
The 60% number comes from a highly cited article out of the Coronavirus Fraser Group at Oxford. The article uses modelling to determine the adoption level at which an exposure notification app, used with no other measures, would stop the virus; that is the source of the 60% figure. However, the article goes on to say that lower adoption levels will also help to slow down the spread.
As Professor Fraser explains “Our results suggest a digital contact tracing app, if carefully implemented alongside other measures, has the potential to substantially reduce the number of new coronavirus cases, hospitalisations and ICU admissions. Our models show we can stop the epidemic if approximately 60% of the population use the app, and even with lower numbers of app users, we still estimate a reduction in the number of coronavirus cases and deaths.”
Even just 14% of the population using the app can be helpful in slowing the spread of the virus, and once adoption reaches the mid-20s the effect can become quite substantial.