opensource.google.com

Google joins the Open Source Security Foundation

Monday, August 3, 2020

In modern software development, much of the code developers use originates outside their organization and is open source. While the cloud and internet ecosystem depends on an open source foundation, the sheer scale and dependency chain of the libraries and packages we all use makes it difficult to validate and verify the origin of the code you’re ingesting, that it’s up to date on recent patches, and that it’s coming from projects following security best practices. To continue deriving benefits from open source, we need to ensure that as a community we are building on the strongest possible foundation.



At Google, security is always top of mind, and we have developed robust systems and security tools—including open source ones—to protect our internal systems and our customers. We believe the more we share what we’ve learned about open source security, and the more we work with those who face similar challenges, the more we can improve the state of open source security for everyone.

We’re happy to announce that Google is joining the Open Source Security Foundation (OpenSSF) to work alongside the broader industry on this journey of improving the state of security of open source projects we all depend on. Google has key areas in open source security we want to work on, and we’re excited to share our ideas with the OpenSSF community and work together. Some of our key areas are:
  1. Shared schemas and metadata that enable automation for enforcing security best practices along the entire software supply chain.
  2. Dependency management and risk assessments through tooling and data. We want to make it easy to map vulnerabilities back to specific versions of code that are affected and take action.
  3. Verifiable builds through trusted build systems so that we know artifacts haven’t been tampered with. The Tekton project has been exploring this idea, and we’re excited to share some of these ideas with OpenSSF.
  4. A developer identity system to help associate code changes back to their original author and help code reviewers have developer authentication as part of their commit and PR review process.
  5. Securing critical OSS projects and helping projects respond to vulnerabilities. If you’re a maintainer who’s interested in getting help with vulnerability response or security engineering efforts, watch this space!
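Two of the areas above, mapping vulnerabilities back to the specific versions a build actually pins (area 2) and checking that artifacts have not been tampered with (area 3), come down to mechanical checks a build can run. The following is an added example written for this post, not code from Google, OpenSSF or Tekton: the package names, versions, advisory ids and artifact bytes are constructed placeholders, the advisory shape (a half-open `[introduced, fixed)` range per package) is an assumption modelled loosely on the OSV convention, and versions are assumed to be dotted integers.

```python
import hashlib
from typing import List, Optional, Tuple

# All data below is constructed for this example: the package names, versions,
# advisory ids and artifact bytes are placeholders, not real projects or CVEs.

# Advisories in an OSV-like shape: a package plus the half-open range
# [introduced, fixed) of affected versions; fixed=None means no fix yet.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "libexample", "introduced": "1.2.0", "fixed": "1.4.1"},
    {"id": "EXAMPLE-ADV-0002", "package": "parserkit", "introduced": "0.0.0", "fixed": "2.0.0"},
    {"id": "EXAMPLE-ADV-0003", "package": "nettool", "introduced": "0.9.5", "fixed": None},
]

# Artifact bytes as they sit in the build cache (constructed placeholders).
ARTIFACTS = {
    "libexample": b"libexample-1.3.2 placeholder contents",
    "parserkit": b"parserkit-2.1.0 placeholder contents",
    "nettool": b"nettool-0.9.0 placeholder contents",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# The lockfile pins each dependency to a version and to the digest recorded
# when the artifact was first reviewed; a later build must match both.
LOCKFILE = {
    name: {"version": ver, "sha256": sha256_hex(ARTIFACTS[name])}
    for name, ver in [("libexample", "1.3.2"), ("parserkit", "2.1.0"), ("nettool", "0.9.0")]
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric versions only (an assumption of this example)."""
    return tuple(int(part) for part in v.split("."))

def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True if version lies in [introduced, fixed); an unfixed advisory has no upper bound."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)

def find_vulnerable(lockfile, advisories) -> List[Tuple[str, str, str]]:
    """Map each advisory back to the pinned version it affects, if any."""
    hits = []
    for adv in advisories:
        entry = lockfile.get(adv["package"])
        if entry and is_affected(entry["version"], adv["introduced"], adv["fixed"]):
            hits.append((adv["package"], entry["version"], adv["id"]))
    return hits

def verify_digests(lockfile, artifacts) -> List[str]:
    """Return names whose current bytes no longer match the pinned digest."""
    return [name for name, entry in lockfile.items()
            if name not in artifacts or sha256_hex(artifacts[name]) != entry["sha256"]]

def tampered_cache():
    """Constructed scenario: one cached artifact was modified after it was pinned."""
    cache = dict(ARTIFACTS)
    cache["nettool"] = ARTIFACTS["nettool"] + b" modified after pinning"
    return cache

if __name__ == "__main__":
    print("vulnerable:", find_vulnerable(LOCKFILE, ADVISORIES))
    print("digest mismatches (clean cache):", verify_digests(LOCKFILE, ARTIFACTS))
    print("digest mismatches (tampered cache):", verify_digests(LOCKFILE, tampered_cache()))
```

Running the script reports `libexample 1.3.2` as affected by the first constructed advisory (it sits inside `[1.2.0, 1.4.1)`), clears `parserkit 2.1.0` (at or past the fix) and `nettool 0.9.0` (before the introduced version), and flags `nettool` only when its cached bytes differ from the digest pinned at review time. The two checks are deliberately separate: a digest match proves the bytes are the ones reviewed, not that the reviewed version is free of known issues, and a clean advisory match says nothing about whether the bytes were altered after the fact.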
Security challenges are never going to disappear, and we must work together to maintain the security of the open source software we collectively depend on. If you're interested in getting involved in the OpenSSF initiatives, visit openssf.org or OpenSSF on GitHub. You can be a part of how the OpenSSF serves the open source community and the world!

By Kim Lewandowski, Product Security Team, and Dan Lorenc, Infrastructure Security Team, Google

Announcing a new kind of open source organization

Wednesday, July 8, 2020

Google has deep roots in open source. We're proud of our 20 years of contributions and community collaboration. The scale and tenure of Google’s open source participation has taught us what works well, what doesn’t, and where the corner cases are that challenge projects.

One of the places we’ve historically seen projects stumble is in managing their trademarks—their project’s name and logo. How project trademarks are used is different from how their code is used, as trademarks are a method of quality assurance. This includes the assurance that the code in question has an open source license. When trademarks are properly managed, project maintainers can define their identity, provide assurances to downstream users of the quality of their offering, and give others in the community certainty about the free and fair use of the brand.

In collaboration with academic leaders, independent contributors, and SADA Systems, today we are announcing the Open Usage Commons, an organization focused on extending the philosophy and definition of open source to project trademarks. The mission of the Open Usage Commons is to help open source projects assert and manage their project identity through programs specific to trademark management and conformance testing. Creating a neutral, independent ownership for these trademarks gives contributors and consumers peace of mind regarding their use of project names in a fair and transparent way.

Understanding and managing trademarks is critical for the long-term sustainability of projects, particularly with the increasing number of enterprise products based on open source. Trademarks sit at the juncture of the rule of law and the philosophy of open source, a complicated space; for this reason, we consider it to be the next challenge for open source, one we want to help with.

To get the Open Usage Commons started, Google has contributed initial funding, and the trademarks of Angular, a web application framework for mobile and desktop; Gerrit, web-based team code-collaboration tool; and Istio, an open platform to connect, manage, and secure microservices, will be joining the Open Usage Commons. If you use a trademark of one of the projects currently, you can continue to use those marks, following any current guidance from the project. As the Open Usage Commons is focused on trademark management, the contributor communities and technical roadmaps of these projects are not changed by joining the Commons, although we hope this new model encourages anyone who has stood on the sidelines until now to participate in these projects.

As the Open Usage Commons board wrote in their announcement, this is uncharted territory, and the Commons intends to “walk before they run,” so you can expect more information and activity from the organization in the coming months.

Learn more about the role of trademarks in open source and the Open Usage Commons at openusage.org.

By Chris DiBona, Director, Open Source at Google

Expanding our Differential Privacy Library

Wednesday, June 24, 2020

All developers have a responsibility to treat data with care and respect. Differential privacy helps organizations derive insights from data while simultaneously ensuring that those results do not allow any individual's data to be distinguished or re-identified. This principled approach supports data computation and analysis across many of Google’s core products and features.

Last summer, Google open sourced our foundational differential privacy library so developers and organizations around the world can benefit from this technology. Today, we’re announcing the addition of Go and Java to our library, an end-to-end solution for differential privacy called Privacy on Beam, and new tools to help developers implement this technology effectively.

We’ve listened to feedback from our developer community and, as of today, developers can now perform differentially private analysis in Java and Go. We’re working to bring these two libraries to full feature parity with C++.

We want all developers to have access to differential privacy, regardless of their level of expertise. Our new Privacy on Beam framework captures years of Googler developer experience and efficiency improvements in a comprehensive and easy-to-use solution that handles computation end-to-end. Built on Apache Beam, Privacy on Beam can reduce implementation mistakes, and take care of all the steps that are essential to differential privacy, including noise addition, partition selection, and contribution bounding. If you’re new to Apache Beam or differential privacy, our codelab can get you started.

Tracking privacy budgets is another challenge developers face when implementing differential privacy. So, we’re also releasing a new Privacy Loss Distribution tool for tracking privacy budgets. With this tool, developers can maintain an accurate estimate of the total cost to user privacy for collections of differentially private queries, and better evaluate the overall impact of their pipelines. Privacy Loss Distribution supports widely used mechanisms (such as Laplace, Gaussian, and Randomized response) and can scale to hundreds of compositions.
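The three steps named two paragraphs up (noise addition, partition selection, contribution bounding) and the budget tracking described here fit in one small worked example. What follows is an added illustration written for this post, not code from Google's differential privacy library or from Privacy on Beam, and it is far simpler than what those libraries do: the records are constructed, the function names are mine, the Laplace mechanism is sampled by inverse transform, partition selection is a plain threshold on the noisy count, and budget tracking shows basic sequential composition next to the advanced composition bound of Dwork, Rothblum and Vadhan (a standard result, not the Privacy Loss Distribution method the post announces). The `selection_delta` helper assumes each user contributes at most one record.

```python
import math
import random
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample: (user_id, partition) records, e.g. which page a user visited.
RECORDS = [
    ("u1", "a"), ("u1", "a"), ("u1", "b"),
    ("u2", "a"), ("u3", "a"), ("u4", "c"),
]

def bound_contributions(records, max_per_user: int):
    """Contribution bounding: keep at most max_per_user records per user, so
    that one user can influence the histogram by a known, bounded amount."""
    kept = defaultdict(list)
    for user, partition in records:
        if len(kept[user]) < max_per_user:
            kept[user].append(partition)
    return [(u, p) for u, parts in kept.items() for p in parts]

def laplace_noise(scale: float, rng: random.Random) -> float:
    """Sample Laplace(0, scale) by the inverse-CDF transform."""
    u = rng.random() - 0.5                      # uniform in [-0.5, 0.5)
    return -scale * math.copysign(1.0, u) * math.log(max(1.0 - 2.0 * abs(u), 1e-300))

def private_counts(records, epsilon: float, max_per_user: int,
                   threshold: float, seed: int = 0) -> Dict[str, float]:
    """Noisy per-partition counts with Laplace noise, then partition selection."""
    rng = random.Random(seed)
    bounded = bound_contributions(records, max_per_user)
    counts = Counter(p for _, p in bounded)
    # After bounding, one user changes at most max_per_user counts by 1 each,
    # so the L1 sensitivity of the whole histogram is max_per_user.
    sensitivity = max_per_user
    scale = sensitivity / epsilon
    selected = {}
    for partition, c in counts.items():
        noisy = c + laplace_noise(scale, rng)
        # Partition selection: release a partition only if its noisy count
        # clears the threshold, so a partition backed by a single user is not
        # revealed simply by appearing in the output.
        if noisy >= threshold:
            selected[partition] = noisy
    return selected

def selection_delta(epsilon: float, threshold: float) -> float:
    """Probability (delta) that a partition backed by exactly one user, with
    max_per_user == 1, survives thresholding: P(1 + Lap(1/epsilon) >= threshold)."""
    assert threshold >= 1.0
    return 0.5 * math.exp(-epsilon * (threshold - 1.0))

def compose_basic(queries: List[Tuple[float, float]]) -> Tuple[float, float]:
    """Basic sequential composition: epsilons add and deltas add."""
    return (sum(e for e, _ in queries), sum(d for _, d in queries))

def compose_advanced(epsilon: float, delta: float, k: int, delta_prime: float):
    """Advanced composition bound for k uses of one (epsilon, delta) mechanism:
    grows like sqrt(k) rather than k, at the cost of an extra delta_prime."""
    eps_total = (epsilon * math.sqrt(2 * k * math.log(1 / delta_prime))
                 + k * epsilon * (math.exp(epsilon) - 1))
    return (eps_total, k * delta + delta_prime)

if __name__ == "__main__":
    print("released:", private_counts(RECORDS, epsilon=1.0, max_per_user=1, threshold=2.0))
    print("selection delta:", selection_delta(1.0, 2.0))
    print("100 queries, basic:", compose_basic([(0.1, 0.0)] * 100))
    print("100 queries, advanced:", compose_advanced(0.1, 0.0, 100, 1e-6))
```

With `max_per_user=1` the bounding step keeps four of the six constructed records (u1's extra visits are dropped), the true histogram is `a=3, c=1`, and with a threshold of 2 the single-user partition `c` is suppressed. The budget lines show why a dedicated accountant matters: 100 queries at epsilon 0.1 cost epsilon 10 under basic composition but roughly 6.3 under the advanced bound, and a tool such as the Privacy Loss Distribution described above gives tighter numbers still.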

We hope these new languages, tools, and features unlock differential privacy for even more developers. Continue to share your stories and suggestions with us at dp-open-source@google.com—your feedback will help inform our future differential privacy launches and updates.

Acknowledgements

Software Engineers: Yurii Sushko, Daniel Simmons-Marengo, Christoph Dibak, Damien Desfontaines, Maria Telyatnikova, Dennis Kraft, Jimmy Ross, Vadym Doroshenko
Research Scientists: Pasin Manurangsi, Ravi Kumar, Sergei Vassilvitskii, Alex Kulesza, Jenny Gillenwater, Kareem Amin

By: Miguel Guevara, Mirac Vuslat Basaran, Sasha Kulankhina, and Badih Ghazi – Google Privacy Team and Google Research

Welcoming 1,000+ Interns to Open Source at Google

Tuesday, June 23, 2020

One of the core tenets of open source is about finding ways for people to build great things by working together, regardless of location. This summer, through our intern program we’re gathering incredible talent from schools around the world, Googlers with a passion for open source, and project maintainers both inside and outside of Google to see what we can build together. 

Onboarding that many interns and turning them into new open source contributors was no easy task. So in partnership with the Intern Programs team and engineering teams across Google, we’ve grounded our planning by answering four key questions. 

How can we make our internship program a force for good in the open source ecosystem?

We knew that having more than a thousand interns contribute to open source projects could have a huge impact, however, many projects aren’t set up to onboard dozens of new contributors at one time and many maintainers can’t take on hundreds of new pull requests. Early on, we established best practices for intern placement and support. We committed to:
  • Aligning interns’ work with project priorities to advance the project while also allowing the interns to learn and grow their skills.
  • Proactively communicating with project maintainers and contributors, keeping them in the loop on timelines and logistics.
  • Looking beyond Google. We prioritized projects that have full-time Google engineering support, which includes Google-owned projects like Go, TensorFlow, and Chromium, as well as Google-created projects we invest heavily in, such as Kubernetes, Apache Beam, and Tekton. But Google also has full-time engineers working on outside projects we rely on, so our interns will also be working on projects like Envoy, Rust, and Apache Maven.

How can we introduce the interns to open source at Google?

We are determined to support and empower the interns as they become lifelong contributors to open source. Every Noogler in engineering learns about using and contributing to open source in a training run by our Open Source Programs Office. With an unprecedented number of interns working on open source projects, we are also providing additional resources, including a platform for questions, office hours, enrichment talks, and partnerships with external open source organizations.

How can we learn from our interns about the experience of contributing to open source at Google and beyond?

We see a huge opportunity to listen to our interns this summer. By meeting with interns and hosts—as well as surveying the entire class of interns at the end of the summer—we can look for ways to improve open source at Google and the contributor experience for projects they’re working on. We’re excited to learn from the internship program and from interns’ perspectives working in and contributing to open source.

How can we have an impact on these students that carries on throughout their careers?

One of my favorite questions to ask Googlers who are active in open source is how they were first introduced to open source. There’s a well-trodden path of a developer fixing an annoying bug, then a few more bugs, then adding small features, becoming a core contributor, and eventually a project maintainer. That process requires persistence and patience, and projects lose a lot of great developers along the way.

But... What if your first experience with open source is being welcomed into a large and thriving community of contributors? What if you get to contribute to open source full time, mentored by creators and maintainers of the project you’re working on, collaborating across organizations and across time zones? Our hope is that this kind of experience will leave a lasting impression on this summer’s interns and that they’ll continue to contribute to open source for a long time to come.

By Jen Phillips, Google Open Source

COVID-19: How Google is helping the open source community

Monday, June 22, 2020

COVID-19 has affected so much of the world around us, and open source is no exception. Project resilience is being challenged by COVID-19. Community members have even less time to contribute. Event cancellations are impacting networking, collaboration, and fundraising.


Google wants to do everything it can to help. This means that it’s even more important for the Google Open Source Programs Office to step up our commitment to citizenship. We’re taking several steps to support industry organizations and the projects that we participate in to help them operate during this time.

Virtual Events Support

  • Participating in talks internally and externally to Google to share knowledge and insight into open source projects and practices with the wider open source communities.
  • To support the shift from an offline to online events model, we created an online guide to share resources and event planning knowledge: Open Source Virtual Events Guide.

Talent

  • COVIDActNow is a multidisciplinary team working to provide disease intelligence and data analysis on COVID in the U.S. Google contributed to this project by improving their data pipeline allowing for county level data visualization, providing more localized insight for crisis planning.
  • Nextstrain is a platform for real-time tracking of pathogen evolution. Google contributed engineering, design, and translation resources to help scientists conduct research into real-time tracking of pathogen evolution.
  • Schema.org - Google led Schema.org rapid response designs for structured data markup to contribute to the COVID-19 global response, leading to the UK making similar announcements.
  • Google’s annual internship program was converted to a digital program where interns will focus on open source projects, allowing projects to gain new contributors in a non-traditional environment.
  • Google Summer of Code brings over 1100 university students from around the world together with open source communities, many of which are working on various humanitarian efforts related to COVID-19. The program is completely online so students can work with their mentors remotely, allowing all organizations to continue receiving the support they need.
The impact from COVID-19 will have long-term effects on many organizations and projects that may not be immediately apparent. In the coming months, we will monitor the needs of projects and organizations across open source. We understand the value of open source not just to the tech world, but the impact it has on bringing communities together; Google has a long standing history in open source and we will continue supporting our community to stay strong during and after the passing of COVID-19.

We encourage folks who have the time and ability to support open source communities to do so by getting involved and reaching out directly to organizations that interest you. This is a time for all of us to come together and lift up each other and open source.

By Megan Byrd-Sanicki, Sr. Program Manager, and Radha Jhatakia, Program Manager – Google Open Source Programs Office