Software security continues to plague open-source developers and users as well. Ongoing efforts to fix broken security issues are producing innovative solutions. However, like a game of whack-a-mole, new security hurdles continue to pop up.
Ubuntu Linux users can now grab some free security help to make keeping up with patches and maintenance a bit easier. Find out why some data scientists are starting to have second thoughts about open source. Wolfi arrived recently as the first Linux “(un)distro.” Read on to learn its relationship with the underwater octopus creature.
Canonical Heightens Computer Security
Ubuntu Pro, the expanded security maintenance and compliance subscription, is now in public beta for data centers and workstations. Canonical will provide a free tier for personal and small-scale commercial use for up to five machines.
Canonical on Wednesday announced the new program as part of the company’s community commitment and mission to make open source more easily consumable by everyone. Ubuntu Pro is available for every Ubuntu LTS from 16.04 LTS, and it is already in production for large-scale customers offering global services. Users can obtain a free personal Ubuntu Pro subscription.
“Since we first launched Ubuntu LTS, with five years of free security coverage for the main OS, our enterprise customers have asked us to cover more and more of the wider open-source landscape under private commercial agreements,” according to Canonical CEO Mark Shuttleworth.
Google has partnered with Canonical for the last decade to promote the adoption of open-source software, noted Derry Cheng, product manager for Compute Engine. That helps customers enhance the security and compliance of their production workloads.
Canonical, for years, has provided timely security updates for the main Ubuntu OS. It patches critical Common Vulnerabilities and Exposures (CVEs) in less than 24 hours on average.
Ubuntu Pro expands this coverage to 10 times the number of packages in the standard Ubuntu repositories — more than 25,000 of them. These patches are for critical, high, and selected medium CVEs, with many zero-day vulnerabilities fixed under embargo for release the moment the CVE is public.
Canonical backports security fixes from newer versions of applications to give Ubuntu Pro users a path to long-term security with no forced upgrades. The result is a decade of API stability. “Transformative innovations such as AI and deep learning are being put to work to unlock new levels of business automation,” said Justin Boitano, VP of Enterprise Computing at Nvidia. “With the introduction of Ubuntu Pro, enterprises will benefit from better security, support, and long-term maintenance for thousands of open-source libraries that are at the core of modern AI and data science workflows. “
The standard Ubuntu Pro subscription covers the complete set of security updates for all packages in Ubuntu. Canonical’s Ubuntu Advantage for Infrastructure subscription is now rebranded to Ubuntu Pro (Infra-only) with no price or scope changes.
An Ubuntu Pro (Infra-only) subscription covers the base OS and the private cloud components needed for large-scale bare-metal deployments. It excludes the new broader application coverage and is helpful for organizations building private clouds that use other guest operating systems for applications.
Shuttleworth discusses the significance of the Ubuntu Pro release in this video:
A 30-day free trial of Ubuntu Pro is also available for new enterprise customers. Paid plans cost $25 per year for workstations or $500 per year for servers. Ubuntu Pro is priced at approximately 3.5% of the public cloud’s average underlying compute cost. Additional services, such as 24×7 support, can be added if required, so businesses can choose the level of service they need. Pricing details are available at Ubuntu.
Data Scientists Pushing Pause on Open Source Over Security
Anaconda’s 2022 State of Data Science report released last month reveals that security concerns, limited talent, and ethical dilemmas are the biggest threats to the future of data science.
The report garnered responses from 3,500 respondents targeting the open-source community through three cohorts of academics, industry professionals, and students. The results disclosed three troubling trends involving the use of open-source technology.
- 40% of professional respondents indicated that their organizations scaled back their open-source software usage in the past year due to concerns around security.
- 90% of professional respondents indicated that their organizations are concerned about the potential impact of a talent shortage.
- Only 19% of student respondents currently learn ethics in AI/ML/data science lectures.
Open-source software was created by and for developers. According to the report, it is now an integral part of commercial software development and the backbone for continuous enterprise innovation. Of those surveyed, 20% identified open source’s speed of innovation and affordability as the most valued benefits of its usage.
Most organizations use open-source software. Of the 8% of respondents whose organizations do not, 54% said the biggest reason is fear of potential vulnerabilities, exposures, or risks; a 13% increase from the 2021 report reaffirms the escalated security awareness across the industry in 2022.
New ‘Undistro’ Designed To Secure Software Supply Chain
The massive push for software supply chain integrity and transparency has left organizations struggling to bolt things like signatures, provenance, and software bill of materials (SBOMs) onto existing Linux distributions. Chainguard launched Wolfi; the first Linux OS developed for supply chain security, late last month.
Chainguard describes its release an (un)distro to separate it from the pack of roughly 1,000 existing Linux distributions, none of which are designed to fill the security gap in the software supply chain for existing Linux distros. Chainguard’s Founder and CTO is Matt Moore, who teamed up with fellow Googlers to address the security issues in the software supply chain.
What makes Wolfi so different is its design strategy. Wolfi is a Linux (un)distribution that builds toolchain designed from the ground up to produce container images that meet the requirements of a modern secure supply chain, according to the company’s press announcement. Its name comes from that of the world’s smallest octopus. That Wolfi moniker represents many key aspects of the Wolfi (un)distro, from minimalism to flexibility.
Based on the Android Package Kit (APK) file format, Wolfi’s granularity and independence support minimal images. The release provides a high-quality, build-time Software Bill of Materials (SBOM) standard for all packages and a fully declarative and reproducible build system.
Wolfi gives developers the secure by default base they need to build software; it scales to support organizations running massive environments and provides the necessary control to fix most modern supply chain threats. “With Wolfi, we can patch anything at any time, including language package managers,” Chainguard maintained.
Chainguard Images powered by Wolfi are a suite of distro-less images that support both musl and Glibc. These come with enterprise support, built according to the strict SLSA 4 requirements. Its community images are created with GitHub Actions and are SLSA 2 compliant. Wolfi images are rebuilt daily from upstream sources to keep everything fresh.
For more information on Wolfi, browse through the images on Chainguard’s GitHub repository, which also provides usage instructions. These images should integrate easily into existing pipelines, according to Chainguard. Signing and SBOMs can be retrieved with the cosign tool.