(Naruhiko) • Japanese Open Source enthusiast • LibreOffice, Ubuntu, Desktop printing, ... • An employee of a Japanese security vendor • Senior security engineer • Internal tool developer (Scala) • River kayaker
security testing vendors • Not a "OSS centric" software company • Using several software both of proprietary and OSS • Develop some software but not published as OSS • Using international security standard developed by OWASP (Open Web Application Security Project) or CIS (Center for Internet Security) • But we have open mind • That’s why I belong to...
Translations • User Interfaces / Help / Online Documents • Having talks in several events like here • Organizing OSS events • File bug tickets for the Bug Tracking Systems • Join open international discussions via BTS / forums / mailinglists • (a little) code hack
tend to try to guess why when we don't understand something about the behavior of software or the operation of a community. • But especially in OSS, there is someone in front of you whom you can ask. • It is better to ask than to guess. • There's a language barrier, but machine translation should help you out!
the new version of this software has different behavior than prior one, I guess this should be a bug... Wait and see it will be solved." • "The developer has their own user forum. Why not to ask it is a bug or expected change?" • "OK, I will... Oh, they said it is expected. We must consider changing its use." • Now there's a culture of listening in forums etc. without me having to say anything.
forking • When we find something wrong with the OSS we are using, or something that behaves differently from what we want, we tend to solve it at our own hand (internal forking). • However, if there are other people who have the same problem, fixing it upstream will increase the number of happy people. • Also, we will not have to maintain our own solutions. • So it is better to send a pull-req upstream than to fork internally.
internal forking • "We found an error in the OWASP standard. We will not use it as it is, but will modify it." • "Hmm, OWASP publish their standard in GitHub, I think we should send a pull-req or file an issue." • "Oh, yes... The request has accepted, the standard has been fixed. Thanks!" • Sending pull-req is also now our usual culture!
upstream seems inactive • In the previous lesson, I told that it is better to send a pull-req upstream than a fork. • However, when the upstream project does not seem to be working, it is better to dare to fork to increase activity and increase the number of collaborators. • Forking is also an important freedom and power of OSS.
if upstream seems inactive (jOpenDocument) • Example 3-a: jOpenDocument • jOpenDocument is the Java library to manipulate OpenDocument Format, LibreOffice's native format. • This is powerful and useful, but unfortunately development has stopped since 2014. • See the slide “Why ODF is the best intermediate format for report generation systems” in COSCUP 2020 https://speakerdeck.com/naruoga/why-odf-is-the-best-intermediate-format-for-report-generation-systems
if upstream seems inactive (jOpenDocument) • Our business is highly depend on the library. • I pinged the original author via mailing list, but there was no answer. • So I decided to fork it as my personal project. • See the slide “jOpenDocument: Restarting the ODF manipulation Java library after a seven-years hiatus” in COSCUP 2021 • Then my colleague send some pull-req to support ODF 1.3, and several functional updates!!! • And now we are considering it will be our companie's “official” OSS (means publish it via our own organization) https://speakerdeck.com/naruoga/jopendocument-restarting-the-odf-manipulation-java-library-after-a-seven-years-hiatus
if upstream seems inactive (OWASP Mobile Top 10) • Example 3-b: OWASP Mobile Top 10 • This is the top 10 threats list for Mobile applications maintained by OWASP • Similar than OWASP Top 10, web top 10 threats • But last version is 2016 (6 years ago...) • There is a github issue about updating in 2020 but no response...
if upstream seems inactive (OWASP Mobile Top 10) • JSSEC: Japan Smartphone Security Assosiation • Japanese local assosiation founded to create security environment on smartphone for both users and service providers. • I asked the members to: > Want something like the OWASP Mobile Top 10? Let's make one ourselves and say to OWASP, "Hey, we made something like this, can we help you out?" • They were amused and I became the working group leader and we decided to implement this as this year's activity!
in the enterprise is important. • But it is also important to bring the OSS culture into the company, even if only partially. • If you are an OSS enthusiast, try to bring OSS culture to your company or organization! • It will surely make your life easier!!!