The Apache Software Foundation (ASF) participated today in a meeting hosted by the White House to discuss security of open source software, and how to improve the "supply chain" of open source software to better facilitate the rapid adoption of security fixes when necessary.

The virtual summit included representation from a number of companies and U.S. departments and agencies. Three representatives of the ASF participated in the virtual summit, ASF President David Nalley, VP of Security Mark Cox, and ASF board member Sam Ruby.

Securing open source and its supply chain

The ASF produces software for the public good. We are committed to working with the larger community, including industry and government consumers of open source software, to find ways to improve security while adhering to The Apache Way.

This means that we believe the path forward will require upstream collaboration by the companies and organizations that consume and ship open source software. There's no single "silver bullet" to get there, and it will take all of our organizations working together to improve the open source supply chain.

Since its inception more than 20 years ago, the ASF has evolved and adapted to meet the changing needs of its mission: to provide software in the public good, by providing support and services of its project communities. To do this, we've refined our governance models, our infrastructure, recommended best practices, and more over the years. 

We expect to continue to evolve and improve over the next 20 years, and helping to improve the security of the open source supply chain is part of that. We are committed to doing the work through our communities to help make that a reality.

Communities thrive on conversation

Those who are familiar with the ASF know that we value community and having a level playing field for contributors. We believe today’s conversation is a good beginning that can help catalyze and direct a wider response to addressing today’s security needs for open source software. 

Many of the organizations represented today are important contributors and consumers of open source, but of course are not all of the important contributors or consumers. We know that it’s important to hear from individual contributors as well as corporations, foundations and government entities. For our part, we’ll strive to make sure that happens.

As always, we welcome participation and contributions in our communities from those who wish to show up and be part of the projects that are part of the ASF. We appreciate the opportunity to participate in today’s conversation, and look forward to participating in the follow on conversations that this effort inspired.