At Mozilla we were born out of, and remain a part of, the open source and free software movement. Through the Mozilla Open Source Support (MOSS) program, we recognize, celebrate, and support open source projects that contribute to our work and to the health of the Internet.
Our major initiative in the past few months has been the launch of “Global Mission Partners: India”, a pilot scheme to bring the Mission Partners track of MOSS to particular regions of the globe which have strong open source communities. The initial application period has just closed, and our India committee will shortly begin the work of assessing the more than a dozen applications we have received.
We’ve also received updates from earlier awardees who have finished their work. We made an award last year to the Tor Project to improve their metrics; they’ve written a blog post and final report (PDF) on how that went. The Kea DHCP server project finished their configuration API, and ReadTheDocs have significantly improved the Python documentation ecosystem. Now that MOSS has been in action for a while, we are starting to amass a significant collection of ecosystem improvements which would not have happened without our support.
Additionally, since our last update, we have made a total of $539,000 in additional awards.
The biggest amount ($194,000) went to Ushahidi, an open source software platform for crowdsourcing, monitoring, visualizing, and responding to reports from people caught up in political turmoil or subject to governmental or vigilante abuse. They are working on making it easier to submit reports securely, and on documentation explaining how to deploy Ushahidi while minimising risk to the hosts.
We have also agreed to support some other projects we believe will advance a free and healthy Internet:
- $100,000 to RiseUp, a coordination platform used by activists across the political spectrum, to improve the security of their email service;
- $50,000 to Phaser, the open source HTML5 games engine, to allow them to complete the development of version 3;
- $70,000 for creating mod_md, an Apache module which speaks ACME, the automated certificate issuance protocol, to make it easier for websites to deploy and use secure HTTP.
Under the Secure Open Source arm of MOSS, it’s been a good few months from a security perspective. We ran audits on the codebases of expat (an XML parser) and GNU libmicrohttpd (an embedded HTTP server). In neither of these cases did we find an issue more severe than Medium.
We also managed an audit on chrony, which is another NTP daemon, following on from our previous audits of ntp and ntpsec. This audit was funded by the Core Infrastructure Initiative, who have done a comparative write-up of the results from their perspective.
The experienced security auditors who evaluated chrony were particularly impressed, writing a ringing endorsement in their report: “Withstanding eleven full days of testing … means that Chrony is robust, strong, and developed with security in mind. The software boasts sound design and is secure across all tested areas. … While the functional scope of the software is quite wide, the actual implementation is surprisingly elegant and of a minimal and just necessary complexity. In sum, the Chrony NTP software stands solid and can be seen as trustworthy.”
Applications for “Foundational Technology”, “Mission Partners”, and “Global Mission Partners: India” remain open, with the next batch deadline being the end of October 2017 (January 2018 for India). Please consider whether a project you know of could benefit from a MOSS award. Encourage them to apply! You can also submit a suggestion for a project which might benefit from an SOS audit.