“An unmanageable mess” is how Paul Gillin, senior editor for Wikibon Inc. and SiliconANGLE Media Inc., described the open-source software community last year. Both proprietary legacies and open-source-native companies have since tried to bring order to the confusion. Now, the open-source community has resolved to pull itself together.

“We take seriously that that code runs modern society,” said Jim Zemlin (pictured), executive director at The Linux Foundation. “It keeps us private — or doesn’t, as we saw with Equifax hack, which was a CVE [Common Vulnerabilities and Exposures ID] and an open-source project.”

Equifax itself has blamed open-source Apache Struts software for last week’s breach, which affected at least 143 million people.

Zemlin spoke with John Furrier (@furrier) and Stu Miniman (@stu), co-hosts of theCUBE, SiliconANGLE Media’s mobile livestreaming studio, during this week’s Open Source Summit in Los Angeles. (* Disclosure below.)

Codies

In the nick of time, open-source leaders have joined forces on Community Health Analytics for Open-Source Software, or CHAOSS, a new Linux Foundation project announced on September 11. The project provides transparency and health and security metrics for open-source projects, Zemlin explained.

“If you don’t have a healthy project, you kind of don’t want to bet your company on this project by using it in a production system,” Zemlin said.

CHAOSS will monitor open-source project health on a number of levels, including:

• How many developers are contributing?
• Are there code-quality metrics that could be looked at?
• Do they have security practices, like a responsible disclosure policy and a security mailing list?
• Have they recently fuzzed (tested) their code?

For anyone unsure, the role Linux plays in open source can be clearly seen in CHAOSS, according to Zemlin. “We are the roadies, the supporting cast, the plumbers and the janitors of the system,” he said. “The real rock stars are the developers.”

However, these menial aids and assists might save coders a breach affecting 143 million people and a high-profile slamming in the press. “Throw your code up on GitHub — you don’t need The Linux Foundation, right? Why do we even exist? The answer is to do things like [CHAOSS],” Zimler concluded.

Watch the complete video interview below, and be sure to check out more of SiliconANGLE’s and theCUBE’s coverage of Open Source Summit 2017. (* Disclosure: TheCUBE is a paid media partner for Open Source Summit 2017. Neither The Linux Foundation nor Red Hat Inc. have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE