Open Source Initiative election hacked

The open-source licensing organization is investigating the hack and will then re-do the election.

The Open Source Initiative's (OSI) recent board election was hacked. The organization will re-run the election once the vulnerability in its voting process has been analyzed and fixed.

Deb Nicholson, the OSI's interim general manager, wrote that a "vulnerability in our voting processes was exploited and had an impact on the outcome of the recent Board Election. That vulnerability has now been closed. OSI will engage an independent expert to do a forensic investigation to help us understand how this happened and put measures in place to keep it from ever happening again."

So, what happened? OSI Executive Director, Josh Simmons, explained in an interview that:

"What we know for sure: the issue wasn't with Helios, [an open-source, online-voting system] but an issue with our processes and the way we use our database that created the opportunity for one or more entities to vote more than once. We'll be relying on an independent forensics expert and an Oversight Committee to tell us more about the nature of what happened, and we look forward to sharing that information as soon as we have it. We're committed to nothing less than a complete restoration of trust in the OSI elections and transparency as to what precisely went wrong in this last one."

The OSI was founded on February 3rd, 1998 in Palo Alto, California. This came after the announcement of the release of the Netscape source code, which would eventually lead to the Firefox web browser. The idea was to seize the moment to advocate for what would become the dominant programming paradigm of the 21st century, open source. It was also meant to distinguish open source from the Free Software Foundation's (FSF) free software model, which was perceived by many as being unfriendly to businesses.

As Christine Peterson, who coined the term "open-source," recalled:

"The introduction of the term 'open source software' was a deliberate effort to make this field of endeavor more understandable to newcomers and to business, which was viewed as necessary to its spread to a broader community of users. The problem with the main earlier label, 'free software,' was not its political connotations, but that -- to newcomers -- its seeming focus on price is distracting. A term was needed that focuses on the key issue of source code and that does not immediately confuse those new to the concept. The first term that came along at the right time and fulfilled these requirements was rapidly adopted: open source."

To help clarify what open source was, and wasn't, Eric S. Raymond, Bruce Perens, Peterson, and several other early open-source leaders founded the OSI. Its purpose was, and still is, to define what are and aren't real open-source software licenses.

In 2021, the OSI is resetting its mission statement. While it remains the steward of the Open Source Definition (OSD) and related open-source licenses, it's also looking for other ways to support, grow and maintain the open-source ecosystem. The new board will help set this new agenda. 

But, first, the OSI will make sure that its next election will be fair and represent the needs of its membership. Nicholson wrote, "Because it is critical to the integrity of our elections process and the trust of our members and the public place in OSI, we've made a decision to rerun our 2021 board elections for both Individual and Affiliate seats. ... We want to make absolutely sure that the Board Election accurately represents the will of our voters and in this instance, that means we must run it again."

Originally, the OSI was going to re-run the election starting on March 23rd. The members decided, however, that was much too fast.

Nicholson explained that lots of people have raised quite reasonable doubt -- and then some less reasonable fear, uncertainty, and doubt (FUD) seeped into the discourse. Plans changed accordingly. The new plan is to: 

  1. Engage an independent forensic expert to investigate the process and technology and report on their findings.

  2. Charter an Oversight Committee including a mix of current board members (excluding any who were running for reelection) and highly trusted and visible long-term members of the OSI community in good standing.

  3. Have the Oversight Committee receive the forensic report, summarize their findings, and, at their discretion, make recommendations to the Board.

  4. Have the Board decide on a course of action and publish the report after adding details about its own deliberations and both short- and long-term action plans.

  5. Communicate the report publicly as well as directly to voting members of OSI.

  6. Run the election again.

The goal is, Nicholson wrote, "to clear everything up and demonstrate to everyone in the community just how committed OSI is to do right by you. After all, OSI is an organization of, by, and for the community."
