Interestingly, seems that the vast majority of responses disagree. 100m+ for "security" is not real value. Free tokens that can be applied to any service (not just AWS) is (potentially) huge and, most importantly, addresses a REAL threat, not just "make security better".
Conversation
IMO AWS showed everyone else up here. Addressed a real problem, helps their direct customers be safe across services, didn't have to spend 100M+ on nothing.
3
4
Replying to
If Google gave money to or something like this, or funded development/donated to critical infrastructure, that's not a bad contribution IMO. Lifting OpenSSL out of its previously underfunded state was a massive boost to everyone's security (for example).
1
Funding insecure infrastructure rather than replacing it with secure infrastructure isn't a long-term solution. It may make things worse rather than making them better.
No amount of funding is going to make OpenSSL into a project focused on security/correctness like BoringSSL.
1
2
I don't think what they intend to do with that money is simply funding critical open source infrastructure. I think they intend for most of it to be used on efforts like the Rust TLS stack they're funding via ISRG.
abetterinternet.org/post/preparing
At least, I hope that's their plan.
2
4
Similarly, see opentitan.org which is an open hardware secure element they could use to replace their Titan secure elements in Pixels and their servers, but available for others too.
Google does fairly aimlessly throw money at projects but has more focused efforts too.
2
5
Yeah, my concern was this was going to be aimless. If they actually put money into meaningful projects, I support that, but "open source security" is scary-vague.
Giving people tokens has obvious, real value. I don't have to really guess as much about it.
1
1
Google has gotten pretty good at this especially now that they're onboard with Rust. Likely interested in funding replacing a bunch of infrastructure with solid Rust projects, among other things.
Android 12 even replaces most of the old C++ Bluetooth stack with a new Rust one.
3
3
Interesting. Rust at Google has been something I've watched for a while and it felt fragmented for a long time, only recently (last year) making progress in some orgs. Seems like Fuschia was critical for that, since it unblocked build system support.
1
1
Rust is now one of the official AOSP languages with C++, Java and Kotlin. New components are going to be primarily written in Kotlin at a high level and Rust for low-level code. Fuchsia and AOSP have both thoroughly rejected any further use of Go beyond in the build system, etc.
2
2
I think Chromium will follow the same path as Fuchsia and AOSP in terms of using Rust for low-level code. I also wouldn't be surprised if they started using Dart for higher level code. I'm curious what will happen with Google's server-side Java code. It's so easy to use Kotlin.
They're also contributing quite heavily to Tock, a Rust "OS" for embedded systems, and their proof of concept here is a roll-your-own u2f security key on the nrf52840-dongle.
1
Check out security.googleblog.com/2021/06/rustc- and security.googleblog.com/2021/05/integr if you haven't already.
Rust is well integrated into AOSP. Uses same declarative Blueprint build system based on a ninja/bazel backend and has interoperability with C++ and auto-generated IPC APIs like Java and C++.
1
2
Thanks, I don't follow Android too much anymore tbh