Tech firms shell out to prevent another Heartbleed
The Heartbleed flaw uncovered in OpenSSL has prompted top tech firms to join forces to better support critical open-source projects.
OpenSSL is used by a wide range of tech firms and organisations, and underpins a large part of the security of the web. Despite its importance and heavy use, the project previously raised a scant $2,000 in donations annually, with the rest of its funding raised by charging for support.
The Linux Foundation is now heading up efforts to change that, starting the Core Infrastructure Initiative to boost funding and support for open-source projects – starting with OpenSSL.
The initiative’s backers include Amazon, Google, Microsoft and Facebook, and participants have already kicked in millions of dollars to pay for full-time developers, security audits, and infrastructure testing.
“Our global economy is built on top of many open-source projects,” said Jim Zemlin, executive director of The Linux Foundation. “Just as The Linux Foundation has funded Linus Torvalds to be able to focus 100% on Linux development, we will now be able to support additional developers and maintainers to work full-time supporting other essential open-source projects.”
The Linux Foundation stressed that the plans shouldn’t be seen as an indication that open-source software isn’t currently secure, merely that growing complexity in systems means more developer support is necessary.
OpenSSL is the first project under consideration for funds, but the idea is to improve code more broadly before future problems happen.
“The Core Infrastructure Initiative will change funding requests from the reactive post-crisis asks of today to proactive reviews identifying the needs of the most important projects,” the group said. “By raising funds at a neutral organisation like The Linux Foundation, the industry will effectively give these projects the support they need while ensuring that open-source projects retain their independence and community-based dynamism.”
OpenSSL has been on the receiving end of some criticism following the exposure of the Heartbleed flaw – notably from the OpenBSD community, which has created a fork of the project in order to clean up the code itself. OpenBSD founder Theo de Raadt has gone so far as to declare the OpenSSL team “not responsible software developers”.
However, Steve Marquess, the OpenSSL Software Foundation’s president and self-described “money guy” for OpenSSL, has revealed how little support the project receives.
Between its support contracts and the $2,000 in donations it normally gets, the project has never grossed more than $1 million in a given year.
Since Heartbleed raised its profile, donations to OpenSSL have been pouring in, totalling $9,000 as of last week, Marquess said – but warned that this “is nowhere near enough to properly sustain the manpower levels needed to support such a complex and critical software product”.
Speaking before the establishment of the Core Infrastructure Initiative, he said that “the ones who should be contributing real resources are the commercial companies and governments who use OpenSSL extensively and take it for granted,” pointing the finger at Fortune 1000 firms and the US Department of Defense. It would appear his wishes have been granted, though it’s unclear exactly how much funding or support the initiative will generate for OpenSSL.