A project to fund and support critical elements of the global information infrastructure is being backed by major technology names.
Formed by The Linux Foundation and backed by companies including Cisco, Microsoft, Dell, Google and Facebook, the initiative will collaboratively identify and fund open source projects that are in need of assistance.
Following the OpenSSL Heartbleed flaw revelations, the first project under consideration to receive funds from the Initiative will be OpenSSL, which could receive fellowship funding for key developers as well as other resources to assist the project in improving its security, enabling outside reviews, and improving responsiveness to patch requests.
Jim Zemlin, executive director of The Linux Foundation, said: “We are expanding the work we already do for the Linux kernel to other projects that may need support. Our global economy is built on top of many open source projects. Just as The Linux Foundation has funded Linus Torvalds to be able to focus 100 per cent on Linux development, we will now be able to support additional developers and maintainers to work full-time supporting other essential open source projects.
“We are thankful for these industry leaders’ commitment to ensuring the continued growth and reliability of critical open source projects such as OpenSSL.”
The initiative’s funds will be administered by The Linux Foundation and a steering group comprised of backers of the project, while support will include funding for fellowships for key developers to work full-time on open source projects, security audits, computing and test infrastructure, travel, face-to-face meeting coordination and other support.
Marty Roesch, VP and chief architect of the security business group at Cisco, and CTO and founder of Sourcefire, told IT Security Guru that the great thing about open source is you can have a group of people who are very dedicated on poor infrastructure, pick it up and help the core OpenSSL team out very quickly and transparently.
“It demonstrates the power of the open source way of doing things. Knowing all open source software has bugs – my open source software has bugs over the years and sometimes they exist for a long time as some of the bugs can be subtle,” he said.
“In open source we have the many eyes concept and they are discovering and rooting out bugs rapidly, we have an open discussion on the scope of the bug and determine whether we have seen it replicated anywhere else and what can be done to get rid of those bugs throughout an entire project.”
Imad Sousou, vice president and general manager of the Intel Open Source Technology Center, said: “Intel is committed to support the development of open source technology and Linux. As an active and long-term contributor to the open source community, Intel believes the Core Infrastructure Initiative can help provide long-term, sustainable support to Linux, the world’s most important open source standard.”
Steve Lipner, partner director of software security at Microsoft, said: “Security is an industry-wide concern requiring industry-wide collaboration. The Core Infrastructure Initiative aligns with our participation in open source and the advancement of secure development across all platforms, devices and services.”
John Engates, CTO of Rackspace, said: “Open source code powers everything we do online. We look forward to working with the Linux Foundation, our other company partners, and the open source community to make sure these projects get the support they need.”
In an email to IT Security Guru, TK Keanini, CTO of Lancope, said: “This news is generally good news as funding has been surprisingly low for such critical security functionality, but we need to be careful it does not swing the other way. Too much money too fast can also be toxic to these efforts so what is important is that the right governance be put in place and the Linux Foundation has a solid track record in getting this balance right.
“The reality is that even well-funded open source projects sometimes produce critical vulnerabilities. To be clear, this does not remove the chance that a Heartbleed like vulnerability will ever appear, it just makes it harder for it to be released and undiscovered for a very long period.”