Life Support: Tech Coalition Hopes To Prevent Another Heartbleed

After the Heartbleed bug exposed the low level of funding the OpenSSL project was subsisting on, a tech-world coalition led by the Linux Foundation came up with a plan to fund the project, along with similar ones.

The effects of the Heartbleed bug—a flaw in the OpenSSL software used widely across the internet—exposed an oversight in the way open-source software works.

Short version: Critical low-level infrastructure wasn’t getting the support it needed in the open-source community. Now a number of major firms are working to solve that issue.

The Core Infrastructure Initiative (CII), a coalition of tech companies brought together by the Linux Foundation, plans to help fund and administer projects such as OpenSSL whose value isn’t obvious on the surface but which help power large portions of the internet.

OpenSSL had a wide reach—it’s used by more than half a million servers worldwide—but only limited funding. The project received around $9,000 in donations in the wake of the Heartbleed bug, according to OpenSSL Software Foundation President Steve Marquess. In prior years, it got by on as little as $2,000.

In a blog post, Marquess noted that team members often had to take on secondary consulting projects to fund their OpenSSL work.

“There should be at least a half dozen full-time OpenSSL team members, not just one, able to concentrate on the care and feeding of OpenSSL without having to hustle commercial work,” he wrote. “If you’re a corporate or government decision maker in a position to do something about it, give it some thought. Please. I’m getting old and weary and I’d like to retire someday.”

Fulfilling A Need

The Heartbleed incident led many to question whether the corporate world was doing enough to fund the open-source projects so much of it relies on, in the way it already backs the Linux Foundation. CII appears to be a direct response to that criticism.

“The computing industry has increasingly come to rely upon shared source code to foster innovation,” CII’s FAQ states. “But as this shared code has become ever more critical to society and more complex to build and maintain, there are certain projects that have not received the level of support commensurate with their importance. As we just witnessed with the Heartbleed crisis, too many critical open-source software projects are under-funded and under-resourced.”

The companies taking part in the endeavor—donating $100,000 per year for three years—include tech giants like Amazon, Dell, Facebook, Google, IBM, Microsoft, and Intel, according to The Washington Post.

While OpenSSL will be the first coalition-funded project, similarly important open-source projects are expected to get coalition funding as well.

“We are expanding the work we already do for the Linux kernel to other projects that may need support,” the Linux Foundation’s executive director, Jim Zemlin, told ZDNet.


By Ernie Smith

Ernie Smith is a former senior editor for Associations Now.