Post Heartbleed, tech giants join initiative to bolster open source
In search of some cheer
The multimillion dollar Core Infrastructure Initiative (CII), newly formed in response to the Heartbleed bug, and currently supported by 12 vendors and the Linux Foundation will first tackle improving the security, enabling outside reviews, and boosting responsiveness to patch requests for OpenSSL.
CII, organized by The Linux Foundation and supported by Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, RackSpace, and Vmware, was conceived in the wake of the Heartbleed crisis as an initiative aimed at funding open source projects critical to shoring up the global computing infrastructure and which currently are under-funded.
CII plans to form a steering committee composed of members, developers and other stakeholders in the industry to identify projects and developers that need support, commit funding, ride herd over project roadmaps and approve additional members. The formation of the initiative came less than two weeks after OpenSSL Software Foundation President Steve Marquess made a plea for more funding in an April 12 blog post. "There should be at least a half dozen full time OpenSSL team members, not just one, able to concentrate on the care and feeding of OpenSSL without having to hustle commercial work," he posted.
Shared source code has increasingly fueled innovation, the CII said on the Linux Foundation website. And, Google's Chris DiBona, director of engineering for Open Source at the company, in a statement reiterated Google's belief “that an open-source approach to online security will ensure that code is constantly improving, making the web a safer place.”
But shared source code has also become more complex to build and maintain, with many worthy projects landing on the backburner because they don't get the funding they need. The OpenSSL project, for example, has pulled in a mere $2,000 in donations per year.
"Open source software makes today's computing infrastructure possible,” Doug Beaver, engineering director of Traffic & Edge at Facebook, said in a statement. “This initiative will help ensure that these core components of internet infrastructure get the assistance they need to respond to new threats and to reach new levels of scale.”
The organizations throwing their support behind CII have committed to at least $3.9 million of funding over three years, according to a report from Ars Technica.
"It sounds promising for critical OSS projects in general and could potentially be a game-changer for the OpenSSL project," the OpenSSL Software Foundation's Marquess told SCMagazine.com in an email correspondence. "We look forward to seeing what comes next."