In 2014, OpenSSL had a gigantic security problem: Heartbleed. Its root cause? A combination of blind trust in the open-source programming method and a shoe-string budget. Less than a year later Werner Koch, author and sole maintainer of the popular Gnu Privacy Guard (GnuPG) email encryption program, revealed he was going broke supporting GnuPG.
Koch's story had a happy ending. First, The Linux Foundation, via its Core Infrastructure Initiative (CII), donated $60,000 to GnuPG. Then, e-payments vendor Stripe and Facebook agreed to sponsor the program's development to the tune of $50,000 a year.
That's great, but something's seriously wrong when small but vital open-source programs can be ignored until either the code breaks from neglect or its programmers abandon it to make a living from more lucrative projects.
It's not the fault of open-source itself. Every major technology company invests millions in open-source development today. Even Microsoft, once proprietary software's poster child, is now a major open-source supporter.
No, the problem is that there are still many small but important programs that don't get the headlines and millions of dollars of a Docker, Linux, or OpenStack. These projects get swept under the carpet even though, as Heartbleed proved, they're absolutely vital to modern IT.
That's why last year The Linux Foundation -- along with Cisco, Microsoft, VMware, and many other Fortune 500 technology companies -- formed the CII. Its mission is to provide the funding needed by key developers to work full time on important open-source projects.
Since then, the CII has helped fund such tiny but significant programs as the Network Time Protocol (NTP), OpenSSH, and OpenSSL. It hasn't been enough.
The Linux Foundation knows this. Jim Zemlin, the Foundation's Executive Director, blogged on February 9 that while CII has done a lot, they're just getting started in helping those vital open-source cogs-and-gears programs that the larger programs need to keep running.
First, we have begun a comprehensive third party audit of the entire OpenSSL codebase, which represents almost half a million lines of code. This will provide objective third party analysis of the code to the development team in order to make the code better.
Second, we have been undertaking a research initiative to conduct a census of the hundreds of open source projects that directly impact the security and integrity of the global Internet. We are analyzing these projects based on the number of other components and systems that depend on them, the size and breadth of their community, the availability they have to resources, and much more. This research will allow us to make informed decisions about projects that we can fund in order to provide the highest impact.
Third, we are organizing a set of projects that go beyond simply funding specific open source projects and move toward providing additional resources such as shared testing, secure coding best practices and more that would help all open source projects improve their security and thereby improve the security of the Internet as a whole.
I'm glad to see this work being done. I urge companies that use open-source software--and it's hard to think of any technology business that doesn't today--to join and support the CII. Further, if you have an open-source project that you believe is important to the larger software ecosystem but has fallen off the radar, apply for a CII grant. If we all work together, we can make open-source software better than ever and make sure its programmers are well paid for their efforts.