The OpenSSL Heartbleed security fiasco made everyone aware of just how fragile and under-financed many vital open source projects were. To help fix the cash flow problem, a dozen top technology companies, including Amazon, IBM, Intel, and VMware, joined forces with The Linux Foundation to form the Core Infrastructure Initiative (CII). Here's how it's going to work.
There's no question of the need. Steve Marquess, the OpenSSL Software Foundation president, said after the Heartbleed security hole was revealed that OpenSSL had never received enough donations "to properly sustain the manpower levels needed to support such a complex and critical software product."
As Matthew Green, an assistant professor at Johns Hopkins University and OpenSSL critic, told BuzzFeed, "The OpenSSL Foundation has some very devoted people. It just doesn't have enough of them, and it can't afford enough of them." Or, as he put it in a tweet, "Windows has a dev team. OpenSSL these days is two guys and a mangy dog (said with love — they're great guys, and a great dog)..."
Something must be done if under-funded, mission-critical open source projects such as OpenSSL, OpenSSH, and OpenBSD are to remain trustworthy. OpenBSD, for example, which is working on its own fork of OpenSSL, almost had to close its doors because it could not pay its electricity bill.
CII hopes to make these kinds of problems a thing of the past for some projects. The goal, said Eben Moglen, Columbia Law School professor and founding director of the Software Freedom Law Center (SFLC), is to enable "dedicated programmers to continue maintaining and improving the free and open source software that makes the Net work safely for us all. This is business and community collaboration in the public interest." Specifically, the money will fund fellowships that let key developers work full time on open source projects, pay for security audits and for computing and test infrastructure, cover travel so that developers can meet face to face, and provide other support.
The project is starting, according to Linux Foundation Executive Director Jim Zemlin, with $3.9 million in seed money. More funding will be coming and more companies are expected to join CII shortly.
In an e-mail interview, Amanda McPherson, The Linux Foundation's chief marketing officer, explained that the methodology for choosing projects for funding is still a work in progress. Exactly how it will work "will be determined by the Steering Committee and Advisory Board." The final call will be made by the "CII Steering Committee, which will be informed by key developers and industry stakeholders and experts who will sit on the Advisory Board."
The Steering Committee, according to the CII FAQ, will be made up of "CII members, developers, and industry stakeholders to identify projects in need of support," while "The advisory board will be made up of key developers and industry stakeholders."
For the most part, CII will fund existing projects and they'll have no need to "apply" for grants. McPherson said, "Most of these projects are well known to computing experts who will be on the Steering Committee and Advisory Board so applications aren't needed, but there will be a way for projects to request funding on the site."
The exact criteria they'll be using to decide which groups will receive funding "will be determined by the Steering Committee and Advisory board in the coming weeks but generally, the Initiative has been established to help projects that are critical to our global infrastructure but that are currently being under-resourced," said McPherson.
How much each project gets is also up in the air. McPherson did say, however, that "Developer fellowships will generally pay developers what they would receive as a full-time employee on the open market. The only difference is they can devote 100% of their time to the open source project instead of juggling the company's needs with the project's needs." She added, "there are absolutely no strings attached" to the CII's fellowships.
In the meantime, more funding is already coming directly to some important open source projects. Nokia Solutions and Networks, the Nokia division that Microsoft did not buy, has announced that they've made a large donation to OpenSSL. While the exact amount is not known, Steve Marquess said in a statement "This is by far our largest donation to date."
Money can't solve every problem, but it can certainly help a lot. The world runs on open source software. Even Microsoft, a CII founding member, knows that. Hopefully, the CII and other companies giving back to the open source community will go a long way to making our core technologies both safer and more stable.