When you think of companies that support open source, you think of Google, IBM, and Intel. You don't think of Cisco, Microsoft, and VMware. Things have changed.
The OpenSSL Heartbleed security hole, arguably open-source's biggest security breach ever, has made many major technology companies realize just how much they all depend on open source and that such vital projects as OpenSSL need adequate funding.
So it is that The Linux Foundation brought Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, RackSpace, and VMware together to form a new project to fund and support critical elements of the global technology: The Core Infrastructure Initiative (CII).
The purpose of CII is to enable technology companies to collaboratively identify mission-critical open-source projects that need funding. That done, the project will then receive the funds its developers need to continue their work under their existing open-source management.
OpenSSL will be the first project under consideration. In 2013, OpenSSL, which was at the heart of Web security for millions of companies and organizations, got by on a mere $9,000. In past years, OpenSSL has received an average of $2,000 per year in donations.
The CCI funding will pay key developers to devote their efforts to OpenSSL. It will also provide other resources to assist the project in improving its security, enabling outside reviews, and improving responsiveness to patch requests.
This multi-million dollar project will be administered by The Linux Foundation and a steering group composed of project backers as well as key open-source developers and other industry stakeholders. Support from the initiative will include funding fellowships for key developers to work full-time on open source projects, security audits, computing and test infrastructure, travel, face-to-face meeting coordination and other support.
"Maintaining the health of the community projects that produce software critical to the security and safety of Internet commerce is in everyone's interest," said Eben Moglen, Columbia Law School professor and founding director of the Software Freedom Law Center, in a statement. "The Linux Foundation, and the companies joining this Initiative, are enabling these dedicated programmers to continue maintaining and improving the free and open source software that makes the Net work safely for us all. This is business and community collaboration in the public interest."
As Heartbleed showed, simply being open source doesn't guarantee that a project will avoid major mistakes.
"We are expanding the work we already do for the Linux kernel to other projects that may need support,” said Jim Zemlin, executive director of The Linux Foundation. “Our global economy is built on top of many open-source projects. Just as The Linux Foundation has funded Linus Torvalds to be able to focus 100 percent on Linux development, we will now be able to support additional developers and maintainers to work full-time supporting other essential open source projects. We are thankful for these industry leaders’ commitment to ensuring the continued growth and reliability of critical open source projects such as OpenSSL.”
Historically, open source development methods have produced high quality and highly secure software. For instance, the most recent Coverity Open Scan software quality study showed that open-source code has fewer errors than proprietary code. But, as Heartbleed showed, simply being open source doesn't guarantee that a project will avoid major mistakes.
To make sure that vital open-source projects don't have to operate on a shoe-string, CII members will be making millions available to such programs. After all, as Colin Kincaid, Cisco's VP of Product Management and Architecture, said, "Supporting dedicated open source collaborators and contributors is vital to the success and growth of innovation."
Doug Beaver, Facebook's Engineering Director of Traffic & Edge, agreed: "Open-source software makes today's computing infrastructure possible. Facebook is excited to support these projects and the developers who maintain them. This initiative will help ensure that these core components of Internet infrastructure get the assistance they need to respond to new threats and to reach new levels of scale."
In particular, securing open source software is a critical issue even for Microsoft. “Security is an industry-wide concern requiring industry-wide collaboration," said Steve Lipner, Microsoft's partner director of software security. "The Core Infrastructure Initiative aligns with our participation in open source and the advancement of secure development across all platforms, devices and services."
It took a major security catastrophe, but now many of technology's biggest players, including proprietary software companies, have realized that open-source software has become such a vital part of the global technology base that it must be supported not just with lip-service but with cold hard cash. Hopefully, the result will be better quality and safer software for all.