Core Infrastructure Initiative just first step in open source funding


Summary: As the immediate danger of Heartbleed begins to subside, the theory of open source remains sound, yet questions of funding loom large. Perhaps enterprises should fund projects too.


On the barometer of security issues, Heartbleed was the big one that we were warned could happen. But beyond the security problems that Heartbleed revealed, it is also serving as a reality check on the world of open source software, which is going to need funding from its corporate beneficiaries.

In years past, business often took the view that all that was needed was to drop source code on a server, and the community would magically descend to contribute and clean up the code base.

Similarly, users of open source software wrongly assume that because the code is open source, an extensive review and testing of the package has already occurred.

But as Steve Marquess, OpenSSL Software Foundation president, wrote earlier this month, the question isn't how the Heartbleed bug occurred, but one of resources for the project.

Marquess said that the project needed at least half a dozen full-time employees for it to be properly managed, and that it took a special personality to work with the current level of funding and deal with the scrutiny that comes with working on a widely used cryptographic project.

"It takes nerves of steel to work for many years on hundreds of thousands of lines of very complex code," he said, "knowing that you'll be ignored and unappreciated until something goes wrong."

"So the mystery is not that a few overworked volunteers missed this bug; the mystery is why it hasn't happened more often."

Often, when the issue of funding open source projects is raised, it is individuals who stump up cash, rather than the corporations making billions of dollars by building on the foundation that open source provides.

Following Heartbleed, OpenSSL received a stream of small donations that totalled a mere US$9,000.

"The ones who should be contributing real resources are the commercial companies and governments who use OpenSSL extensively and take it for granted," Marquess said.

Action is finally being taken in that direction with the establishment of the Core Infrastructure Initiative (CII).

Reportedly armed with US$3.9m in backing, the CII is intended to fund critical open source projects that are in need, of which OpenSSL will be the first.

While the idea of a group with millions of dollars to help out open source projects should be applauded, the numbers are less impressive when broken down.

From a consortium consisting of some of the technology industry's biggest corporations — Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, RackSpace, and VMware — the US$3.9m figure breaks down to a paltry average of US$325,000 each.

The real kicker, though, is that these numbers are spread across three years, so in essence the dozen companies that are part of the CII at the moment have each signed on to pay the wage of one mid-level developer.

"The computing industry has increasingly come to rely upon shared source code to foster innovation," the CII FAQ said.

"But as this shared code has become ever more critical to society and more complex to build and maintain, there are certain projects that have not received the level of support commensurate with their importance. As we just witnessed with the Heartbleed crisis, too many critical open source software projects are under-funded and under-resourced."

Faced with the biggest security issue of recent times, a collection of technology's biggest multi-billion dollar corporations each found it in themselves to donate the annual wage of a single developer.

Such generosity from firms that each post billions of dollars in profit every quarter.

It is, however, at least a step in the right direction.

For too long, Free software has been misinterpreted as free software — free from the need to understand how it is doing things, and free from the need to audit.

The adage that "given enough eyeballs, all bugs are shallow" only works when a large community of testers and developers exists around a project. For projects with a high barrier to entry, such as cryptography-related ones, finding enough qualified contributors to realise the testing benefits of open source can be difficult.

Heartbleed should once and for all dismiss the notion that open source software is inherently secure because of the methodology of its development, but there is still much that recommends it as a method of producing quality code.

The bigger question for many large open source projects is keeping the lights on. OpenSSL took in only around US$2,000 a year in donations before Heartbleed arrived, OpenBSD's survival was threatened by an electricity bill, GNOME recently imposed a budget freeze after running out of cash reserves, and Mozilla is heavily reliant on the goodwill and wallet of Google.

Beyond the first three years of the CII, and beyond the projects it deems critical, there are larger open source funding issues to address.

The CII is a first step, and it is time that those who have taken advantage of open source to build large corporate empires backed the projects that helped them take on the world.


Topics: Open Source, Linux, Security


Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.



  • OpenSSL shows that the Open Source Myth is ... a Myth!

    In order to actually work, Open Source needs proprietary developers using proven proprietary software development techniques to actually work.

    (E.g., Linux, mostly developed by proprietary software developers working in large corporations using well-known proprietary software development techniques.)

    Everything else (the "million eyes") is a myth, which has never ever worked.
    Ian Easson
    • Not really.

      The best developers are those that work on what they want, and what interests them.

      Proprietary software development doesn't allow that.

      Linux didn't start that way, nor was it designed that way.

      The people that worked on it independently identified a business use for what the whole could be used for... and formed the companies.

      So you got that part backward.

      The "million eyes" still produced the most error-free operating system ever known, one that can scale from the smallest controllers to the largest supercomputers ever built.

      And it works quite well. If the source to Windows+IE were generally available (and could be used for creating running systems), do you think that 0 day announcement Microsoft has just given would have lasted so long?
      • Please explain..

        "The best developers are those that work on what they want, and what interests them.
        proprietary software development doesn't allow that"

        You can always find a company to work on what you want, or create your own company and develop whatever your interests are.

        If you want to release your code for free, to save the world from the evil corporations, then don't complain if your checking account is empty at the end of the month, or if corporations use your code to actually make some money.
      • Logic

        So with your logic

        "The best developers are those that work on what they want, and what interests them.

        proprietary software development doesn't allow that."

        That means OpenSSL does not have good developers.
    • Then why do open source projects have fewer bugs on average?
  • Cheap does not equal value for money

    You get what you pay for.
    • Depends entirely on the currency used...

      You can pay in cash...

      Or you can pay in barter. For a number of things barter is more effective.
  • Finally the truth

    We can tell the "F" in OSS crowd to take their "F" and "F" off. There is NOTHING that is really "free as in beer" that is in the end worth it. The cost in dollars, euros, yen, whatever is replaced with the cost in risk. And with more lawyers than programmers out there to feed, that one is more expensive.

    And truthfully, quality work does require support and discipline, which does require being funded. Just hoping "someone will see it" is a bit like policing by saying someone will spot the crook. It has never worked either (ask the neighbors who get broken into or the retiree who loses their life savings to a phone scam or a Wall Street scam missed by the self-policing out there).

    It also shows how OSS got so big so fast and that has to do with money too. A lot of companies that should have known better were more than willing to take whatever they could grab for nothing and run with it. There is the talk of tech companies giving back to open source, but how many non-software-related entities use it and don't even remotely think about giving back. Bet a lot. Same reason why XP won't go away, since a large block of business in some parts of the world rely on the pirated versions. Likewise the lure of a FREE software package that can be made to work is way too tempting for a lot of companies. And consultants who can make more themselves by selling this didn't help.

    Guess a whole generation of business folks are going to have to relearn what it means to support software development. First wholesale outsourcing in many cases blew up, and now relying blindly on open source is doing the same.

    There is NOTHING FREE. You pay now, or you pay later. Paying for OSS starts now.
    • The difference between free as in freedom and free as in no cost

      Do you know what that difference is? You can have free software that is paid for, see the billion dollar company Red Hat for example.

      The difference lies in that with free software, you are free to do whatever you want, INCLUDING paying for high quality support and skilled developers.
    • " big so fast..."???

      Software has been freely available ever since there have been computers.

      Proprietary software has only existed since about 1975 (+- a couple of years).

      The source code to entire operating systems, compilers, database systems had been distributed since day one. The money was made from the hardware, not the software.

      Customers worked on it, users worked on it, contributing changes back, contributing entire systems back.

      Open source the entire time. Sometimes with a license that came with the hardware, sometimes not. One of the largest organized sharing groups was the IBM Share, the group of IBM mainframe users that shared problems, solutions, code... EVERY vendor attempted to have the best user group - as they found it was a good sales promotion.

      "...companies that should have known better were more than willing to take whatever they could grab for nothing and run with it."

      Including Microsoft. How else do you think they learned how to implement TCP/IP? For YEARS it had a BSD copyright on it. Did MS contribute back? Nope. Neither money nor code.

      "First wholesale outsourcing in many cases blew up, and now relying blindly on open source is doing the same."

      What do you think purchasing off the shelf software is? Nothing different than "outsourcing" software development from your company, "and now relying blindly" on that outsourced development.

      There are still SHARED EXPENSES when using open source, when you contribute development time to a project. For each company the development is cheaper, and the risks are smaller... Even just using OSS makes things cheaper - and things get better when the problems are reported... This is just part of quality control.

      Everybody can contribute, nobody is excluded...