Core Infrastructure Initiative just first step in open source funding

As the immediate danger of Heartbleed begins to subside, the theory of open source remains sound, yet questions of funding loom large. Perhaps enterprises should fund projects too.
Written by Chris Duckett, Contributor

On the barometer of security issues, Heartbleed was the big one that we were warned could happen. But as well as the security problems that Heartbleed revealed, it is also serving as a reality check on the world of open source software, which is going to need funding from its corporate beneficiaries.

In years past, it was often the case that business took the view that all that was needed was to drop source code on a server, and the community would magically descend to contribute and clean up the code base.

Similarly, users of open source software wrongly assume that because the code is open source, an extensive review and testing of the package has occurred.

But as Steve Marquess, OpenSSL Software Foundation president, wrote earlier this month, the question isn't how the Heartbleed bug occurred, but one of resources for the project.

Marquess said that the project needed half a dozen full-time employees, at least, for it to be better managed, and that a special personality was needed to work with current funding and deal with the scrutiny that is part of working on a widely used cryptographic project.

"It takes nerves of steel to work for many years on hundreds of thousands of lines of very complex code," he said. "Knowing that you'll be ignored and unappreciated until something goes wrong."

"So the mystery is not that a few overworked volunteers missed this bug; the mystery is why it hasn't happened more often."

Often, when the issue of funding open source projects is raised, it is individuals that stump up cash, rather than corporations making billions of dollars by building on the foundation that open source provides.

Following Heartbleed, OpenSSL received a stream of small donations that totalled a mere US$9,000.

"The ones who should be contributing real resources are the commercial companies and governments who use OpenSSL extensively and take it for granted," Marquess said.

Action is finally being taken in that direction with the establishment of the Core Infrastructure Initiative (CII).

Reportedly armed with US$3.9m in backing, the CII is intended to fund critical open source projects that are in need, of which OpenSSL will be the first.

While the idea of a group with millions of dollars to help out open source projects should be applauded, the numbers are less impressive when broken down.

From a consortium consisting of some of the technology industry's biggest corporations — Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, RackSpace, and VMware — the US$3.9m figure breaks down to a paltry average of US$325,000 each.

The real kicker, though, is that these numbers are spread across three years, so in essence the dozen companies that are part of the CII at the moment have signed on to pay the wage of one mid-level developer each.

"The computing industry has increasingly come to rely upon shared source code to foster innovation," the CII FAQ said.

"But as this shared code has become ever more critical to society and more complex to build and maintain, there are certain projects that have not received the level of support commensurate with their importance. As we just witnessed with the Heartbleed crisis, too many critical open source software projects are under-funded and under-resourced."

Faced with the biggest security issue of recent times, a collection of technology's biggest multi-billion dollar corporations found it in themselves to donate the annual wages for a single developer.

Such generosity from firms with billions of dollars each quarter in profit.

It is, however, at least a step in the right direction.

For too long, Free software has been misinterpreted as free software — free from the need to understand how it is doing things, and free from the need to audit.

The adage that "given enough eyeballs, all bugs are shallow" only works when a large community of testers and developers exists around a project. For projects with a high barrier to entry, such as encryption-related ones, finding the number of users needed to take advantage of all the testing benefits of open source can be difficult.

Heartbleed should once and for all dismiss the thought that open source software is inherently secure because of the methodology of its development, but there is still much that recommends it as a method of producing quality code.

The bigger question for many large open source projects is keeping the lights on. OpenSSL took in only US$2,000 before Heartbleed arrived, OpenBSD's survival was threatened by an electricity bill, GNOME recently imposed a budget freeze after running out of cash reserves, and Mozilla is heavily reliant on the goodwill and wallet of Google.

Beyond the first three years of CII, and projects deemed critical to CII, there are larger funding issues with open source to address.

CII is the first step, and it is time that those who have taken advantage of open source to build large corporate empires back the projects that helped them take on the world.
