OpenSSL needs corporate funding to avoid Heartbleed repeat

Steve Marquess, OpenSSL Software Foundation president, has called for major users of OpenSSL to stump up and help fund a half dozen full-time OpenSSL employees, rather than the one it has now.
Written by Chris Duckett, Contributor

An outpouring of donations to the OpenSSL Software Foundation following last week's revelation of the Heartbleed OpenSSL flaw has netted the team that produces a critical piece of internet infrastructure a mere US$9,000.

Steve Marquess, OpenSSL Software Foundation president, said that even if the small donations arrived at the same rate indefinitely, it would not be enough for the project.

"It is nowhere near enough to properly sustain the manpower levels needed to support such a complex and critical software product," Marquess said in a blog post.

Marquess said that the burden for supporting the project should not rely on individuals, but on corporations and governments.

"The ones who should be contributing real resources are the commercial companies and governments who use OpenSSL extensively and take it for granted."

Fortune 1000 companies that use OpenSSL and never contribute to open source came in for special treatment from Marquess.

"I'm looking at...the ones who include OpenSSL in your firewall/appliance/cloud/financial/security products that you sell for profit, and/or who use it to secure your internal infrastructure and communications," he said.

"The ones who don't have to fund an in-house team of programmers to wrangle crypto code, and who then nag us for free consulting services when you can't figure out how to use it.

"The ones who have never lifted a finger to contribute to the open source community that gave you this gift. You know who you are."

Current funding for the foundation comes from support contracts, which start at US$20,000 for an annual contract and US$250 for hourly work, and from donations, which raise around US$2,000 annually. Most of the contract development work, however, is focused on specific features rather than on improving OpenSSL overall.

Marquess said that the project needed at least half a dozen full-time employees to be properly managed, and that a special kind of personality was needed to work under the current funding arrangements.

"It takes nerves of steel to work for many years on hundreds of thousands of lines of very complex code, with every line of code you touch visible to the world, knowing that code is used by banks, firewalls, weapons systems, web sites, smartphones, industry, government, everywhere. Knowing that you'll be ignored and unappreciated until something goes wrong," he said.

"The combination of the personality to handle that kind of pressure with the relevant technical skills and experience to effectively work on such software is a rare commodity, and those who have it are likely to already be a valued, well-rewarded, and jealously guarded resource of some company or worthy cause."

Striking back at comments that OpenSSL had made a sloppy mistake that broke the internet, Marquess said the mystery was not that overworked OpenSSL volunteers had missed the bug, but that such misses had not happened more often.

"Given the widespread use of OpenSSL over many years it still has an excellent track record."

"Two years passed before Google with its impressive technical resources and talent (and shortly thereafter Codenomicon) found this issue."

The call from Marquess mirrors a similar call made by OpenBSD earlier this year.

In January, OpenBSD founder and leader Theo de Raadt warned that OpenBSD would shut down if the money to cover its electricity bill could not be found.

"Rather than the 'little people' funding our efforts, many of the things we do in OpenBSD are often incorporated into products made by multimillion-dollar companies," said de Raadt at the time.

"This is not a BSD vs GPL issue, it is about a plain lack of goodwill, something you cannot mandate via a licence. A lack of goodwill is effectively bad will."

Less than a week later, the project had raised CA$100,000, with Google and one Romanian Bitcoin user being the largest donors.

The OpenBSD Foundation's funding campaign for 2014 currently sits above its CA$150,000 target, at CA$153,000.

Another open source foundation, the GNOME Foundation, today announced a budget freeze after it had covered the costs of internships for companies that had yet to pay for them.
