Since the discovery of the OpenSSL Heartbleed bug some two weeks ago, the one positive thing brought forth by it is a better understanding of the limitations of open source software development.
The main problem is almost always insufficient funding, which consequently affects the developers' ability to give all their attention to one project, and the project managers' ability to pay for independent quality source code audits.
Google has recently started a Patch Rewards Program to reward researchers who aim to "improve the security of key third-party software critical to the health of the entire Internet." The program includes many open source projects, including OpenSSL, but obviously, that is not nearly enough.
Well-known cryptographer Matthew Green pointed out that the small OpenSSL team has had "a pretty amazing record considering the amount of use this library gets and the quantity of legacy cruft and the number of platforms they have to support."
"Maybe in the midst of patching their servers, some of the big companies that use OpenSSL will think of tossing them some real no-strings-attached funding so they can keep doing their job," he noted.
The wish was echoed a little more forcibly by Steve Marquess, who runs the OpenSSL Software Foundation and is its "money guy."
He confirmed that since the discovery of the Heartbleed bug and the public revelation of the dire financial straits the OpenSSL project finds itself in, the Foundation has received an injection of cash from donations (around $17,000) from the OpenSSL user community. Still, he says, this uptick won't last, and in any case this amount of money is "nowhere near enough to properly sustain the manpower levels needed to support such a complex and critical software product."
"While OpenSSL does 'belong to the people' it is neither realistic nor appropriate to expect that a few hundred, or even a few thousand, individuals provide all the financial support," he pointed out. "The ones who should be contributing real resources are the commercial companies and governments who use OpenSSL extensively and take it for granted."
While the companies involved in the Initiative - Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, and VMware - might indeed have stepped in on their own at some point, props go to the Linux Foundation, which organized the joint effort. The list of participating companies will hopefully also grow in the days to come.
"The Core Infrastructure Initiative enables technology companies to collaboratively identify and fund open source projects that are in need of assistance, while allowing the developers to continue their work under the community norms that have made open source so successful," the announcement reads. "The most recent Coverity Open Scan study of software quality has shown that open source code quality surpasses proprietary code quality. But as all software has grown in complexity – with interoperability between highly complex systems now the standard – the need for developer support has grown."
"The Initiative’s funds will be administered by The Linux Foundation and a steering group comprised of backers of the project as well as key open source developers and other industry stakeholders. Support from the initiative will include funding for fellowships for key developers to work full-time on open source projects, security audits, computing and test infrastructure, travel, face-to-face meeting coordination and other support," it has been explained.
The first recipient of the funds and support will likely be the OpenSSL Software Foundation, but other projects will be considered as well, and those who are most crucial to the Internet and computer users will be funded.
"Our global economy is built on top of many open source projects. Just as The Linux Foundation has funded Linus Torvalds to be able to focus 100% on Linux development, we will now be able to support additional developers and maintainers to work full-time supporting other essential open source projects," commented Jim Zemlin, executive director of The Linux Foundation. "We are thankful for these industry leaders’ commitment to ensuring the continued growth and reliability of critical open source projects such as OpenSSL."