The Heartbleed vulnerability in the OpenSSL code has shown that a single flaw in any of the critical elements of the global information infrastructure can have devastating consequences for data security.
The computing industry has increasingly come to rely upon shared source code to foster innovation. But as this shared code has become ever more critical to society and more complex to build and maintain, certain projects have not received a level of support commensurate with their importance. For instance, the OpenSSL project has in past years received about $2,000 per year in donations.
Organized by the Linux Foundation, the Core Infrastructure Initiative, together with Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace and VMware, will enable technology companies to collaboratively identify and fund open-source projects that are in the critical path for core computing and internet functions and that are in need of assistance, while allowing the developers to continue their work under the community norms that have made open-source so successful.
“Protecting and supporting the work of open-source developers and the projects that provide the underpinning of the world’s technology infrastructure is of the highest priority,” said Don Ferguson, software CTO and senior fellow at Dell, in a statement. “The Core Infrastructure Initiative gives the industry a way to do this effectively.”
Indeed, the first project under consideration to receive funds from the Initiative will be OpenSSL, which could receive fellowship funding for key developers, as well as other resources, to assist the project in improving its security, enabling outside reviews, and improving responsiveness to patch requests.
The Initiative says it was "galvanized by the Heartbleed OpenSSL crisis." Its funds will be administered by The Linux Foundation and a steering group composed of backers of the project, as well as key open-source developers and other industry stakeholders. Support from the initiative will include funding for fellowships for key developers to work full-time on open-source projects, security audits, computing and test infrastructure, travel, face-to-face meeting coordination and other support.
“We are expanding the work we already do for the Linux kernel to other projects that may need support,” said Jim Zemlin, executive director of The Linux Foundation, in a statement. “Our global economy is built on top of many open-source projects. Just as The Linux Foundation has funded Linus Torvalds to be able to focus 100% on Linux development, we will now be able to support additional developers and maintainers to work full-time supporting other essential open source projects. We are thankful for these industry leaders’ commitment to ensuring the continued growth and reliability of critical open source projects such as OpenSSL.”
The Core Infrastructure Initiative will change funding requests from the reactive post-crisis solicitations of today to proactive reviews identifying the needs of the most important projects, the Foundation said.