A few days back I wrote a column about the “Heartbleed drama queens,” otherwise known as the folks in the media who were hyping the Heartbleed bug to make money and, in some cases, to bash open source. The Linux Foundation has struck back aggressively by launching the Core Infrastructure Initiative with a load of high-profile corporate partners, and in doing so has effectively taken a page from Linus’ book and given the finger to the open source bashers in the media.
Of course the middle finger characterization is mine and not the Linux Foundation’s. But I think it puts the lie to some of the drivel about open source that appeared in the wake of the Heartbleed bug. It might seem a bit over the top to some readers, but I think the media has to be called out when it disrespects the open source community in such a blatant way.
The Core Infrastructure Initiative is a multi-million dollar project to fund and support critical elements of the global information infrastructure. It is organized by The Linux Foundation and supported by Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, RackSpace, and VMware. CII enables technology companies to collaboratively identify and fund open source projects that are in need of assistance, while allowing the developers to continue their work under the community norms that have made open source so successful.
The first project under consideration to receive funds from the Initiative will be OpenSSL, which could receive fellowship funding for key developers as well as other resources to assist the project in improving its security, enabling outside reviews, and improving responsiveness to patch requests. CII was formed as a response to the Heartbleed security crisis; however, the Initiative’s efforts will not be restricted to security-related issues.
Yes, the open source community-based model works
One of the contentions by some in the media who dislike open source is that the community-based software model failed in the case of Heartbleed. But it’s never wise to underestimate the open source community, particularly parts of it like the Linux Foundation. When a problem is discovered the community will organize and find a way to fix the problem.
In the case of Heartbleed, it’s clear that some projects simply have not had the funding and staff available to properly maintain and improve them. The Core Infrastructure Initiative is an important step toward making sure that this does not happen again. However, the Linux Foundation has been quick to note that CII will not be limited to security-related problems. I was glad to see that, since it bodes well for other projects that have not been given the headline coverage of the OpenSSL bug.
A stellar list of corporate partners
The early list of corporate partners seems like a who’s who in the technology world:
Amazon Web Services
Cisco
Dell
Facebook
Fujitsu
Google
IBM
Intel
Microsoft
NetApp
RackSpace
VMware
Each company will contribute $100,000 per year for the next three years to CII. A steering committee will identify worthy projects and route money to them for various purposes, including development staff, security improvements, outside reviews, and improved responsiveness to patch requests. The committee will consist of developers, CII members, and other stakeholders.
One very prominent name missing from the list of corporate partners is Apple, and I’m not sure why. Apple has a page up on its site about open source, and it seems to be a prominent issue for the company. But no mention has been made of the Core Infrastructure Initiative. Nor did I see anything on the Linux Foundation’s site indicating any interest in the project on Apple’s part.
It may simply be that the project is too new for Apple to be aware of it, or the company might be taking its time in announcing support. But, given Apple’s very deep pockets and its use of open source software in its products, you’d think that they would have jumped right on the CII bandwagon. I suspect we’ll all have to stay tuned to see how this plays out.
Apple aside, kudos to all of the other companies that have decided to support the Core Infrastructure Initiative.
But why did it take so long?
Ars Technica has some coverage of the CII, and notes that it took companies a long time to realize that there were important resource-starved open source projects.
The companies pledging money here might have avoided a big mess if they donated years ago. The Heartbleed vulnerability would have been bad enough if it had been contained to Web servers, but it affected numerous other products too.
IBM had to warn its business customers that some of its products were put at risk by the Heartbleed flaw. So did Cisco, VMware, Dell, Intel, and NetApp.
According to Marquess’ post last week, “There should be at least a half-dozen full-time OpenSSL team members, not just one, able to concentrate on the care and feeding of OpenSSL without having to hustle commercial work. If you’re a corporate or government decision maker in a position to do something about it, give it some thought. Please. I’m getting old and weary and I’d like to retire someday.”
It’s a fair question, but I don’t think anybody has a very good answer for it. Let’s face it, stuff like OpenSSL isn’t glamorous or exciting enough to draw the attention of corporate or even many individual contributors. It’s not like OpenSSL is some cool new mobile platform based on Linux, or some gorgeous desktop environment for users to drool over. It’s an important but unobtrusive and even unnoticeable (until something like Heartbleed happens) part of the Internet’s infrastructure.
And this is really why efforts like CII are so important. They have the potential to draw these important and necessary projects out of the shadows, and to focus the attention of users and developers on them like a laser beam. Without that happening, bugs and problems can fester for years without anybody noticing them, and that’s not good for anybody.
How you can help the Core Infrastructure Initiative
The Linux Foundation has a contributions page up on its site. You can make a donation via PayPal or major credit card to support the Core Infrastructure Initiative. You can opt for a one-time donation or make it a recurring thing; it’s totally up to you.
While it’s wonderful that big companies like Cisco, IBM and others are contributing, it’s also a good idea for those of us who can afford it to chip in to help with the effort. I threw a few bucks into the pot while writing this article, and I encourage you to do so too if you can spare the cash.
Thank you, Linux Foundation
Kudos to the Linux Foundation for putting this effort together. I think it shows what can happen when the open source community identifies a problem and comes together to solve it. Things like this are one of the reasons why I’m so optimistic about the future of open source software. Sure, there are always going to be problems and issues. But none of them are insurmountable, and the open source community will always rally together in the end to get them fixed.
What’s your take on this? Tell me in the comments below.