Blog Post

Linux Foundation rounds up vendor posse to save OpenSSL

One thing we learned from the Heartbleed security crisis — other than that we need to be more password savvy — is that OpenSSL is a very important open-source project that has been used by lots of tech giants but gets funded by very few of them.

Today, the Linux Foundation launched a campaign to change all that — and said it’s signed up a who’s-who of tech backers to support development and improvement of OpenSSL. Initial participants of this Core Infrastructure Initiative are Amazon Web Services(s amzn), Cisco(s csco), Dell, Facebook(s fb), Fujitsu, Google(s goog), IBM(s ibm), Intel(s intc), Microsoft(s msft), NetApp(s ntap), Rackspace(s rax), VMware(s vmw) and The Linux Foundation.

Robin Seggelemann, the German developer who submitted code that accidentally included the vulnerability, told The Guardian the reason it went undetected for so long was that OpenSSL is “definitely under-resourced for its wide distribution. It has millions of users but only very few actually contribute to the project.”

A Linux Foundation spokeswoman said each company is providing $100,000 per year for a minimum of three years so the initial investment is $3.6 million spread over those three years. OpenSSL is the first of several projects that will get Core Infrastructure Initiative support.

The contributions come out of enlightened self-interest. Heartbleed hurts all these tech vendors because it spooks consumers and makes them wary of using web-based applications — and in this day and age, they’re pretty much all web-based.

Jim Zemlin, executive director of the Linux Foundation, said in a statement:

“Our global economy is built on top of many open source projects. Just as The Linux Foundation has funded Linus Torvalds to be able to focus 100% on Linux development, we will now be able to support additional developers and maintainers to work full-time supporting other essential open source projects. We are thankful for these industry leaders’ commitment to ensuring the continued growth and reliability of critical open source projects such as OpenSSL.”

The notion that fat cat vendors use free open-source software to build their empires without necessarily funding development work or sharing back enough of their intellectual property has long been a sore spot among open-source proponents. Perhaps the Heartbleed meltdown will change that in the long term.

2 Responses to “Linux Foundation rounds up vendor posse to save OpenSSL”

  1. Given those big names and the infamous disability of such to be frugal with money, this will cost millions of dollars will likely not resulting in anything close to as good as LibreSSL – the current on-going efforts of the OpenBSD team to clean up OpenSSL. Really, just save your money and let people who know security do the job for free.

    • gerardsexton

      “Good as LibreSSL”? Aren’t you jumping the gun a bit there – it is not released nor available for general Linux yet? They say they have removed 90K lines of code, hacking and slashing away in there. Anything new in security should be treated with great scrutiny.