The Internet may not agree on much. But if there’s one idea its citizens can get behind, it’s that nothing like the Heartbleed bug should ever happen again.
And so the Linux Foundation—backed by Google, Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, IBM, Intel, Microsoft, NetApp, Rackspace and VMware—is launching a new Core Infrastructure Initiative that aims to bolster open-source projects critical to the Internet and other crucial information systems. Many such projects are starved for funding and development resources, despite their importance to Internet communications and commerce.
The initiative is brand new—the steering committee hasn’t even had a meeting yet—so there aren’t many details as to how this will all work at the moment.
It’s hard not to applaud such an important development, even if the promise seems somewhat vague. Of course, the details do matter; no one wants to lull a post-Heartbleed world into a false sense of security. The Heartbleed bug tarnished the image of open source. Another serious failure could erode support for it.
That would be a shame—mostly because, despite the hard knock it’s taken from Heartbleed, open-source software really is more solid than proprietary code.
Heartbleed: The Truth Is Stranger Than Fiction
One of the biggest arguments in favor of open source—which typically depends on volunteers to add and refine programs and tools—is that projects with many eyes on them are less prone to serious bugs.
Often enough, that’s exactly how it works out. A recent report from software-testing outfit Coverity found that the quality of open-source code surpassed that of proprietary software. Shocked? You shouldn’t be. Popular open-source projects can have hundreds or thousands of developers contributing and reviewing code, while in-house corporate teams are usually far smaller and frequently hobbled by strict confidentiality to boot.
Unfortunately, not all open-source projects work like that. OpenSSL—yes, the communications-security protocol that fell prey to Heartbleed—was one such project.
This potentially huge security hole started out as a mistake made by a single developer, a German researcher named Robin Seggelmann. Normally, revised code gets checked before going out, and his work on OpenSSL’s “heartbeat” extension did go through a review—by a security expert named Stephen Henson. Who also missed the error.
So Heartbleed started with two people—but even involving the entire OpenSSL team might not have helped much. There are only two other people listed on that core team, and just a handful more to flesh out the development team. What’s more, this crucial but non-commercial project makes do on just $2,000 in annual donations.
If this were a fictional premise, no one would believe it. A critical security project, limping along on a couple of thousand dollars a year, winds up in the hands of two people, whose apparently innocent mistake goes on to propagate all over the Internet.
The Core Infrastructure Initiative aims to ensure that OpenSSL and other major open-source projects don’t let serious bugs lie around unfixed. Its plan: Fill in the gaps with funding and staff.
Making Open Source Whole
Security for the Internet at large was practically built on OpenSSL. And yet, the open-source software never went though a meticulous security audit. There wasn’t money or manpower for one.
From the Linux Foundation’s perspective, that’s unacceptable.
The Linux operating system may be the world’s leading open-source success story. Volunteers across the globe flock to Linus Torvalds’ software, contributing changes at a rate of nine per hour. That amounts to millions of lines of code that improve or fix various aspects of the operating system each year. And it draws roughly half a million dollars in annual donations. Some of those funds go to Torvalds, Linux’s creator, so he can dedicate himself to development full-time.
The Linux Foundation likewise sees its Core Infrastructure Initiative becoming a benefactor of sorts to key software projects, one that can direct funds to hire full-time developers, arrange for code review and testing, and handle other issues so that major vulnerabilities like Heartbleed don’t slip through the cracks again.
The first candidate is—you guessed it—OpenSSL. According to the press announcement, the project “could receive fellowship funding for key developers as well as other resources to assist the project in improving its security, enabling outside reviews, and improving responsiveness to patch requests.”
But OpenSSL is just the beginning. “I think in this crisis, the idea was to create something good out of it,” Jim Zemlin, executive director of the Linux Foundation, told me. “To be proactive about pooling resources, looking at projects that are underfunded, that are important, and providing some resources to them.”
Sounds like a great idea. Not only does the move address specific concerns about open-source development—like minimal staffing and non-existent funding—it would also reinforce the integrity of critical systems that hinge on it.
It’s an ambitious plan, one that came together at lightning speed. Chris DiBona, Google’s director of engineering of open source, told me Zemlin called him just last week with the idea.
“We [at Google] were doing that whole, ‘Okay, we’ve been helping out open source. Are we helping them enough?’” said DiBona, who reminded me that it was a security engineer at his company who first found the Heartbleed bug. “And then Jim calls up and says, ‘You know, we should just figure out how to head this off at the pass before the next time this happens.’ And it’s like, ‘Yeah, you’re right. Let’s just do it. We’ll try to find a way’.”
Over the next few days, other companies immediately jumped at the chance to help. “I think it’s a historical moment, when you have a collective response to what was a collective problem,” said Zemlin.
The Core Infrastructure initiative is still gaining new supporters. Just a few hours before I spoke with Zemlin and DiBona Wednesday evening, another backer signed on. As of this writing, 12 companies had officially joined the fold. Each is donating $100,000 per year for a minimum of three years, for a total of $3.6 million.
Those Pesky Details
Eventually, the details will have to be ironed out. There will be a steering committee made up of backers, experts, academics and members of the open-source community. And when they meet, they will need to make some big decisions—like determining criteria for deciding which projects get funded (or not). The committee will also need to figure out “what we consider to be a minimum level of security,” said DiBona.
Zemlin is careful to note that he doesn’t want to fall into the trap of over-regulating or dictating so much that it would alter the spirit of open-source development. “Everyone who’s participating will respect the community norms for the various projects,” he said. “We don’t want to mess up the good things that happen by being prescriptive.”
He and his initiative will draw from the Linux Foundation’s experience powering Linux development. “We have 10 years of history showing that you can support these projects and certainly not slow down their development,” Zemlin said. And indeed, if anyone can figure it out, it could be him and his foundation.
But it may not be easy, keeping the creative, free-spirited nature of open source alive in the face of serious core infrastructure concerns. Critical systems usually demand organization and regimented practices. And sometimes, to keep the heart from bleeding, a prescription might just be in order.