OpenSSL and Linux: A Tale of Two Open-Source Projects

The Heartbleed bug has cast a bright and not entirely flattering light on the open-source movement’s incentive model.

When a crucial and ubiquitous piece of security code like OpenSSL — left vulnerable for two years by the Heartbleed flaw — can be accessed by all the world’s programming muscle, but only has one full-time developer and generates less than $2,000 in donations a year, clearly something is amiss.

But then there’s Linux.

Linux, arguably the world’s most emblematic open-source project, provides a counterpoint to OpenSSL’s problems. Volunteers all over the world submit seven changes to Linux every hour, and millions of lines of code improvements and fixes are voluntarily added to the software every year. Over 180 major companies, including Hewlett-Packard, Oracle, IBM and Samsung, every year contribute around half a million dollars to the Linux Foundation, the nonprofit that supports the Linux system.

So what explains the discrepancy between the inattention to OpenSSL and the great fortune of Linux? Good old lack of awareness, experts say.

Open-source advocates and participants say Linux has simply had the benefit of strong brand ambassadors and better name recognition than OpenSSL.

As a student in Finland, Linus Torvalds wrote the original software in 1991 for the Linux operating system. Seen here in 2004 with the system's mascot, he is often credited as having jump-started the open-source movement. Credit Paul Sakuma/Associated Press

Thousands of televisions sold every day are controlled by Linux. Ninety-two percent of the world’s high-performing computing systems run on Linux. It runs financial systems, Internet and air traffic control systems, Android smartphones and Kindles.

Linux may be invisible to most consumers, but because it is used so widely and in so many vital systems, experts say, companies are acutely aware that their livelihood depends on Linux’s health and are more than happy to contribute financially and in the form of programmers’ time and energy.

The fact that OpenSSL escaped such awareness was “a screw-up,” said Jim Zemlin, the executive director of the Linux Foundation.

“I don’t believe there was some nefarious free-rider problem going on here, or that this was a case of perverse incentives,” he said. “It was a screw-up. With Heartbleed and OpenSSL, most people were looking around and saying ‘Oh yeah, what ever happened to those guys?’”

Part of the problem, some open-source advocates say, is that OpenSSL is in dire need of someone like Linus Torvalds, the Finnish programmer who developed the Linux operating system, jump-started the open-source movement and is actively involved with the project today.

“You do need an ambassador,” Mr. Zemlin said. “We regularly employ Linus Torvalds and Greg Kroah-Hartman,” another well-known Linux developer.

Mr. Zemlin regularly sits on conference panels, does press interviews, and is often on the TED conference circuit reminding people of Linux’s humble origins and its current importance.

Some open-source advocates say Mr. Zemlin is exactly what OpenSSL is missing. “OpenSSL simply hasn’t had the benefit of a leader like Jim around it,” said Brian Behlendorf, a board member at the Electronic Frontier Foundation and the Mozilla Foundation, another open-source project, which runs the Firefox browser.

“There’s a new world order where developers have become the new king-leaders and I’m just their lobbyist,” Mr. Zemlin said. “You have to fund these projects in a way that is on a level with their importance to our society.”

Until the Heartbleed bug was disclosed last week, not many had heard of Dr. Stephen Henson, the developer who is the only person to work full time on OpenSSL, or the OpenSSL Software Foundation and its director, Steve Marquess.

The good news, open-source advocates say, is that in the last week that has changed.

Now Mr. Zemlin and other open-source advocates are working to fix what is being coined as the “OpenSSL problem,” which affects many other open-source projects that play a crucial role in the digital age but are maintained by the work of a small, strained cadre of volunteers.

“OpenSSL is far from unique,” said Eric Steven Raymond, author of the book “The Cathedral and the Bazaar,” an open-source manifesto of sorts. “There are lots of critical libraries maintained by volunteers that are not given enough attention.”

Mr. Raymond pointed to other crucial systems like the Domain Name System, a kind of switchboard for the Internet that is held together by volunteers at nonprofits and some corporations, and the Internet Time Service protocol, a crucial feature that syncs the clocks of computers over the Internet. Major financial exchanges depend on the protocol’s health, but it’s currently being managed by one volunteer programmer in Maryland.

“The leadership is aware this is a serious incentive problem here and we are going to fix it,” Mr. Raymond said.