stop the heartbleeding

OpenSSL to get a security audit and two full-time developers

$5.4M plan to help open source funds OpenSSL, OpenSSH, and Network Time Protocol.

A Linux Foundation project inspired by the Heartbleed security flaw announced that it will fund a security audit for the OpenSSL code base and the salaries of two full-time developers.

The Heartbleed flaw shone a spotlight on how poorly funded the OpenSSL cryptographic software library is despite being used by many of the world's richest technology companies. The Linux Foundation, with support from those tech companies, created the Core Infrastructure Initiative (CII) to boost the security of OpenSSL and other open source projects in need of help.

Today, the foundation announced that the first projects to get funding will be OpenSSL, OpenSSH, and Network Time Protocol.

"OpenSSL will receive funds from CII for two full-time core developers," the announcement said. "The Open Crypto Audit Project (OCAP) will also receive funding in order to conduct a security audit of the OpenSSL code base."

The Linux Foundation further noted that "the OpenSSL project is accepting additional donations, which can be coordinated directly with the OpenSSL Foundation (contact at info@opensslfoundation.com)."

"It is fantastic news and a great start to a new beginning and revitalization of the OpenSSL project," OpenSSL Software Foundation President Steve Marquess told Ars. "I personally do not consider it 'enough' in that I'd ultimately like to see more than just two dedicated people working on OpenSSL, but these Linux Foundation fellowships are the most significant good news the OpenSSL project has ever had."

The fellowships are going to developers Stephen Henson and Andy Polyakov, Marquess said.

The members of the Core Infrastructure Initiative have each pledged to commit at least $100,000 a year for a minimum of three years, with that money being distributed to multiple open source projects. Members announced at the initiative's launch included Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Qualcomm, Rackspace, and VMware. Today, the Linux Foundation said that Adobe, Bloomberg, HP, Huawei, and Salesforce.com have also joined. Overall, $5.4 million over three years has been committed.

The Linux Foundation said it isn't disclosing how much money is being given to each project. As for OpenSSH and Network Time Protocol, a foundation spokesperson said they will receive "support for developers as well as infrastructure support." OpenSSH, developed by the OpenBSD project, is an open source implementation of the Secure Shell protocol used for remote command-line login and other types of secure communication. OpenSSH is deployed on popular Linux distributions as well as Apple's OS X. Network Time Protocol is an Internet protocol used to synchronize computer clocks.

While OpenSSL, OpenSSH, and Network Time Protocol are the only projects to be funded so far, they won't be the last. "Other projects are under consideration and will be funded as assessments are completed and budget allows," the Linux Foundation said.

The project's aim, Linux Foundation Executive Director Jim Zemlin said, "is to move from the reactive, crisis-driven responses to a measured, proactive way to identify and fund those projects that are in need."