With the Heartbleed security bug being a good example of a potentially devastating open-source software vulnerability, the Linux Foundation has formed a multi-million dollar project to fund and support critical elements of the global information infrastructure.
Known as the “Core Infrastructure Initiative,” initial members include Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, VMware and The Linux Foundation.
OpenSSL, the open-source library behind Heartbleed, is the first project under consideration to receive support. In the past years, it had only received around $2,000 per year in funding through donations.
While many of these projects have become integral to online services, many would argue that their support has not kept pace, especially since software has grown in complexity across the board.
The Core Infrastructure Initiative is designed to provide fellowships to key developers so they can work on projects full-time. It also plans on helping open-source projects with outside reviews, speedy patch development, security testing and audits, test hardware, as well as funding for face-to-face group meetings.
“Maintaining the health of the community projects that produce software critical to the security and safety of Internet commerce is in everyone’s interest,” Eben Moglen said in a statement. Moglen is a Columbia Law School professor and Founding Director of the Software Freedom Law Center.
“The Linux Foundation, and the companies joining this Initiative, are enabling these dedicated programmers to continue maintaining and improving the free and open source software that makes the Net work safely for us all,” he stated. “This is business and community collaboration in the public interest, and we should all be grateful to The Linux Foundation for making it happen.”
After hearing about Heartbleed, many service providers pushed patches across their infrastructure and replaced potentially compromised certificates. But, while it had a particularly large impact, Heartbleed is one of countless vulnerabilities constantly being discovered in open-source and proprietary software.
Projects to fund will be chosen by the Linux Foundation and a steering group of project backers, along with key open source developers and other industry stakeholders.
With companies expanding their role in open-source projects, there’s always potential for corporate interests to take control of these community-supported projects. The Core Infrastructure Initiative, however, is designed to maintain the community norms that have made open source so successful, keeping corporations at arm’s length.