Open source software has a problem, as was made patently clear in the recent Heartbleed mess (CVE-2014-0160), in which a crucial part of the infrastructure intended to secure communication between Internet clients and servers was shown to have a gaping vulnerability: a missing bounds check in OpenSSL's TLS heartbeat handling that let anyone who could connect read chunks of a server's memory, private keys included. OpenSSL is everywhere. It's a critical part of the online economy. The expense of fixing Heartbleed has been enormous, both for patching systems and for revoking and reissuing SSL certificates whose keys may have leaked, not to mention the more intangible cost in user trust.
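To make the bug class concrete, here is an added, self-contained C model of the Heartbleed defect. This is illustration code written for this page, not OpenSSL's source: a TLS heartbeat record (RFC 6520) is a 1-byte type, a 2-byte big-endian payload length, the payload, and at least 16 bytes of padding; the vulnerable handler echoes as many bytes as the peer *claims* it sent, while the fixed one refuses any record whose claimed length does not fit in the bytes actually received. The `arena` buffer is constructed sample data standing in for the receive buffer and whatever happened to sit after it in memory, and the function names are this example's own.

```c
/* Added example: the Heartbleed bug class (missing length check), simplified.
 * Not OpenSSL's code. Record layout per RFC 6520:
 *   [type:1][payload_length:2, big-endian][payload][padding >= 16] */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  0x01
#define HB_RESPONSE 0x02
#define HB_PADDING  16

/* Constructed sample: a malicious request that really carries a 2-byte
 * payload ("hi") but claims 32, followed by unrelated memory a server
 * might hold next to its receive buffer (a fake secret, not a real key). */
unsigned char arena[] =
    "\x01"                              /* heartbeat_request            */
    "\x00\x20"                          /* claimed payload_length = 32  */
    "hi"                                /* actual payload: 2 bytes      */
    "\0\0\0\0\0\0\0\0" "\0\0\0\0\0\0\0\0" /* 16 bytes of padding        */
    "SECRET-PRIVATE-KEY-MATERIAL";      /* adjacent memory, not in record */

/* The record the peer actually delivered is 1 + 2 + 2 + 16 = 21 bytes. */
size_t arena_record_len(void) { return 1 + 2 + 2 + HB_PADDING; }

/* Constructed sample: a well-formed request whose claimed length (2) matches
 * the bytes actually sent. */
unsigned char good_rec[] =
    "\x01" "\x00\x02" "hi"
    "\0\0\0\0\0\0\0\0" "\0\0\0\0\0\0\0\0";
size_t good_rec_len(void) { return 1 + 2 + 2 + HB_PADDING; }

/* Reads the header; returns the claimed payload length, or -1 on a runt. */
static int hb_claimed_len(const unsigned char *rec, size_t rec_len) {
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    return (rec[1] << 8) | rec[2];
}

/* Vulnerable handler: trusts payload_length and copies that many bytes from
 * the receive buffer, even when the record delivered far fewer. The copy runs
 * past the record into neighbouring memory (here, the fake secret). */
size_t hb_respond_vulnerable(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap) {
    int plen = hb_claimed_len(rec, rec_len);
    if (plen < 0) return 0;
    size_t n = 3 + (size_t)plen + HB_PADDING;
    if (n > out_cap) return 0;             /* only the *output* is checked */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, (size_t)plen); /* over-read: no check vs rec_len */
    memset(out + 3 + plen, 0, HB_PADDING);
    return n;
}

/* Fixed handler: the claimed length must fit inside the bytes received;
 * otherwise the record is silently discarded, as RFC 6520 requires. */
size_t hb_respond_fixed(const unsigned char *rec, size_t rec_len,
                        unsigned char *out, size_t out_cap) {
    int plen = hb_claimed_len(rec, rec_len);
    if (plen < 0) return 0;
    if ((size_t)1 + 2 + (size_t)plen + HB_PADDING > rec_len) return 0;
    size_t n = 3 + (size_t)plen + HB_PADDING;
    if (n > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, (size_t)plen);
    memset(out + 3 + plen, 0, HB_PADDING);
    return n;
}

int main(void) {
    unsigned char out[128];
    size_t n = hb_respond_vulnerable(arena, arena_record_len(), out, sizeof out);
    printf("vulnerable: %zu bytes echoed; payload tail = \"%.14s\"\n",
           n, out + 3 + 2 + HB_PADDING);       /* leaks SECRET-PRIVATE */
    n = hb_respond_fixed(arena, arena_record_len(), out, sizeof out);
    printf("fixed: %zu bytes echoed (0 = request dropped)\n", n);
    n = hb_respond_fixed(good_rec, good_rec_len(), out, sizeof out);
    printf("fixed, honest request: %zu bytes echoed\n", n);
    return 0;
}
```

The whole fix is the one comparison against `rec_len`; everything the attacker gets comes from the gap between what a message claims and what was actually received, which is the check to look for whenever a length field in a network format is used to size a copy.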
In the grand narrative of the open source world, this sort of thing isn't supposed to happen. While proprietary software is closed and hidden from view, open source code can be examined and audited by anyone who can understand it. The theory is fine, but in reality hardly anyone bothers to read the code, even for mission-critical software libraries like OpenSSL, whose development team is tiny.
OpenSSL is incredibly complex: very few have the expertise to properly audit it, and those who do don’t have the time to invest in an altruistic exercise. The same is true of many of the fundamental components that underlie the online ecosystem. This situation is nothing new — with the exception of a few star projects like the Linux kernel, open source projects have been woefully underfunded forever, particularly complex applications and libraries with cryptographic and security functions.
Fortunately, it appears that the tech giants whose success is built on open source software have been kicked out of their complacency by Heartbleed. Amazon, Intel, Google, IBM, Cisco, and even Microsoft have banded together with the Linux Foundation to form the Core Infrastructure Initiative.
The CII will be tasked with evaluating open source projects that are essential to the global online infrastructure to discover which of them are underfunded. Funds, donated by the members of the CII, will be funneled to those projects, mostly in the form of fellowships for key developers, so they can devote their full attention to making sure that the wheels don't fall off quite so spectacularly in the future.
The number and size of the companies involved is indicative of the vital importance of many open source projects and just how much we’ve all come to rely on them. I’d be surprised if there’s anyone in the developed world that doesn’t directly or indirectly benefit from the work of the developers who created software like OpenSSL. The Internet tech giants have made hundreds of billions of dollars collectively.
The penetration of open source software and its criticality to global infrastructure is evidence of the validity of the open source development method, but even good ideas need a little help from time to time.
Photo credits: nathanmac87