Forgot your password?
typodupeerror
Open Source Google Microsoft

Microsoft, Google, Others Join To Fund Open Source Infrastructure Upgrades 101

Posted by timothy
from the and-moving-forward-henceforth dept.
wiredmikey (1824622) writes "Technology giants including Microsoft, Google, Intel, and Cisco are banding together to support and fund open source projects that make up critical elements of global information infrastructure. The new Core Infrastructure Initiative brings technology companies together to identify and fund open source projects that are widely used in core computing and Internet functions, The Linux Foundation announced today. Formed primarily as the industry's response to the Heartbleed crisis, the OpenSSL library will be the initiative's first project. Other open source projects will follow. The funds will be administered by the Linux Foundation and a steering group comprised of the founding members, key open source developers, and other industry stakeholders. Anyone interested in joining the initiative, or donating to the fund can visit the Core Infrastructure Initiative site."
This discussion has been archived. No new comments can be posted.

Microsoft, Google, Others Join To Fund Open Source Infrastructure Upgrades

Comments Filter:
  • OpenSSL has nothing to do with Linux, other than that a number of vendors that bundle it with their products also bundle Linux. The FreeBSD or NetBSD Foundations would have made as much sense (i.e. none).
    • by sproketboy (608031) on Thursday April 24, 2014 @09:04AM (#46831977)

      Mentioned in the FAQ:

      http://www.linuxfoundation.org... [linuxfoundation.org]

      For the lazy:

      Why is The Linux Foundation the right forum for this funding?

      The Linux Foundation is a nonprofit organization with strong, existing relationship throughout the technology industry. It marshals the resources of the Linux ecosystem and other innovative open source projects to provide much needed services that are not easily offered by a single community member, entity or company. By raising funds at a neutral organization like The Linux Foundation, the industry can effectively give projects the support they need while ensuring that open source projects retain their independence and community-based dynamism.

      • While that is correct, the Linux foundation does not focus on security-first. If they cared about things like heartbleed and want the best there is in security, they should have picked the OpenBSD Foundation.

    • by king neckbeard (1801738) on Thursday April 24, 2014 @09:13AM (#46832031)
      I'm not aware of a FreeBSD foundation or a NetBSD foundation. The Linux Foundation, however, is a consortium that includes several large companies and has individuals experienced with bridging gaps between big corporations and communities. It's also worth remembering that the Linux foundation arose from the merger of Open Source Development Labs and Free Standards Group. When you take in that context, it makes a lot more sense.
      • by ReeceTarbert (893612) on Thursday April 24, 2014 @09:28AM (#46832133)

        I'm not aware of a FreeBSD foundation or a NetBSD foundation.

        Okay, time to get up to speed then:

        The FreeBSD Foundation [freebsdfoundation.org]

        Donations to The NetBSD Foundation [netbsd.org]

        RT.

      • by TheRaven64 (641858) on Thursday April 24, 2014 @09:47AM (#46832287) Journal
        It's a shame then that they chose a name that explicitly excludes large portions of the Free and Open Source Software ecosystem.
        • Agreed. When you talk about core infrastructure, yes OpenSSL is definitely part of it. But what about the ISC (BIND)? I suppose it could be that the Linux Foundation has the reputation they were going for, but if that was the case why not fund LibreSSL.

          • by gbjbaanb (229885)

            because it has a stupid name, and it is getting all its cross-platform code ripped out to make it BSD-friendly.

            Why not fund openSSL developers to do the same with the OpenSSL code, but including much of the cross platform options that has made it so ubiquitous. And without the silly name,

            • by RR (64484)

              Why not fund openSSL developers to do the same with the OpenSSL code, but including much of the cross platform options that has made it so ubiquitous. And without the silly name,

              Because all those cross-platform hacks directly contribute to its bugginess. The Heartbleed bug was facilitated by a cross-platform reimplementation of malloc that was written for speed rather than security.

              And also because the OpenSSL developers have been demonstrated to sit on patches for years instead of fixing bugs.

              For a morbidly good time, go look at OpenSSL Valhalla Rampage, [opensslrampage.org] a blog highlighting some of the insanity that the OpenBSD devs are encountering as they rewrite OpenSSL into LibreSSL. It become

        • by rtb61 (674572)

          As long as they also exclude a bunch of US three letter agencies with a special mention for the NSA, their agents and contractors. Sometimes some sources should be excluded, not to judge anyone, excluding of course the NSA, which of course should now be considered a bunch of security fuckups.

  • Pick and choose (Score:5, Insightful)

    by just_another_sean (919159) on Thursday April 24, 2014 @09:08AM (#46831997) Homepage Journal

    Say what you want about Theo or the name his team has chosen but I think I'd rather give my money to OpenBSD's LibreSSL project than donate to this.

    I get that they are probably just after the good will and PR that this will generate, and that this isn't some vast conspiracy against open source, but I don't trust one of the companies on that list to give a care once public attention to heartbleed dies off.

    Pick a project and donate directly, don't let these giants pick and choose for us!

    • > and that this isn't some vast conspiracy against open source

      In fact, there is no need to fear conspiracies, when standard operating practice in business, with open source* considered as an external threat, brings same results.

      (*) I should say free software, or better, free personal computing (because google and others taught us that centralized computing can be carried out using free software).

    • I'm not so sure; heartbleed cost these companies a lot of money. This is an investment that acts as an insurance policy.

    • I don't think it's a PR move. It's in their best interest to fund these projects, and they can cut costs by teaming up on this. It really look good on them, but they're doing it out of self-interest really.

  • So they will fun projects that make up critical elements... what about projects that might one reach that status? Why not fund interesting open source projects in general?

    • Most likely because their motivation is the (belated; but logical) recognition that it's cheaper to support OSS projects that you use than it is to bear the risk of having them fail or maintain a full in-house fork all by yourself. It's not really a fund dedicated to 'more and better OSS generally'; but an attempt to share (to some degree) the cost of improving and maintaining the stuff that they already use or already depend on in some way.
      • by mlts (1038732)

        This does make sense, because it benefits all involved and not a single company/organization has to shoulder all the dev work. Plus, should something happen, the donors are well insulated from lawsuits.

        It would be nice to see more projects along these lines. ZFS comes to mind so a drive array attached to a Linux server could be moved to a Windows box and imported without trouble in a production environment.

  • by serviscope_minor (664417) on Thursday April 24, 2014 @09:09AM (#46832003) Journal

    So while these people have been doodling around forming initiatives and getting their logos splattered all over a web page, the OpenBSD people have actually founded the LibreSSL project and started actually overhauling the OpenSSL library, including fixing bugs that have been in the OpenSSL queue for years, not to mention finding a metric assload of new ones.

    Someone's already doing something. The best choice would just be to fund LibreSSL at this point.

    But hey, actually doing work like fixing bugs and etc is not nearly as glamorous as making press releases and having a hudge wodge of logos.

    • Why wouldn't they just contribute this work to the existing OpenSSL? Why does it have to be a fork?
      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Perhaps because the OpenSSL team are loath to actually clean up a messy code base, so it's up to a separate group of developers to clean up all the legacy cruft?

      • It's conceivable that it's just a fit of temper (team OpenBSD certainly did not sound happy about what team OpenSSL had been up to); but it's also quite likely that they are doing it this way because they want it to happen. You can contribute something; but if the maintainers don't accept it, it just sits there. If you and the maintainers disagree on some important points, or they have a strong NIH attitude, this condition may continue indefinitely. If you fork, it's your problem now; but you do get to acce
      • by serviscope_minor (664417) on Thursday April 24, 2014 @09:33AM (#46832185) Journal

        Why wouldn't they just contribute this work to the existing OpenSSL? Why does it have to be a fork?

        Because the OpenSSL people sat around with important bugs sitting in the queue for years and never fixed them. This is why the OpenBSD people---which is where some of the unresolved bug reports came from---decided that basically working with upstream is not an option and decided to go it alone.

        In fact that's exactly what the OpenBSD people said about the fork at the beginning.

        The problems with OpenSSL predate heartbleed and they've finally got too big for the OpenBSD people to leave it alone. Hence the fork.

      • by Raumkraut (518382)

        Because:
        1. It's not initially feature-compatible with OpenSSL
        2. While there is momentum, it's faster to work apart from the existing project.
        3. There's no guarantee the rewrite would be accepted by the OpenSSL team
        4. There's no guarantee LibreSSL will work on anything but BSD
        5. Theo doesn't control OpenSSL

        Personally, my hopes are:
        1. This Linux Foundation fund identify LibreSSL as the most feasible solution in the long-term, and provide support for both projects.
        2. Important bugs identified by both teams are

        • by serviscope_minor (664417) on Thursday April 24, 2014 @09:54AM (#46832395) Journal

          1. It's not initially feature-compatible with OpenSSL

          It's feature compatible enough to recompile the entire OpenBSD ports tree with LibreSSL as a drop in replacement.

          3. There's no guarantee the rewrite would be accepted by the OpenSSL team

          Probably not, but they didn't accept fixes for big bugs which had been maintained as out of tree patches by OpenBSD and a bunch of Linux distros, so at this point who cares?

          4. There's no guarantee LibreSSL will work on anything but BSD

          Well, it will if they port it. Besides, it's not like OpenBSD don't have a proven track record in this department.

          5. Theo doesn't control OpenSSL

          That sounds like a reason for LibreSSL, not against. The OpenBSD project (apart from an astounding security record) is in charge of OpenSSH, another piece of critical infrastructure.

          1. This Linux Foundation fund identify LibreSSL as the most feasible solution in the long-term, and provide support for both projects.

          That would be good.

          2. Important bugs identified by both teams are ported to patch the current OpenSSL release.

          That seems unlikely given the above.

        • > 3. LibreSSL gains feature parity with OpenSSL

          The LibreSSL team has deleted tens of thousands of lines of code from OpenSSL, saying that one of their key goals is to remove as many features as possible. Their reasoning is that simple is more secure, that features which don't exist can't have bugs.

          That principle is correct, unless either:
          a) It's a feature people need, in which case each code-monkey will scratch out their own homebrew version.

          or

          b) It's a security feature, a chunk of code designed to make

      • Because the OpenBSD developers are ripping out the destabilizing cross-compatibility hooks. That means that cross-compatibility will be an afterthought, rather than a goal. If you've ever attempted to cross port OpenSSH to an unsupported platform, you'll know exactly the kind of work and maintenance pain this can create.

        • Is that a good thing or a bad thing though? :)

          reading the 'rampage' comments, they're removing quirks, or hacks for obscure or archaic platforms such as ultrix, hp-ux and cray. They mention using a c-library function which does the work of several functions but later it's mentioned that not all platforms implement that library function, since it wasn't part of POSIX.

          As for missing c-library functions, implementing those would no doubt help porting of other software packages to a platform that lacks them. (N

    • The OpenSSL rampage (Score:4, Interesting)

      by Neo-Rio-101 (700494) on Thursday April 24, 2014 @09:37AM (#46832217)

      For some funny blow-by-blow commentary that the LibreSSL people are doing, check out http://opensslrampage.org/ [opensslrampage.org]

      Too many VMS jokes to count.... but just looking at the comments, OpenSSL's code is labyrinthine and full of cruft and useless files.

    • by Anonymous Coward

      The best choice would just be to fund LibreSSL at this point.

      Not if you care about SSL on, say, Windows.

    • by swillden (191260) <shawn-ds@willden.org> on Thursday April 24, 2014 @12:12PM (#46833485) Homepage Journal

      Someone's already doing something. The best choice would just be to fund LibreSSL at this point.

      The best choice is to fund LibreSSL and another project or two to do the same thing. Thoroughly vetting and fixing OpenSSL is a good thing. Getting a couple of solid, API-compatible competitors in the same space is even better, to reduce the monoculture problem, and to create competition.

      Also, LibreSSL is just about OpenSSL. This initiative is supposed to be a long-term, ongoing effort to improve other widely-used open source software packages as well. Doing it through the Linux Foundation makes sense to me, too, mostly because it's an already-established example of exactly what the initiative wants to do to other open source packages. Linux is collaboratively developed by many companies (plus a few individual contributions) for the mutual benefit of all, and that model can and should be applied to other pieces of important open source infrastructure.

      This is a good idea. It may or may not be a better approach to fixing OpenSSL (which, incidentally, has terrified me for years) than LibreSSL, but it's good for OpenSSL and for other projects. These companies can donate what to them is peanuts (and a tax writeoff to boot), and in return the world as a whole will get improvements in fundamental computing infrastructure.

      I do have to say I'm surprised (and pleased) to see Microsoft's name in the list. Google is no surprise; Google uses open source software heavily and has a long history of supporting it. Intel has been involved in OSS for years, too, since they're just as happy to sell hardware to run OSS as anything else. Cisco also uses open source software and has a clear interest in the health of the networking ecosystem. But Microsoft has in the past been a serious opponent of OSS, doing various things to try to undermine it, some openly and some rather underhanded. Lately the company has been divided on the question, in some cases supporting and/or benefitting from OSS while the other hand is trying to squash it, but I think Microsoft is gradually coming around, beginning to admit that OSS is not only here to stay, but that it has a valid and valuable place.

    • by Wdomburg (141264)

      Aside from the obvious problem that LibreSSL is currently OpenBSD only with no concrete portability roadmap? There is good reason to question whether performing surgery with a machete is the most judicious response to a breach.

  • the OpenSSL library will be the initiative's first project

    This announcement comes days after openbsd has launched libreSSL.

    So the Linux Foundation has a fundamental distaste for Theo? Does the world really need two competing forks of OpenSSL?

    • by serviscope_minor (664417) on Thursday April 24, 2014 @09:48AM (#46832299) Journal

      So the Linux Foundation has a fundamental distaste for Theo? Does the world really need two competing forks of OpenSSL?

      It doesn't: this new initiative have so far done nothing. I fully expect Amazon, Cisco, Facebook, Fujitsu, Google, HP, IBM, Intel, Linux Foundation, Microsoft, Netapp, Qualcomm, Rackspace and VMWare (yep those are the logos splattered all over the place) to sit around with their dicks in their hands having press releases statting initiatives and decding how to spend the funding while OpenBSD actually knuckles down and fixes OpenSSL.

      I expect that shortly after, some enterprising person from Debian will do some basic porting and have an alteriative set up in the experimental repo. From there it will wend its way around into the other distributions (mint, ubuntu) and the patch set might wind up in some early Arch AUR builds and Fedora packages. By that stage the OpenBSD people will have probably accepted the patches and it will be officially portable. At this point Arch will have probably replaced it as a system wide depencendy because hey, it can always be unreplaced if it's bad. Gentoo of course will make it easy to switch between OpenSSL and LibreSSL with just a teeny little recompile of everything, but whatever it's just some portage flags anyway. Redhat probably won't care since they're probably on a version of OpenSSL so old that there are no longer any known bugs. Fedora will vascillate between the two and eventually decide to do whatever ubuntu finally chooses.

      Then maybe in a while, we'll have an announcement that someone we've never heard of will be heading this terribly important project, and that huge splat of logos will get another outing. I expect this will happen at about the same time that some nutjob finishes a port of LibreSSL to his Amiga.

      During the above timespan, I expect to hear about Linux and Theo swearing at people in public and to have some good troll threads on slashdot about geneder equality in IT (or nursing or teaching), 27 articles about 3D printing (guns or otherwise).

      • by Kjella (173770)

        It doesn't: this new initiative have so far done nothing. I fully expect Amazon, Cisco, Facebook, Fujitsu, Google, HP, IBM, Intel, Linux Foundation, Microsoft, Netapp, Qualcomm, Rackspace and VMWare (yep those are the logos splattered all over the place) to sit around with their dicks in their hands having press releases statting initiatives and decding how to spend the funding while OpenBSD actually knuckles down and fixes OpenSSL.

        No doubt Theo will do a solo run as usual, then bitch about all those ungrateful companies using it and giving nothing in return just like with OpenSSH. Meanwhile, this looks like a genuine attempt at starting a "Linux-style" project with lots of corporate support like the Linux kernel that all seem to have a stake in users trusting their computers for shopping and banking and cloud services and whatnot. Of course Theo can make his heroic and sacrificial stand, but this looks more like collaborative open s

    • by chill (34294)

      10. The companies listed do large amounts of business with the U.S. government, which requires FIPS certification of crypto software.

      20. OpenBSD has explicitly stated that FIPS certification is off the table for OpenSSH. NOT one of their goals.

      30. Taking that off the table leaves a large pile of money ON the table.

      40. GOTO 10

  • by HangingChad (677530) on Thursday April 24, 2014 @09:11AM (#46832015) Homepage

    Team up to create the pie, then fight for your pieces. I'm actually shocked Microsoft is participating. It's a good move and I'm not used to seeing Redmond do the smart thing. Maybe their collective IQ went up now that Ballmer is out of the picture.

    • If the big players didn't jump in and show good faith, that could mean congress could jump in and force some regulations on them.

      Laws that may punish the free riders more if their service was vulnerable. Or in general more laws punishing companies for software bugs, will cause havoc with the institution.

      Software of any complexity will tend to have bugs... Sometimes these are security bugs. Having them being punished for not being perfect will have a chilling effect on the industry. It is better to show t

    • My impression (given that they also dedicate a certain amount of time and trouble to hunting bot-herders and assorted similar types) is that Microsoft takes an interest in things that facilitate malware distribution, since their customers often take the hit (not necessarily because of an MS zero day; lots of systems running well behind on patches and users clicking on trojans and merrily executing them, along with anything Adobe or Java related).

      An issue that causes lots of accounts to be compromised on
  • hold the fuck up... (Score:5, Interesting)

    by nimbius (983462) on Thursday April 24, 2014 @09:28AM (#46832129) Homepage

    that make up critical elements of their information infrastructure.

    Frankly the only reason I think these multibillion dollar monopolistic companies have banded together to throw money is because their reputation and userbase have clammored for some kind of response to the problem. lets be perfectly clear: Theo De Raadt is completely capable of handling the code refactor (he even went so far as to say he didnt need help with the code projects website.) going to the Linux foundation just shows how fucking shortsighted these guys are. If you want to help, donate to the OpenBSD [openbsdfoundation.org] foundation because this is a BSD package that was kindly ported to Linux. It will be released as LibreSSL, not the OpenSSL you want to "fix" in your products, as the code is completed and tested in accordance with what I presume is an OpenBSD development model, not Linux. And in regard to the 'other open source projects will follow' statement, its arrogant and absurd to think that once the LibreSSL code is finalized and ported that these dicks are going to stick around and continue to contribute to any open source technology that doesnt clandestinely butter their bread in user facing products that happen to be facing a sev. 1 exploit they cant avoid through marketing or a new product.

    • by wjcofkc (964165)
      Linux does not have a monopoly on Open Source. Open Source spans several platforms. Nowhere is it written that all of this money will be spent on Linux or limited software designed specifically Linux. I doubt that the likes of Free and OpenBSD will be left out in the cold - it simply wouldn't make sense. Even if that were the case, any Open Source software of the very particular nature we are talking about here (low level infrustructure), is by default software that gets builds for those operating systems a
    • by Jahta (1141213) on Thursday April 24, 2014 @10:46AM (#46832869)

      Leaving aside the fact that OpenSSL is not a "BSD package that kindly ported to Linux", I suggest it's rather more arrogant to assume that the world will rush to replace OpenSSL with Theo De Raadt's LibreSSL when (if) it becomes available.

      OpenSSL is not fundamentally broken. It had a bug, albeit one with big consequences. Lots of people depend on OpenSSL and it needs to properly maintained. Paying people to work on opensource projects is nothing new and if this funding supports developers with the necessary cryptographic skills devoting quality time to maintaining OpenSSL then that's a good thing.

  • Where is Apple? (Score:4, Interesting)

    by kbdd (823155) on Thursday April 24, 2014 @09:49AM (#46832313) Homepage
    Oh wait, they can't afford it, it's not in their budget...
    • Heartbleed was an issue targetting OpenSSL.

      Apple write their own library for Darwin, viz the recent 'goto' bug.

      so why expect them to join an industry conglomerate that has limited relevance to their products?

      • by kbdd (823155)
        This group is not intended to only address OpenSSL. I would be surprised if Apple did not have ANY open source software in their products.

        Mac OSX is (was?) based on the Mach microkernel for instance.

        How about the iTune store, does it use open source software?

  • People here are already complaining. The whole operation seems pretty straight-forward to me. Make a fund, get some people to administer it and ask some big corporations to donate a tiny percentage of their profits to help fund some infrastructure projects we are all relying on.

    I can see some people being anxious their pet projects will not get funded, but come on! One free software project in need receiving funds is better than nothing.

    Maybe the fund will be mismanaged or whatever, but in the worst case th

    • by Tailhook (98486)

      What's the problem?

      A lot of these people have shit colored glasses bolted to their skulls. Combine this with an irrational hate for anything corporate and there you go; petulant little office trolls emoting on Slashdot.

      Theo et al. have and are publically seeking for both individual and corporate [openbsdfoundation.org] support for both the OpenBSD Foundation and LibreSSL [libressl.org], and are specifically seeking a "Stable Commitment of Funding."

      Unlike some of the malcontents that haunt Slashdot, they actually spend their time writing open source code. As such

      • What's the problem?

        A lot of these people have shit colored glasses bolted to their skulls.

        That's just the default Ubuntu colour scheme.

fortune: not found

Working...