Microsoft, Google, Others Join To Fund Open Source Infrastructure Upgrades 101
wiredmikey (1824622) writes "Technology giants including Microsoft, Google, Intel, and Cisco are banding together to support and fund open source projects that make up critical elements of global information infrastructure. The new Core Infrastructure Initiative brings technology companies together to identify and fund open source projects that are widely used in core computing and Internet functions, The Linux Foundation announced today. Formed primarily as the industry's response to the Heartbleed crisis, the OpenSSL library will be the initiative's first project. Other open source projects will follow. The funds will be administered by the Linux Foundation and a steering group comprised of the founding members, key open source developers, and other industry stakeholders. Anyone interested in joining the initiative, or donating to the fund can visit the Core Infrastructure Initiative site."
Re: (Score:2)
They're doing this out of the goodness of their hearts! Honest!
Re:Sure they do. (Score:4, Informative)
You post as if their enlightened self interest is a bad thing.
Sure they benefit. But each of them could sit tight and wait/hope for someone else to pay for this.
I say good for them. This deserves praise, not contempt.
Re: (Score:1)
Forgive me if I'm hesitant to trust a company that does everything in its power to crush open source. They are not OSS friendly. MSFT is patent trolling here. Nothing more. They will encourage OSS projects to spring up that violate their patents and wait for the right moment so that their competitors are using the OSS and then wham -- lawsuit. Apple and Google are doing this too for the same probable reason. Of course I could be somewhat wrong, but my caution & cynicism is not entirely wrong.
Re: (Score:1)
Linux on the desktop is easy now. What are you talking about? Do you work at MSFT? Apple? Google?
WHO DO YOU WORK FOR? ;-)
Re: (Score:2)
Hate to tell you but open source does enough to hurt itself. Hopefully Linux realizes "Linux on the Desktop" won't ever really happen, and they focus on server and other stuff.
What's funny is when you point out that while Linux on the Desktop has yet to happen, Linux on the handheld (Android) is booming.
Then the Freetards clarify that by Linux they actually meant GNU + Linux, using X11 and wobbly windows for a UI. And having to sudo apt-get some commands on your phone... imagine.
Re: (Score:2)
Nothing wrong with this picture.
Hasn't Microsoft has been selling other peoples work as their own since day 1?
Remember Bill is the product of 2 lawyers.
Re: (Score:2)
Yeah isn't it weird that Microsoft is supporting something they call "Cancer."
Wasn't it Ballmer who said that?
Anyway, suppose it was Gates. Why couldn't he change his mind during the intervening years?
Re:Sure they do. (Score:5, Interesting)
Disclaimer: When I talk about Microsoft's technology, I am not talking about their current consumer OS debacle. I used to be a ZOMG! M$ SUX!!! type, but Microsoft is now an embattled company well aware that they fucked up a lot these last few years. I am curious to see what direction that will take them. I suppose this is part of that. Also, their back end products: Windows Server/Active Directory/Sql server, etc... really are pretty nice. Although I do prefer Linux, FreeBSD and their associated Open Source server solutions.
Re:Sure they do. (Score:4)
Anyway, lots of people run open source stuff on windows servers (well, some do at least...), and it's in the best interest of MS that those boxes are safe.
And last but not least, it's if not free so at least very cheap publicity.
Re: (Score:2)
Pretty much nothing is wrong with it. Microsoft has become a huge supporter of open source and recently open sourced major components of the .NET framework and more recently their beta Roslyn compiler.
I know, I know... they will never be truly open source until they give all the code they ever created and will ever create away for free and also throw in a car to everyone who has ever run Linux.
Re: (Score:2)
Old mentalities die hard I guess...
Re:Sure they do. (Score:4, Insightful)
there's open source, and then there's open source that only works using Microsoft products.
Its the latter they're releasing; the products, and the candy to make you buy more of them.
Re: (Score:2)
Re: (Score:2)
"Do not trust the money, Geeks. Whatever it is, I fear the Redmondians even when they bring gifts."
Why the Linux Foundation? (Score:2)
Re:Why the Linux Foundation? (Score:5, Informative)
Mentioned in the FAQ:
http://www.linuxfoundation.org... [linuxfoundation.org]
For the lazy:
Why is The Linux Foundation the right forum for this funding?
The Linux Foundation is a nonprofit organization with strong, existing relationship throughout the technology industry. It marshals the resources of the Linux ecosystem and other innovative open source projects to provide much needed services that are not easily offered by a single community member, entity or company. By raising funds at a neutral organization like The Linux Foundation, the industry can effectively give projects the support they need while ensuring that open source projects retain their independence and community-based dynamism.
Re: (Score:2)
While that is correct, the Linux foundation does not focus on security-first. If they cared about things like heartbleed and want the best there is in security, they should have picked the OpenBSD Foundation.
Re: (Score:2)
You won't get a disagreement from me but this is politics you know.
Re:Why the Linux Foundation? (Score:4, Informative)
Re:Why the Linux Foundation? (Score:5, Informative)
I'm not aware of a FreeBSD foundation or a NetBSD foundation.
Okay, time to get up to speed then:
The FreeBSD Foundation [freebsdfoundation.org]
Donations to The NetBSD Foundation [netbsd.org]
RT.
Re:Why the Linux Foundation? (Score:4, Informative)
Re: (Score:2)
Agreed. When you talk about core infrastructure, yes OpenSSL is definitely part of it. But what about the ISC (BIND)? I suppose it could be that the Linux Foundation has the reputation they were going for, but if that was the case why not fund LibreSSL.
Re: (Score:3)
because it has a stupid name, and it is getting all its cross-platform code ripped out to make it BSD-friendly.
Why not fund openSSL developers to do the same with the OpenSSL code, but including much of the cross platform options that has made it so ubiquitous. And without the silly name,
Re: (Score:3)
Why not fund openSSL developers to do the same with the OpenSSL code, but including much of the cross platform options that has made it so ubiquitous. And without the silly name,
Because all those cross-platform hacks directly contribute to its bugginess. The Heartbleed bug was facilitated by a cross-platform reimplementation of malloc that was written for speed rather than security.
And also because the OpenSSL developers have been demonstrated to sit on patches for years instead of fixing bugs.
For a morbidly good time, go look at OpenSSL Valhalla Rampage, [opensslrampage.org] a blog highlighting some of the insanity that the OpenBSD devs are encountering as they rewrite OpenSSL into LibreSSL. It become
Re: (Score:2)
As long as they also exclude a bunch of US three letter agencies with a special mention for the NSA, their agents and contractors. Sometimes some sources should be excluded, not to judge anyone, excluding of course the NSA, which of course should now be considered a bunch of security fuckups.
Pick and choose (Score:5, Insightful)
Say what you want about Theo or the name his team has chosen but I think I'd rather give my money to OpenBSD's LibreSSL project than donate to this.
I get that they are probably just after the good will and PR that this will generate, and that this isn't some vast conspiracy against open source, but I don't trust one of the companies on that list to give a care once public attention to heartbleed dies off.
Pick a project and donate directly, don't let these giants pick and choose for us!
Re: (Score:2)
> and that this isn't some vast conspiracy against open source
In fact, there is no need to fear conspiracies, when standard operating practice in business, with open source* considered as an external threat, brings same results.
(*) I should say free software, or better, free personal computing (because google and others taught us that centralized computing can be carried out using free software).
Re: (Score:2)
I'm not so sure; heartbleed cost these companies a lot of money. This is an investment that acts as an insurance policy.
Re: (Score:3)
I don't think it's a PR move. It's in their best interest to fund these projects, and they can cut costs by teaming up on this. It really look good on them, but they're doing it out of self-interest really.
Short sighted hindsight (Score:2)
So they will fun projects that make up critical elements... what about projects that might one reach that status? Why not fund interesting open source projects in general?
Re: (Score:3)
Re: (Score:2)
This does make sense, because it benefits all involved and not a single company/organization has to shoulder all the dev work. Plus, should something happen, the donors are well insulated from lawsuits.
It would be nice to see more projects along these lines. ZFS comes to mind so a drive array attached to a Linux server could be moved to a Windows box and imported without trouble in a production environment.
Ah industry initiatives. (Score:5, Insightful)
So while these people have been doodling around forming initiatives and getting their logos splattered all over a web page, the OpenBSD people have actually founded the LibreSSL project and started actually overhauling the OpenSSL library, including fixing bugs that have been in the OpenSSL queue for years, not to mention finding a metric assload of new ones.
Someone's already doing something. The best choice would just be to fund LibreSSL at this point.
But hey, actually doing work like fixing bugs and etc is not nearly as glamorous as making press releases and having a hudge wodge of logos.
Re: (Score:2)
Re: (Score:2, Insightful)
Perhaps because the OpenSSL team are loath to actually clean up a messy code base, so it's up to a separate group of developers to clean up all the legacy cruft?
Re: (Score:3)
Re:Ah industry initiatives. (Score:5, Informative)
Why wouldn't they just contribute this work to the existing OpenSSL? Why does it have to be a fork?
Because the OpenSSL people sat around with important bugs sitting in the queue for years and never fixed them. This is why the OpenBSD people---which is where some of the unresolved bug reports came from---decided that basically working with upstream is not an option and decided to go it alone.
In fact that's exactly what the OpenBSD people said about the fork at the beginning.
The problems with OpenSSL predate heartbleed and they've finally got too big for the OpenBSD people to leave it alone. Hence the fork.
Re: (Score:2)
Not any that have ever been found. At least not security bugs. OpenBSD actually has the best track record for security.
Re: (Score:2)
Because:
1. It's not initially feature-compatible with OpenSSL
2. While there is momentum, it's faster to work apart from the existing project.
3. There's no guarantee the rewrite would be accepted by the OpenSSL team
4. There's no guarantee LibreSSL will work on anything but BSD
5. Theo doesn't control OpenSSL
Personally, my hopes are:
1. This Linux Foundation fund identify LibreSSL as the most feasible solution in the long-term, and provide support for both projects.
2. Important bugs identified by both teams are
Re:Ah industry initiatives. (Score:5, Interesting)
1. It's not initially feature-compatible with OpenSSL
It's feature compatible enough to recompile the entire OpenBSD ports tree with LibreSSL as a drop in replacement.
3. There's no guarantee the rewrite would be accepted by the OpenSSL team
Probably not, but they didn't accept fixes for big bugs which had been maintained as out of tree patches by OpenBSD and a bunch of Linux distros, so at this point who cares?
4. There's no guarantee LibreSSL will work on anything but BSD
Well, it will if they port it. Besides, it's not like OpenBSD don't have a proven track record in this department.
5. Theo doesn't control OpenSSL
That sounds like a reason for LibreSSL, not against. The OpenBSD project (apart from an astounding security record) is in charge of OpenSSH, another piece of critical infrastructure.
1. This Linux Foundation fund identify LibreSSL as the most feasible solution in the long-term, and provide support for both projects.
That would be good.
2. Important bugs identified by both teams are ported to patch the current OpenSSL release.
That seems unlikely given the above.
libressl says too many features the problem, delet (Score:2)
> 3. LibreSSL gains feature parity with OpenSSL
The LibreSSL team has deleted tens of thousands of lines of code from OpenSSL, saying that one of their key goals is to remove as many features as possible. Their reasoning is that simple is more secure, that features which don't exist can't have bugs.
That principle is correct, unless either:
a) It's a feature people need, in which case each code-monkey will scratch out their own homebrew version.
or
b) It's a security feature, a chunk of code designed to make
Suggestion: clue first, argue second (Score:1)
Clearly you haven't followed ANY of the relevant discussion. We're not putting back 98% of the features that are being removed. Not. Going. To. Happen.
Security for BSD is more important than support for FIPS or HP. If you want HP support, use OpenSSL or gnuTLS. LibreSSL will be simple and clean - screw features.
A suggestion - get a clue what you're talking about before arguing about it. The discussion is on the list. Read it - or stfu when people who HAVE read it ate talking.
Re: (Score:2)
Because the OpenBSD developers are ripping out the destabilizing cross-compatibility hooks. That means that cross-compatibility will be an afterthought, rather than a goal. If you've ever attempted to cross port OpenSSH to an unsupported platform, you'll know exactly the kind of work and maintenance pain this can create.
Re: (Score:2)
Is that a good thing or a bad thing though? :)
reading the 'rampage' comments, they're removing quirks, or hacks for obscure or archaic platforms such as ultrix, hp-ux and cray. They mention using a c-library function which does the work of several functions but later it's mentioned that not all platforms implement that library function, since it wasn't part of POSIX.
As for missing c-library functions, implementing those would no doubt help porting of other software packages to a platform that lacks them. (N
Comment removed (Score:4, Interesting)
Re: (Score:1)
The best choice would just be to fund LibreSSL at this point.
Not if you care about SSL on, say, Windows.
Re:Ah industry initiatives. (Score:5, Insightful)
Someone's already doing something. The best choice would just be to fund LibreSSL at this point.
The best choice is to fund LibreSSL and another project or two to do the same thing. Thoroughly vetting and fixing OpenSSL is a good thing. Getting a couple of solid, API-compatible competitors in the same space is even better, to reduce the monoculture problem, and to create competition.
Also, LibreSSL is just about OpenSSL. This initiative is supposed to be a long-term, ongoing effort to improve other widely-used open source software packages as well. Doing it through the Linux Foundation makes sense to me, too, mostly because it's an already-established example of exactly what the initiative wants to do to other open source packages. Linux is collaboratively developed by many companies (plus a few individual contributions) for the mutual benefit of all, and that model can and should be applied to other pieces of important open source infrastructure.
This is a good idea. It may or may not be a better approach to fixing OpenSSL (which, incidentally, has terrified me for years) than LibreSSL, but it's good for OpenSSL and for other projects. These companies can donate what to them is peanuts (and a tax writeoff to boot), and in return the world as a whole will get improvements in fundamental computing infrastructure.
I do have to say I'm surprised (and pleased) to see Microsoft's name in the list. Google is no surprise; Google uses open source software heavily and has a long history of supporting it. Intel has been involved in OSS for years, too, since they're just as happy to sell hardware to run OSS as anything else. Cisco also uses open source software and has a clear interest in the health of the networking ecosystem. But Microsoft has in the past been a serious opponent of OSS, doing various things to try to undermine it, some openly and some rather underhanded. Lately the company has been divided on the question, in some cases supporting and/or benefitting from OSS while the other hand is trying to squash it, but I think Microsoft is gradually coming around, beginning to admit that OSS is not only here to stay, but that it has a valid and valuable place.
Re: (Score:2)
Aside from the obvious problem that LibreSSL is currently OpenBSD only with no concrete portability roadmap? There is good reason to question whether performing surgery with a machete is the most judicious response to a breach.
duplicated effort? (Score:2)
This announcement comes days after openbsd has launched libreSSL.
So the Linux Foundation has a fundamental distaste for Theo? Does the world really need two competing forks of OpenSSL?
Re:duplicated effort? (Score:5, Interesting)
So the Linux Foundation has a fundamental distaste for Theo? Does the world really need two competing forks of OpenSSL?
It doesn't: this new initiative have so far done nothing. I fully expect Amazon, Cisco, Facebook, Fujitsu, Google, HP, IBM, Intel, Linux Foundation, Microsoft, Netapp, Qualcomm, Rackspace and VMWare (yep those are the logos splattered all over the place) to sit around with their dicks in their hands having press releases statting initiatives and decding how to spend the funding while OpenBSD actually knuckles down and fixes OpenSSL.
I expect that shortly after, some enterprising person from Debian will do some basic porting and have an alteriative set up in the experimental repo. From there it will wend its way around into the other distributions (mint, ubuntu) and the patch set might wind up in some early Arch AUR builds and Fedora packages. By that stage the OpenBSD people will have probably accepted the patches and it will be officially portable. At this point Arch will have probably replaced it as a system wide depencendy because hey, it can always be unreplaced if it's bad. Gentoo of course will make it easy to switch between OpenSSL and LibreSSL with just a teeny little recompile of everything, but whatever it's just some portage flags anyway. Redhat probably won't care since they're probably on a version of OpenSSL so old that there are no longer any known bugs. Fedora will vascillate between the two and eventually decide to do whatever ubuntu finally chooses.
Then maybe in a while, we'll have an announcement that someone we've never heard of will be heading this terribly important project, and that huge splat of logos will get another outing. I expect this will happen at about the same time that some nutjob finishes a port of LibreSSL to his Amiga.
During the above timespan, I expect to hear about Linux and Theo swearing at people in public and to have some good troll threads on slashdot about geneder equality in IT (or nursing or teaching), 27 articles about 3D printing (guns or otherwise).
Re: (Score:2)
It doesn't: this new initiative have so far done nothing. I fully expect Amazon, Cisco, Facebook, Fujitsu, Google, HP, IBM, Intel, Linux Foundation, Microsoft, Netapp, Qualcomm, Rackspace and VMWare (yep those are the logos splattered all over the place) to sit around with their dicks in their hands having press releases statting initiatives and decding how to spend the funding while OpenBSD actually knuckles down and fixes OpenSSL.
No doubt Theo will do a solo run as usual, then bitch about all those ungrateful companies using it and giving nothing in return just like with OpenSSH. Meanwhile, this looks like a genuine attempt at starting a "Linux-style" project with lots of corporate support like the Linux kernel that all seem to have a stake in users trusting their computers for shopping and banking and cloud services and whatnot. Of course Theo can make his heroic and sacrificial stand, but this looks more like collaborative open s
Re: (Score:3)
10. The companies listed do large amounts of business with the U.S. government, which requires FIPS certification of crypto software.
20. OpenBSD has explicitly stated that FIPS certification is off the table for OpenSSH. NOT one of their goals.
30. Taking that off the table leaves a large pile of money ON the table.
40. GOTO 10
Game theory in action (Score:3, Interesting)
Team up to create the pie, then fight for your pieces. I'm actually shocked Microsoft is participating. It's a good move and I'm not used to seeing Redmond do the smart thing. Maybe their collective IQ went up now that Ballmer is out of the picture.
Re: (Score:2)
If the big players didn't jump in and show good faith, that could mean congress could jump in and force some regulations on them.
Laws that may punish the free riders more if their service was vulnerable. Or in general more laws punishing companies for software bugs, will cause havoc with the institution.
Software of any complexity will tend to have bugs... Sometimes these are security bugs. Having them being punished for not being perfect will have a chilling effect on the industry. It is better to show t
Re: (Score:2)
An issue that causes lots of accounts to be compromised on
Comment removed (Score:5, Interesting)
Re: (Score:2)
Re:hold the fuck up... (Score:4, Insightful)
Leaving aside the fact that OpenSSL is not a "BSD package that kindly ported to Linux", I suggest it's rather more arrogant to assume that the world will rush to replace OpenSSL with Theo De Raadt's LibreSSL when (if) it becomes available.
OpenSSL is not fundamentally broken. It had a bug, albeit one with big consequences. Lots of people depend on OpenSSL and it needs to properly maintained. Paying people to work on opensource projects is nothing new and if this funding supports developers with the necessary cryptographic skills devoting quality time to maintaining OpenSSL then that's a good thing.
Where is Apple? (Score:4, Interesting)
Re: (Score:2)
Heartbleed was an issue targetting OpenSSL.
Apple write their own library for Darwin, viz the recent 'goto' bug.
so why expect them to join an industry conglomerate that has limited relevance to their products?
Re: (Score:2)
Mac OSX is (was?) based on the Mach microkernel for instance.
How about the iTune store, does it use open source software?
Re: (Score:2)
Re: (Score:2)
They've god plenty [apple.com].
Well, thanks! (Score:2)
People here are already complaining. The whole operation seems pretty straight-forward to me. Make a fund, get some people to administer it and ask some big corporations to donate a tiny percentage of their profits to help fund some infrastructure projects we are all relying on.
I can see some people being anxious their pet projects will not get funded, but come on! One free software project in need receiving funds is better than nothing.
Maybe the fund will be mismanaged or whatever, but in the worst case th
Re: (Score:2)
What's the problem?
A lot of these people have shit colored glasses bolted to their skulls. Combine this with an irrational hate for anything corporate and there you go; petulant little office trolls emoting on Slashdot.
Theo et al. have and are publically seeking for both individual and corporate [openbsdfoundation.org] support for both the OpenBSD Foundation and LibreSSL [libressl.org], and are specifically seeking a "Stable Commitment of Funding."
Unlike some of the malcontents that haunt Slashdot, they actually spend their time writing open source code. As such
Re: (Score:2)
What's the problem?
A lot of these people have shit colored glasses bolted to their skulls.
That's just the default Ubuntu colour scheme.