LinuxQuestions.org
Old 04-25-2014, 11:38 AM   #1
jeremy
Tech giants, chastened by Heartbleed, finally agree to fund OpenSSL


Quote:
IBM, Intel, Microsoft, Facebook, Google, and others pledge millions to open source.

The important role OpenSSL plays in securing the Internet has never been matched by the financial resources devoted to maintaining it.

The open source cryptographic software library secures hundreds of thousands of Web servers and many products sold by multi-billion-dollar companies, but it operates on a shoestring budget. OpenSSL Software Foundation President Steve Marquess wrote in a blog post last week that OpenSSL typically receives about $2,000 in donations a year and has just one employee who works full time on the open source code.

Given that, perhaps we shouldn’t be surprised by the existence of Heartbleed, a security flaw in OpenSSL that can expose user passwords and the private encryption keys needed to protect websites.

OpenSSL’s bare-bones operations are in stark contrast to some other open source projects that receive sponsorship from corporations relying on their code. Chief among them is probably the Linux operating system kernel, which has a foundation with multiple employees and funding from HP, IBM, Red Hat, Intel, Oracle, Google, Cisco, and many other companies. Workers at some of these firms spend large amounts of their employers’ time writing code for the Linux kernel, benefiting everyone who uses it.

That’s never been the case with OpenSSL, but the Linux Foundation wants to change that. The foundation today is announcing a three-year initiative with at least $3.9 million to help under-funded open source projects—with OpenSSL coming first. Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Qualcomm, Rackspace, and VMware have all pledged to commit at least $100,000 a year for at least three years to the “Core Infrastructure Initiative,” Linux Foundation Executive Director Jim Zemlin told Ars.

To be clear, the money will go to multiple open source projects—OpenSSL will get a portion of the funding but likely nowhere close to the entire $3.9 million. The initiative will identify important open source projects that need help in addition to OpenSSL.

The initiative came together quickly once the foundation began approaching the companies involved. “Before I could even get my last word out most folks were like, ‘absolutely,’” Zemlin said. “We should have done this three years ago to be honest.”
More at Ars...

--jeremy
 
Old 04-27-2014, 11:34 PM   #2
ReaperX7
It's about time these projects are taken seriously. These open source efforts have long suffered against the lack of funding and manpower, but it's inexcusable when widespread security software like OpenSSL goes so barebones with resources.

This is a classic problem of open source. Nobody is willing to contribute until someone gets caught with their pants down. The open source community needs to be more proactive in making things better, and not reactive, and companies and projects need to be more open, willing, and receptive to contributions.

 
Old 04-28-2014, 10:58 AM   #3
metaschima
They should donate it to libressl instead. My impression is that OpenSSL code is beyond salvation even with millions of dollars.
 
Old 04-28-2014, 11:39 AM   #4
szboardstretcher
I disagree. I actually get irritated when something goes wrong, people automatically want to fork it rather than fix the original. Everyone should get together and help the guy in charge of the project by giving him money and resources.

It's worked this long, based off the hard work and dedication of mostly one person, why not spend the money on fixing it and rewarding him? It's shitty that the whole world uses his program and he pulls down a whopping 2k dollars a year.
 
Old 04-28-2014, 11:56 AM   #5
TobiSGD
Quote:
Originally Posted by szboardstretcher
I disagree. I actually get irritated when something goes wrong, people automatically want to fork it rather than fix the original.
The OpenBSD guys didn't just fork it now because of the Heartbleed disaster (it was just the last of the problems that caused the fork); they had had problems with the maintainers for years, for example not fixing bugs even though they had been provided with patches, so that the bug is now fixed downstream in Debian and other distributions while it still remains unpatched upstream.
You may want to read this article, which explains the reasons of the fork: http://www.tedunangst.com/flak/post/origins-of-libressl
 
Old 04-28-2014, 12:22 PM   #6
metaschima
I think the fork is worthwhile and that it should receive the money instead. The OpenSSL developer can join the effort to totally redo the code and get paid too. Just look at the code yourself: tons of very outdated code, obfuscated assembly, unnecessary function redundancy, and insecure coding decisions. I really hope that the millions of dollars will be used to get rid of this nonsense code (like LibreSSL has done) and get everything to a good working state. If this does not happen then I will be using LibreSSL in spite of all the monetary aid to OpenSSL.
 
Old 04-28-2014, 12:55 PM   #7
TobiSGD
All the fixes already done by the LibreSSL developers can be found here: http://opensslrampage.org/
 
Old 05-18-2014, 11:29 AM   #8
metaschima
I don't think there is any use in funding openssl, because the openssl foundation seems to be a for-profit (millions income per year) that does FIPS counseling and ignores bug reports and writes deliberately obfuscated code.
http://www.openbsd.org/papers/bsdcan...ssl/index.html

What a waste of time and money.
 