Bevy of tech behemoths aim to plug the next Heartbleed with DOLLARS

Tech's biggest names have vowed to pour cash into crucial open-source projects that glue the web together – and hopefully kill off any dire bugs that could wreck the net. The Linux Foundation announced on Thursday that it had formed "The Core Infrastructure Initiative" to fund open projects that are critical to the functioning …

COMMENTS

This topic is closed for new posts.
  1. Longrod_von_Hugendong
    Thumb Up

    As long as it's only money...

    then it's great. They should not be allowed any control etc. over it.

    1. Spoonsinger

      Re: "They should not be allowed any control etc."

      Ummm, well it's their money, so I suspect they will have a significant say in its development in the future. It's nice to see some proper backing for something which is quite important. If there is a problem with that, someone could always fork it.

    2. Bronek Kozicki

      Re: As long as it's only money...

      Without a change in attitude to taking fixes, contributions etc., this is wasted money. OpenSSL are known for rejecting bugfixes from outside, but they take new features from their own without so much as an honest review.

      It is the attitude which led to Heartbleed, not lack of money. If OpenSSL do not admit the problem here, I do not believe they will be able to fix it.

      1. Tom 13

        Re: Without change in attitude to taking fixes

        It's already been forked. If OpenSSL don't change their attitude they will die. They may be dead already and just not know it yet.

  2. Dan 55 Silver badge

    OpenSSL is not a shining example of open source development, the quality of code leaves something to be desired and there are bugfixes (not just bugs but fixes as well) spending years sitting in their bug tracker. Would throwing money at it make it any better?

    Edit: It's probably more effective use of money just to license PolarSSL, go with NSS that many big names are already supporting, or donate to LibreSSL (Apple really should be thinking about this as their OSes are BSD based).

  3. Anonymous Coward

    Why Microsoft ?

    They were not affected by the OpenSSL bug and they always despised OSS. It's like Smith&Wesson sponsoring a hospital, it's a nice gesture however it's the opposite of their line of business.

    1. bill 36

      Re: Why Microsoft ?

      Do you honestly believe that Microsoft runs all of its business on its own software?

    2. Anonymous Coward

      Re: Why Microsoft ?

      Microsoft has a stack of open source code...

      It's not their core business, but to say they despise it is a bit wide of the mark.

      Also, maybe MS acknowledge that this kind of issue, even in a competing company's products, affects consumer confidence... bad for everyone.

      Finally, Linux servers in Azure could be compromised. This most certainly affects them.

      1. Anonymous Coward

        Re: Why Microsoft ?

        Microsoft only want their customers to despise open source.

  4. Charlie Clark Silver badge

    Talking shop

    Only code counts. NFT

  5. Anonymous Coward

    And who will vet the "volunteers" who work on these critical projects and their code. I love open source, but it can be manipulated by those with in-depth knowledge of encryption flaws. Typically, they created those flaws to begin with.

    I'm not paranoid, just practical.

    1. Mark Cathcart

      Did you read the press release? There are going to be paid positions at the Linux Foundation to work on the core infrastructure initiatives, the first being OpenSSL. So not volunteers.

      At least at this point, I can't answer the question beyond that, but as the person from Dell who pushed through the funding, the point was to establish at least a small set of paid Fellow positions at the Linux Foundation to oversee, drive these technologies.

  6. Anonymous Coward
    Trollface

    Apple would have thrown in a few bucks

    But all the cash is tied up in Irish tax-avoidance schemes, unfortunately...

    1. Destroy All Monsters Silver badge

      Re: Apple would have thrown in a few bucks

      Well, it's not like it is SITTING there.

      Unless Apple really wants to see it nuked by the central bank's printing presses.

      1. Bronek Kozicki

        Re: Apple would have thrown in a few bucks

        Apple offered money to OpenSSL once, to help implement support for dynamic libraries, and the offer was rejected in no uncertain terms. This led Apple to never upgrade OpenSSL in its products and, in the words of their engineer, "taking it behind a shed and shot". I do not think there is much appetite in Apple to offer the money again. As for the other companies, they may yet be disappointed in the response of the OpenSSL team.

        1. Anonymous Coward
          Pirate

          Re: Apple would have thrown in a few bucks

          @Bronek - "Apple offered money to OpenSSL once, to help implement support for dynamic libraries, and the offer was rejected in no uncertain terms. This led Apple to never upgrade OpenSSL in its products and, in the words of their engineer, "taking it behind a shed and shot". I do not think there is much appetite in Apple to offer the money again."

          Google paid $300 million to the Mozilla foundation last year.

          The NetBSD foundation, whose products and services ultimately benefit OSX, had a total income of $26,000 last year.

          I can see why a foundation might reject Apple's offer of assistance.

          1. Bronek Kozicki

            Re: Apple would have thrown in a few bucks

            Google paid $300 million to the Mozilla foundation last year.

            PAID, not donated. That was a commercial deal: royalties for making Google the default search engine in the web browser.

            This aside, I fail to see the connection, especially between NetBSD and OpenSSL.

            1. Anonymous Coward

              Re: Apple would have thrown in a few bucks

              @Bronek - you can't play both sides of the argument. Either you share the wealth with those whose technology you gobble up, or you don't. Google does, Apple doesn't.

              The connection between OpenSSL and NetBSD? Neither one of them appears to see a penny of Cupertino's vast fortune, even though some of their code gets shipped with the iGadgets.

  7. Roland6 Silver badge

    Objectives too narrow

    The CII has been needed for years; unfortunately, it does seem to have hobbled itself from the outset.

    It starts off reading well: "The Linux Foundation to fund open source projects that are in the critical path for core computing functions."

    This would seem to imply that under one umbrella (the CII) ALL open source projects that are (deemed) critical for core computing functions, e.g. internet, virtualisation, cloud etc., will gain a degree of oversight and wider credibility and visibility. But then it throws the potential away by adding the "under investment" caveat.

    Looking at the workgroups it does seem that, other than the OpenSSL project, the need is to identify critical projects and give them some visibility and then determine whether they are in need of financial support.

  8. Anonymous Coward

    > (Where, El Reg wonders, are HP, Red Hat, Oracle and Ubuntu, to name a few?)

    Where are the big non-US companies, Huawei and Samsung, to name a few?

    1. keithpeter Silver badge
      Coat

      " > (Where, El Reg wonders, are HP, Red Hat, Oracle and Ubuntu, to name a few?)

      Where are the big non-US companies, Huawei and Samsung, to name a few?"

      Red Hat already pays quite a few salaries and supports quite a lot of free/open source software. Canonical do stuff as well, but remember they are mainly packaging software into a distribution and not making too much at present. Oracle, well, Oracle ya know. They seem to just use the GPL to take Red Hat's srpms and make their own Linux. There is Java to maintain as well, so there is a fairly large contribution there.

      I agree that some of the large companies outwith Western Europe and North America could start contributing a bit as well, could they not? This project should cost low millions really: apply code audits and sensible practices to existing components that already have well-defined interfaces and logic. Not a huge inefficient mudball with fuzzy outcomes like most UK govt IT projects.

  9. Billieboi

    How often has throwing money at bad software worked?

    Reg Readers -

    How many times have we seen money being thrown at a struggling software project with the only result being a more spectacular failure? It's pure folly!

    The LibreSSL fork will be software that I'll trust. I know Theo de Raadt rubs one or two people the wrong way, but he and his cadre of coders seem to have a habit of producing secure software.

    1. Michael Wojcik Silver badge

      Re: How often has throwing money at bad software worked?

      I know Theo de Raadt rubs one or two people the wrong way, but he and his cadre of coders seem to have a habit of producing secure software.

      Yes. It's a pity they insist on the abominable KNF (mixing tab and space characters for indentation should be illegal), but that's just a style issue - and one I'd personally overlook[1] in order to contribute patches. I won't be hopping on the LibreSSL bandwagon just yet, but I'm keeping an eye on it.

      [1] Obviously it's trivial to convert source written with sensible space-only indentation to KNF's vile tab-and-space with a post-editing filter.

      1. Jamie Jones Silver badge
        Thumb Up

        Re: How often has throwing money at bad software worked?

        "mixing tab and space characters for indentation should be illegal)"

        "+1" this!

        I hate TABS

  10. Justin Stringfellow
    FAIL

    that's that gate firmly slammed

    now... where's the horse again?

  11. Anonymous Coward

    Rather than trying to shore up OpenSSL, maybe they should get behind the OpenBSD fork. A complete rewrite seems like it is a necessary step so it is easier to maintain. OpenSSL is such a mess code-wise that many probably can't follow it, let alone find bugs. OpenSSL could have 1 million people looking at the code; that doesn't mean bugs will be found.

    1. Michael Wojcik Silver badge

      OpenSSL is such a mess code-wise that many probably can't follow it, let alone find bugs.

      The OpenSSL source code isn't pretty, but any competent C programmer should be able to read it. As I've suggested before, readability is a big problem with the OpenSSL sources, but the problem is not that the control flow is difficult to follow; it's that the source isn't expressive enough, which makes it all too easy to overlook errors.

      The organization of the OpenSSL sources is actually not that bad. The file hierarchy is sensible and there's decent parallelism and orthogonality in the APIs. There are common ADT templates (built with a substantial dose of C macros, but that's due to limitations of the language, and their use is reasonable). Again, there are big architectural issues with OpenSSL but they're in things like resource allocation, not code organization, for the most part.

      To really understand the OpenSSL sources you need to understand cryptography, ASN.1, X.509v3 certificates, the SSL/TLS protocols, the PKCS data formats, etc; but again that's not an issue with the OpenSSL sources, just domain knowledge. And it will apply to any SSL/TLS implementation.

  12. ben_myers

    All it took was a gaping bug

    All it took was a gaping, well-publicized bug to wake these companies up to the fact that their reputations depend on open source code down in the plumbing of the internet, and the money spigots opened up.

    1. Anonymous Coward

      Re: All it took was a gaping bug

      They also probably worked out that it'll be a lot cheaper to fund improvements to the core components their businesses rely on now than it would be to fix even one more Heartbleed-scale bug.

  13. Andraž 'ruskie' Levstik

    libreSSL

    Seriously... libressl is the project to get behind... not openssl. And it will be what I'll choose to run and I wouldn't be surprised if a lot of others will as well.

  14. EJMF

    Shower?

    Read on another website earlier today that it's 12 companies donating $100,000 each for an initial total of $1.2 million. That's hardly a shower.

    1. diodesign (Written by Reg staff) Silver badge

      Re: Shower?

      $1.2 million is a shower for impoverished open-source projects, IMHO.

      C.

      1. Michael Wojcik Silver badge

        Re: Shower?

        $1.2 million is a shower for impoverished open-source projects, IMHO.

        Indeed. If OpenSSL gets 1% of that, it'd be equivalent to six years' worth of typical donations. (See emails from Steve Marquess to the openssl-users list over the past few weeks.) I'd call that fairly significant.

  15. Rick Giles
    Black Helicopters

    Oh FFS

    Letting these shit heads get a financial foothold on open source is almost as bad as letting Obama hand over control of the internet to terrorist governments.

    I'm going to start building my wireless mesh network now...

  16. Jamie Jones Silver badge

    "Linux foundation"

    I realise this post will be unpopular with the GPL cultists here, but whatever.

    I'm actually not trolling - I just hope there is no pressure on non-GPL projects to switch to GPL, or indeed, any bias towards GPL licensed projects.

    Downvotes from people that think GPL is the solution to everything in 3..2..1...
