Linux Foundation enlists Microsoft, Google to prevent the next Heartbleed

Backed by tech giants, Core Infrastructure Initiative will provide support for crucial Internet projects like OpenSSL

If we've learned one lesson from the Heartbleed fisaco, it's this: It should never happen again. But just patching or upgrading a project as crucial as OpenSSL won't be enough in the long run. When the Internet's stability and security rest on a project, that project must be given solid material support that ensures both growth and dependibility.

That's the plan of the newly formed CII (Core Infrastructure Initiative), a consortium organized by the Linux Foundation and backed by a roster of A-list tech outfits: Cisco, Dell, Facebook, Fujitsu, Google, Intel, Microsoft, NetApp, and VMware. All of them deploy or rely on Linux or other open source projects in one form or another, so this is as much a defensive measure as it is a charitable one -- a way to ensure the software they're deploying isn't silently broken.

As Amanda McPherson, chief marketing officer at the Linux Foundation explained to me, the group decided to initiate the project since it was "really in our wheelhouse of connecting industry with developers."

The basic plans for the CII involve collecting funds that will be administered by the Linux Foundation to support certain key projects. The money will not just pay for full-time developers or third-party code audits, but also cover any needed infrastructure to conduct such work and the expenses of in-person collaborations.

One close parallel, as drawn by the Foundation itself, is how the Foundation supports Linus Torvalds' full-time development of the kernel. "We don't change the way they work, the structure of projects, or anything else. We simply marshal together the industry resources and give a modicum of support to these communities."

When it comes to short-term fixes for OpenSSL, one solution would be to have CII support the recently launched fork of OpenSSL as performed by the OpenBSD team. Wouldn't that make more sense, I asked, than sponsoring a from-scratch audit of OpenSSL, which by many accounts is a rat's nest of code?

"If the CII steering committee and advisory board identified this as a need, absolutely," McPherson told me. "Our general approach is always to support existing projects and communities rather than duplicating the effort within The Linux Foundation. This is why we offer fellowships for developers who already have standing in the community rather than employ new people to do specific work or start new projects."

Future projects that might be singled out for support from CII haven't been identified yet, but McPherson told me that the CII's steering committee and advisory board will be "identifying [other] projects in the coming weeks."

Some immediate possibilities present themselves, though: DNS and BIND, or the Border Gateway Protocol, both of which have been prone to hijacks and manipulation in the past. At the very least, the CII's committees will have no shortage of candidate projects and infrastructure componentsto choose from.

This story, "Linux Foundation enlists Microsoft, Google to prevent the next Heartbleed," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies