Open Source: Getting Angry, Getting Better

Last week, I explored some of the important issues raised by the discovery of the Heartbleed flaw in the widely-used open source cryptographic library OpenSSL, and how those issues might be addressed. Since then, a couple of things have happened.

First, people have started working on fixing the evident lack of support for core open source projects. Here’s a potentially important new initiative to do that, led by the Linux Foundation:

The Linux Foundation today announced it has formed a new project to fund and support critical elements of the global information infrastructure. The Core Infrastructure Initiative enables technology companies to collaboratively identify and fund open source projects that are in need of assistance, while allowing the developers to continue their work under the community norms that have made open source so successful. Founding backers of the Initiative include Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, VMware and The Linux Foundation.

The first project under consideration to receive funds from the Initiative will be OpenSSL, which could receive fellowship funding for key developers as well as other resources to assist the project in improving its security, enabling outside reviews, and improving responsiveness to patch requests.

The Core Infrastructure Initiative is a multi-million dollar project organized by The Linux Foundation to fund open source projects that are in the critical path for core computing and Internet functions. Galvanized by the Heartbleed OpenSSL crisis, the Initiative’s funds will be administered by The Linux Foundation and a steering group comprised of backers of the project as well as key open source developers and other industry stakeholders. Support from the initiative will include funding for fellowships for key developers to work full-time on open source projects, security audits, computing and test infrastructure, travel, face-to-face meeting coordination and other support.

That’s good to see; let’s hope it represents the start of a much broader and sustained understanding that free-riding on free software may be permissible but is really bad business. It’s worth noting that one of the sponsors of the Core Infrastructure Initiative is Microsoft, which is also welcome.

The second development, alongside that move from the corporate side of things, comes from the coders: OpenBSD founder Theo de Raadt has forked OpenSSL to produce a new project, LibreSSL (it looks like LibreOffice may have started something in the naming department). Here’s why:

When asked why he wanted to start over instead of helping to make OpenSSL better, de Raadt said the existing code is too much of a mess.

“Our group removed half of the OpenSSL source tree in a week. It was discarded leftovers,” de Raadt told Ars [Technica] in an e-mail. “The Open Source model depends [on] people being able to read the code. It depends on clarity. That is not a clear code base, because their community does not appear to care about clarity. Obviously, when such cruft builds up, there is a cultural gap.”

It’s pretty easy to read between the lines here. Some people are unhappy about the way OpenSSL has been written, and have done what any true hacker does when confronted by such a situation: fork the code to come up with something better.

That’s a well-known advantage of free software, and indeed one of its crucial and defining features. It helps keep projects and their leaders “honest”: if enough coders disagree with what’s happening and where the project is going, they can simply fork the code and do things the way they want to, until, perhaps, enough people in the new group get upset and fork the fork.

But there’s another aspect of this that is mentioned less often. Open source allows honest anger, about the quality of code or about the direction of a project, to motivate people to do it better, or to do it right. That’s not an option with closed source: programmers must just think about their doubtless generous salaries, and do as they are told whether or not they agree. In other words, the birth of LibreSSL is another powerful demonstration that free software is generally born of freedom and passion, which is partly why it is superior to the kind that comes into the world for less uplifting reasons.

