
As long as it's only money...
then it's great. They should not be allowed any control etc. over it.
Tech's biggest names have vowed to pour cash into crucial open-source projects that glue the web together – and hopefully kill off any dire bugs that could wreck the net. The Linux Foundation announced on Thursday that it had formed "The Core Infrastructure Initiative" to fund open projects that are critical to the functioning …
Without change in attitude to taking fixes, contributions etc. this is wasted money. OpenSSL are known for rejecting bugfixes from outside, but they take new features from their own without as much as honest review.
It is the attitude which led to Heartbleed, not lack of money. If OpenSSL do not admit the problem here, I do not believe they will be able to fix it.
OpenSSL is not a shining example of open source development, the quality of code leaves something to be desired and there are bugfixes (not just bugs but fixes as well) spending years sitting in their bug tracker. Would throwing money at it make it any better?
Edit: It's probably more effective use of money just to license PolarSSL, go with NSS that many big names are already supporting, or donate to LibreSSL (Apple really should be thinking about this as their OSes are BSD based).
Microsoft has a stack of open source code...
It's not their core business, but to say they despise it is a bit wide of the mark.
Also, maybe MS acknowledge that this kind of issue, even in a competing company's products, affects consumer confidence... bad for everyone.
Finally, Linux servers in azure could be compromised.. This most certainly affects them.
Did you read the press release? There are going to be paid positions at the Linux Foundation to work on the core infrastructure initiatives, the first being OpenSSL. So not volunteers.
At least at this point, I can't answer the question beyond that, but as the person from Dell who pushed through the funding, the point was to establish at least a small set of paid Fellow positions at the Linux Foundation to oversee, drive these technologies.
Apple offered money to OpenSSL once, to help implement support for dynamic libraries, and the offer was rejected in no uncertain terms. This led Apple to never upgrading OpenSSL in its products and, in the words of their engineer, "taking it behind a shed and shot". I do not think there is much appetite in Apple to offer the money again. As for the other companies, they may yet be disappointed in the response of the OpenSSL team.
@Bronek - "Apple offered money to OpenSSL once, to help implement support for dynamic libraries, and the offer was rejected in no uncertain terms. This led Apple to never upgrading OpenSSL in its products and, in the words of their engineer, "taking it behind a shed and shot". I do not think there is much appetite in Apple to offer the money again."
Google paid $300 million to the Mozilla foundation last year.
The NetBSD foundation, whose products and services ultimately benefit OSX, had a total income of $26,000 last year.
I can see why a foundation might reject Apple's offer of assistance.
Google paid $300 million to the Mozilla foundation last year.
PAID, not donated. That was a commercial deal: royalties for making Google the default search engine in the web browser.
This aside, I fail to see where the connection is, especially between NetBSD and OpenSSL.
@Bronek - you can't play both sides of the argument. Either you share the wealth with those whose technology you gobble up, or you don't. Google does, Apple doesn't.
The connection between OpenSSL and NetBSD? Neither one of them appears to see a penny of Cupertino's vast fortune, even though some of their code gets shipped with the iGadgets.
The CII has been needed for years, unfortunately it does seem to have hobbled itself from the outset.
It starts off reading well: "The Linux Foundation to fund open source projects that are in the critical path for core computing functions."
This would seem to imply that under one umbrella (the CII) ALL open source projects that are (deemed) critical for core computing functions, eg. internet, virtualisation, cloud etc. will gain a degree of oversight and wider credibility and visibility. But then it throws the potential away by adding the "under investment caveat".
Looking at the workgroups it does seem that, other than the OpenSSL project, the need is to identify critical projects and give them some visibility and then determine whether they are in need of financial support.
"(Where, El Reg wonders, are HP, Red Hat, Oracle and Ubuntu, to name a few?)"
Where are the big non-US companies, Huawei and Samsung, to name a few?
RedHat already pays quite a few salaries and supports quite a lot of free/open source software. Canonical do stuff as well, but remember they are mainly packaging software into a distribution and not making too much at present. Oracle, well, Oracle ya know. They seem to just use the GPL to take RedHat's srpms and make their own Linux. There is Java to maintain as well, so there is a fairly large contribution there.
I agree that some of the large companies outwith Western Europe and North America could start contributing a bit really as well could they not. This project should cost low millions really, apply code audits and sensible practices to existing components that already have well defined interfaces and logic. Not a huge inefficient mudball with fuzzy outcomes like most UK govt IT projects.
Reg Readers -
How many times have we seen money being thrown at a struggling software project with the only result being a more spectacular failure? It's pure folly!
The LibreSSL fork will be software that I'll trust. I know Theo de Raadt rubs one or two people the wrong way, but he and his cadre of coders seem to have a habit of producing secure software.
I know Theo de Raadt rubs one or two people the wrong way, but he and his cadre of coders seem to have a habit of producing secure software.
Yes. It's a pity they insist on the abominable KNF (mixing tab and space characters for indentation should be illegal), but that's just a style issue - and one I'd personally overlook[1] in order to contribute patches. I won't be hopping on the LibreSSL bandwagon just yet, but I'm keeping an eye on it.
[1] Obviously it's trivial to convert source written with sensible space-only indentation to KNF's vile tab-and-space with a post-editing filter.
Rather than trying to shore up OpenSSL, maybe they should get behind the OpenBSD fork. A complete rewrite seems like it is a necessary step so it is easier to maintain. OpenSSL is such a mess code-wise that many probably can't follow it, let alone find bugs. OpenSSL could have 1 million people looking at the code; that doesn't mean bugs will be found.
OpenSSL is such a mess code-wise that many probably can't follow it, let alone find bugs.
The OpenSSL source code isn't pretty, but any competent C programmer should be able to read it. As I've suggested before, readability is a big problem with the OpenSSL sources, but the problem is not that the control flow is difficult to follow; it's that the source isn't expressive enough, which makes it all too easy to overlook errors.
The organization of the OpenSSL sources is actually not that bad. The file hierarchy is sensible and there's decent parallelism and orthogonality in the APIs. There are common ADT templates (built with a substantial dose of C macros, but that's due to limitations of the language, and their use is reasonable). Again, there are big architectural issues with OpenSSL but they're in things like resource allocation, not code organization, for the most part.
To really understand the OpenSSL sources you need to understand cryptography, ASN.1, X.509v3 certificates, the SSL/TLS protocols, the PKCS data formats, etc; but again that's not an issue with the OpenSSL sources, just domain knowledge. And it will apply to any SSL/TLS implementation.
$1.2 million is a shower for impoverished open-source projects, IMHO.
Indeed. If OpenSSL gets 1% of that, it'd be equivalent to six years' worth of typical donations. (See emails from Steve Marquess to the openssl-users list over the past few weeks.) I'd call that fairly significant.
I realise this post will be unpopular with the GPL cultists here, but whatever.
I'm actually not trolling - I just hope there is no pressure on non-GPL projects to switch to GPL, or indeed, any bias towards GPL licensed projects.
Downvotes from people that think GPL is the solution to everything in 3..2..1...