Slashdot Mirror


Microsoft, Google, Others Join To Fund Open Source Infrastructure Upgrades

wiredmikey (1824622) writes "Technology giants including Microsoft, Google, Intel, and Cisco are banding together to support and fund open source projects that make up critical elements of global information infrastructure. The new Core Infrastructure Initiative brings technology companies together to identify and fund open source projects that are widely used in core computing and Internet functions, The Linux Foundation announced today. Formed primarily as the industry's response to the Heartbleed crisis, the OpenSSL library will be the initiative's first project. Other open source projects will follow. The funds will be administered by the Linux Foundation and a steering group comprised of the founding members, key open source developers, and other industry stakeholders. Anyone interested in joining the initiative, or donating to the fund can visit the Core Infrastructure Initiative site."

29 of 101 comments

  1. Re:Sure they do. by mfh · · Score: 2

    They're doing this out of the goodness of their hearts! Honest!

    --
    The dangers of knowledge trigger emotional distress in human beings.
  2. Re:Why the Linux Foundation? by sproketboy · · Score: 5, Informative

    Mentioned in the FAQ:

    http://www.linuxfoundation.org...

    For the lazy:

    Why is The Linux Foundation the right forum for this funding?

    The Linux Foundation is a nonprofit organization with strong, existing relationships throughout the technology industry. It marshals the resources of the Linux ecosystem and other innovative open source projects to provide much needed services that are not easily offered by a single community member, entity or company. By raising funds at a neutral organization like The Linux Foundation, the industry can effectively give projects the support they need while ensuring that open source projects retain their independence and community-based dynamism.

  3. Pick and choose by just_another_sean · · Score: 4, Insightful

    Say what you want about Theo or the name his team has chosen but I think I'd rather give my money to OpenBSD's LibreSSL project than donate to this.

    I get that they are probably just after the good will and PR that this will generate, and that this isn't some vast conspiracy against open source, but I don't trust one of the companies on that list to give a care once public attention to heartbleed dies off.

    Pick a project and donate directly, don't let these giants pick and choose for us!

    --
    Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
    1. Re:Pick and choose by hobarrera · · Score: 2

      I don't think it's a PR move. It's in their best interest to fund these projects, and they can cut costs by teaming up on this. It really looks good on them, but they're doing it out of self-interest really.

  4. Short sighted hindsight by __aalwyc6372 · · Score: 2

    So they will fund projects that make up critical elements... what about projects that might one day reach that status? Why not fund interesting open source projects in general?

    1. Re:Short sighted hindsight by fuzzyfuzzyfungus · · Score: 2

      Most likely because their motivation is the (belated; but logical) recognition that it's cheaper to support OSS projects that you use than it is to bear the risk of having them fail or maintain a full in-house fork all by yourself. It's not really a fund dedicated to 'more and better OSS generally'; but an attempt to share (to some degree) the cost of improving and maintaining the stuff that they already use or already depend on in some way.

  5. Ah industry initiatives. by serviscope_minor · · Score: 4, Insightful

    So while these people have been doodling around forming initiatives and getting their logos splattered all over a web page, the OpenBSD people have actually founded the LibreSSL project and started actually overhauling the OpenSSL library, including fixing bugs that have been in the OpenSSL queue for years, not to mention finding a metric assload of new ones.

    Someone's already doing something. The best choice would just be to fund LibreSSL at this point.

    But hey, actually doing work like fixing bugs etc. is not nearly as glamorous as making press releases and having a huge wodge of logos.

    --
    SJW n. One who posts facts.
    1. Re:Ah industry initiatives. by Anonymous Coward · · Score: 2, Insightful

      Perhaps because the OpenSSL team are loath to actually clean up a messy code base, so it's up to a separate group of developers to clean up all the legacy cruft?

    2. Re:Ah industry initiatives. by fuzzyfuzzyfungus · · Score: 2

      It's conceivable that it's just a fit of temper (team OpenBSD certainly did not sound happy about what team OpenSSL had been up to); but it's also quite likely that they are doing it this way because they want it to happen. You can contribute something; but if the maintainers don't accept it, it just sits there. If you and the maintainers disagree on some important points, or they have a strong NIH attitude, this condition may continue indefinitely. If you fork, it's your problem now; but you do get to accept your own preferred solution.

    3. Re:Ah industry initiatives. by serviscope_minor · · Score: 4, Informative

      Why wouldn't they just contribute this work to the existing OpenSSL? Why does it have to be a fork?

      Because the OpenSSL people sat around with important bugs sitting in the queue for years and never fixed them. This is why the OpenBSD people---which is where some of the unresolved bug reports came from---decided that basically working with upstream is not an option and decided to go it alone.

      In fact that's exactly what the OpenBSD people said about the fork at the beginning.

      The problems with OpenSSL predate heartbleed and they've finally got too big for the OpenBSD people to leave it alone. Hence the fork.

      --
      SJW n. One who posts facts.
    4. Re:Ah industry initiatives. by serviscope_minor · · Score: 4, Interesting

      1. It's not initially feature-compatible with OpenSSL

      It's feature compatible enough to recompile the entire OpenBSD ports tree with LibreSSL as a drop-in replacement.

      3. There's no guarantee the rewrite would be accepted by the OpenSSL team

      Probably not, but they didn't accept fixes for big bugs which had been maintained as out of tree patches by OpenBSD and a bunch of Linux distros, so at this point who cares?

      4. There's no guarantee LibreSSL will work on anything but BSD

      Well, it will if they port it. Besides, it's not like OpenBSD don't have a proven track record in this department.

      5. Theo doesn't control OpenSSL

      That sounds like a reason for LibreSSL, not against. The OpenBSD project (apart from an astounding security record) is in charge of OpenSSH, another piece of critical infrastructure.

      1. This Linux Foundation fund identifies LibreSSL as the most feasible solution in the long term, and provides support for both projects.

      That would be good.

      2. Important bugs identified by both teams are ported to patch the current OpenSSL release.

      That seems unlikely given the above.

      --
      SJW n. One who posts facts.
    5. Re:Ah industry initiatives. by swillden · · Score: 4, Insightful

      Someone's already doing something. The best choice would just be to fund LibreSSL at this point.

      The best choice is to fund LibreSSL and another project or two to do the same thing. Thoroughly vetting and fixing OpenSSL is a good thing. Getting a couple of solid, API-compatible competitors in the same space is even better, to reduce the monoculture problem, and to create competition.

      Also, LibreSSL is just about OpenSSL. This initiative is supposed to be a long-term, ongoing effort to improve other widely-used open source software packages as well. Doing it through the Linux Foundation makes sense to me, too, mostly because it's an already-established example of exactly what the initiative wants to do to other open source packages. Linux is collaboratively developed by many companies (plus a few individual contributions) for the mutual benefit of all, and that model can and should be applied to other pieces of important open source infrastructure.

      This is a good idea. It may or may not be a better approach to fixing OpenSSL (which, incidentally, has terrified me for years) than LibreSSL, but it's good for OpenSSL and for other projects. These companies can donate what to them is peanuts (and a tax writeoff to boot), and in return the world as a whole will get improvements in fundamental computing infrastructure.

      I do have to say I'm surprised (and pleased) to see Microsoft's name in the list. Google is no surprise; Google uses open source software heavily and has a long history of supporting it. Intel has been involved in OSS for years, too, since they're just as happy to sell hardware to run OSS as anything else. Cisco also uses open source software and has a clear interest in the health of the networking ecosystem. But Microsoft has in the past been a serious opponent of OSS, doing various things to try to undermine it, some openly and some rather underhanded. Lately the company has been divided on the question, in some cases supporting and/or benefitting from OSS while the other hand is trying to squash it, but I think Microsoft is gradually coming around, beginning to admit that OSS is not only here to stay, but that it has a valid and valuable place.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  6. Game theory in action by HangingChad · · Score: 2, Interesting

    Team up to create the pie, then fight for your pieces. I'm actually shocked Microsoft is participating. It's a good move and I'm not used to seeing Redmond do the smart thing. Maybe their collective IQ went up now that Ballmer is out of the picture.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
  7. Re:Why the Linux Foundation? by king+neckbeard · · Score: 3, Informative

    I'm not aware of a FreeBSD foundation or a NetBSD foundation. The Linux Foundation, however, is a consortium that includes several large companies and has individuals experienced with bridging gaps between big corporations and communities. It's also worth remembering that the Linux Foundation arose from the merger of Open Source Development Labs and Free Standards Group. When you take in that context, it makes a lot more sense.

    --
    This is my signature. There are many like it, but this one is mine.
  8. hold the fuck up... by nimbius · · Score: 4, Interesting

    that make up critical elements of their information infrastructure.

    Frankly the only reason I think these multibillion dollar monopolistic companies have banded together to throw money is because their reputation and userbase have clamored for some kind of response to the problem. Let's be perfectly clear: Theo De Raadt is completely capable of handling the code refactor (he even went so far as to say he didn't need help with the code project's website.) Going to the Linux Foundation just shows how fucking shortsighted these guys are. If you want to help, donate to the OpenBSD foundation because this is a BSD package that was kindly ported to Linux. It will be released as LibreSSL, not the OpenSSL you want to "fix" in your products, as the code is completed and tested in accordance with what I presume is an OpenBSD development model, not Linux. And in regard to the 'other open source projects will follow' statement, it's arrogant and absurd to think that once the LibreSSL code is finalized and ported that these dicks are going to stick around and continue to contribute to any open source technology that doesn't clandestinely butter their bread in user facing products that happen to be facing a sev. 1 exploit they can't avoid through marketing or a new product.

    --
    Good people go to bed earlier.
    1. Re:hold the fuck up... by Jahta · · Score: 3, Insightful

      Leaving aside the fact that OpenSSL is not a "BSD package that kindly ported to Linux", I suggest it's rather more arrogant to assume that the world will rush to replace OpenSSL with Theo De Raadt's LibreSSL when (if) it becomes available.

      OpenSSL is not fundamentally broken. It had a bug, albeit one with big consequences. Lots of people depend on OpenSSL and it needs to be properly maintained. Paying people to work on open source projects is nothing new and if this funding supports developers with the necessary cryptographic skills devoting quality time to maintaining OpenSSL then that's a good thing.

  9. Re:Why the Linux Foundation? by ReeceTarbert · · Score: 5, Informative

    I'm not aware of a FreeBSD foundation or a NetBSD foundation.

    Okay, time to get up to speed then:

    The FreeBSD Foundation

    Donations to The NetBSD Foundation

    RT.

  10. Re:Sure they do. by wjcofkc · · Score: 4, Interesting

    Nothing is wrong with this picture. Like pretty much every tech company, the future of Microsoft relies on a vibrant, healthy, and growing internet - and there is still a lot of room to grow. Helping to fine tune the world of Open Source results in expanding needs and infrastructure, which invariably means that Microsoft software will find a way to be involved. Helping Open Source is a fast-track to expanding profits, fighting Open Source is a task for Sisyphus and they know it. There is no reason that Open and closed source cannot coexist in this world.

    Disclaimer: When I talk about Microsoft's technology, I am not talking about their current consumer OS debacle. I used to be a ZOMG! M$ SUX!!! type, but Microsoft is now an embattled company well aware that they fucked up a lot these last few years. I am curious to see what direction that will take them. I suppose this is part of that. Also, their back end products: Windows Server/Active Directory/SQL Server, etc... really are pretty nice. Although I do prefer Linux, FreeBSD and their associated Open Source server solutions.

    --
    Brought to you by Carl's Junior.
  11. The OpenSSL rampage by Neo-Rio-101 · · Score: 3, Interesting

    For some funny blow-by-blow commentary that the LibreSSL people are doing, check out http://opensslrampage.org/

    Too many VMS jokes to count.... but just looking at the comments, OpenSSL's code is labyrinthine and full of cruft and useless files.

    --
    READY.
    PRINT ""+-0
  12. Re:Why the Linux Foundation? by TheRaven64 · · Score: 3, Informative

    It's a shame then that they chose a name that explicitly excludes large portions of the Free and Open Source Software ecosystem.

    --
    I am TheRaven on Soylent News
  13. Re:duplicated effort? by serviscope_minor · · Score: 4, Interesting

    So the Linux Foundation has a fundamental distaste for Theo? Does the world really need two competing forks of OpenSSL?

    It doesn't: this new initiative has so far done nothing. I fully expect Amazon, Cisco, Facebook, Fujitsu, Google, HP, IBM, Intel, Linux Foundation, Microsoft, NetApp, Qualcomm, Rackspace and VMware (yep those are the logos splattered all over the place) to sit around with their dicks in their hands having press releases stating initiatives and deciding how to spend the funding while OpenBSD actually knuckles down and fixes OpenSSL.

    I expect that shortly after, some enterprising person from Debian will do some basic porting and have an alternative set up in the experimental repo. From there it will wend its way around into the other distributions (Mint, Ubuntu) and the patch set might wind up in some early Arch AUR builds and Fedora packages. By that stage the OpenBSD people will have probably accepted the patches and it will be officially portable. At this point Arch will have probably replaced it as a system wide dependency because hey, it can always be unreplaced if it's bad. Gentoo of course will make it easy to switch between OpenSSL and LibreSSL with just a teeny little recompile of everything, but whatever it's just some portage flags anyway. Red Hat probably won't care since they're probably on a version of OpenSSL so old that there are no longer any known bugs. Fedora will vacillate between the two and eventually decide to do whatever Ubuntu finally chooses.

    Then maybe in a while, we'll have an announcement that someone we've never heard of will be heading this terribly important project, and that huge splat of logos will get another outing. I expect this will happen at about the same time that some nutjob finishes a port of LibreSSL to his Amiga.

    During the above timespan, I expect to hear about Linux and Theo swearing at people in public and to have some good troll threads on slashdot about gender equality in IT (or nursing or teaching), 27 articles about 3D printing (guns or otherwise).

    --
    SJW n. One who posts facts.
  14. Where is Apple? by kbdd · · Score: 3, Interesting

    Oh wait, they can't afford it, it's not in their budget...

  15. Re:Sure they do. by zarr · · Score: 3

    While MS wasn't hit too hard by this particular bug, they have been hit by bugs in open source "core infrastructure" libraries before. Anyone remember this: http://www.geek.com/news/micro... ? Basically everything MS shipped had to be patched due to zlib being statically linked all over the place.

    Anyway, lots of people run open source stuff on windows servers (well, some do at least...), and it's in the best interest of MS that those boxes are safe.

    And last but not least, it's, if not free, at least very cheap publicity.
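The zlib episode zarr recalls is a supply-chain problem defenders still deal with: a statically linked library is not a separate file you can replace, so finding every copy that needs the fix means looking inside the executables themselves. The C program below is an added example, not code from the article or from any commenter. It relies on the version marker that zlib compiles into its object code (a string of the form " inflate X.Y.Z Copyright ... Mark Adler ", with a matching " deflate ... " string), searches a byte buffer for it and extracts the version; the sample buffer standing in for an executable is constructed for this example, and a real scan would run scan_file over each binary and compare the version found against the fixed release.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* zlib compiles a copyright marker into its object code, e.g.
 *   " inflate 1.2.11 Copyright 1995-2017 Mark Adler "
 * (and a matching " deflate ... " one), so a statically linked copy leaves that
 * marker inside the executable even though no separate zlib library file exists.
 * Searching binaries for the marker is one way to find copies that need patching. */

/* Scan buf for a " inflate " or " deflate " marker followed by a dotted version.
 * On success copies the version (e.g. "1.1.4") into out and returns 1, else 0. */
int find_zlib_version(const uint8_t *buf, size_t len, char *out, size_t out_cap)
{
    static const char *markers[] = { " inflate ", " deflate " };
    if (out_cap == 0) return 0;
    for (size_t m = 0; m < 2; m++) {
        size_t mlen = strlen(markers[m]);
        for (size_t i = 0; i + mlen <= len; i++) {
            if (memcmp(buf + i, markers[m], mlen) != 0) continue;
            /* Collect digits and dots up to the next non-version character. */
            size_t j = i + mlen, k = 0;
            while (j < len && k + 1 < out_cap &&
                   ((buf[j] >= '0' && buf[j] <= '9') || buf[j] == '.'))
                out[k++] = (char)buf[j++];
            out[k] = '\0';
            /* Require something that looks like a version ("1.1.4"), not a stray number. */
            if (k >= 3 && strchr(out, '.') != NULL) return 1;
        }
    }
    out[0] = '\0';
    return 0;
}

/* Read a whole file into memory and scan it.
 * Returns 1 if a marker was found, 0 if not, -1 on I/O or allocation error. */
int scan_file(const char *path, char *out, size_t out_cap)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t cap = 1 << 20, len = 0, n;
    uint8_t *buf = malloc(cap);
    if (!buf) { fclose(f); return -1; }
    while ((n = fread(buf + len, 1, cap - len, f)) > 0) {
        len += n;
        if (len == cap) {              /* grow the buffer for large binaries */
            uint8_t *bigger = realloc(buf, cap * 2);
            if (!bigger) { free(buf); fclose(f); return -1; }
            buf = bigger;
            cap *= 2;
        }
    }
    fclose(f);
    int found = find_zlib_version(buf, len, out, out_cap);
    free(buf);
    return found;
}

/* Constructed stand-in for an executable with a static zlib 1.1.4 inside it
 * (a fake ELF header followed by text; not a real binary). */
static const uint8_t SAMPLE_WITH_ZLIB[] =
    "\x7f" "ELF" "\x02\x01\x01" "\0\0\0\0\0\0\0\0\0"
    "unrelated strings inflate 1.1.4 Copyright 1995-2002 Mark Adler more code";
#define SAMPLE_WITH_ZLIB_LEN (sizeof(SAMPLE_WITH_ZLIB) - 1)

int main(int argc, char **argv)
{
    char version[32];
    if (argc < 2) {
        /* No files given: demonstrate on the constructed sample. */
        if (find_zlib_version(SAMPLE_WITH_ZLIB, SAMPLE_WITH_ZLIB_LEN, version, sizeof version))
            printf("sample: statically linked zlib %s\n", version);
        return 0;
    }
    for (int i = 1; i < argc; i++) {
        int r = scan_file(argv[i], version, sizeof version);
        if (r == 1) printf("%s: statically linked zlib %s\n", argv[i], version);
        else if (r == 0) printf("%s: no zlib marker\n", argv[i]);
        else printf("%s: cannot read\n", argv[i]);
    }
    return 0;
}
```

The marker search is deliberately loose, so treat a hit as a lead rather than proof: a program that happens to print the word "inflate" before a dotted number would match too, and a build that strips or rewrites the copyright string would be missed. For an inventory you can act on, pair this with the package manager's own record of dynamically linked zlib and patch both populations.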

  16. Re:Sure they do. by Mdk754 · · Score: 2

    This. Microsoft is not the anti-open source monster people on Slashdot like to make it out to be.

    .NET, TypeScript, ASP.NET MVC, NTVS, PTVS, etc.

    Old mentalities die hard I guess...

  17. Re:duplicated effort? by chill · · Score: 2

    10. The companies listed do large amounts of business with the U.S. government, which requires FIPS certification of crypto software.

    20. OpenBSD has explicitly stated that FIPS certification is off the table for OpenSSH. NOT one of their goals.

    30. Taking that off the table leaves a large pile of money ON the table.

    40. GOTO 10

    --
    Learning HOW to think is more important than learning WHAT to think.
  18. Re:Sure they do. by gbjbaanb · · Score: 3, Insightful

    there's open source, and then there's open source that only works using Microsoft products.

    It's the latter they're releasing; the products, and the candy to make you buy more of them.

  19. Re:Why the Linux Foundation? by gbjbaanb · · Score: 2

    because it has a stupid name, and it is getting all its cross-platform code ripped out to make it BSD-friendly.

    Why not fund OpenSSL developers to do the same with the OpenSSL code, but including much of the cross platform options that have made it so ubiquitous. And without the silly name.

  20. Re:Sure they do. by ConfusedVorlon · · Score: 3, Informative

    You post as if their enlightened self interest is a bad thing.

    Sure they benefit. But each of them could sit tight and wait/hope for someone else to pay for this.

    I say good for them. This deserves praise, not contempt.

  21. Re:Why the Linux Foundation? by RR · · Score: 2

    Why not fund OpenSSL developers to do the same with the OpenSSL code, but including much of the cross platform options that have made it so ubiquitous. And without the silly name.

    Because all those cross-platform hacks directly contribute to its bugginess. The Heartbleed bug was facilitated by a cross-platform reimplementation of malloc that was written for speed rather than security.

    And also because the OpenSSL developers have been demonstrated to sit on patches for years instead of fixing bugs.

    For a morbidly good time, go look at OpenSSL Valhalla Rampage, a blog highlighting some of the insanity that the OpenBSD devs are encountering as they rewrite OpenSSL into LibreSSL. It becomes clear that Theo de Raadt was right, and the OpenSSL devs are not responsible people.

    --
    Have a nice time.
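RR's point is about what the allocator hid rather than what it caused: with OpenSSL's own freelist allocator in front of the system malloc, an over-read came back filled with recycled OpenSSL buffers, whereas a hardened system malloc with guard pages stands a good chance of turning the same over-read into a crash during testing. The defect underneath was a missing comparison between a record's declared payload length and the number of bytes actually received, and that check has to exist whatever allocator sits below it. The C program below is an added example, not code from OpenSSL, LibreSSL or any commenter: it uses a constructed record layout modelled on a TLS heartbeat message (type, 16-bit payload length, payload, padding) and shows a reply routine with the length check in place, so a request whose declared length exceeds the bytes on the wire is rejected instead of copied.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout, modelled on a TLS heartbeat message (RFC 6520):
 *   type (1) | payload_length (2, big-endian) | payload | padding (at least 16)
 * The peer chooses payload_length, so the receiver must check it against the
 * number of bytes it actually received before copying anything. */
#define HB_HDR_LEN     3
#define HB_MIN_PADDING 16
#define HB_REQUEST     1
#define HB_RESPONSE    2

/* Build an echo reply for a heartbeat request.
 * Returns the reply length, or -1 when the record is unusable: wrong type,
 * the declared payload (plus header and minimum padding) does not fit inside
 * the rec_len bytes actually received, or the reply would overflow out_cap.
 * The rec_len comparison is the check whose absence let a small request read
 * far past its own buffer. */
int heartbeat_reply_checked(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR_LEN || rec[0] != HB_REQUEST) return -1;
    size_t declared = ((size_t)rec[1] << 8) | rec[2];

    /* Trust the bytes we have, not the length the peer claims. */
    if (HB_HDR_LEN + declared + HB_MIN_PADDING > rec_len) return -1;

    size_t reply_len = HB_HDR_LEN + declared + HB_MIN_PADDING;
    if (reply_len > out_cap) return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(declared >> 8);
    out[2] = (uint8_t)(declared & 0xff);
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, declared); /* bounded by the check above */
    /* Real implementations fill padding with random bytes; zeros keep the example deterministic. */
    memset(out + HB_HDR_LEN + declared, 0, HB_MIN_PADDING);
    return (int)reply_len;
}

/* Test helper: build a request whose declared length may or may not match the
 * payload actually placed in it.  Returns the record length written, 0 if it
 * would not fit in rec_cap. */
size_t make_heartbeat_request(uint16_t declared_len, const uint8_t *payload,
                              size_t payload_len, uint8_t *rec, size_t rec_cap)
{
    size_t total = HB_HDR_LEN + payload_len + HB_MIN_PADDING;
    if (total > rec_cap) return 0;
    rec[0] = HB_REQUEST;
    rec[1] = (uint8_t)(declared_len >> 8);
    rec[2] = (uint8_t)(declared_len & 0xff);
    memcpy(rec + HB_HDR_LEN, payload, payload_len);
    memset(rec + HB_HDR_LEN + payload_len, 0, HB_MIN_PADDING);
    return total;
}

int main(void)
{
    uint8_t rec[64], reply[64];
    const uint8_t hello[] = "hello";

    /* Well-formed request: declared length matches the payload actually sent. */
    size_t n = make_heartbeat_request(5, hello, 5, rec, sizeof rec);
    printf("well-formed request: reply length %d\n",
           heartbeat_reply_checked(rec, n, reply, sizeof reply));

    /* Malformed request: 5 bytes of payload but a declared length of 65535. */
    n = make_heartbeat_request(65535, hello, 5, rec, sizeof rec);
    printf("over-declared request: reply length %d (rejected)\n",
           heartbeat_reply_checked(rec, n, reply, sizeof reply));
    return 0;
}
```

Two habits from this example carry over to any length-prefixed protocol parser: derive every copy length from the bytes you actually hold, never from a field the peer controls, and make the reply buffer capacity a second, independent bound. Running the parser under a hardened allocator or AddressSanitizer in CI is the detection layer for the checks you forgot.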