Core Infrastructure Initiative

The Core Infrastructure Initiative (CII) was a project of the Linux Foundation to fund and support free and open-source software projects that are critical to the functioning of the Internet and other major information systems. The project was announced on 24 April 2014 in the wake of Heartbleed, a critical security bug in OpenSSL, a cryptographic library used on millions of websites. OpenSSL was among the first projects funded by the initiative after it was found to be badly underfunded, receiving only about $2,000 per year in donations; the initiative sponsored two full-time OpenSSL core developers. In September 2014, the initiative offered assistance to Chet Ramey, the maintainer of bash, after the Shellshock vulnerability was discovered. The CII has since been superseded by the Open Source Security Foundation (OpenSSF).


Heartbleed bug

OpenSSL is an open-source implementation of Transport Layer Security (TLS), so anyone can inspect its source code. It is used, for example, by smartphones running the Android operating system and by some Wi-Fi routers, and by organizations including Amazon.com, Facebook, Netflix, Yahoo!, the United States Federal Bureau of Investigation and the Canada Revenue Agency. On 7 April 2014, OpenSSL's Heartbleed bug was publicly disclosed and fixed. The vulnerability, which had shipped in OpenSSL's current release branch for more than two years, let an attacker read process memory from a vulnerable server or client and so retrieve information such as usernames, passwords and credit card numbers from supposedly secure sessions. At the time, roughly 17% (around half a million) of the Internet's secure web servers certified by trusted authorities were believed to be vulnerable to the attack.
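The defect behind Heartbleed was a missing bounds check: the TLS heartbeat extension (RFC 6520) carries a 16-bit payload length chosen by the sender, and the affected code copied that many bytes into the reply without checking them against the number of bytes that had actually arrived, so the response echoed adjacent memory. The C model below is an illustration added here, not OpenSSL's own code; the function and buffer names, the 64-byte "heap" and the secret placed after the request are all constructed for the example. It puts the pre-fix handler beside a hardened one whose check has the same shape as the actual fix (header plus claimed payload plus minimum padding must not exceed the record length), and shows the first leaking the secret while the second drops the request.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a TLS heartbeat request (RFC 6520) as handed over by the record layer:
 *   type(1) | payload_length(2, big-endian) | payload | padding(>= 16 bytes)
 * record_len is how many bytes really arrived; payload_length is attacker-controlled.
 * Names and layout are illustrative (constructed for this example), not OpenSSL's. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16, HB_HDR = 3 };

/* Pre-fix behaviour: trusts the claimed length and never consults record_len,
 * so memcpy reads past the end of the request into whatever follows it in memory. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t record_len,
                                uint8_t *out, size_t out_cap) {
    (void)record_len;                                   /* never checked: the bug */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HDR + (size_t)payload_len + HB_PADDING > out_cap) return -1; /* guards only our own buffer */
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + HB_HDR, rec + HB_HDR, payload_len);    /* over-read when payload_len > what arrived */
    memset(out + HB_HDR + payload_len, 0, HB_PADDING);
    return (int)(HB_HDR + payload_len + HB_PADDING);
}

/* Post-fix behaviour: header + claimed payload + minimum padding must fit inside
 * the bytes that actually arrived; otherwise the message is silently dropped. */
static int heartbeat_fixed(const uint8_t *rec, size_t record_len,
                           uint8_t *out, size_t out_cap) {
    if (record_len < HB_HDR + HB_PADDING) return -1;    /* cannot even hold header + padding */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HDR + (size_t)payload_len + HB_PADDING > record_len) return -1; /* the Heartbleed check */
    if (HB_HDR + (size_t)payload_len + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + HB_HDR, rec + HB_HDR, payload_len);
    memset(out + HB_HDR + payload_len, 0, HB_PADDING);  /* real implementations use random padding */
    return (int)(HB_HDR + payload_len + HB_PADDING);
}

/* Constructed sample "heap": a heartbeat request with 4 real payload bytes, immediately
 * followed by a secret standing in for whatever the process had allocated next. */
static const char SECRET[] = "SECRET-SESSION-KEY";
#define HEAP_SIZE 64

static size_t build_sample(uint8_t *heap, uint16_t claimed_len) {
    memset(heap, 0, HEAP_SIZE);
    heap[0] = HB_REQUEST;
    heap[1] = (uint8_t)(claimed_len >> 8);
    heap[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(heap + HB_HDR, "ping", 4);                              /* the 4 real payload bytes */
    memcpy(heap + HB_HDR + 4 + HB_PADDING, SECRET, sizeof SECRET); /* secret at offset 23 */
    return HB_HDR + 4 + HB_PADDING;                                /* 23 bytes really arrived */
}

static int contains_secret(const uint8_t *buf, int n) {
    size_t slen = strlen(SECRET);
    for (int i = 0; i + (int)slen <= n; i++)
        if (memcmp(buf + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* 1 if the vulnerable handler echoes the adjacent secret to a request claiming 48 payload bytes. */
int demo_vulnerable_leaks(void) {
    uint8_t heap[HEAP_SIZE], out[128];
    size_t rlen = build_sample(heap, 48);
    int n = heartbeat_vulnerable(heap, rlen, out, sizeof out);
    return n > 0 && contains_secret(out, n);
}

/* 1 if the fixed handler drops that same over-long claim. */
int demo_fixed_rejects(void) {
    uint8_t heap[HEAP_SIZE], out[128];
    size_t rlen = build_sample(heap, 48);
    return heartbeat_fixed(heap, rlen, out, sizeof out) == -1;
}

/* Response length (23) when the claim is honest and the echoed payload is intact, else -1. */
int demo_fixed_accepts_honest(void) {
    uint8_t heap[HEAP_SIZE], out[128];
    size_t rlen = build_sample(heap, 4);
    int n = heartbeat_fixed(heap, rlen, out, sizeof out);
    if (n < 0 || memcmp(out + HB_HDR, "ping", 4) != 0) return -1;
    return n;
}

int main(void) {
    printf("vulnerable handler leaks secret: %d\n", demo_vulnerable_leaks());
    printf("fixed handler rejects over-long claim: %d\n", demo_fixed_rejects());
    printf("fixed handler honest response length: %d\n", demo_fixed_accepts_honest());
    return 0;
}
```

The over-read here stays inside the constructed 64-byte array so the demonstration is well-defined; in the real bug the copy ran into neighbouring heap allocations, which is why a peer could pull up to 64 KiB of arbitrary process memory per heartbeat. Note that the vulnerable handler does check its own output buffer, which is exactly the kind of check that looks like bounds hygiene but says nothing about the untrusted input.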


Open-source software

According to Linus's law, formulated in Eric S. Raymond's ''The Cathedral and the Bazaar'', "Given enough eyeballs, all bugs are shallow." In other words, if enough people are working on the software, a problem will be found quickly and its fix will be obvious to someone. Raymond stated in an interview that "there weren't any eyeballs" for the Heartbleed bug. Prior to the CII funding, only one person, Stephen Henson, worked full-time on OpenSSL; Henson approved well over half of the updates to OpenSSL's more than 450,000 lines of source code. Besides Henson, there were three core volunteer programmers. The OpenSSL Project existed on a budget of $2,000 per year in donations, which was enough to cover the electricity bill, and Henson was earning around $20,000 per year. To gather more revenue for the project, Steve Marquess, a consultant for the Defense Department, created the OpenSSL Software Foundation, which allowed the programmers to make some money by consulting for organizations that used the code. However, the foundation brought in less than $1 million per year, and the contract work tended to focus on adding new features rather than maintaining existing ones. Other open-source software projects have similar difficulties. For example, the maintainers of OpenBSD, a security-focused operating system, nearly had to shut the project down in early 2014 because they could not pay the electricity bills.


The initiative

Jim Zemlin, the executive director of the Linux Foundation, conceived the idea of the Core Infrastructure Initiative not long after Heartbleed was announced, and spent the night of 23 April 2014 calling firms for support. Thirteen companies responded and joined the initiative: Amazon Web Services, Cisco Systems, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, Qualcomm and VMware. The list was determined mainly by whom Zemlin knew. Each of the thirteen companies pledged to donate $100,000 a year for three years, bringing the initial funding pool to almost $4 million. Five more companies, Adobe Systems, Bloomberg L.P., Hewlett-Packard, Huawei and Salesforce.com, have since joined the initiative. The money that the CII pooled was used to fund specific tasks such as paying developers to work full-time on an open-source software project, conducting code reviews and security audits, deploying test infrastructure, and facilitating travel and face-to-face meetings among developers. The CII was composed of two bodies, a steering committee and an advisory board. The steering committee was made up of representatives from the member companies and other industry stakeholders and was in charge of identifying target software projects and approving specific funding for them. The advisory board, composed of developers and other stakeholders, provided advice to the steering committee.


Projects backed in 2016

In 2016 the Core Infrastructure Initiative also invested $120,000 in education on good practices for open-source development, $120,000 in the analysis of popular open-source projects, and $95,000 in auditing OpenSSL.

