Linux Foundation pours millions into critical internet infrastructure

Millions of dollars will be invested in maintaining criticial internet infrastructure in the wake of the Heartbleed OpenSSL bug.

Eric S Raymond.

The Linux Foundation last week announced the set-up of the Core Infrastructure Initiative (CII) to fund open source projects such as OpenSSL, as a direct response to the Heartbleed crisis.

The bug allows attackers to access in-process data in server and client memory over what was thought to be secured communications.

Software such OpenSSL - which runs many critical systems on the internet - is often maintained by a handful of people in their spare time and with little funding, as the cryptographic library's foundation president Steve Marquess pointed out recently in a blog post.

Since many large and wealthy corporations as well as governments rely on open source projects created and maintained by volunteers, more support is needed to avoid future Heartbleed disasters.

The CII has won the backing of Amazon Web Services, Cisco, Dell, Facebook, Google, IBM, Microsoft, VMware and other large corporations who have committed US$3.6 million (A$3.9 million) in funding for the Linux Foundation project.

However, the CII may collide with existing efforts to improve internet infrastructure, chief communications officer and president of the Internet Civil Engineering Institute (ICEI) Eric S Raymond told iTnews.

"It's a panic reaction to Heartbleed," Raymond said.

"They have backers with money, but no plan and no staff. We need to work out a way to either merge or not to step on each other."

The concept behind the ICEI, which seeks to fund and organise civil engineering for the whole internet infrastructure, is around 18 months old, according to Raymond, a well-known open source software advocate.

While the internet has become a criticial piece of infrastructure, the ICEI believes that as a public good, it has tended to be chronically underfunded.

Corporations and individuals are making fortunes using the infrastructure while "the work building a future for the most vibrant sectors of the world economy is done by people who have to couch-surf and live on ramen noodles because the benefits of their enormously valuable labour are too diffuse to give any government or corporation a funding incentive," the ICEI said in its funding prospectus.

Supporting engineers and freeing them to work on digital infrastructure would be an "extremely wise investment for everyone who relies on the Internet and the software around it," it said.

Grants and bounties in support of specific, existing infrastructure projects will be directed by the ICEI, with deliverables being running code, realised hardware designs or specified deployment or performance objectives, according to the institute's plan.

Pure research, white papers or policy studies will not be funded by the ICEI, nor any technical standards implementations known to be encumbered by non-royalty free patents, or closed-source software or proprietary hardware designs.

The ICEI was set to launch within months, until the recent massive security hole in the popular open source cryptographic library OpenSSL was discovered.

"We've been doing a lot of planning and thinking and were about 60 days from public launch when Heartbleed hit," Raymond said.

OpenSSL forks into LibreSSL

Volunteers from the OpenBSD secure operating system project started working on the OpenSSL code last week while criticising it for being messy and containing old, unused parts. 

OpenBSD is a UNIX-like operating system that emphasises security and exacting coding standards. The OpenBSD volunteers have been aggressively pruning the OpenSSL code, with the project founder Theo de Raadt claiming some 90,000 lines had been removed already. 

Not content with modifying the existing OpenSSL code base, the OpenBSD project then decided to fork or create a new version of the cryptographic library, called LibreSSL.

LibreSSL will be included in OpenBSD 5.6. The team said "... our primary focus is good software that we trust to run ourselves. We don't want to break your heart."

OpenSSL president Steve Marquess told iTnews that OpenBSD was free to try create their own version, similar to certain corporations that also forked the cryptographic library to fit their needs.

"However, in their enthusiasm they are inevitably going to introduce new bugs and problems of their own, and they will discover that for all its apparent complexity and clutter, OpenSSL is battle-tested code that has served well in a wide range of applications for a long time," Marquess said.

"They will find that writing cryptographic code that is both secure and interoperable is not an easy task."

Marquess said OpenSSL would overhaul the code base in order to 'aggressively pursue a goal of maximum utility for the widest audience'. The overhaul will see a new code review being instituted as well as testing procedures.

"We will be plowing through the backlog of patch contributions that have languished for lack of manpower. We will be doing a code cleanup for a consistent style, and refactoring for tighter code," he said.

"The current OpenSSL users community is not going to be disappointed in the result."