News Column

Hearts bleed for funds for open source software

April 28, 2014

ON APRIL 1, nominally the day when foolish stories make news, internet security chatter was subjected to the equivalent of a nuclear bomb. A critical warning was issued for the OpenSSL cryptography library used to secure online transactions.

Heartbleed - as the security bug has come to be known - affected 17 percent of all secure websites and 500 000 services, including Google, Amazon and Facebook. That's right: companies which earn billions of dollars annually depend for their online security on software maintained by four core developers, and a handful of volunteers from around the world.

The error happened because of a lack of adequate funding. In an average year the OpenSSL Foundation receives about $2 000 (R21 000). After the Heartbleed disaster, following a global outpouring of concern, they managed to raise… $9 000.

A hefty amount of abuse has been hurled at the poor developers but it's hard to dedicate much attention to something - no matter how important - when there is no money to pay for what promises to be quite time-consuming labour.

OpenSSL is not alone. There are hundreds of unglamorous bits of plumbing upon which the internet depends - from components which allow e-mail servers to communicate, to load-balancing systems which prevent websites falling over, to file-sharing tools which mean that blurry image of your cat goes on to Facebook.

A large number of these components are open source projects started by enthusiasts at the dawn of Dot Com. OpenSSL started in 1998. NGINX, used for load balancing, was released in 2002. Dovecot, used for securing e-mail, also in 2002. If you've used the internet, you've used this software.

"Open Source" has been used as a weird bandage, like the miracle that keeps on giving. It's a reliance on exceptionally talented people to donate their time in support of the common good.

Oddly enough, that assumption has held well enough to grow the internet to an astounding size. But the internet is now really, really big, and reliance on unpaid volunteers to secure it has gone as far as it can go.

Fortunately the Linux Foundation has announced a new initiative funded by Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Qualcomm, Rackspace, and VMware.

These companies will each donate $100 000 a year for the next three years into a Core Infrastructure Initiative that will allocate cash to critical open source projects. OpenSSL will be one of their first recipients.

Properly funding critical open source projects is what ensures their long-term sustainability.

Gavin Chait is a data engineer and development economist at Whythawk.

Cape Argus


Source: Cape Argus (South Africa)