Microsoft, Google, Others Join To Fund Open Source Infrastructure Upgrades

timothy posted about 6 months ago | from the and-moving-forward-henceforth dept.

Open Source 101

wiredmikey (1824622) writes "Technology giants including Microsoft, Google, Intel, and Cisco are banding together to support and fund open source projects that make up critical elements of global information infrastructure. The new Core Infrastructure Initiative brings technology companies together to identify and fund open source projects that are widely used in core computing and Internet functions, The Linux Foundation announced today. Formed primarily as the industry's response to the Heartbleed crisis, the OpenSSL library will be the initiative's first project. Other open source projects will follow. The funds will be administered by the Linux Foundation and a steering group comprised of the founding members, key open source developers, and other industry stakeholders. Anyone interested in joining the initiative, or donating to the fund can visit the Core Infrastructure Initiative site."

Sure they do. (0)

Anonymous Coward | about 6 months ago | (#46831899)

Microsoft and Open source, in the same sentence. What's wrong with this picture?

Re:Sure they do. (2)

mfh (56) | about 6 months ago | (#46831943)

They're doing this out of the goodness of their hearts! Honest!

Re:Sure they do. (3, Informative)

ConfusedVorlon (657247) | about 6 months ago | (#46834311)

You post as if their enlightened self interest is a bad thing.

Sure they benefit. But each of them could sit tight and wait/hope for someone else to pay for this.

I say good for them. This deserves praise, not contempt.

Re:Sure they do. (1)

mfh (56) | about 6 months ago | (#46835145)

Forgive me if I'm hesitant to trust a company that does everything in its power to crush open source. They are not OSS friendly. MSFT is patent trolling here. Nothing more. They will encourage OSS projects to spring up that violate their patents and wait for the right moment so that their competitors are using the OSS and then wham -- lawsuit. Apple and Google are doing this too for the same probable reason. Of course I could be somewhat wrong, but my caution & cynicism is not entirely wrong.

Re:Sure they do. (0)

Anonymous Coward | about 6 months ago | (#46835509)

Hate to tell you but open source does enough to hurt itself. Hopefully Linux realizes "Linux on the Desktop" won't ever really happen, and they focus on server and other stuff.

Re:Sure they do. (1)

mfh (56) | about 6 months ago | (#46835825)

Linux on the desktop is easy now. What are you talking about? Do you work at MSFT? Apple? Google?

WHO DO YOU WORK FOR? ;-)

Re:Sure they do. (1)

LinuxIsGarbage (1658307) | about 6 months ago | (#46836619)

Hate to tell you but open source does enough to hurt itself. Hopefully Linux realizes "Linux on the Desktop" won't ever really happen, and they focus on server and other stuff.

What's funny is when you point out that while Linux on the Desktop has yet to happen, Linux on the handheld (Android) is booming.

Then the Freetards clarify that by Linux they actually meant GNU + Linux, using X11 and wobbly windows for a UI. And having to sudo apt-get some commands on your phone... imagine.

Re: Sure they do. (0)

Anonymous Coward | about 6 months ago | (#46836565)

My heart bleeds :)

Re:Sure they do. (0)

Anonymous Coward | about 6 months ago | (#46836917)

It's an attempt to appear relevant again...basically, as long as there's a list of companies like this, they want to be on it. They'd probably love to retroactively get in on that "no poaching" class action suit since, by being left out, it's tantamount to saying that none of the companies were worried about Microsoft stealing their employees.

Re:Sure they do. (1)

drainbramage (588291) | about 6 months ago | (#46831971)

Nothing wrong with this picture.
Hasn't Microsoft been selling other people's work as their own since day 1?
Remember Bill is the product of 2 lawyers.

Re:Sure they do. (-1, Troll)

binarylarry (1338699) | about 6 months ago | (#46831987)

Yeah isn't it weird that Microsoft is supporting something they call "Cancer."

The Bill and Melinda Gates Foundation for the advancement of Digital Carcinogens.

Re:Sure they do. (0)

Anonymous Coward | about 6 months ago | (#46832067)

Just to be pedantic, they said that the GPL was a cancer. The BSD license, on the other hand, is pure gold. This begs the question of how they will decide who gets their support.

Re:Sure they do. (0)

Anonymous Coward | about 6 months ago | (#46832981)

They are usually quoted as saying "Linux" was a cancer. Perhaps someone can find the original attribution quote.

Re:Sure they do. (1)

neilo_1701D (2765337) | about 6 months ago | (#46832503)

Yeah isn't it weird that Microsoft is supporting something they call "Cancer."

Wasn't it Ballmer who said that?

Anyway, suppose it was Gates. Why couldn't he change his mind during the intervening years?

Re:Sure they do. (4, Interesting)

wjcofkc (964165) | about 6 months ago | (#46832151)

Nothing is wrong with this picture. Like pretty much every tech company, the future of Microsoft relies on a vibrant, healthy, and growing internet - and there is still a lot of room to grow. Helping to fine tune the world of Open Source results in expanding needs and infrastructure, which invariably means that Microsoft software will find a way to be involved. Helping Open Source is a fast-track to expanding profits, fighting Open Source is a task for Sisyphus and they know it. There is no reason that Open and closed source cannot coexist in this world.

Disclaimer: When I talk about Microsoft's technology, I am not talking about their current consumer OS debacle. I used to be a ZOMG! M$ SUX!!! type, but Microsoft is now an embattled company well aware that they fucked up a lot these last few years. I am curious to see what direction that will take them. I suppose this is part of that. Also, their back end products: Windows Server/Active Directory/Sql server, etc... really are pretty nice. Although I do prefer Linux, FreeBSD and their associated Open Source server solutions.

Re:Sure they do. (3)

zarr (724629) | about 6 months ago | (#46832339)

While MS wasn't hit too hard by this particular bug, they have been hit by bugs in open source "core infrastructure" libraries before. Anyone remember this: http://www.geek.com/news/micro... [geek.com] ? Basically everything MS shipped had to be patched due to zlib being statically linked all over the place.

Anyway, lots of people run open source stuff on windows servers (well, some do at least...), and it's in the best interest of MS that those boxes are safe.

And last but not least, it's, if not free, then at least very cheap publicity.

Re:Sure they do. (1)

bondsbw (888959) | about 6 months ago | (#46832601)

Pretty much nothing is wrong with it. Microsoft has become a huge supporter of open source and recently open sourced major components of the .NET framework and more recently their beta Roslyn compiler.

I know, I know... they will never be truly open source until they give all the code they ever created and will ever create away for free and also throw in a car to everyone who has ever run Linux.

Re:Sure they do. (2)

Mdk754 (3014249) | about 6 months ago | (#46832945)

This. Microsoft is not the anti-open source monster people on Slashdot like to make it out to be.

.NET, TypeScript, ASP.NET MVC, NTVS, PTVS, etc.

Old mentalities die hard I guess...

Re:Sure they do. (3, Insightful)

gbjbaanb (229885) | about 6 months ago | (#46834197)

there's open source, and then there's open source that only works using Microsoft products.

It's the latter they're releasing; the products, and the candy to make you buy more of them.

Re:Sure they do. (1)

flyingfsck (986395) | about 6 months ago | (#46834597)

Not to mention that MS uses a lot of BSD code.

The new nicey nicey Microsoft.... (0)

Anonymous Coward | about 6 months ago | (#46831905)

is not to be trusted. I know all multi-billion dollar tech companies are untrustworthy to varying degrees, but MS is the worst of the lot. They are pure slime. They are just getting better at hiding it.

Re:The new nicey nicey Microsoft.... (1)

silentcoder (1241496) | about 6 months ago | (#46831957)

"Do not trust the money, Geeks. Whatever it is, I fear the Redmondians even when they bring gifts."

Re:The new nicey nicey Microsoft.... (0)

Anonymous Coward | about 6 months ago | (#46832023)

Take a shower.

Re:The new nicey nicey Microsoft.... (0)

Anonymous Coward | about 6 months ago | (#46832759)

You missed a citation eh, try with
Timeo Danaos et dona ferentes. [wikipedia.org]

Hah... Third post (-1)

Anonymous Coward | about 6 months ago | (#46831929)

vzzbx

Elizabeth Warren Is Rewriting History (-1)

Anonymous Coward | about 6 months ago | (#46831951)

http://www.usnews.com/opinion/blogs/brian-walsh/2014/04/22/elizabeth-warren-glosses-over-native-american-controversy-in-new-book

"“Everyone on our mother’s side — aunts, uncles, and grandparents — talked openly about their Native American ancestry. My brothers and I grew up on stories about our grandfather building one-room schoolhouses and about our grandparents’ courtship and their early lives together in Indian Territory.”

This is ironic because, until the Boston Herald first broke the news in April 2012 that Harvard Law School had repeatedly promoted Warren as a Native American faculty member, Warren never once mentioned these stories of her upbringing in a single press interview, speech, class lecture or testimony at any point, ever, in her decades-long career. What's more, Warren was not listed as a minority on her transcript from George Washington University where she began her undergraduate education, nor did she list herself as a minority when applying to Rutgers University Law School in 1973.

In fact, it was not until she was in her 30s and focused on climbing the highly competitive ladder of law school academia that Warren apparently rediscovered her Native American heritage. It’s important to note that entrance and advancement in the law school profession is governed by the Association of American Law Schools, which requires registrants interested in teaching at law schools to fill out a questionnaire detailing their education, experience, bar passage and, yes, ethnicity. This information is then disseminated to law schools around the country that, as Warren surely knew, are always on the lookout to add to the diversity of their faculty.

A copy of Warren's questionnaire currently resides in the Association of American Law Schools archives at the University of Illinois at Urbana-Champaign. However, only Warren herself has the authority to release the complete copy of her questionnaire and to date, she has refused to do so. "

Dirty detestable lying democrat scumbag politician.

But I repeat myself.

Why the Linux Foundation? (1)

TheRaven64 (641858) | about 6 months ago | (#46831959)

OpenSSL has nothing to do with Linux, other than that a number of vendors that bundle it with their products also bundle Linux. The FreeBSD or NetBSD Foundations would have made as much sense (i.e. none).

Re:Why the Linux Foundation? (5, Informative)

sproketboy (608031) | about 6 months ago | (#46831977)

Mentioned in the FAQ:

http://www.linuxfoundation.org... [linuxfoundation.org]

For the lazy:

Why is The Linux Foundation the right forum for this funding?

The Linux Foundation is a nonprofit organization with strong, existing relationships throughout the technology industry. It marshals the resources of the Linux ecosystem and other innovative open source projects to provide much needed services that are not easily offered by a single community member, entity or company. By raising funds at a neutral organization like The Linux Foundation, the industry can effectively give projects the support they need while ensuring that open source projects retain their independence and community-based dynamism.

Re:Why the Linux Foundation? (1)

hobarrera (2008506) | about 6 months ago | (#46841691)

While that is correct, the Linux foundation does not focus on security-first. If they cared about things like heartbleed and want the best there is in security, they should have picked the OpenBSD Foundation.

Re:Why the Linux Foundation? (3, Informative)

king neckbeard (1801738) | about 6 months ago | (#46832031)

I'm not aware of a FreeBSD foundation or a NetBSD foundation. The Linux Foundation, however, is a consortium that includes several large companies and has individuals experienced with bridging gaps between big corporations and communities. It's also worth remembering that the Linux foundation arose from the merger of Open Source Development Labs and Free Standards Group. When you take in that context, it makes a lot more sense.

Re:Why the Linux Foundation? (3, Informative)

TheRaven64 (641858) | about 6 months ago | (#46832287)

It's a shame then that they chose a name that explicitly excludes large portions of the Free and Open Source Software ecosystem.

Re:Why the Linux Foundation? (1)

ByTor-2112 (313205) | about 6 months ago | (#46833455)

Agreed. When you talk about core infrastructure, yes OpenSSL is definitely part of it. But what about the ISC (BIND)? I suppose it could be that the Linux Foundation has the reputation they were going for, but if that was the case why not fund LibreSSL?

Re:Why the Linux Foundation? (2)

gbjbaanb (229885) | about 6 months ago | (#46834241)

because it has a stupid name, and it is getting all its cross-platform code ripped out to make it BSD-friendly.

Why not fund OpenSSL developers to do the same with the OpenSSL code, but including much of the cross platform options that have made it so ubiquitous. And without the silly name.

Re:Why the Linux Foundation? (2)

RR (64484) | about 6 months ago | (#46834643)

Why not fund OpenSSL developers to do the same with the OpenSSL code, but including much of the cross platform options that have made it so ubiquitous. And without the silly name.

Because all those cross-platform hacks directly contribute to its bugginess. The Heartbleed bug was facilitated by a cross-platform reimplementation of malloc that was written for speed rather than security.

And also because the OpenSSL developers have been demonstrated to sit on patches for years instead of fixing bugs.

For a morbidly good time, go look at OpenSSL Valhalla Rampage, [opensslrampage.org] a blog highlighting some of the insanity that the OpenBSD devs are encountering as they rewrite OpenSSL into LibreSSL. It becomes clear that Theo de Raadt was right, and the OpenSSL devs are not responsible people.

Re:Why the Linux Foundation? (1)

rtb61 (674572) | about 6 months ago | (#46834251)

As long as they also exclude a bunch of US three letter agencies with a special mention for the NSA, their agents and contractors. Sometimes some sources should be excluded, not to judge anyone, excluding of course the NSA, which of course should now be considered a bunch of security fuckups.

Pick and choose (4, Insightful)

just_another_sean (919159) | about 6 months ago | (#46831997)

Say what you want about Theo or the name his team has chosen but I think I'd rather give my money to OpenBSD's LibreSSL project than donate to this.

I get that they are probably just after the good will and PR that this will generate, and that this isn't some vast conspiracy against open source, but I don't trust one of the companies on that list to give a care once public attention to heartbleed dies off.

Pick a project and donate directly, don't let these giants pick and choose for us!

Re:Pick and choose (1)

marcello_dl (667940) | about 6 months ago | (#46832895)

> and that this isn't some vast conspiracy against open source

In fact, there is no need to fear conspiracies, when standard operating practice in business, with open source* considered as an external threat, brings the same results.

(*) I should say free software, or better, free personal computing (because google and others taught us that centralized computing can be carried out using free software).

Re:Pick and choose (1)

ByTor-2112 (313205) | about 6 months ago | (#46833475)

I'm not so sure; heartbleed cost these companies a lot of money. This is an investment that acts as an insurance policy.

Re:Pick and choose (2)

hobarrera (2008506) | about 6 months ago | (#46841709)

I don't think it's a PR move. It's in their best interest to fund these projects, and they can cut costs by teaming up on this. It really looks good on them, but they're doing it out of self-interest really.

Short sighted hindsight (2)

2fakeu (443153) | about 6 months ago | (#46832001)

So they will fund projects that make up critical elements... what about projects that might one day reach that status? Why not fund interesting open source projects in general?

Re:Short sighted hindsight (2)

fuzzyfuzzyfungus (1223518) | about 6 months ago | (#46832147)

Most likely because their motivation is the (belated; but logical) recognition that it's cheaper to support OSS projects that you use than it is to bear the risk of having them fail or maintain a full in-house fork all by yourself. It's not really a fund dedicated to 'more and better OSS generally'; but an attempt to share (to some degree) the cost of improving and maintaining the stuff that they already use or already depend on in some way.

Re:Short sighted hindsight (1)

mlts (1038732) | about 6 months ago | (#46832745)

This does make sense, because it benefits all involved and not a single company/organization has to shoulder all the dev work. Plus, should something happen, the donors are well insulated from lawsuits.

It would be nice to see more projects along these lines. ZFS comes to mind so a drive array attached to a Linux server could be moved to a Windows box and imported without trouble in a production environment.

Ah industry initiatives. (4, Insightful)

serviscope_minor (664417) | about 6 months ago | (#46832003)

So while these people have been doodling around forming initiatives and getting their logos splattered all over a web page, the OpenBSD people have actually founded the LibreSSL project and started actually overhauling the OpenSSL library, including fixing bugs that have been in the OpenSSL queue for years, not to mention finding a metric assload of new ones.

Someone's already doing something. The best choice would just be to fund LibreSSL at this point.

But hey, actually doing work like fixing bugs and etc is not nearly as glamorous as making press releases and having a huge wodge of logos.

Re:Ah industry initiatives. (1)

jbmartin6 (1232050) | about 6 months ago | (#46832061)

Why wouldn't they just contribute this work to the existing OpenSSL? Why does it have to be a fork?

Re:Ah industry initiatives. (2, Insightful)

Anonymous Coward | about 6 months ago | (#46832089)

Perhaps because the OpenSSL team are loath to actually clean up a messy code base, so it's up to a separate group of developers to clean up all the legacy cruft?

Re:Ah industry initiatives. (0)

Anonymous Coward | about 6 months ago | (#46832919)

Perhaps because the OpenSSL team are loath to actually clean up a messy code base, so it's up to a separate group of developers to clean up all the legacy cruft?

It is my impression from the media reports that the OpenSSL team consists of exactly one part-time software developer.

Re:Ah industry initiatives. (0)

Anonymous Coward | about 6 months ago | (#46836987)

Who the OpenBSD lead publicly called irresponsible.

Contributing back to OpenBSD still leaves open the possibility of that developer introducing bugs from poorly-thought-out code. Bringing it under the OpenBSD umbrella means that irresponsible developers need to have changes reviewed by what they believe to be a more responsible, security knowledgeable team.

Re:Ah industry initiatives. (2)

fuzzyfuzzyfungus (1223518) | about 6 months ago | (#46832181)

It's conceivable that it's just a fit of temper (team OpenBSD certainly did not sound happy about what team OpenSSL had been up to); but it's also quite likely that they are doing it this way because they want it to happen. You can contribute something; but if the maintainers don't accept it, it just sits there. If you and the maintainers disagree on some important points, or they have a strong NIH attitude, this condition may continue indefinitely. If you fork, it's your problem now; but you do get to accept your own preferred solution.

Re:Ah industry initiatives. (4, Informative)

serviscope_minor (664417) | about 6 months ago | (#46832185)

Why wouldn't they just contribute this work to the existing OpenSSL? Why does it have to be a fork?

Because the OpenSSL people sat around with important bugs sitting in the queue for years and never fixed them. This is why the OpenBSD people---which is where some of the unresolved bug reports came from---decided that basically working with upstream is not an option and decided to go it alone.

In fact that's exactly what the OpenBSD people said about the fork at the beginning.

The problems with OpenSSL predate heartbleed and they've finally got too big for the OpenBSD people to leave it alone. Hence the fork.

Re:Ah industry initiatives. (0)

Anonymous Coward | about 6 months ago | (#46835547)

And OpenBSD doesn't have bugs that have sat around a while, eh?

Re:Ah industry initiatives. (1)

hobarrera (2008506) | about 6 months ago | (#46841723)

Not any that have ever been found. At least not security bugs. OpenBSD actually has the best track record for security.

Re:Ah industry initiatives. (1)

Raumkraut (518382) | about 6 months ago | (#46832291)

Because:
1. It's not initially feature-compatible with OpenSSL
2. While there is momentum, it's faster to work apart from the existing project.
3. There's no guarantee the rewrite would be accepted by the OpenSSL team
4. There's no guarantee LibreSSL will work on anything but BSD
5. Theo doesn't control OpenSSL

Personally, my hopes are:
1. This Linux Foundation fund identify LibreSSL as the most feasible solution in the long-term, and provide support for both projects.
2. Important bugs identified by both teams are ported to patch the current OpenSSL release.
3. LibreSSL gains feature parity with OpenSSL.
4. LibreSSL becomes OpenSSL v2, under the stewardship of a healthier OpenSSL community.

Re:Ah industry initiatives. (4, Interesting)

serviscope_minor (664417) | about 6 months ago | (#46832395)

1. It's not initially feature-compatible with OpenSSL

It's feature compatible enough to recompile the entire OpenBSD ports tree with LibreSSL as a drop in replacement.

3. There's no guarantee the rewrite would be accepted by the OpenSSL team

Probably not, but they didn't accept fixes for big bugs which had been maintained as out of tree patches by OpenBSD and a bunch of Linux distros, so at this point who cares?

4. There's no guarantee LibreSSL will work on anything but BSD

Well, it will if they port it. Besides, it's not like OpenBSD doesn't have a proven track record in this department.

5. Theo doesn't control OpenSSL

That sounds like a reason for LibreSSL, not against. The OpenBSD project (apart from an astounding security record) is in charge of OpenSSH, another piece of critical infrastructure.

1. This Linux Foundation fund identify LibreSSL as the most feasible solution in the long-term, and provide support for both projects.

That would be good.

2. Important bugs identified by both teams are ported to patch the current OpenSSL release.

That seems unlikely given the above.

libressl says too many features the problem, delet (1)

raymorris (2726007) | about 6 months ago | (#46832535)

> 3. LibreSSL gains feature parity with OpenSSL

The LibreSSL team has deleted tens of thousands of lines of code from OpenSSL, saying that one of their key goals is to remove as many features as possible. Their reasoning is that simple is more secure, that features which don't exist can't have bugs.

That principle is correct, unless either:
a) It's a feature people need, in which case each code-monkey will scratch out their own homebrew version.

or

b) It's a security feature, a chunk of code designed to make things more secure.

Right or wrong, it appears unlikely that LibreSSL will ever get anywhere near feature parity with OpenSSL. They would consider it a failure if they did that.

Re:libressl says too many features the problem, de (0)

Anonymous Coward | about 6 months ago | (#46836681)

In reply to
a) They are willing to put extra features back in as needed/requested/paid for

b) You are a twit. If the OpenBSD team is working to make OpenSSL more secure you can bet that their version (LibreSSL) is already more secure.

Oh and a lot of the code removed was insecure OpenSSL cruft and/or support for legacy systems that broke security

Suggestion: clue first, argue second (0)

raymorris (2726007) | about 6 months ago | (#46836927)

Clearly you haven't followed ANY of the relevant discussion. We're not putting back 98% of the features that are being removed. Not. Going. To. Happen.

Security for BSD is more important than support for FIPS or HP. If you want HP support, use OpenSSL or gnuTLS. LibreSSL will be simple and clean - screw features.

A suggestion - get a clue what you're talking about before arguing about it. The discussion is on the list. Read it - or stfu when people who HAVE read it are talking.

Re:Ah industry initiatives. (1)

Antique Geekmeister (740220) | about 6 months ago | (#46836893)

Because the OpenBSD developers are ripping out the destabilizing cross-compatibility hooks. That means that cross-compatibility will be an afterthought, rather than a goal. If you've ever attempted to cross port OpenSSH to an unsupported platform, you'll know exactly the kind of work and maintenance pain this can create.

Re:Ah industry initiatives. (1)

ChunderDownunder (709234) | about 6 months ago | (#46837859)

Is that a good thing or a bad thing though? :)

Reading the 'rampage' comments, they're removing quirks, or hacks for obscure or archaic platforms such as Ultrix, HP-UX and Cray. They mention using a C-library function which does the work of several functions but later it's mentioned that not all platforms implement that library function, since it wasn't part of POSIX.

As for missing c-library functions, implementing those would no doubt help porting of other software packages to a platform that lacks them. (Not possible with proprietary vendors, naturally)

So what % is actually OpenBSD specific, that won't run unmodified on current platforms using defacto standard compilers such as gcc or clang with a modern c-library?

The OpenSSL rampage (3, Interesting)

Neo-Rio-101 (700494) | about 6 months ago | (#46832217)

For some funny blow-by-blow commentary that the LibreSSL people are doing, check out http://opensslrampage.org/ [opensslrampage.org]

Too many VMS jokes to count.... but just looking at the comments, OpenSSL's code is labyrinthine and full of cruft and useless files.

Re:Ah industry initiatives. (1)

Anonymous Coward | about 6 months ago | (#46832377)

The best choice would just be to fund LibreSSL at this point.

Not if you care about SSL on, say, Windows.

Re:Ah industry initiatives. (0)

Anonymous Coward | about 6 months ago | (#46833151)

don't forget it was a paid Google engineer working on OpenSSL as his full-time job that *found* the heartbleed bug!

Re:Ah industry initiatives. (4, Insightful)

swillden (191260) | about 6 months ago | (#46833485)

Someone's already doing something. The best choice would just be to fund LibreSSL at this point.

The best choice is to fund LibreSSL and another project or two to do the same thing. Thoroughly vetting and fixing OpenSSL is a good thing. Getting a couple of solid, API-compatible competitors in the same space is even better, to reduce the monoculture problem, and to create competition.

Also, LibreSSL is just about OpenSSL. This initiative is supposed to be a long-term, ongoing effort to improve other widely-used open source software packages as well. Doing it through the Linux Foundation makes sense to me, too, mostly because it's an already-established example of exactly what the initiative wants to do to other open source packages. Linux is collaboratively developed by many companies (plus a few individual contributions) for the mutual benefit of all, and that model can and should be applied to other pieces of important open source infrastructure.

This is a good idea. It may or may not be a better approach to fixing OpenSSL (which, incidentally, has terrified me for years) than LibreSSL, but it's good for OpenSSL and for other projects. These companies can donate what to them is peanuts (and a tax writeoff to boot), and in return the world as a whole will get improvements in fundamental computing infrastructure.

I do have to say I'm surprised (and pleased) to see Microsoft's name in the list. Google is no surprise; Google uses open source software heavily and has a long history of supporting it. Intel has been involved in OSS for years, too, since they're just as happy to sell hardware to run OSS as anything else. Cisco also uses open source software and has a clear interest in the health of the networking ecosystem. But Microsoft has in the past been a serious opponent of OSS, doing various things to try to undermine it, some openly and some rather underhanded. Lately the company has been divided on the question, in some cases supporting and/or benefitting from OSS while the other hand is trying to squash it, but I think Microsoft is gradually coming around, beginning to admit that OSS is not only here to stay, but that it has a valid and valuable place.

Re:Ah industry initiatives. (1)

Wdomburg (141264) | about 6 months ago | (#46834105)

Aside from the obvious problem that LibreSSL is currently OpenBSD only with no concrete portability roadmap? There is good reason to question whether performing surgery with a machete is the most judicious response to a breach.

Re:Ah industry initiatives. (0)

Anonymous Coward | about 6 months ago | (#46836697)

Are you willfully stupid or just too stunned to read up on the OpenBSD plan for portability of LibreSSL?

Twit

duplicated effort? (1)

ChunderDownunder (709234) | about 6 months ago | (#46832011)

the OpenSSL library will be the initiative's first project

This announcement comes days after OpenBSD launched LibreSSL.

So the Linux Foundation has a fundamental distaste for Theo? Does the world really need two competing forks of OpenSSL?

Re:duplicated effort? (0)

Anonymous Coward | about 6 months ago | (#46832261)

Does the world really need two competing forks of OpenSSL?

Based on the events of the last couple of weeks, I'd say yes.

Re:duplicated effort? (4, Interesting)

serviscope_minor (664417) | about 6 months ago | (#46832299)

So the Linux Foundation has a fundamental distaste for Theo? Does the world really need two competing forks of OpenSSL?

It doesn't: this new initiative has so far done nothing. I fully expect Amazon, Cisco, Facebook, Fujitsu, Google, HP, IBM, Intel, Linux Foundation, Microsoft, Netapp, Qualcomm, Rackspace and VMWare (yep those are the logos splattered all over the place) to sit around with their dicks in their hands having press releases starting initiatives and deciding how to spend the funding while OpenBSD actually knuckles down and fixes OpenSSL.

I expect that shortly after, some enterprising person from Debian will do some basic porting and have an alternative set up in the experimental repo. From there it will wend its way around into the other distributions (Mint, Ubuntu) and the patch set might wind up in some early Arch AUR builds and Fedora packages. By that stage the OpenBSD people will have probably accepted the patches and it will be officially portable. At this point Arch will have probably replaced it as a system-wide dependency because hey, it can always be unreplaced if it's bad. Gentoo of course will make it easy to switch between OpenSSL and LibreSSL with just a teeny little recompile of everything, but whatever, it's just some portage flags anyway. Red Hat probably won't care since they're probably on a version of OpenSSL so old that there are no longer any known bugs. Fedora will vacillate between the two and eventually decide to do whatever Ubuntu finally chooses.

Then maybe in a while, we'll have an announcement that someone we've never heard of will be heading this terribly important project, and that huge splat of logos will get another outing. I expect this will happen at about the same time that some nutjob finishes a port of LibreSSL to his Amiga.

During the above timespan, I expect to hear about Linux and Theo swearing at people in public and to have some good troll threads on Slashdot about gender equality in IT (or nursing or teaching), 27 articles about 3D printing (guns or otherwise).

Re:duplicated effort? (1)

Kjella (173770) | about 6 months ago | (#46834771)

It doesn't: this new initiative has so far done nothing. I fully expect Amazon, Cisco, Facebook, Fujitsu, Google, HP, IBM, Intel, Linux Foundation, Microsoft, Netapp, Qualcomm, Rackspace and VMWare (yep those are the logos splattered all over the place) to sit around with their dicks in their hands having press releases starting initiatives and deciding how to spend the funding while OpenBSD actually knuckles down and fixes OpenSSL.

No doubt Theo will do a solo run as usual, then bitch about all those ungrateful companies using it and giving nothing in return just like with OpenSSH. Meanwhile, this looks like a genuine attempt at starting a "Linux-style" project with lots of corporate support like the Linux kernel that all seem to have a stake in users trusting their computers for shopping and banking and cloud services and whatnot. Of course Theo can make his heroic and sacrificial stand, but this looks more like collaborative open source in progress "You know these low level libraries we all depend on? Well they're not really getting the attention they should have, none of us alone are going to do all the grunt work but if we pool our resources..." It can of course be fluff and PR but really it doesn't seem like a big seller to their end users, there's more potential for PR blunders if big bugs slip past them.

Are they going to hit the ground running? No. But I think you underestimate the potential here if they really choose to take... well, not ownership but stewardship over key libraries and provide the level of development, patching, review, testing, auditing etc. they lack today. Of course they will need skilled people, but those companies certainly have the capability to provide that if they want to. It's not like Theo is the only coder who knows his stuff around and he's still only one person with so many hours in a day and who'd better not get hit by a bus. And it still remains to be seen how clean the code Theo writes is in someone else's eyes, I usually think my code is perfectly clear until I ask others to look at it...

Re:duplicated effort? (2)

chill (34294) | about 6 months ago | (#46833417)

10. The companies listed do large amounts of business with the U.S. government, which requires FIPS certification of crypto software.

20. OpenBSD has explicitly stated that FIPS certification is off the table for OpenSSH. NOT one of their goals.

30. Taking that off the table leaves a large pile of money ON the table.

40. GOTO 10

Game theory in action (2, Interesting)

HangingChad (677530) | about 6 months ago | (#46832015)

Team up to create the pie, then fight for your pieces. I'm actually shocked Microsoft is participating. It's a good move and I'm not used to seeing Redmond do the smart thing. Maybe their collective IQ went up now that Ballmer is out of the picture.

Re:Game theory in action (1)

jellomizer (103300) | about 6 months ago | (#46832079)

If the big players didn't jump in and show good faith, that could mean Congress could jump in and force some regulations on them.

Laws that may punish the free riders more if their service was vulnerable, or in general more laws punishing companies for software bugs, will cause havoc with the industry.

Software of any complexity will tend to have bugs... Sometimes these are security bugs. Having them be punished for not being perfect will have a chilling effect on the industry. It is better to show that the industry is attempting to regulate itself and taking steps to prevent the problem than letting Congress pass a non-useful bill that will sound good, but will end up being more harmful.

Re:Game theory in action (1)

fuzzyfuzzyfungus (1223518) | about 6 months ago | (#46832277)

My impression (given that they also dedicate a certain amount of time and trouble to hunting bot-herders and assorted similar types) is that Microsoft takes an interest in things that facilitate malware distribution, since their customers often take the hit (not necessarily because of an MS zero day; lots of systems running well behind on patches and users clicking on trojans and merrily executing them, along with anything Adobe or Java related).

An issue that causes lots of accounts to be compromised on various popular social networking and email type sites? That will mean tons of particularly convincing malware links getting sent out to people's entire contact lists.

Re:Game theory in action (0)

Anonymous Coward | about 6 months ago | (#46835697)

What the fuck are you talking about?

whois the linux foundation principles? (-1)

Anonymous Coward | about 6 months ago | (#46832077)

& what motives remain? excellent question(s)... thanks /.

mynuts won? i knew it (0)

Anonymous Coward | about 6 months ago | (#46832361)

whois the band of 15? http://www.linuxfoundation.org/about/board-members current & former penguin clubbers every one

hold the fuck up... (4, Interesting)

nimbius (983462) | about 6 months ago | (#46832129)

that make up critical elements of their information infrastructure.

Frankly the only reason I think these multibillion dollar monopolistic companies have banded together to throw money is because their reputation and userbase have clamored for some kind of response to the problem. Let's be perfectly clear: Theo De Raadt is completely capable of handling the code refactor (he even went so far as to say he didn't need help with the code project's website). Going to the Linux Foundation just shows how fucking shortsighted these guys are. If you want to help, donate to the OpenBSD [openbsdfoundation.org] foundation because this is a BSD package that was kindly ported to Linux. It will be released as LibreSSL, not the OpenSSL you want to "fix" in your products, as the code is completed and tested in accordance with what I presume is an OpenBSD development model, not Linux. And in regard to the 'other open source projects will follow' statement, it's arrogant and absurd to think that once the LibreSSL code is finalized and ported that these dicks are going to stick around and continue to contribute to any open source technology that doesn't clandestinely butter their bread in user-facing products that happen to be facing a sev. 1 exploit they can't avoid through marketing or a new product.

Re:hold the fuck up... (0)

Anonymous Coward | about 6 months ago | (#46832275)

OpenSSL is not a BSD package that was kindly ported to Linux.

Re:hold the fuck up... (0)

Anonymous Coward | about 6 months ago | (#46832505)

MS doesn't have this heartbleed issue. OSS missed it for years, comically.

LibreSSL won't do shit for my Windows servers/clients. Although, we don't need LibreSSL anyway, sometimes you get what you pay for.

Re:hold the fuck up... (1)

wjcofkc (964165) | about 6 months ago | (#46832511)

Linux does not have a monopoly on Open Source. Open Source spans several platforms. Nowhere is it written that all of this money will be spent on Linux or limited to software designed specifically for Linux. I doubt that the likes of Free and OpenBSD will be left out in the cold - it simply wouldn't make sense. Even if that were the case, any Open Source software of the very particular nature we are talking about here (low level infrastructure) is by default software that gets builds for those operating systems anyway, and if that were not the case, by the very nature of Open Source we will still have better software sooner, which can then be ported, and that would otherwise simply not exist.

Re:hold the fuck up... (3, Insightful)

Jahta (1141213) | about 6 months ago | (#46832869)

Leaving aside the fact that OpenSSL is not a "BSD package that was kindly ported to Linux", I suggest it's rather more arrogant to assume that the world will rush to replace OpenSSL with Theo De Raadt's LibreSSL when (if) it becomes available.

OpenSSL is not fundamentally broken. It had a bug, albeit one with big consequences. Lots of people depend on OpenSSL and it needs to be properly maintained. Paying people to work on open source projects is nothing new and if this funding supports developers with the necessary cryptographic skills devoting quality time to maintaining OpenSSL then that's a good thing.
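
The "bug with big consequences" the thread keeps circling is the missing length check in the TLS heartbeat handler. The following is an added illustration written for this page, not OpenSSL's or LibreSSL's code: a simplified model of the heartbeat record in which the server trusts the client's claimed payload length instead of comparing it to the number of bytes that actually arrived, shown next to the check the fix added. The `arena`, the planted `secret` string and the "ping" request are constructed inputs so that the over-read stays inside a buffer we own and the program is well defined.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the Heartbleed-class bounds check; a simplified
 * model, not OpenSSL's code. A heartbeat request is modelled as:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (16)
 * and the server echoes `payload_length` bytes back. The bug was using the
 * claimed length without checking it against the size of the record. */
#define HB_TYPE_REQUEST 1
#define HB_PADDING      16

/* Constructed "heap": the record sits at the front of the arena and the
 * bytes after it stand in for whatever else lives in process memory.
 * Keeping the over-read inside this arena keeps the demo well defined. */
#define ARENA_SIZE 96
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "session-key=0xDEADBEEF";   /* constructed */

/* Write a heartbeat request into the arena that claims `claimed_len`
 * payload bytes while actually carrying only `actual_len`. Returns the
 * real record length and plants the secret just past the record. */
size_t build_request(uint16_t claimed_len, const unsigned char *payload,
                     size_t actual_len)
{
    memset(arena, 0, sizeof arena);
    arena[0] = HB_TYPE_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, actual_len);
    size_t rec_len = 3 + actual_len + HB_PADDING;
    memcpy(arena + rec_len, secret, sizeof secret);
    return rec_len;
}

/* Build the heartbeat reply. check_bounds == 0 reproduces the vulnerable
 * logic, check_bounds == 1 applies the fix. Returns the number of bytes
 * written to `out`, or 0 if the request is discarded. */
size_t heartbeat_reply(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap, int check_bounds)
{
    if (check_bounds && rec_len < 1 + 2 + HB_PADDING)
        return 0;                        /* fix: too short to hold a header */
    if (rec[0] != HB_TYPE_REQUEST)
        return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (check_bounds && (size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return 0;                        /* fix: claimed length exceeds what arrived */
    /* Model-only guard so the copy stays inside our arena and `out`;
     * it is not part of either the bug or the fix. */
    if ((size_t)3 + payload > ARENA_SIZE || payload > out_cap)
        return 0;
    /* Vulnerable path: copies `payload` bytes regardless of rec_len, so a
     * small request with a large claimed length reads past the record. */
    memcpy(out, rec + 3, payload);
    return payload;
}

/* Run one exchange: the client sends "ping" (4 bytes) but claims
 * `claimed` payload bytes. Sets *leaked if the planted secret shows up
 * in the reply. Returns the number of bytes echoed back. */
size_t run_heartbeat(uint16_t claimed, int check_bounds, int *leaked)
{
    unsigned char out[ARENA_SIZE];
    size_t rec_len = build_request(claimed, (const unsigned char *)"ping", 4);
    size_t n = heartbeat_reply(arena, rec_len, out, sizeof out, check_bounds);
    /* The secret starts right after the 4 real payload bytes and the padding. */
    *leaked = n >= 4 + HB_PADDING + sizeof secret &&
              memcmp(out + 4 + HB_PADDING, secret, sizeof secret) == 0;
    return n;
}

int main(void)
{
    int leaked;
    size_t n = run_heartbeat(60, 0, &leaked);
    printf("vulnerable: echoed %zu bytes, secret leaked: %s\n", n, leaked ? "yes" : "no");
    n = run_heartbeat(60, 1, &leaked);
    printf("fixed:      echoed %zu bytes, secret leaked: %s\n", n, leaked ? "yes" : "no");
    n = run_heartbeat(4, 1, &leaked);
    printf("fixed, honest request: echoed %zu bytes\n", n);
    return 0;
}
```

The order of the two checks in the fixed path matters: the record must be long enough to hold the header before the 2-byte length is read from it, and only then can the claimed payload length be compared against the bytes that actually arrived. A rejected request is silently discarded rather than answered, which is also what the real fix does.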

Re:hold the fuck up... (0)

Anonymous Coward | about 6 months ago | (#46834319)

Not fundamentally broken? You obviously haven't been following http://opensslrampage.org/ [opensslrampage.org] .

Finding an obscure bug every few years denotes "not fundamentally broken". A sea of bad frees and platefuls of spaghetti code is "fundamentally broken", especially for a high-value security product. The entire codebase is a ticking time bomb.

Re:hold the fuck up... (0)

Anonymous Coward | about 6 months ago | (#46834925)

Worse - it's many ticking time bombs.
One of them just blew up a few weeks ago. I'm thankful to Theo's team that they're working hard to avoid the next one.

Re:hold the fuck up... (0)

Anonymous Coward | about 6 months ago | (#46832961)

Sorry, not seeing many monopolies in the list of companies funding this... and whither Apple?

People Power has failed in software (0)

hessian (467078) | about 6 months ago | (#46832297)

The idea behind open source is "people power." Instead of relying on government or corporations, we'll do it ourselves through a volunteer effort.

Unfortunately, as anyone involved in a serious volunteer effort (e.g. not your beer-drinking weekend "fun" activism) knows, volunteer efforts don't work without strong leadership.

They become "everybody do whatever they want" under the guise of "helping out," and the result is always pointless and bad.

So far, we've ignored problems. Bad code, no documentation, most products either (a) imitations of already successful commercial products or (b) academic projects gone on to a new life as volunteer efforts.

With Heartbleed, it became clear that "people power" in software is not a substitute for strong leadership. Just moving it from the commercial realm to the volunteer realm does not automatically make it good.

Now history has caught up. The open source era is over or at least fundamentally changed.

Where is Apple? (3, Interesting)

kbdd (823155) | about 6 months ago | (#46832313)

Oh wait, they can't afford it, it's not in their budget...

Re:Where is Apple? (1)

ChunderDownunder (709234) | about 6 months ago | (#46833027)

Heartbleed was an issue targeting OpenSSL.

Apple write their own library for Darwin, viz. the recent 'goto' bug.

So why expect them to join an industry conglomerate that has limited relevance to their products?

Re:Where is Apple? (1)

kbdd (823155) | about 6 months ago | (#46833149)

This group is not intended to only address OpenSSL. I would be surprised if Apple did not have ANY open source software in their products.

Mac OS X is (was?) based on the Mach microkernel for instance.

How about the iTunes Store, does it use open source software?

Re:Where is Apple? (1)

kbdd (823155) | about 6 months ago | (#46833193)

Replying to my own question, found out the iTunes Store uses WebObjects, a NeXT technology that is not open source.

Re:Where is Apple? (0)

Anonymous Coward | about 6 months ago | (#46833707)

Webkit.

Re:Where is Apple? (0)

Anonymous Coward | about 6 months ago | (#46833747)

Apple uses lots of open source in their products - you can get a nice overview at http://www.opensource.apple.com - all kinds of things - OpenSSH, PostgreSQL, WebKit, and the all-important chess game [http://www.opensource.apple.com/source/Chess/Chess-310.5/]

Re:Where is Apple? (1)

hobarrera (2008506) | about 6 months ago | (#46843505)

They've got plenty [apple.com].

At this moment (0)

Anonymous Coward | about 6 months ago | (#46832633)

Shut up and hack. Paying your way through projects you don't want to get actively involved in won't get you going anywhere to how exactly you want it to be. Instead, put one of your engineers to work on it and contribute to it.

Well, thanks! (1)

olau (314197) | about 6 months ago | (#46833461)

People here are already complaining. The whole operation seems pretty straight-forward to me. Make a fund, get some people to administer it and ask some big corporations to donate a tiny percentage of their profits to help fund some infrastructure projects we are all relying on.

I can see some people being anxious their pet projects will not get funded, but come on! One free software project in need receiving funds is better than nothing.

Maybe the fund will be mismanaged or whatever, but in the worst case these corporations will have lost a small sum (to them). In all other cases, bugs will be fixed and the Internet will generally be better off. What's the problem?

Re:Well, thanks! (1)

Tailhook (98486) | about 6 months ago | (#46834215)

What's the problem?

A lot of these people have shit colored glasses bolted to their skulls. Combine this with an irrational hate for anything corporate and there you go; petulant little office trolls emoting on Slashdot.

Theo et al. have been and are publicly seeking both individual and corporate [openbsdfoundation.org] support for both the OpenBSD Foundation and LibreSSL [libressl.org], and are specifically seeking a "Stable Commitment of Funding."

Unlike some of the malcontents that haunt Slashdot, they actually spend their time writing open source code. As such, they are painfully aware [marc.info] that large scale open source work is not actually the exclusive product of self funding trust fund rebels.

Re:Well, thanks! (1)

LinuxIsGarbage (1658307) | about 6 months ago | (#46836901)

What's the problem?

A lot of these people have shit colored glasses bolted to their skulls.

That's just the default Ubuntu colour scheme.

Dang (0)

Anonymous Coward | about 6 months ago | (#46834703)

Victory was short lived.

Moral of the rich (0)

Anonymous Coward | about 6 months ago | (#46835119)

So after all these corporations have literally made billions in profit exploiting free software, they finally offer pennies to help develop it further... Where were their morals in the first place? Now they pay only because a bug in this library can endanger their future profits, so it needs fixing.

Well, is OpenSSL gonna be audited then? (0)

Anonymous Coward | about 6 months ago | (#46838545)

TrueCrypt is getting audited by OCAP, how about OpenSSL too?

http://IsOpenSSLAuditedYet.com?
