
posted by martyb on Thursday April 24 2014, @04:50PM

It's often said that "you get what you pay for", but when it comes to free software, this doesn't apply. You often get a lot more. However, you do get what someone pays for. Software development takes time and money, and without substantial donations, sponsorship, etc., a free-software project will be limited to what volunteers can achieve in their own time.

According to an article in Ars Technica, the security software OpenSSL has one full-time employee and receives about $2000 a year in donations. It's therefore not surprising that bugs aren't always caught before they cause problems.

Based on the recent, and serious, "heartbleed" bug, this state of affairs needs to change and, according to that same article, is about to change. The Linux Foundation is launching the Core Infrastructure Initiative with some decent financial backing. "Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Qualcomm, Rackspace, and VMware have all pledged to commit at least $100,000 a year for at least three years".

OpenSSL will not be the only project to receive a share of this money, but it was the inspiration for the initiative and will be the first under consideration. The funding will "not come with strings attached", according to Linux Foundation Executive Director Jim Zemlin.

One could argue that it's much cheaper to support something like OpenSSL than to clean up the mess when a small and underfunded team fails to catch important bugs in a timely manner.

Which other projects would be cheaper in the long run (for all concerned) if they received more financial support?

Related Stories

Heartbleed: Ain't Dead Yet

Ars Technica reports that four weeks after its disclosure huge swaths of the Internet remain vulnerable to Heartbleed. The article suggests that over 300,000 servers remain vulnerable.

What steps have you taken to protect yourself from this bug? What browser addons have you installed? Have you checked/updated the firmware on your home router? If you work in IT, what has the reaction been? Has your site been compromised? Has vulnerable code been updated, new keys genned, new certificates obtained, and old ones revoked?

Since the OpenSSL library is now undergoing a security review and a fork of it is underway as LibreSSL, it is possible that other vulnerabilities will be discovered. Then what? How likely is it that we will need to repeat this cleanup effort?

  • (Score: 3, Informative) by Anonymous Coward on Thursday April 24 2014, @04:55PM (#35660)
    It could be seen as a limited amount of time, or it could be seen as a limited amount of expertise. Judging from what I have heard about the code I think it was more the latter: https://www.peereboom.us/assl/assl/html/openssl.html [peereboom.us]
    • (Score: 5, Interesting) by frojack (1554) on Thursday April 24 2014, @05:13PM (#35671)

      True, but his code should have been checked by peers. That didn't happen.

      Theo de Raadt of OpenBSD has already taken it upon himself to clean up OpenSSL and has stated he doesn't expect to need much help. I can't think of a better bunch to handle this, and would trust his fork more than the original. OpenBSD are security fanatics. [zdnet.com]

      While I do believe that there needs to be more support for these critical projects, I'm not sure about throwing it into the hands of a new group.

      Of course, I have no problem with having a couple competing stacks available to choose from.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 2) by edIII (791) on Thursday April 24 2014, @06:38PM (#35718)

        What pisses me off is that there is at least the possibility that money might have solved the issue with a new hire. Just one more guy reviewing the contributions and managing things with a different set of eyes.

        Just throwing money at it can be simplistic, but I've suggested to clients and people benefiting from FOSS to give a donation. I had one client where it literally became his backbone for his major service, and he couldn't be bothered because it was free in the first place.

        As for myself, I've given donations here and there, but maybe we can all do a little more. FOSS is pretty damn important, even if only for competition in the marketplace.

        I've heard about OpenSSL for years but never donated. I think if even 10% of the user base donated $1 it would be a lot higher than $2000 per year. That one guy must be retired or rich because $2000 doesn't go a long way.

        --
        Technically, lunchtime is at any moment. It's just a wave function.
        • (Score: 3, Interesting) by frojack (1554) on Thursday April 24 2014, @07:17PM (#35730)

          Well, what you say is true, but the problem is that Linux is made up of literally hundreds of projects, and donating to all of them becomes a nightmare.

          So I donate to those projects where I have been helped by the developers personally, rather than indiscriminately throwing donations to nebulous groups.

          Exception: For many years I always bought boxed sets of my favorite Linux distro (openSUSE), just to support them. However, it turns out they actually receive little if any of these funds. The Linux Foundation seems rather guarded as to what they do with funds.

          It's pretty hard, in many cases, to even find out HOW to donate to projects. Things like KDE seem mostly interested in donations of hardware (real or virtual), bandwidth, and also in having companies employ developers and keep them on the payroll without demanding much of their time for company work.

          --
          No, you are mistaken. I've always had this sig.
  • (Score: 4, Interesting) by omoc (39) on Thursday April 24 2014, @05:14PM (#35672)

    Seriously, after we've been made aware of their general code quality it won't get better by just putting money into that project. It will just get more bloated and messy. It would be much wiser to give the money to the OpenBSD foundation and their LibreSSL fork and make this mainline everywhere. Those are the capable hands we need.

    • (Score: 0) by Anonymous Coward on Friday April 25 2014, @12:24AM (#35867)

      Will this LibreSSL fork have immediate support for non-BSD operating systems from day one, or will it be "we support BSD and who cares about the rest of you"? I'd rather they clean up what we already have, like they did with XFree86.

      • (Score: 0) by Anonymous Coward on Friday April 25 2014, @05:47AM (#35940)

        You still have your POSIX layer, which should run on Linux and Windows alike.

  • (Score: 0, Interesting) by Anonymous Coward on Thursday April 24 2014, @05:15PM (#35673)

    The OpenBSD people seem to have their shit together in general, while the OpenSSL people come off as "we screwed up, give us $$$ to screw up less... maybe..."

    • (Score: 5, Informative) by frojack (1554) on Thursday April 24 2014, @05:27PM (#35677)

      Ah, no.

      OpenSSL is really ONE guy in charge of merging, and a very few inexperienced contributors.

      OpenSSL really didn't go looking for this money, and the industry group isn't thinking of giving it to them. They are going to give it to the Linux Foundation, and let them decide where to spend it.

      The industry group is trying to do this in the most open and transparent way. I'm not sure the Linux Foundation can be totally trusted, but I suspect it's better than having Microsoft get its hooks into the project directly.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 3, Interesting) by Grishnakh (2831) on Thursday April 24 2014, @05:35PM (#35685)

        What I don't understand is why Microsoft is involved here at all. Isn't their answer going to just be "use our software!!!"? Why would they fund an open-source foundation, esp. the Linux Foundation?

        • (Score: 3, Informative) by Anonymous Coward on Thursday April 24 2014, @06:08PM (#35700)

          MS is bonkers about compatibility. They spend tons of time making sure their stuff 'just works' with '3rd party'. For example, Samba. They spend tons of time making sure they do not break it.

          Basically, their customers use it. So they use it. And 'just use our $tuff' is a bad answer when your customer just dropped several million on support contracts and CALs, which can in turn get you thrown out and losing out to 'free'.

          They may even use it themselves in there somewhere and have an interest in making sure it works.

          MS is a company that makes money. They can and do slimy things. But as a software company they actually have pretty cool stuff. Do not dismiss your 'enemy' for they are strong.

          • (Score: 1) by GeminiDomino (661) on Thursday April 24 2014, @07:13PM (#35728)

            "MS is bonkers about compatibility. They spend tons of time making sure their stuff 'just works' with '3rd party'. For example samba. They spend tons of time making sure they do not break it."

            Since then? The last time I heard about MS and Samba, the former was having its peepee slapped in the EU for intentionally breaking it.

            --
            "We've been attacked by the intelligent, educated segment of our culture"
        • (Score: 3, Informative) by Sir Garlon (1264) on Thursday April 24 2014, @06:17PM (#35705)

          If I had to guess, I'd say they are probably using Linux-based appliances in their cloud data centers. I'm not really a network guy so I'll not speculate on exactly what.

          --
          [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
          • (Score: 2) by Grishnakh (2831) on Thursday April 24 2014, @06:31PM (#35712)

            Isn't that totally against their Windows-everywhere philosophy? When they bought up Hotmail, they moved that from FreeBSD to Windows as fast as they could (and then had problems, had to go back to FreeBSD, then got the problems sorted out, probably with a bunch more hardware, and moved to Windows permanently).

            • (Score: 2) by Sir Garlon (1264) on Thursday April 24 2014, @07:18PM (#35731)

              I said "appliances" not "servers." Things like load balancers, routers, you know, low-level stuff. I'd be surprised if there are Windows versions of everything they need.

              --
              [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
          • (Score: 2) by HiThere (866) on Thursday April 24 2014, @08:31PM (#35772)

            You give them more credit for honesty and upright behavior than I do. If they say something my first reaction is usually "Now how does this lie benefit them?" It's not always the right reaction, but it's right often enough to have saved me a few times.

            --
            Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
        • (Score: 2) by frojack (1554) on Thursday April 24 2014, @06:32PM (#35714)

          Microsoft is a MAJOR Linux contributor. They contribute tons of code and patches.

          Most of the stuff Microsoft works on in Linux is under one form or other of the GPL, and as such does not find its way into Windows itself.

          OpenSSL is one of those packages that they may have lifted in its entirety and ported to Windows, because OpenSSL has a BSD-style license. (I haven't actually researched this.)

          --
          No, you are mistaken. I've always had this sig.
          • (Score: 2, Informative) by bryan (29) <bryan@pipedot.org> on Thursday April 24 2014, @06:44PM (#35720)

            Nearly all of Microsoft's patches to Linux are from its VM team. They want to improve Windows' ability to run Linux VMs in Microsoft's "cloud" offering.

            • (Score: 3, Insightful) by frojack (1554) on Thursday April 24 2014, @07:23PM (#35735)

              You might be right about that. It appears I was going on year-old information:

              http://www.theregister.co.uk/2013/09/16/linux_foundation_kernel_report_2013/ [theregister.co.uk]

              --
              No, you are mistaken. I've always had this sig.
              • (Score: 0) by Anonymous Coward on Thursday April 24 2014, @07:42PM (#35745)

                Next time, do the background fact check FIRST and THEN post the bold controversial comment. I know I'm guilty myself of occasionally doing this backwards...

          • (Score: 2) by Grishnakh (2831) on Thursday April 24 2014, @06:57PM (#35724)

            Microsoft hasn't contributed anything at all to Linux, except for drivers to make it run on their own VM.

            You might be right about them lifting OpenSSL though.

    • (Score: 3, Informative) by FakeBeldin (3360) on Thursday April 24 2014, @09:39PM (#35807)

      "I'd rather donate to libressl..."
      Go ahead:
      - Option Paypal [openbsdfoundation.org] (from what I can tell)
      - Option No Paypal [openbsdfoundation.org].

  • (Score: 2, Insightful) by Bytram (4043) on Thursday April 24 2014, @06:08PM (#35701)

    I found this unanswered question on the Core Infrastructure Initiative FAQ [linuxfoundation.org]:

    "Why didn't you think about doing this before the lack of funding for OpenSSL resulted in Heartbleed?"

    I hope they do a little better on their code reviews. =)

    • (Score: 3, Insightful) by emg (3464) on Thursday April 24 2014, @06:36PM (#35716)

      Heartbleed wasn't caused by lack of funding, it was caused by a poor spec (as I understand it, they have both a ping response field and a length field, and don't reject the message immediately if they don't match) implemented by programmers who were naive enough to trust external data.

      • (Score: 1) by monster (1260) on Friday April 25 2014, @09:16AM (#35989)

        The "fail gracefully" mode should be to return data up to the minimum of both numbers and not to reject it outright, IMHO. Remember, "be strict with what you send and loose in what you accept" is the motto of the Internet and of interoperability in general.

        Software bugs happen. Being too strict about them leads to spawns everybody hates and avoids, like XHTML.
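
        The length-field defect emg describes and the reject-versus-clamp question monster raises, as an added C illustration that is not OpenSSL's code: the record layout is simplified to a type byte, a 2-byte length, the payload and 16 bytes of padding, and the "heap" is a constructed byte array with unrelated data placed right after the record.

```c
#include <stddef.h>
#include <string.h>

/* Simplified heartbeat record: type (1) | payload_length (2, big-endian) | payload | padding (16).
   Constructed for illustration only; this is not OpenSSL's record handling. */
#define HB_HEADER  3
#define HB_PADDING 16

enum policy { TRUST_LENGTH_FIELD, REJECT_MISMATCH, CLAMP_TO_MIN };

/* Handle the record at mem[rec_off .. rec_off+rec_len) inside the simulated heap `mem`.
   Returns the number of payload bytes copied into `out`, or -1 if the record is rejected. */
int handle_heartbeat(const unsigned char *mem, size_t mem_len, size_t rec_off, size_t rec_len,
                     enum policy pol, unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HEADER || rec_off + rec_len > mem_len) return -1;
    const unsigned char *rec = mem + rec_off;
    size_t declared  = ((size_t)rec[1] << 8) | rec[2];   /* peer-controlled length field */
    size_t available = rec_len > HB_HEADER + HB_PADDING ? rec_len - HB_HEADER - HB_PADDING : 0;
    size_t n;
    switch (pol) {
    case TRUST_LENGTH_FIELD:   /* the defect: declared and actual lengths are never compared */
        n = declared;
        break;
    case REJECT_MISMATCH:      /* the shipped fix: silently drop a record whose lengths disagree */
        if (declared > available) return -1;
        n = declared;
        break;
    case CLAMP_TO_MIN:         /* monster's alternative: answer with only what was actually sent */
        n = declared < available ? declared : available;
        break;
    default:
        return -1;
    }
    /* Keeps the simulation itself inside `mem`; a real heap offers no such guard. */
    if (rec_off + HB_HEADER + n > mem_len || n > out_cap) return -1;
    memcpy(out, rec + HB_HEADER, n);
    return (int)n;
}

#define SAMPLE_REC_LEN (HB_HEADER + 4 + HB_PADDING)   /* a 4-byte "ping" record: 23 bytes */
#define SAMPLE_SECRET  "SECRET-KEY"                    /* constructed neighbouring data */

/* Build the constructed heap: one "ping" record claiming `declared` payload bytes,
   followed immediately by 10 bytes of unrelated data. Returns the heap length (33). */
size_t build_sample(unsigned char *mem, size_t declared)
{
    memset(mem, 0, SAMPLE_REC_LEN);
    mem[0] = 1;                                  /* heartbeat request */
    mem[1] = (unsigned char)(declared >> 8);
    mem[2] = (unsigned char)(declared & 0xff);
    memcpy(mem + HB_HEADER, "ping", 4);
    memcpy(mem + SAMPLE_REC_LEN, SAMPLE_SECRET, sizeof SAMPLE_SECRET - 1);
    return SAMPLE_REC_LEN + sizeof SAMPLE_SECRET - 1;
}
```

        With a record that claims 30 bytes but carries 4, TRUST_LENGTH_FIELD returns 30 bytes whose tail is the neighbouring data, REJECT_MISMATCH returns -1, and CLAMP_TO_MIN returns the 4 bytes that were really sent.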

  • (Score: 3, Insightful) by Nerdfest (80) on Thursday April 24 2014, @06:33PM (#35715)

    Damn nice to hear, and about time. These companies benefit greatly from the free and open infrastructure (as do the rest of us). It's nice to see them stand up and do the right thing. Some of these companies do contribute to open source, financially, or with code, but the money is very nice, especially for the core functionality.

  • (Score: 1, Interesting) by Anonymous Coward on Thursday April 24 2014, @07:51PM (#35751)

    As many people have pointed out, money is not the fix-all magic bullet. The corollary to that statement, however, points out that without money there will be no development, none at all.

    I think this figuring out how to collectively fund our free software is very important. Now it looks like the millions of little (for varying values of little) projects do all their own fundraisers and more or less randomly hit their targets.

    It used to be that science was only performed by Lords (e.g. Lord Kelvin) and other such persons of independent wealth. This naturally drastically limited the pool from which the observations and conclusions and ultimately theories came. We're at a very similar situation now with regards to free software development. (And yes, science itself.)

    Once again it's time to underline that the free in free software doesn't stand for gratis.

  • (Score: 2) by urza9814 (3954) on Friday April 25 2014, @01:47AM (#35892)

    $100,000 per year for 3 years? Is that EACH or TOTAL? Because it reads like total -- which means MAYBE one quality developer, if he's willing to work cheap. Decent security experts cost real money.

    And they're planning to distribute this among *multiple* core projects?

    To improve things, you're gonna need to give enough to actually hire paid developers. Just writing a check for an extra $10,000 to some guy who hasn't REALLY gotten paid for his work in years isn't gonna cut it. He'll just pocket it and keep doing the same thing. And rightly so, because that's the quality of development that kind of money buys.

    Unless maybe they give the full amount to a new project every year or something...or maybe just hire a dev or two and tell them what projects they're contributing to this month...neither of those seem like they'd produce fantastic results either.

    Money isn't everything, but it's not nothing either. They're gonna need a lot more cash...

    Guess there's more than one way to make that happen though. Where do we donate?

    • (Score: 1) by LukeSkywalker (1190) on Friday April 25 2014, @03:56AM (#35923)

      I really hope this is each, otherwise it is a bit of a joke. These companies have huge amounts of wealth, $100,000 divided by 13 is only about $7,700 each (which I'm sure is tax deductible anyway). This is at the minimum but unless they can get some good PR out of it I don't see them paying much more than the minimum.