It's often said that "you get what you pay for", but when it comes to free software, this doesn't apply. You often get a lot more. However, you do get what someone pays for. Software development takes time and money, and without substantial donations, sponsorship, etc., a free-software project will be limited to what volunteers can achieve in their own time.
According to an article in Ars Technica, the security software OpenSSL has one full-time employee and receives about $2000 a year in donations. It's therefore not surprising that bugs aren't always caught before they cause problems.
Based on the recent, and serious, "heartbleed" bug, this state of affairs needs to change and, according to that same article, is about to change. The Linux Foundation is launching the Core Infrastructure Initiative with some decent financial backing. "Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Qualcomm, Rackspace, and VMware have all pledged to commit at least $100,000 a year for at least three years".
OpenSSL will not be the only project to receive a share of this money, but it was the inspiration for the initiative and will be the first under consideration. The funding will "not come with strings attached", according to Linux Foundation Executive Director Jim Zemlin.
One could argue it's much cheaper to support something like OpenSSL than to clean up the mess when a small and underfunded team fail to catch important bugs in a timely manner.
Which other projects would be cheaper in the long run (for all concerned) if they received more financial support?
Ars Technica reports that four weeks after its disclosure huge swaths of the Internet remain vulnerable to Heartbleed. The article suggests that over 300,000 servers remain vulnerable.
What steps have you taken to protect yourself from this bug? What browser addons have you installed? Have you checked/updated the firmware on your home router? If you work in IT, what has the reaction been? Has your site been compromised? Has vulnerable code been updated, new keys genned, new certificates obtained, and old ones revoked?
Since the OpenSSL library is now undergoing a security review and a fork of it is underway as LibreSSL, it is possible that other vulnerabilities will be discovered. Then what? How likely is it that we will need to repeat this cleanup effort?
(more after the break)