Core Infrastructure Initiative

Mission statement: "To fund open source projects that are in the critical path for core computing functions."
Commercial?: No
Founder: Jim Zemlin
Established: 24 April 2014 [1]
Funding: By donations
Status: Superseded by the OpenSSF

The Core Infrastructure Initiative (CII) was a project of the Linux Foundation to fund and support free and open-source software projects that are critical to the functioning of the Internet and other major information systems. The project was announced on 24 April 2014 in the wake of Heartbleed, a critical security bug in OpenSSL that is used on millions of websites.


OpenSSL was among the first software projects to be funded by the initiative after it was deemed underfunded, receiving only about $2,000 per year in donations. [1] The initiative was to sponsor two full-time OpenSSL core developers. [2] In September 2014, the initiative offered assistance to Chet Ramey, the maintainer of bash, after the Shellshock vulnerability was discovered. [3]

The CII has since been superseded by the Open Source Security Foundation. [4]

Heartbleed bug

Logo representing Heartbleed

OpenSSL is an open-source implementation of Transport Layer Security (TLS), which means anyone can inspect its source code. [5] It is used, for example, by smartphones running the Android operating system and by some Wi-Fi routers, and by organizations including Amazon.com, Facebook, Netflix, Yahoo!, the United States Federal Bureau of Investigation and the Canada Revenue Agency. [6]

On 7 April 2014, OpenSSL's Heartbleed bug was publicly disclosed and fixed. [7] The vulnerability, which had shipped in OpenSSL's current version for more than two years, [8] made it possible for attackers to retrieve information such as usernames, passwords and credit card numbers from supposedly secure transactions. At that time, roughly 17% (around half a million) of the Internet's secure web servers certified by trusted authorities were believed to be vulnerable to the attack. [9]

Open-source software

According to Linus's law, from Raymond's book The Cathedral and the Bazaar, "Given enough eyeballs, all bugs are shallow." [10] In other words, if enough people are working on the software, a problem will be found quickly and its fix will be obvious to someone. Raymond stated in an interview that "there weren't any eyeballs" for the Heartbleed bug. [6]

Prior to the CII funding, only one person, Stephen Henson, worked full-time on OpenSSL; Henson approved well over half of the updates to OpenSSL's more than 450,000 lines of source code. [11] Besides Henson, there were three core volunteer programmers. The OpenSSL Project existed on a budget of $2,000 per year in donations, which was enough to cover the electricity bill, and Steve Henson was earning around $20,000 per year. [8] To gather more revenue for the project, Steve Marquess, a consultant for the Defense Department, created the OpenSSL Software Foundation. This allowed programmers to make some money by consulting for organizations that used the code. However, the foundation brought in less than $1 million per year, [6] and the contract work tended to focus on adding new features rather than maintaining the old ones. [8]

Other open-source software projects have similar difficulties. For example, the maintainers of OpenBSD, a security-conscious operating system, nearly had to shut the project down in early 2014 because it could not pay the electricity bills. [12]

The initiative

Jim Zemlin, the executive director of the Linux Foundation, conceived the idea of the Core Infrastructure Initiative not long after Heartbleed was announced, and spent the night of April 23 calling firms for support. [13] Thirteen companies responded and joined the initiative: Amazon Web Services, Cisco Systems, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, Qualcomm and VMware. [14] [15] The list was mainly determined by who Zemlin knew. [13] Each of the thirteen companies pledged to donate $100,000 a year for the next three years, bringing the initial funding pool to almost $4 million. [16] [17] [18] An additional five companies, Adobe Systems, Bloomberg L.P., Hewlett-Packard, Huawei, and Salesforce.com, have since joined the initiative. [19]

The money that the CII pooled was used to fund specific tasks such as providing compensation to developers to work full-time on an open-source software project, conducting reviews and security audits, deploying test infrastructure, and facilitating travel and face-to-face meetings among developers. [2]

The CII was composed of two bodies, a steering committee and an advisory board. The steering committee was made up of representatives from the member companies and other industry stakeholders [2] [16] and the committee was in charge of identifying target software projects and approving specific funding to those projects. The advisory board, composed of developers and other stakeholders, provided advice to the steering committee. [2]

Projects backed in 2016

| Project name | Type | Funding (USD) |
|---|---|---|
| Frama-C | Developer tool | 192,000 |
| GnuPG | System tool or application | 60,000 |
| Network Time Protocol Daemon | System tool or application | 180,000 |
| OpenSSH | System tool or application | 50,000 |
| OpenSSL | Developer library | 550,000 |
| OWASP Zed Attack Proxy | Testing tool or project | 23,000 |
| Reproducible Builds | Testing tool or project | 250,000 |
| The Fuzzing Project | Testing tool or project | 60,000 |
| The Linux Kernel Self Protection Project | System tool or application | 80,000 |
| NTPsec | System tool or application | 150,000 |
| Bouncy Castle | Developer library | 15,000 |

The Core Infrastructure Initiative also invested 120,000 USD in education on good practices for open-source development, 120,000 USD in analysis of popular open-source projects, and 95,000 USD in auditing OpenSSL. [20]


References

  1. "Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, VMware and The Linux Foundation Form New Initiative to Support Critical Open Source Projects" (Press release). The Linux Foundation. 24 April 2014. Archived from the original on 10 June 2016. Retrieved 25 July 2016.
  2. "Core Infrastructure Initiative FAQ". The Linux Foundation. Archived from the original on 14 April 2016. Retrieved 25 July 2016.
  3. "Security experts expect 'Shellshock' software bug to be significant". The Times of India. Archived from the original on 29 September 2014. Retrieved 29 September 2014.
  4. "Home". Core Infrastructure Initiative. Retrieved 20 January 2023.
  5. Sullivan, Gail (9 April 2014). "Heartbleed: What you should know". The Washington Post. Archived from the original on 9 May 2014. Retrieved 14 May 2014.
  6. Perlroth, Nicole (18 April 2014). "Heartbleed Highlights a Contradiction in the Web". The New York Times. Archived from the original on 8 May 2014. Retrieved 14 May 2014.
  7. Grubb, Ben (15 April 2014). "Heartbleed disclosure timeline: who knew what and when". The Sydney Morning Herald. Archived from the original on 25 November 2014. Retrieved 14 May 2014.
  8. Stokel-Walker, Chris (25 April 2014). "The Internet Is Being Protected By Two Guys Named Steve". BuzzFeed. Archived from the original on 15 May 2014. Retrieved 15 May 2014.
  9. Mutton, Paul (8 April 2014). "Half a million widely trusted websites vulnerable to Heartbleed bug". Netcraft Ltd. Archived from the original on 19 November 2014. Retrieved 22 May 2014.
  10. Raymond, Eric S.; with a foreword by Bob Young (2008). The Cathedral & the Bazaar: Musings on Linux and Open Source by an Accidental Revolutionary (2nd ed.). Sebastopol: O'Reilly Media, Inc. p. 30. ISBN 978-0596553968.
  11. Babbage (6 May 2014). "A heartbeat from disaster". The Economist. Archived from the original on 15 May 2014. Retrieved 15 May 2014.
  12. Finley, Klint (22 January 2014). "Bitcoin Baron Keeps a Secretive Open Source OS Alive". Wired. Archived from the original on 11 May 2014. Retrieved 15 May 2014.
  13. Rosenblatt, Seth (24 April 2014). "Tech titans join forces to stop the next Heartbleed". CNET. Archived from the original on 17 May 2014. Retrieved 15 May 2014.
  14. "Core Infrastructure Initiative". The Linux Foundation. Archived from the original on 10 September 2016. Retrieved 25 July 2016.
  15. Finley, Klint (24 April 2014). "Google, Facebook, and Microsoft Team Up to Stop Another Heartbleed". Wired. Archived from the original on 14 May 2014. Retrieved 15 May 2014.
  16. Perlroth, Nicole (24 April 2014). "Companies Back Initiative to Support OpenSSL and Other Open-Source Projects". Bits. The New York Times. Archived from the original on 30 April 2014. Retrieved 29 April 2014.
  17. Vaughan-Nichols, Steven J. (24 April 2014). "Cisco, Microsoft, VMware, and other tech giants unite behind critical open-source projects". ZDNet. Archived from the original on 27 April 2014. Retrieved 29 April 2014.
  18. Warren, Christina (24 April 2014). "Facebook, Google, Microsoft Join Forces to Prevent Another Heartbleed". Mashable. Archived from the original on 29 April 2014. Retrieved 29 April 2014.
  19. "The Linux Foundation's Core Infrastructure Initiative Announces New Backers, First Projects to Receive Support and Advisory Board Members" (Press release). The Linux Foundation. 29 May 2014. Archived from the original on 11 July 2017. Retrieved 23 June 2014.
  20. "Core Infrastructure Initiative 2016 Annual Report" (PDF). The Core Infrastructure Initiative. Archived from the original on 6 November 2017. Retrieved 14 April 2017.