This past week the person who manages one of the world’s most important cryptography projects, Werner Koch, went from going broke to raising more than $100,000 for his project, GNU Privacy Guard. This is in addition to the $60,000 The Linux Foundation’s Core Infrastructure Initiative (CII) dedicated to Werner last month. GnuPG is used not only to encrypt and authenticate email but also to verify that software packages and releases are what they claim to be. Facebook, Stripe and others are answering the call to support the individuals who are developing the world’s most critical digital infrastructure.
There are hundreds of these stories. Many open source software projects are in a similar state. In addition to the world’s email encryption software being managed by one person, the Internet is being secured by two guys named Steve. The Network Time Protocol that manages clock synchronization for the world’s computer systems is largely maintained by a couple of folks. The examples go on.
Koch’s story is a reminder that open source software written by the world’s smartest developers is powering our digital lives. We must continue to identify these projects and individuals to help them and prevent the next Heartbleed or Shellshock. We know we can’t solve every security vulnerability in computing, but we also know that by taking preventive measures to support these projects, we can decrease the severity and frequency of security issues.
I am happy with the progress we have seen from the Core Infrastructure Initiative since its creation last year. First, we are now funding the “two Steves” (really Steve Henson and Andy Polyakov), two of the key maintainers of OpenSSL. We even enabled a historic event: the first meeting of the OpenSSL team in 15 years. In addition, we have provided grants to NTP in order to help keep Internet time secure. We have established funding for OpenSSH, which provides encrypted communication across a vast amount of Internet infrastructure. Finally, as I already mentioned, we are helping GnuPG.
These are all good, but more importantly, what comes next? The good news is that we are just getting started:
First, we have begun a comprehensive third-party audit of the entire OpenSSL codebase, which represents almost half a million lines of code. This will give the development team objective, independent analysis of the code so that they can make it better.
Second, we have been undertaking a research initiative to conduct a census of the hundreds of open source projects that directly impact the security and integrity of the global Internet. We are analyzing these projects based on the number of other components and systems that depend on them, the size and breadth of their community, the resources available to them, and much more. This research will allow us to make informed decisions about which projects to fund for the highest impact.
Third, we are organizing a set of projects that go beyond funding specific open source projects and move toward providing shared resources, such as shared testing, secure coding best practices and more. These resources would help all open source projects improve their security, and thereby improve the security of the Internet as a whole.
It is encouraging to see that the industry remains committed to supporting open source projects that are critical to information security and infrastructure and are used by millions of people. Congratulations to Werner for raising the profile of his project and of the good work that is happening there. And please follow this space as CII and its members make more investments in open source security over the months and years to come.