Wikipedia

Core Infrastructure Initiative

The Core Infrastructure Initiative (CII) was a project of the Linux Foundation to fund and support free and open-source software projects that are critical to the functioning of the Internet and other major information systems. The project was announced on 24 April 2014 in the wake of Heartbleed, a critical security bug in OpenSSL that is used on millions of websites.

Core Infrastructure Initiative
Mission statement: "To fund open source projects that are in the critical path for core computing functions."
Commercial?: No
Founder: Jim Zemlin
Established: 24 April 2014 (2014-04-24)[1]
Funding: By donations
Status: Superseded by the OpenSSF

OpenSSL was among the first software projects to be funded by the initiative after it was deemed underfunded, receiving only about $2,000 per year in donations.[1] The initiative would sponsor two full-time OpenSSL core developers.[2] In September 2014, the Initiative offered assistance to Chet Ramey, the maintainer of bash, after the Shellshock vulnerability was discovered.[3]

The CII has since been superseded by the Open Source Security Foundation.[4]

Heartbleed bug

Main article: Heartbleed

[Image: Logo representing Heartbleed]

OpenSSL is an open-source implementation of Transport Layer Security (TLS), allowing anyone to inspect its source code.[5] It is, for example, used by smartphones running the Android operating system and some Wi-Fi routers, and by organizations including Amazon.com, Facebook, Netflix, Yahoo!, the United States of America's Federal Bureau of Investigation and the Canada Revenue Agency.[6]

On 7 April 2014, OpenSSL's Heartbleed bug was publicly disclosed and fixed.[7] The vulnerability, which had been shipped in OpenSSL's current version for more than two years,[8] made it possible for hackers to retrieve information such as usernames, passwords and credit card numbers from supposedly secure transactions. At that time, roughly 17% (around half a million) of the Internet's secure web servers certified by trusted authorities were believed to be vulnerable to the attack.[9]

Open-source software

According to Linus's law, from Raymond's book The Cathedral and the Bazaar, "Given enough eyeballs, all bugs are shallow."[10] In other words, if there are enough people working on the software, a problem will be found quickly and its fix will be obvious to someone. Raymond stated in an interview that "there weren't any eyeballs" for the Heartbleed bug.[6]

Prior to the CII funding, only one person, Stephen Henson, worked full-time on OpenSSL; Henson approved well over half of the updates to OpenSSL's more than 450,000 lines of source code.[11] Besides Henson, there were three core volunteer programmers. The OpenSSL Project existed on a budget of $2,000 per year in donations, which was enough to cover the electricity bill, and Steve Henson was earning around $20,000 per year.[8] To gather more revenue for the project, Steve Marquess, a consultant for the Defense Department, created the OpenSSL Software Foundation. This allowed programmers to make some money by consulting for organizations that used the code. However, the foundation brought in less than $1 million per year,[6] and the contract work tended to focus on adding new features rather than maintaining existing ones.[8]

Other open-source software projects have similar difficulties. For example, the maintainers of OpenBSD, a security-conscious operating system, nearly had to shut the project down in early 2014 because it could not pay the electricity bills.[12]

The initiative

Jim Zemlin, the executive director of the Linux Foundation, conceived the idea of the Core Infrastructure Initiative not long after Heartbleed was announced, and spent the night of April 23 calling firms for support.[13] Thirteen companies responded and joined the initiative: Amazon Web Services, Cisco Systems, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, Qualcomm and VMware.[14][15] The list was mainly determined by who Zemlin knew.[13] Each of the thirteen companies pledged to donate $100,000 a year for the next three years, bringing the initial funding pool to almost $4 million.[16][17][18] An additional five companies (Adobe Systems, Bloomberg L.P., Hewlett-Packard, Huawei, and Salesforce.com) have since joined the initiative.[19]

The money that the CII pooled was used to fund specific tasks such as providing compensation to developers to work full-time on an open-source software project, conducting reviews and security audits, deploying test infrastructure, and facilitating travel and face-to-face meetings among developers.[2]

The CII was composed of two bodies, a steering committee and an advisory board. The steering committee was made up of representatives from the member companies and other industry stakeholders[2][16] and the committee was in charge of identifying target software projects and approving specific funding to those projects. The advisory board, composed of developers and other stakeholders, provided advice to the steering committee.[2]

Projects backed in 2016

| Project Name | Type | Funding (USD) |
|---|---|---|
| Frama-C | Developer tool | 192,000 |
| GnuPG | System tool or application | 60,000 |
| Network Time Protocol Daemon | System tool or application | 180,000 |
| OpenSSH | System tool or application | 50,000 |
| OpenSSL | Developer library | 550,000 |
| OWASP Zed Attack Proxy | Testing tool or project | 23,000 |
| Reproducible Builds | Testing tool or project | 250,000 |
| The Fuzzing Project | Testing tool or project | 60,000 |
| The Linux Kernel Self Protection Project | System tool or application | 80,000 |
| NTPsec | System tool or application | 150,000 |
| Bouncy Castle | Developer library | 15,000 |

The Core Infrastructure Initiative also invested 120,000 USD in education on good practices of open-source development, 120,000 USD in analysis of popular open-source projects, and 95,000 USD in auditing OpenSSL.[20]

References

  1. "Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, VMware and The Linux Foundation Form New Initiative to Support Critical Open Source Projects" (Press release). The Linux Foundation. 24 April 2014. Archived from the original on 10 June 2016. Retrieved 25 July 2016.
  2. "Core Infrastructure Initiative FAQ". The Linux Foundation. Archived from the original on 14 April 2016. Retrieved 25 July 2016.
  3. "Security experts expect 'Shellshock' software bug to be significant". The Times of India. Archived from the original on 29 September 2014. Retrieved 29 September 2014.
  4. "Home". Core Infrastructure Initiative. Retrieved 20 January 2023.
  5. Sullivan, Gail (9 April 2014). "Heartbleed: What you should know". The Washington Post. Archived from the original on 9 May 2014. Retrieved 14 May 2014.
  6. Perlroth, Nicole (18 April 2014). "Heartbleed Highlights a Contradiction in the Web". The New York Times. Archived from the original on 8 May 2014. Retrieved 14 May 2014.
  7. Grubb, Ben (15 April 2014). "Heartbleed disclosure timeline: who knew what and when". The Sydney Morning Herald. Archived from the original on 25 November 2014. Retrieved 14 May 2014.
  8. Stokel-Walker, Chris (25 April 2014). "The Internet Is Being Protected By Two Guys Named Steve". BuzzFeed. Archived from the original on 15 May 2014. Retrieved 15 May 2014.
  9. Mutton, Paul (8 April 2014). "Half a million widely trusted websites vulnerable to Heartbleed bug". Netcraft Ltd. Archived from the original on 19 November 2014. Retrieved 22 May 2014.
  10. Raymond, Eric S.; foreword by Bob Young (2008). The Cathedral & the Bazaar: Musings on Linux and Open Source by an Accidental Revolutionary (2nd ed.). Sebastopol: O'Reilly Media, Inc. p. 30. ISBN 978-0596553968.
  11. Babbage (6 May 2014). "A heartbeat from disaster". The Economist. Archived from the original on 15 May 2014. Retrieved 15 May 2014.
  12. Finley, Klint (22 January 2014). "Bitcoin Baron Keeps a Secretive Open Source OS Alive". Wired. Archived from the original on 11 May 2014. Retrieved 15 May 2014.
  13. Rosenblatt, Seth (24 April 2014). "Tech titans join forces to stop the next Heartbleed". CNET. Archived from the original on 17 May 2014. Retrieved 15 May 2014.
  14. "Core Infrastructure Initiative". The Linux Foundation. Archived from the original on 10 September 2016. Retrieved 25 July 2016.
  15. Finley, Klint (24 April 2014). "Google, Facebook, and Microsoft Team Up to Stop Another Heartbleed". Wired. Archived from the original on 14 May 2014. Retrieved 15 May 2014.
  16. Perlroth, Nicole (24 April 2014). "Companies Back Initiative to Support OpenSSL and Other Open-Source Projects". Bits. The New York Times. Archived from the original on 30 April 2014. Retrieved 29 April 2014.
  17. Vaughan-Nichols, Steven J. (24 April 2014). "Cisco, Microsoft, VMware, and other tech giants unite behind critical open-source projects". ZDNet. Archived from the original on 27 April 2014. Retrieved 29 April 2014.
  18. Warren, Christina (24 April 2014). "Facebook, Google, Microsoft Join Forces to Prevent Another Heartbleed". Mashable. Archived from the original on 29 April 2014. Retrieved 29 April 2014.
  19. "The Linux Foundation's Core Infrastructure Initiative Announces New Backers, First Projects to Receive Support and Advisory Board Members" (Press release). The Linux Foundation. 29 May 2014. Archived from the original on 11 July 2017. Retrieved 23 June 2014.
  20. "Core Infrastructure Initiative 2016 Annual Report" (PDF). The Core Infrastructure Initiative. Archived from the original on 6 November 2017. Retrieved 14 April 2017.

External links

  • Official website
