The Linux Foundation is launching a “multi-million dollar project” to improve Linux security in the wake of the Heartbleed OpenSSL crisis. Big-name tech companies are contributing to the fund – but Red Hat, a big backer of OpenSSL and the global Linux commercial leader, isn’t among the listed funders for the “Core Infrastructure Initiative.”

Red Hat says it “supports” the initiative but remains mum on specifics.

What gives?

Is Red Hat (NYSE: RHT), which is based in Raleigh, withholding a full-fledged commitment to the program until more details are made available? Red Hat took a similar “hold off” stance on OpenStack before joining up two years ago. Now, OpenStack (a key to “cloud computing” operations) has no bigger backer than the Hatters.

Red Hat certainly has a connection to the OpenSSL situation, as Stephanie Wonderlick acknowledged in response to a query from WRALTechWire.

“Mark Cox, Red Hat’s director of security response, is a founding member of the OpenSSL project,” she said.

The Hatters also have dealt with the Heartbleed crisis, she added.

“Red Hat quickly resolved the issue; more information is available at (https://access.redhat.com/security/cve/CVE-2014-0160) and (https://access.redhat.com/site/announcements/781953),” Wonderlick wrote in an email.

“The flaw only affects customers using Red Hat Enterprise Linux 6.5, Red Hat Enterprise Virtualization Hypervisor 6.5, and Red Hat Storage 2.1 who have not yet applied the errata we have released. No other products are affected. Additionally, Red Hat updates the installer ISO images during our regular update. As a best practice, customers should always install all security updates before connecting a system to the public Internet.”

Why an Infrastructure Project?

The Foundation says the new funding effort is needed to provide more resources for OpenSSL and other projects.

How scant has support been in the past? Note this news as reported by The New Yorker:

“How did such a catastrophic bug remain undetected for two years? OpenSSL, which is used to secure as many as two-thirds of all encrypted Internet connections, is a volunteer project. It is overseen by four people: one works for the open-source software company Red Hat, one works for Google, and two are consultants. There is nobody whose full-time job it is to work on OpenSSL.”

For now, Red Hat would say nothing else about the Foundation project other than a statement provided by Wonderlick:

“Red Hat supports today’s announcement of the Core Infrastructure Initiative. We believe this is testament to the critical role open source plays in powering and securing the connected world in which we live. As a founding and current core member of OpenSSL, Red Hat remains deeply committed to this effort, as well as across the thousands of components that we help develop which together create the robust and secure platform that is Linux.”

The Hatters’ stance is intriguing, especially when one looks at the big-name companies pledging money:

  • Amazon Web Services
  • Cisco
  • Dell
  • Facebook
  • Fujitsu
  • Google
  • IBM
  • Intel
  • Microsoft
  • NetApp
  • Rackspace
  • VMware
  • The Linux Foundation

Funding Could Back Code Developers

The Linux Foundation said funding could be used for funding “key developers” as well as “other resources” to help improve OpenSSL security. The Foundation and a “steering group” will administer the funds.

“We are expanding the work we already do for the Linux kernel to other projects that may need support,” said Jim Zemlin, executive director of The Linux Foundation, in a statement. “Our global economy is built on top of many open source projects. Just as The Linux Foundation has funded Linus Torvalds to be able to focus 100% on Linux development, we will now be able to support additional developers and maintainers to work full-time supporting other essential open source projects. We are thankful for these industry leaders’ commitment to ensuring the continued growth and reliability of critical open source projects such as OpenSSL.”

The Linux Foundation says a formal fund-raising project and mechanism to support development is needed because donations to OpenSSL have been running at a meager $2,000 a year.

While more sophisticated systems run on Linux and rely on open source development, the Foundation said support [read dollars, R&D, personnel, etc.] has not been enough.

“[T]he computing industry has increasingly come to rely upon shared source code to foster innovation. But as this shared code has become ever more critical to society and more complex to build and maintain, there are certain projects that have not received the level of support commensurate with their importance. For instance, the OpenSSL project has in past years received about $2,000 per year in donations,” the Foundation declared.

Amazing. Shocking. And downright dangerous.
