
Core Infrastructure Initiative - chiachun
http://www.linuxfoundation.org/programs/core-infrastructure-initiative
======
matt__rose
Basically, through a combination of clever marketing and actual impact,
Heartbleed hit the Open Source community HARD, and left most people in the
Open Source Community asking two questions: 1. How did this happen? 2. How
can we stop this from happening again?

LibreSSL and openSSLRampage is the OpenBSD response, and, it's absolutely in
keeping with their character. I admire the "Fuck it, let's just fix this shit"
attitude that goes along with it.

The Core Infrastructure Initiative is the Linux Foundation's response.

They're two valid ways of dealing with the problem. The LibreSSL way is more
direct, targeted, and, in a way, satisfying, especially if you run OpenBSD,
and can gain from these efforts relatively quickly.

The "Core Infrastructure Initiative" is looking at it from a more holistic
perspective and saying: OK, OpenSSL was in trouble and nobody noticed, what
other projects are in the same situation, and how can we prevent what happened
to OpenSSL from happening to other projects.

Neither way is necessarily "The only right way", or even better than the other
way. In fact, both approaches complement each other. OpenBSD fixes the actual
current problem child; the Linux Foundation is on the hunt for the next problem
child.

~~~
remon
I think pretty solid arguments can be made for the position that the Linux
Foundation approach is the better route actually.

~~~
matt__rose
As also noted, pretty solid arguments can be made that the OpenBSD approach is
the better approach. My point was that they're not mutually exclusive, and
this is definitely a win-win scenario, as we have the potential to get 1. A
rock-solid open source SSL library 2. Fewer surprises in the future.

~~~
mhurron
> pretty solid arguments can be made that the OpenBSD approach is the better
> approach

Not really. OpenBSD is making an OpenSSL replacement for OpenBSD. They _might_
make a portable version, but they might not. They have made it clear they are
not putting the FIPS compliance stuff back in, and there's a good chance a lot
of those sponsors are interested in that.

Secondly, you don't get to choose where donations go in OpenBSD. You donate to
OpenBSD and they distribute wherever. You don't get to say 'I need this money
to go to improving the SSL library.' That can be kind of an issue for things
like this.

~~~
teacup50
FIPS is actively harmful to security by virtue of being an empty and
ill-conceived certification. Removing FIPS from an otherwise best available
option is to the benefit of the industry at large.

By comparison, glossy marketing of a security effort offers no security
benefits, and plenty of room within which to hide bad ideas such as FIPS.

~~~
mhurron
As others have said, the technical arguments against FIPS don't mean anything
when a huge potential customer requires it.

~~~
worklogin
And huge potential customers don't mean anything to a non-profit open source
ecosystem that actually cares about security.

~~~
mpyne
When did Red Hat and Google become non-profits? Did I miss something?

~~~
nitrogen
RedHat and Google can afford to add FIPS to their own LibreSSL if they want
to stop using OpenSSL.

------
tedks
Holy crap, Microsoft donating to the Linux Foundation. Cats and dogs, living
together. It's the end of days for real this time.

My one real question: How well has the Linux Foundation managed its money in
the past? Are they going to be an effective steward of this fund?

~~~
filmgirlcw
I asked Jim Zemlin -- the Linux Foundation boss -- about Microsoft and if he
ever could have predicted this would happen. He just laughed, but I could tell
he enjoyed the irony too.

The Linux Foundation handles the Linux kernel, so they have a good track
record in that regard. They also have worked on some less-successful (but very
well-managed) initiatives like Meego and now Tizen.

The members are big corporations and as a result, the auditing process and
outlay of funds isn't something I'd be concerned with.

The greater (potential) concern would be over how the corporate sponsors could
influence a project. Zemlin assured me that the SOP is not to interfere with
existing operational structures or governances of a project -- so they
wouldn't have any impact on how the OSF is run, for instance -- and certainly,
in the case of the Linux kernel, corporate sponsorship hasn't dictated Linus's
direction of the project.

That said, I think the level of influence a corporation could have over a
project is probably directly related to how a project is initially structured.
Tizen, as an example, is in partnership with the Linux Foundation, but is
largely led by Samsung and Intel. That's totally fine, and was that way by
design.

I would be concerned about projects that might not have strong leaders (like
Linus). Of course, one could argue that if that's the case, the project might
have bigger problems than being co-opted by other entities.

~~~
anandrm
There was a time, maybe a year back, when Microsoft turned out to be one of the
top contributors to the Linux kernel. They had to fix some issues in the Linux
kernel to run on Hyper-V.

~~~
Teckla
_There was a time, maybe a year back, when Microsoft turned out to be one of
the top contributors to the Linux kernel. They had to fix some issues in the
Linux kernel to run on Hyper-V._

Let's be very clear on this subject, though: Microsoft was doing it for their
own benefit. It wasn't altruism.

------
general_failure
As expected no Apple. I have always been fascinated how Apple gets a lot of
developer love and yet is completely absent in most (all?) conference/event
sponsorship, initiatives etc.

~~~
dorfsmay
No Apple fan here, but to be fair they give some apps back (e.g. CUPS).

~~~
awalton
They hired the main developer of CUPS to adapt it for OS X. The license of
CUPS - the GPL and LGPL - ensures they continue to share it; they even had to
explicitly add a licensing exception for Apple's (and other companies') binary
printer drivers. I would bet money that if Apple had CUPS under a BSD license
they would not be sharing their improvements so leisurely.

~~~
danudey
Really? Because they did that with WebKit. They made huge modifications to
KHTML and KJS, released them back (admittedly in kind of an amateurish way at
the start), and also open-sourced their proprietary component, WebKit, which
wraps WebCore and JSCore up in a nice, manageable interface. They didn't have
to, but they did.

They also have a lot of contributions to LLVM/Clang, as well as several other
open-source projects.

~~~
patrickaljord
Of course they had to share WebKit; KHTML and KJS were under the LGPL, so they
had to. What they didn't have to share was the apps built on top of WebKit,
such as Safari, and they didn't share Safari.

------
sanxiyn
I hope that OpenSSH developers get some funding too. OpenSSH is clearly a core
infrastructure, and they had financial difficulty in the past.

Mozilla Foundation once donated 10K USD to OpenSSH after OpenSSH's call for
donation. Not many others did.

~~~
wmf
Are the OpenBSD people still saying that money donated for OpenSSH will be
used to develop OpenBSD?

------
ausjke
OpenBSD is great but it has its own agenda. The Linux Foundation does have
"Linux" in its name; maybe that tells you something. Plus, LibreSSL can pull
in whatever changes future OpenSSL will have. I think it's a win-win for both
sides. I used OpenBSD in the past, but nowadays it's all Linux for everything,
from server to desktop to my cellphone.

~~~
the_ancient
I think the opposite will be true... OpenSSL will be pulling in what LibreSSL
does, and it probably won't be long before many of the distros drop OpenSSL...

~~~
sliverstorm
Alternative possibility: OpenSSL & LibreSSL pull from each other, but OpenSSL
incorporates more new features sooner. Banks run LibreSSL, much as they run
OpenSSL 0.98 today, and hip new startups that want New Feature X run OpenSSL,
much as they run OpenSSL 1.0.1f today.

------
rubyfan
So, to get this straight, the Linux Foundation has responded to OpenSSL's
problems by creating a web page and a committee, and is soliciting dollars
from sponsors and the grass roots?

OpenBSD responds by rolling up sleeves and fixing the problem.

------
zatkin
I get the feeling that these companies are throwing money at trying to fix the
problems (in other projects besides OpenSSL that are fundamental), and not
talent/manpower.

------
gnu8
Their web page says the OpenSSL group is their first candidate for funding.
It's puzzling that they would choose to fund such a corrupt and incompetent
organization over LibreSSL, which is actually fixing the code and ultimately
is what will actually be used.

Or maybe it's not so mysterious: the principal companies involved have a long
record of benefiting from OpenSSH and never contributing to that either.

~~~
privong
LibreSSL is a fork for OpenBSD and doesn't have all the functionality of
OpenSSL (e.g., no Windows support), so it's not a given that LibreSSL will
actually become the standard. Also, despite the issues with OpenSSL, there is
significant name recognition for it. That means that funding and improving
OpenSSL can potentially lead to a better outcome than funding LibreSSL. I mean
this in the sense that funding something else (e.g., LibreSSL) could result in
a situation where people still use OpenSSL because they know the name, but
the improvements are going elsewhere. Sure, you can say that people should
switch, but name recognition can be tough to overcome.

~~~
dlgeek
I think as long as LibreSSL plans on ripping out the FIPS stuff, it's not
going to replace OpenSSL in a huge number of places. Don't get me wrong, I
think it's the right decision for the OpenBSD guys, and for the security of
the library, but it's definitely going to limit adoption.

~~~
danudey
FIPS support is such a rare requirement (and such an awful one) that I'm
willing to bet LibreSSL, once it's 'finished' and buildable on the typical
Linux system, will be gladly adopted by pretty much everyone who can. Distros
will probably prefer LibreSSL whenever possible, with the exception of Debian,
unless the licensing issue can be resolved (which I hope it is because GnuTLS
is awful).

The vast majority of people who use OpenSSL don't need FIPS compliance, and
LibreSSL will provide them with a more solid, better reviewed, more secure,
lightweight, reliable drop-in replacement. It's hard to argue with that.

~~~
count
FIPS support will be required by RedHat, SuSE and any other vendor that wants
to do business with the US (and many other) federal governments.

If none of the major vendors will ship a non-FIPS certified crypto lib, then
where exactly will it get used?

------
a2079648
Looks like somebody is trying hard to prevent LibreSSL from becoming widely
adopted.

> By raising funds at a neutral organization like The Linux Foundation, the
> industry can effectively give projects the support they need while ensuring
> that open source projects retain their independence and community-based
> dynamism.

I somehow can't imagine an organization named "Linux Foundation" giving money
to OpenBSD and other non-Linux-related open source projects.

~~~
angrybits
I think you're over-thinking it. I imagine this was done solely in response to
Heartbleed itself, not OpenBSD's fork. It's a good charter; I'm happy it's
being done.

~~~
danielweber
Yes, they've obviously been working on this announcement for a few weeks. You
can't get all those big players on board in the time since LibreSSL was
announced.

