Linux Foundation responds to Heartbleed with Core Infrastructure Initiative

Giving money is easy, dedicating key personnel to monitoring existing open source projects is hard.


The Core Infrastructure Initiative (CII) is the software industry’s response to the Heartbleed vulnerability. Before the CII was announced, I read OpenSSL Foundation president Steve Marquess’s recent blog post, which explained that his foundation typically received a meager $2,000 per year in donations and perhaps as much as $1 million per year in support contracts. I really hope the half-million sites that use OpenSSL get out their checkbooks and donate to pay for independent pen testing and code reviews.

The CII might be even better for the open source industry than ad hoc voluntary contributions from companies that have assigned themselves the responsibility. CII is a Linux Foundation project that includes companies such as Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, and VMware.

This group has more than deep pockets. They use open source internally and as a component to deliver customer solutions. Each is capable of disciplined market measurement to assess the adoption of open source projects and has the project management skills to assess where resources need to be added to improve mission-critical quality.

This is a promising development, though it should be filed under “easy to say, hard to do.” All of these companies, especially Facebook, Google, IBM, Intel, and Microsoft, understand open source software as well as anyone on the planet. But beyond money, these companies will have to dedicate some of their best people, not just for a conference, but to the ongoing work of monitoring and measuring existing large-scale open source projects and looking for the tips of the icebergs: new open source projects that have become critical components of internet infrastructure.

Open source projects regularly run into bugs and project delays. When this happens, it is not uncommon for the most affected development teams to contribute a full-time developer or two to the project until it is back on track. It is a self-sustaining system that has worked well. Hopefully the ad hoc cash and developer contributions will continue in parallel with the CII, building the project management skills in the community needed to cope with the increasing scale and complexity of the open source projects that drive the internet.
