Core Infrastructure Initiative FAQ
About Core Infrastructure Initiative
- What is the Core Infrastructure Initiative?
- Who is involved in CII and what role do they play?
- How will CII be structured?
- Who is on the Advisory Board?
- How will CII be funded?
- Why is The Linux Foundation the right forum for this funding?
- Why is CII really needed?
- Why didn’t you think about doing this before the lack of funding for OpenSSL resulted in Heartbleed?
- Is it needed because open source code is low quality and needs more funding?
- Which projects are currently funded by CII?
About Core Infrastructure Initiative
The Core Infrastructure Initiative is a multi-million dollar project to fund and support critical elements of the global information infrastructure. It is organized by The Linux Foundation and supported by Amazon Web Services, Adobe, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Google, Hitachi, HP, Huawei, IBM, Intel, Microsoft, NetApp, NEC, Qualcomm, RackSpace, salesforce.com, and VMware. CII enables technology companies to collaboratively identify and fund open source projects that are in need of assistance, while allowing the developers to continue their work under the community norms that have made open source so successful.
The first project under consideration to recieve funds from the Initiative will be OpenSSL, which could receive fellowship funding for key developers as well as other resources to assist the project in improving its security, enabling outside reviews, and improving responsiveness to patch requests. CII was formed as a response to the Heartbleed security crisis; however, the Initiative’s efforts will not be restricted to security-related issues.
Members of CII evaluate open source projects that are essential to global computing infrastructure and are experiencing under-investment. These companies recognize the need for directed funds for highly critical open source software projects they all consume and that run much of modern day society. They also value and invest in developers and collaborative software development and want to support this important work.
A steering committee consists of one representative frome each CII members. Committee members:
- Identify projects and developers in need to support
- Approve specific funding commitments
- Oversee project roadmaps
- Reach consensus to add additional members (e.g., crypto experts, community leaders) to the advisory board.
An advisory board of open source developers and respected community members helps inform the steering committee.
The CII Advisory Board inform the CII Steering Committee about the open source projects most in need of support. With esteemed experts from the developer, security and legal communities, the CII Advisory Board plays an important role in prioritizing projects and individuals who are building the software that runs our lives. Advisory Board members include:
- Alan Cox, a longtime Linux kernel developer and has been recognized by the Free Software Foundation for advancing free software.
- Matthew Green, a Research Professor of Computer Science at the Johns Hopkins University and a co-founder of the Open Crypto Audit Project. His research focuses on computer security and cryptography, and particularly the way that cryptography can be used to promote individual privacy.
- Dan Meredith, a director at Radio Free Asia’s Open Technology Fund. He has been an activist and technologist exploring emerging trends intersecting human rights, transparency, global communication policy, the Internet, and information security for over a decade.
- Bruce Schneier, a fellow at the Berkman Center for Internet & Society at Harvard Law School and a well-recognized expert on computer security and privacy. He is also a fellow at New America Foundation’s Open Technology Institute.
- Eric Sears, a Program Officer for Human Rights for MacArthur Foundation. His grant-making portfolio includes efforts to strengthen digital free expression and privacy through advancing a more open and secure Internet.
- Ted T’so has been recognized as the first Linux kernel developer in North America and today is a file system developer at Google who also works on Kerberos v5 and /dev/random. T’so is also a member of the Internet Engineering Task Force and serves on its Security Area Directorate.
CII is funded by donations from individuals and members of Initiative. Contribute to the fund.
The Linux Foundation is a nonprofit organization with strong, existing relationship throughout the technology industry. It marshals the resources of the Linux ecosystem and other innovative open source projects to provide much needed services that are not easily offered by a single community member, entity or company. By raising funds at a neutral organization like The Linux Foundation, the industry can effectively give projects the support they need while ensuring that open source projects retain their independence and community-based dynamism.
The computing industry has increasingly come to rely upon shared source code to foster innovation. But as this shared code has become ever more critical to society and more complex to build and maintain, there are certain projects that have not received the level of support commensurate with their importance. As we just witnessed with the Heartbleed crisis, too many critical open source software projects are under-funded and under-resourced. For instance, the OpenSSL project has in past years received about $2,000 per year in donations.
We’re doing what we can now collectively to identify critical projects being overlooked or underfunded so that we drastically reduce the chances of this happening again.
Open source development has historically produced high-quality and highly secure software. For instance, the most recent Coverity Open Scan study of software quality has shown that open source code quality surpasses proprietary code quality. But as all software has grown in complexity – with interoperability between highly complex systems now the standard– the needs for developer support has grown.
Upon an initial review of critical open source software projects, the CII Steering Committee has prioritized Network Time Protocol, OpenSSH and OpenSSL for the first round of funding. OpenSSL is receiving funds from CII for two, fulltime core developers. The OpenSSL project is accepting additional donations, which can be coordinated directly with the OpenSSL Foundation (contact at email@example.com).
The Open Crypto Audit Project (OCAP) has also received funding to conduct a security audit of the OpenSSL code base. Other projects are under consideration and will be funded as assessments are completed and budget allows.