Many of the projects in our ecosystem are critically important to developers and users, but on their own lack the resources to keep them viable. The Linux Foundation provides support to a number of these projects through grants and human capital to make sure we have a safe, stable, and secure internet.

The Linux Foundation provides significant resources to keep critical projects up and running. We provide a large amount of assistance to the Linux Kernel, but we have many other programs, too. These programs are helping to keep the plumbing of the Internet safe and secure as well as provide the means for those developers who work on this infrastructure to build critically needed software.

We provide full-time tech support and hardware/software for many community workgroups, including Open Printing, OpenChain, SPDX, and Core Embedded Linux workgroups. Through the Core Infrastructure Initiative (CII), we raised and funded major projects to improve open source security. Two full-time OpenSSL core developers have been sponsored and a complete audit of OpenSSL has been initiated. This has resulted in a reduction of bug backlog, refactoring critical code paths, improved testing, and security/vulnerability handling policy put into place.

Infrastructure Projects and Initiatives Supported By The Linux Foundation

Bash is a Unix shell and command language written by Brian Fox for the GNU Project as a free software replacement for the Bourne shell. Released in 1989, Unix has been distributed widely as the shell for the GNU operating system and as a default shell on Linux and OS X. The Linux Foundation provides equipment to maintain the development of the Bash shell.

For distributions like Debian and Fedora, it is essential that the machines used to build binaries distributed to users have not been compromised by attackers. Reproducible builds enable anyone to reproduce bit by bit identical binary packages from a given source, thus enabling anyone to independently verify that a binary matches the source code from which it was said to have been derived. Without it, even with software containing carefully audited source code, it is much harder to detect if binaries have been tampered with before they get in the hands of users.

chrony is a versatile implementation of the Network Time Protocol (NTP). It can synchronise the system clock with NTP servers, reference clocks (e.g. GPS receiver), and manual input using wristwatch and keyboard. It can also operate as an NTPv4 (RFC 5905) server and peer to provide a time service to other computers in the network.

The Census represents Core Infrastructure Initiative’s (CII) current view of the open source ecosystem and which projects are at risk. The Heartbleed vulnerability in OpenSSL highlighted that while some open source software (OSS) is widely used and depended on, vulnerabilities can have serious ramifications, and yet some projects have not received the level of security analysis appropriate to their importance. Some OSS projects have many participants, perform in-depth security analyses, and produce software that is widely considered to have high quality and strong security. However, other OSS projects have small teams that have limited time to do the tasks necessary for strong security. The trick is to identify quickly which critical projects fall into the second category.

Core Embedded Linux is focused on finding new requirements or topics for embedded Linux systems. The needs identified by member companies are based on real-world requirements that would best be solved in collaboration with the open source community. The project can be used to research and discuss topics that are not covered by another collaborative project. For example, the Civil Infrastructure Platform project started as an investigation inside the Core Embedded Linux project.

In its first year, The Linux Foundation’s Core Infrastructure Initiative (CII) has awarded $2.5 million in funding to shore up security in open source projects we all use. With our Core Infrastructure Initiative, we’re taking a collaborative, pre-emptive approach to strengthening cybersecurity. Many industry giants have signed on to harden the security of key open source projects.

For distributions like Debian and Fedora, it is essential that the machines used to build binaries distributed to users have not been compromised by attackers. Reproducible builds enable anyone to reproduce bit by bit identical binary packages from a given source, thus enabling anyone to independently verify that a binary matches the source code from which it was said it was derived. Without it, even with software containing carefully audited source code, it is much harder to detect if binaries have been tampered with before they get in the hands of users. Ensuring that no flaws are introduced during the build process greatly improves software security and control. This work has already made significant progress in Debian, and they are making their tools available for Fedora, Ubuntu, OpenWrt and other distributions as well. You can read more about the project at the Reproducible Builds website. You can see current statistics on Debian’s reproducible build project at Overview of various statistics about reproducible builds.

The Linux Foundation hosts DiaMon, a project that aims to improve open source diagnostic and monitoring software. The project creates de facto standards and tools for tracing, monitoring, and diagnostics. It also focuses on increasing interoperability among tools, as well as improving Linux-based tracing, profiling, logging, and monitoring features.

Expat is a stream-oriented XML parser library written in C. It excels with files too large to fit RAM, and where performance and flexibility are crucial. There are a number of applications and libraries using Expat, as well as bindings and 3rd-party wrappers.

Frama-C is an extensible framework for source code analysis. Pascal Cuoq, co-initiator of the Frama-C project and chief scientist and co-founder of TrustInSoft, a company that uses the Frama-C platform to guarantee software has no flaws, will receive a grant to build an open source TIS Interpreter, including all the extensions necessary to support the false-positive-free operation on OpenSSL. This work is based on TIS Analyzer, a commercial software analysis tool based on Frama-C, the extensible open-source framework for source code analysis. One issue impairing TIS Analyzer’s widespread adoption is that it occasionally produces false positives: it can report security errors that are actually false alarms.

The fuzzing software testing technique is an easy and powerful way to identify security problems in software. Security researcher Hanno Böck spearheads The Fuzzing Project, coordinating fuzzing efforts for open source software. The project uses zzuf, Address Sanitizer, and american fuzzy lop to find bugs in open source projects. Many well-known vulnerabilities, including several GnuPG and OpenSSL bugs reported earlier this year, were found by Böck’s efforts

GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP). GnuPG allows you to encrypt and sign your data and communications, and features a versatile key management system as well as access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command-line tool with features for easy integration with other applications. A wealth of front-end applications and libraries are available. Version 2 of GnuPG also provides support for S/MIME and Secure Shell (ssh). Support for one part-time GnuPG developer is being provided with funding from the Core Infrastructure Initiative.

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It’s a service provided by the Internet Security Research Group (ISRG) and hosted by The Linux Foundation. During their beta period from September 2015 through April 2016, they’ve issued more than 1.7 million certificates for more than 3.8 million websites. Let’s Encrypt provides free certificates to anyone who owns a domain name to use Let’s Encrypt to obtain a trusted certificate at zero cost. Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal. Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.

The Linux Foundation provides full-time tech support for the Linux kernel. This includes full-time senior sysadmins, hardware, and software. Prior to The Linux Foundation taking this on, it was done via volunteers. We manage and fund (with our partners) The Linux Kernel Organization, which provides full technical, financial, and staffing support for running and maintaining the infrastructure. We also fund Linus Torvalds and Greg Kroah-Hartman as fellows at The Linux Foundation, with no obligations other than to continue to develop the Linux Kernel.

The Kernel Self Protection Project’s mission is to “eliminate classes of bugs and eliminate methods of exploitation.” To achieve this mission, the project will work to incorporate a variety of security features into the mainline Linux kernel.

The Linux Foundation hosts The Linux Standard Base, which was created to lower the overall costs of supporting the Linux platform. By reducing the differences between individual Linux distributions, the LSB greatly reduces the costs involved with porting applications to different distributions, as well as lowering the cost and effort involved in after-market support of those applications.

Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks. In operation since before 1985, NTP is one of the oldest internet protocols in current use. If you have communicating programs running on different computers, time still should advance if you switch from one computer to another. Obviously, if one system is ahead of the others, the others are behind that particular one. From the perspective of an external observer, switching between these systems would cause time to jump forward and back, a non-desirable effect. Two part-time developers have been sponsored via a grant from the Core Infrastructure Initiative: One works on the core network timecode, and the other works on ntimed, a new client-only implementation of the network time protocol.

The NTPsec project is a secure, hardened, and improved implementation of Network Time Protocol derived from NTP Classic, Dave Mills’s original. NTPsec, as its name implies, is a more secure NTP. We employ best practices and state-of-the art technology in code auditing, verification, and testing to deliver code that can be used with confidence in deployments with the most stringent security, availability, and assurance requirements.

OpenChain is a community effort focused on identifying common best practices in compliance programs that should be applied across a supply chain for efficient and effective compliance with open source licenses.

The Linux Foundation provides hosting of the OpenPrinting project to help with printing under free operating systems like GNU/Linux and the BSDs or under commercial UNIX-like systems such as Solaris and Mac OS X.

OpenSSH is an open source implementation of the SSH protocol that technical users of the Internet rely on. Users of telnet, rlogin, and ftp may not realize that their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions. Like all software, OpenSSH, has occasionally suffered from avulnerability, and it’s important to continually improve and test the software over time.

The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and open source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.

The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It’s also a great tool for experienced pentesters to use for manual security testing.

The R Consortium awarded the first grant in November 2015 to R-Hub, a service for developing, building, testing, and validating R packages. The R Consortium is providing funding for additional initiatives to develop tools and resources for the R user community, bringing total grant funding to $200,000 (as of 3/23/2016).

The Software Package Data Exchange® (SPDX®) specification is a standard format for communicating the components, licenses, and copyrights associated with a software package hosted by The Linux Foundation. The objective of the SPDX Report program is to create a repository of articles to capture and share community knowledge about anything and everything SPDX. For example, this knowledge base covers a diverse collection of topics including (but not limited to) technical issues, best practices, relevant legal topics, tool proposals, adoption strategies and analysis, license compliance considerations, and position papers.

TIS Interpreter, released as open source software in March 2016, uses existing test cases to detect bugs with no false positives, which saves developers time. CII is investing in this work, which combines existing technologies to test this new technique on OpenSSL; if successful, it can be extended to other open source software to help developers better identify potential bugs and improve security.