A month ago we announced the Core Infrastructure Initiative, a project to help fund critical open source projects that we all rely upon but that are in need of support. We moved quickly to organize the initiative and the industry reaction was swift and enthusiastic. I am proud to report on significant progress that I believe matches the quality of the reaction to the formation of the project.
First order of business was electing the Advisory Board, which will help the Steering Group (made up of funders and The Linux Foundation) determine which projects to fund. We are fortunate to have assembled many of the brightest minds in open source, web technology and computer security. I am thrilled to work with these individuals.
They include:
- Alan Cox of the Linux kernel community
- Matt Green of Open Crypto Audit Project
- Dan Meredith of Radio Free Asia’s Open Technology Fund
- Eben Moglen of Software Freedom Law Center
- Bruce Schneier of the Berkman Center for Internet & Society at Harvard Law School
- Eric Sears of The MacArthur Foundation
- and Ted Ts’o of Google, prominent security and kernel hacker
Next we focused on who to initially fund. Working together with the Advisory Board, the Steering Group and open source projects, we’re happy to announce the first projects to be funded from this effort:
- NTP
- OpenSSH
- OpenSSL
- The Open Crypto Audit Project (OCAP) will also receive funding to conduct an audit of OpenSSL
These are important projects that are central to our modern-day computing infrastructure. The support CII gives will enable developers to work within the projects to make improvements and streamline contributions from others. The funds will also go to auditing the code, which will make the developers more effective and improve the quality of the code. Are these the only projects we will fund? Absolutely not. We are in constant review of critical projects. Will our work prevent all future security issues? Of course not. There is no such thing as a quick fix on issues such as these. But we hope that it will make them less frequent and less severe. Will we fund competing projects? I can’t say for sure, but it’s likely, since open source at its heart is about choice and the best technical solution winning. But the investments in these projects will help code quality and support for software that is in use — and will continue to be in use — by millions.
Finally, we are pleased to announce additional members, who include Adobe, Bloomberg, HP, Huawei and salesforce.com. We are grateful to these companies, as well as those previously announced, for their commitment. These companies clearly “get it” and don’t need much selling by me. We are impressed with the level of understanding and commitment from the technology industry.
As we said at launch, the aim of CII is to move from the reactive, crisis-driven responses that characterized Heartbleed to a measured, proactive process to identify and fund those projects that are in need. The ultimate aim of CII is to prevent these crises from happening in the first place. I am thrilled that we now have a forum to connect those in need with those with the funds. I am also thankful that the industry has stepped up to fund these important projects and work hand in hand with industry experts to improve the critical infrastructure we all rely upon.