Posts Tagged 'cii'

#HEARTBLEED was 5 years ago.

I was reading through my old handwritten tech notebooks this morning, searching for some details on a Windows problem I know I’ve had before. I noticed an entry for March 28th, 2014 on the latest bug tracker list from Red Hat. One of the items on the list from the week before was the #Heartbleed bug in OpenSSL.


In less than a couple of weeks, Jim Zemlin from the Linux Foundation contacted John Hull in the open source team at Dell, who passed the call to me. I was happy to tell Jim we’d be happy to sign up; I got voice approval for the spending commitment, and the job was done.

The Core Infrastructure Initiative (CII) was announced on April 24th, 2014. One of the first priorities was how to build a more solid base for funding and enabling open source developers. The first projects to receive funding were announced on April 26th, 2014 with remarkable speed.

Five years later I’m delighted to see Dell are still members, along with the major tech vendors, especially and unsurprisingly, Google. Google employees have made substantial commitments both to CII and to open projects in general. I remember with great appreciation many of the contributions made by the then steering committee members, especially, but not limited to, Ben Laurie and Bruce Schneier.

This blog, on synopsis.com, has a summary, entitled Heartbleed: OpenSSL vulnerability lives on. May 2, 2017.

My blog entries on Heartbleed and CII are here, here, and here.

There is still much to be concerned about. There are still many unpatched Apache HTTPD servers, especially versions 2.2.22 and 2.2.15, accessible on the Internet.

Remember, just because you don’t see software, it doesn’t mean it isn’t there.

Linux Foundation Core Infrastructure Initiative

In a discussion recently I was asked about the Linux Foundation Converged Infrastructure Initiative and if it was still active.

Indeed it is. They’ve made some great progress on funding and supporting open source projects, and there are some interesting developments coming before the end of the year. CII has funded a number of projects through their grants process; you can read more about some of the projects, and help with prioritization.

It’s not the nature of the CII to broadcast its work; the best measure of success is no vulnerabilities in the projects they are supporting. Projects funded following on from the initial OpenSSL include:

  • Network Time Protocol (NTP)
  • GnuPG
  • OpenSSH
  • Debian Reproducible Builds
  • The Fuzzing Project
  • False-Positive-Free Testing with Frama-C

Details of the grants etc. are here. Also, I’ve finally added my profile to the CII web site, as seen here.

OpenSSL and the Linux Foundation

Former colleague and noted open source advocate Simon Phipps recently reblogged to his webmink blog a piece that was originally written for meshedinsights.com.

I committed Dell to support the Linux Foundation Converged Infrastructure Initiative (CII) and attended a recent day-long board meeting with other members to discuss next steps. I’m sure you understand, Simon, but for the benefit of readers, here are just two important clarifications.

By joining the Linux Foundation CII initiative, your company can contribute to helping fund developers of OpenSSL and similar technologies directly through Linux Foundation Fellowships. This is in effect the same as you (Simon) are suggesting, having companies hire experts. The big difference is, the Linux Foundation helps the developers stay independent and removes them from the current need to fund their work through the (for profit) OpenSSL Software Foundation (OSF). They also remain independent of a large company’s controlling interest.

Any expansion of the OpenSSL team depends on the team itself being willing and able to grow the team. We need to be mindful of Brooks’s Mythical Man-Month. Having experts outside the team producing fixes and updates faster than they can be consumed (reviewed, tested, verified, packaged and shipped) just creates a fork, if not adopted by the core.

I’m hopeful that this approach will pay off. The team need to produce at least an abstract roadmap for bug fix adoption, code cleanup and features, and I look forward to seeing this. The Linux Foundation CII initiative is not limited to OpenSSL, but that is clearly the first item on the list.

About & Contact

I'm Mark Cathcart, formally a Senior Distinguished Engineer in Dell's Software Group; before that, Director of Systems Engineering in the Enterprise Solutions Group at Dell. Prior to that, I was IBM Distinguished Engineer and member of the IBM Academy of Technology. I am a Fellow of the British Computer Society (bsc.org). I'm an information technology optimist.


I was a member of the Linux Foundation Core Infrastructure Initiative Steering committee. Read more about it here.
