
The Linux Foundation’s Core Infrastructure Initiative Announces New Backers, First Projects to Receive Support and Advisory Board Members


News Highlights

* Additional founding members Adobe, Bloomberg, HP, Huawei and salesforce.com join CII

* Network Time Protocol, OpenSSH and OpenSSL first projects to receive support; Open Crypto Audit Project to conduct security audit of OpenSSL

* Advisory Board members include longtime Linux kernel developer and open source advocate Alan Cox; Matt Green of Open Crypto Audit Project; Dan Meredith of the Radio Free Asia’s Open Technology Fund; Eben Moglen of Software Freedom Law Center; Bruce Schneier of the Berkman Center for Internet & Society at Harvard Law School; Eric Sears of the MacArthur Foundation; and Ted Ts’o of Google and the Linux kernel community

SAN FRANCISCO, May 29, 2014 – The Core Infrastructure Initiative (CII), a project hosted by The Linux Foundation that enables technology companies, industry stakeholders and esteemed developers to collaboratively identify and fund open source projects that are in need of assistance, today announced five new backers, the first projects to receive funding from the Initiative and the Advisory Board members who will help identify critical infrastructure projects most in need of support.

CII provides funding for fellowships for key developers to work full-time on open source projects, security audits, computing and test infrastructure, travel, face-to-face meeting coordination and other support. The Steering Committee, comprised of members of the Initiative, and the Advisory Board of industry stakeholders and esteemed developers, are tasked with identifying underfunded open source projects that support critical infrastructure, and administering the funds through The Linux Foundation.

The computing industry has increasingly come to rely upon shared source code to foster innovation. But as this shared code has become ever more critical to society and more complex to build and maintain, there are certain projects that have not received the level of support commensurate with their importance. CII changes funding requests from the reactive post-crisis asks of today to proactive reviews identifying the needs of the most important projects. By raising funds at a neutral organization like The Linux Foundation, the industry can effectively give these projects the support they need while ensuring that open source projects retain their independence and community-based dynamism.

“All software development requires support and funding. Open source software is no exception and warrants a level of support on par with the dominant role it plays supporting today’s global information infrastructure,” said Jim Zemlin, executive director at The Linux Foundation. “CII implements the same collaborative approach that is used to build software to help fund the most critical projects. The aim of CII is to move from the reactive, crisis-driven responses to a measured, proactive way to identify and fund those projects that are in need. I am thrilled that we now have a forum to connect those in need with those with funds.”

Additional Backers Represent Overwhelming Support for Open Source Projects

Additional founding members of CII include Adobe, Bloomberg, HP, Huawei and salesforce.com. These companies represent the ongoing and overwhelming support for the open source software that provides the foundation for today’s global infrastructure. They join other members of CII who include Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace and VMware. Comments from some of the newest members are included below.

Range of Projects Prioritized for First Round of Funding

Upon an initial review of critical open source software projects, the CII Steering Committee has prioritized Network Time Protocol, OpenSSH and OpenSSL for the first round of funding. OpenSSL will receive funds from CII for two full-time core developers. The OpenSSL project is accepting additional donations, which can be coordinated directly with the OpenSSL Foundation (contact at info@opensslfoundation.com).

The Open Crypto Audit Project (OCAP) will also receive funding in order to conduct a security audit of the OpenSSL code base. Other projects are under consideration and will be funded as assessments are completed and budget allows.

Esteemed Industry Experts Will Advise CII on Projects Most in Need

The CII Advisory Board will inform the CII Steering Committee about the open source projects most in need of support. With highly esteemed experts from the developer, security and legal communities, the CII Advisory Board plays an important role in prioritizing projects and individuals who are building the software that runs our lives.

Alan Cox is a longtime Linux kernel developer and has been recognized by the Free Software Foundation for advancing free software.

Matthew Green is a Research Professor of Computer Science at the Johns Hopkins University and a co-founder of the Open Crypto Audit Project. His research focuses on computer security and cryptography, and particularly the way that cryptography can be used to promote individual privacy.

“Whether we acknowledge it or not, the security of today’s Internet depends on a small number of open source projects. This initiative puts the resources in place to ensure the long-term viability of those projects. It makes us all more secure,” said Green.

Dan Meredith is a director at Radio Free Asia’s Open Technology Fund. He has been an activist and technologist exploring emerging trends intersecting human rights, transparency, global communication policy, the Internet, and information security for over a decade.

Eben Moglen is a professor of law and legal history at Columbia University and is the founder, director-counsel and chairman of Software Freedom Law Center. He is considered the foremost expert on open source legal practices and represents a variety of open source projects and developers.

Bruce Schneier is a fellow at the Berkman Center for Internet & Society at Harvard Law School and a well-recognized expert on computer security and privacy. He is also a fellow at New America Foundation’s Open Technology Institute.

Schneier commented on the Core Infrastructure Initiative: “This is an important step towards improving the security of the Internet. I’m happy to see the technology companies that rely on the security of open source software investing in that security.”

Eric Sears is a Program Officer for Human Rights for MacArthur Foundation. His grant-making portfolio includes efforts to strengthen digital free expression and privacy through advancing a more open and secure Internet.

Ted Ts’o has been recognized as the first Linux kernel developer in North America and today is a file system developer at Google who is also the Linux /dev/random maintainer.

Member Comments

Adobe

“Adobe believes that open development and open source software are fundamental building blocks for software development,” said Dave McAllister, director of open source at Adobe. “The Core Infrastructure Initiative allows us to extend our support through a neutral forum that can prioritize underfunded yet critical projects. We’re excited to be a part of this work.”

Bloomberg

“Open source software provides a critical foundation for the technologies we build for our clients,” said Shawn Edwards, CTO, Bloomberg. “We are proud to support the Core Infrastructure Initiative so we can contribute to building the foundational technologies that make future innovation possible.”

HP

“HP strongly believes in the quality of open source software, as evidenced by its use, participation in, and support of open source projects and software,” said Eileen Evans, vice president and deputy general counsel, cloud and open source, HP. “As a member of the Core Infrastructure Initiative, HP will lend its expertise and resources to further improve the technology of open source global information infrastructure, and in particular, work to reduce the likelihood of security-related incidents.”

Salesforce.com

“Open source software has fueled the advancements we’ve seen over the last decade in cloud and mobile computing,” said Parker Harris, co-founder, salesforce.com. “That is why supporting the Linux Foundation’s Core Infrastructure Initiative is an absolute necessity in today’s software industry, and salesforce.com is delighted to contribute to this effort and foster the next generation of open source computing innovation.”

Anyone can donate to the Core Infrastructure Initiative fund. To join, donate or find out more information about the Core Infrastructure Initiative, please visit https://www.linuxfoundation.org/programs/core-infrastructure-initiative

About The Linux Foundation

The Linux Foundation is a nonprofit consortium dedicated to fostering the growth of Linux and collaborative software development. Founded in 2000, the organization sponsors the work of Linux creator Linus Torvalds and promotes, protects and advances the Linux operating system and collaborative software development by marshaling the resources of its members and the open source community. The Linux Foundation provides a neutral forum for collaboration and education by hosting Collaborative Projects, Linux conferences, including LinuxCon and generating original research and content that advances the understanding of Linux and collaborative software development. More information can be found at http://www.linuxfoundation.org.

The Linux Foundation, Linux Standard Base, MeeGo, Tizen and Yocto Project are trademarks of The Linux Foundation. OpenBEL is a trademark of OpenBEL Consortium. OpenDaylight is a trademark of the OpenDaylight Project, Linux is a trademark of Linus Torvalds

# # #

Thales Joins Linux Foundation’s Core Infrastructure Initiative


New Gold Member Partners with CII to Improve Internet Security and Fortify Open Source Infrastructure

San Francisco, June 6, 2017 – The Core Infrastructure Initiative (CII), a project managed by The Linux Foundation that collaboratively works to improve the security and resilience of critical open source projects, today announced that Thales is joining as a new gold member.

A leader in critical information systems, cybersecurity and data security, Thales offers advanced data security solutions and services, delivering trust wherever information is created, shared or stored. It is recognized for its deep information and cryptographic security expertise that enables organizations to confidently accelerate their digital transformation. Thales technology is found right across the enterprise, in financial services, retail, healthcare and government and secures more than 80% of debit card transactions around the world.

The CII’s mission is to ensure that the open source code that underpins business today is secure and resilient. Many of the world’s largest technology companies already belong to CII, and Thales is the first global security business to join the initiative.

“CII is incredibly excited to see our membership base expand and add a security-focused company like Thales, which has a vast understanding of the complex information technology demands we face in today’s digital world,” said Nicko van Someren, CII Executive Director. “Its investment validates the importance of CII and is a great vindication of our work to security harden open source infrastructure to combat today’s complicated threat landscape.”

“Thales has implemented open source building blocks and standards both internally and for customers for two decades,” said Jon Geater, Chief Technology Officer at Thales e-Security. “Open Source in general and Linux in particular have become core to delivery of modern products and systems, offering distinct utility, cost and performance advantages that we increasingly leverage to solve real-world problems. By joining CII we can bring our expertise and focus on security to bear on strengthening core open source infrastructure and working to eliminate the security weaknesses that can emerge from less well maintained or directed inclusion of Open Source technology into products and infrastructure in the Cloud and IoT era. This shared vision of Thales and the Linux Foundation is critical to Thales’s strategic development objectives, our ability to serve our customers, and to improving the state of the Connected World more generally.”

CII recently celebrated its three-year anniversary and announced a new governance structure to enable it to scale up its operations going forward.

About Thales e-Security

Thales e-Security is the leader in advanced data security solutions and services, delivering trust wherever information is created, shared or stored. We ensure that company and government data is secure and trusted in any environment – on premise, in the cloud, in data centers and in big data environments – without sacrificing business agility. Security doesn’t just reduce risk, it’s an enabler of the digital initiatives that now permeate our daily lives – digital money, e-identities, healthcare, connected cars and with the internet of things (IoT) even household devices. Thales provides everything an organization needs to protect and manage its data, identities and intellectual property and meet regulatory compliance – through encryption, advanced key management, tokenization, privileged user control and meeting the highest standards of certification for high assurance solutions. Security professionals around the globe rely on Thales to confidently accelerate their organization’s digital transformation. Thales e-Security is part of Thales Group. www.thales-esecurity.com

About Thales

Thales is a global technology leader for the Aerospace, Transport, Defense and Security markets. With 64,000 employees in 56 countries, Thales reported sales of €14.9 billion in 2016. With over 25,000 engineers and researchers, Thales has a unique capability to design and deploy equipment, systems and services to meet the most complex security requirements. Its exceptional international footprint allows it to work closely with its customers all over the world.

About The Core Infrastructure Initiative

CII is a multimillion-dollar project that funds and supports critical open source elements of the global information infrastructure. It is organized by The Linux Foundation and supported by Amazon Web Services, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Google, Hitachi, Huawei, Intel, Microsoft, NetApp, NEC, salesforce.com, and VMware. Moving beyond funding projects, CII is introducing preemptive tools and programs to help the open source ecosystem and the companies who support it deploy secure coding practices. For more information, please visit: https://www.coreinfrastructure.org/.


###


OpenSSL Re-licensing to Apache License v. 2.0 To Encourage Broader Use with Other FOSS Projects and Products


OpenSSL Launches New Website to Organize Process, Seeks to Contact All Contributors

SAN FRANCISCO, March 23, 2017 — The OpenSSL project, home of the world’s most popular SSL/TLS and cryptographic toolkit, is changing its license to the Apache License v 2.0 (ASLv2). As part of this effort, the OpenSSL team launched a new website and has been working with various corporate collaborators to facilitate the re-licensing process.

“This re-licensing activity will make OpenSSL, already the world’s most widely-used FOSS encryption software, more convenient to incorporate in the widest possible range of free and open source software,” said Mishi Choudhary, Legal Director of Software Freedom Law Center (SFLC) and counsel to OpenSSL. “OpenSSL’s team has carefully prepared for this re-licensing, and their process will be an outstanding example of ‘how to do it right.’ SFLC is pleased to have been able to help the team bring this process to this point, and looks forward to its successful and timely completion.”

The website will aid the OpenSSL team’s efforts to contact everyone who has contributed to the project so far, which includes nearly 400 individuals with a total of more than 31,000 commits. The current license dates back to the 1990s and is more than 20 years old. The open source community has grown and changed since then, and has mostly settled on a small number of standard licenses.

After careful review, consultation with other projects, and input from the Core Infrastructure Initiative and legal counsel from the SFLC, the OpenSSL team decided to relicense the code under the widely-used ASLv2.

“The Linux Foundation is excited to see the OpenSSL project re-licensing under the Apache License,” said Nicko van Someren, Chief Technology Officer, the Linux Foundation. “Using a standard and well-understood license is a huge benefit when incorporating a FOSS project into other projects and products. OpenSSL has made huge progress in recent years, in part through support from the Linux Foundation’s Core Infrastructure Initiative, and this license move will further help to ensure it remains one of the most important and relied-upon open source projects in the world.”

The website contains a list of every email address mentioned in every single commit, a searchable database of authors, and the ability to send email and approve the license change. Because email addresses change, the website will also be updated over time to record email bounces and the names of people the project is still trying to reach.

“Oracle is proud to extend its collaboration with the OpenSSL Foundation by relicensing its contributions of elliptic curve cryptography,” said Jim Wright, Chief Architect of Open Source Policy, Strategy, Compliance and Alliances, Oracle. “OpenSSL is a critical component in both Oracle products and the infrastructure of the Internet, and we strongly believe the increased use of cryptography fostered by OpenSSL will benefit the entire enterprise software community.”

“Intel is thrilled to see OpenSSL moving to the standard Apache 2.0 license, improving license compatibility within the Open Source ecosystem,” said Imad Sousou, Vice President and General Manager of the Open Source Technology Center, Intel. “This will help defragment the open source cryptography ecosystem, leading to stronger and more pervasive use of crypto to improve privacy and security in the global technology infrastructure.”

Additional details on the decision to move to ASLv2 are available here. For progress updates on re-licensing, which is expected to take several months, check the website and project mailing lists.

To reach the OpenSSL team involved in this effort, email license@openssl.org. The team also asks anyone who knows of other people who should be contacted, such as “silent collaborators” on code contributions, to send email as well.

The Linux Foundation’s Core Infrastructure Initiative Renews Funding for Reproducible Builds Project


Grant Helps Fund New Developers Working on Debian GNU/Linux and FreeBSD to Improve Software Security and Control

SAN FRANCISCO, November 11, 2016 — The Core Infrastructure Initiative (CII), a project managed by The Linux Foundation that enables technology companies, industry stakeholders and developers to collaboratively identify, fund and improve the security of critical open source projects, today announced continued financial support for the Reproducible Builds Project.

The grant extends the contribution to include Debian developers Chris Lamb, Mattia Rizzolo, Ximin Luo and Vagrant Cascadian, as well as extending funding for Holger Levsen. Furthermore, this contribution adds support for Ed Maste, working with FreeBSD.

While anyone can inspect the source code of free software for malicious flaws, most Linux distributions provide binary (or compiled) packages to end users. The motivation behind “reproducible” builds is to allow verification that no flaws have been introduced during the compilation process, by ensuring that identical binary packages are generated from a given source. This prevents the installation of backdoor-introducing malware on developers’ machines, as an attacker would need to simultaneously infect all developers attempting to reproduce the build.

“Ensuring that no flaws are introduced during the build process greatly improves software security and control,” said Lamb. “Our work has already made significant progress in Debian GNU/Linux, and we are making our tools available for Fedora, Guix, Ubuntu, OpenWrt and other distributions. Support from CII will allow us to expand our efforts to work on longer-term commitments such as upstream patches requiring significant technical and time investment, as well as work on the infrastructure required to make Reproducible Builds both meaningful and approachable for end-users.”

Technical advantages of a reproducible build include removing unsafe behavior, such as downloading third-party code from the internet, detecting corrupted build environments, reducing time-to-detection of a build host compromise, as well as numerous other debugging and testing advantages.

Last year CII funded Levsen and Jérémy Bobbio’s efforts to eliminate unneeded variations from the build processes of thousands of free software projects. They also delivered new tools to understand the source of these differences and an infrastructure update to allow developers to independently verify the authenticity of binary distributions. Their efforts, combined with those from the rest of the Reproducible Builds Project, have resulted in 91% of the packages within the Debian testing distribution becoming reproducible.
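The verification the paragraphs above describe, as an added example that is not part of the original announcement and not the Reproducible Builds Project's or Debian's own tooling: a toy "build" that packs a source tree into a tar archive is run on three simulated hosts, one of which silently alters a file. Built naively, wall-clock timestamps leak into the output and the honest hosts already disagree, so the altered output is lost in the noise; built with member order and timestamps pinned (the SOURCE_DATE_EPOCH convention), honest hosts agree bit-for-bit and the single differing output is exactly the discrepancy worth investigating. The source tree, timestamps, host names and the injected change are all constructed for the illustration.

```python
"""Reproducible-build illustration (added example, not Reproducible Builds code)."""
from collections import Counter
import hashlib
import io
import tarfile
import time

# Constructed sample source tree (path -> contents).
SOURCE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/util.c": b"int helper(void) { return 1; }\n",
    "Makefile": b"all:\n\tcc src/*.c -o app\n",
}
# Constructed: what a compromised build host might substitute for src/main.c.
TAMPERED_MAIN = b"int main(void) { return 0; } /* injected */\n"
# Constructed release timestamp; the value a project would export as
# SOURCE_DATE_EPOCH so every builder stamps files with the same time.
RELEASE_EPOCH = 1_478_822_400


def build(source, source_date_epoch=None, now=None, main_override=None):
    """Pack `source` into a tar archive and return its bytes.

    With source_date_epoch=None the member mtimes come from the wall clock,
    the classic cause of irreproducibility. A pinned epoch plus sorted
    member order and fixed ownership makes the archive a pure function of
    its inputs. main_override simulates a compromised host altering a file.
    """
    files = dict(source)
    if main_override is not None:
        files["src/main.c"] = main_override
    if now is None:
        now = time.time()
    mtime = int(source_date_epoch if source_date_epoch is not None else now)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path in sorted(files):          # fixed order, not filesystem order
            data = files[path]
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mtime = mtime
            info.uid = info.gid = 0         # no host-specific ownership
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digest(artifact: bytes) -> str:
    """SHA-256 of a build output, the value independent builders publish."""
    return hashlib.sha256(artifact).hexdigest()


def compare_builders(digests):
    """digests: builder name -> sha256 of its output.

    Returns (all_agree, outliers), outliers being the builders whose output
    differs from the most common result. With pinned inputs an outlier is a
    genuine discrepancy (bad environment or compromised host), not clock noise.
    """
    if not digests:
        return True, []
    consensus = Counter(digests.values()).most_common(1)[0][0]
    outliers = sorted(n for n, d in digests.items() if d != consensus)
    return len(outliers) == 0, outliers


def demo():
    t_a, t_b = 1_478_900_000, 1_478_900_060   # two honest hosts, a minute apart
    # 1. Naive build: timestamps leak into the output, the honest hosts
    #    already disagree and the tampered host cannot be told apart.
    naive = compare_builders({
        "hostA": digest(build(SOURCE, now=t_a)),
        "hostB": digest(build(SOURCE, now=t_b)),
        "hostC": digest(build(SOURCE, now=t_b, main_override=TAMPERED_MAIN)),
    })
    # 2. Normalised build: SOURCE_DATE_EPOCH pinned; honest hosts agree
    #    bit-for-bit, so only the tampered host stands out.
    normalised = compare_builders({
        "hostA": digest(build(SOURCE, source_date_epoch=RELEASE_EPOCH, now=t_a)),
        "hostB": digest(build(SOURCE, source_date_epoch=RELEASE_EPOCH, now=t_b)),
        "hostC": digest(build(SOURCE, source_date_epoch=RELEASE_EPOCH, now=t_b,
                              main_override=TAMPERED_MAIN)),
    })
    # 3. Normalised build with no tampering: fully reproducible.
    honest = compare_builders({
        h: digest(build(SOURCE, source_date_epoch=RELEASE_EPOCH, now=t))
        for h, t in (("hostA", t_a), ("hostB", t_b), ("hostC", t_b))
    })
    return naive, normalised, honest


if __name__ == "__main__":
    for label, (agree, outliers) in zip(("naive", "normalised", "honest"), demo()):
        print(f"{label:10s} all_agree={agree} outliers={outliers}")
```

The check mirrors the argument in the text: once a build is a pure function of its source, any single host producing a different artifact is evidence, and an attacker who wants the backdoor to go unnoticed would have to compromise every host that rebuilds and compares. Real build systems have many more sources of variation than a tar archive (compiler paths, locale, parallelism, embedded build IDs), which is what the project's tools exist to find and remove.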

About The Core Infrastructure Initiative

CII is a multimillion-dollar project that funds and supports critical elements of the global information infrastructure. It is organized by The Linux Foundation and supported by Amazon Web Services, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Google, Hitachi, HP, Huawei, IBM, Intel, Microsoft, NetApp, NEC, Qualcomm, RackSpace, salesforce.com, and VMware. Moving beyond funding projects, CII is introducing preemptive tools and programs to help the open source ecosystem and the companies who support it deploy secure coding practices. For a full list of CII grantees, please visit: https://www.coreinfrastructure.org/grants.

About The Linux Foundation

The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and commercial adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.

# # #

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

The Linux Foundation’s Core Infrastructure Initiative Invests in Security Tool for Identifying Web Application Vulnerabilities


Grant Accelerates Work to Deliver OWASP ZAP as a Service, Making it Accessible to More Developers

SAN FRANCISCO, June 3, 2016 – The Core Infrastructure Initiative (CII), a project managed by The Linux Foundation that enables technology companies, industry stakeholders and esteemed developers to collaboratively identify, fund and improve the security of critical open source projects, today announced it is investing in the Open Web Application Security Project Zed Attack Proxy project (OWASP ZAP).

This testing tool helps developers automatically find security vulnerabilities in web applications during development and testing. Both easy to use and freely available, it appeals to a wide range of users with varying security knowledge, even first-time testers.

CII’s sponsorship adds a full-time core developer to work on accelerating ZAP as a Service, which will allow ZAP to also be deployed as a long running, highly scalable, distributed service accessed by multiple users with different roles.

Recently voted the most preferred open source testing tool for the second time in three years by users and ToolsWatch readers, OWASP ZAP is one of the world’s most popular security tools. Hundreds of volunteers around the globe help to continually improve and enhance OWASP ZAP, according to Project Lead Simon Bennetts, who works for Mozilla as part of its security team.

“OWASP ZAP is a proven and powerful security tool that will gain even broader applicability with an increase in dedicated resources,” said Emily Ratliff, senior director of infrastructure security, The Linux Foundation. “CII is excited to help advance work that’s already underway to run ZAP in new, different ways, especially in partnership with like-minded organizations like OWASP and Mozilla as they work to ensure the Internet is a safe, global resource.”

OWASP ZAP joins OpenSSL, OpenSSH, NTPd and the other fundamental projects CII and its members invest in to encourage software development best practices and secure coding processes.

“The CII grant has had an immediate impact on OWASP ZAP. We’ve added a developer, improved coding best practices, set up a predictable release schedule and roadmap and performed audits to help future-proof our code,” said Bennetts.

“I’m very excited to see ZAP get the commitment of a full time developer,” said Michael Coates, former chairperson of the OWASP board, a not-for-profit that ensures ongoing availability and support for OWASP. “ZAP is a pivotal tool for use in assessing the security of a web site. As an open source project that is free for everyone to use, the commitment of development resources from CII will greatly advance its capabilities and usability for all.”

“With a service-based offering, ZAP will extend itself to a whole new level of maturity and usability that will amplify its value to the community,” said Matt Konda, chair of the OWASP Board of Directors. “Even more than that, ZAP continues to be a model for what OWASP can achieve.”

CII funds projects that help the open source community’s ability to deliver and maintain secure code. Additionally, communication security is a critical need, so funding is also prioritized for projects that improve related, often at-risk services like embedded, IoT, mobile, server and web applications. To submit a grant proposal, apply online using the CII grants management solution. Funding decisions are made on a rolling basis, so grants are issued at any time.

About Core Infrastructure Initiative

CII is a multimillion-dollar project that funds and supports critical elements of the global information infrastructure. It is organized by The Linux Foundation and supported by Amazon Web Services, Adobe, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Google, Hitachi, HP, Huawei, IBM, Intel, Microsoft, NetApp, NEC, Qualcomm, RackSpace, salesforce.com, and VMware. Moving beyond funding projects, CII is introducing pre-emptive tools and programs to help the open source ecosystem and the companies who support it deploy secure coding practices. For a full list of CII grantees, please visit: https://www.coreinfrastructure.org/grants.


###

The Linux Foundation and Linux Standard Base are trademarks of the Linux Foundation. Linux is a trademark of Linus Torvalds.