Linux Foundation: The internet is crumbling

Foundation says poorly paid open source developers are struggling to maintain web

The open source infrastructure of the internet is crumbling because of poor maintenance, the Linux Foundation warned today.

Likening open source to the "roads and bridges of the internet", Linux Foundation CTO Nicko van Someren said that underpaid developers are struggling to patch dangerous bugs and keep the open aspects of the web up to date.

Speaking at Cloud Expo Europe, van Someren told delegates: "These pieces of software that form the roads and bridges of the internet are actually quite old pieces of infrastructure and they're not necessarily being looked at by that many people.

"Our bridges and roads are crumbling because we are not spending enough time and effort and money looking after these pieces of infrastructure."

Advertisement - Article continues below
Advertisement - Article continues below

One example he gave was the developers maintaining cryptographic tool OpenSSL receiving just $2,000 in donations in 2014, which the OpenSSL Software Foundation has derided as "nowhere near enough" to pay for people to look after code properly.

Until recently, van Someren added, NTP engineers could expect to earn just $25,000 a year.

Such underinvestment has allowed damaging bugs like Poodle, Bash and Heartbleed to proliferate, the CTO warned.

"We've got this great community of people building these things but then once they're built they often sit there and they crumble and there's nobody to do the maintenance work on," he said.

Heartbleed, which targeted a flaw in OpenSSL, became a "wake-up call" for open source engineers, van Someren argued, leading the Linux Foundation to launch the Core Infrastructure Initiative in response.

"We said we've got to do something about this'," he told delegates. With 20 leading tech giants like Google signed up, the CII seeks to work collaboratively to tackle open source bugs, with plans to sign up non-tech firms like banks and public bodies who also rely on open source software.

Advertisement - Article continues below

The Linux Foundation has also identified four key schemes it wants to address outside of the CII. The first is to identify open source projects at risk of crumbling.

"We have engaged in a census project to locate open source projects and try to identify the ones at risk. Identifying the code that is complex, whether it's well-maintained, whether it has people maintaining it, whether the projects are responsive to security vulnerabilities that are reported to them, whether they have a threat model in place, documentation about how they handle their security process," van Someren said.

The second is a badge programme the Linux Foundation plans to introduce to certify open source projects as secure, while the third will see the foundation try to educate developers in the value of abiding by more secure practices when putting together their code.

Lastly, the Linux Foundation will build "shared tools and resources that we can make available to developers for free", said van Someren.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now



Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019
operating systems

Best Linux distros 2019

24 Dec 2019

Best free malware removal tools 2019

23 Dec 2019
open source

View from the airport: Linux Open Networking Summit 2019

1 Oct 2019

Most Popular

operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020
General Data Protection Regulation (GDPR)

Data protection fines hit £100m during first 18 months of GDPR

20 Jan 2020