Linux Foundation: The internet is crumbling

Foundation says poorly paid open source developers are struggling to maintain web

The open source infrastructure of the internet is crumbling because of poor maintenance, the Linux Foundation warned today.

Likening open source to the "roads and bridges of the internet", Linux Foundation CTO Nicko van Someren said that underpaid developers are struggling to patch dangerous bugs and keep the open aspects of the web up to date.

Speaking at Cloud Expo Europe, van Someren told delegates: "These pieces of software that form the roads and bridges of the internet are actually quite old pieces of infrastructure and they're not necessarily being looked at by that many people.

"Our bridges and roads are crumbling because we are not spending enough time and effort and money looking after these pieces of infrastructure."

Advertisement - Article continues below

One example he gave was the developers maintaining cryptographic tool OpenSSL receiving just $2,000 in donations in 2014, which the OpenSSL Software Foundation has derided as "nowhere near enough" to pay for people to look after code properly.

Until recently, van Someren added, NTP engineers could expect to earn just $25,000 a year.

Such underinvestment has allowed damaging bugs like Poodle, Bash and Heartbleed to proliferate, the CTO warned.

"We've got this great community of people building these things but then once they're built they often sit there and they crumble and there's nobody to do the maintenance work on," he said.

Heartbleed, which targeted a flaw in OpenSSL, became a "wake-up call" for open source engineers, van Someren argued, leading the Linux Foundation to launch the Core Infrastructure Initiative in response.

"We said we've got to do something about this'," he told delegates. With 20 leading tech giants like Google signed up, the CII seeks to work collaboratively to tackle open source bugs, with plans to sign up non-tech firms like banks and public bodies who also rely on open source software.

The Linux Foundation has also identified four key schemes it wants to address outside of the CII. The first is to identify open source projects at risk of crumbling.

"We have engaged in a census project to locate open source projects and try to identify the ones at risk. Identifying the code that is complex, whether it's well-maintained, whether it has people maintaining it, whether the projects are responsive to security vulnerabilities that are reported to them, whether they have a threat model in place, documentation about how they handle their security process," van Someren said.

The second is a badge programme the Linux Foundation plans to introduce to certify open source projects as secure, while the third will see the foundation try to educate developers in the value of abiding by more secure practices when putting together their code.

Lastly, the Linux Foundation will build "shared tools and resources that we can make available to developers for free", said van Someren.

Featured Resources

The essential guide to cloud-based backup and disaster recovery

Support business continuity by building a holistic emergency plan

Download now

Trends in modern data protection

A comprehensive view of the data protection landscape

Download now

How do vulnerabilities get into software?

90% of security incidents result from exploits against defects in software

Download now

Delivering the future of work - now

The CIO’s guide to building the unified digital workspace for today’s hybrid and multi-cloud strategies.

Download now



Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019
open source

View from the airport: Linux Open Networking Summit 2019

1 Oct 2019

What is open source?

13 Sep 2019

Best antivirus for Windows 10

3 Sep 2019

Most Popular

Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Amazon Web Services (AWS)

What to expect from AWS Re:Invent 2019

29 Nov 2019

Raspberry Pi 4 owners complain of broken Wi-Fi when using HDMI

29 Nov 2019
Google Android

Samsung Galaxy A90 5G review: Simply the best value 5G phone

22 Nov 2019