Linux Foundation: The internet is crumbling

Foundation says poorly paid open source developers are struggling to maintain web

The open source infrastructure of the internet is crumbling because of poor maintenance, the Linux Foundation warned today.

Likening open source to the "roads and bridges of the internet", Linux Foundation CTO Nicko van Someren said that underpaid developers are struggling to patch dangerous bugs and keep the open aspects of the web up to date.

Speaking at Cloud Expo Europe, van Someren told delegates: "These pieces of software that form the roads and bridges of the internet are actually quite old pieces of infrastructure and they're not necessarily being looked at by that many people.

"Our bridges and roads are crumbling because we are not spending enough time and effort and money looking after these pieces of infrastructure."

One example he gave was the developers maintaining cryptographic tool OpenSSL receiving just $2,000 in donations in 2014, which the OpenSSL Software Foundation has derided as "nowhere near enough" to pay for people to look after code properly.

Until recently, van Someren added, NTP engineers could expect to earn just $25,000 a year.

Such underinvestment has allowed damaging bugs like Poodle, Bash and Heartbleed to proliferate, the CTO warned.

"We've got this great community of people building these things but then once they're built they often sit there and they crumble and there's nobody to do the maintenance work on," he said.

Heartbleed, which targeted a flaw in OpenSSL, became a "wake-up call" for open source engineers, van Someren argued, leading the Linux Foundation to launch the Core Infrastructure Initiative in response.

"We said we've got to do something about this'," he told delegates. With 20 leading tech giants like Google signed up, the CII seeks to work collaboratively to tackle open source bugs, with plans to sign up non-tech firms like banks and public bodies who also rely on open source software.

The Linux Foundation has also identified four key schemes it wants to address outside of the CII. The first is to identify open source projects at risk of crumbling.

"We have engaged in a census project to locate open source projects and try to identify the ones at risk. Identifying the code that is complex, whether it's well-maintained, whether it has people maintaining it, whether the projects are responsive to security vulnerabilities that are reported to them, whether they have a threat model in place, documentation about how they handle their security process," van Someren said.

The second is a badge programme the Linux Foundation plans to introduce to certify open source projects as secure, while the third will see the foundation try to educate developers in the value of abiding by more secure practices when putting together their code.

Lastly, the Linux Foundation will build "shared tools and resources that we can make available to developers for free", said van Someren.

Featured Resources

Humility in AI: Building trustworthy and ethical AI systems

How humble AI can help safeguard your business

Download now

Future of video conferencing

Optimising video conferencing features to achieve business goals

Download now

Leadership compass: Privileged Access Management

Securing privileged accounts in a high-risk environment

Download now

Why you need to include the cloud in your disaster recovery plan

Preserving data for business success

Download now

Recommended

New Trickbot variant can interfere with UEFI and BIOS
malware

New Trickbot variant can interfere with UEFI and BIOS

3 Dec 2020
Most Docker container images have critical flaws
containers

Most Docker container images have critical flaws

2 Dec 2020
How to automate your infrastructure with Ansible
automation

How to automate your infrastructure with Ansible

2 Dec 2020
Log-On Wave for IBM Z simplifies highly virtualized environments
virtualisation

Log-On Wave for IBM Z simplifies highly virtualized environments

16 Nov 2020

Most Popular

Samsung Galaxy Note might be discontinued in 2021
Mobile Phones

Samsung Galaxy Note might be discontinued in 2021

1 Dec 2020
Microsoft Teams no longer works on Internet Explorer
Microsoft Office

Microsoft Teams no longer works on Internet Explorer

30 Nov 2020
Sopra Steria cyber attack costs to hit €50 million
Security

Sopra Steria cyber attack costs to hit €50 million

26 Nov 2020