It took a Heartbleed-sized emergency, but the OpenSSL Project is getting some of the financial support it needs. That doesn’t guarantee the same will happen for other worthy open-source projects, however.
Nokia Solutions and Networks (NSN) announced today that it’s made the largest single contribution in OpenSSL’s history, to be spread across two years. NSN is also becoming the project’s first platinum sponsor. And Thursday, the Linux Foundation launched its Core Infrastructure Initiative, described as a multimillion-dollar project to fund open-source development. Thirteen vendors are part of the initiative; NSN isn’t listed among them.
NSN notes that its own contribution “increases funding so far received by a factor of five.” Hopefully, that’s not a factor of five over typical donations, because according to a blog by OpenSSL Software Foundation President Steve Marquess (the guy in charge of OpenSSL funding), donations amount to about $2,000 per year. That’s not counting the week of the Heartbleed disclosure, when donations poured in — adding up to about $9,000, Marquess estimated.
A lot more funding comes from contracting and consulting, but the OSF “has never raised more than $1 million in a year,” Wired noted earlier this month. Marquess doesn’t directly confirm that figure in his blog, but he mentions it without comment.
What This Means to SDN
Heartbleed was a wake-up call for Internet security, and it had implications for software-defined networking (SDN) too, as we noted previously.
Perhaps more importantly, Heartbleed shows what happens when software development is understaffed and underfunded. The vulnerability was created partly because OpenSSL has only four coders, three of them part-time, as Wired explained earlier this month.
While many customers love the idea of using open-source software, especially when it’s free of charge, someone ultimately has to pay developers to work on it, either directly or by giving them leeway to spend day-job time on a project. Waiting for “somebody” to do everything over a weekend won’t cut it. There’s no guarantee that a larger team could have spotted Heartbleed earlier, but the odds would have been better.
This relates to SDN because so much of the technology is being developed by open-source initiatives such as the OpenDaylight Project. Staffing issues have already emerged there; the first code release, Hydrogen, was delayed partly due to the initial lack of a test-and-interoperability team.
In the case of Quagga, the open-source routing package, it’s as much about funding as it is about staffing. Some very big companies reportedly use Quagga, but they use home-tailored versions of the code and aren’t required to give anything back, a situation that’s left Quagga gasping for funding despite its popularity.