Why All Linux (Security) Bugs Aren't Shallow
With Heartbleed and Shellshock, the open source community realized that Linus' law can be challenged.
In 2014 the open source community faced more security challenges than it has at any other point in recent memory. The Heartbleed vulnerability in the OpenSSL project and ShellShock in the Bash shell undermined the confidence many had in a core premise of the open source movement.
Jim Zemlin, executive director of the Linux Foundation, addressed the issue head-on during last week's Linux Collaboration Summit.
"In open source, we put our laundry out to air in the front yard," Zemlin said.
The Code Has Eyes
Zemlin quoted the oft-repeated Linus' law, which states that given enough eyes all bugs are shallow. That "law" essentially promises that many eyes provide a measure of quality and control and security to open source code. So if Linus' law is true, Zemlin asked, why are damaging security issues being found now in open source code?
"In these cases the eyeballs weren't really looking," Zemlin said.
Modern software security is hard because modern software is very complex, Zemlin said. But open source can provide a unique response to growing software complexity and the associated risk of security vulnerabilities.
"We all have access and can all work together," Zemlin said. "Open source by its nature lets us have a collective response to a collective problem."
That's where the Linux Foundation's Core Infrastructure Initiative (CII) that was announced in the wake of Heartbleed comes into play. Zemlin said there are three key initiatives under way at the CII now.
Key Linux Foundation Initiatives
The first is to fund projects that need help. To date, CII has helped out the NTP, OpenSSL and GNUPG projects, with more likely to come.
The second key initiative is the Core Infrastructure Census, which aims to find the next Heartbleed before it occurs. The census is looking to find underfunded projects and those that may not have enough eyeballs looking at the code today.
The third key initiative is building out a set of security best practices that can be applied to all open source projects. The goal is to create documentation and define processes for practices that can help provide security for any type of project.
With the security best practices, Zemlin said the CII is aiming to be more like a personal trainer than a surgeon. While a surgeon will fix a specific problem, a personal trainer helps a person live a better life and get stronger over time.
"These are the programs that will get us ahead in the game," Zemlin said. "The security, privacy and stability of the Internet matters to all of us."
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.