Linux golden age threatened by bug army

A top Linux geek has warned that its golden age is about to be brought to a close by security problems.

Golden ages are normally brought to an end by a rebellion of giants, titans or plagues. Jim Zemlin, executive director of the Linux Foundation said that Linux will be killed off by giant, titanic plagues of security bugs.

Several high profile zero-day vulnerabilities in popular open source technologies last year served not only to show the importance of open source to the internet and IT world, but how badly its projects were under-resourced.

Heartbleed, which impacted OpenSSL, Poodle, a vulnerability in SSL, and the Shellshock vulnerability in Bash damaged the reputation of open sauce badly and resulted in the creation of the Core Infrastructure Initiative (CII), a Linux Foundation-led initiative to improve open source security.

CII’s financial backers include Adobe, Bloomberg, HP, VMware, Rackspace, NetApp, Microsoft, Intel, IBM, Google, Fujitsu, Facebook, Dell, Amazon and Cisco.

Zemlin said that this support was proof we’re living in a “golden age” of open source.

“Almost the entirety of the internet is entirely reliant on open source software. We’ve reached a golden age of open source. Virtually every technology and product and service is created using open source,” he said.

Zemlin said open source was not immune to the security threat faced by the entire computing industry, and that Heartbleed, and others, served as a wake-up call for the IT industry. It is believed 200,000 devices are still vulnerable.

“Heartbleed literally broke the security of the internet,” he explained. “Over a long period of time, whether we knew it or not, we became dependent on open source for the security and integrity of the internet.”

Zemlin said many people had asked him why the peer review process had not highlighted these vulnerabilities, but the answer was blindingly obvious.

Many of these projects were being worked on by one part-time volunteer. Before Heartbleed, OpenSSL received less than $2,000 a year in donations, while OpenSSH and Bash had similarly meagre support.

“It’s completely out of proportion to the attention these projects play in society and the Internet,” said Zemlin. “OpenSSL for a long period of time was essentially maintained by two guys named Steve. Think about that.”