Will Open-Source Money Prevent the Next Heartbleed?
Marquess added that, in his view, the ones who should be contributing real resources are the commercial companies and governments that use OpenSSL extensively and take it for granted. "There should be at least a half dozen full time OpenSSL team members, not just one, able to concentrate on the care and feeding of OpenSSL without having to hustle commercial work," Marquess wrote. "If you're a corporate or government decision maker in a position to do something about it, give it some thought. Please."

Having more people dedicated to OpenSSL seems like an obviously good idea, although I'm not sure that donating money directly to the OSF is necessarily the only, or even the best, approach to improving OpenSSL. For other open-source projects, like Linux or the OpenStack cloud, what typically happens is that the big companies that benefit most dedicate their own full-time staff to a given project or feature. The open-source model means that even though developers are working for their own companies, the code is open and shared across the entire community of a given project.

So what I'd suggest for the OSF is to open up its model and take on corporate sponsorships, which include both money and full-time-equivalent developers. In that manner, in addition to core OSF dedicated staff, there will be multiple core contributors working full-time across the multiple vendors that actively consume OpenSSL.

In addition to more humans, there is always a need for more testing automation. Most automated development and continuous integration testing suites today are focused on making sure that code commits don't break existing functionality. I'm not sure that automated testing suites would have caught the Heartbleed flaw when it was committed, but having automated test suites that look for security flaws in code is the right thing to do.

Through a combination of automation, people and funding, the open-source model can further be improved and hopefully prevent the next Heartbleed flaw from ever occurring.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
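To make concrete the distinction the article draws between regression tests (does a well-formed commit still work?) and tests that look for security flaws, here is an added example that is not part of the article and is not OpenSSL's code. It uses a hypothetical heartbeat-style record format (type byte, two-byte declared payload length, payload, padding) and a parser that enforces the bounds check Heartbleed was missing: the declared length must be backed by bytes actually received. The `check_length_consistency` function is the kind of test a CI suite could run on every commit; it sweeps over-declared lengths and fails if the parser ever returns data it was never given. All record layouts and function names are assumptions for illustration.

```python
import struct
from typing import Optional

# Hypothetical wire format, not OpenSSL's:
#   1 byte  message type
#   2 bytes big-endian declared payload length
#   N bytes payload
#   >= 16 bytes padding
HEARTBEAT_REQUEST = 1
MIN_PADDING = 16
HEADER_LEN = 3


class MalformedRecord(ValueError):
    """Raised when a record's declared length is not backed by real bytes."""


def parse_heartbeat(record: bytes) -> bytes:
    """Return the payload of a heartbeat-style record, or raise MalformedRecord.

    The security-relevant line is the bounds check: a record whose declared
    payload length exceeds what was actually received is rejected instead of
    being trusted (the class of check whose absence caused Heartbleed).
    """
    if len(record) < HEADER_LEN + MIN_PADDING:
        raise MalformedRecord("record too short for header and padding")
    msg_type, declared_len = struct.unpack_from("!BH", record, 0)
    if msg_type != HEARTBEAT_REQUEST:
        raise MalformedRecord(f"unexpected message type {msg_type}")
    # Bounds check: declared payload plus minimum padding must fit in the record.
    if HEADER_LEN + declared_len + MIN_PADDING > len(record):
        raise MalformedRecord(
            f"declared payload {declared_len} exceeds record size {len(record)}"
        )
    return record[HEADER_LEN:HEADER_LEN + declared_len]


def build_record(payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Build a record; declared_len lets a test deliberately misstate the length."""
    if declared_len is None:
        declared_len = len(payload)
    return struct.pack("!BH", HEARTBEAT_REQUEST, declared_len) + payload + b"\x00" * MIN_PADDING


def check_length_consistency(max_payload: int = 64, over_declare: int = 32) -> bool:
    """Security-focused test, as opposed to a functional regression test.

    For every payload size up to max_payload, a correctly declared record must
    parse back to the same payload, and every over-declared length must be
    rejected. Returns True only if the parser never hands back bytes it did
    not receive.
    """
    for n in range(max_payload + 1):
        payload = bytes(range(n))  # constructed sample payload
        if parse_heartbeat(build_record(payload)) != payload:
            return False
        for extra in range(1, over_declare + 1):
            try:
                parse_heartbeat(build_record(payload, declared_len=n + extra))
            except MalformedRecord:
                continue
            return False  # parser accepted a length it could not back with data
    # Largest representable declared length must also be rejected.
    try:
        parse_heartbeat(build_record(b"x", declared_len=0xFFFF))
    except MalformedRecord:
        return True
    return False


if __name__ == "__main__":
    print("payload:", parse_heartbeat(build_record(b"hello")))
    print("length-consistency check passed:", check_length_consistency())
```

A regression suite would typically only exercise the well-formed path (`build_record(payload)` round-trips), which is exactly why it would not notice a missing bounds check; the sweep over mismatched lengths is what turns the test into a security check that runs on every commit.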