The Core Infrastructure Initiative revisited

Core Values

© Lead Image © Maxim Kazim,

© Lead Image © Maxim Kazim,

Article from Issue 199/2017

How does the Core Infrastructure Initiative fare three years in?

The Linux Foundation started the Core Infrastructure Initiative (CII) [1] after the discovery of several security vulnerabilities in 2014. As serious as the bugs themselves was the discovery that many core Linux projects were unequipped to respond to them. The CII was started in an effort to alleviate and prevent such bugs in the future. But how is the CII doing three years after its founding? For answers, I talked with Nicko van Someren of the CII.

According to van Someren, 2014 was marked by the discovery of a number of vulnerabilities. They included the ShellShock bug in Bash and a denial of service attack through the Network Time Protocol. However, the bug that received the most public attention was Heartbleed [2], which had infected the OpenSSL cryptography library for two years before its discovery. As Heartbleed was patched, it became obvious that the OpenSSL project, like many other Linux packages, lacked both the funding and the developers to respond adequately to such a threat.

The discovery of Heartbleed – deliberately named to attract attention – marked "the realization as to just how dependent commercial software has become on open source components," van Someren says. "The urgency of Heartbleed meant that vendors needed to fix things immediately and needed to tell people why." However, the CII is not just the software equivalent of a fire department responding to each crisis as it emerges. "Our goal with identifying projects that are at risk is so that we can provide help and resources – before – there is an urgent problem," von Someren says.


Use Express-Checkout link below to read the full article (PDF).

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • New Attack Targets Wireless Logins

    A first cousin of the recent Heartbleed attack affects EAP-based wireless and peer-to-peer authentication.

  • Financing Crypto Projects

    Although open source crypto software is used virtually all over the world, the projects behind it are often small and chronically underfunded. Heartbleed, however, brings a possibility of improvement.

  • Welcome

    The Linux Foundation launched the Core Infrastructure Initiative (CII) as a bold stroke in 2014. The foundation, which stands astride the FOSS world and mediates between the realm of business and the hacker culture, started the CII as a reaction to the infamous Heartbleed bug, which shocked the open source faithful and left doubts about the security of FOSS technologies. The original goal of the CII was to "fund and support critical elements of the global information infrastructure," which sounded like a good idea. I didn't have high hopes for them doing much besides giving out money, but money is always good. In the business world, where the Linux Foundation keeps one foot, if you can't make a problem go away by denying it, the next best thing is to pounce on it dramatically and say, "We've got this under control!"

  • LinuxCon take-aways
  • Heartbleed Bleeds On

    According to a report, many potential victims of the Heartbleed attack have patched their systems, but few have cleaned up the crime scene to protect themselves from the effects of a previous intrusion.

comments powered by Disqus

Direct Download

Read full article as PDF:

Price $2.95


njobs Europe
Njobs Netherlands Njobs Deutschland Njobs United Kingdom Njobs Italia Njobs France Njobs Espana Njobs Poland
Njobs Austria Njobs Denmark Njobs Belgium Njobs Czech Republic Njobs Mexico Njobs India Njobs Colombia