Many of the projects in our ecosystem are critically important to developers and users, but on their own lack the resources to remain viable. The Linux Foundation supports a number of these projects through grants and human capital to make sure we have a safe, stable, and secure internet.

The Linux Foundation provides significant resources to keep critical projects up and running. We provide a large amount of assistance to the Linux Kernel, but we have many other programs, too. These programs help keep the plumbing of the Internet safe and secure, and give the developers who work on this infrastructure the means to build critically needed software.

We provide full-time tech support and hardware/software for many community workgroups, including Open Printing, OpenChain, SPDX, and Core Embedded Linux workgroups. Through the Core Infrastructure Initiative (CII), we raised and funded major projects to improve open source security. Two full-time OpenSSL core developers have been sponsored and a complete audit of OpenSSL has been initiated. This has resulted in a reduced bug backlog, refactored critical code paths, improved testing, and a security/vulnerability handling policy being put into place.

Infrastructure Projects and Initiatives Supported By The Linux Foundation

Bash is a Unix shell and command language written by Brian Fox for the GNU Project as a free software replacement for the Bourne shell. Released in 1989, it has been distributed widely as the shell for the GNU operating system and as a default shell on Linux and OS X. The Linux Foundation provides equipment to maintain the development of the Bash shell.

For distributions like Debian and Fedora, it is essential that the machines used to build binaries distributed to users have not been compromised by attackers. Reproducible builds enable anyone to reproduce bit-for-bit identical binary packages from a given source, and so to verify independently that a binary matches the source code from which it was said to have been derived. Without them, even when the source code has been carefully audited, it is much harder to detect whether binaries have been tampered with before they get into the hands of users.

The Census represents Core Infrastructure Initiative’s (CII) current view of the open source ecosystem and which projects are at risk. The Heartbleed vulnerability in OpenSSL highlighted that while some open source software (OSS) is widely used and depended on, vulnerabilities can have serious ramifications, and yet some projects have not received the level of security analysis appropriate to their importance. Some OSS projects have many participants, perform in-depth security analyses, and produce software that is widely considered to have high quality and strong security. However, other OSS projects have small teams that have limited time to do the tasks necessary for strong security. The trick is to identify quickly which critical projects fall into the second category.

Core Embedded Linux is focused on finding new requirements or topics for embedded Linux systems. The needs identified by member companies are based on real-world requirements that would best be solved in collaboration with the open source community. The project can be used to research and discuss topics that are not covered by another collaborative project. For example, the Civil Infrastructure Platform project started as an investigation inside the Core Embedded Linux project.

In its first year, The Linux Foundation’s Core Infrastructure Initiative (CII) has awarded $2.5 million in funding to shore up security in open source projects we all use. With our Core Infrastructure Initiative, we’re taking a collaborative, pre-emptive approach to strengthening cybersecurity. Many industry giants have signed on to harden the security of key open source projects.

The Linux Foundation hosts DiaMon, a project that aims to improve open source diagnostic and monitoring software. The project creates de facto standards and tools for tracing, monitoring, and diagnostics. It also focuses on increasing interoperability among tools, as well as improving Linux-based tracing, profiling, logging, and monitoring features.

GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP). GnuPG allows you to encrypt and sign your data and communications, and features a versatile key management system as well as access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command-line tool with features for easy integration with other applications. A wealth of front-end applications and libraries are available. Version 2 of GnuPG also provides support for S/MIME and Secure Shell (ssh). Support for one part-time GnuPG developer is being provided with funding from the Core Infrastructure Initiative.

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It’s a service provided by the Internet Security Research Group (ISRG) and hosted by The Linux Foundation. During its beta period from September 2015 through April 2016, it issued more than 1.7 million certificates for more than 3.8 million websites. Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost. Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal. Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.

The Linux Foundation provides full-time tech support for the Linux kernel. This includes full-time senior sysadmins, hardware, and software. Prior to The Linux Foundation taking this on, it was done via volunteers. We manage and fund (with our partners) The Linux Kernel Organization, which provides full technical, financial, and staffing support for running and maintaining the infrastructure. We also fund Linus Torvalds and Greg Kroah-Hartman as fellows at The Linux Foundation, with no obligations other than to continue to develop the Linux Kernel.

The Linux Foundation hosts The Linux Standard Base, which was created to lower the overall costs of supporting the Linux platform. By reducing the differences between individual Linux distributions, the LSB greatly reduces the costs involved with porting applications to different distributions, as well as lowering the cost and effort involved in after-market support of those applications.

Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks. In operation since before 1985, NTP is one of the oldest internet protocols in current use. If you have communicating programs running on different computers, time should still advance when you switch from one computer to another. Obviously, if one system is ahead of the others, the others are behind that particular one. From the perspective of an external observer, switching between these systems would cause time to jump forward and back, an undesirable effect. Two part-time developers have been sponsored via a grant from the Core Infrastructure Initiative: one works on the core network timecode, and the other works on ntimed, a new client-only implementation of the network time protocol.

The NTPsec project is a secure, hardened, and improved implementation of Network Time Protocol derived from NTP Classic, Dave Mills’s original. NTPsec, as its name implies, is a more secure NTP. We employ best practices and state-of-the-art technology in code auditing, verification, and testing to deliver code that can be used with confidence in deployments with the most stringent security, availability, and assurance requirements.

OpenChain is a community effort focused on identifying common best practices in compliance programs that should be applied across a supply chain for efficient and effective compliance with open source licenses.

The Linux Foundation provides hosting of the OpenPrinting project to help with printing under free operating systems like GNU/Linux and the BSDs or under commercial UNIX-like systems such as Solaris and Mac OS X.

The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It’s also a great tool for experienced pentesters to use for manual security testing.

The R Consortium awarded the first grant in November 2015 to R-Hub, a service for developing, building, testing, and validating R packages. The R Consortium is providing funding for additional initiatives to develop tools and resources for the R user community, bringing total grant funding to $200,000 (as of 3/23/2016).

The Software Package Data Exchange® (SPDX®) specification, hosted by The Linux Foundation, is a standard format for communicating the components, licenses, and copyrights associated with a software package. The objective of the SPDX Report program is to create a repository of articles to capture and share community knowledge about anything and everything SPDX. For example, this knowledge base covers a diverse collection of topics including (but not limited to) technical issues, best practices, relevant legal topics, tool proposals, adoption strategies and analysis, license compliance considerations, and position papers.

TIS Interpreter, released as open source software in March 2016, uses existing test cases to detect bugs with no false positives, which saves developers time. CII is investing in this work, which combines existing technologies to test this new technique on OpenSSL; if successful, it can be extended to other open source software to help developers better identify potential bugs and improve security.