Jim Zemlin, executive director of the Linux Foundation, addressed the issue open-source code security, during last week’s Linux Collaboration Summit. Zemlin quoted the oft-repeated Linus’ law, which states that given enough eyes all bugs are shallow. That “law” essentially promises that many eyes provide a measure of quality and control and security to open source code. So if Linus’ law is true, Zemlin asked, why are damaging security issues being found now in open source code?
“In these cases the eyeballs weren’t really looking,” Zemlin said.
Modern software security is hard because modern software is very complex, Zemlin said. But open source can provide a unique response to growing software complexity and the associated risk of security vulnerabilities.
“We all have access and can all work together,” Zemlin said. “Open source by its nature lets us have a collective response to a collective problem.”
That’s where the Linux Foundation’s Core Infrastructure Initiative (CII) that was announced in the wake of Heartbleed comes into play. Zemlin said there are three key initiatives under way at the CII now.