Steve Marquess, the sort-of leader of the OpenSSL development group and of the OpenSSL Software Foundation, wrote a post on his personal blog about how little funding the widely used open source software protocol receives. In the years since it was founded, the OpenSSL Software Foundation (SSLSF) has never raised more than $1 million per year, and usually far less than that.
Yet this is the foundation responsible for one of the most-used protocols on the Internet, one which recently came under attack and was compromised by hackers to the tune of millions, perhaps billions, of attacks across the world.
Despite this and the warning signs that it could happen again, patch or no patch, SSLSF still has not received much, if any, support from the governments and large corporations that use it.
Because the work-for-hire contracts that are the bulk of the income for SSLSF and its members are not guaranteed work (there are, Marquess says, usually unfilled contracts due to time constraints), none of them work the job full-time. Most either work freelance or have a “day job” instead, depending on their needs. This is a better way to guarantee income for them personally.
Now, says Marquess, if the companies were to pony up more funding to SSLSF so that they could hire some of these people full-time, things might change. They can make it on the contracts they receive, but they cannot guarantee a “living wage” and benefits without foundational support from those who use the protocol for the most benefit – government and large business entities.
According to Marquess, the only full-time OpenSSL employee: “There should be at least a half dozen full time OpenSSL team members, not just one, able to concentrate on the care and feeding of OpenSSL without having to hustle commercial work. If you’re a corporate or government decision maker in a position to do something about it, give it some thought. Please. I’m getting old and weary and I’d like to retire someday.”
Do you agree?