The health of the global Internet and digital infrastructure relies heavily on volunteer-maintained open source projects. Various organizations and initiatives now provide funding to make security fixes or improve features for some of these projects.
Last week, the FreeBSD Foundation announced a €686,400 (approximately $762,540) investment from Germany’s Sovereign Tech Fund. The foundation drives development and maintenance of the FreeBSD operating system, a Unix-based operating system similar to Linux. The funding from STF is intended to cover work for the rest of 2024 and extend into 2025 and will focus on security features and improvements.
STF is supported by the German Federal Ministry for Economic Affairs and Climate Action (BMWK) and hosted by the German Federal Agency for Disruptive Innovation (SPRIND). The fund has actively supported open source projects that are important components of the global digital infrastructure, such as €1 million ($1.1 million) for GNOME (a widely used desktop application for Linux operating systems) development at the end of last year and €203,000 ($225,487) to GStreamer (a multimedia framework used widely in streaming apps, embedded devices, and browsers) earlier this year. Several of STF’s recent investments are tied to security improvements, such as making the encrypted home directory a GNOME feature and rewriting GStreamer’s various Web and networking protocols (RTP/RTCP, RTSP, and WebRTC) from C to Rust in order to eliminate recurring memory-based vulnerabilities.
The FreeBSD investment will also focus on several security initiatives such as zero trust builds, continuous integration/continuous delivery (CI/CD) automation, reducing technical debt, enhancing security controls, and improving tools related to the software bill of materials. Reducing technical debt is important since many vulnerabilities linger on in years-old components that are no longer being maintained or even looked at.
Zero trust builds refers to being able to prove where all of the source code and tooling used to build FreeBSD came from, and that each of those inputs can be trusted. This is necessary to ensure that the tools used (such as compilers) are not introducing backdoors or malware into the code.
The focus on CI/CD automation is necessary to streamline software delivery and operations. It will allow security tests to run continuously so that changes which introduce vulnerabilities are caught, and the vulnerabilities fixed, as soon as they appear.
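As an added illustration of the two ideas above, a zero trust build that only accepts inputs whose origin has been vouched for, and a CI gate that runs that check on every change, the following is example code written for this page, not tooling from the FreeBSD project or STF. Artifact names and contents are constructed placeholders, and the pinned manifest is derived from them so the example runs offline; in a real repository the manifest would be committed and reviewed like source.

```python
"""Toolchain provenance gate: refuse to build unless every input artifact
matches a reviewed, pinned SHA-256 digest.

Added example, not FreeBSD Foundation or STF code. Artifact names and
contents below are constructed for illustration only."""
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-ins for downloaded toolchain tarballs (compiler, linker).
SAMPLE_ARTIFACTS: Dict[str, bytes] = {
    "example-compiler-1.0.tar.xz": b"compiler tarball bytes (constructed)",
    "example-linker-2.3.tar.xz": b"linker tarball bytes (constructed)",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


# Pinned manifest: name -> digest a reviewer explicitly approved.  Derived from
# the constructed samples here; in practice it is a committed, reviewed file.
PINNED_MANIFEST: Dict[str, str] = {
    name: sha256_hex(data) for name, data in SAMPLE_ARTIFACTS.items()
}


def verify_artifacts(artifacts: Dict[str, bytes],
                     manifest: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Check every build input against the pinned manifest.

    Returns (ok, problems).  Three things are treated as failures:
    an input whose digest differs from the pin (tampered or swapped),
    an input that was never pinned (unvetted), and a pinned input
    that is missing (a silent substitution or dropped dependency)."""
    problems: List[str] = []
    for name, data in artifacts.items():
        expected = manifest.get(name)
        if expected is None:
            problems.append(f"{name}: not in pinned manifest (unvetted input)")
            continue
        actual = sha256_hex(data)
        if actual != expected:
            problems.append(
                f"{name}: digest mismatch (expected {expected[:12]}..., "
                f"got {actual[:12]}...)")
    for name in manifest:
        if name not in artifacts:
            problems.append(f"{name}: pinned but missing from build inputs")
    return (not problems), problems


def ci_gate(artifacts: Dict[str, bytes], manifest: Dict[str, str]) -> int:
    """CI step: exit status 0 lets the build proceed, 1 blocks it."""
    ok, problems = verify_artifacts(artifacts, manifest)
    for line in problems:
        print("PROVENANCE FAIL:", line)
    print("provenance check:", "passed" if ok else "blocked")
    return 0 if ok else 1


if __name__ == "__main__":
    # Clean inputs pass.
    ci_gate(SAMPLE_ARTIFACTS, PINNED_MANIFEST)
    # A modified compiler tarball (constructed) is caught before it can
    # touch the build.
    tampered = dict(SAMPLE_ARTIFACTS)
    tampered["example-compiler-1.0.tar.xz"] = b"modified compiler (constructed)"
    ci_gate(tampered, PINNED_MANIFEST)
```

Running the script as a CI step gives a non-zero exit on any mismatch, so the pipeline stops before an unvetted compiler or linker can influence the produced binaries; the same gate can be extended to source tarballs and container images by adding their digests to the manifest.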
“This investment in critical digital infrastructure will accelerate modernization of FreeBSD, enhance security hygiene, and improve developer experiences,” Fiona Krakenbürger, co-founder of STF, said in a statement.
STF has supported a slew of other open source projects including curl, ffmpeg, Rustls (a TLS library written in Rust), and Coreutils uutils (the coreutils library with basic file, shell, and text functions rewritten in Rust).