This week has been a notable one for security, as the earlier news already suggested. TrueCrypt, the popular file encryption suite, lost its developers when they decided to call it quits — right in the middle of its audit. On a related note, OpenSSL is being given money and full-time developers in response to the recent Heartbleed fiasco. OpenSSH and Network Time Protocol, and others in the future, are also being given some love.
Yes, these are two separate pieces of news that are combined into a single article.
Earlier, we reported on TrueCrypt's mysterious implosion. The developers' alleged last advice — use closed-source solutions, or whatever comes up in a random package manager search — I considered too terrible to have come from them. Seriously, from "Trust No-One" to "Trust Who Knows". It just does not seem right…
Since that article, they have apparently been contacted and have confirmed that the project is being shut down. That said, basically every source cites the third-party auditors, and no-one else seems to have had direct contact with them — so who knows. Regardless, the audit is apparently still going on and might lead to a usable fork maintained by someone else.
As for the second piece of news — several other libraries are getting serious security audits. Apparently, The Linux Foundation has arranged for a long list of companies to commit $5.4 million over three years to audit and maintain these projects. OpenSSL, OpenSSH, and Network Time Protocol are the first three named, but others will be included later. That budget can also increase as other companies and donors step up.
Currently, the donors are: Adobe, Amazon, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Google, HP, Huawei, IBM, Intel, Microsoft, NetApp, Qualcomm, Rackspace, Salesforce, and VMware. Eighteen companies, each pledging $100,000 per year for three years.
All in all, it seems like the world is on the path to righting itself, somewhat.