Linux Foundation Offers Badges to Certify Open Source Code Quality
Which open source projects can users trust? That's a question the Linux Foundation hopes to help answer by the introduction of "badges" from the Core Infrastructure Initiative (CII) project, which recognize open source platforms deemed to be safe and stable.
Launched in 2014 in the wake of Heartbleed, which exposed an embarrassing security vulnerability in the widely used open source toolkit OpenSSL, CII is an effort to shore up security and quality in important open source projects. Previously, the support focused on providing financial resources to assist open source developers in honing their code.
The initial level of support was relatively small, but the Linux Foundation now calls CII a “multimillion-dollar project.” It enjoys backing from a range of big-name tech companies like Cisco, Facebook, Dell, Google and many others.
On Tuesday, CII added a sort of certification initiative to its purview, too. It is now offering what it calls Best Practices Badges to signify that open source code is secure and of high quality. “The program is an open source project designed in collaboration with the community and seeks ongoing input to ensure the most relevant criteria for the badge is included and continually updated,” according to the Linux Foundation.
“Open source projects often have very good security practices in place but need a way to validate those against industry and community best practices and ensure they’re always improving,” said Nicko van Someren, the Linux Foundation’s CTO. “Thanks to the generous contributions by the Core Infrastructure Initiative supporters, we’re able to provide this program to educate developers on security best practices and provide a directory for developers and CIOs to understand what projects have an understanding and methodology that focuses on security.”
Open source programmers can apply for badges using an online app. The app asks for information covering a range of areas, from the type of open source license used, to the cryptography solutions employed, to the build system.
The information is self-reported, which may raise some concerns about accuracy. But since the code in question is all open, it’s easy enough to verify any claims deemed potentially dubious.
For the open source ecosystem, the badges are a helpful step toward solving the longstanding problem of verifying the trustworthiness of open source code. There are now at least hundreds of thousands of open source projects (depending on how you count), and with some of them containing millions of lines of code, checking by hand that the software can be trusted in production environments is usually not a feasible proposition.
Badges based on self-reported data are not a perfect answer, but they may be the best solution the open source community can realistically offer as it seeks to place the era of Heartbleed-type bugs behind it. This type of certification will also likely prove important for the channel as organizations consider which open source software to include in integrated platforms.