The European Union's second FOSSA project has ended with incredible results. EU-FOSSA undoubtedly made free software way more secure.
But does that mean free software is more secure now? Putting the initial excitement aside, we have to remember that EU-FOSSA is reactive: a large one-off effort to deal with a huge problem, not a structured, long-term approach to it. Moreover, with Heartbleed's damage alone estimated at over €500M, it is obvious that a few million euros cannot suffice to make most free software reasonably secure. A real solution needs real will.
Thankfully, there are two effective approaches to a long-term solution:
- The bazaar management approach is to rate projects/products, so that users can make better security choices.
- The cathedral approach is to get permanently involved in product development.
Of course, these approaches are not mutually exclusive. The EU could get involved in core software, while merely rating less important projects.
Until the EU or the world gets really serious about limiting vulnerabilities, it may be that the problem, unfortunately, keeps getting worse.