"We're not going to create own versions of OpenSSL and GPG," says Kirkland. "But having alternatives to encryption libraries is important. There needs to be diversity, especially as we're learning how vulnerable some of these components are."
We're all open source now
As uncomfortable as that may be, experts say there's no going back. Weinberg spent a good part of his career as what he calls a "defender of the faith," countering attempts by commercial vendors like Microsoft to discredit the open source movement. He says the wall that once separated "open source" and "closed source" was torn down long ago.
"There's no such thing as proprietary software anymore because there's very little software without some dependency on open source," he said. "The world has moved to community developed' software in one form or another."
"I really think it's a shared responsibility," says Kirkland of Canonical. "When you consider how dependent all of us are on a whole stack of open source software, you have to hope that [security] becomes a shared responsibility and that it isn't left up to the the Linux Foundation and Red Hat to figure out this stuff."
In other words, we can gnash our teeth and tear at our hair over the likes of Heartbleed, but in 2015, all companies that make, use, or rely upon software are de-facto open source software companies whether they know it or not. That makes them part of the problem and its solution.
Sign up for CIO Asia eNewsletters.