The Linux Foundation


Healthcare industry proof of concept successfully uses SPDX as a software bill of materials format for medical devices

Thu, 08/06/2020 - 03:30
Overview

Software Package Data Exchange (SPDX) is an open standard for communicating software bill of materials (SBOM) information that supports accurate identification of software components, explicit mapping of relationships between components, and the association of security and licensing information with each component. The SPDX format has recently been submitted by the Linux Foundation and the Joint Development Foundation to the JTC1 committee of the ISO for international standards approval.

A group of eight healthcare industry organizations, composed of five medical device manufacturers and three healthcare delivery organizations (hospital systems), recently participated in the first-ever proof of concept (POC) of the SPDX standard for healthcare use.

 This blog post is a summary of the results of this initial trial.

Why do we care about SBOMs and the medical device industry?

A Software Bill of Materials (SBOM) is a nested inventory or a list of ingredients that make up the software components used in creating a device or system. This is especially critical in the medical device industry and within healthcare delivery organizations to adequately understand the operational and cyber risks of those software components from their originating supply chain.

Some cyber risks come from using components with known vulnerabilities. Known vulnerabilities are a widespread problem in the software industry; the use of components with known vulnerabilities appears among the Top 10 Web Application Security Risks from the Open Web Application Security Project (OWASP). Known vulnerabilities are especially concerning in medical devices since the exploitation of those vulnerabilities could lead to loss of life or maiming. One-time reviews don’t help, since these vulnerabilities are typically found after the component has been developed and incorporated. Instead, what is needed is visibility into the components of a medical device, similar to how food ingredients are made visible.

A measured path towards using SBOMs in the medical device industry

In June 2018, the National Telecommunications and Information Administration (NTIA) engaged stakeholders across multiple industries to discuss software transparency and to participate in a limited proof of concept (POC) to determine if SBOMs can be successfully produced by medical device manufacturers and consumed by healthcare delivery organizations. That initial POC was successfully concluded in the early fall of 2019. 

Despite the limited scope, the NTIA POC results demonstrated that industry-agnostic standard formats can be leveraged by the healthcare vertical and that industry-specific formats are unnecessary. 

Next, the participants in the NTIA POC explored whether a standardized SBOM format could be used for sharing information between medical device manufacturers and healthcare delivery organizations. For this next phase, the NTIA stakeholders engaged the Linux Foundation’s SPDX community to work with the NTIA Healthcare working group. The goal was to demonstrate through a proof of concept whether the open source SPDX SBOM format would be suitable for healthcare and medical device industry uses. The first phase of that trial was conducted in early 2020.

Objectives of the 2020 POC

The stated goals of this 2020 proof of concept (POC) were to prove the viability of the framing document created by the NTIA SBOM Working group (of which the Linux Foundation was a contributor) from their earlier POC for the medical device and healthcare industry. 

This NTIA framing document defines specific baseline data elements or fields that should be used to identify software components in any SBOM format, which can be mapped into corresponding field elements in SPDX:

NTIA Baseline        SPDX
Supplier Name        (3.5) PackageSupplier:
Component Name       (3.1) PackageName:
Unique Identifier    (3.2) SPDXID:
Version String       (3.3) PackageVersion:
Component Hash       (3.10) PackageChecksum:
Relationship         (7.1) Relationship: CONTAINS
Author Name          (2.8) Creator:

The 2020 POC conducted by the NTIA working group had a stated objective: to determine whether SBOMs generated by Medical Device Manufacturers (MDMs) using SPDX could be ingested into SIEM (Security Information and Event Management) solutions operated by the participating Healthcare Delivery Organizations (HDOs).

The MDMs participating in this POC were Abbott, Medtronic, Philips, Siemens, and Thermo Fisher. The HDOs included Cedars-Sinai, Christiana Care, Mayo Clinic, Cleveland Clinic, Johns Hopkins, New York-Presbyterian, Partners/Mass General, and Sutter Health.

Execution and implementation of the SPDX SBOMs

  • The participating HDOs provided an inventory of the deployed medical devices in use within their organizations.
  • A best-effort approach was used to determine software identity, as the names that software packages are known by are “ambiguous” and could be misinterpreted.
  • An example SPDX was created along with a guidance document for the MDMs to follow for use with the medical devices identified by the HDO inventory exercise.
  • The MDMs produced 17 distinct SPDX-based SBOMs manually and with generator tooling.
  • The SBOMs were delivered via secure transfer using enterprise Box accounts, simulating delivery via secure customer portals offered by each MDM.

Consumption of the SBOMs in the SPDX POC

As a result of the 2020 POC, all participating HDOs successfully ingested the SPDX SBOM into their respective SIEM solutions, immediately making the data searchable to identify security vulnerabilities across a fleet of products. This information can also be converted into a human-readable, tabular format for other data analysis systems.

Multiple HDOs are already collaborating with vendor partners to explore direct ingestion into medical device asset/risk management solutions as part of their device procurement. One of the HDOs is working with one of their vendor partners to explore direct ingestion into a healthcare Vendor Risk Management (VRM) solution, and another has developed a “How-To Guide,” focusing on how to correctly parse out the Packages fields using regular expressions (regex).
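An added example (not part of the original post or of the POC's guidance document): a minimal Python reader for SPDX tag-value text that extracts the NTIA baseline fields listed earlier, reports components that lack any of them, and flattens packages into per-component records for search or tabular use. The sample SBOM, device name, suppliers and checksums are constructed, and only single-line package tags are handled.

```python
import re

# NTIA baseline element -> SPDX tag, following the mapping given in the post.
NTIA_TO_SPDX = {
    "Supplier Name": "PackageSupplier",
    "Component Name": "PackageName",
    "Unique Identifier": "SPDXID",
    "Version String": "PackageVersion",
    "Component Hash": "PackageChecksum",
}
TAG_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*):\s*(.*)$")
REL_RE = re.compile(r"^(\S+)\s+([A-Z_]+)\s+(\S+)$")

# Constructed sample SBOM (hypothetical device, suppliers and checksums).
SAMPLE = """\
SPDXVersion: SPDX-2.1
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-infusion-pump-sbom
Creator: Organization: Example Medical Devices
Created: 2020-03-01T00:00:00Z

PackageName: Example Infusion Pump Firmware
SPDXID: SPDXRef-Firmware
PackageVersion: 4.2.0
PackageSupplier: Organization: Example Medical Devices
PackageDownloadLocation: NOASSERTION
PackageChecksum: SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709

PackageName: openssl
SPDXID: SPDXRef-OpenSSL
PackageVersion: 1.0.2k
PackageSupplier: Organization: OpenSSL Project
PackageDownloadLocation: NOASSERTION
PackageChecksum: SHA1: 0123456789abcdef0123456789abcdef01234567

PackageName: busybox
SPDXID: SPDXRef-BusyBox
PackageSupplier: NOASSERTION
PackageDownloadLocation: NOASSERTION

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Firmware
Relationship: SPDXRef-Firmware CONTAINS SPDXRef-OpenSSL
"""


def parse_spdx(text):
    """Parse SPDX tag-value text into creators, packages and relationships."""
    doc = {"creators": [], "packages": [], "relationships": []}
    current, in_text = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if in_text:  # inside a multi-line <text>...</text> value
            in_text = "</text>" not in line
            continue
        m = TAG_RE.match(line)
        if not m:  # blank lines and '#' comments do not match a tag
            continue
        tag, value = m.groups()
        in_text = "<text>" in value and "</text>" not in value
        if tag == "Creator":
            doc["creators"].append(value)
        elif tag == "Relationship":
            rel = REL_RE.match(value)
            if rel:
                doc["relationships"].append(rel.groups())
        elif tag == "PackageName":  # a PackageName tag opens a new package
            current = {"PackageName": value, "PackageChecksum": []}
            doc["packages"].append(current)
        elif tag in ("FileName", "SnippetSPDXID"):
            current = None  # file/snippet sections are not package fields
        elif current is not None and tag == "PackageChecksum":
            current[tag].append(value)
        elif current is not None and tag in NTIA_TO_SPDX.values():
            current.setdefault(tag, value)
    return doc


def baseline_gaps(doc):
    """Return {SPDXID or name: [missing NTIA baseline elements]}."""
    linked = {end for src, _, dst in doc["relationships"] for end in (src, dst)}
    gaps = {}
    if not doc["creators"]:
        gaps["DOCUMENT"] = ["Author Name"]
    for pkg in doc["packages"]:
        missing = [name for name, tag in NTIA_TO_SPDX.items()
                   if pkg.get(tag) in (None, "", [], "NOASSERTION", "NONE")]
        if pkg.get("SPDXID") not in linked:
            missing.append("Relationship")
        if missing:
            gaps[pkg.get("SPDXID") or pkg["PackageName"]] = missing
    return gaps


def to_rows(doc):
    """Flatten packages into one record per component for SIEM or table use."""
    parent = {dst: src for src, kind, dst in doc["relationships"]
              if kind == "CONTAINS"}
    return [{
        "spdxid": p.get("SPDXID"),
        "name": p["PackageName"],
        "version": p.get("PackageVersion"),
        "supplier": p.get("PackageSupplier"),
        "checksums": p["PackageChecksum"],
        "contained_by": parent.get(p.get("SPDXID")),
    } for p in doc["packages"]]


if __name__ == "__main__":
    import json
    sbom = parse_spdx(SAMPLE)
    for row in to_rows(sbom):
        print(json.dumps(row))  # one JSON line per component
    print("baseline gaps:", baseline_gaps(sbom))
```

Rejecting or flagging an SBOM at intake when `baseline_gaps` is non-empty keeps components without a version or hash from silently dropping out of later vulnerability matching.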

As a positive indicator of SPDX’s suitability when used with asset management systems, two HDOs have begun configuring their respective internal tracking systems to track software dependencies and subcomponents. Additionally, multiple HDOs are collaborating with vendor partners to manage devices into medical device asset/risk management solutions through the device’s life by allowing for periodic updates and an audit trail.

Ongoing considerations for SPDX-based SBOMs for medical devices in healthcare organizations

Risk management, vulnerability management, and legal considerations are ongoing at the participating HDOs related to the use of SPDX-based SBOMs.

Risk management

All of the responding HDOs are exploring vulnerability identification upon procurement (i.e., SIEM through initial ingestion of the SBOM) and on an on-going basis (i.e., SIEM, CMDB/CMMS, VRM). The participating HDOs intend to explore mitigation plan / compensating control exercises that will be performed to identify vulnerable components, measure exploitability, implement risk reduction techniques, and document this data alongside the SBOM.

The SPDX community intends to learn from these exercises and improve future versions of the SPDX specification to include the requested information that is determined to be needed to manage risk effectively.

Vulnerability management at HDOs

An HDO is already working with its Biomed team to manually perform vulnerability management processes on information extracted from SBOM data. 

Another is working with their Vulnerability Management team to evaluate correlated SBOM data to credentialed/non-credentialed scans of the same device, which may prove useful in an information audit use case. A second HDO is currently working with their Vulnerability Management team on leveraging the SBOM data to supplement regular scanning results.

Legal

Participating HDOs have been developing SBOM product security language to add cybersecurity safeguards to the contract documentation.

Conclusion

The original POC was able to validate the conclusions of the NTIA Working Group that proprietary SBOM formats specific to healthcare industry verticals are not needed. This 2020 POC showed that the SPDX standard could be used as an open format for SBOMs for use by healthcare industry providers. Additionally, the ability to import the SPDX format into SIEM solutions will help HDOs adequately understand the operational and cyber risks of medical device software components from their originating supply chain. 

There is work ahead to improve automation of SPDX-based SBOMs, including the automated identification of software components and determining which component vulnerabilities are exploitable in a given system. Participating HDOs intend to perform compensating control exercises to identify and implement risk reduction techniques building on this information. HDOs are also evaluating how SPDX can support other improvements to vulnerability management. In summary, this POC showed that SPDX could be an essential part of addressing today’s operational and cyber risks.


Technology and Enterprise Leaders Combine Efforts to Improve Open Source Security

Mon, 08/03/2020 - 22:55

New collaboration called Open Source Security Foundation (OpenSSF) consolidates industry efforts to improve the security of open source software

SAN FRANCISCO, Calif., Aug 3, 2020 – The Linux Foundation today announced the formation of the Open Source Security Foundation (OpenSSF). The OpenSSF is a cross-industry collaboration that brings together leaders to improve the security of open source software (OSS) by building a broader community with targeted initiatives and best practices. It combines efforts from the Core Infrastructure Initiative, GitHub’s Open Source Security Coalition and other open source security work from founding governing board members GitHub, Google, IBM, JPMorgan Chase, Microsoft, NCC Group, OWASP Foundation and Red Hat, among others. Additional founding members include ElevenPaths, GitLab, HackerOne, Intel, Okta, Purdue, SAFECode, StackHawk, Trail of Bits, Uber and VMware.

Open source software has become pervasive in data centers, consumer devices and services, representing its value among technologists and businesses alike. Because of its development process, open source that ultimately reaches end users has a chain of contributors and dependencies. It is important that those responsible for their user or organization’s security are able to understand and verify the security of this dependency chain.

The OpenSSF brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The Linux Foundation’s Core Infrastructure Initiative (CII), founded in response to the 2014 Heartbleed bug, and the Open Source Security Coalition, founded by the GitHub Security Lab, are just a couple of the projects that will be brought together under the new OpenSSF. The Foundation’s governance, technical community and its decisions will be transparent, and any specifications and projects developed will be vendor agnostic. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all.

“We believe open source is a public good and across every industry we have a responsibility to come together to improve and support the security of open source software we all depend on,” said Jim Zemlin, executive director at The Linux Foundation. “Ensuring open source security is one of the most important things we can do, and it requires all of us around the world to assist in the effort. The OpenSSF will provide that forum for a truly collaborative, cross-industry effort.”

With the formalization of the group, the open governance structure is established and includes a Governing Board (GB), a Technical Advisory Council (TAC) and a separate oversight for each working group and project. OpenSSF intends to host a variety of open source technical initiatives to support security for the world’s most critical open source software, all of which will be done in the open on GitHub.

For more information and to contribute to the project, please visit https://openssf.org

Resources

Threats, Risks & Mitigations of the Open Source Ecosystem, Open Source Security Coalition
Vulnerabilities in the Core, Harvard’s Lab for Innovation Science and Linux Foundation
Red Hat Product Security Risk Report, Red Hat

Governing Board Member Quotes

GitHub
“Every industry is using open source software, and it is our collective responsibility to help maintain a healthy and secure ecosystem,” said Jamie Cool, Vice President of Product Management, Security at GitHub. “GitHub founded the Open Source Security Coalition in 2019 to bring together industry leaders around this mission and ensure the consumption of open source software is something that all developers can do with confidence. We look forward to this next step in the evolution of the coalition and serving as a founding member of the Open Source Security Foundation.”

Read more in GitHub’s blog.

Google
“Security is always top of mind for Google and our users. We have developed robust internal security tools and systems for consuming open source software internally, for our users, and for our OSS-based products. We believe in building safer products for everyone with far-reaching impacts, and we are excited to work with the broader community through the OpenSSF. We look forward to sharing our innovations and working together to improve the security of open source software we all depend on,” said Director of Product Security, Google Cloud, James Higgins.

IBM
“Open source has become mainstream in the enterprise. As such, the security of the open source supply-chain is of paramount importance to IBM and our clients,” said Christopher Ferris, IBM Fellow and CTO Open Technology. “The launch of the Open Source Security Foundation marks an important step towards giving open source communities the information and tools they need to improve their secure engineering practices, and the information developers need to choose their open source wisely.”

JPMorgan Chase
“Developing, growing and using open source software is a top priority for JPMorgan Chase. We are committed to partner with the community through the Open Source Security Foundation to ensure trust and security in open source software for everyone,” stated Lori Beer, Global Chief Information Officer, JPMorgan Chase.

Microsoft
“As open source is now core to nearly every company’s technology strategy, securing open source software is an essential part of securing the supply chain for every company, including our own,” said Mark Russinovich, Chief Technology Officer, Microsoft Azure. “As with everything open source, building better security is a community-driven process. All of us at Microsoft are excited to be a founding member of the Open Source Security Foundation and we look forward to partnering with the community to create new security solutions that will help us all.”

Read more in Microsoft’s blog.

NCC Group
“The security and privacy of the internet is essential for the protection of individuals, organizations and critical infrastructure, and also the future of democracy and our civil liberties. Given the fundamental role open source plays in powering our world, creating scalable resources and tools to help software maintainers, developers, and users understand and improve their projects’ security is a significant step toward a safer and more secure world. By bringing together a dedicated group of technologists with a shared desire to improve the security of open source software, together we can begin to remediate – or even prevent – security vulnerabilities at a scale not previously possible,” stated Jennifer Fernick, Head of Research at global cyber security expert NCC Group.

OWASP
“Joining the Linux Foundation and the Open Source Security Foundation is central to our mission to advance the state of application security, especially as OpenSSF is already aligned with OWASP’s core philosophies of openness, transparency and innovation,” said Andrew van der Stock, Executive Director of OWASP, the Open Web Application Security Project. “We look forward to working with all of the participating organizations to improve the state of software security and work together on projects of vital interest to software developers, organizations, and governments around the world.”

Red Hat
“Red Hat is unrelenting in our commitment to open source and in participating to make upstream projects successful. We believe security is an essential part of healthy project communities,” said Chris Wright, CTO of Red Hat. “Now, more than ever, is the time for us to join together with other leaders to help ensure key projects are secure and consumable in our products, across enterprises, and as part of the hybrid cloud. We are excited to help found this Open Source Software Foundation.”

Additional Founding Member Quotes

ElevenPaths
“The security of an enterprise application or services depends mainly on the security of all its components. The vast majority of business applications and services are not fully developed in-house as they make use of open source components that help accelerate the development cycle and extend their functionality. Therefore, it is essential to ensure that all open source components comply with the best practices of secure development and periodic reviews are carried out to positively impact all software that makes use of these components. Joining the Open Source Security Foundation is fully aligned with our vision and principles.”

GitLab
“GitLab is excited to play a part in the creation of the Open Source Security Foundation (OpenSSF) to further cross-industry collaboration and move the security of open source projects forward as it is key to the future of technology,” said David DeSanto, director of product for Secure and Defend at GitLab. “Aligning with GitLab’s mission of ‘everyone can contribute,’ we look forward to supporting and contributing to the community to bring together security-conscious developers to change open source development in a collaborative and fundamental way.”

HackerOne
“Open source software powers HackerOne,” said Reed Loden, Head of Open Source Security, HackerOne. “It powers our software, our infrastructure, and our model for engaging with our community. As part of our mission to make the internet safer, we want to make it easier for open source projects to remain secure. For over three years, we’ve given the open source community our platform for free, and we’ve been long-time supporters of initiatives like Internet Bug Bounty. Joining the Linux Foundation and the Open Source Security Foundation allows us to continue on our mission and make the internet safer alongside some of the foremost visionaries in security. We look forward to seeing the change we can make together.”

Intel
“It takes the industry working together to advance technology and accelerate open source security initiatives. Hardware and software are inextricably linked to deliver security, transparency and trust in open source software. Together with the OpenSSF, Intel will continue to play a key role in mobilizing the industry at large and solving security challenges from the cloud to the edge,” said Anand Pashupathy, GM of System Security Software, Intel.

SAFECode
“Open source software is a major component in today’s software supply chain and thus comprises a significant fraction of the software that individuals and organizations rely upon. Supporting the secure development of open source software is of critical importance to SAFECode members and the software community,” said Steve Lipner, executive director of SAFECode. “We are looking forward to bringing our software security experience to bear as we participate in the Open Source Security Foundation’s mission to build a collaborative, cross-industry community to support the security of open source software.”

StackHawk
“The use of open source has undoubtedly reached critical mass, with ever increasing dependency trees and software complexity. Equipping engineering teams to deliver secure applications simply and scalably is core to our mission at StackHawk. We are excited to be one of the founding members of the Open Source Security Foundation to ensure that this can be a reality across software development as a whole and look forward to continued partnership with the community,” said StackHawk’s Founder & CEO, Joni Klippert.

Uber
“Security and Privacy is always top of mind at Uber to ensure we are responsible stewards of our user’s data. We’re always focused on mitigating all types of software vulnerabilities and as such the security of open source software is a top priority. Historically, we’ve worked with other industry leaders to help build a strong security community around open source software and we are excited to expand those efforts with the OpenSSF,” said Rob Fletcher, Sr Manager, Security Engineering.

VMware
“Strengthening the security posture, policies, and processes in the open source community and in widely used open source projects is strengthening the whole software ecosystem – for all players,” said Joshua Lock, security tech lead, Open Source Technology Center, VMware. “VMware strongly supports the goal of making our software ecosystem more resilient and more secure.”

 

About the Linux Foundation
Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more.  The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

###

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Media Contact
Jennifer Cloer
reTHINKit Media
503-867-2304
jennifer@rethinkitmedia.com


Fledge, an LF Edge Project, Enters Growth Stage as Release 1.8 Enables Open Industrial Edge Software with AI/ML, and Public Cloud Integration

Fri, 07/31/2020 - 02:56

  • Expanded community includes integrations and contributions from Google, Nokia, Flir, OSIsoft, Nexcom, RoviSys, Advantech, Wago, Zededa and Dianomic
  • Supports complementary products and services from a global open ecosystem, with commercial support, developer support, training, ML/AI applications and scale-up and out management
  • Use cases include Gradient Racing, which uses Fledge and Google Cloud to optimize complex machine configurations and operations using ML/AI, car and driver simulators and race track digital twins  

SAN FRANCISCO – July 30, 2020 – LF Edge, an umbrella organization within the Linux Foundation that aims to establish an open, interoperable framework for edge computing independent of hardware, silicon, cloud, or operating system, today announced the maturing of its Fledge project, which has issued its 1.8 release and moved to the Growth Stage within the LF Edge umbrella. Fledge is an open source framework for the Industrial Internet of Things (IIoT), used to implement predictive maintenance, situational awareness, safety and other critical operations. Deployed in industrial use cases since early 2018, Fledge integrates IIoT, sensors, machines, ML/AI tools-processes-workloads, and cloud/s with the current industrial production systems and levels, as per ISA-95.

Fledge v1.8 is the first release since moving to the Linux Foundation. However, this is the ninth release of the project code, which has over 60,000 commits, averaging 8,500 commits/month. Concurrently, Fledge has matured into a Stage 2 or “Growth Stage” project within LF Edge. This maturity level is for projects that are interested in reaching the Impact Stage and have identified a growth plan for doing so. Growth Stage projects receive mentorship from the Technical Advisory Committee (TAC) and are expected to actively develop their community of contributors, governance, project documentation, and other variables identified in the growth plan that factor into broad success and adoption.

“Fledge, initially seeded by OSISoft and Dianomic and now a diverse project within LF Edge, is a great example of open source integration. By working closely with Google and other ecosystem partners on new and emerging use cases, we are bringing the power of LF Edge to a broader market,” said  Arpit Joshipura, general manager, Networking, Edge and IoT, the Linux Foundation. “We look forward to building an open community of industrial users, suppliers and integrators.”

Using Fledge to gather and analyze machine, process, environment and operator data in context improves efficiency, quality and safety. Gradient Racing used Fledge, Google Cloud, and Motorsports.AI to build IIoT-based digital twins of each track, a machine simulator and an operator simulator to optimize car configurations and driving strategy before each race. Using Fledge, TensorFlow and Kubernetes, two all-time track records were broken in the GT3 2019 season. See the full story here.

“Google Cloud helps customers deliver artificial intelligence to applications from the edge to the cloud,”  said Craig Wiley, director of Product Management for Google Cloud AI.  “Fledge’s ability to collect, process, transform and send machine data as well as run TensorFlow Lite on the edge makes it an excellent complement to Google’s AI platform. As an active member of the Linux Foundation, Google is proud to support this open source community through contributions to the Fledge project, empowering next generation industrial processes and machines.”

Fledge has rapidly become one of the most active open source IIoT projects. Adding to the momentum are new contributors, contributions and integrations. Highlights include:

  • Google’s contribution of its IoT Core North Plugin enables secure, reliable transfer of data to Google cloud services like machine learning.
  • OSIsoft’s contribution of the Web API North Plugin enables secure, reliable transfer of telemetry and metadata from Fledge to existing ISA95 systems like PI, OCS and EDS.
  • Nexcom’s contribution of CAN bus 2.0, J1708 and J1939 south plugins provides real-time monitoring for fleet management of cars and heavy duty trucks.
  • Dianomic’s contribution of new core services, alert services and orchestration services enables advanced vibration-based applications, more security and scalable management.
  • Nokia integrated Fledge with the Nokia Digital Automation Cloud (NDAC), Nokia’s industrial-grade private wireless network.
  • Google and Nexcom completed integration of Fledge within Google’s Coral line of ML processors and Nexcom’s industrial gateways.
  • Flir and Dianomic completed a south plugin integration with Flir’s line of industrial infrared cameras.

Industrial Operational Technology (OT) markets are new to the Linux Foundation, and open source projects are new to OT use cases. Just as the LAMP stack enabled web application development, the Fledge project’s mission is to enable IIoT application development. Together we can solve the diversity and complexity issues when collecting and processing data beyond current control networks and eliminate silos of data by integrating with mission-critical ISA95 systems, ML systems, and the cloud.

Learn more about Fledge in an upcoming On the Edge with LF Edge webinar, entitled “How Google, OSIsoft, FLIR and Dianomic use Fledge to implement Industrial 4.0,” August 13 at 9 am PT. Details and registration here: https://zoom.us/webinar/register/9215960636525/WN_1jGqjfJoT4-Iv2y6YDGgYg

Join Fledge and other LF Edge projects at the Open Networking & Edge Summit (ONES), a virtual experience happening September 28-30. ONES is the industry’s premier open networking event now expanded to comprehensively cover Edge Computing, Edge Cloud & IoT. Open Networking & Edge Summit (ONES) enables collaborative development and innovation across enterprises, service providers/telcos and cloud providers to shape the future of networking and edge computing. Learn more and register today: https://events.linuxfoundation.org/open-networking-edge-summit-north-america/

Industry Support for Fledge

Advantech
“Advantech is pleased to be part of the Linux Foundation Fledge 1.8 project along with our solution partner, Dianomic,” said David Liu, director of IoT solutions and strategic alliances at Advantech. “Our company vision is to ‘Enable an Intelligent Planet.’ Open source application stacks for an industrial transformation, along with our rugged hardware, help complete that vision. As a leader in IoT intelligent systems and embedded platforms, we strive every day to better assist partners and customers in connecting their industrial chains through IoT hardware and software solutions with edge intelligence. The field-tested Fledge solution will play a key part in our continued efforts to co-create advanced solutions for a wide range of industries in the Industrial IoT.”

Dianomic
“Dianomic and OSIsoft were pleased to contribute the FogLAMP code to seed the Linux Foundation’s Fledge project for the Industrial IoT Edge,” said Tom Arthur, CEO Dianomic. “This first release of Fledge 1.8 is a mature, field-tested solution already operating in power generation, power transmission & distribution, water & wastewater processing, discrete manufacturing, mining and professional auto racing. We invite manufacturers, equipment suppliers, system integrators and partners to join our community as we grow THE open source application stack for industrial transformations.”

FLIR
“For more than 40 years, FLIR thermal imaging has provided technologies for industrial users to improve their capabilities and safety on the job,”  said Chris Bainter, Director Global Business Development.  “Partnering with Dianomic we deployed our Ax8 and 300 series cameras using Fledge in energy substations and wastewater plants. Fledge easily and successfully integrated our sensor’s video, IR video and temperature reading outputs into our client’s existing operational, maintenance and safety systems. Fledge proved to Flir the future of open source for industrial 4.0 applications has arrived.”

Nexcom
“NEXCOM is proud to support FLEDGE from the Linux Foundation, establishing a growing line of preloaded and edge-enabled industrial gateways,” said Alexander Su. “The pre-configured products include the NIFE 105 for fixed assets, and the VTC 1910 targeted at transportation related use cases. In addition, NEXCOM has contributed code to the Linux Foundation supporting FLEDGE southbound plugins for CAN 2.0, J1708 and J1939, to provide real-time monitoring for fleet management. The MVS2623 with Coral intelligence, provides a powerful purpose-built gateway combining the flexibility of FLEDGE with the strength of Google’s Edge TPU, better enabling edge use cases like real-time object detection from IP or USB cameras.”

Nokia
Janne Parantainen, head of technology, Nokia Digital Automation said: “We run Fledge 1.8 on our edge platform bringing the benefits of optimized wireless communication to the industrial protocol domain and enabling new use cases across multiple industries. Deployed as part of our Nokia Digital Automation Cloud, it offers a way to transfer legacy industrial protocol data to new solutions. Nokia Digital Automation Cloud provides 5G-ready, reliable wireless connectivity, industrial applications and industrial ruggedized devices for addressing Industry 4.0 needs” www.dac.nokia.com

OSIsoft
“OSIsoft’s PI System is the most trusted source of real-time operational data. We enable the collection, standardization, contextualization and federation of large volumes of industrial, operational data.” said Richard Beeson, CTO OSIsoft. “Fledge solves the diversity and complexity issues when collecting and processing data beyond the process control network. OSIsoft recommends all our industrial customers and partners begin their IIoT journey by integrating Fledge into their industrial 4.0 deployments and asks them to join our growing community.”

Rovisys
“As an Operation Technology (OT) solution provider that is actively venturing into the world of Industrial AI, RoviSys sees value in using Fledge to collect manufacturing and IIoT data from the plant floor, including connecting to historians and cloud-based advanced data analytic platforms.”  said Bryan DeBlois, Director of Industrial AI RoviSys.  “Furthermore, commercially supported FogLAMP enables us to implement vibration analysis, apply machine learning models and detect anomalies to predict quality, improve maintenance, and monitor setpoints.  This helps our customers minimize downtime and maximize production efficiencies across their entire operation.”

TQS Integration
“With Fledge, industrial manufacturing now gets the technology needed to acquire datasets from sources that had previously not been able to cross the threshold of traditional cost-benefit analyses. Fledge is uniquely placed to solve data collection on the edge, and within existing process control networks, providing customers the flexibility to apply Industry 4.0 technologies with their entire infrastructure,” said Tom Quilty, director of Technology for TQS Integration. “With Fledge, we can advance our customer’s ability to maximize their current investments, maximize the value gained from IIoT devices and accelerate time-to-value for Industry 4.0 applications.”

WAGO
“WAGO, a technology leader of industrial control and interconnect products, strives to be the backbone of a smart connected world.  This backbone is created  through constant innovation and empowered connections with our customers and industry partners.  Technologies like the Linux Foundation’s Fledge 1.8, and partners like Dianomic help our customers realize their true potential and expand on what is possible in an industrial control system.   The WAGO 750 Series has millions of units installed globally and supports applications with over 300 IO modules and more than 16 industrial fieldbus protocols offered.  Leveraging WAGO with Linux & Docker capabilities  provides the means to  add IIoT platforms like Fledge and benefit from all that Fledge offers to simplify cloud integration, management, and orchestration. Employing WAGO for ease of field wiring, data collection and/or control tasks while using the IEC 61131-3 PLC runtime and integrating it with the possibilities of Fledge creates a powerful platform for a smart connected world.”

ZEDEDA
“The most successful organizations going forward will have a model strongly rooted in an open philosophy that facilitates interoperability and agility, and the industrial market is no exception,” said Jason Shepherd, VP Ecosystem, ZEDEDA. “Dianomic’s FogLAMP offer is tailored to the unique needs of industrial customers and their open source foundation hosted in LF Edge helps customers mitigate lock-in and focus on value creation rather than reinvention. We look forward to working with Dianomic within our growing ecosystem to address critical business needs for industrial customers.”

About the Linux Foundation
Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more.  The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Open Mainframe Project Announces the Full Schedule for the Inaugural Open Mainframe Summit on September 16-17

Fri, 07/31/2020 - 02:51

The open source mainframe virtual event features keynote speakers from Broadcom, Hyperledger, IBM, and The Linux Foundation

SAN FRANCISCO, July 30, 2020 – The Open Mainframe Project (OMP), an open source initiative that enables collaboration across the mainframe community to develop shared tool sets and resources, today announces the complete schedule of the inaugural Open Mainframe Summit. The virtual event takes place September 16-17 and will feature Ross Mauri, General Manager of IBM Z and LinuxONE at IBM; Greg Lotko, Senior Vice President and General Manager, Mainframe Division at Broadcom; Brian Behlendorf, Executive Director of Hyperledger; and The Linux Foundation’s Jim Zemlin, Executive Director, and John Mertic, Director of Program Management.

Open Mainframe Summit will focus on all open source projects and technologies impacting the mainframe. The event enables a collaborative environment that offers seasoned professionals, developers, students and leaders a forum to share best practices, discuss hot topics, and network with like-minded individuals who are passionate about the mainframe industry.

Conference Sessions Include:

  • COBOL and the Modern Mainframe Movement – Jessielaine Punongbayan, Senior Software Engineer and Richelle Anne Craw, Senior Software Engineer, Broadcom
  • Beyond the Mainframe Security Features, it is Time to Learn about Open Source Software Security – Javier Perez, Open Source Program Office Manager, IBM
  • How Two Millennials Built a Mainframe Security Model on Top of Zowe in Six Weeks (and yes it works on all ESMs) – Kyle Beausolei, Software Engineer and Jordan Filteau, Software Engineer, Rocket Software
  • Cloud Foundry Orchestrated by Kubernetes on Linux on IBM Z – Vlad Iovanov, Software Engineer, SUSE and Dan Pavel Sinkovicz, Student Mentee
  • How Zowe and Open Source Made me Talk to the Mainframe (literally) – Youngkook Kim, Z/LinuxONE Solutions Architect, Vicom Infinity
  • Zowe Conformance: High-reliability Extensions for Mainframe Tools, Guaranteed – Rose Sakach, Global Product Manager, Broadcom
  • Open Source infrastructure-as-a-Service Automation for IBM z/VM – Mike Friesenegger, Solutions Architect, SUSE and Ji Chen, IBM Cloud Infrastructure Center Architect, IBM
  • A 360 Degree View on LinuxONE Security & Compliance – Pradeep Parameshwaran, Technical Security Lead, LinuxONE & Linux on IBM Z, IBM

See the full conference schedule here. Conference Registration for the online event is $50 for general attendance and $15 for academia.

Open Mainframe Summit is made possible thanks to Platinum Sponsor Broadcom and Gold Sponsors SUSE and Vicom Infinity.  For information on becoming an event sponsor, click here.

Members of the press who would like to request a press pass to attend should contact Maemalynn at maemalynn@linuxfoundation.org.

About the Open Mainframe Project

The Open Mainframe Project is intended to serve as a focal point for deployment and use of Linux and Open Source in a mainframe computing environment. With a vision of Open Source on the Mainframe as the standard for enterprise class systems and applications, the project’s mission is to build community and adoption of Open Source on the mainframe by eliminating barriers to Open Source adoption on the mainframe, demonstrating value of the mainframe on technical and business levels, and strengthening collaboration points and resources for the community to thrive. Learn more about the project at https://www.openmainframeproject.org.

About The Linux Foundation

The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and commercial adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Solving technical debt with open source

Thu, 07/23/2020 - 01:20
Overview

In a new Linux Foundation paper, Technical Debt and Open Source Development, co-authored by Ibrahim Haddad, Ph.D. and Cedric Bail, M.Sc., the causes and consequences of technical debt are explored in detail. It includes discussions on identifying technical debt, how to minimize it, the role of open source development, and strategies to address the issue at scale.

The authors worked together within the Open Source Group at Samsung Research and directly experienced minimizing internally carried technical debt via working with upstream open source projects. That experience covered dozens of open source projects used across multiple products and business units with varying degrees of involvement and expertise with upstream development. 

The definition of technical debt

Technical debt, a term used in software development, refers to the cost of maintaining source code that was caused by a deviation from the main branch where joint development happens. 

A broader interpretation of what constitutes technical debt is proprietary code by itself:

  • A single organization has developed it.
  • It is source code that the organization alone needs to carry and maintain.
  • In some cases, the organization depends on a partner’s ability to maintain the code and carry that said debt.

The following symptoms can identify technical debt:

  • Slower release cadence: time increases between the delivery of new features.
  • Increased onboarding time for new developers: onboarding new developers becomes highly involved due to code complexity, where only insider developers are familiar with the codebase. The second manifestation of this symptom is the difficulty in retaining developers or hiring new developers.
  • Increased security issues: at least, experiencing more security issues than the main upstream branch.
  • Increased efforts to maintain the code base: maintenance tasks become more time consuming as the body of code to maintain becomes larger and more complex.
  • Misalignment with the upstream development cycle: illustrated by the inability to keep pace and be aligned with the upstream development and release cycles.

Consequences of technical debt

Creating and carrying technical debt will have several negative effects on development efforts, including:

  • The higher cost of code maintenance. 
  • Slower innovation and development cycles.
  • Paying interest on the debt — payment of technical debt is in the form of additional development needed to keep up with the main branch, the competition, and the rest of the world.
  • Possibly missing out on new features in the main branch or having to backport all new development into the forked branch internally.
  • Duplicate work with the main branch arising due to the delta between the internal and public branches being too large.

The worst possible consequence is the effect on the long term maintainability of the code base where organizations often find themselves maintaining their fork.

In many cases, tech debt is unavoidable short term. Carrying technical debt is mostly a decision that developers need to make all the time. The long term goals of any engineering effort should be to minimize and eliminate any tech debt resulting from any development effort. With proper policies, processes, training, and tooling, organizations can help mitigate and guide the engineering efforts towards lowering tech debt.

Open source has a significant role, and aligning your development efforts with upstream open source projects can result in a direct positive impact on the amount of the tech debt an organization carries. Just as financial debt involves paying interest, technical debt has a different kind of interest that needs to be carried: It’s not interest-free!

Technical debt hinders your development and prevents new growth. Transferring your technical debt to become part of the open source world's infrastructure lowers it and lets you build on a giant’s shoulders that keep growing.

How open source development provides a roadmap for digital trust, security, safety, and virtual work

Wed, 07/22/2020 - 21:00
Introduction

During COVID-19, we’ve all seen our daily lives, and those of many of our colleagues, friends, and family around the world completely changed. Many are adjusting to working from home and homeschooling their children, or caring for family and those with the virus. At the same time, billions worldwide are connected, sharing, and working together virtually despite their daily routines and working arrangements changing drastically. 

While there’s no disputing that the pandemic will dominate our collective attention for months to come, it’s a natural time to reflect on what is essential. It’s also a natural time as open source developers to consider how we should prioritize the most impactful work, and collaborate on technology development that can influence our world, for the better, after COVID-19. 

We’ve seen an uptick in interest around open source, in particular, as a means of helping humanity through these challenging times. What better way to solve a problem that affects all of us, collectively, than to share and build solutions to our problems, together? 

Here we outline the trends we’re seeing shape technology development in this unprecedented time. We believe this can also provide insight into what a post-COVID world may look like. 

Open collaboration embraces remote work and provides a guide for others

Open source developers have always fostered a sense of adaptability. It’s always been a critical skill needed to work on any open source project — we’re ready to meet the challenges of this moment. All of us hope for a quick return to normalcy, but we know that it will likely be months (hopefully not years). 

The Linux Foundation is also conscious of the economic reality facing the world as economists and accountants tally the cost of this pandemic. Like our communities, we are seeking to optimize for a new reality, but also working to redeploy and transition employees into new areas to fill in gaps where they can be most helpful to our communities. 

Open source communities during this time have been resilient. Open source software development by its very nature happens, and thrives, amongst a distributed group around the world. Many individuals in our communities are already working in a distributed virtual environment on their open source collaboration efforts.

Open source communities are still moving forward. As the world quickly migrated to virtual work environments, the online developer communities familiar with working together virtually had a pretty smooth transition, or in some cases, no disruptions at all. We are seeing many open source communities push forward despite all the challenges around them at home and in their local communities. Given their experience working in virtual environments, many open source community members and organizations are sharing their best practices and helping others adapt to working virtually. 

Developers helping coronavirus response with open source software and hardware solutions

It’s uplifting to see so many in our community contributing to the fight against this virus, whether it be providing supercomputer access to scientific researchers, open source personal protective equipment (PPE), offering bots to help people assess their symptoms, empowering doctors with access to diagnostic tools, supporting families struggling to transition to work and school from home, or contributing to relief efforts. We’ve also seen the medical industry and open source coming together to solve problems, such as an OpenLung project. As locales are starting to “reopen,” contact tracing will become critical, and we’re seeing communities form to address contact tracing application needs.

Governance and trust through applied open source governance models

We believe that the broader technology industry can use open source governance models to address more widespread industry challenges that could not be as easily solved with more traditional, proprietary solutions. Many blockchain open source software projects have arisen over the last few years that are now ready to support industry ecosystem and utility networks. We see early adopters moving beyond just software to addressing challenges with trust and verification in blockchain systems in our recently announced Trust over IP project.

In open source software communities, many organizations leverage nonprofits like the Linux Foundation to have a neutral home for an open governance model that no one company in the industry controls. We see a trend that those same principles apply in the case of the governance of an industry service built on blockchain technology with nodes contributed by multiple organizations. 

We expect to see initial governance communities emerge in 2020, focusing on identity and tracking and tracing use cases. Those initial communities will likely enable new applications and innovations that can be built on top of these industry and ecosystem platforms.

Open source at the edge of the network to address security, safety, and growth challenges

We’re also seeing trends of open source technologies becoming critical systems that are often viewed as the “last mile.” 

With open source becoming pervasive, we now have to think about these technologies as they support critical infrastructures. LF Energy and LF Networking are becoming more focused on economic and financial systems (see FINOS), and also safety systems (see ELISA).

Many other critical infrastructure systems have a severe impact if they fail. With open source software underpinning these critical systems, we need to figure out how to manage these systems. To succeed, our members started with identifying and tracking what software is in a system (see SPDX) and how to maintain software over a very long lifespan (see  Civil Infrastructure Platform). 

Additionally, LF Networking & LF Edge are seeing a significant uptake in developer contributions as 5G, Edge, IoT, and Network Automation become increasingly crucial in the enterprise.

Securing the software supply chain

Beyond identifying the software (open source or not) in a system, the software supply chain deserves more security attention. We started exploring this issue within our Core Infrastructure Initiative and its Census I and Census II studies, and the practical challenges of managing supply chains in our OpenChain project. Looking out through the end of the year, we expect to explore the problem from the perspective of maintainers. We hope to see additional resources to help fix broken projects, increase the adoption of standards, and help address the challenge in its entirety. A challenge this large requires the community to come together and focus its efforts on solving security problems, together. We think the industry is ready and able to take this on.

Embracing and creating open standards

The fourth trend we’re looking at this year is a convergence of standards and open source. This trend has been increasing over the past few years, but we’re now at a point where organizations better understand where standards play a role and where open source plays a role. Standards development is a collaboration that can happen with open source implementations, often trailing an open source implementation; open source software development has turned conventional standards development upside down — and inside out.

Within the Linux Foundation ecosystem, we have open technical communities building software and specifications. We also have communities that have identified interoperability points, processes, or frameworks for technology or managing technologies, that all benefit from being formally written as specifications. Standards are a natural next step in their journey as ecosystems coalesce around a common specified way of doing things. This year started with the Joint Development Foundation (JDF) being approved as an ISO PAS Submitter, making it possible for our communities to go from a specification repository to an international standard. We expect to see many more communities forming that are focused on a hybrid of standards and open source development.

In addition to its work with the JDF, LF Networking also has a great collaboration with other established standards development organizations to ensure harmonization of specifications and code in the open source projects that facilitate deployment for carriers globally. 

Conclusion: Life after defeating the virus

Finally, the last trend we wish to highlight goes back to the beginning of this article — we see a pattern of our communities adapting to help society move forward in the face of a pandemic. I’ve already covered some of the COVID-19 response initiatives above, but this is a different point.  

We’re seeing a shift to virtual events, remote work cultures, virtual “happy hours,” and other means of productively working together, virtually. Many of these practices will stick with us post-pandemic. Our organization is already exploring how to use virtual events to augment future physical events (yes, they will exist again). 

Virtual conferences may be a great path to offering more inclusive events where those of us unable to travel to an event physically can still find a way to participate at some level. We’re seeing the impact of virtual training and certifying professionals in freely available open source technologies — and it has a real impact on job prospects and employment. Virtual testing proctors have become an effective way to certify professionals. Similarly, virtual platforms can help facilitate mentorship and enable less experienced developers to find and connect with more skilled developers willing to lend a hand.

The coronavirus has opened the world’s eyes to the needs of systems and plans for pandemic situations. This year we will likely see technology communities and organizations adapt and develop the “playbook” for how the world does business in the face of a pandemic. But many of those practices will likely stay with us long after we defeat COVID-19. 

The ACRN™ Open Source Hypervisor for IoT Development Announces ACRN v2.0 and Functional Safety Certification Concept Approval

Tue, 07/21/2020 - 23:00

New hybrid-mode architecture expands the scope of the project to include industrial IoT and edge device use cases, delivers new flexibility in resource sharing across virtual machines and new levels of real-time and functional safety

San Francisco, Calif., July 21, 2020 – Project ACRN, an open source IoT hypervisor hosted at the Linux Foundation, today is announcing ACRN v2.0, which expands the scope of the project and introduces a new hybrid-mode architecture with a focus on industrial IoT and edge device use cases, delivering flexibility in resource sharing and new levels of real-time and functional safety for demanding workloads in both the automotive and industrial segments.

“The ACRN project is moving fast to address the increasingly complex requirements for IoT devices, networks and environments,” said Mike Dolan, senior vice president and general manager of projects at the Linux Foundation. “This speed and agility in development can only be achieved through collaboration and we’re happy to be able to support this important work.”

Eddie Dong, senior Principal Engineer, architect, and maintainer of Project ACRN said, “The rapid evolution and development from version 1.0 to 2.0 in a year demonstrates the momentum of this project and the demand for a flexible, real-time, safety-critical, open source hypervisor for industrial players that are architecting mission-critical technologies.”

ACRN version 2.0
ACRN 2.0 uses a hybrid-mode architecture to support real-time industrial IoT workloads and edge devices and simultaneously supports both traditional resource sharing among Virtual Machines (VMs) and complete VM resource partitioning required for functional safety. Workload management and orchestration are also enabled now with ACRN, allowing open source orchestrators such as OpenStack to manage ACRN VMs. ACRN supports secure container runtimes such as Kata Containers orchestrated via Docker or Kubernetes.

ACRN 2.0 main features include:

  • ACRN architecture upgrade to support hybrid mode
  • New hardware platform support
  • Pre-launched Safety VM support
  • Post-launched VM support via OVMF
  • Post-launched Real-time VM support
  • Real-time VM performance optimizations
  • CPU sharing support
  • Large selection of OSes for user VMs
  • GRUB bootloader
  • SR-IOV support
  • Both passthrough and shared Graphics support
  • Shared memory based inter-VM communication
  • Configuration tools support
  • Kata Containers Support
  • VM orchestration
  • Improved Documentation

Rina Raman, Vice President and General Manager of the Embedded Acceleration Division at Intel Corporation said, “The fourth industrial revolution, characterized by a fusion of disruptive technologies, requires agility and the ability to consolidate heterogeneous workloads, some of which carry very strict requirements of Functional Safety certification or Real-Time behavior. With its 2.0 release, Project ACRN is now offering an open source hypervisor that makes such workload consolidation possible.”

Thomas Berndorfer, CTO, TTTech Industrial said, “ACRN 2.0 prioritizes the three key requirements for hypervisors today in the Industrial IoT and edge environments: functional safety, real-time, and flexibility for resource sharing among virtual machines. This set of features is uniquely found in ACRN. Contributing actively to the project allows us to shape the future of this critical and rapidly developing technology. ACRN delivers a flexible, real-time, open source hypervisor for industries that have the world’s most demanding mission-critical requirements.”

You can find details about these features and more in the ACRN 2.0 release notes: https://projectacrn.github.io/latest/release_notes/release_notes_2.0.html

ACRN Functional Safety Certification – Safety Concept Approval
ACRN has successfully received concept approval from TÜV SÜD Rail GmbH for its functional safety concept, design and management process in place. The concept approval letter claims that “ACRN Hypervisor is able to fulfill the requirements in accordance with SIL 3 of the IEC 61508 standard.” TÜV SÜD is a trusted partner of choice for safety, security, and sustainability solutions. IEC 61508 is considered as the “Golden Standard” in the functional safety industry. ACRN is on track to receive the final functional safety certification by the end of 2020.

About the ACRN Project
ACRN is a flexible, lightweight reference hypervisor that is built with real-time and safety-criticality in mind. It is optimized to streamline embedded development through an open source platform. ACRN Project members include ADLINK, Aptiv, Intel Corporation, LGE, and Neusoft Corporation. To learn more about the project, visit projectacrn.org.

3D Printing Effort Becomes Linux Foundation Open Standards Project, Announces New Executive Director

Tue, 07/21/2020 - 23:00

3MF Consortium joins Linux Foundation, announces new executive director as it moves from development to adoption

San Francisco, Calif., July 21, 2020 – The 3MF Consortium, the organization dedicated to advancing a universal specification for 3D printing, today announced it is becoming a Linux Foundation member and that HP’s Luis Baldez is its new Executive Director (ED). Baldez supersedes Microsoft’s Adrian Lannin, who has served as ED since the 3MF Consortium was founded in 2015. Among the original creators of the 3MF Consortium, Lannin will remain a strategic advisor to the group.

The 3MF Consortium is among the original members of the Joint Development Foundation (JDF), which became part of the Linux Foundation in recent years to enable smooth collaboration among open source software projects and open standards. 3MF will take advantage of the combined strengths of the Linux Foundation/JDF alliance to advance 3D printing specifications and formats. With the majority of the world’s largest players in the 3D printing industry, 3MF Consortium represents the core of the industry’s innovation in this area.

“The 3MF Consortium has done the important work to create an open standard for 3D printing. The time is now to drive the evolution of 3MF from development to adoption,” said Luis Baldez, executive director, 3MF Consortium. “We would not be where we are today without Adrian Lannin’s leadership and contributions, and we’re looking forward to his insights as our ongoing advisor.”

Baldez was recently elected Executive Director by the 3MF Consortium membership to expand upon the technical progress and success of the 3MF standard by building new functionalities for the standard through collaboration with Linux Foundation and JDF. Baldez is a 3D printing veteran with experience across new technology business development. It is this combination of expertise that makes him well-suited for the ED role at 3MF Consortium, where the focus is maturing from standards development to implementation and adoption. Baldez has also held R&D engineering leadership positions at other multinationals and startups.

“Luis is a longtime champion of open standards and is an expert in the 3D printing space,” said Alex Oster, chairman of the 3MF technical working group and director of additive manufacturing at Autodesk. “Luis’ leadership and our collaboration with Linux Foundation will accelerate our work on 3D printing and help us build an even more vibrant network of contributions.”

The 3MF Consortium has grown rapidly since its formation in 2015, garnering new member investments and adoption across the industry’s leaders in 3D printing. It is supported by 3D Systems, Autodesk, GE, HP, Materialise, Microsoft, nTopology, Stratasys, and Siemens among 16 companies and has been implemented in nearly 40 products across 22 companies. The 3MF specification is robust and includes six extensions that range from core and production to slice, material and property (including color), beam lattice and security. The Secure Content specification was recently released and establishes an underlying mechanism for payload encryption of sensitive 3D printed data based on modern web standards. For the detailed specifications for all extensions, please visit the 3MF Consortium github repository: https://github.com/3MFConsortium/

For more information about the 3MF Consortium, please visit: https://3mf.io/

About the 3MF Consortium
The 3MF Consortium is comprised of leading AM hardware and software companies driving the Industry 4.0 revolution. The consortium releases and maintains the 3MF specifications that allow design applications to send full-fidelity 3D models to a mix of other applications, platforms, services, and printers. For more information, please visit: https://3mf.io/.

About the Joint Development Foundation
Launched in 2015, the Joint Development Foundation (the Joint Development Foundation) is an independent non-profit organization that provides the corporate and legal infrastructure to enable groups to quickly establish and operate standards and source code development collaborations. More information about the Joint Development Foundation is available at http://www.jointdevelopment.org/.

About the Linux Foundation
Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more.  The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit  linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

###
Media Contact
Jennifer Cloer
jennifer@rethinkitmedia.com
503-867-2304

The post 3D Printing Effort Becomes Linux Foundation Open Standards Project, Announces New Executive Director appeared first on The Linux Foundation.

Open Source Communities and Trademarks: A Reprise

Thu, 07/09/2020 - 04:37

Intellectual property and how it is shared have been the cornerstone of open source. Although it is more common to discuss “code” or “copyright,” there are other IP concerns around patents and trademarks that must be considered before investing time and effort in a major open-source project. There are long-established practices that govern these matters. Companies and lawyers involved in open source have been working on and evolving open source project trademark matters for decades.

Neutral control of trademarks is a key prerequisite for open source projects that operate under open governance. When trademarks of an open source project are owned by a single company within a community, there is an imbalance of control.  The use of any trademark must be actively controlled by its owner or the owner will lose the right to control its use. The reservation of this exclusive right to exercise such control necessarily undermines the level playing field that is the basis for open governance. This is especially the case where the trademark is used in association with commercial products or solutions. 

Open source licenses enable anyone to fork the code and distribute and modify their own version. Trademarks, however, operate differently. Trademarks identify a specific source of the code. For example, we all know MariaDB is not the same as MySQL. They’ve each developed their own brand, albeit they’re derived from a common codebase. The key question is who decides when a company should be allowed to associate its product or solution with the brand of the community?

A trademark is a word, phrase or design that denotes a “brand” that distinguishes one source of product or solution from another. The USPTO describes the usage of trademarks “to identify and distinguish the goods/services of one seller or provider from those of others, and to indicate the source of the goods/services.” Under US trademark law you are not able to effectively separate ownership of a project mark from control of the underlying open source project. While some may create elaborate structures around this, at the end of the day an important principle to follow is that the project community should be in control of what happens to their brand, the trademark they collectively built up as their brand in parallel with building up the functionality of their code. 

For this reason, in communities that deem their brand important, we also file registrations for trademark protection to reserve the rights in the mark for the project, commonly in the United States, China, European Union, Japan, and other countries around the world. Registered marks will often have a ® symbol. This is different from a common law trademark right where you often see a ™ symbol with the mark. Having a registered trademark is often important because it enables us to better protect the community against misrepresentation, misuse, and confusion in the ecosystem between what is actually the community-built project, and what is not. This is often based on specific benefits that arise from the registration, which may vary from country to country.

The Linux Foundation started hosting projects outside of Linux a decade ago. From the outset, the brand of a project community we host has been an important asset that we have been asked to protect for our communities. The communities’ goals and motivations are always different, but, in general, the organization contributing a trademark usually wants to ensure it denotes the community they’re helping to establish at the LF, and the other participants in the ecosystem want the confidence that one company can’t tell them what they can or cannot do with a project we host because they retained ownership of the trademark.

This neutrality is the very essence of what we try to establish at the Linux Foundation with our projects. Our projects are set up to be neutral – the Linux Foundation or our project entities own the mark. We then put the control over decisions about the mark into the hands of our project communities, to be determined by them in an open and transparent manner to achieve their collective goals.

For example, in March of 2017, we participated in a meeting hosted at a KubeCon in Berlin, where the organizations involved in Kubernetes sat down in a packed room to discuss what they wanted to do with the Kubernetes brand as it related to companies using Kubernetes in conjunction with their commercial products or solutions. When drafting the governance for CNCF, Google had insisted it was important for the Linux Foundation to also own the Kubernetes mark as part of CNCF—so that branding control would go hand in hand with neutral, community-driven governance. 

However, the LF was not in a position to determine when one company should or should not be able to say their solution was a “Kubernetes”-based product. We needed a program to allow companies and other organizations to use the trademark commercially to denote their distribution or compatibility with the community’s Kubernetes releases. That initial group worked for months to define what it means to have a conformant Kubernetes distribution. That’s also why the promise of portability amongst cloud providers actually works today. Those technical experts from the community as a whole defined exactly what it would take to deliver on the promise of portability. And then the definition of conformance that they established has been backed up by the neutral ownership of the Kubernetes trademark, in the Linux Foundation. What’s even more important is that the community remains in control of the program. In fact, the definition of conformance is controlled by Kubernetes’s SIG Architecture and changes in a carefully controlled process in each release as new APIs become stable and obsolete ones are deprecated. 

This same story has played out in other communities we have hosted. We’ve had many communities build consensus around what it means to be compatible or conformant with the releases coming from our project communities. So many that we recently wrote an entire blog just about the topic.

What these examples show is that a community can neutrally manage a trademark within the LF’s structure. We tend to refer to these as “community-managed trademark” programs. The marks are owned by the LF entity for the project, and we work with the communities we serve to establish the rules around usage of our marks.

Recently there has been a new round of conversations about open source projects and ownership of trademarks. Understandably there has even been concern that open source hasn’t addressed issues of trademarks as it relates to major OSS projects. This is not the case. While the motivations vary, one aspect remains constant: trademark law. 

We’ve been asked, “can we have the LF manage our trademark too?” The answer is yes. Let us know what project you’re managing and we’re happy to help you understand what’s involved in setting up a community-managed trademark program for your project. To date, we have successfully done this for the most important open source projects in the world and projects that are the most important to a few people. We can probably help support you as well.

The post Open Source Communities and Trademarks: A Reprise appeared first on The Linux Foundation.

Understanding US export controls with open source projects

Wed, 07/08/2020 - 21:01

Chinese Language Version Available

Introduction

One of the greatest strengths of open source development is how it enables collaboration across the entire world. However, because open source development is a global activity, it necessarily involves making software available across national boundaries. Some countries’ export control regulations, such as those of the United States, may require taking additional steps to ensure that an open source project is satisfying obligations under local regulations.

The Linux Foundation has recently published a whitepaper that covers these considerations for open source communities in detail, which can be downloaded here. This blog post is a summary of the general principles open source communities should be aware of and follow as it relates to both US export control requirements and open source encryption.

Export controls in the United States and other countries

The primary source of United States federal government restrictions on exports are the Export Administration Regulations or EAR. The EAR is published and updated regularly by the Bureau of Industry and Security (BIS) within the US Department of Commerce. The EAR applies to all items “subject to the EAR,” and may control the export, re-export, or transfer (in-country) of such items.

Under the EAR, the term “export” has a broad meaning. Exports can include not only the transfer of a physical product from inside the US to an external location but also other actions. The simple act of releasing technology to someone other than a US citizen or lawful permanent resident within the United States is deemed to be an export, as is making available software for electronic transmission that can be received by individuals outside the US. 

This may seem alarming for open source communities, but the good news is open source technologies that are published and made publicly available to the world are not subject to the EAR. Therefore, open source remains one of the most accessible models for global collaboration.

For the purposes of compliance with the EAR, if the open source technology is publicly available without restrictions upon its further dissemination, then it is “published” and therefore “not subject to” the EAR. 

In addition to the United States, the European Union has similar provisions under its own export control regulations.

What kind of open source projects are not subject to the EAR and export restrictions?

All of them. Open source software from the Linux Foundation and project communities we work with is published and made available to the public without restrictions on further dissemination or distribution of the software. 

The following typical scenarios (but not an exhaustive list) are not subject to the EAR because “open source” is “published”:

  • Open source software that is published publicly is not subject to the EAR
  • Open source specifications that are published publicly are not subject to the EAR
  • Open source files that describe the designs for hardware that are published publicly are not subject to the EAR
  • Open source software binaries that are published publicly are not subject to the EAR

To meet the requirement of “published” under the EAR, however, open source communities may need to take an additional step if the project includes encryption technology.

Projects that use encryption

The EAR regulates exports of certain encryption software and technology. The definition of “encryption software” is very broad and can include software that merely activates or enables encryption features in another software or hardware product.

However, as with the EAR exemption for software that is published, there is also an exemption for software that uses encryption if (1) it is “publicly available,” and (2) an email notification has been sent for it to the addresses listed in that section.

To meet the first of the exemption requirements, the meaning of “publicly available” refers to the EAR’s definition of “published,” which includes public dissemination by posting on the Internet on sites available to the public. Given this, the first part of the test should be met for all fully-public open source software projects: if the project’s source code is openly available on the Internet, then it should be considered “publicly available.”

To meet the second of the exemption requirements, it is additionally necessary to send an email to two specified addresses, one at BIS at crypt@bis.doc.gov and the other at the US National Security Agency (NSA) at enc@nsa.gov. The email should include the URL of the publicly-available code (or a copy of the code itself). An updated notification should be sent later if the previously-provided URL or copy has changed.

After these two requirements are satisfied, then its corresponding object code counterpart for the project is also not subject to the EAR.

At The Linux Foundation, the source code for all of our projects, including encryption software, is publicly available, and we have provided email notices as described above. We also make copies of these email notices publicly available for viewing on the LF’s website. As a result, the Linux Foundation’s project source code and corresponding object code are not subject to EAR encryption restrictions.

Please keep in mind that this applies only to the open source project itself. Downstream redistributors of modified project code or products derived from it, where the source code is not publicly available, would still need to evaluate their own compliance with the EAR (just as with any other software that they export).

In addition to projects that use encryption, the EAR added a new regulation in January 2020 for systems that employ a certain use of neural network-driven geospatial analysis training. As with other open source technologies that are publicly available, open source software that is published and publicly available, even in this category of neural network-driven geospatial analysis training, would also not be subject to the EAR. Please refer to our full whitepaper for more explanation.

Best practices for open source software communities

While open source projects are exempt from EAR restrictions, there are a few practices we have learned or developed that may be helpful for all open source communities as it relates to export regulations. 

We often use the word “open” to mean many things: an open source license, open and transparent discussions, open community, openly available source code on a public repository. “Open” may seem an obvious practice for open source communities, but the following are some specific recommendations for communities to consider. 

Be open and be public

First, communities should strive to keep their technical conversations open and public. If private technical conversations happen within communities, that’s normal, but it is recommended to make the community decisions and outcomes publicly available. It is important for our projects to make information available transparently and publicly as the private exchange of technology or technical information may not meet the “publicly available” standard according to the EAR.

One question that has come up has to do with exchanges of information related to security issues under a security disclosure process. As a best practice, projects may want to consider making exchanges like this public upon the availability of fixes, and not limit this information to only a confidential disclosure list.

Send notifications of encryption to BIS and the NSA

If your open source software project implements or uses encryption functionality classified under ECCN 5D002, you will likely want to deliver a notification of encryption to the BIS and the NSA according to the EAR requirements. The EAR describes these requirements:

    • Send an email to crypt@bis.doc.gov and enc@nsa.gov. If your project is an LF project and your notice is not listed on our export website, please notify legal@linuxfoundation.org.
    • The email should contain either the URL of the publicly available encryption source code or a copy of the source code itself. 
    • If you provided a URL to a site where you posted the source code on the Internet, you must notify by email again each time the Internet location is changed, but you are not required to notify them of updates or modifications made to the encryption source code at the previously notified location.
    • If you provided a copy of the source code, and you update or modify the source code, you must also provide additional copies to each of them each time the cryptographic functionality of the source code is updated or modified. 

The Linux Foundation suggests a few additional details as best practices:

  • Make publicly available copies of the notices that were delivered to BIS and NSA, in order to increase transparency and visibility of compliance. This also helps with your community of downstream users who may wonder “do they send notices?” You can prevent concerns by making the notices themselves public.
  • Include contact information and, where applicable, the name of the particular legal entity that is responsible for the project.
  • Establish a system to ensure that you maintain evidence, for a medium- to long-term period of time, that the notification emails to BIS and NSA were in fact delivered. Relying solely on an individual’s “Sent” mailbox records may not be preferable if a question arises in the future, or if that individual loses access to that Sent mailbox (e.g. if they change employers).

Additionally, if you are distributing publicly available encryption software in object code form, then you will also want to ensure that it is publicly available in source code form as well.

If it is necessary to distribute encryption software in binary or object code form, then ensure that the corresponding source code is publicly available. The easiest way to do this is to make available the source code for that version of the encryption software yourself, as part of the project’s own code. (In fact, depending on the applicable open source license, this may be necessary or at least useful in complying with that open source license as well!)

In addition to manual review, there are some scanning tools (such as Fossology and exportctl) with varying degrees of ability to scan source code and detect usage of encryption functionality. No automated scanning tool is likely to be a perfect detector of all applicable uses, but these may be helpful in identifying copies of encryption software in a large codebase.


The post Understanding US export controls with open source projects appeared first on The Linux Foundation.

Understanding US export controls on open source projects

Wed, 07/08/2020 - 21:01

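Introduction

One of the greatest strengths of open source development is that it enables collaboration across the entire world. However, because open source development is a global activity, it necessarily involves making software available across national borders. The export control regulations of some countries, such as the United States, may require additional steps to ensure that an open source project meets its obligations under local regulations.

The Linux Foundation recently published a whitepaper detailing how open source communities can address these issues, which can be downloaded here. This article outlines the general principles that open source communities should understand and follow in relation to US export control requirements and open source encryption.

Export controls in the United States and other countries

The Export Administration Regulations (EAR) are the primary regulations by which the US federal government restricts exports. They are published and regularly revised by the Bureau of Industry and Security (BIS) within the US Department of Commerce. The EAR applies to all items “subject to the EAR” and may control the export, re-export, or (in-country) transfer of such items.

The definition of “export” under the EAR is broad. Exports include not only sending physical products from inside the United States to locations abroad, but also other actions, such as releasing technology to someone residing in the United States who is not a US citizen or lawful permanent resident, and making software available for electronic transmission to persons outside the United States.

This may seem to sound an alarm for open source communities, but the good news is that open source technologies published and made publicly available to the world are not subject to the EAR. Open source therefore remains one of the most accessible models for global collaboration.

For the purposes of compliance with the EAR, if open source technology is publicly available without restrictions on its further dissemination, then it is “published” and therefore “not subject to” the EAR.

In addition to the United States, the European Union has similar provisions in its own export control regulations.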

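What kind of open source projects are not subject to the EAR and EU export restrictions?

All of them. Open source software produced by the Linux Foundation and the project communities we work with is published and made available to the public through public channels without any restrictions on dissemination.

The following scenarios (a non-exhaustive list) are not subject to the EAR because “open source” is “published”:

  • Open source software that is published publicly is not subject to the EAR
  • Open source specifications that are published publicly are not subject to the EAR
  • Open source documents describing hardware designs that are published publicly are not subject to the EAR
  • Open source software binaries that are published publicly are not subject to the EAR

However, if a project involves encryption technology, the open source community may need to take some additional steps to meet the EAR’s “published” requirement.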

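Projects that use encryption

The EAR regulates the export of certain encryption software and technology. The definition of “encryption software” is very broad and may include software that merely activates or enables encryption features in other software or hardware products.

However, just as published software is not subject to the EAR, software that uses encryption is not subject to the EAR if it meets the following two conditions: (1) the source code is “publicly available,” and (2) an email notification has been sent to the addresses provided in Section 742.15(b).

To meet the first exemption requirement, “publicly available” refers to the EAR’s definition of “published,” which includes publication (that is, public dissemination) on public sites. Any fully public open source software project that meets this standard should be considered to satisfy the first part of the test: if the project’s source code is openly available on the Internet, it should be considered “publicly available.”

To meet the second part of the test, it is also necessary to send an email to two specified addresses: one at BIS (crypt@bis.doc.gov) and the other at the National Security Agency (NSA) (enc@nsa.gov). The email must include the URL of the publicly available source code (or the source code itself). If the URL or the source code changes, the addresses above must be notified again by email.

Once the publicly available encryption source code satisfies the two parts of the test above, the corresponding object code is likewise not subject to the EAR.

The source code for all Linux Foundation projects, including encryption software, is publicly available, and we have provided the email notices described above. We also make copies of these email notices publicly available on the LF’s website. As a result, the Linux Foundation’s project source code and corresponding object code are not subject to the EAR’s encryption restrictions.

Please note that this applies only to the open source project itself. Where the source code is not publicly available, downstream redistributors of modified project code or of products derived from it still need to evaluate their own compliance with the EAR (just as with any other software they export).

In addition to projects that use encryption, a new regulation was added to the EAR in January 2020 for systems that employ neural network-driven geospatial analysis training. As with other publicly available open source technologies, open source software that is published publicly, even in this category of neural network-driven geospatial analysis training, is not subject to the EAR. Please refer to our full whitepaper for more explanation.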

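Best practices for open source software communities

Although open source projects are not subject to EAR restrictions, we have learned or developed some practices related to export regulations that may be helpful to all open source communities.

We often use the word “open” to describe many things: open source licenses, open and transparent discussions, open communities, and openly available source code stored in public repositories. “Open” may seem an obvious practice for open source communities, but the following are some specific recommendations for communities to consider.

Be open and be public

First, communities should strive to keep their technical conversations open and public. If private technical conversations happen within a community, that is normal, but it is recommended to make community decisions and outcomes public. It is important for our projects to make information available publicly and transparently, because private exchanges of technology or technical information may not meet the EAR’s “publicly available” standard.

One issue that has come up concerns the exchange of information about security issues during a security disclosure process. As a best practice, projects may want to consider making such exchanges public once fixes are available, rather than restricting this information to a confidential disclosure list.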

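Send notifications of encryption to BIS and the NSA

If your open source software project implements or uses encryption functionality covered by ECCN 5D002, then under the EAR’s requirements you will need to send a notification of encryption to BIS and the NSA. The EAR’s specific requirements are as follows:

  • Send an email to crypt@bis.doc.gov and enc@nsa.gov. If your project is an LF project and your notice does not appear on our export control page, please send a notice to legal@linuxfoundation.org.
  • The email should contain either the address of the website with the publicly available encryption source code or the source code itself.
  • If you provided a website address, you must send a notification by email each time the address changes, but you do not need to give notice of updates or changes to the source code itself.
  • If you provided the source code itself, you must provide the latest source code each time the encryption functionality is updated or changed.

The Linux Foundation suggests a few additional details as best practices:

  • Make the notices submitted to BIS and the NSA public, in order to increase transparency and demonstrate compliance. This also helps downstream users who may wonder whether the community sends notices. By making the notices public, you can avoid these concerns.
  • Include contact information and the name of the legal entity responsible for the project.
  • Design a system that retains evidence over the medium to long term that the notification emails to BIS and the NSA were in fact delivered. Relying solely on “Sent” mailbox records is not a good approach if a question arises in the future, or if the individual loses access to that “Sent” mailbox (for example, if the sender changes employers).

In addition, if you are distributing publicly available encryption software in object code form, you also need to ensure that it is publicly available in source code form.

If encryption software must be distributed in binary or object code form, then you must make sure that the corresponding source code is publicly available. The easiest way to do this is to publish the source code for that version of the encryption software yourself, as part of the project’s own source code. (In fact, depending on the applicable open source license, this may also be necessary, or at least useful, for complying with that license!)

In addition to manual review, there are some scanning tools of varying capability (such as Fossology and exportctl) that can scan source code and detect uses of encryption functionality. No automated scanning tool can perfectly detect every use, but these tools may help identify encryption software in a large codebase.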


The post Understanding US export controls on open source projects appeared first on The Linux Foundation.

Understanding Open Source Technology & US Export Controls

Wed, 07/08/2020 - 21:00
Open development enables global collaboration: a guide for companies using and developing open source technology
Author: The Linux Foundation

The post Understanding Open Source Technology & US Export Controls appeared first on The Linux Foundation.

Driving Compatibility with Code and Specifications through Conformance Trademark Programs

Thu, 07/02/2020 - 23:54

A key goal of some open collaboration efforts — whether source code or specification oriented — is to prevent technical ‘drift’ away from a core set of functions or interfaces. Projects seek a means to communicate — and know — that if a downstream product or open source project is held out as compatible with the project’s deliverable, that product or component is, in fact, compatible. Such compatibility strengthens the ecosystem by providing end-users with confidence that data and solutions from one environment can work in another conformant environment with minimal friction. It also provides product and solution providers a stable set of known interfaces they can depend on for their commercially supported offerings. 

A trademark conformance program, which is one supporting program that the LF offers its projects, can be used to encourage conformance with the project’s code base or interfaces. Anyone can use the open source project code however they want — subject to the applicable open source license — but if a downstream solution wants to describe itself as conformant using the project’s conformance trademark, it must meet the project’s definition of “conformant.” Some communities choose to use words other than “conformant” including “certified”, “ready”, or “powered by” in association with commercial uses of the open source codebase. This is the approach that some Linux Foundation projects take to maintain compatibility and reduce fragmentation of code and interfaces. 

Through this approach, we enable our projects to create flexible, custom-tailored conformance programs to meet the needs of their respective communities. In fact, our conformance programs can operate as open source projects themselves (see, for example, https://cncf.io/ck ). They incorporate a balance of interests from vendors, end-users, and contributors to the project and enable the community to define how the commercial ecosystem participants can leverage the use of the community’s mark. 

Products or solutions that meet the requirements of the trademark conformance program can use the conformance program’s trademark. Those that do not meet its requirements cannot. If the project community learns that someone is misusing a conformance program trademark — say using the mark to show compatibility without achieving all of the requirements of the conformance program — the community could work with the LF to take steps to advise them on how they can come into conformance with the program requirements, or discontinue their use of the trademark.

How Can an Open Project Establish a Conformance Trademark Program?

When our projects establish a conformance program, we recommend that they follow these basic steps:

    1. Determine what you want the trademark to signify.

Are you interested in showing compatibility with a core segment of project code or interfaces? Do you want this mark to indicate backward compatibility? Do you want the mark to imply a certain level of ‘rigorousness’ of compatibility? How broad or narrow a focus of compatibility are you interested in (e.g., all of the code base, or a key portion)? Does a “compatible” solution necessarily need to use the underlying open source codebase at all, or just present a compatible interface? 

This question is best addressed by involving interested stakeholders across business, marketing, and technical functions, including discussions to settle on the intended meaning of the mark. Relevant stakeholders will likely include the project developers; downstream vendors who develop products based on the project’s outputs; and potential customers and end-users of those vendors.

A conformance program’s guiding star should be to ensure neutrality and objectivity in the conformance definition’s metrics. In order for an ecosystem to accept that the conformance trademark has relevance, it should be tied to a specific, articulated definition of what it does and doesn’t include. If the definition of conformance includes aspects of subjective evaluations by the project members, the result may be a perception that non-technical considerations such as favoritism were used as factors — and that the mark is not a reliable indicator of technical functionality. Objective criteria that are applied neutrally can help to avoid such a perception. In addition, the process by which the mark or requirements are defined should be specified and made known.

    2. Decide upon the specific requirements of conformance.

Once you have identified what you want the trademark to signify, you can craft a specific set of requirements necessary for a product to be able to use the conformance trademark. These requirements should also be developed within the community, and the development of these requirements is often closely tied to the work in item 1 above.

Additional questions to consider are:

      • How long can a product or solution provider claim compatibility, and against what version(s) of the open source project? How many future versions will that conformance be valid for?
      • Will the community create a test suite to provide an objective “pass / fail” determination for compatibility, or rely on more subjective considerations? (ideally, the answer should be the former)
      • What triggers a requirement for a vendor to re-test and confirm that their solution remains conformant — every time a change is made, or after a set period of time, or only if/when complaints are received from the community, or something else?
    3. Determine how products and solutions will be qualified as meeting the requirements of the conformance program.

There are many approaches that our projects take with respect to qualifying products or solutions, and they range in expense from none/nominal to significant. A common approach is to publish the requirements and allow self-certification with the requirements via a registration page. The project would then publish a current list of all registrants so that end-users could — by way of the project’s web site — know that a particular vendor had self-certified their product as meeting the requirements. Depending on the nature of the project and the conformant vendors’ solutions, end-users themselves might be able to run the same set of self-tests on the solutions, to confirm compatibility for themselves. In some cases, end users may use the same tests to keep their internal teams conformant in their internal deployments. Tooling costs are also a consideration for projects in setting up automated testing systems.

Another approach is to engage with third-party test labs that will test whether submitted products or solutions, in fact, meet the conformance program requirements. This model may also be set up by publishing criteria or requirements that a test lab can follow to offer conformance program testing.

As you can imagine, the expense involved in contracting with third-party test labs can be significant. Many of our communities choose to lower barriers to entry for the ecosystem and keeping costs low is often a priority.

    1. Publish the requirements and begin operating the trademark conformance program.

Maintain the program’s requirements in a highly visible manner, and begin accepting registration applications! Keep a list of certified solutions on the project’s website or code repository.

In fact, the development and administration of the conformance program itself can even be run as an open source project (see: https://github.com/cncf/k8s-conformance). 

Keep in mind that these programs will need to be maintained as well, especially as the project evolves and makes significant changes to its modules and interfaces. We often treat these conformance programs as their own open source collaborations that evolve with the project.

Example Programs Employed by Projects Supported by the Linux Foundation

A number of our projects have trademark conformance programs. These include:

1. Certified Kubernetes®

The Certified Kubernetes program is run by the Cloud Native Computing Foundation (CNCF) and is intended to ensure that open source code and vendor products based on Kubernetes support the core APIs that make up Kubernetes. Vendors that are interested in using the Certified Kubernetes mark are required to submit conformance testing results to CNCF for review and approval. Additional information on the program can be found here: https://www.cncf.io/certification/software-conformance/.

2. ODPi Egeria Conformant

The ODPi Egeria Conformance program is intended to ensure both consistency and alignment with the interfaces developed by the ODPi Egeria project. The participation form and the terms and conditions of the program can be found here: https://www.odpi.org/projects/egeria/conformance.

3. OPNFV Verification Program (OVP)

Created through collaboration between OPNFV and ONAP, two projects within LF Networking, OVP focuses on compliance, validation, performance, and interoperability testing for commercial NFVI (cloud platform infrastructure) implementations and VNFs (telco cloud applications). This conformance program is used to indicate that an OVP-branded product or solution:

      • Supports key behaviors, functions, and related APIs and packaging requirements of the OPNFV and ONAP release
      • Implements defined NFV functions
      • Supports end-to-end life cycle management interoperability among an NFVI/VIM built on the conformant products, applications designed to run on that infrastructure, and ONAP
      • Is a good candidate for internal testing by the operator in their own specific environment

Products or solutions that meet these requirements are then able to use the OPNFV Verified™ brand under the appropriate usage guidelines. The program supports both self-certification by vendors and testing via approved third-party labs. Detailed information on OVP can be found here: https://www.lfnetworking.org/ovp/

4. Powered by OpenDaylight®

OpenDaylight is one of the technical code projects within our LF Networking umbrella which has a “Powered by OpenDaylight” conformance trademark program. Products using the mark are required to implement certain core sections of the open source code with the current release of OpenDaylight or the prior two releases. A FAQ on the program can be found here: https://www.opendaylight.org/ecosystem-solutions/for-solution-providers/powered-by-faq-page 

The registration page for a company interested in applying to use the “Powered by…” trademark can be found here: https://www.opendaylight.org/ecosystem-solutions/for-solution-providers/powered-by-reg-form 


FinOps Will Drive Efficiency for DevOps

Thu, 07/02/2020 - 05:33

FinOps Foundation to Become Linux Foundation Effort

DevOps in the cloud has broken traditional procurement, which is now outsourced to engineers. Engineers spend company money at will and make financial decisions on cloud providers like AWS, GCP and Azure at rapid speed with little time to consider cost efficiency. Finance teams struggle to understand what is being spent on the cloud. Leadership doesn’t have enough input into how much will be spent or ability to influence priorities. Enter the concept of FinOps, and the need for a community of practitioners to advance best practices beyond vendor tooling, whose aim is to increase the business value of cloud by bringing together technology, business and finance professionals with a new set of processes.

That’s why we’re so excited to announce our intent to host the FinOps Foundation with the Linux Foundation to advance the discipline of Cloud Financial Management through best practices, education and standards. The FinOps Foundation focuses on codifying and promoting cloud financial management best practices and standards to help the community. It currently includes 1,500 individual members representing more than 500 companies and $1B in revenue. They include Atlassian, Autodesk, Bill.com, HERE Technologies, Just Eat, Nationwide, Neustar, Nike, and Spotify among founding charter members.

Also part of today’s announcement is a new edX course, Intro to FinOps, which will give anyone interested in this area a primer on what it is and how to advance their career by becoming an expert in this emerging and critical discipline.

As the cloud native movement continues within organizations, understanding how to optimize the cloud infrastructure footprint through cultural change and engineering practices is critical. Technology and business leaders are seeking support for understanding how to manage cloud technologies and spending across their enterprises. The FinOps Foundation brings to bear the resources required to enable innovation inside the organization and will work together to define cloud financial management standards and advance the ubiquity of this discipline across industries.

The FinOps Foundation has grown significantly since its inception back in February 2019. We expect to support this burgeoning community and further accelerate growth and engagement. We invite you to get involved in this effort, no matter your role inside your company. As with any emerging discipline, the earlier you get involved, the better for your career.


The Linux Foundation Brings Together IT and Finance Teams to Advance Cloud Financial Management and Education

Mon, 06/29/2020 - 22:30

FinOps Foundation is becoming a Linux Foundation effort to increase education and best practices for emerging FinOps discipline; new edX course provides foundation for education and community growth

San Francisco, Calif., June 29, 2020 – The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced the intent to host the FinOps Foundation to advance the discipline of FinOps through best practices, education, and standards.

The FinOps Foundation includes 1,500 individual members across the globe, representing more than 500 companies with more than $1 billion in revenue each. In the same way that DevOps revolutionized development by breaking down silos and increasing agility, FinOps increases the business value of cloud by bringing together technology, business and finance professionals with a new cultural set, knowledge skills and technical processes. Companies represented among membership include Atlassian, Autodesk, Bill.com, HERE Technologies, LiveRamp, Just Eat, Nationwide, Neustar, Nike, and Spotify, among others. To become a member and contribute to this work, please visit: https://www.finops.org/

“Where there is technology disruption, there is opportunity for business transformation. FinOps is exactly this and represents a shift in operations strategy, process, and culture,” said Mike Dolan, vice president and general manager, Linux Foundation Projects. “This type of disruption and transformation is also where community and industry-wide collaboration play critical roles in enabling a whole new market opportunity. We’re pleased to be the place where that work can happen.”

The FinOps community is defining cloud financial management standards and is increasing access to education and certification for this discipline across industries. As part of this effort, the Linux Foundation is announcing a new, free edX course, Introduction to FinOps, to advance education and knowledge in this emerging area and to cultivate a growing community of professionals. This introductory course will cover the basics of FinOps and how it can positively impact an organization by building a culture of accountability around cloud use that helps companies make good, timely, data-backed decisions in the cloud. The course is open for enrollment now, and content will be available to begin on the edX platform July 21.

The FinOps Foundation is offering the FinOps Certified Practitioner Exam (FOCP) through the Linux Foundation, and more training and certification programs are expected later this year. Follow @LF_Training on Twitter or watch https://training.linuxfoundation.org for more information and updates.

“Technology and business leaders are seeking support for understanding how to manage cloud technologies and spending across their enterprises and the FinOps Foundation brings to bear the resources required to enable them to innovate inside their companies,” said J.R. Storment, executive director of the FinOps Foundation. “With the Linux Foundation’s support, especially across its world-class training organization, we can serve this growing community.”

FinOps is the operating model for the cloud, which is resulting in a shift that combines systems, best practices, and culture to increase an organization’s ability to understand cloud costs and make informed business decisions. FinOps ensures that companies get the most value from every dollar spent in the cloud. It pushes accountability for spending to the edge where developers control purchasing decisions, and provides a new set of centralized processes to maximize efficiency of purchases and the ability to allocate spending to teams.

Cloud spending is forecast to exceed $360B by 2022, according to research firm Gartner, but finance teams have very little insight into where that spend is being allocated within their organizations. The result is uncontrolled costs that aren’t properly forecast or documented along with lack of standardized tooling, which can lead to major losses or errors in critical accounting practices. Procurement of IT infrastructure has moved from taking days or weeks to seconds or minutes, which has dramatically accelerated application development but dramatically decreased efficiencies in financial operations.

“As the cloud native movement deepens inside organizations large and small, understanding how to optimize the infrastructure footprint through cultural change and engineering practices is critical,” said Chris Aniszczyk, CTO, Cloud Native Computing Foundation (CNCF). “CNCF welcomes the FinOps Foundation to the Linux Foundation and we look forward to collaborating across communities to improve cloud financial management for all.”

Supporting Quotes

Atlassian

“The FinOps Foundation has helped us validate and grow our cloud financial management practices. Having the FinOps Foundation join the Linux Foundation is a great opportunity to see this community continue to develop FinOps practices from which we all benefit,” said Simon Beckett, team lead, Atlassian Cloud FinOps.

Nationwide

“As enterprises leverage public cloud providers, speed of development is increasing and also a risk of out of control costs.  FinOps provides a framework that brings together IT, Finance and Procurement teams and gives them a common language and processes that helps keep costs under control and keeps the focus on delivering business value. My team and I have connected with peers in the industry to get their insights and perspectives on common problems and to see what is coming next.  In addition there are opportunities for training and certification to take advantage of,” said Joseph Daly, director of cloud optimization, Nationwide.

Pearson

“Pearson joined the FinOps Foundation in Feb 2019 as we launched our global team internally. Since then we have leveraged resources from the F2 membership calls, networked within Slack with other practitioners and been able to present back to the share many of our lessons learned along this journey. Being an education company it’s critical we are always learning. Early 2020, Pearson was able to do a private workshop with the foundation where all 8 of our team members attended the 8 hour workshop and successfully received certification. We immediately leveraged discussions in the workshop and started building our 2020 roadmap. We began mapping our milestones to the F2 principles and using the “crawl, walk, run” approach. The FinOps Foundation has personally helped me connect with many other practitioners that are very mature in Cloud Financial Management process and allowed me to bring best practices and automation ideas back to Pearson to implement,” said Ashley Hromatko, senior cloud FinOps manager, Pearson.

About the FinOps Foundation

The FinOps Foundation (F2) is a nonprofit trade association made up of FinOps practitioners around the world. Grounded in real world stories, expertise and inspiration for and by FinOps practitioners, the F2 is focused on codifying and promoting cloud financial management best practices and standards to help community members and their teams become better at cloud financial management. For more information or to join, please visit: https://www.finops.org/

About the Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 1,500 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Media Contact
Jennifer Cloer
reTHINKit Media
503-867-2304
jennifer@rethinkitmedia.com


SODA Foundation Gains New Investments, Expands Charter to Address Increasing Need for Data Autonomy

Mon, 06/29/2020 - 22:30
  • China Unicom, Fujitsu, Huawei, NTT Communications and Toyota Motor Corporation lead list of participants advancing open source software and standards for data mobility and autonomy
  • China Unicom contributes its S3-compatible object storage YIG project
  • Foundation releases Faroe, the 1.0 version of its Open Data Framework software for cloud native and more

SAN FRANCISCO, Calif., June 29, 2020 – The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced the SODA Foundation, previously OpenSDS, is expanding to include both open source software and standards to support the increasing need for data autonomy. SODA Foundation hosts an open source, unified and autonomous data management framework for data mobility from edge to core to cloud.

 

Premiere members include China Unicom, Fujitsu, Huawei, NTT Communications and Toyota Motor Corporation. Other members include China Construction Bank Fintech, Click2Cloud, GMO Pepabo, IIJ, MayaData, LinBit, Scality, Sony, Wipro and Yahoo Japan.

 

As part of the expansion, China Unicom is contributing its S3-compatible object storage YIG project to the SODA Foundation. YIG is the first in a line of projects that are joining the Foundation through the SODA Incubator program designed to foster an ecosystem of data and storage projects by supporting their growth through community outreach, collaboration and adoption.

 

The SODA Foundation today is also announcing the release of Faroe, the 1.0 version of its Open Data Framework software for cloud native and more. With support for block, file, and object storage, multi cloud data control, telemetry and resource management across heterogeneous storage, Faroe eliminates data silos, delivers integrated data management and enables seamless data mobility between on-premise and multicloud. Faroe also includes Container Storage Interface (CSI) storage plug-and-play as an experimental feature that simplifies Kubernetes storage management by abstracting CSI storage with SODA.

 

“Providing a neutral forum where both vendors and end users can contribute to building and integrating data management solutions for mobility and autonomy is our goal,” said Steven Tan, chairman, SODA Foundation and VP & CTO of Cloud Solution at Futurewei. “These new investments and our expanding scope will help us support a growing community of open source data professionals who are pushing the envelope on these technologies.”

As data moves between the cloud, on premise and, increasingly, the Edge, data management is becoming more complex. And the increasing number of technologies supporting data management has created even more difficulty, including unintentional silos for data storage. During a time when data mobility and autonomy is more important than ever, it’s critical that we simplify management, unify storage pools and provide a vendor neutral forum and platform that can accelerate innovation for end users. SODA Foundation seeks to reduce silos by integrating efforts across platforms for overall data mobility and autonomy.

“With data privacy and treatment at the top of every company’s priority list, the SODA Foundation serves an important role across industries,” said Mike Dolan, senior vice president and GM of projects at the Linux Foundation. “With new membership commitments, from vendors and end users alike, and an expanded scope to integrate software and standards, we believe this community will have an incredible impact in the coming months and years.”

For more information about the SODA Foundation, please visit: https://sodafoundation.io/

Member Statements

China Construction Bank Fintech
“CCB Fintech is a financial technology subsidiary of China Construction Bank. We are always interested in the open source community contribution and it’s our honor to join SODA. Glad to see its breakthroughs in multi-cloud environments and heterogeneous storage management. We will work with SODA to solve the container storage management challenges in cloud-native scenarios from now on. Hope to see more pioneers of the financial industry join SODA and join us to improve the innovation and development of open source technology in the global financial area,” said CCB Fintech Technology Platform Department General Manager Zhan Shu.

China Unicom
“It’s a great honor for China Unicom Wo Cloud to join the SODA community. We think the openness of the SODA project is great. In fact, we have been very active in this project in the previous year. We contributed the core code of our object storage project named YIG to the community. On Wo Cloud Summit 2019, we have witnessed the launch of SODA in China with many other partners. In the future, we will bring more friends into this community and make more innovations together,” said Zhong Xin, CTO, China Unicom Wo Cloud.

Fujitsu
“FUJITSU LIMITED has been supporting society as an IT company. Over the years, we have been providing comprehensive storage solutions. Now, as we are transforming into a DX company, we are looking to support our customers to transform their business model and to help them to create new businesses by modernizing systems and leveraging cloud native technologies. SODA is a powerful solution for simplifying storage management that has been very complex for many years, and enabling ties to the cloud. FUJITSU believes that SODA will accelerate the accomplishment of its mission and has been contributing to the ecosystem since OpenSDS, the direct predecessor of SODA,” said Shinya Hamano, manager, development department, infrastructure software division, Fujitsu.

IBM
“Managing the data coming from heterogeneous sources and formats is an interesting problem along with the regulatory requirements. SODA foundation attempts to address these challenges in an open manner which would help companies build reliable AI enabled solutions,” said Rakesh Jain, SODA Foundation board member and Researcher & Architect at IBM Corporation.

NTT Communications
“Storage silos in our services make a barrier among customers and the services. The barriers like individual storage software/API have hindered not only us from managing our services, but also customers from utilizing their data across the services. We’re expecting SODA to help service providers and customers overcome the barrier by using an open data management platform,” said Kei Kusunoki, Storage Architect, Innovation Center, NTT Communications.

Scality
“Scality supports SODA Foundation because we share the belief that data proliferation has a huge impact on data management challenges. Organizations are increasingly leveraging the benefits of hybrid cloud, which brings new challenges that demand proven solutions to store, govern and orchestrate massive volumes of data across geographies and clouds. We believe that collaborating with the open source community is vitally important as the velocity of change demands faster, better delivery of solutions,” said Paul Speciale, Chief Product Officer, Scality.

Sony
“As a cold data archive system provider, we are excited about joining the SODA. We have just released the third generation of Optical Disc Archive, and we believe that integrating it into the SODA system will provide more diverse and rich value to this community and its customers. We are looking forward to collaborating with other SODA members to create a full data lifecycle management platform in the aim of solving data/storage management challenges,” said Mikio Kita, VP, Sony Corporation, Senior General Manager of Media Solution Business Div. Sony Imaging Products & Solutions Inc.

Toyota Motor Corporation
“Connected vehicles on a street would generate significant volume of data, and they are widely spread in many locations. Managing those data and data storage is going to be a key challenge for us to get a variety of benefits from those data,” said Kenichi Murata, Project General Manager of Connected Strategy, Toyota Motor Corporation. “We expect that SODA Foundation would be the best place to seek the solution of our future issues, and we would be happy to collaborate in the Foundation with many people who have the same issues.”

Wipro
“Wipro is proud of its association with the SODA foundation. Our passion for latest technology, and access to a diverse ecosystem to deliver value to our customers has been the foundation for Wipro’s EngineeringNXT offerings. Driven by our deep domain expertise in Data management and storage across industries, Wipro understands and supports the need for open standards in data management for advanced storage solutions. Being part of the SODA foundation will not only enable us to innovate in this space and deliver cloud-and-vendor agnostic solutions for hybrid cloud data management, but also give us a platform to connect and collaborate with like-minded members for thought leadership and industry best practices,” said Supriyo Das, Vice President, Industrial & Engineering Services (I&ES).

Yahoo Japan
“As our services continue to grow, data is getting bigger day by day. We are facing the challenge of managing storage systems more efficiently. We strongly endorse the purpose of SODA to provide a standardized API between multiple storage backends and multiple cloud systems. We believe that SODA can help reduce storage complexity,” said Yusuke Sato, Storage Architect, Yahoo! JAPAN.

About the Linux Foundation
Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more.  The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.


SPDX Specification Becomes the Second ISO/IEC JTC 1 Submission From JDF

Mon, 06/29/2020 - 22:30

Last month, the Joint Development Foundation (JDF), which became part of the Linux Foundation family in 2019, was recognized as an ISO/IEC JTC 1 PAS (“Publicly Available Specification”) submitter. With that recognition, Linux Foundation can put forward specifications to JTC 1 for national body approval and international recognition. Once JTC 1 approves a PAS submission, it becomes an international standard. Also in May, the JDF announced that The OpenChain Specification was the first specification submitted for JTC 1 review for recognition as an international standard.

The Linux Foundation today announced that the latest SPDX release (version 2.2) is the second specification to be submitted through the JDF to ISO/IEC JTC 1 for approval. In brief, the Software Package Data Exchange (SPDX) is an open standard for communicating software bill of materials information, including components, licenses, copyrights, and security references. SPDX reduces redundant work by providing a common format for companies and communities to share important data, thereby streamlining and improving compliance. The first version of the SPDX specification was released 10 years ago, and it has continued to improve and evolve to support the automation of more software bill of materials information over the years.

SPDX serves to verify the accuracy of software bill of materials metadata, which is important from both a security and a compliance standpoint. Consider that there are millions of open source software projects (34m open repositories are on GitHub alone), making it hard to know which are most critical, who created them, and what their security vulnerabilities are. SPDX plays an important role in building more trust and transparency in how software is created, distributed and consumed. While many consider SPDX a de facto standard already, JTC 1 certification will encourage accelerated adoption and acceptance on a global scale.

“The SPDX specification has played a vital role over the last 10 years in enabling open source adoption and establishing a foundation for automating compliance,” said Jim Zemlin. “Through the submission to the ISO/IEC JTC 1 by JDF, we are hopeful that it can become an accepted international standard that addresses how open source metadata information is shared, while reducing the risks and costs of compliance for organizations.”


Accelerating Open Standards development with Community Specifications

Mon, 06/29/2020 - 21:00
Introduction

In an earlier post back in May, the Linux Foundation and Joint Development Foundation (JDF) announced its ability to propose international standards by being recognized as an ISO/IEC JTC1 PAS submitter and that it had submitted its first standard, OpenChain, for international review. We also discussed why Open Standards were essential to the Linux Foundation’s efforts, just as Open Source projects are.

Today, we’re announcing a new way for communities to create Open Standards. We call it the Community Specification, and it allows communities to develop standards and specifications using the tools and approaches that are inspired and proven by open source developers. It’s standards development explicitly designed for Git-based workflows. The Community Specification brings the frictionless approach of open source collaborations to standards development.

It’s flexible, enabling small and large standards collaborations. And it’s built for growth. When or if the time is right, Community Specification projects can move to the Joint Development Foundation or another standards body. From there, the Joint Development Foundation can provide a path to international standardization.

Standards play a role in everyone’s life. Think about the things you touch every day, as simple as a power plug, the USB connector on your phone or laptop, or the WiFi that you use in your business and your home to connect your mobile devices wirelessly. All of these devices need to be able to interoperate with each other. 

Open Standards are best defined as specifications made available to the public, developed, and maintained via an inclusive, collaborative, transparent, and consensus-driven process. Open standards facilitate interoperability and data exchange among different products or services and are intended for widespread adoption.

Setting up a well-formed standards project is important. Items like due process, balance, inclusiveness, and intellectual property clarity are vital to developing technology that meets the needs of the broader community and can be implemented without intellectual property surprises.

The Community Specification builds on these best practices and brings them to the Git repository development environments that developers are already using. And it makes it easy to get started. You can start using the Community Specification by bringing its terms into your repository and getting to work — just like starting an open source project. 

Lowering the costs and reducing the level of effort of creating specifications

Starting a new standards effort is traditionally a time consuming and expensive project. It takes time, money, and effort — from negotiating multi-party agreements to dealing with the legal and corporate formalities to obtaining professional support.

The Joint Development Foundation created a much-streamlined alternative to setting up a traditional standards-setting activity. We created a standardized set of formation documents and procedures that allow the collaborators to choose from a predefined set of licensing terms. 

JDF took this expensive multi-month process and replaced it with a “check-the-box” approach that has already enabled over 13 communities like Open Manufacturing Platform, GraphQL, and Trust Over IP to get up and running quickly, allowing these communities to create technologies with worldwide impact.

For these projects, the JDF shortened the process of creating a new standards project from many months to as quickly as a few days and removed much of the ongoing legal overhead of creating a new non-profit company to host the project.  

And while JDF has streamlined the creation of new standards organizations by providing a “standards organization in a box,” sometimes an even lighter-weight approach is desired. Today, the JDF is pleased to announce its latest innovation, the Community Specification.  

The Community Specification is the next step in reducing the friction of standards development.  By incorporating the Community Specification materials into a Git-based repository, communities can now start a standards development effort as quickly as an open source project, using proven standards-based best practices for governance and intellectual property. And it’s free. The Community Specification provides a “standards-organization-in-a-repo.” All you have to do is clone or copy the Community Specifications repository, fill in a few details, and get started.

JDF takes its inspiration from the developer community. We know the ultimate consumer of a specification is the implementer, and implementers are by and large developers. So it is no accident that the Community Specification relies on Git-based repositories like GitHub and GitLab as its platform for creating new standards. 

The tools that are natively available for managing contributions in a Git-based repository via an open and inclusive process are based on best practices from standards and open source development models. To make this process attractive to developers, we have adopted a single set of agreements for technical contributions, source code, governance, code of conduct, patents, and copyright. 

The Community Specification will allow communities to employ a fast and easy way to start a specification development process using software development-style tools and workflows that they already know. 

Conclusion

The new Community Specification process allows contributors to start a specification collaboration with a simple set of licenses and procedures at no cost. The Community Specification is efficient and runs using tools and approaches that lower the administrative burden on the organizers and ensure contribution integrity. The project can run as a repository-based collaboration or as a legal entity under JDF, depending on the project’s needs.

From this starting point, the collaborative can move seamlessly into a more structured JDF project that allows the project to scale up the support services to allow for broader member participation, collections of membership dues, test events, and marketing services. As part of the Joint Development ecosystem, the projects may also enjoy the benefits of being part of the world’s largest developer ecosystem at the Linux Foundation.  

In the ultimate expression of a standard’s success, the project may apply to submit the specification to JTC1/ISO/IEC through the JDF PAS submitter program, which allows the specification to reach national standards bodies worldwide.  

The Community Specification can dramatically reduce the time developers spend on building and meeting spec requirements and ensure important work is not lost and time is not wasted. By democratizing the specification build process, developers have more time to innovate and build the technologies that differentiate their work from others. 

We invite interested projects and people with great ideas who want to benefit from an organized collaboration platform to reach out to the Joint Development Foundation.

Access Community Specifications

The post Accelerating Open Standards development with Community Specifications appeared first on The Linux Foundation.

Linux Foundation interview with NASA Astronaut Christina Koch

Sat, 06/27/2020 - 00:00

Jason Perlow, Editorial Director at the Linux Foundation, had a chance to speak with NASA astronaut Christina Koch. This year, she completed a record-breaking 328 days at the International Space Station for the longest single spaceflight by a woman and participated in the first all-female spacewalk with fellow NASA astronaut Jessica Meir. Christina gave a keynote at the OpenJS Foundation’s flagship event, OpenJS World, on June 24, 2020, where she shared more on how open source JavaScript and web technologies are being used in space. This post can also be found on the OpenJS Foundation blog.

JP: You spent nearly a year in space on the ISS, and you dealt with isolation from your friends and family, having spent time only with your crewmates. It’s been about three months for most of us isolating at home because of the COVID-19 pandemic. We haven’t been trained to deal with these types of things — regular folks like us don’t usually live in arctic habitats or space stations. What is your advice for people dealing with these quarantine-type situations for such long periods? 

CK: Well, I can sympathize, and it can be a difficult challenge even for astronauts, and it can be hard to work through and come up with strategies for. For me, the #1 thing was making sure I was in charge of the framework I used to view the situation. I flipped it around and instead of thinking about all the things I was missing out on and the things that I didn’t have available to me, I tried to focus on the unique things that I did have, that I would never have again, that I would miss one day.

So every time I heard that thought in my head, that “I just wish I could…” whatever, I would immediately replace it with “this one thing I am experiencing I will never have again, and it is unique”. 

So the advice I have offered since the very beginning of the stay at home situation has been finding that thing about our current situation that you truly love that you’ll know you will miss. Recognize what you know is unique about this era, whether it is big, or small — whether it is philosophical or just a little part of your day — and just continually focus on that. The biggest challenge is we don’t know when this is going to be over, so we can quickly get into a mindset where we are continually replaying into our heads “when is this going to be over? I just want to <blank>” and we can get ourselves into a hole. If you are in charge of the narrative, and then flip it, that can really help.

I have to say that we are all experiencing quarantine fatigue. Even when it may have been fun and unique in the beginning — obviously, nobody wanted to be here, and nobody hopes we are in this situation going forward, but there are ways we can deal with it and find the silver lining. Right now, the challenge is staying vigilant, some of us have discovered those strategies that work, but some of us are just tired of working at them, continually having to be our best selves and bringing it every day. 

So you need to recommit to those strategies, but sometimes you need to switch it up — halfway through my mission, I changed every bit of external media that was available to me. We have folks that will uplink our favorite TV shows, podcasts, books and magazines, and other entertainment sources. I got rid of everything I had been watching and listening to and started fresh with a new palette. It kind of rejuvenated me and reminded me that there were new things I could feast my mind on and unique sensory experiences I could have. Maybe that is something you can do to keep it fresh and recommit to those strategies. 

JP: I am stuck at home here, in Florida, with my wife. When you were up in the ISS, you were alone, with just a couple of your crewmates. Were you always professional and never fought with each other, or did you occasionally have spats about little things?

CK: Oh my goodness, there were always little spats that could affect our productivity if we allowed it. I can relate on so many levels. Being on the ISS for eleven months, with a lot of the same people in a row, not only working side-by-side but also socializing on the weekends, and during meals at the end of the day. I can relate because my husband and I were apart for almost two years if you take into account my training in Russia, and then my flight. Of course, now, we are together 24 hours a day, and we are both fortunate enough that we can work from home. 

It is a tough situation, but at NASA, we all draw from a skill set called Expeditionary Behavior. It’s a fancy phrase to help us identify and avoid conflict situations and get out of those situations if we find ourselves in them. Those are things like communication — which I know we should all be doing our best at, as well as group living. But other things NASA brought up in our training are self-care, team care, leadership, and particularly, followership. Often, we talk about leadership as an essential quality, but we forget that followership and supporting a leader are also very important. That is important in any relationship, whether it is a family, a marriage, helping the other people on your team, even if it is an idea that they are carrying through that is for the betterment of the whole community or something like that. The self-care and team care are really about recognizing when people on your team or in your household may need support, knowing when you need that support, and being OK with asking for it and being clear about what needs you may have.

A common thread among all those lines is supporting each other. One way, in my opinion, the easiest way to get yourself out of feeling sorry for whatever situation you might be in is to think about the situation everyone else is in and what they might need. Asking someone else, “Hey, how are you doing today, what can I do for you?” is another way to switch that focus. It helped me on my mission, and it is helping me at home in quarantine and recognizing that it is not always easy. If you are finding that you have to try hard and dig deep to use some of these strategies, you are not alone — that is what it takes right now. But you can do it, and you can get through it.

JP: I have heard that being in the Arctic is not unlike being on another planet. How did that experience help you prepare for being in space, and potentially places such as the moon or even Mars?

CK: I do think it is similar in a lot of ways. One, because of the landscape. It’s completely barren, very stark, and it is inhospitable. It gives us this environment to live where we have to remember that we are vulnerable, and we have to find ways to remain productive and not be preoccupied with that notion when doing our work. Just like on the space station, you can feel quite at home, wearing your polo shirt and Velcro pants, going about your day, and not recognizing that right outside that shell that you are in is the vacuum of space, and at any second, things could take a turn for the worse. 

In Antarctica and some of the Arctic areas that were very isolated, should you have a medical emergency, it can often be harder to evacuate or work on a person in those situations than even working on the ISS. At the ISS, you can undock and get back to Earth in a matter of hours. At the South Pole, weather conditions could prevent you from getting a medevac for weeks. In both situations, you have to develop strategies not to be preoccupied with the environmental concerns but still be vigilant to respond to them should something happen. That was something I took away from that experience — ways to not think about that too much and to rely on your training should those situations arise. And then, of course, all the other things that living in isolation gives us.

The one thing that I found in that realm is something called sensory underload. And this is what your mind goes through when you see all the same people and faces, you keep staring at the same walls, you’ve tasted all the same food, and you’ve smelled all the same smells for so long. Your brain hasn’t been able to process something new for so long that it affects how we think and how we go about the world. In these situations, we might have to foster new sensory inputs and new situations and new things to process. NASA is looking into a lot of those things like reality augmentation for long-duration spaceflight, but in situations like the Arctic and Antarctic, even bringing in a care package, just to have new things in your environment can be so important when you are experiencing sensory underload. 

JP: The younger people reading this interview might be interested in becoming an astronaut someday. What should the current, or next generation — the Gen Y’s, the Gen Z’s — be thinking about doing today — to pursue a career as an astronaut? 

CK: I cannot wait to see what that generation does. Already they have been so impressive and so creative. The advice I have is to follow your passions. But in particular, what that means is to take that path that allows you to be your best self and contribute in the maximum possible way. The story I like to tell is that when I was in high school, I was a true space geek, and I went to space camp, and there we learned all the things you need to do to become an astronaut. 

There was a class on it, and they had a whiteboard with a checklist of what you should do — so everyone around me who wanted to be an astronaut was just scribbling this stuff down. And at that moment, I realized if I were ever to become an astronaut, I would want it to be because I pursued the things that I was naturally drawn to and passionate about, and hopefully, naturally good at. If one day that shaped me into someone who could contribute as an astronaut, only then would I become truly worthy of becoming one. So I waited until I felt I could make that case to apply to become an astronaut, and it led me to this role of focusing on the idea of contributing. 

The good news about following a path like that is even if you don’t end up achieving the exact dream that you may have, whether that’s to become an astronaut or something else that may be very difficult to achieve, you’ve done what you’ve loved along the way, which guarantees that you will be successful and fulfilled. And that is the goal. Eyes on the prize, but make sure you are following the path that is right for you.

JP: Some feel that human-crewed spaceflight is an expensive endeavor when we have extremely pressing issues to deal with on Earth — climate change, the population explosion, feeding the planet, and recent problems such as the Coronavirus. What can we learn from space exploration that could potentially solve these issues at home on terra firma?

CK: It is a huge concern, in terms of resource allocation, so many things that are important also warrant our attention. And I think that your question, what can we learn from space exploration, is so important and there are countless examples — the Coronavirus, to start. NASA is studying how the immune system functions at a fundamental level for humans by the changes that occur in a microgravity environment. We’re studying climate change — numerous explorations, on the space station and other areas of NASA. Exploration is enabled by discovery and by technological advances. Where those take us, we can’t even determine. The camera in your smartphone or in your tablet was enabled by NASA technology. 

There are countless practical examples, but to me, the real answer is bigger than all of that — and what it can show us is what can be accomplished when we work together on a common goal and a shared purpose. There are examples of us overcoming things on a global scale in the past that seemed insurmountable at the beginning, such as battling the hole in the ozone layer. When that first came out, we had to study it, we had to come up with mitigation strategies, and they had to be adopted by the world, even when people were pointing out the potential economic drawbacks to dealing with it. 

But the problem was more significant than that, and we all got together, and we solved it. So looking towards what we can do when we work together with a unified purpose is really what NASA does for us on an even bigger scale. We talk about how exploration and looking into space is uplifting — I consider it to be uplifting for all across the spectrum. There are so many ways we can uplift people from all backgrounds. We can provide them with the tools to have what they need to reach their full potential, but then what? What is across that goal line? It is bigger things that inspire them to be their best, and that is how NASA can be uplifting for everyone, in achieving the big goals.

JP: So recently, NASA resumed human-crewed spaceflight using a commercial launch vehicle, the SpaceX Crew Dragon capsule. Do you feel that the commercialization of space is inevitable? Is the heavy lifting of the future going to come from commercial platforms such as SpaceX, Boeing, et cetera for the foreseeable future? And is the astronaut program always going to be a government-sponsored entity, or will we see private astronauts? And what other opportunities do you see in the private sector for startups to partner with NASA?

CK: For sure. I think that we are already seeing that the commercial aspect is playing out now, and it’s entirely a positive thing for me. You asked about private astronauts — there are already private astronauts training with a company, doing it at NASA through a partnership, and having a contract to fly on a SpaceX vehicle to the ISS through some new ways we are commercializing Low Earth Orbit. That’s already happening, and everyone I know is excited about it. I think anyone with curiosity, anyone who can carry dreams and hopes into space, and bring something back to Earth is welcome in the program.

I think that the model that NASA has been using for the last ten years to bring in commercial entities is ideal. We are looking to the next deeper set, going back to the moon, and then applying those technologies to go on to Mars. At the same time, we sort of foster and turn over the things we’ve already explored, such as Low Earth Orbit and bringing astronauts to and from the space station to foster a commercial space industry. To me, that strategy is perfect; a government organization can conduct that work that may not have that private motivation or the commercial incentives. Once it is incubated, then it is passed on, and that is when you see the commercial startups coming. 

The future is bright for commercialization in space, and I think that bringing in innovation that can happen when you pass off something to an entirely new set of designers is one of the most exciting aspects of this. One of the neat examples of that is SpaceX and their spacesuits — I heard that they did not consult with who we at NASA use as our spacesuit experts that have worked with us in the past. I think that is probably because they did not want to be biased by legacy hardware and legacy ways of doing things. They wanted to re-invent it from the start, to ensure that every aspect was re-thought and reengineered and done in a potentially new way. When you’ve been owners of that legacy hardware that’s difficult to do — especially in such a risky field and in a place where something tried and true has such a great magnetic draw. So, to break through the innovation barrier, bringing commercial partners onboard is so exciting and important.

JP: Let’s get to the Linux Foundation’s core audience here, developers. You were an engineer, and you used to program. What do you think the role of developers is in space exploration?

CK: Well, it cannot be understated. When I was in the space industry before becoming an astronaut, I was a developer of instrumentation for space probes. I built the little science gadgets and was typically involved in the sensor front-end, the intersection of the detectors’ physics and the electronics of the readouts. But that necessitated a lot of the testing, and it was fundamentals testing. Most of the programming I did was building up the GUIs for all the tests that we needed to run, and the I/O to talk to the instruments, to learn what it was telling us, to make sure it could function in a wide variety of environmental states and different inputs that it was expected to see, once it eventually got into space. 

That was just my aspect — and then there is all the processing of the data. If you think about astronomy, there is so much we know about the universe through different telescopes, space-based and ground-based, and one of the things we do is anticoincidence detection. We had to come up with algorithms that detect only the kind of particles or on wavelengths that we want to identify, and not the ones that deposit energy in different ways that we are trying to study. Even just the algorithms to suss out that tiny aspect of what those kinds of X-Ray detectors on those telescopes do, is entirely software-intensive. Some of it is actual firmware because it has to happen so quickly, in billionths of a second, but basically, the software enables the entire industry, whether it is the adaptive optics that allow us to see clearly, or the post-processing, or even just the algorithms we use to refine and do the R&D, it’s everywhere, and it is ubiquitous. The first GUIs I ever wrote were on a Linux system using basic open source stuff to talk to our instruments. As far as I know, there is no single person who can walk into any job at NASA and have no programming experience. It’s everywhere.

JP: Speaking of programming and debugging, I saw a video of you floating around in the server room on the ISS, which to me looked like a bunch of ThinkPad laptops taped to a bulkhead and sort of jury-rigged networked there. What’s it like to debug technical problems in space with computer systems and dealing with various technical challenges? It’s not like you can call Geek Squad, and they are going to show up in a van and fix your server if something breaks. What do you do up there?

CK: That is exactly right, although there is only one thing that is inaccurate about that statement — those Lenovos are Velcroed to the wall, not taped (laugh). We rely on the experts on the ground as astronauts. Interestingly, for the most part, just like an IT department, just like at any enterprise, the experts, for the most part, can remotely login to our computers, even though they are in space. That still happens. But if one of the servers is completely dead, they call on us to intercede, we’ve had to re-image drives, and do hardware swaps.

JP: OK, a serious question, a religious matter. Are you a Mac or a PC user, an iOS or an Android user, and are you a cat or a dog person? These are crucial questions; you could lose your whole audience if you answer this the wrong way, so be careful.

CK: I am terrified right now! So the first one I get to sidestep because I have both a Mac and a PC. I am fluent in both. The second — Android all the way. And as the third, I thought I was a cat person, but since I got my dog Sadie, I am a dog person. We don’t know what breed she is since she is from the Humane Society and is a rescue, so we call her an LBD — a Little Brown Dog. She is a little sweetheart, and I missed her quite a bit on my mission.

JP: Outside of being an astronaut, I have heard you have already started to poke around GitHub, for your nieces and nephews. Are there any particular projects you are interested in? Any programming languages or tools you might want to learn or explore?

CK: Definitely. Well, I want to learn Python because it is really popular, and it would help out with my Raspberry Pi projects. The app that I am writing right now in Android Studio, which I consulted on with my 4-year-old niece, who wanted a journal app. I’m not telling anyone my username on GitHub because I am too embarrassed about what a terrible coder I am. I wouldn’t want anyone to see it, but it will be uploaded there. Her brother wants the app too, so that necessitated the version control. It’s just for fun, for now, having missed that technical aspect from my last job. I do have some development boards, and I do have various home projects and stuff like that.

JP: In your keynote, you mentioned that the crew’s favorite activity in space is pizza night. What is your favorite food or cuisine, and is there anything that you wished you could eat in space that you can’t?

CK: My favorite food or cuisine on Earth is something you can’t have in space, sushi, or poke, all the fresh seafood type things that I got introduced to from living in American Samoa and visiting Hawaii and places like that, I missed those. All the food we have in space is rehydrated, or from MREs, so it doesn’t have a lot of texture, it has to have the consistency of like mac and cheese or something like that. So what I really missed is chips — especially chips and salsa. Because anything crunchy that is going to crumble up is going to go everywhere. So we don’t have anything crunchy. Unfortunately, I have eaten enough to have made up for going without chips and salsa since I was back.

JP: Thank you very much, Christina, for your time and insights! Great interview.

Watch Christina’s full OpenJS World keynote here:

The post Linux Foundation interview with NASA Astronaut Christina Koch appeared first on The Linux Foundation.
