The Linux Foundation


The MLflow Project Joins Linux Foundation

Fri, 06/26/2020 - 00:00

First End-to-End Machine Learning Platform Is Embraced by the Community with over 2 Million Downloads Per Month and over 200 Contributors in Only 2 Years

San Francisco, JUNE 25, 2020 – The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced that MLflow, an open source machine learning (ML) platform created by Databricks, will join the Linux Foundation. Since its introduction at Spark + AI Summit two years ago, MLflow has experienced impressive community engagement from over 200 contributors and is downloaded more than 2 million times per month, with a 4x annual growth rate in downloads. The Linux Foundation provides a vendor neutral home with an open governance model to broaden adoption and contributions to the MLflow project even further.

“The steady increase in community engagement shows the commitment data teams have to building the machine learning platform of the future. The rate of adoption demonstrates the need for an open source approach to standardizing the machine learning lifecycle,” said Michael Dolan, VP of Strategic Programs at the Linux Foundation. “Our experience in working with the largest open source projects in the world shows that an open governance model allows for faster innovation and adoption through broad industry contribution and consensus building.”

Databricks created MLflow in response to the complicated process of ML model development. Traditionally, the process to build, train, tune, deploy, and manage machine learning models was extremely difficult for data scientists and developers. Unlike traditional software development, which is only concerned with versions of code, ML models also need to track versions of data sets, model parameters, and algorithms, which creates an exponentially larger set of variables to track and manage. In addition, ML is very iterative and relies on close collaboration between data teams and application teams. MLflow keeps this process from becoming overwhelming by providing a platform to manage the end-to-end ML development lifecycle from data preparation to production deployment, including experiment tracking, packaging code into reproducible runs, and model sharing and collaboration.

Matei Zaharia, the original creator of Apache Spark and creator of MLflow, shared the news with the data community during his keynote presentation today at Spark + AI Summit. “MLflow has become the open source standard for machine learning platforms because of the community of contributors, which consists of hundreds of engineers from over a hundred companies. Machine learning is transforming all major industries and driving billions of decisions in retail, finance, and health care. Our move to contribute MLflow to the Linux Foundation is an invitation to the machine learning community to incorporate the best practices for ML engineering into a standard platform that is open, collaborative, and end-to-end.”

Organizations are presenting their experience with MLflow at Spark + AI Summit, including Starbucks, ExxonMobil, T-Mobile and Accenture. New features that continue to simplify MLflow and the ML lifecycle are also being announced today, including autologging for experiments, and enhanced model management and deployment in the MLflow model registry.

Spark + AI Summit is taking place virtually this week, offering free registration and access to keynotes, sessions and industry forums on-demand. Register and learn more about MLflow or visit MLflow.org.

 

About The Linux Foundation
Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more.  The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Media Contacts
Jennifer Cloer
ReTHINKitMedia
jennifer@rethinkitmedia.com
503-867-2304

The Zephyr Project Marks Critical Milestones for Security and Product-Ready Maturity

Fri, 06/26/2020 - 00:00

Zephyr also Welcomes Laird Connectivity and teenage engineering to its Open Source RTOS Ecosystem

SAN FRANCISCO, June 25, 2020 – The Zephyr Project, an open source project at the Linux Foundation that builds a safe, secure and flexible real-time operating system (RTOS) for the Internet of Things (IoT) in space-constrained devices, announces continued momentum by marking critical milestones for security and product-ready maturity.

Earlier this year, the NCC Group, a global expert in cyber security and risk mitigation, notified the Zephyr Project of a number of security issues found as part of their independent research into the security posture of Zephyr. The research, which was driven by growing interest from their clients, found Zephyr to be a mature, highly active and growing project with increasing market share. The May 2020 report outlines the issues discovered in detail and acknowledges the proactive work of the Zephyr Project Security Committee to fix these issues and follow up on the recommendations of the report. Priority fixes have been backported into Zephyr’s Long Term Support (LTS) release, and a maintenance release has been published. Learn more about Zephyr’s security assessment and response in this blog.

“The Zephyr Project brings together a community of experts to participate on all aspects of the solution, from the standards to adopt, policies and processes to follow, and methodologies for build, test, maintenance, distribution and incident response,” said Joel Stapleton, Zephyr Project Governing Board Chair and Technical Product Manager at Nordic Semiconductor. “Our aim is to make a solution that developers can trust for the lifecycle of their products. This third party research and our security team’s swift and proactive response to the vulnerabilities is the strength of open source and a testament to this community.”

The Zephyr community of more than 700 contributors recently launched the Zephyr 2.3.0 release. The 2.3.0 release includes integration with the Trusted Firmware M open source Trusted Execution Environment framework, which implements Arm’s Platform Security Architecture specification. Zephyr has long included support for Arm’s TrustZone hardware, including being able to target the secure side of the firmware, but by adding integration with the standard Trusted Firmware M project, it now also offers the option to combine TF-M and Zephyr to create a PSA-certified solution. Learn more about Zephyr 2.3.0 in this blog.

Product Makers Need Security

The Zephyr RTOS is unique as it is vendor-neutral, with a scope from multi-architecture board support packages, to cloud connectivity for IoT products. Several high-profile products have leveraged Zephyr including Intellinium Safety Shoes, ProGlove and HereO Core Box.

In fact, during this pandemic, Zephyr community members are doing their best to help find solutions to various challenges. For example, Adafruit has volunteered to make Personal Protection Equipment (PPE) and other medical devices. The Phytec Distance Tracker, which features Nordic Semiconductor technology, Bluetooth Low Energy (BLE), Ultra-wideband (UWB) and Zephyr RTOS, tracks distance measurement between two or more people. With this product, businesses will be able to help employees maintain and track the 6-feet distance between others.

As a sign of commitment to developers like these, the Zephyr Project created a form that will notify product makers, who are not currently members, of vulnerabilities that may impact their products during the embargo window. Zephyr Project members receive this information already. To learn more about Zephyr’s commitment to product makers or to sign up for the notifications, click here.

A Growing IoT Ecosystem

Today, the Zephyr Project welcomes Laird Connectivity and teenage engineering to its growing IoT ecosystem. The new members join Adafruit, Antmicro, Eclipse Foundation, Foundries.io, Intel, Linaro, Nordic Semiconductor, NXP®, Oticon, SiFive, Synopsys, Texas Instruments and more to create an open hardware and software ecosystem using the Zephyr OS.

“Developers have many options when it comes to selecting an RTOS for embedded microcontrollers, but the Zephyr Project is one of the fastest growing open-source and broadly contributed RTOS projects of its kind,” said Jonathan Kaye, Senior Director, Product Management at Laird Connectivity.  “Joining the Zephyr Project allows Laird Connectivity to deliver more design flexibility than ever across our wireless modules, IoT Devices and Gateways. Our customers can leverage community support, better device security, high performance in resource-light environments, and license-free use for commercial applications. And by using one shared platform, they can build a highly reusable code base that rapidly accelerates their IoT development with Laird Connectivity products.”

“teenage engineering is developing embedded products in a wide range of complexity: from single core Cortex-M0 to multicore and multiprocessor systems with totals of up to 5 different MCUs from various vendors,” said David Eriksson, Head of Hardware at teenage engineering. “Our goal is to build the perfect multi-chip system where we capture what each breed of processor does best and allow them to work together in harmony. With Zephyr, we can develop anywhere. We make sure that code can run on host as well as device, and that interconnectivity is platform agnostic allowing a mix of real hardware and desktop emulation. We prefer to develop with open tools, so Zephyr is really the only sane choice for an RTOS where it is possible to achieve true transparency on all layers of the stack. We are happy to become members of The Linux Foundation and the Zephyr Project and to take part in shaping and influencing the future of embedded systems.”

In April, Zephyr celebrated 40,000 commits on GitHub and has now completed more than 41,000 to date with support for more than 200 boards.

Open Source Summit

The Zephyr Project will be present at the Linux Foundation’s Open Source Summit Virtual event on June 29-July 2. Several members will give presentations that involve Zephyr, including a keynote by Kate Stewart about open source in safety critical applications on July 1 at 9 am CST. Additional talks will be given by Zephyr project members from the Eclipse Foundation, Intel and Linaro. Learn more here.

Additionally, on July 2 from 2-3:30 pm, Zephyr will host a Mini-Summit that will offer an overview of the RTOS, an introduction to west, how Bluetooth works with Zephyr, and insight into security, safety certification and a product use case. Registration is free for OSS + ELC attendees. Learn more here.

To learn more about Zephyr RTOS, visit the Zephyr website and blog.

About the Zephyr Project

The Zephyr Project is a small, scalable real-time operating system for use on resource-constrained systems supporting multiple architectures. To learn more, please visit www.zephyrproject.org.

Open Mainframe Project Announces Major Technical Milestone with Zowe’s Long Term Support Release

Thu, 06/25/2020 - 07:32

  • The LTS Release and Zowe V1 Conformance Program supports product stability, security and interoperability
  • Open Mainframe Project continues momentum with two new global members and new COBOL resources
  • Open Mainframe Project will have sessions at the Open Source Summit on June 29-July 2

SAN FRANCISCO, June 24, 2020 – The Open Mainframe Project (OMP) announced today that Zowe, an open source software framework for the mainframe that strengthens integration with modern enterprise applications, marks a major technical milestone with the first Long Term Support (LTS) release. The Zowe LTS release will offer vendors and customers product stability, security, interoperability as well as easy installation and upgrades.

OMP launched Zowe, the first-ever open source project based on z/OS, in 2018 to serve as an integration platform for the next generation of administration, management and development tools on z/OS mainframes. The Zowe framework uses the latest web technologies among products and solutions from multiple vendors. Zowe enables developers to use familiar, industry-standard, open source tools to access mainframe resources and services.

“Mainframes are the foundation of businesses in every industry,” said John Mertic, Director of Program Management for the Linux Foundation and Open Mainframe Project. “Zowe continues to evolve rapidly due to numerous contributions from the open source community. The LTS release is our first major step into longevity and security that will offer innovative possibilities for the next generation of products and solutions.”

Benefits of the Zowe LTS release include:

  • Stability: Organizations can confidently adopt the technology for enterprise use and upgrade when appropriate for their environment, minimizing the risk of disruption
  • Interoperability: Zowe consumers can be assured LTS-conformant extensions have adapted to and support LTS features
  • Longevity: Zowe is designed for years of use and plans are in place for continued updates and support
  • Ease of Use: Mainframe System Administrators can use standard z/OS processes to install and upgrade Zowe z/OS components including SMP/E, Unix Shell Scripts, and z/OSMF workflows
  • Smaller Footprint: The updated install process leverages standard z/OS technology. In addition to being more intuitive, by eliminating optional services at install time the process lowers the number of configuration changes required for software updates and reduces the complexity of the Zowe footprint

The Zowe Conformance Program is Updated with LTS Guidelines

Open Mainframe Project’s Zowe Conformance Program, which aims to build a vendor-neutral ecosystem around Zowe, launched last year. The program has helped Open Mainframe Project members such as Broadcom, IBM, Phoenix Software and Rocket Software incorporate Zowe with new and existing products that enable integration of mainframe applications and data across the enterprise. To date, more than 28 products have implemented extensions based on the Zowe framework and earned these members conformance badges.

“The extensible nature of Zowe offers an infinite number of pluggable products, processes and services,” said Leonard J Santalucia, Chair of the Open Mainframe Governing Board and CTO of Vicom Infinity.  “Extenders can creatively address business challenges with their own service APIs, web applications or drive product actions from off-platform using a command line plug-in. Consumers of these extensions need the same assurance that they are stable, reliable, interoperable, and consistent with core Zowe. The updated Zowe Conformance Program does just that.”

“When it comes to mission critical software, end users want to know that it will behave as expected, period,” said David Stokes, senior director engineering, Mainframe Division, Broadcom. “Achieving Zowe Conformant status for our products provides our customers with the assurance that they can expect smooth compatibility and a superior overall user experience from the extensions they adopt. As a major contributor to the program, Broadcom fully embraces the customer value that conformance delivers as a priority for all of our open and commercial Zowe extensions.”

“Rocket Software, as original authors and contributors to Zowe’s mainframe virtual desktop, is uniquely positioned to leverage the Zowe Application Framework for developing new virtual desktop products,” said Milan Shetti, President, Z Systems Business Unit, Rocket Software. “Rocket® is excited to see the Zowe Conformance Program taken to the next level as part of the broader effort to get Zowe ready for production deployment and drive Zowe adoption. Rocket has more Zowe plug-ins in the pipeline for 2020 as we develop a portfolio of apps for the virtual desktop.”

Each vendor follows the Testing Guidelines to ensure their offering is aligned with the conformance standards. For the LTS release, each extensible component’s test criteria were modified to allow exploitation of the new Zowe LTS capabilities. Applications that satisfy the new testing criteria requirements will earn a Zowe “V1” conformance badge as soon as they submit for and are approved for V1.

New products or solutions recently accepted into the updated Zowe Conformance Program include:

  • CA SYSVIEW® PERFORMANCE MANAGEMENT
  • CA File Master Plus
  • CA JCLCheck Workload Automation
  • CA Endevor® Bridge for Git
  • IBM RSE API Plug-in for Zowe CLI v1.0.0

The Open Mainframe Project hosted a Zowe LTS Release webinar earlier this month that shares more details. To watch the webinar on-demand, click here.

Open Mainframe Project Momentum Continues

Hosted by The Linux Foundation, the Open Mainframe Project is comprised of business and academic leaders within the mainframe community that collaborate to develop shared tool sets and resources. Today, the project welcomes YADRO, the largest technology vendor in Russia with full-cycle in-house R&D, manufacturing and services, and SOFTWARE ENGINEERING GmbH, providing strong Db2 z/OS solutions for more than 40 years.

“International technology collaboration and global partnerships are the core drivers in the YADRO strategy,” said Anna Egorova, Chief Delivery Officer for YADRO. “In this journey, we contribute significantly to the development and support of open source technologies and communities. The Open Mainframe Project ecosystem is perfect to leverage our hardware expertise and knowledge of local customers’ needs along with the resources available worldwide through the project community.”

“As experts in the mainframe industry continue to evolve, there is still time to modernize the mainframe and join forces with 3rd party vendors to work out a unified framework that merges proven and latest technology,” said Ulf Heinrich, Managing Director of SOFTWARE ENGINEERING GmbH. “With ZOWE being the very first open source project on z/OS designed to make the mainframe an agile, integrated platform. The common UI for senior mainframe staff and the new workforce will simplify the architecture and reduce the operational costs. For SOFTWARE ENGINEERING GmbH, Zowe is THE ecosystem addressing everything from application developers, system programmers, DBAs and DevOps architects.”

Last year, the number of projects hosted under the Open Mainframe Project doubled; they include ADE, Ambitus, ATOM, Feilong, Mentorship, Polycephaly, TerseDecompress and Zorow. This year, the momentum continues with resources and a new project for COBOL.

In April, Open Mainframe Project announced several COBOL resources in response to the desperate call for help from government officials. The project followed this up with the availability of a COBOL Training Course that offers introductory-level COBOL materials with Microsoft’s Visual Studio Code editor (VS Code). The free COBOL Training Course educates those developers or students who would like to learn COBOL skills with VS Code and extensions. These materials provide an overview of the language with hands-on labs. The course has already gained lots of traction with more than 100,000 views and 27,000 unique visitors.

Open Mainframe Project will host a booth and several sessions at the Linux Foundation’s Open Source Summit + Embedded Linux Conference virtual event on June 29-July 2 and a Mini-Summit on July 2 from 2-3:30 pm. The Mini-Summit is free to OSS + ELC attendees. To register, click here. Learn more about the OMP sessions here.

About the Open Mainframe Project

The Open Mainframe Project is intended to serve as a focal point for deployment and use of Linux and Open Source in a mainframe computing environment. With a vision of Open Source on the Mainframe as the standard for enterprise class systems and applications, the project’s mission is to build community and adoption of Open Source on the mainframe by eliminating barriers to Open Source adoption on the mainframe, demonstrating value of the mainframe on technical and business levels, and strengthening collaboration points and resources for the community to thrive. Learn more about the project at https://www.openmainframeproject.org.

About The Linux Foundation

The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and commercial adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.

ELISA Project Momentum Continues

Thu, 06/18/2020 - 21:54
Community growth and engagement, coupled with new member support, offers additional approaches for assessing safety in applications using Linux.

 

SAN FRANCISCO, June 18, 2020 – As ELISA (Enabling Linux in Safety Applications) nears its year and a half anniversary, the project continues to hit key milestones showing its value for delivering foundational support for safety-critical applications.   ELISA, formed in February 2019 and a hosted project of the Linux Foundation, aims to create a shared set of tools and processes to help companies build and certify Linux-based safety-critical applications and systems whose failure could result in loss of human life, significant property damage, or environmental damage. 

As Linux continues to be a key component in safety applications, autonomous vehicles, medical devices, and even rockets, ELISA will make it easier for companies to build and expand these safety-critical systems. As a show of support for this business-critical initiative, several new members have joined the ELISA project. New members include Premier Member Intel/Mobileye, General Members ADIT, Elektrobit, Mentor, SiFive, Suzuki, Wind River and Associate Members Automotive Grade Linux and Technical University of Applied Sciences Regensburg. 

“Since forming ELISA, we’ve had incredible support from members and the community. As we near 18 months as a project, we’ve agreed on a strategy for partitioning the problem into manageable pieces, and have working groups making progress towards approaches to bridge between the Linux and safety standards communities and are looking forward to continuing the path we’ve been on,” said Kate Stewart, Senior Director of Strategic Programs, The Linux Foundation. “We are encouraged by broad participation, as demonstrated by our nine new members, including Intel, as well as very active working groups. These kinds of activities are indicators of achieving the critical mass needed to establish a widely discussed and accepted methodology.”

“Intel and Mobileye see the Linux Operating system as an important player in the functional safety software ecosystem,” said Simone Fabris, ELISA Governing Board member and senior director of system safety at Mobileye, an Intel Company.  “The impact and skills of the open source community will be harnessed through the ELISA project to increase the safety integrity of future embedded systems while, at the same time, contributing to a better quality, reduction of development costs and speed up the delivery of complex functional safety systems across multiple industry domains including autonomous driving and avionics.”

“Linux has evolved ever since its inception to run on devices small and large while serving the needs of a wide spectrum of technology, from an elevator to a supercomputer,” said Shuah Khan, ELISA Technical Steering Committee Member and Linux Foundation Fellow. “Each of these evolutions requires identifying what is needed and what is missing in the existing code base and enhancing existing features and adding new ones. ELISA project’s mission is to evolve Linux to serve an emerging and important safety-critical space that spans medical devices, civil infrastructure, caregiving robots, automotives, and others.”

In addition to incredible member growth, ELISA has established several work groups to further the crucial work of the cross-industry project and its work toward advancing open source in safety-critical systems. These groups include Kernel Development Process, Safety Architecture and Medical Devices, and an Automotive working group is now forming.

Community members will have the chance to learn more about this important work during the Linux Foundation’s Open Source Summit North America where Kate Stewart, Senior Director of Strategic Programs, The Linux Foundation, is set to give a keynote speech, “Keynote: Open Source in Safety Critical Applications: The End Game.” For the first time, this event will also include an Open Source Dependability track. See the full schedule for Open Source Summit North America taking place virtually from June 29, 2020 to July 2, 2020.

In addition, ELISA will continue to hold regular workshops to discuss approaches to solving the missing pieces and better tooling. Listen to previous workshops and get notified of upcoming events at https://elisa.tech/news/.

New Member Quotes

ADIT, a joint venture of Robert Bosch GmbH and DENSO Corporation

“Having followed ELISA since May 2019 and having participated in all workshops so far, I am excited to see the recent increase of interest in the field of Automotive and Linux; the core competence of ADIT. The enthusiastic collaboration between functional safety participants combined with the recent excellent contributions from Linux experts are adding the value and momentum needed to enable Linux in safety applications and to make ELISA a success story”, said Philipp Ahmann, manager at ADIT, a joint venture of Robert Bosch GmbH and DENSO Corporation.

Automotive Grade Linux 

“Functional safety is an increasingly important topic for Automotive Grade Linux as we expand into Instrument Cluster and eventually into Autonomous Vehicle solutions”, said Dan Cauchy, Executive Director of Automotive Grade Linux at the Linux Foundation. “With the support of eleven car manufacturers and over 150 companies, we look forward to collaborating with ELISA Project and help drive the requirements from an automotive perspective.”

Elektrobit

“The research done in the ELISA project defines the future of enabling Linux for functional safety applications,” said Martin Schleicher, Executive Vice President Business Management, Elektrobit. “Vehicles are clearly products with special sensitivity.  EB is pleased to be part of this exciting project and looks forward to contributing its broad experience in automotive software and functional safety expertise to drive the development of mission critical automotive software.”

Mentor, a Siemens business

“The ELISA project enables Safety and Linux experts to work hand in hand on the future topics in using Linux in safety-related systems. Under the umbrella of the Linux Foundation the organizational frame allows constructive discussions about the main challenges for ‘making Linux safe,’” said Michael Ziganek, General Manager, Automotive Business Unit, Mentor, a Siemens business. “For us as Mentor, a Siemens business, being part of ELISA is an accelerator to have more customized technology offerings for our customers regarding our automotive software solutions, especially to integrate and maintain Linux in safety-critical systems.”

Technical University of Applied Sciences Regensburg

“After closely, but informally collaborating with the ELISA project via research, student and development projects, we are excited about joining ELISA as an associate member! Combining the industrial experience and insights of the world leaders in safety-critical Linux systems with the group’s research portfolio will bring marked benefits to both, industrial and academic communities, who are still too often at a distance from one another,” says Prof. Dr. Wolfgang Mauerer, head of the digitalization laboratory at OTH Regensburg.

Wind River

“Companies in all sectors will greatly benefit from the ELISA project’s goal of advancing open source to building and certifying Linux-based safety-critical applications and systems. When stakes are high and failure is not an option, it is vital for the ecosystem to work together to make safety a priority. Wind River has a long history in Linux and mission-critical systems and we look forward to contributing in order to help the ELISA project advance Linux for safety-critical applications,” said Gareth Noyes, senior vice president, Products, Wind River.

About ELISA

ELISA, Enabling Linux in Safety Applications, is an open source project hosted by the Linux Foundation. ELISA’s goal is to create a shared set of tools and processes to help companies build and certify Linux-based safety-critical applications and systems whose failure could result in loss of human life, significant property damage or environmental damage. Building off the work being done by SIL2LinuxMP project and Real-Time Linux project, ELISA will make it easier for companies to build safety-critical systems such as robotic devices, medical devices, smart factories, transportation systems and autonomous driving using Linux. Founding members of ELISA include Arm, BMW Car IT GmbH, KUKA, Linutronix, and Toyota.

About The Linux Foundation

The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and industry adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.

# # #

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Linux Foundation & Harvard Announce Free/Libre and Open Source Software (FOSS) Contributor Survey

Thu, 06/18/2020 - 21:00

“Open source software is everywhere. Now, more than ever, we need to get a better understanding of it to help make it even more secure.” – David A. Wheeler, Director of Open Source Supply Chain Security, Linux Foundation

In 2020, given the wide proliferation of Free/Libre and Open Source Software (FOSS), we aim to identify how to improve security, including the sustainability of the FOSS ecosystem, especially the FOSS systems heavily relied upon by organizations worldwide.

To do this, the Linux Foundation’s Core Infrastructure Initiative (CII) and the Laboratory for Innovation Science at Harvard (LISH) have developed a survey for contributors to FOSS. If you contribute to FOSS, we would love for you to participate in our study. This voluntary survey takes around 15-20 minutes to complete and allows you to advocate for the FOSS projects you care about. 

Please participate now; we intend to close the survey in early August. In appreciation of your participation, we would like to offer our participants the option to have your name included in the overall results. If you opt to be attributed in the final report, you will still have the opportunity to keep your detailed survey responses confidential.

The CII takes a collaborative, pre-emptive approach for strengthening cybersecurity by improving open-source software security. We aim to support, protect, and fortify open software, especially software critical to the global information infrastructure. We take a holistic view of security; we include security risks in critical projects that are inadequately sustained or vulnerable to supply chain attacks. We intend to use this survey information to help guide this approach.

Why CII best practices gold badges are important

Wed, 06/17/2020 - 21:00

“A CII Best Practices badge, especially a gold badge, shows that an OSS project has implemented a large number of good practices to keep the project sustainable, counter vulnerabilities from entering their software, and address vulnerabilities when found.” – David A. Wheeler, Director of Open Source Supply Chain Security

Open source software (OSS) is now widely used by many organizations. That popularity means the security of OSS is now more important than ever. The CII Best Practices badge project — including its top-ranked “gold” badge — helps improve that security.

In June 2020, two different projects managed to earn a gold badge: the Linux kernel and curl. Both are widely depended on, and yet in many other ways, they are radically different. The Linux kernel has a large number of developers, and as a kernel, it must directly interact with a variety of hardware. Curl has a far smaller set of developers and is a user-level application. They join other projects with gold badges, including the Zephyr kernel and the CII Best Practices badge application itself. Such radically different projects managed to earn a gold badge and thus demonstrated their commitment to security. It also shows that these criteria can be applied even to such fundamentally different programs.

But what are these badges? A Linux Foundation (LF) Core Infrastructure Initiative (CII) Best Practices badge is a way for Open Source Software (OSS) projects to show that they follow best practices. The badges let others quickly assess which projects are following best practices and are more likely to produce higher-quality secure software. They also help OSS projects find areas where they can improve. Over 3,000 projects participate in the badging project, a number that grows daily.

There are three badge levels: passing, silver, and gold. Each level requires that the OSS project meet a set of criteria; for silver and gold that includes meeting the previous level. Each level requires effort from an OSS project, but the result is reduced risks from vulnerabilities for both projects and the organizations that use that project’s software.

The “passing” level captures what well-run OSS projects typically already do, and has 66 criteria grouped into six categories. For example, the passing level requires that the project publicly state how to report vulnerabilities to the project, that tests are added as functionality is added, and that static analysis is used to analyze software for potential problems. Getting a “passing” badge is an achievement, because while any particular criterion is met by many projects, meeting all the requirements often requires some improvements to any specific project. As of June 14, 2020, there were 3195 participating projects, and 443 had earned a passing badge.

The silver and gold level badges are intentionally more demanding. The silver badge is designed to be harder but possible for one-person projects. Here are examples of silver badge requirements (in addition to the passing requirements):

  • The project MUST have FLOSS automated test suite(s) that provide at least 80% statement coverage if there is at least one FLOSS tool that can measure this criterion in the selected language.
  • The project results MUST check all inputs from potentially untrusted sources to ensure they are valid (a whitelist) and reject invalid inputs if there are any restrictions on the data.

The gold badge adds additional requirements. Here are examples of gold badge requirements (in addition to the silver requirements):

  • The project MUST have a “bus factor” of 2 or more (a “bus factor” is the minimum number of project members that have to suddenly disappear from a project before the project stalls due to lack of knowledgeable or competent personnel).
  • The project MUST have at least 50% of all proposed modifications reviewed before release by a person other than the author.
  • The project MUST have a reproducible build. 
  • The project website, repository (if accessible via the web), and download site (if separate) MUST include key hardening headers with nonpermissive values.

Historically the LF has focused on getting projects to the passing level because projects not even at the passing level have a higher risk. But many projects are widely depended on or are especially important for security, and we love to see them earning higher-level badges.

Of course, a gold badge doesn’t mean that there are no vulnerabilities in the existing code, or that it’s impossible to improve their development processes. Perfection is rare in this life. But a CII Best Practices badge, especially a gold badge, shows that an OSS project has implemented a large number of good practices to keep the project sustainable, counter vulnerabilities from entering their software, and address vulnerabilities when found. Projects take many such steps to earn a gold badge, and it’s a good thing to see.

We hope other projects will be inspired to pursue — and earn — a gold badge. Of course, the real goal isn’t a badge — the real goal is to make our software much more secure. But good practices can help make our software more secure, and we want to praise and encourage projects to have good practices.

For more background information on the best practices badge, see the presentation “Core Infrastructure Initiative (CII) Best Practices Badge in 2019”.

OSS projects can go to the CII Best Practices badge website to begin the process of earning a badge. If you’re considering the use of some OSS, we encourage you to check that website to see which projects have earned a badge.

Those who wish to learn more are welcome to contact David A. Wheeler, Director of Open Source Supply Chain Security at The Linux Foundation, at dwheeler AT linuxfoundation DOT org.

Building a sustainable open source community: training and certifications

Tue, 06/16/2020 - 23:23
Training and professional certifications are an important part of how open source technologies establish themselves as industry-leading solutions and are adopted in commercial ecosystems.

Introduction

In an earlier piece, we discussed how, over the last 20 years, the Linux Foundation has grown from a single project, the Linux kernel, to an organization that has helped to convene and host hundreds of the world’s most important open source communities. 

The Linux Foundation’s support programs add value for our communities as they enable our projects to engage and grow a technology ecosystem worldwide.  

The Linux Foundation has over 1,600 member companies, representing 100% of the Fortune 100 tech and telecommunication firms, small businesses and startups, hundreds of end-user companies, and everything in between. It also has over 25,000 software developers contributing code, a shared investment that we estimate to be valued at $15.7B – and growing. Our hosted projects enable advancements in many technology areas and across many vertical industries, from security to networking, edge computing, cloud, automotive, blockchain, embedded systems, and web applications.

With the increased demand and adoption of open source technologies comes the desire for professionals with the skill sets to deploy, manage, and operate systems and support end-users. The Linux Foundation’s most recent Jobs Report revealed some key findings about open source employment opportunities:

Source: Linux Foundation 2018 Jobs Report

  • Hiring open source talent is a priority for 83% of hiring managers, a 7% increase from 76% in 2017. 
  • Hiring managers cited cloud (66%) as the technology most affecting their hiring decisions. Containers placed second at 57%, followed by security (49%) and networking (47%).
  • Finding the right mix of experience and skills is difficult for 87% of hiring managers. That included the 44% who rated it very difficult, a percentage that leaped from 34% in 2017.
  • Thirty percent of respondents working in open source technologies improved their ability to work on exciting projects, collaborate with a global community (19%), and work on the most cutting-edge technology challenges (16%). 

This report will be updated this autumn, and early indications show that these trends are accelerating given current market conditions.

The Linux Foundation provides a complete portfolio of support programs for training and certification, which align with the technologies that its communities develop. The support programs currently focus on eight primary domain areas:

  • Linux Internals
  • Open Source Developer Compliance
  • Systems Administration
  • Security 
  • Networking/Edge Computing
  • Cloud
  • Web Development
  • Blockchain

These programs are co-developed with the communities, and we add programs all the time as communities request support. 

Why training and certification are critical for open source communities

The Linux Foundation’s communities request support for training and certification because it creates a cadre of professionals that can implement solutions using their collaboratively developed technologies, with demonstrated expertise. Additionally, without trained and certified professionals, these technologies will face challenges achieving or scaling both industry adoption and commercial ecosystems supporting them. End-users adopting the technology, along with commercial solution and support providers, also provide a pipeline of future contributors back to the project’s codebase. As the open source technology is deployed, it gets tested, bugs are found, new features are requested, and all that feedback cycles its way into the upstream project, sustaining and making the project better for everyone dependent on its continued success.

For many open source projects, to gain adoption and generate a commercial support ecosystem, they will ultimately need to have training and certification programs. While this may sound similar to how other professional communities have matured and have become validated for developer and engineering certifications for commercial clouds and proprietary software systems, there are some important distinctions as to why a commitment to developing training and certification for open source technologies is critical to their long-term success.

The open source community works more organically and cyclically, which necessitates that a cadre of expertise is built for it not just to be deployed (as the commercial training and ecosystem have worked historically over the past 40 years) but also as part of its continuing development and for it and all of its participants to thrive. 

An open source software community develops software, and it gets deployed by professionals. Those professionals often eventually move on to different organizations and implement the same software. Those organizations will ultimately need more people to support deployments and write applications to extend and customize the software. These organizations also need system administration professionals and cloud providers to support solutions based on these open source software systems.

Why should communities create training and certification programs with the Linux Foundation? 

Straight from the source, and integrated into how communities are built and run. As the home of Linux and other major open source technologies, nobody is closer to these projects than The Linux Foundation itself — its training programs are uniquely integrated with our communities and projects. We understand how to align instruction with a community development model. Training is one of the support pillars that also enable the developers and engineers to focus on the open source project’s development and leave educating users and implementers of the code to the Linux Foundation’s training team. 

Accelerating community growth through free training. Thanks to our members’ support of the Linux Foundation and its projects, we are often able to provide free training courses from our communities. Free training is one of the fastest ways to bring more people into our open source communities as they learn, test, deploy and support solutions based on the open source technology, as they usually come back to offer suggestions, feedback, and fixes.

Vendor-neutral courseware. The Linux Foundation is a nonprofit organization and does not promote any particular commercial product, solution, or service.

Excess funds received go back to the project community. Although the Linux Foundation keeps pricing affordable and frequently offers further discounts, the overall program does generate a surplus. Since we are a nonprofit, the surplus is invested back into the open source community in a variety of ways: we provide scholarships to deserving individuals to become trained and certified at no cost, and the Foundation supports projects that are important to the world but do not receive individual or corporate financial support. Surplus funding is also used for linux.com as well as other digital assets and key initiatives such as CommunityBridge. 

Up-to-date Curriculum. Linux Foundation courses are current with the most recent version of the software or technology. As the host of many of the most critical open source projects that are continually changing, the Linux Foundation is in an excellent position to find experts and ensure the materials are maintained and updated alongside the project’s evolution. Additionally, enrolled students receive access to the latest course versions at no additional cost.

Current and cutting-edge technologies. The Linux Foundation hosts the fastest-growing and most influential open source projects and is the first to release courses about them. 

Expert instruction. The Linux Foundation’s courses are created and taught by some of the top developers and practitioners in open source, with decades of collective open source experience under their belts and a deep familiarity with our open source communities.

Relevant material. The Linux Foundation’s courses are created using feedback from its massive community of open source practitioners and companies. Students can be confident that the topics they are learning are applicable in today’s business environment. Companies and organizations can integrate certifications in their hiring search and evaluations to find professionals with qualified skills.

Conclusion

With the most popular open source projects receiving upwards of 90% of their code from commercial companies, those companies are continually seeking trained people with the skills to deploy, support, and operate the open source technology. With Linux Foundation training being free to access in most cases, our communities can efficiently train a vast ecosystem of people with skills companies are seeking to employ. The online delivery of our courses also makes our training accessible to people from low-income regions around the world, where access to training can provide a considerable boost to their career prospects.

Enterprises especially value certifications as evidence that employees are qualified and have demonstrated their expertise in a particular technology. Enterprises also want to train their existing employees on new technologies in an organized, efficient manner, which professional training courses can provide.

Offering training and certification is one of the best ways to scale any growing open source project community. For a project to continue growing and get more contributors involved, the community will need individuals to be able to gain an understanding of the project in a relatively quick and straightforward way. Our organized training curriculum was designed to fill this expertise gap.

The Linux Foundation’s training and certification offerings, combined with its community-organized events, provide a well-rounded and neutral path to build skills and enable people to contribute back to its projects, sustaining their efforts into the future.

Linux kernel earns CII best practices gold badge

Sat, 06/13/2020 - 01:25

All: I want to formally congratulate the Linux kernel project for earning a gold badge!! You can see their details here:

https://bestpractices.coreinfrastructure.org/en/projects/34

The Linux kernel has been close for a while. The final one they completed was to add some HTTP hardening headers to key websites.

Of course, a gold badge doesn’t mean that there are no vulnerabilities, or that it’s impossible to improve their development processes. Perfection is rare in this life. But it *does* mean that they’ve implemented a large number of good practices to keep the project sustainable, to counter vulnerabilities from entering their software, and to address vulnerabilities when they are found. The Linux kernel project takes many steps to do this, and it’s good to see.

The Linux kernel joins some of the few other gold applications, such as the Zephyr project, who have been at gold for a while. You can see the current gold holders here:

https://bestpractices.coreinfrastructure.org/en/projects?gteq=300

My thanks to Greg Kroah-Hartman, who spearheaded getting the badge “over the finish line.” Thank you for your effort.

I hope that this result will help inspire other projects to pursue — and earn — a gold badge. Of course, the real goal isn’t a badge — the real goal is to make our software much more secure. But I think it’s clear that good practices can help make our software more secure, and we want to praise & encourage projects to have good practices.

David A. Wheeler

Director of Open Source Supply Chain Security, The Linux Foundation

Linux Foundation Support for the Black Community

Tue, 06/09/2020 - 01:32

The Linux Foundation and its communities stand in solidarity voicing support for the Black community. The system under which we operate requires change to make justice and equality a reality. We support the individuals and organizations offering solutions for such changes, and we will be planning how we can support change as well.

We are proud (and privileged) to work with communities and members that support our initiatives and reflect the same values. We have collected statements from across our communities that voice this collective support.

Statement from Arpit Joshipura, General Manager of Networking, IoT and Edge (LF Networking and LF Edge)

Members,

We at LFN and LF Edge are disheartened by the current situation of injustice, hate, and division we are seeing and believe recent actions are the opposite of our values. LFN and LF Edge are global umbrella organizations based on diversity, collaboration, mutual understanding, and respect. It is the essence of the very community building we engage in professionally.

The Linux Foundation has long stood for inclusion and open participation and has supported individuals and collective communities in our knowledge that diversity is a strength. We will continue to promote those values and do more.

Finally and most importantly, this is a time for most of us to listen, to listen to the experiences of our members who experience racism in their personal and professional lives. This is not a time to be defensive; this is a time to hear about experiences of our fellow members. We at LFN and LF Edge are here to listen. If you would like to have a discussion about this topic, please send me a note as well.

Statement from Kate Stewart, Sr. Director of Strategic Programs (Zephyr Project)

Dear Zephyr Project Community

When we started the Zephyr project, one of the goals was to come up with a solution to a very fragmented ecosystem for applications where Linux was just too big. Thanks to you, we have been succeeding, step by incremental step. We are focused on the common goal of building the best RTOS in the landscape while establishing a diverse and inclusive community. And while we may not always agree with each other in all details, one of the things that stands out for me is we’re all willing to listen to each other.

As we watch the news, the events in the U.S. over inequality and the ongoing COVID-19 pandemic, it’s hard to figure out how we can make a difference as individuals and as a larger group. Injustice, division, and isolation are causing harm in our society, and the effects are touching every single one of us. We’ve seen Zephyr members and our community start creating solutions to help with COVID-19, and it would be wonderful if the same creativity can be focused on the wider diversity problems as well.

While I don’t have the answers here, I do see this as a moment for us to listen and build from. We must seek to understand the enormous injustice and pain that results from inequality and isolation. Please take the time to engage on this topic with your families, friends, local and global communities, and use the creativity I see being demonstrated every day by the Zephyr community to help us come up with ideas for change.

If you would like to have a discussion about this topic, please send me a note as well.

Above all, let us continue to be examples within our broader and local communities, while staying engaged so that we can be a part of a larger change for the better.

Statement from John Mertic, Director (Open Mainframe)

We are all disheartened by the current issues in the US brought to the forefront of the news. Injustice and division are causing harm in our society, and the effects are touching every single one of us. I’ve personally seen the effects of this amongst my immediate family and close friends, which saddens me deeply. This is the opposite of our values as humans and my hope is that this brings the conversation of diversity to the forefront.

The Open Mainframe Project, along with The Linux Foundation, is an organization based on collaboration and mutual understanding. It is the essence of the very community-building we engage in professionally. All of us are stronger than one of us and diverse communities have always driven greater outcomes.

Our strength over the past decades has been the community’s desire to continue its legacy well past our lifetime. The only way to achieve this is by emphasising the focus on diversity – and events like what we’ve seen unfold nationwide illustrate how far we still need to go.

While I don’t have the answers here, I do see this as a moment for us to listen. We must seek to understand the enormous injustice and pain that results from inequality in our society. Please take the time to engage on this topic with your families, friends, local and global communities.

If you would like to have a discussion about this topic, please send me a note as well.

Above all, let us continue to be examples within our broader and local communities, while staying engaged so that we can be part of a larger change for the better.

We’ve decided to postpone the Node.js Security Working Group AMA this week. We’ll share a new date soon. In pressing pause we want to express our support to our entire community, and especially those facing racial inequity.

— OpenJS Foundation (@openjsf) June 1, 2020

The Power of Together. We Stand For Justice. #BlackLivesMatter pic.twitter.com/p4WpaCQqM6

— Continuous Delivery Foundation (@CDeliveryFdn) June 3, 2020

The power of together. We stand for justice.

Support the movement: https://t.co/UXGrBru8Sn pic.twitter.com/uEEWuiDWvA

— LF Energy Foundation (@LFE_Foundation) June 2, 2020

We stand in solidarity with the Black community.
Racism is unacceptable.
It conflicts with the core values of the Kubernetes project and our community does not tolerate it. #BlackLivesMatter https://t.co/AUNfkB3WOe

— Kubernetes (@kubernetesio) June 5, 2020

Racism is unacceptable, is incompatible with the Helm project goals, and has no place in our open source community. #BlackLivesMatter https://t.co/lJ8D1KP9Io

— Helm (@HelmPack) June 4, 2020

To our Black, Indigenous, and People of Color members of the @Linkerd community: just know that you are welcome here, you are celebrated, and we will make space for you and amplify your voices. You are a vital part of everything we’re building together. #BlackLivesMatter

— Linkerd (@Linkerd) June 3, 2020

We have changed the design of our documentation page to pay respect to George Floyd and show solidarity to the events happening in the United States right now. We ask that you consider financially supporting orgs mentioned in the banner. #BlackLivesMater #BlackOutTuesday Thanks! pic.twitter.com/TYdTssV3zk

— WebdriverIO (@webdriverio) June 2, 2020

The @webpack documentation will be temporarily down for today to pay respects to George Floyd and countless others who are the victims of police violence in the Black community and around the world. #blackoutday #BlackOutDay2020 https://t.co/FPy0JITmjs pic.twitter.com/CgSndheO4A

— webpack module bundler (@webpack) June 2, 2020

Building a successful open source community: How coordination and facilitation helps projects scale and mature

Fri, 05/29/2020 - 00:00
Why do you need program management as part of your open source project? We asked a few of the Linux Foundation’s program managers to tell us how they each approach the task.

How does coordination and facilitation help improve my project?

We tend to think of the primary goals of the Linux Foundation’s projects as producing open software, open hardware, open standards, or open data artifacts — the domain of participating programmers & engineers, system architects, and other technical contributors. 

However, successful projects engaging a broader ecosystem of commercial organizations, particularly when raising funds, benefit from active leadership besides pure technical contributions. Contributors often have work outside the project that puts demands on their time. It takes real time to build and coordinate a commercial ecosystem, ensure stakeholders are engaged, recruit and onboard members, create a neutral governance culture (often amid competitors competing), and keep various aspects of the ecosystem aligned, such as when end users begin to participate.

Many Linux Foundation projects fundraise to provide resources for their community. This is an excellent benefit for the technical community when the business ecosystem comes together to invest and help the community obtain resources to build a thriving community and ecosystem. A typical fundraising model in our community is to offer an annual membership structure that provides a yearly fund for the project. 

The Linux Foundation’s approach to governance separates decisions about funds and business affairs from the technical project’s governance. The companies contributing money to a project’s fund can decide how those funds are spent and any related business decisions. The technical community can operate independently with open source best practices and continue to make decisions about what code to accept, how to build releases, etc. based on the technical merit of decisions in front of them and not based on what companies contributed funding.

We will always have representation from the technical community involved in the budget and business decisions to ensure funding decisions are well informed. This is how the Linux Foundation model preserves the development best practices of open source while enabling a community to benefit from the commercial ecosystem dependent on their work.

Guidance for your community

Within a technical project, there are roles for organizing how releases are built. Often some committers decide which code is accepted, and maintainers decide what to put into a release.  When scaling the project to create an ecosystem around it, there are other key roles and responsibilities that a project needs to stay on track and to continue to scale. These functions include:

    • Planning and Building. Building a cohesive strategy is critical to the success of a project and requires investments in the outcomes the core stakeholders want to see happen and prioritize.
    • Measuring KPIs. Tracking a project’s mission, goals, and objectives while moving those through the swim lanes is key to iterating on things that work and addressing things that don’t.
    • Facilitating. To be successful at facilitating, a coordinator must understand the landscape and remain neutral. This can be difficult, and NOT weighing in unless asked is often the most challenging part of the job.
    • Advising. Coordinators are a sounding board for these things with some expertise. To mature an organization, you must craft mechanisms for self-governance and sustainability.
    • Iterating and Reflecting. What happens along the way is that stakeholders in the community want to get things done — but when that happens without reflection, you lose sight of what and where you’re going. It’s essential to see the forest AND the trees, especially from an above-the-canopy view.

In the past, we have had a few communities with respected, neutral leaders who have provided these roles. The Xen Project is one example of a member of the community who has offered to perform this role for many years. There is a significant time investment from the community’s leadership to make it work, which is an excellent benefit for the community to have someone able and willing to spend their work time on this function. 

Many other projects are not able to find someone in the community to help. This is often where the Linux Foundation builds a support program to assist the projects we host that need help to obtain neutral coordination and facilitation professionals. We call the people who provide this support Program Managers (PMs). PMs are often the first point of contact for community participants and potential members, and are usually involved in the following activities:

    • Program Managers help the governing and technical boards shape the project’s directions and goals. 
    • Program Managers will work with a project’s technical leadership to understand their technical goals. 
    • They work with the members to fill positions such as Chair and Treasurer and are involved with the voting process.
    • They ensure that both the governing and technical boards act within the agreed-upon guidelines of the project’s charter. 
    • They help onboard new members into the project community. 
    • They will engage resources from the Foundation’s Marketing, PR, Events, and Training teams to coordinate the support programs delivered for a project.  
    • Program Managers also oversee the delivery of other support programs provided by the Foundation and any services provided by vendors or contractors.
    • Program managers will pull in the Foundation’s IT service team members for a consultative discussion on the right development infrastructure, tools, and managed IT support programs based on the project community’s needs and roadmap. 
    • Program managers actively engage in community management and help the project’s leaders coordinate meetups, developer hackfests, and participation at events.

Setting strategic goals for your community

Identifying and articulating a project’s mission is essential with an open source project as it is with any business activity. Setting concrete goals enables the participants in a project to discuss and align around a single narrative that can guide their activities and inform decisions. 

Program Managers work with the project’s membership and technical leadership to define a strategy with goals, milestones, and metrics for the project. They coordinate discussions to assist the governing board in coming to a consensus on a budget that supports the technical community’s needs and aligns with the project strategy. 

For open source, very often, the goals include maximizing a project’s footprint in order to help the most people. Goals are often articulated to a fine granular level: enabling contributors to engage more easily, growing the membership from a particular sector of the ecosystem, or increasing contributions from end users.

The CHAOSS project is a community focused on defining community metrics around engagement, risks, etc. that are often helpful to project leaders in setting and establishing goals for measurably improving their ecosystem. 

Implementing a project lifecycle for your community

Open source projects often have subprojects and various efforts to innovate on new ideas that may not be ready to be included in an official release or as their own independent release. We often refer to these communities as using an “umbrella” model with several coordinated sub-projects within the community. Within an umbrella community, the projects will typically follow a lifecycle. The lifecycle generally follows a path from imagination to planning to initial execution, expansion, and eventually maintenance and eventual retirement.

Program managers often work with the technical leadership to codify this lifecycle according to milestones so that participants in the project can immediately understand where a project stands in terms of maturity and resources. CNCF, for example, has project phases that include Sandbox, Incubation, and Graduation. OpenJS Foundation has project phases that include Incubation, At-Large, Growth, Impact, and Emeritus, which map to the needs of their community.

A project lifecycle is an essential tool for a foundation to signal the maturity of multiple projects and identify for the community what the path towards a fully mature project requires. It is both a pathway and a signal, noting that projects grow and change, and what the community thinks a project should rely on to guide itself. 

In most projects, there is an entry level, a mid level, and a graduate level. The entry-level projects indicate a promising start for an emerging project and something to be considered. Mid-level projects show growth and development for an audience that might consider using this project, and graduated projects indicate full maturity and a project that many in the ecosystem rely upon.

“Within the Cloud Native Computing Foundation, the various project stages have been beneficial for encouraging projects to grow, not only from a development standpoint but from a community standpoint. A project looking to graduate has to demonstrate both a strong codebase and a strong community.”

Amye Scavarda Perrin, CNCF Program Manager

Linux Foundation Networking (LFN) Program Manager Trishan de Lanerolle notes how the Technical Advisory Council plays an active role in a project’s lifecycle management:

“Linux Foundation Networking project (LFN) technical leadership (Technical Advisory Council) developed and published a model that lays out criteria and checkpoints for projects in various stages of maturity, including an LFN Entry review and evaluation for new candidate projects to the LFN umbrella. The entry process provides a mechanism to amicably and fairly assess upcoming projects. In LFN, that entails asking whether a proposed project: falls within the LFN scope, provides a snapshot into the status or health of the community, and ensures the project’s documented governance is clear, complete, and easily accessible.”

Through facilitating the work of the Strategy Subcommittee, whose primary goal is to assist the Governing Board with developing and implementing Continuous Delivery Foundation (CDF) strategic planning, Program Manager Dan Lopez was able to guide CDF toward sustainable, long-lasting strategic goals. 

“The immense value of a Program Manager lies in their ability to foster a space for progress to happen. It’s not their role to necessarily make the tough decisions, but rather be the ‘glue’ of a program, ask the tough questions, and spark inspiration and critical thinking within their stakeholder group to create, in this case, sustainable goals that will create long term value for the CDF,”

Dan was able to approach strategic planning as a neutral party who understood the landscape of the CDF, and assist the Governing Board in creating well-aligned goals that mapped to key performance indicators that can be measured and managed over time.

The importance of open governance in your community

The Program Manager is also a vital member of the leadership team, working collaboratively to facilitate and operationalize the wants, needs, and priorities of the governing bodies. Each Linux Foundation Program Manager works with each project community to establish a transparent, open governance model for the technical community.

In open governance, a project is managed by a group of people representing the stakeholders in a project — generally project members and leaders of the project’s technical efforts. The concept of conducting a major technical effort using an open form of governance, in which all stakeholders’ needs must be addressed, and people are required to cooperate to get work done, is founded on the basic concept of democracy. It differs from closed or proprietary governance due to the transparency and coordination required to reach consensus.

Open governance provides a balance that can never be found in a proprietary, restrictive environment — the dynamics of that activity drive creativity and innovation, and significantly increase the speed of development. Program managers and community managers often guide these processes and help keep governance bodies on track with each other.

DPDK’s Program Manager Trishan de Lanerolle discusses how his project is divided into two bodies of equal responsibility:

“DPDK is one model of open governance, with co-equal governing bodies; the Governing Board has ownership and oversight, over budget, marketing, lab resources, administrative, legal, and licensing issues, and a Technical Board with ownership and oversight on technical issues including approval of new sub-projects, deprecating old sub-projects, the project’s technical roadmap, recruiting maintainers, defining the processes for contributing, testing, and managing security. The Technical Board comprises individuals from various organizations, that are not necessarily corporate members of the project, recognized for their technical contributions. The governing board comprises representatives from member organizations, who financially support the project, working hand in hand to make the project mission a reality.” 

Other projects, such as LF Energy, take a somewhat different path towards how their governance is structured. 

LF Energy represents an example of open, representative governance within a rapidly growing open source foundation. LF Energy has a board of directors, like most foundations, made up of Premier members, and includes a representative from the General members and a representative from the Technical Advisory Council (TAC), which is made up of technical project leaders. No single company has more than one representative on the board, which provides corporate as well as cultural diversity and voices from all over the industry, not just focused on one niche. 

The Linux Foundation’s neutral program management support program can help

Active program management and program management support is one of the main reasons why open source projects join an organization like the Linux Foundation. Our program management professionals provide a unique set of operational skills and capabilities that nearly all of our projects take advantage of — which is to offload operational and facilitation work from the community. 

In summary, a successful project should have community coordination and program managers that can plan and build, that can measure a project’s performance, that can act as prime facilitators and advise, and can help project stakeholders iterate and reflect to learn from their experiences in order to move a project forward.

“Managing Open source projects can be compared to nurturing a young sapling as it grows into a mature, healthy tree — or in this case, a community. Our job is to supply it with the right balance of nutrients and conditions for successful growth. Following proven governance models with strategic program management, helps increase the odds of nurturing a healthy community. Program Managers help clear the path, allowing communities to focus on the code and achieving technical goals. We are horticulturalists, toiling away in the background, and if we are doing our job correctly, you shouldn’t notice us.” 

Trishan de Lanerolle, Technical Program Manager & Community Architect, LF Networking


EdgeX Foundry Hits Major Milestone with 5 Million+ Container Downloads and a New Release that Simplifies Deployment for AI, Data Analytics and Digital Transformation

Thu, 05/21/2020 - 22:52

  • EdgeX’s sixth release (Geneva) offers more scalable and secure solutions to move more data faster from multiple edge devices to cloud, enterprise and on-premises applications.
  • As one of LF Edge’s Stage 3 Projects, EdgeX Foundry is seeing increased community growth, adoption and deployments.
  • New LF Edge project Open Horizon is building an integration project that will demonstrate automated delivery and lifecycle management of EdgeX Foundry as a containerized application.

SAN FRANCISCO – May 21, 2020 – EdgeX Foundry, a project under the LF Edge umbrella organization within the Linux Foundation that aims to establish an open, interoperable framework for IoT edge computing independent of connectivity protocol, hardware, operating system, applications or cloud, today announced a major milestone of hitting 5 million container downloads and the availability of its “Geneva” release. This release offers more robust security, optimized analytics, and secure connectivity for multiple devices.

“EdgeX Foundry is committed to developing an open IoT platform for edge-related applications and shows no signs of slowing down the momentum,” said Arpit Joshipura, general manager, Networking, Edge and IoT, the Linux Foundation. “As one of the Stage 3 projects under LF Edge, EdgeX Foundry is a clear example of how member collaboration and diversity are the keys to creating an interoperable open source framework across IoT, Enterprise, Cloud and Telco Edge.”

Launched in April 2017, and now part of the LF Edge umbrella, EdgeX Foundry is an open source, loosely-coupled microservices framework that provides the choice to plug and play from a growing ecosystem of available third-party offerings or to augment proprietary innovations. With a focus on the IoT Edge, EdgeX simplifies the process to design, develop and deploy solutions across industrial, enterprise, and consumer applications.

Currently, there are more than 170 unique contributors to the project and EdgeX Foundry averages one million container downloads a month, with a total of 5 million reached last month, and rising.

“The massive volume of devices coming online represents a huge opportunity for innovation and is making edge computing a necessity,” said Keith Steele, EdgeX Foundry Chair of the Technical Steering Committee. “With at least 50% of data being stored, processed and analyzed at the edge we need an open, cloud-native edge ecosystem enabled by EdgeX to minimize reinvention and facilitate building and deploying distributed, interoperable applications from the edge to the cloud. In 3 short years, EdgeX has achieved incredible global momentum and is now being designed into IOT systems and product roadmaps.”

The Geneva Release

As the sixth release in the EdgeX Foundry roadmap, Geneva offers simplified deployment, optimized analytics, secure connectivity for multiple devices and more robust security. Key features include:

  • Automate on-boarding: simplify, scale and quicken connection of devices by allowing automatic provisioning of devices
  • Improved Performance: A new rules engine that is written in Go for faster performance, a smaller footprint and more memory
  • Connectivity: Improved bandwidth utilization and efficiency through use of new batch and send capabilities provided in the App Functions SDK
  • Secure Authentication: Store and use/authenticate secrets to connect with cloud providers
  • Testing: New integration and backward compatibility testing along with enhanced security and blackbox testing

EdgeX Foundry works closely with several of the other LF Edge projects such as Akraino Edge Stack and new project Open Horizon. During this release cycle, EdgeX was made to work under the Akraino Edge Lightweight IOT (ELIOT) Blueprint and tested under the Akraino Community Lab.

Launched last month, Open Horizon is a platform for managing the service software lifecycle of containerized workloads and related machine learning assets. Open Horizon is building an integration project that will demonstrate delivery and management of EdgeX Foundry as a containerized solution in stages, beginning with a single deployable unit and then progressing to a more modular set of services and alternate delivery targets.

Support from Contributing Members and Users of EdgeX Foundry:

“To further enhance use in production environments, EdgeX Foundry’s Geneva release brings simplified deployments and improved security,” said Tony Espy, Technical Architect at Canonical. “With EdgeX available as a snap, this aligns to the fundamentals of snaps’ core principles which allow developers to benefit from confinement and transactional updates to ensure deployments are secure and with minimal need for manual intervention. As the EdgeX ecosystem continues to see strong traction, we look forward to continuing our contribution to building an open, interoperable framework for edge computing.”

“EdgeX Foundry’s middleware solution is an important component of an open, vendor-neutral pipeline connecting IoT devices and their data to analytics and data management at the on-premise edge,” said Joe Pearson, Engineering Strategy & Innovation Leader, Edge Computing, IBM. “This latest release underscores the importance of working within LF Edge to encourage interoperability as we build a comprehensive open edge computing framework, beginning with Open Horizon.”

“With the evolution of IoT and edge computing, there is a growing realization to deploy and run compute engines near the data source in a truly globally distributed manner. This architecture requires running intelligent AI-based functionality at the edge while processing a significant amount of data at high-throughput and low latency on small form-factor devices,” said Yiftach Shoolman, CTO and co-founder at Redis Labs. “EdgeX Foundry with Redis as the primary data store provides an open-source data platform to meet these expectations by combining in-memory data processing with modern data-models, and can be extended with a serverless engine and AI-serving platform.”

Additional resources:

For more information about LF Edge and its projects, visit https://www.lfedge.org/

About the Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more.  The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.


Linux Foundation Newsletter: May 2020

Sat, 05/16/2020 - 02:29


Joint Development Foundation recognized as an ISO/IEC JTC 1 PAS submitter and submits OpenChain for international review

Tue, 05/12/2020 - 23:05

In its role as an ISO PAS submitter, JDF and LF now can move from idea to code, to standard, to an internationally recognized standard, vastly improving the reach and availability of the technologies created by our amazing communities.

Introduction

This week, we are proud to announce that the Joint Development Foundation (JDF), which became part of the Linux Foundation family in 2019, has been accepted as an ISO/IEC JTC 1 PAS (“Publicly Available Specification”) Submitter. The OpenChain Specification is the first specification submitted for JTC 1 review and recognition as an international standard. 

The JDF was formed to simplify the process of creating new technical specification collaboration efforts.  Standards and specifications are vitally important for the creation or advancement of new technologies, ensuring that the resulting products are well defined, provide predictable performance and that different implementations can interoperate with one another.  

Why the Linux Foundation cares about standards

The Linux Foundation itself was formed out of the merger of the Free Standards Group, which maintained the LSB (“Linux Standards Base”) and the Open Source Development Labs. Open standards and open source software have been part of the mission from the very beginning.

Standards play a role in everyone’s life. Think about the things you touch every day, as simple as a power plug, the USB connector on your phone or laptop, or the WiFi that you use in your business and your home to connect your mobile devices wirelessly. All of these devices need to be able to interoperate with each other.

A pragmatic and sensible approach to solving interoperability issues would be to create open source software projects everyone can use. However, there are cases where open source software alone will not solve all the implementation challenges that open standards can achieve. 

Open source software in and of itself may not solve particular situations where there will be many implementations in many different device or delivery models (e.g., video codecs or 3D printer designs with many software design tools and many hardware printers and scanners). Still, in other cases, that fragmentation is due to different device capabilities, implementation details, or limitations that open source software cannot resolve alone.

The design and capacities of many things are defined by industry stakeholders as a standard so that every plug and device is interoperable and capable of the same connectivity.  Every country in the world has its own national standards bodies that define the standards it deems necessary, from power transmission, radio spectrum, food safety, and others.

Not all standards bodies are national standards bodies, with standards organizations coming in many shapes and sizes. Many standards are developed by industry-specific organizations that have a common set of technical objectives and are seeking a common set of use cases, a shared set of key design and performance criteria, and a common test specification to ensure interoperability.  

For the Linux Foundation, our collaborations can range in size from small to large, but their impact can extend internationally. There is not a Linux kernel per country or an Open Container Initiative specification per country, and so on. The world is dependent on our communities.

Like Linux Foundation source code projects, JDF standards and specification development projects can range from small, industry-specific efforts to large multi-industry collaborations. And it is the JDF’s goal to serve these various communities. By obtaining PAS status, JDF can help specification and standards communities ranging from the smallest collaborations through to international standardization.

How Open Standards differ from Open Source projects

Open standards are best defined as specifications made available to the public, which are developed and maintained via an inclusive, collaborative, transparent, and consensus-driven process. Open standards facilitate interoperability and data exchange among different products or services and are intended for widespread adoption.

Open source software is defined by the OSI’s Open Source Definition. In practice, we generally care more about communities that form to work on open source software in a public, transparent collaboration where the code evolves over time to address new use cases, features, requirements, and gaps.  

Sustainable open source software communities also see continuous improvements as bugs and security issues are identified and fixed. Open source code is typically created as a collaborative effort in which programmers improve upon the code and often share the changes among the programming community for such projects. At a high level, open source licenses allow users the freedom to use, modify, and distribute the source code without requiring any further permission.

So, for example, software such as the Linux kernel is open source software in an open community, whereas the IETF curates open standards that enable the world to connect through an open Internet.

Web servers are another excellent example of how standards come into play across different hardware and software platforms. There are many web server platforms, both open source and proprietary, such as Apache’s and Microsoft’s IIS. Some are optimized for speed, others for large deployments, some for low-power devices, and others for other applications. But as long as they can all speak HTTP (and other standards), they can still all communicate across the spectrum of devices.

The process of creating standards

Standards bodies are usually formed by industry stakeholders to support the activities needed to develop a specific solution to a common problem. The resulting solution is generally referred to as a specification, a blueprint for building an implementation of a solution to the problem. In some cases, the same group may also create an open source implementation, but the implementation will be specific to a set of use cases and requirements.

A standards body is the legal organization often created to provide a neutral home to the collaboration, including financial and legal support, guardrails against antitrust issues, managing copyrights and other intellectual property terms that might bear on the specification. Many will say the most important role of a standards body is to provide a neutral governance model that enables inclusive participation from all parties, where no one organization controls the specification.

The challenges in creating specifications

For something as crucial as a specification, the process of creating a specification-setting body can be complicated.

And even when the participants are aligned, the devil is always in the details. The negotiations to establish a new standards organization often involve hundreds of hours of lawyer time and a method of negotiating the nuances of the working rules and the license terms for copyrights, patents, and trademarks related to the effort. The entire process can take many months, and it’s a requisite precursor in most cases to the technical contributors getting started. So before anyone knows what the output will be, or if it will even work, many organizations collectively invest thousands to millions of dollars on months of negotiations that delay the start.

Once the mass negotiation is done, the legal entity needs to file for non-profit status, set up bank accounts, set up accounting, finance, and HR operations, collect fees from its members, and file its taxes, just like a commercial company. These activities need to occur even if all the initiating organizations are 100% aligned on the need for the specification. Once that is all done, the engineers can get together to develop a specification, often a year after the initial idea was created.

The JDF was founded to make the entire process of forming a new standards body faster, and remove the negotiations. The JDF has created a set of default terms that reflect industry best practices and proven widely accepted legal terms.  By providing a choice of pre-existing, industry-accepted terms, JDF replaces custom negotiation with a “check the box” model. This model adopts best practices while giving flexibility through a few commonly known choices to the founders about essential terms such as copyright, intellectual property licensing, source code licensing, and governance structures.  It also allows JDF projects to be customized to meet the needs of the community, without resorting to time-consuming line-by-line negotiations.  

And once those terms are in place, the new project is formed as an entity under the non-profit JDF. In combination with world-class operational support programs, a new project can get started in a matter of days, with resources ready to go, rather than the months-to-years-long process required to form a traditional standards body. The cost of this effort is so low that a specification project can be established without any funding needed for the creation or ongoing entity management.

In essence, the JDF provides a “standards organization in a box.” Just pick a few menu options, give the effort a name and off you go creating specifications. 

The net impact of the JDF process means that companies with the need to collaborate can form the project, define the technical scope and begin inviting engineers to contribute to the project in a matter of days with minimal friction.

Internationally recognized standards through the ISO/IEC JTC 1 PAS process

One method of recognizing international standards is via the ISO/IEC JTC 1 PAS (Publicly Available Specification) Process. Once accepted through this process, the specification is recognized as an international standard. 

ISO is an independent, non-governmental international organization with a membership of 164 national standards bodies, and its standards are among the most universally recognized and accepted throughout the world.  

The IEC (International Electrotechnical Commission) is the world’s leading organization for the preparation and publication of International Standards for all electrical, electronic, and related technologies. 

ISO and IEC joined together to create ISO/IEC JTC 1, which is the international group dedicated to developing worldwide Information and Communication Technology (ICT) standards. JTC 1 has been responsible for many key IT standards, including video compression technology and programming languages, among many others.

The Publicly Available Specification (“PAS”) process was created by a collaboration between ISO/IEC JTC 1 to allow for transposition of technical specifications from recognized standards bodies, which will enable them to become an ISO/IEC recognized standard. 

PAS Submitters must first be approved after a review of an extensive set of criteria by the external standards bodies. Once approved, a PAS Submitter may put forward some of its specifications (the publicly available specifications, PAS) to JTC 1 for national body approval and thereby international recognition. 

And once ISO/IEC JTC 1 approves a PAS submission, it becomes an international standard.

The JDF’s acceptance as a PAS Submitter is vital to the industry because it reduces friction on the path from great ideas, to well-formed technical specifications, to international recognition of the best of those specifications. JDF has the responsibility for ensuring that the process of creating the specifications is rigorous, inclusive, and conforms to the quality standards set by ISO/IEC JTC 1. The benefit of having a professionally managed standards organization like JDF is that we help ensure those requirements are met.  

And it also means that JDF provides a capability that few other organizations can — a path for communities to start from a small collaboration and grow to become an international standard.  

Understanding the OpenChain specification, our first PAS submission

The OpenChain Specification identifies the key requirements of a quality open source compliance program. It is intended to foster a software supply chain where open source is delivered with trusted and consistent compliance information. It provides a clear way to achieve effective management of open source for software supply chain participants, such that the requirements and associated collateral are developed collaboratively and openly by representatives from the software supply chain, open source community, and academia.

“The OpenChain Project is a clear example of cooperative development to share a common challenge,” says Shane Coughlan, OpenChain General Manager. “Hundreds of companies have come together, shared knowledge, and built a clear, focused industry standard based on their experience. The result is a compact but effective standard suitable for companies of all sizes in all markets.”

The OpenChain Specification has been in the market since late 2016 and has seen increasingly broad adoption to date. The OpenChain participants include national user groups exceeding 100 participants and over 3,500 subscribers to the primary communication channel mailing list. ISO/IEC JTC 1 recognition will help to guide the evolution of the specification from de facto to de jure standard, and in the process assist procurement, sales, and other departments around the world to adopt and manage OpenChain specification-related activities easily.

Conclusion

With its recognition as a PAS Submitter, JDF now provides the broadest range of support to standards communities – from small collaborations to those seeking international standards. As part of the Linux Foundation family, JDF is providing communities with new ways to collaborate.  

By affiliating with JDF, the Linux Foundation ecosystem can benefit from the support and expertise to move open source specifications into an open standards-track, that empowers engineers and developers to collaborate in the creation of a specification and standard. By using this new submissions process, they can take their standard a step further to achieve international recognition. Conversely, the importance of the JDF joining the Linux Foundation family is significant because it is in alignment with the organization’s overall goal of furthering the commitment to neutral governance and alignment of open source software and open standards. — Jim Zemlin, Executive Director, The Linux Foundation


Joint Development Foundation Adds a Path for Formal International Standardization

Tue, 05/12/2020 - 23:00

JDF projects now have a clear path from open source project or specification to an internationally recognized standard; OpenChain is the first submission

SAN FRANCISCO, Calif., May 12, 2020 – The Joint Development Foundation (JDF) today announced it has been formally approved as an ISO/IEC JTC 1 Publicly Available Specification (PAS) Submitter[1] and that the OpenChain specification is the first standard to be submitted. This status offers JDF’s standards development projects a path to international standardization and benefits the global business and technical ecosystem by enabling accelerated adoption of open standards and specifications.

ISO and IEC are organizations that develop and promote international standards that touch almost all aspects of daily life. ISO and IEC joined together to create ISO/IEC JTC 1, which is the international group dedicated to developing worldwide Information and Technology (ICT) standards. JTC 1 has been responsible for many important IT standards – including video compression technology and programming languages, among many others. PAS submitters like JDF play an important role in establishing international standards by submitting their specifications to JTC 1 for a vote to adopt them as ISO/IEC JTC 1 international standards. The Linux Foundation, home to JDF, is experienced in this process, having previously submitted the Linux Standard Base for adoption as ISO/IEC 23360-1:2006[2].

The JDF’s first PAS submission is for OpenChain, a specification that identifies the key requirements of an open source compliance program. It is designed to build trust between companies in the supply chain while reducing internal resource costs. The outcome is increased trust and consistency in open source software across the supply chain. International standardization will help to guide the evolution of the OpenChain Specification from de facto to de jure standard, a process that will assist procurement, sales and other departments to increasingly engage with OpenChain-related activities.

“Open source is now a mainstream means of building infrastructure and providing a platform for innovation. While open source development models focus on lowering the barriers to innovate and change, there comes a time when industries decide the next step is to agree on one approach to an issue and work together on that solution,” said Seth Newberry, executive director at Joint Development Foundation. “These de facto standards are just one step away from becoming recognized standards, and JDF provides a path to international recognition as a standard by ISO/IEC JTC 1. This is a key additional capability to further support our open project communities with a path to engage on standards with the worldwide business and industry ecosystems.”

To become a JTC 1 PAS Submitter, the Joint Development Foundation had to meet a rigorous set of criteria. It was required to demonstrate that its process for developing specifications is neutral to all of the contributors (no one company may dominate the process); that each specification is developed with sufficient industry participation to ensure that the resulting work is representative of an industry-wide consensus; and that each specification is formed in accordance with standard PAS editing standards so that it is easily understood by readers.

About the Joint Development Foundation

The Joint Development Foundation is a nonprofit organization within the Linux Foundation ecosystem that provides turnkey corporate and legal infrastructure to enable groups to quickly establish and begin working on standards and open source code development collaborations. JDF offers Linux Foundation communities and members a ‘standards in a box’ approach to advancing industry-wide transformation. JDF includes more than 250 participating companies and projects that include the Open Manufacturing Platform, GraphQL, DIF, Alliance for Open Media and more.

About the Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

 

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

 

Media Contacts
Jennifer Cloer
reTHINKit Media
jennier@rethinkitmedia.com
503-867-2304

 

[1] https://jtc1info.org/page-3/page-4/jtc-1-pas-submitters/
[2] https://www.iso.org/standard/43781.html


SPDX 2.2 Specification Released

Fri, 05/08/2020 - 04:37

The SPDX technical community is delighted to announce that the 2.2 version of the specification has been released!  We started working on the first version of the SPDX specification 10 years ago, and it has continued to improve and evolve to support the automation of more software bill of materials information over the years.  This release incorporates a significant amount of input from our tooling and user communities to enable new use cases to be better represented.

Some of the highlights for this release include:

The project members would like to thank our recent contributors to this release, who have enriched it with their new perspectives, as well as our ongoing participants.  A full list of those who have contributed by participating in the many discussions, adding comments, and making suggestions for improvements to the SPDX specification as it’s evolved over the last 10 years can be found at the Credits page!


Cross-Industry Coalition Advances Digital Trust Standards

Tue, 05/05/2020 - 18:00
Governments, nonprofits and private sectors across finance, health care, enterprise software and more team up with Linux Foundation to enhance universal security and privacy protocols for consumers and businesses in the digital era

The ToIP Foundation is being developed with global, pan-industry support from leading organizations with sector-specific expertise. Founding Steering members include Accenture, BrightHive, Cloudocracy, Continuum Loop, CULedger, Dhiway, esatus, Evernym, Finicity, Futurewei Technologies, IBM Security, IdRamp, Lumedic, Mastercard, MITRE, the Province of British Columbia and SICPA. Contributing members include DIDx, GLEIF, The Human Colossus Foundation, iRespond, kiva.org, Marist College, Northern Block, R3, Secours.io, TNO and University of Arkansas.

Businesses today are struggling to protect and manage digital assets and data, especially in an increasingly complex enterprise environment that includes the Internet of Things (IoT), Edge Computing, Artificial Intelligence and much more. This is compounding the already low consumer confidence in the use of personal data and is slowing innovation on opportunities like digital identity and the adoption of new services that can support humanity.

Without a global standard for how to ensure digital trust, these trends are bound to continue. The ToIP Foundation will use digital identity models that leverage interoperable digital wallets and credentials and the new W3C Verifiable Credentials standard to address these challenges and enable consumers, businesses and governments to better manage risk, improve digital trust and protect all forms of identity online.

“The ToIP Foundation has the promise to provide the digital trust layer that was missing in the original design of the Internet and to trigger a new era of human possibility,” said Jim Zemlin, executive director at the Linux Foundation. “The combination of open standards and protocols, pan-industry collaboration and our neutral governance structure will support this new category of digital identity and verifiable data exchange.”

The Linux Foundation’s open governance model enables the ToIP Foundation to advance a combination of technology and governance standards for digital trust in a neutral forum that supports pan-industry collaboration. An open governance model that can be integrated into the development of the standards for digital trust is essential where the business, legal and social guidelines for technology adoption impact human trust and behavior.

The ToIP Foundation will initially host four Working Groups. The Technical Stack Working Group and the Governance Stack Working Group will focus on building out and hardening the Technical and Governance halves of the ToIP stack, respectively. The Utility Foundry Working Group and the Ecosystem Foundry Working Group will serve as communities of practice for projects that wish to collaborate on the development of ToIP utility networks or entire ToIP digital trust ecosystems.

The ToIP Foundation will host an all-digital launch event on May 7, 2020 at 9AM PDT that will feature a panel discussion, interoperability demonstration and live Q&A. Register now for the live event. A second event will be hosted for the APAC region.

For more information about the ToIP Foundation, please visit www.trustoverip.org

Steering Member Comments

Accenture

“The internet and digital technologies are a critical part of the way we engage with each other and with organizations. Accenture has a deep commitment to developing solutions to build trust, protect privacy and put control of an individual’s data squarely in their hands. The Trust over IP (ToIP) Foundation is bringing together a powerful mix of experts and doing it at the exact right time given the urgent need to encourage greater adoption and increase trust in data privacy and ownership,” said Christine Leong, managing director, global lead for Decentralized Identity & Biometrics at Accenture.

BrightHive

“Now, perhaps more than ever, networks of public and private sector organizations know the value that can be created by collaborating with one another around their combined data to create novel insights and better align their work. But they also want to collaborate in the most responsible way possible. The work of the Trust over IP Foundation will radically strengthen the infrastructure of responsible data sharing by establishing a global standard for digital trust—ensuring that the very way that data is exchanged and verified creates a much-needed layer of security, privacy and trust. BrightHive is excited by the promise of this standard, and proud to partner with the other members to help see it realized,” said Matt Gee, CEO, BrightHive.

Cloudocracy

“Trust is the foundational element of all relationships between government, organizations, and each of us as individuals. Trust at Internet-scale, serves our greater global community and is best accomplished by communities of trust ecosystems. The Trust Over IP Foundation is the next stage of enabling this journey globally. The paradigm-shifting model of decentralized, person-centric identity is likely one of the most important breakthroughs in data privacy, cyber security and unlocking business value in many years. Cloudocracy seeks to facilitate coalitions of government, supply-chains and individuals to embark on journeys to establish value-based trust ecosystems towards achieving highly secure and empowered private ecosystems and the public-private ‘Internet of Value.’ The global shift will go beyond enabling government and organizations to reduce costs, complexity and add value but will also help steer to a better compass heading in protecting individual data privacy, health and biometric information, while also reducing risks and economic impacts of cyber security data breaches,” said Will Groah, executive director, Cloudocracy.

Continuum Loop

“The leaders we work with know that trust on the Internet isn’t working. They want to start building deep trust with their customers and partners. Our clients are investing, as are we, in the Trust Over IP Foundation. We all want to make sure we are involved in building the digital trust layer that the Internet needs. The technology works – now it is about building business cases and governance,” said Darrell O’Donnell, president and CEO, Continuum Loop.

CULedger

“The credit union movement is based on the idea that trusted interactions between people connected by a common bond are the best interactions.  A self-sovereign, secure, trusted identity, like MemberPass, is essential in the world ahead, and CULedger is paving the way for credit unions and financial cooperatives worldwide to pioneer this important effort and bring this frictionless digital experience to more than 270 million credit union members.  The work developed out of the Trust over IP Foundation will be the cornerstone to facilitate these trusted interactions in the new digital age.  We are excited about the opportunity to be working with other leading organizations in support of this effort,” said John Ainsworth, president/CEO, CULedger.

Dhiway

“Dhiway is happy to join the Trust over IP (ToIP) Foundation as one of the founding members. Our strategic initiatives are designed to bring a higher degree of assurance to the exchange of data between peers, over the Internet and other digital networks. Our participation is aligned with our vision to make the world more transparent and trusted, using digital frameworks that can be universally referenced, understood and consumed.  We intend to contribute our knowledge and expertise to support the ToIP foundation in its mission to build an interoperable architecture for Internet-scale digital trust –  empowering a growing ecosystem of companies and communities to exercise control over their digital assets. It’s encouraging to see the open collaboration that has led to the formation of this Foundation, and we are humbled and thrilled to be a part of this pioneering effort,” said Satish Mohan, Founder & CTO, Dhiway.

esatus

“On our mission of enforcing information security, strong trust relationships are essential. We need them to be equally strong in the real world and online. The Trust over IP Foundation facilitates easy composition, ramp-up and maintenance of digital trust components. Conveying real-world trust online is ultimately possible at flexibility and scale. esatus enterprise solutions employ digital trust components already, making next-gen security and privacy available to its customers today. Being a founding member of the Trust over IP Foundation is a natural fit,” said Dr. André Kudra, CIO at esatus AG. 

Evernym

“Evernym believes the only way to truly solve the avalanche of trust problems on the Internet is with an open standard and open governance model that is as universal as the TCP/IP stack that created the Internet itself. We have helped build the architecture of the ToIP stack layer by layer for the past three years, including the W3C Verifiable Credentials and Decentralized Identifiers standards that are at the heart of this new model, because we believe it will unlock a new explosion of value for every person, business, community and government using digital communications. We are thrilled to help stand up the ToIP Foundation at the Linux Foundation and hope that it attracts every company and contributor who wants to build a strong and lasting trust layer for the Internet,” said Drummond Reed, chief trust officer at Evernym and co-editor of the W3C Decentralized Identifier (DID) specification.

Finicity

“The Internet has fueled incredible innovation over the past few decades. And yet it has been significantly handicapped due to a general lack of trust. As we solve the trust dilemma, we will see a rapid acceleration of innovations that will change the way we do business, connect with others and consume information and entertainment,” said Nick Thomas, president & chief scientist and innovation officer, Finicity. “Finicity looks forward to advancing digital trust standards through its participation in the Trust over IP (ToIP) Foundation.”

IBM

“In today’s digital economy, businesses and consumers need a way to be certain that data being exchanged has been sent by the rightful owner and that it will be accepted as truth by the intended recipient. Many privacy focused innovations are now being developed to solve this challenge, but there is no ‘recipe book’ for the exchange of trusted data across multiple vendor solutions,” said Dan Gisolfi, CTO, Decentralized Identity, IBM Security. “The new Trust over IP Foundation marks an evolutionary step which goes beyond standards, specs and code, with the goal of creating a community-driven playbook for establishing ‘ecosystems of trust.’ IBM believes that the next wave of innovation in identity access management will be for credential issuers and verifiers to partake in these ecosystems, where trusted relationships are built upon cryptographic proofs.”

IdRamp

“Formation of The ToIP Foundation will transform and improve how digital services operate. Traditional centralized identity systems are hinged to vast security vulnerabilities that are not sustainable in a growing digital economy. Centralized services for things like multi-factor authentication or social login encumber user flow and unnecessarily expose sensitive information to third parties. Decentralized systems resolve these problems but struggle with interoperability and standards to accelerate mass adoption. The Trust Over IP Foundation will help formalize and simplify adoption of Trust as a basic digital utility for everyone. The TOIP stack provides the foundation for a new generation of digital identity services. These services will provide high security frictionless interaction that put the user in control of their personal data. Organizations will establish personal connections with employees and user communities that are immune to the vulnerabilities of centralized systems. Individuals will be able to connect with one another without exposing personal information to the mediators that regulate digital interactions today. This will help businesses move beyond complex identity security investments that erode the bottom line and slow innovation. Verifiable digital trust in a decentralized data economy will open a world of possibilities for all individuals and businesses. As a founding member of the ToIP foundation, IdRamp is committed to helping businesses build a new decentralized digital economy that will evolve organically from traditional centralized systems,” said Mike Vesey, CEO, IdRamp.

Lumedic

“As the first representative of the health care industry on the Steering Committee, Lumedic sees tremendous potential for the Trust over IP Foundation to contribute to health care interoperability,” said Chris Ingrao, chief operating officer of Lumedic. “In confronting the challenges raised by the COVID-19 pandemic, we’ve seen that modern technologies can make a powerful difference when paired with strong governance models. The TOIP stack ensures that the way we exchange trusted health care information meets industry needs at a global scale.”

Mastercard

“We are building a bridge to a world where a person’s identity can be verified immediately, safely and securely for use in the digital world – where now, more than ever, identity is essential for delivery of digital health, education and government services. This cannot be accomplished in isolation. We are collaborating and innovating with governments, technology companies, financial institutions and industry sectors to make this a reality. Our participation within the Trust over IP Foundation builds atop the groundwork we currently have in place to ensure industry standards to guarantee we all transact and interact in a secure, convenient and trusted manner,” said Charles Walton, senior vice president, Digital Identity, Mastercard.

MITRE

“Advances in digital technologies and the Internet have brought great convenience to our lives.  But they also present risk – the inability to verify with confidence the identity of those you are connected with leaves us vulnerable to cyberattacks, identity theft, human trafficking, and financial fraud,” said Jim Cook, vice president of Strategic Engagement and Partnerships at MITRE. “As a not-for-profit company working in the public interest with a mission to solve problems for a safer world, we at MITRE are committed to creating a digital world in which people can interact safely and with confidence.  We applaud the Linux Foundation initiative to launch the Trust over IP Foundation, and we are honored to be a founding member.  We believe real innovation is made possible through open partnership, collaboration and cooperation, and we look forward to contributing to a safer internet through the Trust over IP Stack project.”

The Province of British Columbia

“The Province of British Columbia sees our collective potential to enable global-scale digital trust. The Trust over IP Foundation will be a significant leap forward in establishing a standards-based way for individuals and businesses around the world to interact and transact in safe and secure ways over the Internet,” said Dave Nikolejsin, Deputy Minister of Energy, Mines and Petroleum Resources and Chair of the Board of Digital Identity and Authentication Council of Canada. “From our perspective, this work augments our foundational regulatory role in the economy. In the natural resources sector, we see the potential to empower companies to have a new digitally trusted means to demonstrate due diligence on environmental and social impacts of projects as they work with Indigenous peoples and government. The Province of British Columbia is a founding member of the Trust over IP Foundation to help promote this new era of trusted digital services that everyone can rely on.”

SICPA

“For over 90 years, SICPA has partnered with governments, companies and organizations worldwide, to enable trust in banknotes, identities, products and brands. Our customers’ physical and digital lives are increasingly entwined, at work and at home, and our mission is to help shape trusted digital interactions by collaborating in enabling initiatives like the Trust over IP Foundation.  Building trust at a distance and at scale is a global challenge that will form the keystone in delivering the ultimate promise of an interconnected world: to respect the rights, privacy and security of everyone online and offline,” said Kalin Nicolov, Head of Digital Currency, SICPA.

 

Contributing Member Comments

DIDx

“The Internet lacks a digital trust layer that is not centrally controlled and managed. It is more important than ever to take control of our digital identities and data. The ToIP stack provides full control of digital identities and enables secure, privacy-preserving trust channels with verifiable data exchange. The digital trust layer of the internet. DIDx (a South African based startup) is excited to contribute and build interoperable trust ecosystems across Africa using the ToIP stack and are pleased to join the establishment of the ToIP Foundation together with the Linux Foundation,” said Lohan Spies, CEO DIDx.

GLEIF

“Trust is paramount within today’s digital world and we shouldn’t be afraid to challenge existing online processes for the greater good. The Trust over IP Foundation provides a neutral environment for these important conversations and will facilitate industry collaboration to create a global standard which businesses and consumers can trust. This aligns closely with GLEIF’s work to date as a not-for-profit organization which enables smarter, less costly and more reliable decisions about who to do business with. Our Global LEI System solves the problem of trust for legal entities worldwide, and we look forward to applying our expertise alongside many leading organizations within the foundation,” said Stephan Wolf, CEO, Global Legal Entity Identifier Foundation (GLEIF).

kiva.org

“As internet connectivity and digital services reach the world’s most vulnerable populations, it is paramount that we implement standardized, interoperable systems,” said Matthew Davie, chief strategy officer at Kiva. “The Trust over IP Foundation provides a framework to bring trust to this emerging segment of the digital economy and does so in a way that is consumer-centric and privacy-centric by design.”

The Human Colossus Foundation

“The synergistic domains of trusted identity and immutable semantics are required for organizations to integrate into a new decentralized data economy. The Human Colossus Foundation mission to implement decentralized semantics is aligned with the Trust over IP Foundation. We are proud to contribute to the collaborative projects and initiatives being launched,” said Paul Knowles, Head of the Advisory Board at The Human Colossus Foundation.

iRespond

“Trust is the foundation of every ecosystem, and governance is critical to build trust.  The creation of the ToIP foundation is a critical step toward both trust and governance, built on inclusion, transparency and open standards. We expect ToIP to be part of the essential glue that binds decentralized networks and identity.  The disadvantaged beneficiaries we serve will likely gain from this critical step to address challenges of guardianship and disruption of traditional barriers to establishing identity,” said Scott Reid, CEO, iRespond.

Marist College

“Marist College has long been on the cutting edge of technology innovation. We are excited to be a founding member of this effort to address digital trust and decentralized identity management at a time when internet transactions are a vital part of higher education and our growing digital economy,” said Michael Caputo, MS, vice president for Information Technology/CIO, Marist College.

Northern Block

“Northern Block is committed to empowering the mass adoption of digital verifiable credentials, which we believe won’t be possible without robust and common standards. The launch of the ToIP Foundation is the beginning of a new chapter for any organization who has been working diligently to enhance trust in life’s experiences. We look forward to supporting increasing participation in trusted ecosystems and burgeoning innovation in consumer experiences through digital trust,” said Mathieu Glaude, CEO at Northern Block.

R3

“R3 remains committed to supporting the development of secure, trusted and privacy preserving digital identity ecosystems and our participation in the Trust over IP Foundation is a reflection of that commitment. Our customers across industries including banking, insurance, health care and telecommunications all agree that identity cannot be solved in isolation. With the industry coming together under the Trust Over IP Foundation we can work on the standards that will enable interoperability and unlock new opportunities for all. Our Corda platform is designed to enable private transactions, and by incorporating the work of the ToIP Foundation, we can develop solutions uniquely suitable for self-sovereignty in the digital world,” said Abbas Ali, Head of Digital Identity at R3.

Secours.io

“Our past inability to deal with privacy has cost human lives, because it limits innovation that can save lives. Trust over IP gives government the verification and governance it needs, and the public gets the trust it needs now allowing innovation to save lives,” said Sgt. J. Stirling Ret., Ontario Provincial Police, Provincial SAR Coordinator.

TNO

“TNO has deep involvement in the standardization and ecosystems of self-sovereign identity, including W3C, DIF, Hyperledger, Sovrin, RWoT and IIW. Our national and international partners and customers are looking for full-stack Trust-over-IP solutions. The ToIP approach is unique, as it includes the complexities of the top ‘business’ parts of the Trust-over-IP stack, as well as the governance of all layers. We believe that ToIP provides an excellent ground to contribute and further develop this knowledge base and apply it to many projects in ‘admintech’ and other industry sectors where trust in the provenance of data is essential,” said Dr. Oskar van Deventer, senior scientist Self-Sovereign Identity, TNO.

University of Arkansas

“The Internet was built in the 1970s and 1980s to allow machine-to-machine transfer of information, but it was missing the trust layer that identifies the people, organizations, or objects running those machines. The Trust over IP (ToIP) Foundation is building the technical and governance standards to provide that missing layer, which will enable trusted, secure, peer-to-peer transfers of value.  Voices from industry, governments and academia are needed to realize the vision. As an academic partner, the Blockchain Center of Excellence at the University of Arkansas is pleased to join this effort to develop open standards for a trust layer over the Internet,” said Mary Lacity, Walton Professor and Director of the Blockchain Center of Excellence at the University of Arkansas.


Media Contacts
Beth Handoll
ReTHINKitMedia
beth@rethinkitmedia.com
+1 415 535 8658

The post Cross-Industry Coalition Advances Digital Trust Standards appeared first on The Linux Foundation.

A guide to open source software for procurement professionals

Fri, 05/01/2020 - 05:17
A new Linux Foundation whitepaper provides guidance in negotiating software contracts that have open source components.

Introduction

The first and most important step in negotiating any agreement is always to get the facts.  For example, when negotiating a software development agreement, the developers for both parties probably assume that the software will include many pre-existing components written by third parties.  If the procurement and legal personnel negotiating the agreement assume that there should be no code that is not written by the vendor, the process will be inefficient and waste a lot of everyone’s valuable time.   

If developers are confronted with ridiculous assumptions about writing software from scratch, the credibility of the procurement process is undermined, and, in the future, they will find ways to avoid or delay involving procurement and their legal counsel.

The Linux Foundation recently published a whitepaper written by Karen Copenhaver and Steve Winslow that aims to help procurement professionals and their legal counsel avoid making erroneous factual assumptions that will undermine their credibility and delay negotiations through a better understanding of software development and the use of open source software assets. This is a summary of its findings.

Software is not static

The software that will be developed will evolve as it is developed. The reality is that if we required a detailed, final specification for development before the parties can begin work, the only assurance we would have is that the results would be too late to market to be valuable. 

Agreements today have to be focused on establishing the process for working together to develop something which neither party can fully define or envision. Requiring that a fixed list of the specific software components that will be used in development be included in the agreement may not make sense to the people who will perform the work. 

They may know that the list will change often, and they do not want to amend the agreement every time they consider, include, or replace a component. A process acceptable to both parties that allows for the rapid evolution of the work to be performed will be welcomed.

Software will change over its normal life

Software is never “finished” until it is uninstalled. Constant updating is required to accommodate changes in the operating environment (including the hardware), to take up opportunities for enhancement, and to apply patches that become available to eliminate potential security vulnerabilities. If the software is not updated, then necessary software maintenance is not occurring. Agreements should not be written based on the assumption that all development will conclude at any point before the end of the life of the software.

Software providers will not author or “own” the copyright in all of the software that is being delivered

The software will include components owned and developed by third parties and will rely on dependencies that may not be part of the distributed package of software. 

Because the software does not operate in a vacuum, components and interfaces written by third parties are necessary for the software to function. For example, applications installed on laptops use interfaces in the operating system. Without using the libraries and/or interfaces that provide access to this infrastructure, the software cannot be developed, tested, or deployed.

In addition to what is developed and delivered as part of the agreement, all software operates within one or more ecosystems of third-party dependencies that are necessary for its optimal use and performance.

The use of these dependencies will directly influence the price at which the software provider offers their software for sale. 

Tools are important to the delivery of software and solutions

Just as lawyers rely on a word processing program to write an agreement, software developers use software tools to make development more efficient. These tools are often the most complex software involved in the development project, and the amount of code in this development environment will almost always far exceed the amount of code in the developed deliverable. And these tools will change and evolve just as the software that is being developed will change and evolve. Knowing the specific facts related to the collection of tools used to develop this software is essential to avoid unworkable approaches.

Sometimes the development environment will be a third-party product that can be acquired directly from the third party. If a version of the third-party product that is being used is specified, the customer will be able to replicate and maintain that development environment should it ever be needed. 

Other times, the reason to hire a specific company to do the work is that they have a well-established, unique development environment, and, just as important, a set of highly skilled developers trained to use it.  

However, to “deliver” the entire development environment is often impractical for a number of reasons. The company asking for it to be delivered may not have sufficient equipment or technical employees even to install the software, much less maintain it. 

To deliver any code at a single point in time, without a plan for someone to maintain the code going forward, is not useful.  

The continuous delivery of code in a development environment is an enormous amount of work that must be performed by highly skilled individuals – often the same individuals who are required to complete the work you have engaged the vendor to perform.  

Requiring delivery of the development environment as a contract solution where the technical employees of both companies know that the delivered code will never be used is considered by developers as a frustrating waste of valuable resources that will delay the work everyone wants the vendor to perform.

Many of the most valuable third-party components and tools are made available under open source licenses

Most estimates suggest 70-90% of all the code in a system will be built from open source software. And even proprietary, purchased solutions that any IT organization currently uses are very likely built in large part with open source components.

Unless your technical people agree that there should be no open source code of any kind used in its development, do not ask for a representation or warranty that there will be no open source from a contractor or supplier. 

If software made available under an open source license will be used, the relevant questions to ask relate to the selection of the code, maintenance of the code, and compliance with the applicable license terms in your specific use case. And all of these are questions that should be asked about both open source and non-open source software.

If your competitors are using these valuable open source assets and you do not, it will be hard to be competitive on cost, quality, maintenance, and security. One of the most important reasons to use open source is to benefit from the advantages of shared support across an ecosystem. 

Software licenses can be categorized in unlimited ways

There are many software licenses. Some are licenses that the Open Source Initiative (https://opensource.org/) has approved as consistent with the Open Source Definition (https://opensource.org/osd-annotated). There are also licenses that are similar to those licenses but that have never been approved, and some of those variations are not considered by people familiar with this terminology to be “open” or may even be of a proprietary or commercial nature. 

The SPDX License List (https://spdx.org/licenses/) has been curated by lawyers working in the open source ecosystem and identifies many of the licenses that frequently come up in reviews and negotiations.

The question is: does any practical difference arise in any specific contractual context based on exactly where a license falls on that spectrum? In our estimation, spending time and energy trying to define a separate category of Open Source Software is not helpful in reaching an agreement. Aside from how the open source ecosystem may categorize licenses, all software licensed from third parties should be evaluated under the same criteria for your project.

Some of the most essential and widely used software is provided under the GPL and other copyleft licenses

GPL-licensed software such as the GCC Compiler and the Linux operating system is used by the vast majority of companies and industries around the world. The distribution of this software usually triggers copyleft obligations to provide source code. Many businesses are built on top of the GPL-licensed Linux operating system and other copyleft software that is used in the business to provide services but is not distributed.

A common perception of the GPL and its variants as being unworkable open source licenses is inaccurate. Keep in mind that the GPL, like all free and open source licenses, does not restrict your usage. As a recipient of GPL software, you have far more expansive license rights to use the software than you have under a proprietary software license agreement. Compliance with the GPL upon a redistribution of the code may be a factor to consider but should be compared with the fact that you would likely not have the right to redistribute proprietary software at all. 

A company can have a “no GPL policy,” yet it cannot operate in most industries without dependence upon the Linux operating system, which is GPL-licensed software.  

Unless your technical people agree that there should be no GPL or copyleft licensed code of any kind used in its development or provided in the work product, do not ask for a representation or warranty that there will be no copyleft software. Once again, the relevant questions relate to the selection of the code, maintenance of the code, and compliance with the applicable license terms in the relevant use case.

Conclusion

Lawyers and procurement professionals should not even attempt to dictate how software development will be accomplished. If negotiations hit a rough patch, take the time to confirm that the real issue is risk allocation. Make sure that the dispute is not due to insistence on facts that your technical team does not believe to be true. This is particularly difficult when longstanding corporate policies are out of step with current realities.   

To download “Fact gathering: The first and most important task in software negotiations”, click on the button below.

The post A guide to open source software for procurement professionals appeared first on The Linux Foundation.

LF Networking Accelerates 5G, Cloud Native, and Edge Readiness with Expanded Projects and Growing Community Ecosystem

Fri, 05/01/2020 - 01:00

 

  • China Mobile brings XGVela to the Linux Foundation, focusing on open telco PaaS platform for 5G network functions and related applications
  • Accelerating LFN collaboration across open source projects within CNCF, LF Edge, LF AI, Hyperledger, ORAN-SC to enhance 5G, Cloud Native, and Edge as ecosystem moves to deployment
  • Growing developer participation in critical projects through virtual technical conferences, new Training courses, and expanded Mentorship programs 

 

SAN FRANCISCO, April 30, 2020 – LF Networking (LFN), which facilitates collaboration and operational excellence across open source networking projects, today announced continued successes with cross-industry, global collaboration. Progress includes the Linux Foundation induction of a new project, XGVela, an open source telco Platform as a Service (PaaS) for 5G network functions and related applications; new LFN silver member everis; expanded mentorship and training opportunities; and a new verified product by the OPNFV Verification Program (OVP). Together, these efforts bring additional support for future automation and deployment of 5G, edge, and cloud native networking technologies.

“In a new normal, networking serves as the critical foundation for everything we do. That said, we are pleased to see strong growth in developer participation of our projects, including training with close to 30,000 enrollees to date, and a recent virtual developer event with over two-times the registration of past physical events,” said Arpit Joshipura, general manager, Networking, Edge and IOT, the Linux Foundation. “We’re expanding our global footprint that enables open source networking and related technologies to grow and thrive. Other examples include the addition of XGVela as a Linux Foundation project aimed to accelerate telco cloud adoption, new silver member everis, and new training and mentorship opportunities.” 

Donated by LFN member China Mobile, XGVela provides a PaaS platform to accelerate the design, development and innovation of telco-related services. The project refines common capabilities of upper layer services as PaaS functions on the platform layer. The platform brings General PaaS functions from existing open source PaaS component projects (e.g. Grafana, Envoy, Zookeeper, etc.) to be enhanced with telco requirements, and Telco PaaS which has strong telecommunication characteristics and is under exploration.

Currently, XGVela has gathered partners including China Mobile, China Unicom, China Telecom, ZTE, Ericsson, Nokia, H3C, CICT and Beijing University of Post and Telecommunications, and received high attention from Intel and Red Hat. XGVela hopes to expand the telco cloud native ecosystem and enable more cloud deployments among telcos.

“Exploring the future direction of network transformation has always been one of China Mobile’s core missions,” said Xiaodong Duan, director of network and IT department, China Mobile Research Institute. “With the deployment of 5G, applications of containers and microservice technologies, we believe operator networks will eventually evolve into a cloud native network. Hence China Mobile is pleased to launch a new project within the Linux Foundation – XGVela, a 5G cloud native PaaS. We hope XGVela will gather the most intelligent technicians from operators, vendors and IT companies to help accelerate operators’ cloud native transformation and promote vertical industrial prosperity.”

Welcome everis

LFN welcomes its newest Silver member, everis, an NTT DATA company dedicated to  consulting and outsourcing in all sectors. Everis joins recently-announced Silver members A10 Networks, AMD, Codilime, Mirantis, Robin.io, Solutions by STC, ULAK, and Xilinx. These organizations work alongside the plethora of existing member organizations to drive development, testing and implementation of LFN’s existing networking projects, including FD.io, ONAP, OPNFV, OpenDaylight, OpenSwitch, PNDA, SNAS, and Tungsten Fabric.

“We are really excited to join LFN. everis, as a networking system integrator, finds in LFN a key lever to unleash industry Data Openness, Network Process Automation and 5G future networks,” said Hugo Alberto Nava, Telecom Director at everis. “This area is so important for us that we have designed a new area, #everisOpenNetworks, in charge of uniquely integrated networks and systems, helping CSPs achieve more efficient and low-cost operations. Our vision in relation to the future of OSS is directly connected with a disaggregated, open, cloud-based and data-driven architecture with the main purpose of enabling value through close loop automation inside the most important network processes. We believe the Linux Foundation Networking is essential to go deep into this approach, helping us to make a difference by sharing knowledge and taking our proposal into a superior level.” 

About everis

everis is a consulting and outsourcing company that covers all sectors of the economy, with a turnover of nearly 1.437 million euros in the last fiscal year, made up of 27,000 professionals distributed throughout Europe, the USA and Latin America. everis is firmly committed to talent and innovation and its main objective is to attract the best professionals and help them develop their careers in the company. https://www.everis.com/

Mentorship & Training

LFN is kicking off an expanded mentorship program with 9 active projects; opportunities for students (mentees) include building a portal for ONAP Automation Testing; Hardware Delivery Verification Tool; ONAP Security Requirements; Conformance Testing for ETSI NFV APIs; and more. More details on the LFN Mentorship program are available here

Additionally, the Linux Foundation offers a robust package of networking training courses. Given the current global situation, the Linux Foundation is making it easier to use this time to brush up on open source skills, or gain new ones. All certification exams, and nearly all  training courses, are available remotely, making them a good option for those home during this time. 

Included is the entire catalog of open networking training courses, covering everything from DevOps for Network Engineers to courses on ONAP, OPNFV and more. An ONAP certification exam will be launching in the coming months, so this is a great chance to get prepared. The LF also offers dozens of completely free training courses. Edge training courses will be available in May. 

OVP Badging

The OPNFV Verification Program (OVP), which has verified 12 products with the NFVI “Infrastructure” badge, is pleased to announce its first product to be verified with the “VNF” Badge – Çınar, a 5G Core VNF from LFN member Ulak Communications. The team from Ulak participated in the LFN Developer & Testing Forum in Prague and the VNF Hacking Track designed to help VNF vendors jumpstart their VNF testing efforts.

New LFN Assets

A new whitepaper, prepared by a Working Group of the LFN Technical Advisory Council (TAC), has been published that illustrates the state-of-the-art in networking technology and provides an overview for how the LF Networking (LFN) projects may be used as building blocks for modern networks. An introductory guide for the edge is also now available that gives an overview of the edge compute market opportunity, where open source fits in, the role of Linux Foundation projects in your edge strategy, and how to get involved. 

Looking Ahead

2020 will continue to be a productive year for LFN. The community will host a virtual developer event June 1-4 (details to come) for developers to collaborate and engage across LFN communities, including ONAP, OPNFV, CNTT, and more. 

The Open Networking & Edge Summit (ONES), the industry’s premier open networking event, now expanded to comprehensively cover Edge Computing, Edge Cloud & IoT, will take place in Los Angeles September 28-29. ONES enables collaborative development and innovation across enterprises, service providers/telcos and cloud providers to shape the future of networking and edge computing. Register today for Early Bird pricing: https://events.linuxfoundation.org/open-networking-edge-summit-north-america/register/

ONAP will soon issue its sixth platform release, ONAP Frankfurt, which enhances support for cloud native with deeper Kubernetes integration and for 5G through network slicing and an initial O-RAN integration. Frankfurt will also include security improvements and begin the shift to Python 3 and Java 11.  

More LFN content is on the way with an LFN End User Advisory Group (EUAG) whitepaper on ONAP consumption, a CNTT whitepaper, and introductory guides for cloud native and 5G.

Support for XGVela

“Cloud Native has reached broad consensus as the target architecture of telecom networks,” said Xiongyan Tang, chief scientist of China Unicom Network Technology Research Institute and the Chief Architect of China Unicom Intelligent Network Center, China Unicom. “China Unicom believes that the telecom cloud native architecture is a key path towards agile operations, and would provide a great foundation for the digital transformation of operators. XGVela is committed to work together towards a telecom PaaS functions platform for 5G and Cloud-oriented services, which will play an important role in the cloud native evolution of the telecom industry. China Unicom is pleased to join XGVela project, and will work together with community partners to nurture a vibrant technical community.”

“In the 5G era, services innovation needs a fast-paced, continuous change of technology to promote network transformation,” said Yongbing Fan, vice director of Network Evolution Department, China Telecom Research Institute. “The integration of CT and IT technology, network and cloud-native are currently recognized to be telco-industry trends. China Telecom attaches great importance to the combination of network and services, and is committed to accelerating its cloudification. The cloud-native telecom PaaS platform, XGVela, perfectly meets the needs of the 5G era. China Telecom is pleased to join this project and work with community partners to cultivate a dynamic technical community.”

“Cloud native paradigm and design principles are key to Ericsson, being the first 5G provider to include cloud native container-based technologies as part of its 5G Core offering,” said Anders Rosengren, head of Architecture & Technology, Business Area Digital Services, Ericsson. “Ericsson is one of the leading promoters and supporters of the open source ecosystem, accelerating the adoption and industry alignment in a number of key technology areas. As a leading vendor of cloud native telco applications we see significant value in both standardization and open source projects in the cloud native area including CNCF, CNTT and now XGVela, that help push the boundaries of tomorrow’s networks in terms of agility, efficiency and reliability.”

“Network transition has become a consensus among global operators. NFV, SDN and 5G have accelerated the progress of telecommunication network and cloud computing combination,” said Chen Fang, technical director, H3C Carrier Department. “XGVela will further promote the introduction of cloud-native concepts into telecommunications networks. By constructing a carrier-grade PaaS platform and restructuring the organization of 5G network elements, it will promote the full opening of 5G network capabilities and support the network transition and success of 5G networks. H3C is committed to promoting the digital transition of society and is willing to work with China Mobile to promote the maturity and industrialization of XGVela.”

“The telecommunications industry is in the middle of two key transitions that will shape the world to come – the deployment of 5G and the transition to cloud native,” said Jonne Soininen, head of Open Source Initiatives, Nokia. “The industry needs to work closely together in order to succeed in this transition. Nokia is strongly committed to contribute to achieve this goal. We welcome the leadership from CMCC in proposing the XGVela project. Nokia is looking forward to working closely with CMCC and the rest of the industry to make sure the transition to cloud native in telecommunications is successful.”

“ZTE is honored to participate in the XGVela project as a major telecommunications equipment manufacturer. We believe that XGVela attempts to use containerization technology and reasonably divide the telecommunications capabilities and general capabilities in PaaS, which will help the flexible deployment of network elements and the rapid scheduling of resources in 5G networks,” said Wang Weibin, CTO of ZTE Telecom Cloud & CN Product Operation. “ZTE hopes to contribute our experience accumulated in the long-term research and development of telecommunications core networks in this project. We sincerely hope that industry peers will work closely together in this new open source project to enrich the ecosystem, create extraordinary value, and achieve complete success!”

About the Linux Foundation

The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and commercial adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.

# # #

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

 

The post LF Networking Accelerates 5G, Cloud Native, and Edge Readiness with Expanded Projects and Growing Community Ecosystem appeared first on The Linux Foundation.

Telcos Increase Focus on Cloud Native as LF Networking and Ecosystem Groups Solve Interoperability Challenges

Fri, 05/01/2020 - 01:00

 

  • Initiatives across the Common NFVI Telco Taskforce (CNTT), LF Networking’s Compliance and Verification program (OVP), ONAP Cloud Native, and OPNFV holistically address cloud native architecture, deployment challenges, and Cloud Native Network Function (CNF) requirements 
  • Open source groups preemptively address interoperability and performance to accelerate networking industry cloud native transformation

 

 

SAN FRANCISCO, April 30, 2020 – LF Networking (LFN), which facilitates collaboration and operational excellence across open source networking projects, today announced a turning point for the industry, with integrated initiatives focused on cloud native interoperability and deployment for telcos. Consolidated efforts among the Common NFVI Telco Taskforce (CNTT), LF Networking’s Compliance and Verification Committee (or OPNFV Verification Program, “OVP”), and the OPNFV project through CNTT’s cloud native “R2” workstreams, OVP’s cloud native “OVP 2.0,” and OPNFV’s renewed commitment to testing and integration alignment with end users indicate a deep commitment to address challenges faced in cloud native adoption.

“NFV continues to evolve as telcos increasingly adopt cloud native technologies,” said Heather Kirksey, vice president, Community & Ecosystem Development, the Linux Foundation. “Change, however, brings challenges, especially to areas like compliance, testing, automation, and integration. With input from telcos directly, collaborative efforts across CNTT, OVP, and OPNFV enable our ecosystem to benefit from cloud native adoption.”  

Celebrating its first year, CNTT – developed to create a reference model, implementations and conformance requirements to reduce cost, time-to-market and complexity of telco operations in development and adoption of VNFs and CNFs – has augmented its VM-based specifications with several cloud native workstreams focused on container technologies. These workstreams will enable service providers to specify infrastructure and CNF requirements to empower operators to drive forward with their cloud native implementations with an early emphasis on streamlining operations, ease of CNF deployment, and implementation consistency. These requirements will enable strong integration and conformance to streamline operational efficiency and new service agility. The group is also on track for its third release, Baldy, in early June.

“China Mobile started the world’s largest NFV cloud deployment in 2019. Taking into consideration cross-vendor and scalability challenges, China Mobile put in a huge effort on interoperability and integration automation, and established a mature integration process and automation toolsets, which help improve the overall efficiency and quality of NFV cloud,” said Xiaodong Duan, director of Network and IT department of China Mobile Research Institute. “We believe these practices and experiences could also provide help and reference to other operators. Open source communities provide de-facto standards, open interfaces and automation tools, which are crucial for NFV adoption. We are expecting CNTT and OPNFV 2.0 to take the leading role for promoting NFV to the next phase of integrated innovation.”

In tandem with CNTT, OPNFV – which reduces time to integrate and deploy NFV infrastructure and onboard VNF/CNFs for those who supply components and those who operationalize these platforms – has adapted its mission based on the evolving needs of telcos. The next stage of OPNFV takes the initial foundations laid by the project to the next level by providing support for CNTT architectures and introducing reference implementation and test automation ahead of 5G deployments while continuing and refining the testing and integration work OPNFV is known for.  Providing the code implementation of CNTT platform references and testing requirements, OPNFV further accelerates the telecom ecosystem’s commitment to improving adoption and easing operational headaches.

Pivot points include improved developer resources, such as more refined testing and deployment tools for conformance and performance of NFV infrastructure, aligned with industry reference architectures.

“Having successfully completed the roll-out of our network virtual infrastructure, Vodafone is accelerating its journey to Cloud Native,” said Rabi Abdel, principal cloud architect and senior manager at Vodafone Group. “Industry initiatives such as CNTT, empowered by a compliance program, can help us simplify the management of our sophisticated, feature-rich, complex Cloud Networks, and enable an open, inter-operable & fully integrated architecture eco-system. This is a key factor to enable the delivery of high quality new Services to our Customers, faster than ever, in the 5G era.”

Also taking on a concerted effort to address cloud native for telcos, the OPNFV Verification Program (OVP) – which combines open source-based automated compliance and verification testing for cloud stack specifications established by ONAP, multiple SDOs such as ETSI and GSMA, and the LF Networking End User Advisory Group (EUAG) – has launched a Cloud Native OVP sub-committee focused on conformance, validation, and performance testing for cloud native infrastructure and CNFs. Working closely with the CNTT requirements workstreams, the automated integration and testing work with OPNFV, and ONAP cloud native orchestration initiatives, the cloud native OVP initiative further enhances operator and vendor abilities to more easily transition to cloud native in a cost effective and interoperable fashion. These requirements feed tool-sets and testing scripts developed within OPNFV, ONAP, and the CNCF Telecom User Group (TUG) communities.

To date, OVP’s VM-based program has verified 12 products with the NFVI “Infrastructure” badge and one product with the VNF badge. OVP 2.0 will enhance this effort with badges for cloud native telecom platforms and CNFs.

Looking Ahead

Taken as a whole, these initiatives spanning architecture specifications, implementation integration and deployment, automated testing, and compliance badging provide a solid foundation to advance the telecom industry’s cloud native journey. Moving forward, the groups will continue alignment and collective integration with other related groups including the CNCF Telecom User Group (TUG), ETSI, the GSMA, and other open source and SDO groups. As 5G becomes more pervasive, telcos need to find new paths to adopt technologies in ways that did not exist five plus years ago when NFV came onto the scene. 

The community expects to issue two CNTT releases this year, with an updated Reference Architecture, Reference Model and Reference Conformance to start. Reference Implementations and more OVP Badging updates are also in the works. 


The post Telcos Increase Focus on Cloud Native as LF Networking and Ecosystem Groups Solve Interoperability Challenges appeared first on The Linux Foundation.
