The Linux Foundation

Decentralized innovation, built on trust.

Open Source Software Security: Turning Sand into Concrete

Fri, 05/20/2022 - 02:41

Last week I had the privilege of participating in the Open Source Software Security Summit II in Washington, DC. The Linux Foundation and OpenSSF gathered around 100 participants from enterprise, the U.S. government, and the open source community to agree on an action plan to help increase the security of open source software. 

If you were to look at the attendee list, you would likely be struck by the amount of collaboration among competitors on this issue. But, it isn’t a surprise to the open source community. Security is an excellent example of why organizations participate in open source software projects. 


A question I often receive when I tell people where I work is, why would for-profit companies want to participate in open source projects? There are lots of reasons, of course, but it boils down to organizations coming together on a joint solution to a common problem so they can focus on innovating. For instance, film studios coming together around software for saving video files or color management, the finance industry improving traders' desktops, or web companies supporting the languages and tools that make the web possible. And these are just a handful of examples.

Security is everyone's concern and solutions benefit everyone. As one summit participant noted, "My direct competitors are in the room, but this is not an area where we compete. We all want to protect our customers, shareholders, and employees… 99% of the time we're working on the same problems and trying to solve them in a smarter way."


Everyone is better off by sharing vulnerabilities and solutions and working together towards a common goal of a more resilient ecosystem. No company is immune: everyone relies on multiple open source software packages to run their organization's software. It is no surprise that competitors are working together on this; it is what the open source community does.

As we gathered in DC, my colleague Mark Miller talked to participants about their expectations and their perspectives on the meeting. When asked what he hoped to accomplish during the two day summit, Brian Fox of Sonatype said, “The world is asking for a response to make open source better. We are bringing together the government, vendors, competitors, [and] open source ecosystems to see what we can collectively do to raise the bar in open source security.” 


Another participant painted a picture which I find especially helpful: "I remember the old saying, we built the Internet on sand. I thought about that, underscoring the fact that sand is a part of concrete. This process means that we have an opportunity to shore up a lot of the foundation that we built the Internet on, the code that we're developing. It is an opportunity to improve upon what we currently have, which is a mixture of sand and concrete. How do we get it all to concrete?"

Enterprise companies and community representatives were at the summit, as well as key U.S. government decision makers. The high-level government officials were there the entire day, participating in the meeting and listening to the discussions. Their level of participation was striking to me. I have worked in and around government at the policy level for 25 years, and it is more common than not for government officials to be invited to speak, come and speak, and then leave right after they deliver their remarks. To see them there and engaged, one year after implementing the Executive Order on Improving the Nation's Cybersecurity, signals the importance they place on solving this problem and the respect they have for the group that gathered last week. Kudos to Anne Neuberger, her team, and the others who joined from around the U.S. government.

By the end of the first day, agreement was reached on a plan, comprised of 10 key initiatives:

  • Security Education: Deliver baseline secure software development education and certification to all.
  • Risk Assessment: Establish a public, vendor-neutral, objective-metrics-based risk assessment dashboard for the top 10,000 (or more) OSS components.
  • Digital Signatures: Accelerate the adoption of digital signatures on software releases.
  • Memory Safety: Eliminate root causes of many vulnerabilities through replacement of non-memory-safe languages.
  • Incident Response: Establish the OpenSSF Open Source Security Incident Response Team, security experts who can step in to assist open source projects during critical times when responding to a vulnerability.
  • Better Scanning: Accelerate discovery of new vulnerabilities by maintainers and experts through advanced security tools and expert guidance.
  • Code Audits: Conduct third-party code reviews (and any necessary remediation work) of up to 200 of the most-critical OSS components once per year.
  • Data Sharing: Coordinate industry-wide data sharing to improve the research that helps determine the most critical OSS components.
  • SBOMs Everywhere: Improve SBOM tooling and training to drive adoption.
  • Improved Supply Chains: Enhance the 10 most critical OSS build systems, package managers, and distribution systems with better supply chain security tools and best practices.

The full document, The Open Source Software Security Mobilization Plan, is available for you to review and download.

Of course, a plan without action isn't worth much. Thankfully, organizations are investing resources. On the day it was delivered, $30 million had already been pledged to implement the plan. Organizations are also setting aside staff to support the project:

Google announced its “new ‘Open Source Maintenance Crew’, a dedicated staff of Google engineers who will work closely with upstream maintainers on improving the security of critical open source projects.” 

Amazon Web Services committed $10 million in funding in addition to engineering resources: "we will continue and increase our existing commitments of direct engineering contributions to critical open source projects."

Intel is increasing its investment: “Intel has a long history of leadership and investment in open source software and secure computing. Over the last five years, Intel has invested over $250M in advancing open source software security. As we approach the next phase of Open Ecosystem initiatives, Intel is growing its pledge to support the Linux Foundation by double digit percentages.”

Microsoft is adding $5 million in additional funding because, “Open source software is core to nearly every company’s tech strategy. Collaboration and investment across the ecosystem strengthens and sustains security for everyone.” 

These investments are the start of an initiative to raise $150M toward implementation of the project. 

Last week's meeting and the plan mark the beginning of a new and critical pooling of resources (knowledge, staff, and money) to further shore up the world's digital infrastructure, all built upon a foundation of open source software. It is the next step (well, really several steps) in the journey.

If you want to join the efforts, start at the OpenSSF.

The post Open Source Software Security: Turning Sand into Concrete appeared first on Linux Foundation.

My DEI Journey

Thu, 05/19/2022 - 04:42

This article originally appeared on the Open Mainframe Project's blog. It is written by Earl Dixon, Principal Client Services Management at Broadcom.

After watching the first Making Our Strong Community Stronger panel on “How Personal Experiences Shape Corporate Inclusion,” I was very interested in the topic and engaged my management team to see what I could do to help in the effort. As a result, I was given the opportunity to participate in the second panel discussion focused on UNMASKING in the work place. I was very eager to participate as I felt the panel would be a great way for me to share my experiences.

As we started to discuss the structure and questions, I did get a little nervous. I would be going from "not unmasking at work" to "unmasking" for my peers, management, and others in the industry. We had a dry run for the panel, and I left that being even more nervous. The other panelists (outside of my peers) were executives and managers who were white and had no issue with unmasking at work. It was intimidating, but as I talked with Dr. Chance about my feelings, she made me feel more comfortable about moving forward. As the days wound down closer to the event, I actually grew nervously excited. Once that day came, I wanted to make sure that my story would be told the way that I needed it to be told. I wanted my story to be real and give an understanding of what it is like being a black man coming up in a white dominated field.

Much to my surprise, the panel went very well, and immediately after doing it, I felt a great sense of relief. It was as if a weight had been lifted off my shoulders. The experience was very therapeutic for me. The next day, the Making Our Strong Community Stronger initiative hosted a Town Hall for webinar attendees that had attended the panel discussion live and wanted to ask questions or provide feedback. I felt even more confident in answering the questions posed by the audience, and it actually made me feel even better that I had been involved.

For the next few days, I received numerous emails, LinkedIn notes, and friend requests from individuals who applauded the webinar and the conversation we were able to have. I also heard stories from others who had similar experiences. Someone even asked me to discuss how my experiences could help him better understand how to support his diverse workforce.

In fact, I met with some of my own management team to discuss what they could be doing better from a DEI perspective. Having leaders from my company ask me questions and listen to what I had to say gave me a sense of appreciation that what we did in our panel was not only being heard, but real action was also occurring to help others coming into this mainframe space to work.

Overall, I am proud of the fact that I was able to participate in the DEI panel and look forward to doing more to help with DEI in the future.  It was a pleasure to work with Dr. Chance and her team in this effort to bring awareness to the truly important DEI issues that go unnoticed in the industry.


Announcing the World of Open Source: 2022 Europe Spotlight Survey

Wed, 05/18/2022 - 14:15

Open source is a global phenomenon impacting all industries in all parts of the world. To better understand the regional dynamics of open source, Linux Foundation Research is conducting a series of new research projects under the World of Open Source umbrella to explore the state of open source, beginning with a European perspective, focusing on government, enterprise, and non-profit initiatives. 

Commencing with Europe, these studies will investigate ecosystem-wide trends, including:

  • The size and scope of the open source communities in each region 
  • The motivation for contributions to open source
  • Opportunities and challenges in the private and public sector engagement in open source
  • The landscape for consumption and adoption of open source technologies and best practices, such as OSPO formation

This project will seek to understand the state of open source across different European individuals and organizations for decision-makers and influencers alike.


Funded by the Linux Foundation, this research will be led by LF Research in collaboration with FINOS, LF Training & Certification, and LF Public Health. Additional support will be provided by several organizations across the non-profit, for-profit, and academic sectors including Codemotion, Esade, Friedrich Alexander University, Institut de Govern i Polítiques Públiques (IGOP) de la Universitat Autònoma de Barcelona, OpenForum Europe, Sailboard, Scott Logic, TU/Berlin, TU/Eindhoven, TODO Group Europe Chapter, Università di Roma Tre, and the University of Southampton.

The survey will take no more than 10 minutes of your time, will provide valuable baseline data for future studies, and will serve as a template for studies conducted in other regions. Findings will be shared at Open Source Summit Europe in Dublin in September.

We thank you for your participation. Upon completion of the survey, you will receive a coupon for 25% off any purchase of training and certification from the LF Training & Certification course catalog.


The Linux Foundation Initiates “World of Open Source” Research Series

Mon, 05/16/2022 - 22:46
Key executives to discuss the state of open source initiatives at KubeCon Europe this week

VALENCIA, Spain, May 16, 2022 — The Linux Foundation, a global nonprofit organization enabling mass innovation through open source, today launches the World of Open Source research series with its initial focus on the European community. The initiative will be championed by LF Research in collaboration with several European distribution and research partners. Furthermore, key executives of the Linux Foundation and partners will be speaking at KubeCon in Valencia, Spain this week as they kickstart the research series and meet with the extended open source and cloud native communities.

The Supporting the Flourishing European Open Source Ecosystem birds-of-a-feather session will be hosted on Thursday, 19 May at 14:30 CEST by Gabriele Columbro (Executive Director of FINOS), Hilary Carter (VP, Linux Foundation Research), Astor Nummelin Carlberg (CEO, OpenForum Europe), and Matthew Dunderdale (Delivery Principal, Scott Logic). KubeCon Europe is one of the largest open source developer events hosted on the continent each year.

"FINOS is one of the most globally distributed entities under the Linux Foundation and we are truly excited to support this deep research initiative backed by so many respected institutions across the EU, UK, and Switzerland," said Gabriele Columbro, Executive Director of FINOS. "A clear European perspective will enhance how we forge deeper collaboration across the FINOS community and will shed new light on cross-border challenges like cybersecurity and sustainability that are important to the Linux Foundation and the open source ecosystem at large."

"Scott Logic is a UK-based consultancy who, alongside our peers, have greatly benefited from the plethora of open source tools and technologies that have recently emerged. However, our collective reliance on open source can reveal the sometimes fragile nature of community-run digital commons. We are delighted to partner with Linux Foundation to better understand the state of open source in Europe," said Colin Eberhardt, CTO of Scott Logic. "Armed with the research findings, our goal is to ensure everyone can capitalize on the amazing innovations happening within open source and that our 'digital commons' are sustained for the long-term."

“OpenForum Europe is pleased to partner with the Linux Foundation to promote this timely research series and upcoming survey on the state of open source in Europe. Open source software has already been shown to boost the European economy by between EUR 65 to 95 billion annually and to have positive effects on the number of startups and SME growth. As the EU and its Member States continue to invest in digital transformation, better understanding will allow the EU to further benefit from the innovative power of open source software.”

About the World of Open Source Research series

The World of Open Source series will explore the state of open source from a global perspective, focusing on government, enterprise, and non-profit initiatives. The research initiative kicks off on Wednesday, 18 May with a “World of Open Source: 2022 Europe Spotlight” survey.

The European open source survey will investigate ecosystem-wide trends, including: (1) the size and scope of the open source communities in the region, (2) the motivation for contributions to open source, (3) opportunities and challenges in the private and public sector engagement in open source, and (4) the landscape for consumption and adoption of open source technologies and best practices, such as open source program office (OSPO) formation. This project will seek to understand key opportunities for collaboration and perceived challenges in the European open source community across sectors for decision-makers and influencers alike.

Funded by the Linux Foundation, this research will be led by LF Research in collaboration with FINOS, LF Training & Certification, and LF Public Health. Additional support will be provided by several organizations across the non-profit, for-profit, and academic sectors including: Codemotion, Esade, Friedrich Alexander University, Institut de Govern i Polítiques Públiques (IGOP) de la Universitat Autònoma de Barcelona, OpenForum Europe, Sailboard, Scott Logic, TU/Berlin, TU/Eindhoven, TODO Group Europe Chapter, Università di Roma Tre, and the University of Southampton.

This research further expands the Linux Foundation's investment in fostering a flourishing local European ecosystem which already supports critical intra- and inter-region open source collaborations, training, and events. The Linux Foundation will reveal the survey results at Open Source Summit Europe, in Dublin, Ireland, to be hosted 13–16 September.

Additional Resources

  • Attend the Birds of a Feather session at KubeCon in Valencia (Spain) on Thursday, 18 May at 14:30 CEST to learn more about the “World Of Open Source” research series
  • Contact us about Linux Foundation activities in Europe
  • Register for Open Source Summit Europe

About the Linux Foundation

Founded in 2000, the Linux Foundation and its projects are supported by more than 1,800 members. The Linux Foundation is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, Hyperledger, RISC-V, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Media Contacts

Dan Whiting
+1 202-531-9091
dwhiting@linuxfoundation.org


The Open 3D Foundation Announces Latest Enhancements to Open 3D Engine, Invites O3DCon ‘Call for Proposals’

Sat, 05/14/2022 - 00:15

Newest release introduces performance and usability improvements and opens the O3DCon call for speaker proposals and discussion suggestions, due July 15

SAN FRANCISCO, May 13, 2022 – The Open 3D Foundation (O3DF), home of a vibrant, diverse community focused on building a first-class, open source engine for real-time 3D development, has released 22.05, the latest version of the Open 3D Engine, with a focus on performance, stability and usability enhancements. 

With over 1,460 code merges, this new release offers several improvements aiming to make it easier for developers to build 3D simulations for AAA games and various applications across robotics, AI, metaverse, digital twin, automotive, healthcare, and more. Significant advancements include core stability, installer validation, motion matching updates, user-defined property (UDP) support for the asset pipeline, and automated testing advancements. 

Artists can focus on bringing their visions to life using the tools they feel most comfortable with, such as Blender or Autodesk® Maya®. The Open 3D Engine (O3DE) can now integrate user-defined properties (UDP) metadata into its asset pipeline from source assets so that scene-building and asset-processing logic can be customized using this metadata. UDP metadata can be assigned in content creation tools to store custom properties for mesh, light, animation, and other elements to power asset generation workflows for O3DE.

Animation artists can now utilize motion matching, a data-driven animation technique that synthesizes motions based on existing animation data and current character and input contexts to deliver photorealistic experiences. This feature, introduced as an experimental gem, includes a prefabricated character example that can be controlled using a gamepad. 

Other improvements include: 

  • Simpler customization of the render pipeline is now possible using a new set of APIs. Examples of gems that currently use this capability include Terrain, LyShine and TressFx.
  • Developers can now re-use Material Types much more easily.
  • Developers can now control the spawning of player-controlled, networked entities using an improved interface, a capability that is essential for building multiplayer games.
  • Automated tests now verify that an installer build is valid and ensure that all of the steps within the build are successfully executed. These tests are run nightly for O3DE, and have been designed so that anyone can plug them into their quality verification process.

The 22.05 Release marks the Open 3D Engine’s first major release of 2022. Releases occur on a bi-annual cadence, in the first half and second half of each year. The next release is scheduled for October 2022, which will coincide with the Open 3D Foundation’s flagship conference, O3DCon.

To learn more about this release and all of its features, read the release notes, or join the community on Discord. You can download the 22.05 Release today. 

O3DCon Call for Proposals Now Open

The Open 3D Foundation also announced the call for proposals (CFPs) for its annual flagship conference, O3DCon. On October 18-19, 2022, in Austin, Texas, technology leaders, independent 3D developers, and the academic community spanning the 3D landscape will come together to share ideas, discuss hot topics and help shape the future of open 3D development across a variety of industries and disciplines. O3DCon will be presented as a hybrid event—attendees can join and participate in person or virtually. Workshops and pre-registration will be held on October 17, a day ahead of the actual conference events.

With over 25 member companies since its public announcement in July 2021, the Open 3D Foundation boasts a healthy, thriving community, adding Microsoft as its latest member. Other premier members include Adobe, AWS, Huawei, Intel and Niantic. The O3D Engine averages up to 2 million line changes and 350-450 commits monthly from 60-100 authors across 41 repos.

“I’m proud of the O3DE community’s focus on core stability while delivering new capabilities aimed to simplify and enhance 3D development for developers around the globe,” said Royal O’Brien, Executive Director of O3DF and General Manager of Games and Digital Media at the Linux Foundation. “I’m also incredibly excited about the opportunity O3DCon offers in bringing together diverse minds to collaborate on advancing the state of open 3D development across so many industries.”

Proposals to speak at O3DCon are being accepted now through Friday, July 15, 2022, at 11:59 pm PDT. All those interested are invited to submit proposals. Those who have submitted proposals will be notified of a decision by Tuesday, August 2. Learn more and submit your proposal today.

Submission types requested include:

  • Lightning talks
  • Session presentations
  • Birds-of-a-feather discussions
  • Panel discussions
  • Hands-on workshops/training

Suggested topics include:

  • 3D Development & Open 3D Engine 101
  • Building & Sustaining Open Source in 3D Development
  • Game Development
  • Metaverse
  • AI
  • Robotics
  • Digital Twin
  • Automotive
  • Healthcare

Sponsors have the unique opportunity to demonstrate their leadership in this burgeoning arena, forge valuable connections and help shape the future of 3D development. O3DCon offers multiple sponsorship levels for your consideration. To explore all of the sponsorship benefits, please click here. The sponsorship deadline is September 2, 2022. O3DF Members receive a 3% discount on all exhibitor packages. For questions about sponsorships and contract requests, or to become a sponsor, please contact us.

Visit the O3DF website and follow O3DE on Twitter, Facebook and LinkedIn for all the latest O3DCon updates and announcements.

About the Open 3D Engine Project

Open 3D Engine (O3DE) is the flagship project managed by the Open 3D Foundation (O3DF). The open source project is a modular, cross-platform 3D engine built to power anything from AAA games to cinema-quality 3D worlds to high-fidelity simulations. The code is hosted on GitHub under the Apache 2.0 license. To learn more, please visit o3de.org. To get involved and connect with the O3DE community, please join us on Discord and GitHub.

About the Open 3D Foundation

Established in July 2021, the mission of the Open 3D Foundation (O3DF) is to make an open-source, fully-featured, high-fidelity, real-time 3D engine for building games and simulations, available to every industry. The Open 3D Foundation is home to the O3D Engine project. To learn more, please visit o3d.foundation.

About the Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

The Linux Foundation Events are where the world’s leading technologists meet, collaborate, learn and network in order to advance innovations that support the world’s largest shared technologies.

Media Inquiries:

pr@o3d.foundation


The Linux Foundation and Open Source Software Security Foundation (OpenSSF) Gather Industry and Government Leaders for Open Source Software Security Summit II

Fri, 05/13/2022 - 22:13
10-Point Open Source and Software Supply Chain Security Mobilization Plan Released with Initial Pledges Surpassing $30M

WASHINGTON, DC – May 12, 2022 – The Linux Foundation and the Open Source Software Security Foundation (OpenSSF) brought together over 90 executives from 37 companies and government leaders from the NSC, ONCD, CISA, NIST, DOE, and OMB to reach a consensus on key actions to take to improve the resiliency and security of open source software.

Open Source Software Security Summit II is a follow-up to the first Summit, held January 13, 2022, which was led by the White House's National Security Council. Today's meeting was convened by the Linux Foundation and OpenSSF on the one-year anniversary of President Biden's Executive Order on Improving the Nation's Cybersecurity.

The Linux Foundation and OpenSSF, with input provided from all sectors, delivered a first-of-its-kind plan to broadly address open source and software supply chain security. The Summit II plan outlines approximately $150M of funding over two years to rapidly advance well-vetted solutions to the ten major problems the plan identifies. The 10 streams of investment include concrete action steps for both more immediate improvements and building strong foundations for a more secure future. 

A subset of participating organizations have come together to collectively pledge an initial tranche of funding towards implementation of the plan. Those companies are Amazon, Ericsson, Google, Intel, Microsoft, and VMware, pledging over $30M. As the plan evolves further, more funding will be identified, and work will begin as individual streams are agreed upon.

This builds on the existing investments that the OpenSSF community members make into open source software. An informal poll of our stakeholders indicates they spend over $110M and employ nearly a hundred full-time equivalent employees focused on nothing but securing the open source software landscape. This plan adds to those investments.

KEY QUOTES

Jim Zemlin – Executive Director, Linux Foundation: "On the one year anniversary of President Biden's executive order, today we are here to respond with a plan that is actionable, because open source is a critical component of our national security and it is fundamental to billions of dollars being invested in software innovation today. We have a shared obligation to upgrade our collective cybersecurity resilience and improve trust in software itself. This plan represents our unified voice and our common call to action. The most important task ahead of us is leadership."

Brian Behlendorf – Executive Director, Open Source Security Foundation (OpenSSF): "What we are doing here together is converging a set of ideas and principles of what is broken out there and what we can do to fix it. The plan we have put together represents the 10 flags in the ground as the base for getting started. We are eager to get further input and commitments that move us from plan to action."

Anne Neuberger – Deputy National Security Advisor, Cyber & Emerging Tech at National Security Council, The White House:

"President Biden signed the Executive Order on Cybersecurity last year to ensure the software our government relies on is secure and reliable, including software that runs our critical infrastructure. Earlier this year, the White House convened a meeting between government and industry participants to improve the security of Open Source software. The Open Source security foundation has followed up on the work at that meeting and convened participants from across industry to make substantial progress. We are appreciative of all participants' work on this important issue."

Atlassian – Adrian Ludwig, Chief Trust Officer:

“Open source software is critical to so many of the tools and applications that are used by thousands of development teams worldwide. Consequently, the security of software supply chains has been elevated to the top of most organizations’ priorities in the wake of recent high-profile vulnerabilities in open source software. Only through concerted efforts by industry, government and other stakeholders can we ensure that open source innovation continues to flourish in a secure environment. This is why we are happy to be participating in OpenSSF, where we can collaborate on key initiatives that raise awareness and drive action around the crucial issues facing software supply chain security today. We’re excited to be a key contributor to driving meaningful change and we are optimistic about what we can achieve through our partnership with OpenSSF and like-minded organizations within its membership.”

Cisco – Eric Wenger, Senior Director, Technology Policy, Cisco Systems

“Open source software (OSS) is a foundational part of our modern computing infrastructure. As one of the largest users of and contributors to OSS, Cisco makes significant investments in time and resources to improve the security of widely-used OSS projects. Today’s effort shows the stakeholder community’s shared commitment to making open-source development more secure in ways that are measurable and repeatable.”

Dell – John Roese, Dell Technologies CTO

“Never before has software security been a more critical part of the global supply chain. Today, in a meeting led by Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, Dell and my Open Source Security Foundation colleagues committed our software security expertise to execute the Open Source Software Security Mobilization Plan. Dell’s best and brightest engineers will engage with peers to develop risk-based metrics and scoring dashboards, digital signature methodologies for code signing, and Software Bill of Materials (SBoM) tools – all to address the grand challenge of open-source software security. This is an excellent example of the leadership Dell provides to proactively impact software security and open-source security solutions, and reinforces our commitment to the open-source software community, to our supply chain and to our national security.”

Ericsson

“Ericsson is one of the leading promoters and supporters of the open source ecosystem, accelerating the adoption and industry alignment in a number of key technology areas. The Open Source Security Foundation (OpenSSF) is an industry-wide initiative with the backing of the Linux Foundation with the objective of improving supply chain security in the open source ecosystem.

“As a board member of OpenSSF, we are committed to open source security and we are fully supportive of the mobilization plan with the objective of improving supply chain security in the open source ecosystem. Being an advocate and adopter of global standards, the initiatives aim to strengthen open source security from a global perspective.”

GitHub – Mike Hanley, Chief Security Officer

“Securing the open source ecosystem starts with empowering developers and open source maintainers with tools and best practices that are instrumental to securing the software supply chain. As home to 83M developers around the world, GitHub is uniquely positioned and committed to advance these efforts, and we’ve continued our investments to help developers and maintainers realize improved security outcomes through initiatives including 2FA enforcement on GitHub.com and npm, open sourcing the GitHub Advisory Database, financial enablement for developers through GitHub Sponsors, and free security training through the GitHub Security Lab.

“The security of open source is critical to the security of all software. Summit II has been an important next step in bringing the private and public sector together again and we look forward to continuing our partnerships to make a significant impact on the future of software security.”

Google – Eric Brewer, VP of Infrastructure at Google Cloud & Google Fellow

“We’re thankful to the Linux Foundation and OpenSSF for convening the community today to discuss the open source software security challenges we’re facing and how we can work together across the public and private sectors to address them. Google is committed to supporting many of the efforts we discussed today, including the creation of our new Open Source Maintenance Crew, a team of Google engineers who will work closely with upstream maintainers on improving the security of critical open source projects, and by providing support to the community through updates on key projects like SLSA, Scorecards, and Sigstore, which is now being used by the Kubernetes project. Security risks will continue to span all software companies and open source projects and only an industry-wide commitment involving a global community of developers, governments and businesses can make real progress. Google will continue to play our part to make an impact.”

IBM – Jamie Thomas, Enterprise Security Executive

“Today, we had the opportunity to share our IBM Policy Lab’s recommendations on how understanding the software supply chain is key to improving security. We believe that providing greater visibility in the software supply chain through SBoMs (Software Bill of Materials) and using the Open Source Software community as a valuable resource to encourage passionate developers to create, hone their skills, and contribute to the public good can help strengthen our resiliency. It’s great to see the strong commitment from the community to work together to secure open source software. Security can always be strengthened and I would like to thank Anne Neuberger today for her deep commitment and open, constructive, technical dialogue that will help us pave the way to enhancing OSS security.”

Intel – Greg Lavender, Chief Technology Officer and General Manager of the Software and Advanced Technology Group

“Intel has long played a key role in contributing to open source. I’m excited about our role in the future building towards Pat’s Open Ecosystem vision. As we endeavor to live into our core developer tenets of openness, choice and trust – software security is at the heart of creating the innovation platforms of tomorrow.”

Intel – Melissa Evers, Vice President, Software and Advanced Technology, General Manager of Strategy to Execution

“Intel commends the Linux Foundation in their work advancing open source security. Intel has a history of leadership and investment in open source software and secure computing: over the last five years, Intel has invested over $250M in advancing open-source software security. As we approach the next phase of Open Ecosystem initiatives, we intend to maintain and grow this commitment by double digit percentages continuing to invest in software security technologies, as well as advance improved security and remediation practices within the community and among those who consume software from the community.”

JFrog – Stephen Chin, Vice President of Developer Relations

“While open source has always been seen as a seed for modernization, the recent rise of software supply chain attacks has demonstrated we need a more hardened process for validating open-source repositories. As we say at JFrog, ‘with great software comes great responsibility’, and we take that job seriously. As a designated CNA, the JFrog Security Research team constantly monitors open-source software repositories for malicious packages that may lead to widespread software supply chain attacks and alerts the community accordingly. Building on that, JFrog is proud to collaborate with the Linux Foundation and other OpenSSF members on designing a set of technologies, processes, accreditations, and policies to help protect our nation’s critical infrastructure while nurturing one of the core principles of open source – innovation.” 

JPMorgan Chase – Pat Opet, Chief Information Security Officer

“We are proud to have worked with Open Source Security Foundation (OpenSSF) and its members to create the new Open Source Software Security Mobilization Plan. This plan will help to address security issues in the software supply chain, which is critical to making the world’s software safer and more secure for everyone.”

Microsoft – Mark Russinovich, CTO, Microsoft Azure

“Open source software is core to nearly every company’s technology strategy. Collaboration and investment across the open source ecosystem will strengthen and sustain security for everyone. Microsoft’s commitment to $5M in funding for OpenSSF supports critical cross-industry collaboration. We’re encouraged by the community, industry, and public sector collaboration at today’s summit and the benefit this will have to strengthen supply chain security.”

OWASP Foundation – Andrew van der Stock, Executive Director

“OWASP’s mission is to improve the state of software security around the world. We are contributing to the Developer Education and Certification, as well as addressing the Executive Order for improving the state and adoption of SBOMs. In particular, we would like to see a single, consumable standard across the board.”

OWASP Foundation – Mark Curphey (founder of OWASP) and John Viega (author of the first book on software security), Stream Coordinators

“We’re excited to see the industry’s willingness to come together on a single ‘bill of materials’ format. It has the potential to help the entire industry solve many important problems, including drastically improving response speed for when major new issues in open source software emerge.” 

SAP – Tim McKnight, SAP Executive Vice President & Chief Information Security Officer

“SAP is proud to be a part of the Open Source Software Security Summit II and contribute to the important dialogue on the topic of Open Source software security.

“SAP is firmly committed to supporting the execution of the Open Source Software Security Mobilization Plan and we look forward to continuing our collaboration with our government, industry, and academic partners.”

Sonatype – Brian Fox, CTO of Sonatype and steward of Maven Central

“It’s rare to see vendors, competitors, government, and diverse open source ecosystems all come together like they have today. It shows how massive a problem we have to solve in securing open source, and highlights that no one entity can solve it alone. The Open Source Software Security Mobilization Plan is a great step toward bringing our community together with a number of key tactics, starting with securing OSS production, which will make the entire open source ecosystem stronger and safer.” 

Wipro – Andrew Aitken, Global Head of Open Source

“Wipro is committed to helping ensure the safety of the software supply chain through its engagement with OpenSSF and other industry initiatives and is ideally suited to enhance efforts to provide innovative tooling, secure coding best practices and industry and government advocacy to improve vulnerability remediation.

“As the only global systems integrator in the OpenSSF ecosystem and in line with its support of OpenSSF objectives, Wipro will commit to training 100 of its cybersecurity experts to the level of trainer status in LF and OpenSSF secure coding best practices and to host training workshops with its premier global clients and their developer and cybersecurity teams. 

“Further, Wipro will increase its public contributions to Sigstore and the SLSA framework by integrating them into its own solutions and building a community of 50+ contributors to these critical projects.”

KEY BACKGROUND

Three Goals of the 10-Point Plan

  • Securing Open Source Software Production
      1. Make baseline secure software development education and certification the new normal for professional OSS developers.
      2. Establish a public, vendor-neutral, objective-metrics-based risk assessment dashboard for the top 10,000 open source components.
      3. Accelerate the adoption of digital signatures on software releases.
      4. Eliminate root causes of many vulnerabilities through replacement of non-memory-safe languages.
  • Improving Vulnerability Discovery and Remediation
      5. Accelerate discovery of new vulnerabilities by maintainers and experts.
      6. Establish a corps of “volunteer firefighter” security experts to assist open source projects during critical times.
      7. Conduct third-party code reviews (and any necessary remediation work) of 200 of the most-critical open source software components yearly.
      8. Coordinate industry-wide data sharing to improve the research that helps determine the most critical open source software.
  • Shortening Ecosystem Patching Response Time
      9. Software Bill of Materials (SBOM) Everywhere: improve SBOM tooling and training to drive adoption.
      10. Enhance the 10 most critical open source build systems, package managers, and distribution systems with better supply chain security tools and best practices.

The 10-Point Plan Summarized (available in full here)

  1. Security Education: Deliver baseline secure software development education and certification to all.
  2. Risk Assessment: Establish a public, vendor-neutral, objective-metrics-based risk assessment dashboard for the top 10,000 (or more) OSS components.
  3. Digital Signatures: Accelerate the adoption of digital signatures on software releases.
  4. Memory Safety: Eliminate root causes of many vulnerabilities through replacement of non-memory-safe languages.
  5. Incident Response: Establish the OpenSSF Open Source Security Incident Response Team, security experts who can step in to assist open source projects during critical times when responding to a vulnerability.
  6. Better Scanning: Accelerate discovery of new vulnerabilities by maintainers and experts through advanced security tools and expert guidance.
  7. Code Audits: Conduct third-party code reviews (and any necessary remediation work) of up to 200 of the most-critical OSS components once per year.
  8. Data Sharing: Coordinate industry-wide data sharing to improve the research that helps determine the most critical OSS components.
  9. SBOMs Everywhere: Improve SBOM tooling and training to drive adoption.
  10. Improved Supply Chains: Enhance the 10 most critical OSS build systems, package managers, and distribution systems with better supply chain security tools and best practices.

Media Contact

Edward Cooper
openssf@babelpr.com

The post The Linux Foundation and Open Source Software Security Foundation (OpenSSF) Gather Industry and Government Leaders for Open Source Software Security Summit II appeared first on Linux Foundation.

Brian Behlendorf Testifies on Open Source Software Security to the US House Committee on Science and Technology

Thu, 05/12/2022 - 01:06

This post originally appeared on OpenSSF’s blog

On Wednesday, May 11, 2022, Brian Behlendorf, OpenSSF General Manager, testified to the United States House of Representatives Committee on Science, Space, and Technology. Brian’s testimony shares the work being done within the Open Source Security Foundation and broader open source software community to improve security and trustworthiness of open source software.

A copy of Brian’s written remarks is below and linked here (PDF). Visit the Committee’s website to view a recording of the hearing.

Also testifying at the hearing were:



May 9th, 2022 

The Honorable Eddie Bernice Johnson, Chairwoman
The Honorable Frank Lucas, Ranking Member
Committee on Science, Space, and Technology
2321 Rayburn House Office Building
Washington, DC 20515-6301 

Dear Chairwoman Johnson, Congressman Lucas, and distinguished members of the Committee on Science, Space and Technology, 

Thank you for your invitation to address you today, and the opportunity to share with you the work being done within the Open Source Security Foundation and the broader open source software community to raise the level of security and trustworthiness of open source software. 

  1. What are the consequences of insecure open-source software and what is industry as a whole, and the Open Source Security Foundation in particular, doing to tackle such vulnerabilities?

Open source software (“OSS”) has become an integral part of the technology landscape, as inseparable from the digital machinery of modern society as bridges and highways are from the physical equivalent. According to one report, typically 70% to 90% of a modern application “stack” consists of pre-existing OSS, from the operating system to the cloud container to the cryptography and networking functions, sometimes up to the very application running your enterprise or website. Thanks to copyright licenses that encourage no-charge re-use, remixing, and redistribution, OSS encourages even the most dogged of competitors to work together to address common challenges, saving money by avoiding duplication of effort, moving faster to innovate upon new ideas and adopt emerging standards. 

However, this ubiquity and flexibility can come at a price. While OSS generally has an excellent reputation for security, the developer communities behind those works can vary significantly in their application of development practices and techniques that can reduce the risk of a defect in the code, or in responding quickly and safely when one is discovered by others. Often, developers trying to decide what OSS to use have difficulty determining which ones are more likely to be secure than others based on objective criteria. Enterprises often don’t have a well-managed inventory of the software assets they use, with enough granular detail, to know when or if they’re vulnerable to known defects, and when or how to upgrade. Even those enterprises who may be willing to invest in increasing the security of the OSS they use often don’t know where to make those investments, nor their urgency relative to other priorities. 

There are commercial solutions to some of these problems. There are vendors like Gitlab or Red Hat who sell support services for specific open source software, or even entire aggregate distributions of OSS. There are other vendors, like Snyk and Sonatype, who sell tools to help enterprises track their use of OSS and flash an alert when there is a new critical vulnerability in software running deep inside an enterprise’s IT infrastructure.

However, fighting security issues at their upstream source – trying to catch them earlier in the development process, or even reduce the chances of their occurrence at all – remains a critical need. We are also seeing new kinds of attacks that focus less on vulnerabilities in code, and more on the supply chain itself – from rogue software that uses “typosquatting” on package names to insert itself unexpectedly into a developer’s dependency tree, to attacks on software build and distribution services, to developers turning their one-person projects into “protest-ware” with likely unintended consequences. 

To address the urgent need for better security practices, tools, and techniques in the open source software ecosystem, a collection of organizations with deep investments into the OSS ecosystem came together in 2020 to form the Open Source Security Foundation, and chose to house that effort at the Linux Foundation. This public effort has grown to hundreds of active participants across dozens of different public initiatives housed under 7 working groups, with funding and partnership from over 75 different organizations, and reaching millions of OSS developers. 

The OpenSSF’s seven working groups are: 

  1. Best Practices for Open Source Developers: This group works to provide open source developers with best practices recommendations, and easy ways to learn and apply them. Among other things, this group has developed courseware for teaching developers the fundamentals of secure software development, and implements the OpenSSF Best Practices Badge program.
  2. Securing Critical Projects: This group exists to identify and help to allocate resources to secure the critical open source projects we all depend on. Among other things, this has led to a collaboration with Harvard Business School to develop a list of the most critical projects. 
  3. Supply Chain Integrity: This group is helping people understand and make decisions on the provenance of the code they maintain, produce and use. Among other things, this group has developed a specification and software called “SLSA”, for describing and tracking levels of confidence in a software supply chain. 
  4. Securing Software Repositories: This group provides a collaborative environment for aligning on the introduction of new tools and technologies to strengthen and secure software repositories, which are key points of leverage for security practices and the promotion to developers of more trustworthy software. 
  5. Identifying Security Threats in Open Source Projects: This group enables informed confidence in the security of OSS by collecting, curating, and communicating relevant metrics and metadata. For example, it is developing a database of all known security reviews of OSS. 
  6. Security Tooling: This group’s mission is to provide the best security tools for open source developers and make them universally accessible. Among other activities, this group has released code to better enable a security testing technique called “fuzzing” among open source projects. 
  7. Vulnerability Disclosures: This group is improving the overall security of the OSS ecosystem by helping advance vulnerability reporting and communication. For example, this group has produced a Guide to Coordinated Vulnerability Disclosure for OSS.

There are also a series of special projects under the OpenSSF worthy of special mention: 

  • Project sigstore: an easy-to-use toolkit and service for signing software artifacts, ensuring that the software you are holding is the same as what the developer intended, addressing a wide array of supply chain attacks. 
  • The Alpha-Omega Project: an effort to systematically search for new vulnerabilities in open source code, and work with critical open source projects to improve their vulnerability handling and other security practices. 
  • The GNU Toolchain Initiative: this effort supports the build ecosystems for perhaps the most critical set of developer libraries and compilers in the world, the GNU Toolchain, as a means to ensure its safety and integrity. 

All the above efforts are public-facing and developed using the best practices of open source software communities. Funding from our corporate partners goes towards supporting the core staff and functions that enable this community, but all the substance comes from voluntary efforts. In some cases funds flow to assist with specific efforts – for example, recently the Alpha-Omega project decided to allocate funding towards the NodeJS community to augment its security team with a part-time paid employee and to fund fixes for security issues. 

The Linux Foundation has also begun to adapt its “LFX” platform, a set of services designed to support the open source communities hosted by the Foundation, to incorporate security-related data such as vulnerability scans from Snyk and BluBracket, along with information from the OpenSSF Best Practices Badge program and the OpenSSF Security Scorecards initiative, to provide a unified view of the security risks in a particular collection of open source code, and what maintainers and contributors to those projects can do to improve those scores and reduce those risks. We expect to see more kinds of risk-related data coming into a unified view like this, helping developers and enterprises make better decisions about what open source components and frameworks to use, and how to reduce risk for those components they depend upon. 

Guiding all of this is a deep conviction among the OpenSSF community that while there are many different ways in which security issues manifest themselves in the OSS ecosystem, every one of them is addressable, and that there are lots of opportunities for investment and collective action that will pay a return many times over in the form of lower risk of a future major vulnerability in a widely-used package, and lesser disruption if one is discovered. 

Other efforts at the Linux Foundation include “Prossimo”, an effort focused on moving core Internet-related services to “memory-safe” languages like Rust, Go, or Java, which would eliminate an entire category of vulnerabilities that other languages allow too easily. Another is the SPDX standard for Software Bill of Materials (“SBOMs”), addressing the needs identified by White House Executive Order 14028 in a vendor-neutral and open way. 

This is by no means a comprehensive list of all such efforts in the OSS ecosystem to improve security. Every OSS foundation either has a security team in operation today or is scrambling to identify volunteers and funding to establish one. There is a greater emphasis today than I’ve seen in my 30 years of using and contributing to OSS (since before it was called OSS) on the importance of such efforts. Clear metrics for progress are elusive since we lack clear metrics for evaluating software risk; in fact developing ways to measure and represent that risk is a key priority for OpenSSF. We will never see a time when open source software is free from security defects, but we are getting better at determining the tools and techniques required to more comprehensively address the risk of vulnerabilities in open source code. Scaling up those tools and techniques to address the tens of thousands of widely used OSS components and to get them more quickly updated remains a challenge. 

  2. How can the Federal government improve collaboration with industry to help secure open-source software?

I’ll focus here on principles and methods for collaboration that will lead to more secure OSS, and then for question 3 on specific opportunities to collaborate on. 

First, focus on resourcing long-term personal engagements with open source projects. 

Over the last few years, we have seen a healthy degree of engagement by the Federal government with OSS projects and stakeholders on the topic of improving security. The push established by Executive Order 14028 for the adoption of SBOMs aligned nicely with the standardization and growing adoption of the SPDX standard by a number of OSS projects, but it was aided substantially by the involvement of personnel from NIST, CISA, and other agencies engaging directly with SPDX community members. 

Often the real secret to a successful OSS effort is in the communities of different stakeholders that come together to create it – the software or specification is often just a useful byproduct. The Federal government, both through its massive use of open source code and the role that it traditionally performs in delivering and protecting critical infrastructure, should consider itself a stakeholder, and like other stakeholders prioritize engagement with upstream open source projects of all sizes. That engagement need not be so formal; most contributors to open source projects have no formal agreement covering that work aside from a grant of intellectual property in those contributions. But as they say, “history is made by those who show up.” If the IT staff of a Federal agency (or of a contractor under a Federal contract) were authorized and directed to contribute to the security team of a critical open source project, or to addressing known or potential security issues in important code, or to participating in an OpenSSF working group or project, that would almost certainly lead to identifying and prioritizing work that would result in enhanced security in the Federal government’s own use of open source code, and likely to upstream improvements that make OSS more secure for everyone else. 

Second, engage in OSS development and security work as a form of global capacity building, and in doing so, in global stability and resilience. OSS development is inherently international and has been since its earliest days. Our adversaries and global competitors use the same OSS that we do, by and large. When our operating systems, cloud containers, networking stacks and applications are made to be more secure, there are fewer chances for rogue actors to cause disruption, and that can make it harder to de-escalate tensions or protect the safety of innocent parties. Government agencies in France, Taiwan, and more have begun to establish funded offices focused on the adoption, development, and promotion of OSS, in many ways echoing the Open Source Program Offices being set up by companies like Home Depot and Walmart or intergovernmental agencies like the WHO. The State Department in recent years has funded the development of software like Tor to support the security needs of human rights workers and global activists. The Federal government could use its convening authority and statecraft to bring like-minded activities and investment together in a coordinated way more effectively than any of us in the private sector can. 

Third, many of the ideas for improving the security of OSS involve establishing services – services for issuing keys to developers like Project sigstore does, or services for addressing the naming of software packages for SBOMs, or services for collecting security reviews, or providing a comprehensive view of the risk of open source packages. Wherever possible, the Federal government should avoid establishing such services themselves when suitable instances of such services are being built by the OSS community. Instead of owning or operating such services directly, the Federal Government should provide grants or other resources to operators of such services as any major stakeholder would. Along similar lines, should the Federal government fund activities like third party audits of an open source project, or fund fixes or improvements, it should ensure not only that such efforts don’t duplicate work already being done, it should ensure that the results of that work are shared (with a minimum of delay) publicly and upstream so that everyone can benefit from that investment. 

These three approaches to collaboration would have an outsized impact on any of the specific efforts that the Federal government could undertake. 

  3. Where should Congress or the Administration focus efforts to best support and secure the open-sourced software ecosystem as a whole?

The private sector and the Federal government have a common cause in seeing broad improvements in the security of OSS. I’m happy to share where I see the private sector starting to invest in enhanced OSS security, in the hopes that this may inspire similar actions from others. 

  1. Education. Very few software developers ever receive a structured education in security fundamentals, and often must learn the hard way about how their work can be attacked. The OpenSSF’s Secure Software Fundamentals courses are well regarded and themselves licensed as open source software, which means educational institutions of all kinds could deliver the content. Enterprises could also start to require it of their own developers, especially those who touch or contribute to OSS. There must be other techniques for getting this content into more hands and certifications against it into more processes. 
  2. Metrics and benchmarks. There are plenty of efforts to determine what are suitably objective metrics for characterizing the risks of OSS packages. But running the cloud systems to perform that measurement across the top 100,000 or even 10,000 open source projects may cost more than what can be provided for free by a single company, or may be fragile if only provided by a single vendor. Collective efforts funded by major stakeholders are being planned-for now, and governments as a partner to that would not be turned away. 
  3. Digital signatures. There is a long history of U.S. Government standards for identity proofing, public key management, signature verification, and so on. These standards are very sophisticated, but in open source circles, often simplicity and support are more important. This is pulling the open source ecosystem towards Project sigstore for the signing of software artifacts. We would encourage organizations of all sorts to look at sigstore and consider it for their OSS needs, even if it may not be suitable for all identity use cases. 
  4. Research and development investments into memory-safe languages. As detailed above, there are opportunities to eliminate whole categories of defects for critical infrastructure software by investing in alternatives written in memory-safe languages. This work is being done, but grants and investments can help accelerate that work. 
  5. Fund third-party code reviews for top open source projects. Most OSS projects, even the most critical ones, never receive the benefit of a formal review by a team of security experts trained to review code not only for small bugs that may lead to big compromises, but also for architectural issues and even issues with the features offered by the software. Such audits vary tremendously in cost based on the complexity of the code, but an average for an average-sized code base would be $150K-250K. Covering the top 100 OSS projects with a review every other year, or even 200 every year, seems like a small price compared to the costs to US businesses to remedy or clean up after a breach caused by just one bug. 
  6. Invest in better supply chain security support in key build systems, package managers, and distribution sites. This is partly about seeing technologies like SBOMs, digital signatures, specifications like SLSA and others built into the most widely used dev tools so that they can be adopted and meaningfully used with a minimum of fuss. Any enterprise (including the Federal government) that has software certification processes based on the security attributes of software should consider how those tools could be enhanced with the above technologies, and automate many processes so that updates can be more frequent without sacrificing security. 

These activities, if done at sufficient scale, could dramatically lower the risks of future disruptive events like those we have seen. As a portfolio of different investments and activities they are mutually reinforcing, and none of them in isolation is likely to have much of a positive impact. Further econometrics research could help quantify the specific reduction of risk from each activity. But I believe that each represents a very cost-effective target for enhancing security in OSS no matter who is writing the check. 

Thank you again for the opportunity to share these thoughts with you. I look forward to answering any questions you may have or providing you with further information. 

Sincerely,

Brian Behlendorf
General Manager, Open Source Security Foundation
The Linux Foundation

The post Brian Behlendorf Testifies on Open Source Software Security to the US House Committee on Science and Technology appeared first on Linux Foundation.

In Memory of Shubhra Kar

Wed, 05/11/2022 - 01:45

This past week, we lost our dear friend, colleague, and a true champion of the open source community. Our CTO, Shubhra Kar, passed away suddenly while he was with his entire LF family at our first in-person, all-hands gathering since before the pandemic. 

Those who had the honor to work with him will know that he was a special leader and a wonderful human being. Above all, Shubhra was the kind of leader who quickly passed the credit for accomplishments to his team over himself. His humble spirit and ever-present smile were admired by all around him. He was so proud of the world class team he had built here, and did that in part with engineers who followed him from one organization to another throughout his career.

We also knew Shubhra as a selfless leader – one who was more interested in the work than the reward. At the same time, he was incredibly ambitious – wanting to build a platform that would not only transform The Linux Foundation but support open source development communities around the world. This was the week his team unveiled significant new enhancements across the LFX platform. It was a project he led from vision to reality, after many – even members of his own team – had told him the path to success was impossible. He was a transformational leader who has left his legacy here.

While he was passionate about his work and his team, he loved his family even more. In fact, his children were often spotted behind him during video calls throughout the day. He was a fantastic husband and father, and we are so grateful for his wife, son, and daughter sharing him with us. 

Sharing Memories

Our thoughts and prayers remain with Shubhra’s family in this incredibly difficult time. If you would like to leave a memorial message for Shubhra, please submit a pull request on GitHub here. His family would love to hear from you and especially appreciates stories that are shared of his life and career.

Memorial Fund

The Linux Foundation has made arrangements with the family to establish Shubhra’s memorial fund that will provide support for his family and his children’s education.  Donations can be made to the family here.


Create Impact Change with the 2022 Call for Code

Tue, 05/10/2022 - 22:04


I am always amazed at the impact we all have coming together, using our collective talents for good. Combining our collective brain power, skills, time, and resources produces stellar results – maybe it is better rendering management for films that entertain with mind-bending CGIs or improving automated software testing and deployment so developers can spend more time on innovation. Human ingenuity is amazing! 

Imagine our impact when we come together for good. When we see communities who need a collective leg up in life, or when we see injustice and foresee ways to balance the scale, or when we see the devastation in the wake of natural disasters and know there is a better way. We want to make the lives of everyone better – it might seem daunting, but innovation is bred from not knowing what you can’t do. 

Facilitating this drive to help is what the Call for Code® project is about. It is, “creating and deploying open source technologies to tackle some of the world’s greatest challenges.” It is about thinking beyond yourself – using your talents to help others. 

Call for Code was created by David Clark Cause with Founding Partner IBM and in partnership with United Nations Human Rights and The Linux Foundation. The goal is to inspire “developers to create practical, effective, and high-quality applications that can have an immediate and lasting impact on humanitarian issues as sustainable open source projects.” The Linux Foundation helps take the raw innovation and put in place the right tools to enable an impact across the world: instill best practices, engage external partners, provide feedback, and test them in the real world.

Call for Code 2022

The Call for Code 2022 is now open for registration. The focus this year is on sustainability. Do you have an idea to improve sustainable production, consumption, and management of resources, reduce pollution creation, and protect biodiversity? Keep reading. You don’t have a world-changing idea? Keep reading – you just might light a spark of ingenuity. 

For this year, specifically, your solution should address: carbon emissions; clean energy; supply chain transparency and traceability; water scarcity and quality; reducing waste footprints; biodiversity; food insecurity; and education access and job opportunities to further environmental justice. And, no, this isn’t just for software developers. Each well-rounded team needs builders, designers, communicators, and humanitarians.  

There is a total of $285,000 in prizes, all winners will receive open source support from The Linux Foundation, and all participants will receive a variety of support, such as IBM Cloud services, accelerators, expert webinars, mentors, and more.

Registration opened April 26, 2022 and final submissions are due October 31, 2022. Visit callforcode.org for detailed information and requirements and to register. 

Call for Code 2021 Winners

Do you still need some inspiration? Take a few minutes to read about the 2021 winners. Half of the projects focus on racial justice – and those are the ones I want to take a moment to highlight. If you see one that inspires you, click through to learn more and for ways you can contribute: 

Fair Change allows people to easily record public safety incidents in a safe and secure way with a goal of more transparency, reeducation, and reform. 

TakeTwo utilizes machine learning to highlight potentially racially insensitive language on websites you are browsing in Chrome. 

Legit-Info provides information on policy proposals at various levels of government. It communicates the potential impact without legalese and facilitates sharing opinions with policy makers. It also gives policy makers visibility into how diverse citizens will be impacted.

Open Sentencing helps public defenders understand and document any racial disparities in the judicial system.

Five Fifths Voter helps remove impediments to voting by providing information on voter registration, voter ID laws, restrictions, purging, gerrymandering, and tools that make it easier to vote, such as childcare at the voting stations.

Incident Accuracy Reporting System enables victims and witnesses to contribute to incident reports to help give law enforcement and the public a 360-degree view of events that took place at any incident. It utilizes Hyperledger blockchain to ensure transparency, trust, and that information can’t be altered. 

Truth Loop is a mobile-friendly tool to see pending legislation, learn about it, record your own story related to the legislation and its impact, and share that with policy makers.

Call for Code also has seven other projects related to natural disasters and stemming the impact of climate change, including monitoring the real-time air health for wildland firefighters, democratizing earthquake monitoring, inspecting buildings, facilitating drone canvassing and delivery of supplies following a natural disaster, and helping farmers optimize water use. Finally – they have a project, Rend-o-Matic, that enables musicians to remotely record their individual track in a composition and stitches them all together into the final, virtual performance. 

Join a Call for Code Project

Call for Code is making a difference! Are you experiencing some FOMO? Want to join in? Good news – fear no more. You can! And you don’t even have to be a technical person. Besides the need for a wide range of technical specialists, the projects can also utilize individuals for documentation, testing, design, UI/UX, legal, subject matter experts, advocacy, and community building. Just head over to our Call for Code page and help work on these projects. 

Do you have another idea around sustainability?  Register for the Call for Code 2022 now and pull together your team.  

Let’s show the world the impossible is possible.

Demi Ajayi and Daniel Krook joined forces at a keynote session for the 2021 All Day DevOps conference to talk about the Call for Code, the 14 current projects, and how individuals can become involved with them. 


OpenSSF Announces 15 New Members To Further Strengthen Open Source Software Supply Chain Security

Tue, 05/10/2022 - 00:30

Expands core working groups ahead of OpenSSF Day

SAN FRANCISCO, May 9, 2022 – The Open Source Security Foundation (OpenSSF), a cross-industry organization hosted at the Linux Foundation that brings together the world’s most important software supply chain security initiatives, today announced 15 new members from leading software development, cybersecurity, financial services, communications, and academic sectors.

This round of commitments is led by two new premier members, Atlassian and Sonatype, who will join the OpenSSF governing board. New general member commitments come from Arnica, Bloomberg, Comcast, Cycode, F5 Networks, Futurewei Technologies, Legit Security, Sectrend, SUSE, and Tenable.

“We are thrilled to welcome Atlassian and Sonatype, two companies who play critical roles in modern software development and security, to the OpenSSF governing board,” said Brian Behlendorf, General Manager at OpenSSF. “Open source software supply chain attacks threaten the very foundations of innovation that billions of people rely upon. Our 15 new members join a growing community of organizations, developers, researchers, and security professionals that are investing time and resources required to respond in this constantly evolving threat landscape.”

Open source software has become the foundation on which our digital economy is built. As noted in the Linux Foundation’s 2022 Software Bill of Materials (SBOM) and Cybersecurity Readiness report, 98% of organizations use open source regularly. The same study revealed that 72% of organizations are very or extremely concerned about software security. Recent vulnerabilities, such as the one impacting Log4j, have caused many organizations to prioritize software supply chain security and realize the need to be fully abreast of the open source ecosystem, as well as contributing to it. From governments to businesses, open source security has been brought to the top of the agenda as a priority issue to address and as a result, OpenSSF is seeing membership rise at a rapid pace.

The latest commitments follow a productive period for OpenSSF in which the foundation expanded its core working groups to include Securing Software Repositories. This group aims to improve cybersecurity practices where developers download open source packages most often. 

Furthermore, on June 20th, the foundation will host a full day of sessions at OpenSSF Day. Presentations, delivered by working group leaders, will include subjects such as Best Practice Badges and Other Good Practices, Three Things Your Open Source Project Must Consider, and Securing Critical Projects. The day will conclude with a panel discussion on the Future of Securing Open Source Software. Registration and attendance are free for all those attending the Open Source Summit conference.

Premier Member Quotes

Atlassian

“Open source software is critical to so many of the tools and applications that are used by thousands of development teams worldwide. Consequently, the security of software supply chains has been elevated to the top of most organizations’ priorities in the wake of recent high-profile vulnerabilities in open source software. Only through concerted efforts by industry, government and other stakeholders can we ensure that open source innovation continues to flourish in a secure environment. This is why we are happy to be joining OpenSSF, where we can collaborate on key initiatives that raise awareness and drive action around the crucial issues facing software supply chain security today. As a premier member, we’re excited to be a key contributor to driving meaningful change and we are optimistic about what we can achieve through our partnership with OpenSSF and like-minded organizations within its membership.” – Adrian Ludwig, Chief Trust Officer, Atlassian

Sonatype

“As the maintainers of the largest repository of open source components in Maven Central, we have a unique view into how great the demand for open source has become in recent years. However, as that demand has grown, bad actors have recognized the power of open source and are seeking to use that against the industry. As these software supply chain attacks become more commonplace, open source developers have become the frontline of this battle. Our key mission at Sonatype is to help people understand their software supply chain, and harness all of the good that open source has to offer, without any of the risk. OpenSSF and its members share a similar vision. I’m excited to play a bigger role in OpenSSF as a board member and collectively work with other members to keep open source ecosystems safe and secure, as we all figure out how to battle both new and old attacks on the community.” – Brian Fox, CTO and co-founder, Sonatype

General Member Quotes

Arnica

“Software supply chain attack vectors have consistently caught the security community off-guard. Based on Arnica’s research across all attacks since 2018, we found two consistent root causes. One, improper access management to source code and two, inability to detect abnormal behavior in the developer toolset. The journey to solve these gaps is long and we are working on perfecting each risk mitigation strategy one-by-one, starting with introducing the first-ever self-service access management for GitHub.” – Nir Valtman, Co-Founder and CEO, Arnica

Bloomberg

“We are incredibly excited to join the Open Source Security Foundation (OpenSSF), whose values of public good, openness and transparency, and diversity, inclusion, and representation, align with those of Bloomberg. As an ‘Open Source First’ organization, we greatly value open source and its use within the finance sector, and we are fully committed to helping secure the open source software supply chain, something we have invested in via an ongoing collaboration between our CTO Office and Engineering organization.” – Gavin McNay, Security Architect in Bloomberg’s CTO Office

Comcast

“Comcast is committed to open source software. We use it to build products, attract talent, and develop our technology to improve the customer experience. When it comes to open source security, everyone plays a role. We are thrilled to join OpenSSF with the global open-source community to see how we can continue to evolve to make open-source development even more secure.” – Shilla Saebi, Open Source Program Office Lead, Comcast Cable

F5 Networks

“The growth of open source usage has magnified the importance of advancing OSS supply chain security for all, which can only be achieved as a shared priority among the industry. At F5, we are committed to ensuring our customers’ apps are fast, available and secure in any environment. That is why we value the work of the Open Source Security Foundation and its participating members, and look forward to sharing our domain expertise to help advance this important work.” – Geng Lin, EVP and Chief Technology Officer, F5

Futurewei Technologies

“OpenSSF is a premier and leading organization on open source security. Futurewei is very excited to join OpenSSF, and to engage in the conversations on the important topics of open source security and sustainability. We look forward to exciting discussions and collaborations with OpenSSF.” – Chris Xie, Head of Open Source Strategy and Business Development 

Legit Security

“Legit Security is pleased to join OpenSSF to advance the security of software supply chains within the open-source ecosystem as well as giving organizations tools to secure the infrastructure that makes up the SDLC – such as pipelines and systems. Attacks on software supply chains are estimated to increase between three to six times per year and are a global threat. We look forward to working with OpenSSF to publish security research and contribute tools and code for more secure software delivery and consumption across the entire community.” – Liav Caspi, CTO of Legit Security

Sectrend

“We feel very excited to be a part of this industry-leading Open Source Security foundation (OpenSSF). Together with other top-notch peers around the globe in various sectors under this initiative, we, Sectrend, are aiming to assist organizations of any size address the security and license compliance risks from open-source software. Securing the software supply chain is very critical for every company. Within the framework of OpenSSF or the Linux Foundation, Sectrend will make a tremendous contribution to this community-driven process in tooling, training, research, best practices, and consulting. Beyond Security, More than Open Source.” – Alex Xue, CEO, Sectrend

SUSE

“According to recent research in an Economist Impact survey, 95% of organizations are practicing open innovation, demonstrating how open source software is critical to business’s infrastructure and applications. With this comes the need for software to be secure and is why SUSE takes a proactive stance against security and compliance risks, leveraging tools for full lifecycle security including vulnerability management, CI/CD pipeline security, run-time security and government security certifications. SUSE is joining OpenSSF to further collaborate with the efforts to ensure the security of the open source software supply chain.” – Brent Schroeder, Head of SUSE’s Office of the CTO

Tenable

“We’re proud to be part of OpenSSF and join so many industry peers who understand the critical importance of securing open-source software and its associated supply chain. Log4j showed the world how pervasive OSS use is and how vulnerable it can be if the proper development and controls are not put in place to protect it. Tenable’s commitment to increasing visibility in attack surfaces includes shifting left to secure software development and helping organizations understand where the risks are throughout their systems.” – Glen Pendley, CTO, Tenable

The foundation also announced new Associate Members, including the Eclipse Foundation, China Academy of Information and Communications Technology (CAICT) and Chinese Academy of Sciences (ISCAS). 

Additional Resources

  • View the complete list of the OpenSSF members
  • Attend OpenSSF Day at the Linux Foundation’s Open Source Summit on June 20 
  • Contribute efforts to one or more of the active OpenSSF working groups
  • Read the OpenSSF and Harvard’s Census II Report, shedding light on the most commonly used FOSS packages at the application library level

About OpenSSF

Hosted by the Linux Foundation, the OpenSSF (launched in August 2020) is a cross-industry organization that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. It combines the Linux Foundation’s Core Infrastructure Initiative (CII), founded in response to the 2014 Heartbleed bug, and the Open Source Security Coalition, founded by the GitHub Security Lab to build a community to support open source security for decades to come. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit: https://openssf.org/

About the Linux Foundation

Founded in 2000, the Linux Foundation and its projects are supported by more than 1,800 members, and it is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. The Linux Foundation’s projects are critical to the world’s infrastructure, including Linux, Kubernetes, ONAP, Node.js, Hyperledger, RISC-V, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at: linuxfoundation.org

Media Contacts

Babel for OpenSSF

openssf@babelpr.com


Open@RIT: The Birth of an Academic OSPO

Sat, 05/07/2022 - 01:17

This post originally appeared on Linux.com. The author, Stephen Jacobs, is the director of Open@RIT and serves on the Steering Committee of the TODO Group and served as a pre-board organizer of the O3DE Foundation. Open@RIT is an associate member of the Linux Foundation. 

What Is An Academic OSPO?

The academic space has begun to see activity around the idea of Open Source Program Offices at colleges and universities.  Like their industry counterparts, these offices lead or advise administrative efforts around policy, licensing compliance, and staff education.  But they can also be charged with efforts around student education, research policies and practices, and the faculty tenure and promotion process tied to research.

Johns Hopkins University (JHU) soft-launched their OSPO in 2019, led by Sayeed Choudhury, Associate Dean for Research Data Management and Hodson Director of the Digital Research and Curation Center at the Sheridan Libraries, in collaboration with Jacob Green of MOSS Labs. Other universities and academic institutions took notice.

Case Study: Open@RIT

I met Green at RIT’s booth at OSCON in the summer of 2019 and learned about JHU’s soft launch of their OSPO.  Our booth showcased RIT’s work with students in Free and Open Source humanitarian work. We began with a 2009 Honors seminar course in creating educational games for the One Laptop per Child program. That seminar was formalized into a regular course, Humanitarian Free and Open Source Software. (The syllabus for the course’s most recent offering can be found at this link)

By the end of 2010, we had a complete “Course-to-Co-Op lifecycle.” Students could get engaged in FOSS through an ecosystem that included FOSS events like hackathons and guest speaker visits, support for student projects, formal classes, or a co-op experience. In 2012, after I met with Chris Fabian, co-founder of UNICEF’s Office of Innovation, RIT sent FOSS students on Co-Op to Kosovo for UNICEF. We later formally branded the Co-Op program as LibreCorps. LibreCorps has worked with several FOSS projects since, including more work with UNICEF. In 2014 RIT announced what Cory Doctorow called a “Wee Degree in Free,” the first academic minor in Free and Open Source Software and Free Culture. 

All of these efforts provided an excellent base for an RIT Open Programs Office. (More on that missing “s” word in a moment.) With the support of Dr. Ryne Raffaelle, RIT’s VP of Research, I wrote a “white paper” on how such an office might benefit RIT. RIT’s Provost, Dr. Ellen Granberg, suggested a university-wide meeting to gauge interest in the concept, and 50 people from 37 units across campus RSVP’d to the meeting. A subset of that group worked together (online, amid the early days of the pandemic) to develop a “wish list” document of what they’d like to see Open@RIT provide in terms of services and support. That effort informed the creation of the charter for Open@RIT approved by the Provost in the summer of 2020.

An Open Programs Office

Open@RIT is dedicated to fostering “Open Across The University” as a collaborative engine for Faculty, Staff, and Students. Its goals are to discover and grow the footprint of RIT’s impact on all things Open including, but not limited to, Open Source Software, Open Data, Open Science, Open Hardware, Open Educational Resources, and Creative Commons licensed efforts; what Open@RIT refers to in aggregate as “Open Work.” To highlight the wide constituency being served, the choice was made to call it an Open Programs Office to avoid being misread as an effort focusing exclusively on software. The IEEE (which Open@RIT partners with), in their SA Open effort, made the same choice.

In academia, there’s growing momentum around Open Science efforts. Open Science (a term that gets used interchangeably with “Open Research” and “Open Scholarship”) refers to a process that keeps all aspects of scientific research, from the formation of a research plan onward, in the Open. This Scientific American Op-Ed (that mentions Open@RIT) points to the need for academia to become more Open. Open Educational Resources (i.e., making course content, texts, etc., Free and Open) is another academic effort that sees broad support and somewhat lesser adoption (for now).

While the academic community favors Open Science and Open Educational Resource practices, it’s been slow to adopt them. This recently released guide from the National Academies of Science, Engineering, and Mathematics, a bellwether organization, adds pressure to academia to make those changes.

What’s Open@RIT Done Since The Founding? Drafting Policies and Best Practices Documents

Policy creation in academia is and should be slow and thoughtful. Open@RIT’s draft policy on Open Work touches every part of the research done at the university. It’s especially involved as it needs to cover three different classes of constituents: Students, who own their IP at RIT (a rarity in academia) except when the university pays them for the work that they do (research assistantships, work-study jobs, etc.); Staff (the University owns their IP in most cases); and Faculty. The last are a special case in that researchers and scientists are expected to publish their work but may need to work with the university to determine commercialization potential. It also needs to address software, hardware, data, etc.

Our current draft is making the rounds to the different constituencies and committees, and that process will be completed at some point in academic year 21-22.  In the meantime, parts of it will be published as Open@RIT’s best practices in our playbook, targeted for release before the end of Fall semester. Our recommendations for citing and supporting Open Work in Tenure and Promotion will also be part of the playbook and its creation is supported by the Alfred P. Sloan Foundation grant and by the LFX Mentorship program.

Faculty and Staff Professional Development

In October of 2020, The Alfred P. Sloan Foundation funded a proposal by Open@RIT that supports some general efforts of the unit and, in particular, a LibreCorps team to support what we’re now calling the Open@RIT Fellows Program. We’re charged with supporting 30 faculty projects over two years and already have twenty-one that have registered, with about one-third of those project support requests completed or in progress. In many ways, the Open@RIT Fellows program could be considered an “Inner Source” effort.

This Zotero curated collection of articles, journal papers, book chapters, and videos on various aspects of Open Work and Open scholarship is the first step in our professional development efforts. It includes links to drafts of our recommendations around releasing Open Work and on building your evaluation, tenure and promotion cases with Open Work. We hope to offer professional development-related workshops in late fall or early spring of the coming AY.

Student Education

Open@RIT is wrapping up our “Open Across the Curriculum” efforts.  While we’ve had several courses and a minor in place, they mostly were for juniors and seniors.  Those classes were modified to begin accepting sophomores, and some new pieces are being brought into play.

At RIT, students are required to take an “Immersion,” a collection of three courses, primarily from liberal arts, designed to broaden students’ education and experiences outside of their majors. The Free Culture and Free and Open Source Computing Immersion does just that and opens to students this fall.

Within the month, Open@RIT will distribute a set of lecture materials to all departments for opt-in use in their freshman seminars that discuss what it means for students to own their IP in general and, specifically, what Opening that IP can mean in science, technology, and the arts.

Once the last pieces fall into place, students will be able to learn about Open as Freshmen, take one or both of our foundational FOSS courses Humanitarian Free and Open Source Software and Free and Open Source Culture as Sophomores and then go on to the Immersion (three courses) or the Minor (five courses) should they so choose.

Advisory Board and Industry Service

Open@RIT meets three times a year with our advisory board, consisting of our alums and several Open Source Office members from Industry and related NGOs.

Open@RIT is active in FOSS efforts and organizations that include IEEE SA Open, Sustain Open Source’s Academic and Specialized Projects Working Group and CHAOSS Community’s Value working group.

Next Steps

By the end of 2022, Open@RIT will complete all of the points in its charter, hold a campus conference to highlight Open Work being done across the university, and complete a sustainability plan to ensure its future.


The Open 3D Foundation Welcomes Microsoft as a Premier Member to Advance the Future of Open Source 3D Development

Sat, 04/30/2022 - 00:14

Microsoft joins over 25 organizations committed to democratizing 3D software development for games and simulations

SAN FRANCISCO – April 29, 2022 – The Open 3D Foundation (O3DF) is proud to welcome Microsoft as a Premier member alongside Adobe, AWS, Huawei, Intel, and Niantic. Microsoft’s participation in the project brings a wealth of knowledge and thought leadership that continues to reinforce how strongly the industry believes in making a high-fidelity and fully-featured open-source 3D engine available to every industry unencumbered by commercial terms. 

Microsoft Principal Group Program Manager Paul Oliver will join the Governing Board of O3DF, supporting the Foundation’s commitment to ensure balanced collaboration and feedback that meets the needs of the Open 3D community. The Governing Board cultivates innovative relationships among stakeholders to drive the Foundation’s strategic direction and its stewardship of 3D visualization and simulation projects. 

“Microsoft’s roots in creativity run deep, and we want to help creators wherever they are, whoever they are, and whatever platform they’re creating for. Having the Linux Foundation create the Open 3D Foundation is a fantastic step towards helping more creators everywhere and we are excited to be a part of it.”

This move builds on Microsoft’s continued commitment to democratizing game development and making its tools and technologies available to game creators worldwide. Last year, the company made its Game Development Kit available to all developers through GitHub. With its new engagement with O3DF, Microsoft is extending a commitment to opening up technology to everyone.

“We are elated to have Microsoft join the Open 3D Foundation as a Premier member,” said Royal O’Brien, Executive Director of O3DF and General Manager of Games and Digital Media at the Linux Foundation. “Having incredible industry veterans like Microsoft contributing and helping drive innovation with the community for 3D engines is a huge benefit to the open-source community and the companies that use it alike.”

A Growing Community

Microsoft is one of 25 member companies that have joined since the public announcement of the Open 3D Foundation in July 2021. In November 2021, Open 3D Engine (O3DE) announced its first major release. The 21.11 Release allows simulation developers to create 3D content with the new O3DE Linux editor and engine runtime. This release also added a new Debian package and Windows installer that provide a faster route to getting started with the engine. The O3DE community is very active, averaging up to 2 million line changes and 350-450 commits monthly from 60-100 authors across 41 repos.

Where to See the Open 3D Engine Next

On June 20, the Open 3D Foundation will host Open 3D Connect, a half-day interactive meet-up, co-located with the Linux Foundation’s Open Source Summit North America in Austin, Texas. Learn more here.

Additionally, on October 18-19, the Open 3D Foundation will host its flagship conference, bringing together technology leaders, indie and independent 3D developers, and the academic community to share ideas, discuss hot topics and foster the future of 3D development across a variety of industries and disciplines. For those interested in sponsoring this event, please contact pr@o3d.foundation.

Anyone interested in the Open 3D Engine is invited to get involved and connect with the community on Discord.com/invite/o3de and GitHub.com/o3de.

About the Open 3D Engine (O3DE) project

The Open 3D Engine (O3DE) is the flagship project managed by the Open 3D Foundation (O3DF). The open-source project is a modular, cross-platform 3D engine built to power anything from AAA games to cinema-quality 3D worlds to high-fidelity simulations. The code is hosted on GitHub under the Apache 2.0 license. To learn more, please visit o3de.org.

About the Open 3D Foundation

Established in July 2021, the mission of the Open 3D Foundation (O3DF) is to make an open-source, fully-featured, high-fidelity, real-time 3D engine for building games and simulations, available to every industry. The Open 3D Foundation is home to the O3DE project. To learn more, please visit o3d.foundation.

About the Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

Media Inquiries:

pr@o3d.foundation

The post The Open 3D Foundation Welcomes Microsoft as a Premier Member to Advance the Future of Open Source 3D Development appeared first on Linux Foundation.

How Project Lura is Improving APIs

Fri, 04/29/2022 - 20:20

APIs (Application Programming Interfaces) provide exponential growth opportunities for what the web and its data and applications can do for us. Since APIs allow for sharing of data between applications, doors open to what is possible as the strengths of disparate systems are combined into a new one. 

While we live in an API-driven world, it can be difficult and burdensome to connect and maintain systems via an API. Reducing those barriers opens even more doors and lets people like me, who have more ideas than skills, try things out. Enter API gateways to help ease the burden. 

But not all API gateways are created equal. The Lura Project, formerly the KrakenD open source project, is a framework for building API gateways that goes beyond simple reverse proxy, functioning as a stateless, distributed, high-performance aggregator for many microservices. It is also a declarative tool (tell it what you need rather than how to do it) for creating endpoints. Albert Lombarte, the executive director of The Lura Project and the CEO of KrakenD, elaborates, “An API gateway framework is a tool that is between the clients, the consumers of an API, and the backend services, which actually have the data that the users want to consume. So an API gateway is a product that makes possible things like security, where rate-limiting, authorization, load balancing, all of that happens without needing to implement that in the backend part.”
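As an added illustration of the pipeline Lombarte describes, the Go program below is example code written for this page, not Lura’s or KrakenD’s own code: a declarative endpoint definition, an API-key authorization check, a per-client rate limit and an aggregator that merges the JSON replies of two backends into one response, all of it in the gateway and none of it in the backends. The endpoint schema, the X-API-Key header, the static keys and the two fake backends are assumptions made for the example; Lura’s real configuration format and middleware are not reproduced here.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// Endpoint is a declarative endpoint definition (assumed shape, not Lura's real schema).
type Endpoint struct {
	Path     string          `json:"endpoint"`
	Backends []string        `json:"backends"`
	Keys     map[string]bool `json:"api_keys"` // hypothetical static keys; real gateways validate JWTs
	RatePerS int             `json:"rate_per_second"`
}

// Gateway is stateless apart from a fixed-window request counter per client.
type Gateway struct {
	ep     Endpoint
	mu     sync.Mutex
	window time.Time
	counts map[string]int
	now    func() time.Time // injectable clock so RunDemo is deterministic
}

// allow counts requests per client in one-second windows; false means over limit.
func (g *Gateway) allow(client string) bool {
	g.mu.Lock()
	defer g.mu.Unlock()
	if now := g.now(); now.Sub(g.window) >= time.Second {
		g.window, g.counts = now, map[string]int{}
	}
	g.counts[client]++
	return g.counts[client] <= g.ep.RatePerS
}

// aggregate queries each backend and merges their top-level JSON keys into one
// document (sequentially here; a production gateway fans out concurrently).
func (g *Gateway) aggregate() (map[string]any, error) {
	merged := map[string]any{}
	for _, u := range g.ep.Backends {
		resp, err := http.Get(u)
		if err != nil {
			return nil, err
		}
		var part map[string]any
		err = json.NewDecoder(resp.Body).Decode(&part)
		resp.Body.Close()
		if err != nil {
			return nil, err
		}
		for k, v := range part {
			merged[k] = v
		}
	}
	return merged, nil
}

// ServeHTTP is the pipeline: authorize, then rate-limit, then aggregate. The
// order matters: unauthenticated traffic cannot drain a legitimate key's quota.
func (g *Gateway) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	key := r.Header.Get("X-API-Key")
	switch {
	case !g.ep.Keys[key]:
		http.Error(w, "unauthorized", http.StatusUnauthorized)
	case !g.allow(key):
		http.Error(w, "rate limited", http.StatusTooManyRequests)
	default:
		if out, err := g.aggregate(); err != nil {
			http.Error(w, "bad gateway", http.StatusBadGateway)
		} else {
			w.Header().Set("Content-Type", "application/json")
			json.NewEncoder(w).Encode(out)
		}
	}
}

// RunDemo starts two constructed backends behind one endpoint limited to 2 req/s and
// returns the status codes of four calls (valid key, wrong key, valid key, valid key
// over quota) plus the merged body of the first call.
func RunDemo() ([]int, map[string]any) {
	fake := func(body string) *httptest.Server {
		return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte(body)) }))
	}
	users, orders := fake(`{"user":{"id":42,"name":"ada"}}`), fake(`{"orders":[{"id":1,"total":9.5}]}`)
	defer users.Close()
	defer orders.Close()
	ep := Endpoint{Path: "/profile", Backends: []string{users.URL, orders.URL}, Keys: map[string]bool{"key-ada": true}, RatePerS: 2}
	gw := &Gateway{ep: ep, now: func() time.Time { return time.Unix(0, 0) }} // frozen clock: one window
	codes, merged := []int{}, map[string]any{}
	for i, key := range []string{"key-ada", "wrong-key", "key-ada", "key-ada"} {
		req := httptest.NewRequest(http.MethodGet, ep.Path, nil)
		req.Header.Set("X-API-Key", key)
		rec := httptest.NewRecorder()
		gw.ServeHTTP(rec, req)
		codes = append(codes, rec.Code)
		if i == 0 {
			json.Unmarshal(rec.Body.Bytes(), &merged)
		}
	}
	return codes, merged
}
```

RunDemo returns the codes 200, 401, 200 and 429 in that order: the wrong key is refused before it touches the counter, and the third valid call exceeds the two-per-second quota. A fixed window is the simplest limiter and allows a burst of up to twice the quota across a window boundary; a token bucket smooths that out, and a gateway with several replicas keeps the counters in a shared store rather than in process memory.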

KrakenD was created six years ago as a library for engineers to create fast and reliable API gateways and has since been in production among some of the world’s largest Internet businesses. In order to keep up with the demand from the community, in 2021 KrakenD decided to host the project at The Linux Foundation. Lombarte said, “By being hosted at the Linux Foundation, the Lura Project will extend the legacy of the KrakenD open source framework and be better poised to support its massive adoption among more than one million servers every month. The Foundation’s open governance model will accelerate development and community support for this amazing success.”

To learn more about the project, watch Albert’s interview with Swapnil Bhartiya of TFiR and go to the project’s website. Then, join the community. You can help create better tools so we can utilize APIs for even more than we can imagine today. 


The post How Project Lura is Improving APIs appeared first on Linux Foundation.

The Future of Banking is Open

Fri, 04/29/2022 - 19:31

This article is written by Kris Sharma, Financial Services Sector Lead, Canonical and originally appeared on the FINOS blog

The banking sector is facing rapid and irreversible changes across technology, customer behaviour, and regulation. While customers are demanding ever higher levels of service and value and regulations are impacting business models and economics, technology can be a potent enabler of both customer experience and effective operations.

The banking industry will look radically different in the near future as new banking models will bring a lot of product and service innovation. There is a new wave of digital-only banks across the globe challenging traditional banking players. The digital-only banks are tightening the competitive landscape and the competition would create the impetus for banks to do more with technology and provide better customer services. In this quickly shifting landscape, financial institutions of all shapes and sizes need to find every possible way to respond and compete. This is where technology and innovation matters – having an open and flexible technology architecture driving business agility.

Open source technologies and open innovation have the potential to level the playing field and accelerate the pace of digital business transformation enabling financial institutions to get products and services to market faster and help solve the challenges facing the financial services industry.

Open Source is Everywhere

A recent report by The Linux Foundation and The Lab for Innovation Science at Harvard highlights that open source constitutes 80% of any given piece of modern software. In the last few years, financial institutions have already been leveraging open source across a broad spectrum, from its use in back-end technologies to regulator mandated Open Banking in the UK and PSD2 in Europe. The massive compute landscape, data storage and processing capabilities of financial institutions, and the trading infrastructure is largely run on open source Linux platforms. By plugging-in open source technology solutions, financial institutions are able to free up valuable resources to focus efforts on integration and create business value.

Open Source Drives Innovation and Delivers Business Value

The real draw of open source in financial services is the ability to explore and innovate with new technologies, to easily scale the solutions that deliver real competitive advantage and to reduce the overall cost of managing vast IT infrastructures through the use of common, best-of-breed open source technologies.

Open source platforms can be likened to working or playing with building blocks because developers are uninhibited by design constraints – they are free to innovate and develop new business value and differentiation for enterprise applications. The flexibility and adaptability is unmatched by any proprietary platform.

Open source often provides the foundational technology, including languages, libraries, and database technologies that lays a rich foundation to quickly develop enterprise applications. Financial institutions can maintain cost-effectiveness while tapping into the expertise of the open-source user community.  Open source communities fuel the developer velocity and developers have a lot of access to tools through APIs and services.

Financial institutions are under pressure to increase business flexibility and the velocity of innovation with the same or fewer resources. Open source technologies are paving the way for financial services software development towards a future in which service offerings and applications can be rapidly constructed by assembling and integrating a wide variety of technical building blocks. By adding additional proprietary capabilities and functionality, banks can differentiate their offerings and drive consumer benefits.

FINOS and the Future of Open

The Fintech Open Source Foundation, which includes members and contributions from the financial services industry, develops open source software, standards and special interest groups whilst providing an independent setting to deliver solutions that address common banking challenges and drive innovation within the regulated industry.

Banks, fintechs and technology companies, at the forefront of the financial services industry and engineering in banking, are making long-term commitments to open source by collaborating within the foundation as FINOS members and uniting with a shared goal of “shaping the future of open source in financial services.”

Open source projects that have been contributed to FINOS by foundation member banks include Legend by Goldman Sachs, Morphir by Morgan Stanley, Perspective by JPMorgan Chase, and Waltz by Deutsche Bank. FINOS open source projects can be used directly from the FINOS GitHub Organisation and solve real-world banking problems, ranging from financial object modeling through Legend to mapping out internal banking systems through Waltz.

About the Author

Srikrishna ‘Kris’ Sharma is the Financial Services Sector Lead at Canonical. Over the last two decades, Kris has held various leadership positions at management consulting firms providing advisory services to Fortune 100 and FTSE 100 clients. As a trusted C-level advisor and Business- Technology Leader, Kris partners with organisations across industry sectors on open source and business transformation strategies and builds innovative solutions by leveraging open source. Kris focuses on creating strong ecosystem partnerships and sees himself as a change agent with a passion for transformation, open source product strategy and innovation.

The post The Future of Banking is Open appeared first on Linux Foundation.

LFPH Completes the Proof-of-Concept of its GCCN Trust Registry Network

Thu, 04/28/2022 - 04:26

This article originally appeared on the LF Public Health project’s blog. We republished it here to help spread the word about another impactful project made possible through open source. 

Linux Foundation Public Health (LFPH) launched the Global COVID Certificate Network (GCCN) project in June 2021 to facilitate the safe and free movement of individuals globally during the COVID pandemic. After nine months of dedicated work, LFPH completed the proof-of-concept (POC) of the GCCN Trust Registry Network in partnership with the Fraunhofer Institute for Industrial Engineering (Fraunhofer IAO), Symsoft Solutions and Finema in March 2022.

With the ambition to provide a complete suite of technology to address the many challenges for COVID certificates, such as interoperability, data security and privacy protection, LFPH began the GCCN project focusing on one of the challenges not being addressed—a global trust architecture that allows seamless integration of the disparate COVID credential types. At the time, many small and large centralized trust ecosystems that implemented different technical standards and policies, such as the EU Digital COVID Certificate, emerged and began to gain traction. However, without a platform that allows these ecosystems to discover and establish trust with each other, there wouldn’t be interoperability at the global level. The GCCN Trust Registry Network was created to solve exactly this problem.

“We started the GCCN work in response to COVID, but everything we do has a vision for solving the challenge of people needing multiple credentials and constant verifications. The GCCN Trust Registry Network makes possible a new, decentralized way of trust management, which helps revolutionize how identities are shared in a privacy-preserving way. At LFPH, we are dedicated to open source innovation for public health and patient identity. We look forward to working with our members, community and stakeholders to advance the GCCN work both in the US and internationally.” – Jim St.Clair, Executive Director of LFPH

Building on the open source TRAIN Trust Management Infrastructure funded by the European Self-Sovereign Identity Framework (ESSIF) Lab, the GCCN Trust Registry Network allows different COVID certificate ecosystems, which can be a political and economic union (e.g. the EU), a nation state (e.g. India), a jurisdiction (e.g. the State of California), an industry organization (e.g. ICAO) or a company (e.g. a COVID test administrator), to join and find each other on a multi-stakeholder network, and validate each other’s COVID certificate policies. This interaction is known as a discovery mechanism. Then, based on the discovery, verifiers decide whose certificates they accept, use the Trust Registry Network to build a customized trust list based on their entry rules, and check the source of each incoming certificate against that list to determine whether it comes from a trusted source. If it does, the verifier uses that issuer’s public key to verify the certificate’s signature and then decode its contents; a certificate that names a trusted issuer but does not verify under that issuer’s key is rejected. For more information about the technical mechanism behind the GCCN Trust Registry Network and how it works, please see our two recent articles, “How does a border control officer know if a COVID certificate is valid?” and “How does a border control officer know if a traveler meets entry rules?”.
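The discovery-then-verify flow described above, as an added example written for this page rather than GCCN or TRAIN code: a constructed registry of three issuers with Ed25519 keys, a verifier that builds its own trust list from an entry rule, and a check that first looks the certificate’s claimed source up on that list and only then verifies the signature under that issuer’s key. The issuer names, the JSON certificate layout, the entry rule and the Ed25519 choice are assumptions made for the example; real certificate schemes use their own encodings and signature formats.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Entry is one ecosystem on the registry network: its name, the certificate types
// its policy covers, and its signing key (constructed shape, not the GCCN/TRAIN model).
type Entry struct {
	Name      string
	CredTypes map[string]bool
	PubKey    ed25519.PublicKey
}

// Certificate is the signed payload; Issuer names the registry entry whose key must verify it.
type Certificate struct {
	Issuer  string `json:"issuer"`
	Type    string `json:"type"`
	Subject string `json:"subject"`
}

// Signed carries the exact bytes that were signed, so no re-serialisation is needed to verify.
type Signed struct {
	Payload   []byte
	Signature []byte // Ed25519 signature over Payload
}

// BuildTrustList is the discovery step: the verifier scans the shared registry
// and keeps only the issuers that its own entry rule accepts.
func BuildTrustList(registry []Entry, accept func(Entry) bool) map[string]ed25519.PublicKey {
	trusted := map[string]ed25519.PublicKey{}
	for _, e := range registry {
		if accept(e) {
			trusted[e.Name] = e.PubKey
		}
	}
	return trusted
}

// Verify checks the certificate's source against the trust list, then verifies the
// signature with that issuer's public key. The issuer name inside the payload is
// untrusted until the signature check passes; it only selects which key to try.
func Verify(trusted map[string]ed25519.PublicKey, s Signed) (Certificate, error) {
	var c Certificate
	if err := json.Unmarshal(s.Payload, &c); err != nil {
		return Certificate{}, err
	}
	pk, ok := trusted[c.Issuer]
	if !ok {
		return Certificate{}, fmt.Errorf("issuer %q is not on the trust list", c.Issuer)
	}
	if !ed25519.Verify(pk, s.Payload, s.Signature) {
		return Certificate{}, errors.New("signature does not verify under the issuer's key")
	}
	return c, nil
}

// sign is what an issuer does; only the issuer holds priv.
func sign(priv ed25519.PrivateKey, c Certificate) Signed {
	payload, _ := json.Marshal(c)
	return Signed{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// RunDemo builds a constructed registry of three issuers and a verifier whose entry rule
// is "vaccination certificates only", then reports which of four certificates it accepts.
func RunDemo() map[string]bool {
	registry, keys := []Entry{}, map[string]ed25519.PrivateKey{}
	for name, types := range map[string]map[string]bool{
		"EU-DCC":        {"vaccination": true, "test": true},
		"IN-Health":     {"vaccination": true},
		"QuickTest-Lab": {"test": true},
	} {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		registry = append(registry, Entry{Name: name, CredTypes: types, PubKey: pub})
		keys[name] = priv
	}
	// Entry rule: accept only issuers whose policy covers vaccination certificates.
	trusted := BuildTrustList(registry, func(e Entry) bool { return e.CredTypes["vaccination"] })
	genuine := sign(keys["EU-DCC"], Certificate{Issuer: "EU-DCC", Type: "vaccination", Subject: "traveller-1"})
	untrusted := sign(keys["QuickTest-Lab"], Certificate{Issuer: "QuickTest-Lab", Type: "test", Subject: "traveller-2"})
	// The test lab claims to be EU-DCC: the name is on the list, the key is not.
	spoofed := sign(keys["QuickTest-Lab"], Certificate{Issuer: "EU-DCC", Type: "vaccination", Subject: "traveller-3"})
	// A genuine certificate whose payload was edited after signing.
	tampered := Signed{Payload: bytes.Replace(genuine.Payload, []byte("traveller-1"), []byte("traveller-9"), 1), Signature: genuine.Signature}
	results := map[string]bool{}
	for name, s := range map[string]Signed{"genuine": genuine, "untrusted issuer": untrusted, "spoofed issuer": spoofed, "tampered": tampered} {
		_, err := Verify(trusted, s)
		results[name] = err == nil
	}
	return results
}
```

Only the genuine certificate is accepted. The test lab’s own certificate fails at the trust-list lookup because the verifier’s entry rule excluded it during discovery, and the spoofed and tampered ones fail at the signature check even though the issuer name they carry is on the list. Note that the public key never decrypts anything here; the certificate is signed, not encrypted, and the key’s only job is to prove that the named issuer produced exactly these bytes.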


The GCCN Trust Registry Network PoC is composed of two parts, onboarding to the Network and verification of COVID certificates using the Network. The PoC wouldn’t have been a success without the contributions of these partners and the ongoing support of the LFPH community. Fraunhofer IAO, the German research organization that developed the TRAIN Infrastructure, supported the effort throughout. Symsoft Solutions, a US-based enterprise web solutions provider, built the initial demo web application of the Network and web interface for the onboarding process of the POC. Savita Farooqui, the founder of Symsoft Solutions, has been co-leading the design and technical development of GCCN with LFPH staff. Finema, a Thai company specializing in decentralized identity solutions, developed the verifier app for the POC that demonstrates how a verifier can leverage the Network for verifications.

“By working with the LFPH team on the GCCN Trust Registry Network initiative, we had the opportunity to explore and extend the TRAIN Infrastructure for COVID certificate trust management. Prior to this work, TRAIN was already implemented for a variety of use cases such as IoT/Industry 4.0, verification of refugee educational documents. We believe that TRAIN will be able to provide lightweight solutions pertaining to trust management on a global scale for a wide range of public health scenarios. We are looking forward to working on the further developments of the GCCN Trust Registry Network based on the stakeholders’ needs for COVID and beyond.” – Isaac Henderson, Technical Architect, Fraunhofer IAO.

“The GCCN Trust Registry Network provides a model for managing global, distributed trust registries/authorities. The Network enrolls trust registries/authorities as entries and supports the structure and meta-data for a variety of trust registries, along with a mechanism to access and update the entries using machine and human accessible formats. We worked with the LFPH team to define the meta-data and workflows for enrollment, and developed the demo application to validate these requirements and the POC interface to integrate with the TRAIN infrastructure. We look forward to continuing to work with LFPH and other partners to further develop the GCCN Trust Registry Network and create a reusable trust management solution for use cases beyond COVID.” – Savita Farooqui, Founder, Symsoft Solutions

“Finema’s solution plays a big part in the verification of different digital vaccine credentials for the Thailand Pass portal that has been a major factor in reopening Thailand’s borders and encouraging global travel. Through that work, we saw and experienced a clear need for a highly secure global trust network that promotes greater interconnectivity and interoperability between various COVID vaccination credentials from different nations, organizations and individuals throughout the world. Finema was happy to support the POC development of the GCCN Trust Registry Network through our solutions, and we look forward to building further on this work for border reopening and other use cases.” – Pakorn Leesakul, CEO, Finema Co. Ltd.

LFPH will host two webinars about the POC: on May 10, 2022 at 8 am ET / 2 pm CEST, and May 11, 2022 at 7 pm PT / (+1d) 10 am HKT, to have a live demo and Q&A session.

In the meantime, if you have any questions about the GCCN Trust Registry Network and the POC, please email the LFPH team at info@lfph.io.

The post LFPH Completes the Proof-of-Concept of its GCCN Trust Registry Network appeared first on Linux Foundation.

LF Research: One Year Recap and Imagining the Future

Wed, 04/27/2022 - 20:05

When I started at The Linux Foundation (LF) a few weeks ago, our research was one of the first things I dug into as I absorbed and learned what all the LF does to advance open source. Plus, since I started, it seems like the LF Research team has published a new report every few days. What a wealth of information!

So, imagine my surprise when I learned that LF Research has just been around for one year. April 15th marked their one year birthday – and they have set the bar high in their first year. 

But are they making a difference? I know my inclination, especially having spent time working in government, is that research reports get published and then sit on virtual shelves, never to be seen again. But LF Research uses the open source model of bringing people together to solve problems and to share the solutions widely. They engage LF members and the community, across the ecosystem, to answer the question, what are the tools we can create, together, for shared value. And, importantly, their reports focus on action items.

Over the past twelve months, LF Research has published 12 reports across a variety of topics and industry verticals. Each of them are presented below. Take time to look at their work, dig in deeper on topics that interest you, and then go, make a difference. 

And  stay tuned for more impactful research in 2022 on topics such as cybersecurity insights in the developer process, mentorship, a guide to enterprise open source, an updated state of the open source program office, a new jobs report, and much, much more.

The Carbon Footprint of NFTs – NFTs are simultaneously overhyped and met with both skepticism and a general lack of understanding of what they are and how they work. Serious concerns have also been raised over energy-intensive proof-of-work (PoW) consensus mechanisms. The report, just released last week, studies the concern that energy-intensive PoW consensus mechanisms for NFTs have a significant impact on the climate. The report details the changes taking place in the blockchain industry to address this issue, and describes how NFTs can have varying carbon footprints depending on their underlying technology stacks. Read it to learn how we can make a difference now.

AI and Data in Open Source – The report reviews critical challenges in the open source AI ecosystem, such as the talent shortage, the trust gap for AI-enabled products, implementing and verifying trusted and responsible AI systems and processes, and more. But, with challenges are opportunities – opportunities that could change the world. Imagine how marrying AI with edge computing enhances performance and real-time decision making, or how CDLA licenses enable wider sharing and use of open data and the innovation that sparks in AI and machine learning models. The report also reviews how the LF AI & Data Foundation is empowering innovators and accelerating open source development. Read the full report and get excited!

Paving the Way to Battle Climate Change: How Two Utilities Embraced Open Source to Speed Modernization of the Electric Grid – New technology has to be easy to use and workable to be adopted widely enough to make a difference – this holds true in electricity production. As the energy sector innovates to do its part to arrest climate change, it must find solutions to ease the adoption of new energy sources. As the electricity infrastructure modernizes, electricity is provided into the grid from a variety of sources – homes, business, wind and solar farms, etc. – rather than just from the local power plant. It goes from TSOs (main power lines) to DSOs (the “last mile” so to speak). Netherlands’ Alliander, a DSO, and France’s RTE, a TSO, contributed to three LF Energy projects (SEAPATH, CoMPAS, and OpenSTEF) so their electrical substations will become more modular, interoperable, and scalable. This report digs into the case studies to show how working together via open source enables them to develop more software solutions up to ten times faster than working on their own proprietary solutions.

Open Source in Entertainment: How the Academy Software Foundation Creates Shared Value – Truth be told, when I try to explain open source software and what we foster at the LF among my friends and family, I use the Academy Software Foundation as an example. I mean, let’s be honest, movies are way more interesting and relatable than software supply chains or licensing. The ASWF also serves as a stellar example of why companies would want to join forces and collaborate on a common software solution – let’s share resources to make the foundational tools together and then innovate on top of that on our own. We can all grow together by raising the foundation we start at. This report is a story about industry competitors, who, by working together, have shared and developed the technologies used to create mesmerizing visual effects for professional studios and filmmaking enthusiasts alike. It should spark open source innovation in other industries too (see FINOS below). 

Census II of Free and Open Source Software – Application Libraries – There are more software vulnerabilities out there than there are resources available to fix them, so knowing which libraries are the most widely used, and which are used in the most critical places, allows for better resource prioritization. Makes sense, right? This report builds on the Census I report, which focused on the lower-level critical operating system libraries and utilities. It utilizes data from partner Software Composition Analysis (SCA) companies including Snyk, the Synopsys Cybersecurity Research Center (CyRC), and FOSSA. They looked at over half a million observations of Free and Open Source Software libraries used in production applications at thousands of companies. Read the report and see the data here.

The Evolution of the Open Source Program Office – The TODO Group is an LF project community to help organizations run successful and effective open source program offices or similar open source initiatives. This report was produced in partnership with them to provide rich insight, direction, and tools to implement an OSPO or an open source initiative with corporate, academic, or public sector environments. It also has case studies from Bloomberg, Comcast, and Porsche – the last of which was especially cool for the car geek in me. Check it out here

The State of the Software Bill of Materials (SBOM) and Cybersecurity Readiness – An SBOM is formal, machine-readable metadata that uniquely identifies a software package and its contents. It lets organizations determine quickly and accurately which software applications and libraries are in use, and where, so they can address vulnerabilities effectively. The report offers fresh insight into the state of SBOM readiness and helps organizations looking to better understand SBOMs as an important tool in securing software supply chains. They need to be adopted now – so go read the report.

Diversity, Equity, and Inclusion in Open Source – Diversity, equity, and inclusion (DEI) in the technology industry — and within open source specifically—is an opportunity we need to continuously leverage for the benefits it brings. In addition to the survey findings on the state of DEI, this research explores a number of DEI initiatives and their efficacy and recommends action items for the entire stakeholder ecosystem to further their efforts and build inclusion by design. Access the report here.

Data and Storage Trends Report – The SODA Foundation is an open source project under the Linux Foundation that fosters an ecosystem of open source data management and storage software for data autonomy. The report is based on a survey in English, Chinese, and Japanese-speaking markets to identify the current challenges, gaps, and trends for data and storage in the era of Cloud Native, edge, AI, and 5G. The intention is to use this survey data to help guide the SODA Foundation and its surrounding ecosystem on important issues and help its members be better equipped to make decisions, improve their products, and the SODA Foundation to establish new technical directions.

The State of Open Source in Financial Services Report – While the financial services industry has been a long-time consumer of open source software, contributing to software and standards development has not been at the core of their business models and tech strategies. This report creates a baseline of their current activities, highlights obstacles and challenges to improving industry-wide collaboration, and lays out a set of actionable insights for improving the state of open source in financial services. You can read the report here

9th Annual Open Source Jobs Report – The LF partnered with edX to shed light on the changes and challenges in the global open source jobs market. Employers can use its actionable insights to inform their hiring, training, and diversity awareness efforts. It also gives professionals clear, unbiased insights on which skills are most marketable and how reskilling and certifications benefit job seekers. Dig in here

Hyperledger Brand Study – The study explores the state of the enterprise blockchain market and the Hyperledger brand. It looks at whether enterprises have or are considering adopting blockchain, which solutions they are familiar with, what are desirable attributes of solutions, what problems they are addressing with blockchain technology, and much, much more. You can read the results and access the underlying data here

The post LF Research: One Year Recap and Imagining the Future appeared first on Linux Foundation.

NFTs should be green, too

Mon, 04/25/2022 - 21:00

Non-Fungible Tokens (NFTs) are an invention unique in human history whose role is fast extending beyond the speculative trends around collectibles to use cases that have a positive social impact. 

Through NFTs, a broad range of physical and virtual assets can be authenticated, providing transparency on ownership and underlying attributes of tokenized assets while preserving the privacy of individual owners. The cryptographic guarantees of NFTs make them well suited for use cases such as anti-counterfeiting, provenance tracking, and title transfer.

However, due to the high level of computational power required to mint an NFT on Proof of Work (PoW) blockchains, and the energy required to achieve the necessary computational power — which is primarily supplied by non-renewable fuel sources — the emissions from minting, transferring, and burning NFTs can be quite high.

It’s estimated that the mining activities associated with cryptocurrencies emit as much as 114.06 megatons of CO2 per year, equivalent to the same amount produced by the entire Czech Republic.

Most of this effect is caused by electricity usage, as blockchain networks are frequently energy-intensive due to their PoW consensus mechanisms. Based on current patterns, blockchain technology will account for 1% of global electricity consumption by 2025. However, not all digital assets qualify as energy-intensive.

In a new study, Linux Foundation Research and Hyperledger Foundation collaborated with Palm NFT Studio to examine the design architecture of NFTs and how their carbon footprints vary depending on their underlying technology stacks. In essence, not all blockchains are equally hazardous to the environment.

Download Report

The report also provides recommendations for how NFT creators can reduce the environmental impact of their work, such as by using an alternative consensus mechanism that is not carbon-intensive. Those mechanisms need to be robust enough to:

  • Reduce blockchain’s carbon footprint
  • Protect against coordinated blockchain attacks by increasingly consolidated mining computing power
  • Overcome blockchain scaling challenges, which are limited by both slow finality times and low volumes of transactions per second (on Ethereum and many other blockchains)

One such alternative in use today, among others, is the Proof of Stake (PoS) consensus mechanism, which is less computationally intensive than PoW. Rather than expending computation to solve cryptographic puzzles, those in control of a PoS blockchain’s upkeep stake (i.e., “pledge”) their currency, putting it in a type of escrow as a guarantee against fraud. If everything goes well, those who stake their tokens may earn a small profit through a share in block rewards. 

While we believe that a move to more environmentally-friendly NFTs by using alternative consensus mechanisms is an essential first step, it is not the only one needed to make the industry more sustainable. Sustainable practices for NFTs (and for the blockchain industry as a whole) start with reduction. Using renewable energy sources, such as solar and wind, can further reduce blockchain emissions. 

Beyond choosing sustainable blockchain architecture for issuing NFTs, carbon offsets are an important add-on to the sustainability equation. Offset projects can include a wide range of activities, from planting new forests to capturing methane gas from landfills. 

Measured, verified, and certified offsets allow a price to be placed on more carbon-intensive activities, providing companies and businesses with a way to incorporate these costs into their budgets. While embracing offset projects can lead to greenwashing claims, it’s important to choose certified initiatives in tandem with other efforts.

NFTs are here to stay, so now is the time for the industry to reduce its carbon footprint and become more sustainable by leveraging existing technologies and carbon offset opportunities. We hope this report serves as a starting point to inform such decisions.

Subscribe to LF Research

The post NFTs should be green, too appeared first on Linux Foundation.

The Linux Foundation Announces Conference Schedule for Open Source Summit North America 2022

Fri, 04/22/2022 - 01:24

The leading vendor-neutral open source event for technical and community contributors continues to focus on covering the most critical topics, innovative technologies and pivotal open source projects through its 14 sub-conferences.

SAN FRANCISCO, April 21, 2022 —  The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced the full schedule for Open Source Summit North America, the leading conference for open source developers and community leaders, taking place June 21-24 in Austin, Texas and virtually. The schedule can be viewed here and the previously announced keynote speakers can be viewed here.

Comprised of 14 events, including LinuxCon, Embedded Linux Conference, SupplyChainSecurityCon, CloudOpen, OSPOCon, Emerging OS Forum, ContainerCon and more, Open Source Summit North America 2022 will cover the most important and cutting edge topics and technologies touching open source today.  The schedule features 300 talks (keynote presentations, conference sessions, tutorials, and BoFs) and includes something for everyone, across a range of topics and skill levels.

“The 14 events that make up Open Source Summit North America’s conference umbrella cover the open source projects and technologies that are fundamental across software and other industries, while also highlighting those that are poised for growth and widespread use. The event provides the collaborative environment and knowledge sharing needed to drive innovation across the fold,” says Angela Brown, SVP & General Manager of Events at The Linux Foundation.

2022 Conference Session Highlights Include:

  • LinuxCon: Memory Folios – Matthew Wilcox, Oracle
  • CloudOpen: Peta Scale Telemetry Backend With Opentelemetry – Kranti Vikram Anugola & Weain Deng, Walmart Global Tech
  • Embedded Linux Conference: V4L2 M2M as the Driver Framework for Video Processing IP – Karthik Poduval, Amazon Lab126
  • OSPOCon: F5’s Open Source Journey – Christine Abernathy, F5, Inc.
  • Open AI + Data Forum: Delta Lake: Diving into Data Lakes Without the Downsides – Kelly O’Malley, Databricks
  • SupplyChainSecurityCon: Authenticating Supply-Chain Metadata: Building Remote Code Attestations on GitHub – Asra Ali & Laurent Simon, Google
  • Embedded IoT Summit: AI/ML at the Extreme Edge with WebAssembly: A Path Forward – Michael Tanenbaum, Mycelial
  • Global Security Vulnerability Summit: Scalable Management of Vulnerabilities in Open Source – Oliver Chang, Google & Kate Catlin, GitHub
  • Emerging OS Forum: OpenCost: An Open Source Tool for Your K8s Cost Management Problem – Webb Brown & Ajay Tripathy, Stackwatch
  • Diversity Empowerment Summit: “Did You Miss My Comment or What?” Understanding Toxicity in Open Source Discussions – Courtney Miller, Carnegie Mellon University
  • ContainerCon: Sustainability the Container Native Way – Huamin Chen, Red Hat & Chen Wang, IBM
  • Community Leadership Conference: Scaling Your Community From a Few Hundred to Tens of Thousands – Anna Filippova, dbt Labs
  • Open Source On-Ramp: Peeling Back the Layers of Storage – John Hawley, VMware
  • Critical Software Summit: Using FOSS as Part of a System Safety Mechanism – Paul Albertella, Codethink

2022 Keynote Speakers Include:

  • Alena Analeigh, Founder, Brown STEM Girl
  • Jennings Aske, Senior Vice President & Chief Information Security Officer, NewYork-Presbyterian Hospital
  • Aeva Black, Open Source Hacker, Ethical Agitator, and Consent Advocate
  • Eric Brewer, Vice President of Infrastructure, Google
  • Matt Butcher, Chief Executive Officer, Fermyon Technologies
  • Taylor Dolezal, Head of Ecosystem, Cloud Native Computing Foundation
  • Melissa Evers, Vice President & General Manager, Strategy to Execution, Software and Advanced Technology Group, Intel Corporation
  • Amy Gilliland, President, General Dynamics Information Technology (GDIT)
  • Orion Jean, TIME 2021 Kid of the Year, Author and Kindness Activist
  • Todd Moore, Vice President – Open Technology and Developer Advocacy, CTO DEG, IBM
  • Melissa Smolensky, Vice President, Corporate Marketing, GitLab
  • Linus Torvalds, Creator of Linux & Git in conversation with Dirk Hohndel, Founder, DH Consulting
  • Chris Wright, Senior Vice President and Chief Technology Officer, Red Hat

Additional keynote speakers will be announced in the coming weeks. 

Registration (in-person) is offered at the early price of $850 through April 26. Registration to attend virtually is $25. Members of The Linux Foundation receive a 20 percent discount off registration and can contact events@linuxfoundation.org to request a member discount code. 

Applications for diversity and need-based scholarships are currently being accepted. For information on eligibility and how to apply, please click here. The Linux Foundation’s Travel Fund is also accepting applications, with the goal of enabling open source developers and community members to attend events that they would otherwise be unable to attend due to a lack of funding. To learn more and apply, please click here.

Health and Safety
In-person attendees will be required to be fully vaccinated against the COVID-19 virus and will need to comply with all on-site health measures, in accordance with The Linux Foundation Code of Conduct. To learn more, visit the Health & Safety webpage.

Event Sponsors
Open Source Summit North America 2022 is made possible thanks to our sponsors, including Diamond Sponsors: Google and IBM, Platinum Sponsors: Cloud Native Computing Foundation, Databricks, Intel and Red Hat, and Gold Sponsors: Camunda, Checkmarx, Coder, Dell Technologies, GitLab, InfluxData, Kubecost, Styra and Whitesource. For information on becoming an event sponsor, click here or email us.

Press
Members of the press who would like to request a press pass to attend should contact Kristin O’Connell.

About the Linux Foundation
Founded in 2000, the Linux Foundation is supported by more than 2,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit linuxfoundation.org.

The Linux Foundation Events are where the world’s leading technologists meet, collaborate, learn and network in order to advance innovations that support the world’s largest shared technologies.

Visit our website and follow us on Twitter, Linkedin, and Facebook for all the latest event updates and announcements.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds. 

###

Media Contact
Kristin O’Connell
The Linux Foundation
koconnell@linuxfoundation.org

The post The Linux Foundation Announces Conference Schedule for Open Source Summit North America 2022 appeared first on Linux Foundation.

Open Mainframe Project Launches Call for Proposals for the 3rd Annual Open Mainframe Summit on September 21-22 in Philadelphia, PA

Thu, 04/21/2022 - 21:45

SAN FRANCISCO, April 21, 2022 – The Open Mainframe Project, an open source initiative that enables collaboration across the mainframe community to develop shared tool sets and resources, today announced the launch of the Call for Proposals (CFPs) for the 3rd annual Open Mainframe Summit. The premier mainframe event of 2022, the Summit will take place in person on September 21-22 at Convene at Commerce Square in Philadelphia, PA.

“We are excited to host Open Mainframe Summit in person this year,” said John Mertic, Director of Program Management at the Linux Foundation. “The last two events were successful in that we enabled our messages to reach more users around the world. We hope to continue that momentum while also giving our community a safe place to engage and collaborate face-to-face.”

Open Mainframe Summit is open to students, developers, users and contributors of projects from around the globe looking to learn, network and collaborate. It will feature content tracks that tackle both business and technical strategies for enterprise development and deployment.

Submit a Proposal

The Call for Proposals is now open and will be accepting submissions until Friday, June 10, 2022. Interested speakers can submit proposals in 10 tracks with options for lightning talks, 30-minute sessions and panel discussions. Tracks include:

  • AI & Machine Learning
    • From open source projects with a focus on AI, Machine Learning, and Data Analytics that currently run on Z to the AI accelerator on the recently announced IBM Telum processor, the mainframe will continue to be a key component of how organizations process their data. This track will look at projects, tools, and strategies currently used by organizations tackling these topics today.
  • Building the Next Workforce
    • Building the next workforce in today’s evolving mainframe and post-COVID environment can be challenging. This track will provide strategies for helping onboard newcomers to the platform to learn from the veterans as well as detailed opportunities for the veterans to learn tooling from the newcomers that can now be leveraged for mainframe!
  • Business
  • Cloud Native on the Mainframe + Hybrid Cloud
    • Explore the solutions for and benefits of integrating mainframe into your hybrid cloud environment. Topics range from incorporating mainframe into enterprise DevOps pipelines and enabling the use of popular distributed tooling such as VS Code to running containers directly on z/OS.
  • Diversity + Inclusion
  • Education + Training
    • Discover opportunities to add more tools to your tech toolkit! Whether you are just getting started with mainframe or you are an experienced veteran, there are programs to expand your skill set & to also share your knowledge with others.
  • Languages
    • The mainframe supports a variety of programming languages, both on z/OS and Linux. This track will showcase some of the latest technical updates, usage statistics, and more from several of them.
  • Linux on Z
  • Open Source Security on Mainframe
    • From security scans performed in the course of software development to security scans and audits that can be done within an organization to make sure all software is in compliance, this track will focus on what software vendors and open source software projects are doing to ensure that software being provided on the mainframe is secure.
  • z/OS

Submit a proposal: https://events.linuxfoundation.org/open-mainframe-summit/program/cfp/.

Meet the Program Committee

A program committee, which includes maintainers, active community members and project leaders, will review and rate the proposals once all the submissions are in. This year, Open Mainframe Project welcomes Alan Clark, CTO Office and Director for Industry Initiatives, Emerging Standards and Open Source at SUSE, Donna Hudi, Chief Marketing Officer at Phoenix Software, Elizabeth K. Joseph, Developer Advocate at IBM and Michael Bauer, Staff Product Owner at Broadcom, Inc.

Whether a company is a member or contributor of Open Mainframe Project or is sponsoring the event has no impact on whether talks from their developers will be selected. However, being a community leader does have an impact, as program committee members will often rate talks from the creators or leaders of an open source project more highly. A key focus will be on work within Open Mainframe Project’s 21 hosted projects/working groups, or contributions that otherwise add value to the ecosystem.

Early Bird pricing of $500 for general admission or $40 for academic attendees will end July 8. Click here to register.

Sponsor Now

Open Mainframe Summit is made possible with support from sponsors, especially our first Gold Sponsor Vicom Infinity, a Converge Company. To become a sponsor, click here.

For more details about Open Mainframe or to watch the videos for Open Mainframe Summit 2021, check out the Open Mainframe Project 2021 Annual Report.

For more about Open Mainframe Project, visit https://www.openmainframeproject.org/

About the Open Mainframe Project

The Open Mainframe Project is intended to serve as a focal point for deployment and use of Linux and Open Source in a mainframe computing environment. With a vision of Open Source on the Mainframe as the standard for enterprise class systems and applications, the project’s mission is to build community and adoption of Open Source on the mainframe by eliminating barriers to Open Source adoption on the mainframe, demonstrating value of the mainframe on technical and business levels, and strengthening collaboration points and resources for the community to thrive. Learn more about the project at https://www.openmainframeproject.org.

About The Linux Foundation

The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and commercial adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

###

The post Open Mainframe Project Launches Call for Proposals for the 3rd Annual Open Mainframe Summit on September 21-22 in Philadelphia, PA appeared first on Linux Foundation.

Linux Foundation Events Code of Conduct Transparency Report – 2021 Event Summary

Sat, 04/16/2022 - 03:16

For many of us, it has been several years since we’ve been in conference settings, or around many people at all. As we close in on a broader return to in-person events next month, this is the perfect time to reiterate that our events are gatherings intended for professional networking and collaboration for the open source community, that exist to encourage the open exchange of ideas. Thus, they require an environment that recognizes the inherent worth of every person and group. All event participants, whether they are attending an in-person or a virtual event, are expected to behave in accordance with our Event Code of Conduct. In short: Be kind. Be professional. Treat everyone with respect. 

The importance of a diverse, welcoming and inclusive open source community has been widely understood for some time. Progress is slowly being made, but there is a long way to go. We created our Event Code of Conduct in 2011 as one of many ways we at the Linux Foundation could help create a more welcoming community. Events play a huge role in how open source communities collaborate, and it is critical that these are safe spaces, free of harassment and discrimination. 

In the earlier years of our Event Code of Conduct, we received very few incident reports, but that number has grown, especially in recent years. This is a good thing. It means our event participants feel more comfortable speaking up. And the more people speak up, the sooner we can reach our shared goal of a truly inclusive community. 

To that end, we will begin publishing a round-up of Event Code of Conduct reports, starting with this 2021 summary. We only held a few in-person events in 2021, so expect these reports to be longer in the future as we continue to hold more in-person events. Moving forward, these reports will be published bi-annually. We will also publish event-specific reports for events with 2,000+ in-person attendees.

We look forward to seeing you all soon, online or in person.  

The Linux Foundation Events Team
events@linuxfoundation.org

———

2021 Code of Conduct Incidents By Event

KubeCon Europe (Virtual) 

  • 2 reports of concern that several CNCF ambassadors were airing grievances about not having talks accepted at the event, which belittled the work of the program committee
  • 1 report of inappropriate sexual advance in a virtual session via chat
    • Resolution: A warning was issued

Open Source Summit North America (In Person + Virtual)

  • 1 person videotaping other attendees without their consent (In Person)
    • Resolution: A warning was issued
  • 1 report of attendee violating the mask mandate
    • Resolution: A warning was issued

KubeCon North America (In Person + Virtual) 

  • 1 person videotaping other attendees without their consent (In Person) 
    • Resolution: A 2nd and final warning was issued, and the individual was informed that their action is illegal in California
  • 2 reports of attendees violating the mask mandate 
    • Resolution: warnings were issued 
  • 1 report of staff at a sponsor booth ignoring a woman attendee
    • Resolution: A warning was issued
  • 1 person who had been banned from attending the event due to behavior prior to the event showed up at the JW Marriott multiple times
    • Resolution: The individual was escorted out of the venue each time
  • 1 attendee was speaking unprofessionally to a member of the LF staff when asked to abide by Covid health + safety protocols
    • Resolution: A warning was issued
  • 2 sponsors were handing out collateral with profanity on it
    • Resolution: A warning was issued, and they refrained from passing out the offending materials thereafter
  • 1 attendee reported (on social media) that a staff member at the JW Marriott restaurant was racially profiling them
    • Resolution: LF notified JW Marriott hotel management and LF staff followed up with the attendee that alerted LF of the issue
  • Multiple reports of harassment were received against the same attendee. Additional reports were received post-KubeCon as well, for a total of 5 reports.
    • Resolution: The LF conducted an in-depth investigation, involving a neutral outside investigator, and the accused individual participated in the process as well as the reporters. At the conclusion of the investigation, the decision was to ban this person from attending any future Linux Foundation (or LF project) events, and from participating in any leadership position on any Linux Foundation project. The individual was notified of this decision.

PrestoCon Day (Virtual)

  • 1 Attendee was spamming links to YouTube videos and memes for competitors in the virtual chat.
    • Resolution: LF staff deleted posts and removed the user from the event platform. The attendee’s registration information was fake, so no further follow up could be done.

The post Linux Foundation Events Code of Conduct Transparency Report – 2021 Event Summary appeared first on Linux Foundation.
