The Linux Foundation

Decentralized innovation, built on trust.

Open Source Collaboration is a Global Endeavor

Thu, 08/13/2020 - 08:36

The Linux Foundation would like to reiterate its statements and analysis of the application of US Export Control regulations to public, open collaboration projects (e.g. open source software, open standards, open hardware, and open data) and the importance of open collaboration in the successful, global development of the world’s most important technologies. At this time, we have no information to believe recent Executive Orders regarding WeChat and TikTok will impact our analysis for open source collaboration. Our members and other participants in our project communities, which span many countries, are clear that they desire to continue collaborating with their peers around the world.

As a reminder, we would like to point anyone with questions to our prior blog post on US export regulations, which also links to our more detailed analysis of the topic. Both are available in English and Simplified Chinese for the convenience of our audiences.


The post Open Source Collaboration is a Global Endeavor appeared first on The Linux Foundation.

LF Edge’s Akraino Project Release 3 Now Available, Unifying Open Source Blueprints Across MEC, AI, Cloud and Telecom Edge

Thu, 08/13/2020 - 01:29

  • 6 New R3 Blueprints (total of 20) covering use cases across Telco, Enterprise, IoT
  • Akraino Blueprints cover areas including MEC, AI/ML, Cloud, Connected Vehicle, AR/VR, Android Cloud Native, smartNICs, Telco Core & Open-RAN, with ongoing support for R1-R2 blueprints and more
  • Community delivers open edge API specifications — to standardize across devices, applications (cloud native), orchestrations, and multi-cloud — via new white paper

SAN FRANCISCO – August 12, 2020 – LF Edge, an umbrella organization within the Linux Foundation that aims to establish an open, interoperable framework for edge computing independent of hardware, silicon, cloud, or operating system, today announced the availability of Akraino Release 3 (“Akraino R3”). Akraino’s third and most mature release to date delivers fully functional edge solutions, implemented across global organizations, to enable a diversity of edge deployments across the globe. New blueprints include a focus on MEC, AI/ML, and Cloud edge. In addition, the community authored the first iteration of a new white paper to bring common open edge API standards to align the industry.

Launched in 2018, and now a Stage 3 (or “Impact” stage) project under the LF Edge umbrella, Akraino Edge Stack delivers an open source software stack that supports a high-availability cloud stack optimized for edge computing systems and applications. Designed to improve the state of carrier edge networks, edge cloud infrastructure for enterprise edge, and over-the-top (OTT) edge, it enables flexibility to scale edge cloud services quickly, maximize applications and functions supported at the edge, and to improve the reliability of systems that must be up at all times. 

“Akraino has evolved into a fully-functional edge stack,” said Arpit Joshipura, general manager, Networking, Automation, Edge and IoT, the Linux Foundation. “With a growing set of blueprints that enable more and more use cases, we are seeing the power of open source impact every aspect of the edge and how the world accesses and consumes information.”  

About Akraino R3

Akraino Release 3 (R3) delivers a fully functional open source edge stack that enables a diversity of edge platforms across the globe. With R3, Akraino Edge Stack  brings deployments and PoCs from a swath of global organizations including Aarna Networks, China Mobile, Equinix, Futurewei, Huawei, Intel, Juniper, Nokia, NVIDIA, Tencent, WeBank, WiPro, and more.

Akraino enables innovative support for new levels of flexibility that scale 5G, industrial IoT, telco, and enterprise edge cloud services quickly, by delivering community-vetted and tested edge cloud blueprints to deploy edge services.  New use cases and new and existing blueprints provide an edge stack for Connected Vehicle, AR/VR, AI at the Edge, Android Cloud Native, SmartNICs, Telco Core and Open-RAN, NFV, IOT, SD-WAN, SDN, MEC, and more. 

Akraino R3 includes 6 new blueprints for a total of 20, all tested and validated on real hardware labs supported by users and community members. The Akraino community has established full-stack, automated testing with strict community standards to ensure high-quality blueprints.

The 20 “ready and proven” blueprints include both updates and long-term support to existing R1 & R2 blueprints, and the introduction of six new blueprints:

  • The AI Edge – School/Education Video Security Monitoring
  • 5G MEC/Slice System – Supports Cloud Gaming, HD Video, and Live Broadcasting
  • Enterprise Applications on Lightweight 5G Telco Edge (EATLEdge)
  • Micro-MEC (Multi-access Edge Computing) for SmartCity Use Cases
  • IEC Type 3: Android Cloud Native Applications on Arm®-based Servers on the Edge
  • IEC Type 5: Smart NIC: Edge hardware acceleration

More information on Akraino R3, including links to documentation, code, installation docs for all Akraino Blueprints from R1-R3, can be found here. For details on how to get involved with LF Edge and its projects, visit

API White Paper

The Akraino community published the first iteration of a new white paper to bring common open edge API standards to the industry. The new white paper makes available, for the first time, generic edge APIs for developers to standardize across devices, applications (cloud native), orchestrations, and multi-cloud. The paper serves as a stepping stone for broad industry alignment on edge definitions, use cases, and APIs. Download the paper here:

Looking Ahead

The community is already planning R4, which will include more implementation of open edge API guidelines, more automation of testing, increased alliance with upstream and downstream communities, and development of public cloud standard edge interfaces. Additionally, the community is expecting new blueprints as well as additional enhancements to existing blueprints. 

Don’t miss the Open Networking and Edge Summit (ONES) virtual event happening September 28-29, where Akraino and other LF Edge communities will collaborate on the latest open source edge developments. Registration is now open!

Ecosystem Support for Akraino R3

“The demands on compute, networking, and storage infrastructure are changing significantly as we connect billions of intelligent devices, many of which live at the edge of the 5G network,” said Kevin Ryan, senior director of software ecosystem development, Infrastructure Line of Business, Arm. “By working closely with the Akraino community on the release of Akraino R3, and through our efforts with Project Cassini for seamless cloud-native deployments, Arm remains committed to providing our partners with full-edge solutions primed to take on the 5G era.”

Mazin Gilbert, VP of Technology and Innovation, AT&T, said: “As a founding member of the Akraino platform, AT&T has seen first-hand the remarkable progress as a result of openness and industry collaboration. AI and edge computing are essential when it comes to creating an intelligent, autonomous 5G network, and we’re proud to work together with the community to deliver the best possible solutions for our customers.”

“In the 5G era, AI+ Edge Computing is not only an important guarantee for updating the consumer and industrial Internet experience (such as video consumption re-upgrading, scene-based AI capabilities, etc.), but also a necessary infrastructure for the development of the Internet industry,” said Ning Liu, Director of AI Cloud Group, Baidu. “Providing users with AI-capable edge computing platforms, products and services is one of Baidu’s core strategies. Looking towards the future, Baidu will continue to adhere to the core strategy of open source and cooperate with partners to build a more open and improved ecosystem.”

China Unicom
“Commercial 5G is going live around the world. Edge computing will play an important role for large bandwidth and low delay services in the 5G era. The key to the success of edge computing is to provide integrated ICT PaaS capabilities, which is beneficial for the collaboration between networks and services, maximizing the value of 5G,” said Xiongyan Tang, Chief Scientist and CTO of the Network Technology Research Institute of China Unicom. “The PCEI Blueprint will define a set of open and common APIs, to promote the deep cooperation between operators and OTTs, and help to build a unified network edge ecosystem.”  

“High bandwidth, low latency, and massive connections are 5G typical features. Based on MEC’s edge computing and open capabilities, 5G network could build the connection, computing, and capabilities required by vertical industries and enables many applications. In the future, 5G MEC will be an open system that provides an application platform with rich atomic capabilities,” said Bill Ren, Huawei Chief Open Source Liaison Officer. “Managing a large number of applications and devices on the MEC brings great challenges and increases learning costs for developers. We hope to make 5G available through open source, so that more industry partners and developers can easily develop and invoke 5G capabilities. Build a common foundation for carriers’ MEC through open source to ensure the consistency of open interfaces and models. Only in this way can 5G MEC bring tangible benefits to developers and users.”

Juniper Networks
“Juniper Networks is proud to have been an early member of the Akraino community and supportive of this important work. We congratulate this community for introducing new blueprints to expand the use cases for managed edge cloud with this successful third release,” said Raj Yavatkar, Chief Technology Officer at Juniper Networks. “Juniper is actively involved in the integration of multiple blueprints and we look forward to applying these solutions to evolve edge cloud and 5G private networks to spur new service innovations – from content streaming to autonomous vehicles.”

“The new generation network is coming, IoT and Edge Computing are developing rapidly. At the same time, it also brings great challenges to technological innovation. High performance, low latency, high scalability, large-scale architecture is a must for all applications. TARS has released the latest version to meet the adjustment of 5G and Edge Computing. Massive devices can easily use TARS Microservice Architecture to realize the innovation of edge applications. The Connect Vehicle Blueprint and AR/VR Blueprint in Akraino are all using the TARS Architecture,” said Mark Shan, Chairman of Tencent Open Source Alliance, Chairman of TARS Foundation, and Akraino TSC Member. “The blueprints on the TARS Architecture solve the problem of high throughput and low latency. TARS is a neutral project in the Linux Foundation, which can be easily used and helped by anyone from the open-source community.”

“We are proud to be part of the Edge Cloud community. Zenlayer is actively exploring edge solutions and integrating the solutions to our bare metal product. We hope the edge products will empower rapid customer innovation in video streaming, gaming, enterprise applications and more,” said Jim XU, chief engineering architect of Zenlayer.

About the Linux Foundation
Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more.  The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at


The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: Linux is a registered trademark of Linus Torvalds.


The Linux Foundation, Grillo and IBM Announce New Earthquake Early-Warning Open Source Project

Tue, 08/11/2020 - 23:00

Grillo is open sourcing ‘OpenEEW,’ its IoT-based earthquake early-warning system that will accelerate the creation of low-cost, community-driven projects around the world, with support from IBM, USAID, the Clinton Foundation and Arrow Electronics

San Francisco, Calif., Aug. 11, 2020 – The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced it will host Grillo’s OpenEEW project in collaboration with IBM to accelerate the standardization and deployment of earthquake early-warning systems (EEWs) for earthquake preparedness around the world. The project includes the core components of the Grillo EEW system comprised of integrated capabilities to sense, detect and analyze earthquakes as well as alert communities. OpenEEW was created by Grillo with support from IBM, USAID, the Clinton Foundation and Arrow Electronics.

Earthquakes often have the most severe consequences in developing countries, due in part to construction and infrastructure issues. Timely alerts have the potential to help save lives in the communities where earthquakes pose the greatest threat. EEW systems provide public alerts in countries including Mexico, Japan, South Korea and Taiwan, but nearly three billion people globally live with the threat of an earthquake and don’t have access to nation-wide systems, which can cost upwards of one billion U.S. dollars. OpenEEW wants to help reduce the costs of EEW systems, accelerate their deployments around the world and has the potential to save many lives.

“The OpenEEW Project represents the very best in technology and in open source,” said Mike Dolan, Senior Vice President and GM of Projects at the Linux Foundation. “We’re pleased to be able to host and support such an important project and community at the Linux Foundation. The open source community can enable rapid development and deployment of these critical systems across the world.”

The OpenEEW Project includes several core IoT components: sensor hardware and firmware that can rapidly detect and transmit ground motion; real-time detection systems that can be deployed on various platforms from a Kubernetes cluster to a Raspberry Pi; and applications that allow users to receive alerts on hardware devices, wearables, or mobile apps as quickly as possible. The open source community aims to help advance earthquake technology by contributing to OpenEEW’s three integrated technology capabilities: deploying sensors, detecting earthquakes and sending alerts.

“For years we have seen that EEWs have only been possible with very significant governmental financing, due to the cost of dedicated infrastructure and development of algorithms. We expect that OpenEEW will reduce these barriers and work towards a future where everyone who lives in seismically-active areas can feel safe,” said Andres Meira, Founder, Grillo.

IBM and The Linux Foundation have a rich history of deploying projects that fundamentally make change and progress in society through innovation – and remain committed during COVID-19. The winner of the 2018 Call for Code Global Challenge, Project Owl, contributed its IoT device firmware in March 2020 as the ClusterDuck Protocol, and now, Grillo’s OpenEEW is the most recent project to be open sourced for communities that need them most.

Originally connected to Grillo through the Clinton Foundation at a convening of the Clinton Global Initiative (CGI) Action Network, IBM is now playing a role supporting Grillo by adding the OpenEEW earthquake technology into the Call for Code deployment pipeline supported by The Linux Foundation.

IBM has deployed a set of six of Grillo’s earthquake sensor hardware and is conducting tests in Puerto Rico, complementing Grillo’s tools with a new Node-RED dashboard to visualize readings. IBM is also extending a Docker software version of the detection component that can be deployed to Kubernetes and Red Hat OpenShift on the IBM Cloud.

“IBM is thrilled to continue collaborating with Grillo and to contribute to the new open source OpenEEW project with The Linux Foundation,” said Daniel Krook, Chief Technology Officer, Call for Code. “Grillo technology has the potential to help save lives, which is just the type of innovation we look for in Call for Code projects. This is an exciting opportunity for the developer community to help us improve the software, hardware, and global network as an open source project.”

Grillo sensors have generated more than 1TB of data since 2017 in Mexico, Chile, Puerto Rico and Costa Rica, including information from large earthquakes of magnitudes 6 and 7. Researchers from Harvard University and the University of Oregon are already working with this data, which will enable new machine learning earthquake characterization and detection methods.

“Understanding the ground on which Mexico City is built is an important facet of earthquake hazards. With support from the David Rockefeller Center for Latin American Studies at Harvard University and the David and Lucile Packard Foundation, we are working with Grillo to deploy a dense network of sensors across Mexico City and analyze the seismic behavior and local seismicity beneath the ancient lake basin. Our collaboration also enables open source software development for the next generation of seismology on the cloud,” said Harvard Professor Maine Denolle.

The primary aim of the project is to encourage a variety of people – makers, data scientists, entrepreneurs, seismologists – to build EEWs in places like Nepal, New Zealand, Ecuador, and other seismic regions. This community may also contribute to OpenEEW by advancing the sensor hardware design, improving detection and characterization of earthquakes through machine learning, and creating new methods for delivering alerts to citizens.

For more information and to begin contributing, please visit:


About the Linux Foundation
Founded in 2000, the Linux Foundation is supported by more than 1,500 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more.  The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at


The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: Linux is a registered trademark of Linus Torvalds.


Healthcare industry proof of concept successfully uses SPDX as a software bill of materials format for medical devices

Thu, 08/06/2020 - 03:30

Software Package Data Exchange (SPDX) is an open standard for communicating software bill of materials (SBOM) information that supports accurate identification of software components, explicit mapping of relationships between components, and the association of security and licensing information with each component. The SPDX format has recently been submitted by the Linux Foundation and the Joint Development Foundation to the JTC1 committee of the ISO for international standards approval.

A group of eight healthcare industry organizations, composed of five medical device manufacturers and three healthcare delivery organizations (hospital systems), recently participated in the first-ever proof of concept (POC) of the SPDX standard for healthcare use.

This blog post is a summary of the results of this initial trial.

Why do we care about SBOMs and the medical device industry?

A Software Bill of Materials (SBOM) is a nested inventory or a list of ingredients that make up the software components used in creating a device or system. This is especially critical in the medical device industry and within healthcare delivery organizations to adequately understand the operational and cyber risks of those software components from their originating supply chain.

Some cyber risks come from using components with known vulnerabilities. Known vulnerabilities are a widespread problem in the software industry, such as known vulnerabilities in the Top 10 Web Application Security Risks from the Open Web Application Security Project (OWASP). Known vulnerabilities are especially concerning in medical devices since the exploitation of those vulnerabilities could lead to loss of life or maiming. One-time reviews don’t help, since these vulnerabilities are typically found after the component has been developed and incorporated. Instead, what is needed is visibility into the components of a medical device, similar to how food ingredients are made visible.

A measured path towards using SBOMs in the medical device industry

In June 2018, the National Telecommunications and Information Administration (NTIA) engaged stakeholders across multiple industries to discuss software transparency and to participate in a limited proof of concept (POC) to determine if SBOMs can be successfully produced by medical device manufacturers and consumed by healthcare delivery organizations. That initial POC was successfully concluded in the early fall of 2019. 

Despite the limited scope, the NTIA POC results demonstrated that industry-agnostic standard formats can be leveraged by the healthcare vertical and that industry-specific formats are unnecessary. 

Next, the participants in the NTIA POC explored whether a standardized SBOM format could be used for sharing information between medical device manufacturers and healthcare delivery organizations. For this next phase, the NTIA stakeholders engaged the Linux Foundation’s SPDX community to work with the NTIA Healthcare working group. The goal was to demonstrate through a proof of concept whether the open source SPDX SBOM format would be suitable for healthcare and medical device industry uses. The first phase of that trial was conducted in early 2020.

Objectives of the 2020 POC

The stated goals of this 2020 proof of concept (POC) were to prove the viability of the framing document created by the NTIA SBOM Working group (of which the Linux Foundation was a contributor) from their earlier POC for the medical device and healthcare industry. 

This NTIA framing document defines specific baseline data elements or fields that should be used to identify software components in any SBOM format, which can be mapped into corresponding field elements in SPDX:

| NTIA Baseline     | SPDX                           |
|-------------------|--------------------------------|
| Supplier Name     | (3.5) PackageSupplier:         |
| Component Name    | (3.1) PackageName:             |
| Unique Identifier | (3.2) SPDXID:                  |
| Version String    | (3.3) PackageVersion:          |
| Component Hash    | (3.10) PackageChecksum:        |
| Relationship      | (7.1) Relationship: CONTAINS   |
| Author Name       | (2.8) Creator:                 |

The 2020 POC conducted by the NTIA working group had a stated objective to determine if SBOMs generated by Medical Device Manufacturers (MDMs) using SPDX could be ingested into SIEM (Security Information and Event Management) solutions operated by the participating Healthcare Delivery Organizations (HDOs).

The MDMs in this POC included Abbott, Medtronic, Philips, Siemens, and Thermo Fisher. The HDOs included Cedars-Sinai, Christiana Care, Mayo Clinic, Cleveland Clinic, Johns Hopkins, New York-Presbyterian, Partners/Mass General, and Sutter Health.

Execution and implementation of the SPDX SBOMs

  • The participating HDOs provided an inventory of the deployed medical devices in use within their organizations.
  • A best-effort approach was used to determine software identity as the names that software packages are known by are “ambiguous” and could be misinterpreted.
  • An example SPDX was created along with a guidance document for the MDMs to follow for use with the medical devices identified by the HDO inventory exercise.
  • The MDMs produced 17 distinct SPDX-based SBOMs manually and with generator tooling.
  • The SBOMs were delivered via secure transfer using enterprise Box accounts, simulating delivery via secure customer portals offered by each MDM.

Consumption of the SBOMs in the SPDX POC

As a result of the 2020 POC, all participating HDOs successfully ingested the SPDX SBOM into their respective SIEM solutions, immediately making the data searchable to identify security vulnerabilities across a fleet of products. This information can also be converted into a human-readable, tabular format for other data analysis systems.

Multiple HDOs are already collaborating with vendor partners to explore direct ingestion into medical device asset/risk management solutions as part of their device procurement. One of the HDOs is working with one of their vendor partners to explore direct ingestion into a healthcare Vendor Risk Management (VRM) solution, and another has developed a “How-To Guide,” focusing on how to correctly parse out the Packages fields using regular expressions (regex).
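An added example, not taken from the original post or from any HDO's guide: a small regex-based reader for SPDX tag-value text that pulls the NTIA baseline fields listed earlier into flat per-package records a SIEM can index, and flags packages where a baseline field is absent. The SBOM text, supplier names and hashes are constructed, treating `NOASSERTION` as missing is a choice made here, and multi-line `<text>` values are not handled.

```python
import json
import re

# Constructed hash values for the sample below (not real digests).
HASH_A = "ab" * 32
HASH_B = "cd" * 32

# Constructed sample SPDX tag-value SBOM; device and suppliers are fictional.
SAMPLE_SBOM = f"""\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-infusion-pump-fw
Creator: Organization: Example MDM Inc.
Created: 2020-03-01T00:00:00Z

PackageName: pump-firmware
SPDXID: SPDXRef-pump-firmware
PackageVersion: 4.2.1
PackageSupplier: Organization: Example MDM Inc.
PackageChecksum: SHA256: {HASH_A}

PackageName: libexampletls
SPDXID: SPDXRef-libexampletls
PackageVersion: 1.0.7
PackageSupplier: Organization: Example TLS Project
PackageChecksum: SHA256: {HASH_B}

# This package lacks a supplier and a checksum on purpose.
PackageName: rtos-kernel
SPDXID: SPDXRef-rtos-kernel
PackageVersion: 9.0

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-pump-firmware
Relationship: SPDXRef-pump-firmware CONTAINS SPDXRef-libexampletls
Relationship: SPDXRef-pump-firmware CONTAINS SPDXRef-rtos-kernel
"""

# NTIA baseline field -> SPDX package tag, following the mapping in the post.
NTIA_TO_SPDX = {
    "supplier_name": "PackageSupplier",
    "component_name": "PackageName",
    "unique_identifier": "SPDXID",
    "version_string": "PackageVersion",
    "component_hash": "PackageChecksum",
}
PACKAGE_TAGS = set(NTIA_TO_SPDX.values())

# "Tag: value" lines; the tag ends at the first colon, so values may contain colons.
TAG_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*):\s*(.*\S)\s*$")
REL_RE = re.compile(r"^(\S+)\s+([A-Z_]+)\s+(\S+)$")


def parse_spdx(text):
    """Split a tag-value document into creators, packages and relationships."""
    doc = {"creators": [], "packages": [], "relationships": []}
    current = None  # package being filled; None while still in the document header
    for raw in text.splitlines():
        m = TAG_RE.match(raw)
        if not m:
            continue  # blank lines and '#' comments
        tag, value = m.groups()
        if tag == "PackageName":  # PackageName opens a new package section
            current = {"PackageName": value}
            doc["packages"].append(current)
        elif tag == "Creator":
            doc["creators"].append(value)
        elif tag == "Relationship":
            rm = REL_RE.match(value)
            if rm:
                doc["relationships"].append(rm.groups())
        elif current is not None and tag in PACKAGE_TAGS:
            current.setdefault(tag, value)  # keep the first value if a tag repeats
    return doc


def to_siem_records(doc):
    """One flat record per package, with parent links and missing-field flags."""
    contained_by = {}
    for src, rel, dst in doc["relationships"]:
        if rel == "CONTAINS":
            contained_by.setdefault(dst, []).append(src)
    author = "; ".join(doc["creators"]) or None
    records = []
    for pkg in doc["packages"]:
        rec = {field: pkg.get(tag) for field, tag in NTIA_TO_SPDX.items()}
        rec["author_name"] = author
        missing = sorted(k for k, v in rec.items() if v in (None, "NOASSERTION"))
        rec["contained_by"] = contained_by.get(pkg.get("SPDXID"), [])
        rec["missing_baseline"] = missing
        records.append(rec)
    return records


if __name__ == "__main__":
    # JSON lines are a common ingestion format for SIEM pipelines.
    for record in to_siem_records(parse_spdx(SAMPLE_SBOM)):
        print(json.dumps(record))
```
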

As a positive indicator of SPDX’s suitability when used with asset management systems, two HDOs have begun configuring their respective internal tracking systems to track software dependencies and subcomponents. Additionally, multiple HDOs are collaborating with vendor partners to manage devices into medical device asset/risk management solutions through the device’s life by allowing for periodic updates and an audit trail.

Ongoing considerations for SPDX-based SBOMs for medical devices in healthcare organizations

Risk management, vulnerability management, and legal considerations are ongoing at the participating HDOs related to the use of SPDX-based SBOMs.

Risk management

All of the responding HDOs are exploring vulnerability identification upon procurement (i.e., SIEM through initial ingestion of the SBOM) and on an on-going basis (i.e., SIEM, CMDB/CMMS, VRM). The participating HDOs intend to explore mitigation plan / compensating control exercises that will be performed to identify vulnerable components, measure exploitability, implement risk reduction techniques, and document this data alongside the SBOM.

The SPDX community intends to learn from these exercises and improve future versions of SPDX specification to include requested information determined to be needed to manage risk effectively.

Vulnerability management at HDOs

An HDO is already working with its Biomed team to manually perform vulnerability management processes on information extracted from SBOM data. 

Another is working with their Vulnerability Management team to evaluate correlated SBOM data to credentialed/non-credentialed scans of the same device, which may prove useful in an information audit use case. A second HDO is currently working with their Vulnerability Management team on leveraging the SBOM data to supplement regular scanning results.


Participating HDOs have been developing SBOM product security language to add cybersecurity safeguards to the contract documentation.


The original POC was able to validate the conclusions of the NTIA Working Group that proprietary SBOM formats specific to healthcare industry verticals are not needed. This 2020 POC showed that the SPDX standard could be used as an open format for SBOMs for use by healthcare industry providers. Additionally, the ability to import the SPDX format into SIEM solutions will help HDOs adequately understand the operational and cyber risks of medical device software components from their originating supply chain. 

There is work ahead to improve automation of SPDX-based SBOMs, including the automated identification of software components and determining which component vulnerabilities are exploitable in a given system. Participating HDOs intend to perform compensating control exercises to identify and implement risk reduction techniques building on this information. HDOs are also evaluating how SPDX can support other improvements to vulnerability management. In summary, this POC showed that SPDX could be an essential part of addressing today’s operational and cyber risks.


Technology and Enterprise Leaders Combine Efforts to Improve Open Source Security

Mon, 08/03/2020 - 22:55

New collaboration called Open Source Security Foundation (OpenSSF) consolidates industry efforts to improve the security of open source software

SAN FRANCISCO, Calif., Aug 3, 2020 – The Linux Foundation today announced the formation of the Open Source Security Foundation (OpenSSF). The OpenSSF is a cross-industry collaboration that brings together leaders to improve the security of open source software (OSS) by building a broader community with targeted initiatives and best practices. It combines efforts from the Core Infrastructure Initiative, GitHub’s Open Source Security Coalition and other open source security work from founding governing board members GitHub, Google, IBM, JPMorgan Chase, Microsoft, NCC Group, OWASP Foundation and Red Hat, among others. Additional founding members include ElevenPaths, GitLab, HackerOne, Intel, Okta, Purdue, SAFECode, StackHawk, Trail of Bits, Uber and VMware.

Open source software has become pervasive in data centers, consumer devices and services, representing its value among technologists and businesses alike. Because of its development process, open source that ultimately reaches end users has a chain of contributors and dependencies. It is important that those responsible for their user or organization’s security are able to understand and verify the security of this dependency chain.

The OpenSSF brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The Linux Foundation’s Core Infrastructure Initiative (CII), founded in response to the 2014 Heartbleed bug, and the Open Source Security Coalition, founded by the GitHub Security Lab, are just a couple of the projects that will be brought together under the new OpenSSF. The Foundation’s governance, technical community and its decisions will be transparent, and any specifications and projects developed will be vendor agnostic. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all.

“We believe open source is a public good and across every industry we have a responsibility to come together to improve and support the security of open source software we all depend on,” said Jim Zemlin, executive director at The Linux Foundation. “Ensuring open source security is one of the most important things we can do, and it requires all of us around the world to assist in the effort. The OpenSSF will provide that forum for a truly collaborative, cross-industry effort.”

With the formalization of the group, the open governance structure is established and includes a Governing Board (GB), a Technical Advisory Council (TAC) and a separate oversight for each working group and project. OpenSSF intends to host a variety of open source technical initiatives to support security for the world’s most critical open source software, all of which will be done in the open on GitHub.

For more information and to contribute to the project, please visit


Threats, Risks & Mitigations of the Open Source Ecosystem, Open Source Security Coalition
Vulnerabilities in the Core, Harvard’s Lab for Innovation Science and Linux Foundation
Red Hat Product Security Risk Report, Red Hat

Governing Board Member Quotes

“Every industry is using open source software, and it is our collective responsibility to help maintain a healthy and secure ecosystem,” said Jamie Cool, Vice President of Product Management, Security at GitHub. “GitHub founded the Open Source Security Coalition in 2019 to bring together industry leaders around this mission and ensure the consumption of open source software is something that all developers can do with confidence. We look forward to this next step in the evolution of the coalition and serving as a founding member of the Open Source Security Foundation.”

Read more in GitHub’s blog.

“Security is always top of mind for Google and our users. We have developed robust internal security tools and systems for consuming open source software internally, for our users, and for our OSS-based products. We believe in building safer products for everyone with far-reaching impacts, and we are excited to work with the broader community through the OpenSSF. We look forward to sharing our innovations and working together to improve the security of open source software we all depend on,” said Director of Product Security, Google Cloud, James Higgins.

“Open source has become mainstream in the enterprise. As such, the security of the open source supply-chain is of paramount importance to IBM and our clients,” said Christopher Ferris, IBM Fellow and CTO Open Technology. “The launch of the Open Source Security Foundation marks an important step towards giving open source communities the information and tools they need to improve their secure engineering practices, and the information developers need to choose their open source wisely.”

JPMorgan Chase
“Developing, growing and using open source software is a top priority for JPMorgan Chase. We are committed to partner with the community through the Open Source Security Foundation to ensure trust and security in open source software for everyone,” stated Lori Beer, Global Chief Information Officer, JPMorgan Chase.

“As open source is now core to nearly every company’s technology strategy, securing open source software is an essential part of securing the supply chain for every company, including our own,” said Mark Russinovich, Chief Technology Officer, Microsoft Azure. “As with everything open source, building better security is a community-driven process. All of us at Microsoft are excited to be a founding member of the Open Source Security Foundation and we look forward to partnering with the community to create new security solutions that will help us all.”

Read more in Microsoft’s blog.

NCC Group
“The security and privacy of the internet is essential for the protection of individuals, organizations and critical infrastructure, and also the future of democracy and our civil liberties. Given the fundamental role open source plays in powering our world, creating scalable resources and tools to help software maintainers, developers, and users understand and improve their projects’ security is a significant step toward a safer and more secure world. By bringing together a dedicated group of technologists with a shared desire to improve the security of open source software, together we can begin to remediate – or even prevent – security vulnerabilities at a scale not previously possible,” stated Jennifer Fernick, Head of Research at global cyber security expert NCC Group.

“Joining the Linux Foundation and the Open Source Security Foundation is central to our mission to advance the state of application security, especially as OpenSSF is already aligned with OWASP’s core philosophies of openness, transparency and innovation,” said Andrew van der Stock, Executive Director of OWASP, the Open Web Application Security Project. “We look forward to working with all of the participating organizations to improve the state of software security and work together on projects of vital interest to software developers, organizations, and governments around the world.”

Red Hat
“Red Hat is unrelenting in our commitment to open source and in participating to make upstream projects successful. We believe security is an essential part of healthy project communities,” said Chris Wright, CTO of Red Hat. “Now, more than ever, is the time for us to join together with other leaders to help ensure key projects are secure and consumable in our products, across enterprises, and as part of the hybrid cloud. We are excited to help found this Open Source Software Foundation.”

Additional Founding Member Quotes

“The security of an enterprise application or services depends mainly on the security of all its components. The vast majority of business applications and services are not fully developed in-house as they make use of open source components that help accelerate the development cycle and extend their functionality. Therefore, it is essential to ensure that all open source components comply with the best practices of secure development and periodic reviews are carried out to positively impact all software that makes use of these components. Joining the Open Source Security Foundation is fully aligned with our vision and principles.”

“GitLab is excited to play a part in the creation of the Open Source Security Foundation (OpenSSF) to further cross-industry collaboration and move the security of open source projects forward as it is key to the future of technology,” said David DeSanto, director of product for Secure and Defend at GitLab. “Aligning with GitLab’s mission of ‘everyone can contribute,’ we look forward to supporting and contributing to the community to bring together security-conscious developers to change open source development in a collaborative and fundamental way.”

“Open source software powers HackerOne,” said Reed Loden, Head of Open Source Security, HackerOne. “It powers our software, our infrastructure, and our model for engaging with our community. As part of our mission to make the internet safer, we want to make it easier for open source projects to remain secure. For over three years, we’ve given the open source community our platform for free, and we’ve been long-time supporters of initiatives like Internet Bug Bounty. Joining the Linux Foundation and the Open Source Security Foundation allows us to continue on our mission and make the internet safer alongside some of the foremost visionaries in security. We look forward to seeing the change we can make together.”

“It takes the industry working together to advance technology and accelerate open source security initiatives. Hardware and software are inextricably linked to deliver security, transparency and trust in open source software. Together with the OpenSSF, Intel will continue to play a key role in mobilizing the industry at large and solving security challenges from the cloud to the edge,” said Anand Pashupathy, GM of System Security Software, Intel.

“Open source software is a major component in today’s software supply chain and thus comprises a significant fraction of the software that individuals and organizations rely upon. Supporting the secure development of open source software is of critical importance to SAFECode members and the software community,” said Steve Lipner, executive director of SAFECode. “We are looking forward to bringing our software security experience to bear as we participate in the Open Source Security Foundation’s mission to build a collaborative, cross-industry community to support the security of open source software.”

“The use of open source has undoubtedly reached critical mass, with ever increasing dependency trees and software complexity. Equipping engineering teams to deliver secure applications simply and scalably is core to our mission at StackHawk. We are excited to be one of the founding members of the Open Source Security Foundation to ensure that this can be a reality across software development as a whole and look forward to continued partnership with the community,” said StackHawk’s Founder & CEO, Joni Klippert.

“Security and Privacy is always top of mind at Uber to ensure we are responsible stewards of our user’s data. We’re always focused on mitigating all types of software vulnerabilities and as such the security of open source software is a top priority. Historically, we’ve worked with other industry leaders to help build a strong security community around open source software and we are excited to expand those efforts with the OpenSSF,” said Rob Fletcher, Sr Manager, Security Engineering.

“Strengthening the security posture, policies, and processes in the open source community and in widely used open source projects is strengthening the whole software ecosystem – for all players,” said Joshua Lock, security tech lead, Open Source Technology Center, VMware. “VMware strongly supports the goal of making our software ecosystem more resilient and more secure.”


About the Linux Foundation
Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more.  The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at


The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: Linux is a registered trademark of Linus Torvalds.

Media Contact
Jennifer Cloer
reTHINKit Media

The post Technology and Enterprise Leaders Combine Efforts to Improve Open Source Security appeared first on The Linux Foundation.

Fledge, an LF Edge Project, Enters Growth Stage as Release 1.8 Enables Open Industrial Edge Software with AI/ML, and Public Cloud Integration

Fri, 07/31/2020 - 02:56

  • Expanded community includes integrations and contributions from Google, Nokia, Flir, OSIsoft, Nexcom, RoviSys, Advantech, Wago, Zededa and Dianomic
  • Supports complementary products and services from a global open ecosystem, with commercial support, developer support, training, ML/AI applications and scale-up and out management
  • Use cases include Gradient Racing, which uses Fledge and Google Cloud to optimize complex machine configurations and operations using ML/AI, car and driver simulators and race track digital twins  

SAN FRANCISCO – July 30, 2020 – LF Edge, an umbrella organization within the Linux Foundation that aims to establish an open, interoperable framework for edge computing independent of hardware, silicon, cloud, or operating system, today announced the maturing of its Fledge project, which has issued its 1.8 release and moved to the Growth Stage within the LF Edge umbrella. Fledge is an open source framework for the Industrial Internet of Things (IIoT), used to implement predictive maintenance, situational awareness, safety and other critical operations. Deployed in industrial use cases since early 2018, Fledge integrates IIoT, sensors, machines, ML/AI tools-processes-workloads, and cloud/s with the current industrial production systems and levels, as per ISA-95.

Fledge v1.8 is the first release since moving to the Linux Foundation. However, this is the ninth release of the project code that has over 60,000 commits, averaging 8,500 commits/month. Concurrently, Fledge has matured into a Stage 2 or “Growth Stage” project within LF Edge. This maturity level is for projects that are interested in reaching the Impact Stage and have identified a growth plan for doing so. Growth Stage projects receive mentorship from the Technical Advisory Committee (TAC) and are expected to actively develop their community of contributors, governance, project documentation, and other variables identified in the growth plan that factor into broad success and adoption.

“Fledge, initially seeded by OSISoft and Dianomic and now a diverse project within LF Edge, is a great example of open source integration. By working closely with Google and other ecosystem partners on new and emerging use cases, we are bringing the power of LF Edge to a broader market,” said  Arpit Joshipura, general manager, Networking, Edge and IoT, the Linux Foundation. “We look forward to building an open community of industrial users, suppliers and integrators.”

Using Fledge to gather and analyze machine, process, environment and operator data in context improves efficiency, quality and safety. Gradient Racing used Fledge, Google Cloud, and Motorsports.AI to build IIoT based digital twins of each track, a machine simulator and an operator simulator to optimize car configurations and driving strategy before each race. Using Fledge, TensorFlow and Kubernetes, two all-time track records were broken in the GT3 2019 season. See the full story here.

“Google Cloud helps customers deliver artificial intelligence to applications from the edge to the cloud,”  said Craig Wiley, director of Product Management for Google Cloud AI.  “Fledge’s ability to collect, process, transform and send machine data as well as run TensorFlow Lite on the edge makes it an excellent complement to Google’s AI platform. As an active member of the Linux Foundation, Google is proud to support this open source community through contributions to the Fledge project, empowering next generation industrial processes and machines.”

Fledge has rapidly become one of the most active open source IIoT projects. Adding to the momentum are new contributors, contributions and integrations. Highlights include:

  • Google’s contribution of its IoT Core North Plugin enables secure, reliable transfer of data to Google cloud services like machine learning.
  • OSIsoft’s contribution of the Web API North Plugin enables Fledge to transfer telemetry and metadata securely and reliably to existing ISA95 systems like PI, OCS and EDS.
  • Nexcom’s contribution of CAN bus 2.0, J1708 and J1939 south plugins provides real-time monitoring for fleet management of cars and heavy duty trucks.
  • Dianomic’s contribution of new core services, alert services and orchestration services enables advanced vibration-based applications, more security and scalable management.
  • Nokia integrated Fledge with the Nokia Digital Automation Cloud (NDAC), Nokia’s industrial-grade private wireless network.
  • Google and Nexcom completed integration of Fledge within Google’s Coral line of ML processors and Nexcom’s industrial gateways.
  • Flir and Dianomic completed a south plugin integration with Flir’s line of industrial infrared cameras.

Industrial Operational Technology (OT) markets are new to the Linux Foundation, and open source projects are new to OT use cases. Just as the LAMP stack enabled web application development, the Fledge project’s mission is to enable IIoT application development. Together we can solve the diversity and complexity issues when collecting and processing data beyond current control networks and eliminate silos of data by integrating with mission-critical ISA95 systems, ML systems, and the cloud.

Learn more about Fledge in an upcoming On the Edge with LF Edge webinar, entitled “How Google, OSIsoft, FLIR and Dianomic use Fledge to implement Industrial 4.0,” August 13 at 9 am PT. Details and registration here:

Join Fledge and other LF Edge projects at the Open Networking & Edge Summit (ONES), a virtual experience happening September 28-30. ONES is the industry’s premier open networking event now expanded to comprehensively cover Edge Computing, Edge Cloud & IoT. Open Networking & Edge Summit (ONES) enables collaborative development and innovation across enterprises, service providers/telcos and cloud providers to shape the future of networking and edge computing. Learn more and register today:

Industry Support for Fledge

“Advantech is pleased to be part of the Linux Foundation Fledge 1.8 project along with our solution partner, Dianomic,” said David Liu, director of IoT solutions and strategic alliances at Advantech. “Our company vision is to ‘Enable an Intelligent Planet.’ Open source application stacks for an industrial transformation, along with our rugged hardware, help complete that vision. As a leader in IoT intelligent systems and embedded platforms, we strive every day to better assist partners and customers in connecting their industrial chains through IoT hardware and software solutions with edge intelligence. The field-tested Fledge solution will play a key part in our continued efforts to co-create advanced solutions for a wide range of industries in the Industrial IoT.”

“Dianomic and OSIsoft were pleased to contribute the FogLAMP code to seed the Linux Foundation’s Fledge project for the Industrial IoT Edge,” said Tom Arthur, CEO Dianomic. “This first release of Fledge 1.8 is a mature, field-tested solution already operating in power generation, power transmission & distribution, water & wastewater processing, discrete manufacturing, mining and professional auto racing. We invite manufacturers, equipment suppliers, system integrators and partners to join our community as we grow THE open source application stack for industrial transformations.”

“For more than 40 years, FLIR thermal imaging has provided technologies for industrial users to improve their capabilities and safety on the job,”  said Chris Bainter, Director Global Business Development.  “Partnering with Dianomic we deployed our Ax8 and 300 series cameras using Fledge in energy substations and wastewater plants. Fledge easily and successfully integrated our sensor’s video, IR video and temperature reading outputs into our client’s existing operational, maintenance and safety systems. Fledge proved to Flir the future of open source for industrial 4.0 applications has arrived.”

“NEXCOM is proud to support FLEDGE from the Linux Foundation, establishing a growing line of preloaded and edge-enabled industrial gateways,” said Alexander Su. “The pre-configured products include the NIFE 105 for fixed assets, and the VTC 1910 targeted at transportation related use cases. In addition, NEXCOM has contributed code to the Linux Foundation supporting FLEDGE southbound plugins for CAN 2.0, J1708 and J1939, to provide real-time monitoring for fleet management. The MVS2623 with Coral intelligence, provides a powerful purpose-built gateway combining the flexibility of FLEDGE with the strength of Google’s Edge TPU, better enabling edge use cases like real-time object detection from IP or USB cameras.”

Janne Parantainen, head of technology, Nokia Digital Automation said: “We run Fledge 1.8 on our edge platform bringing the benefits of optimized wireless communication to the industrial protocol domain and enabling new use cases across multiple industries. Deployed as part of our Nokia Digital Automation Cloud, it offers a way to transfer legacy industrial protocol data to new solutions. Nokia Digital Automation Cloud provides 5G-ready, reliable wireless connectivity, industrial applications and industrial ruggedized devices for addressing Industry 4.0 needs.”

“OSIsoft’s PI System is the most trusted source of real-time operational data. We enable the collection, standardization, contextualization and federation of large volumes of industrial, operational data,” said Richard Beeson, CTO OSIsoft. “Fledge solves the diversity and complexity issues when collecting and processing data beyond the process control network. OSIsoft recommends all our industrial customers and partners begin their IIoT journey by integrating Fledge into their industrial 4.0 deployments and asks them to join our growing community.”

“As an Operation Technology (OT) solution provider that is actively venturing into the world of Industrial AI, RoviSys sees value in using Fledge to collect manufacturing and IIoT data from the plant floor, including connecting to historians and cloud-based advanced data analytic platforms,” said Bryan DeBlois, Director of Industrial AI RoviSys. “Furthermore, commercially supported FogLAMP enables us to implement vibration analysis, apply machine learning models and detect anomalies to predict quality, improve maintenance, and monitor setpoints. This helps our customers minimize downtime and maximize production efficiencies across their entire operation.”

TQS Integration
“With Fledge, industrial manufacturing now gets the technology needed to acquire datasets from sources that had previously not been able to cross the threshold of traditional cost-benefit analyses. Fledge is uniquely placed to solve data collection on the edge, and within existing process control networks, providing customers the flexibility to apply Industry 4.0 technologies with their entire infrastructure,” said Tom Quilty, director of Technology for TQS Integration. “With Fledge, we can advance our customer’s ability to maximize their current investments, maximize the value gained from IIoT devices and accelerate time-to-value for Industry 4.0 applications.”

“WAGO, a technology leader of industrial control and interconnect products, strives to be the backbone of a smart connected world.  This backbone is created  through constant innovation and empowered connections with our customers and industry partners.  Technologies like the Linux Foundation’s Fledge 1.8, and partners like Dianomic help our customers realize their true potential and expand on what is possible in an industrial control system.   The WAGO 750 Series has millions of units installed globally and supports applications with over 300 IO modules and more than 16 industrial fieldbus protocols offered.  Leveraging WAGO with Linux & Docker capabilities  provides the means to  add IIoT platforms like Fledge and benefit from all that Fledge offers to simplify cloud integration, management, and orchestration. Employing WAGO for ease of field wiring, data collection and/or control tasks while using the IEC 61131-3 PLC runtime and integrating it with the possibilities of Fledge creates a powerful platform for a smart connected world.”

“The most successful organizations going forward will have a model strongly rooted in an open philosophy that facilitates interoperability and agility, and the industrial market is no exception,” said Jason Shepherd, VP Ecosystem, ZEDEDA. “Dianomic’s FogLAMP offer is tailored to the unique needs of industrial customers and their open source foundation hosted in LF Edge helps customers mitigate lock-in and focus on value creation rather than reinvention. We look forward to working with Dianomic within our growing ecosystem to address critical business needs for industrial customers.”

The post Fledge, an LF Edge Project, Enters Growth Stage as Release 1.8 Enables Open Industrial Edge Software with AI/ML, and Public Cloud Integration appeared first on The Linux Foundation.

Open Mainframe Project Announces the Full Schedule for the Inaugural Open Mainframe Summit on September 16-17

Fri, 07/31/2020 - 02:51

The open source mainframe virtual event features keynote speakers from Broadcom, Hyperledger, IBM, and The Linux Foundation

SAN FRANCISCO, July 30, 2020 – The Open Mainframe Project (OMP), an open source initiative that enables collaboration across the mainframe community to develop shared tool sets and resources, today announces the complete schedule of the inaugural Open Mainframe Summit. The virtual event takes place September 16-17 and will feature Ross Mauri, General Manager of IBM Z and LinuxONE at IBM; Greg Lotko, Senior Vice President and General Manager, Mainframe Division at Broadcom; Brian Behlendorf, Executive Director of Hyperledger; and The Linux Foundation’s Jim Zemlin, Executive Director, and John Mertic, Director of Program Management.

Open Mainframe Summit will focus on all open source projects and technologies impacting the mainframe. The event enables a collaborative environment that offers seasoned professionals, developers, students and leaders a forum to share best practices, discuss hot topics, and network with like-minded individuals who are passionate about the mainframe industry.

Conference Sessions Include:

  • COBOL and the Modern Mainframe Movement – Jessielaine Punongbayan, Senior Software Engineer and Richelle Anne Craw, Senior Software Engineer, Broadcom
  • Beyond the Mainframe Security Features, it is Time to Learn about Open Source Software Security – Javier Perez, Open Source Program Office Manager, IBM
  • How Two Millennials Built a Mainframe Security Model on Top of Zowe in Six Weeks (and yes it works on all ESMs) – Kyle Beausolei, Software Engineer and Jordan Filteau, Software Engineer, Rocket Software
  • Cloud Foundry Orchestrated by Kubernetes on Linux on IBM Z – Vlad Iovanov, Software Engineer, SUSE and Dan Pavel Sinkovicz, Student Mentee
  • How Zowe and Open Source Made me Talk to the Mainframe (literally) – Youngkook Kim, Z/LinuxONE Solutions Architect, Vicom Infinity
  • Zowe Conformance: High-reliability Extensions for Mainframe Tools, Guaranteed – Rose Sakach, Global Product Manager, Broadcom
  • Open Source infrastructure-as-a-Service Automation for IBM z/VM – Mike Friesenegger, Solutions Architect, SUSE and Ji Chen, IBM Cloud Infrastructure Center Architect, IBM
  • A 360 Degree View on LinuxONE Security & Compliance – Pradeep Parameshwaran, Technical Security Lead, LinuxONE & Linux on IBM Z, IBM

See the full conference schedule here. Conference Registration for the online event is $50 for general attendance and $15 for academia.

Open Mainframe Summit is made possible thanks to Platinum Sponsor Broadcom and Gold Sponsors SUSE and Vicom Infinity.  For information on becoming an event sponsor, click here.

Members of the press who would like to request a press pass to attend should contact Maemalynn at

About the Open Mainframe Project

The Open Mainframe Project is intended to serve as a focal point for deployment and use of Linux and Open Source in a mainframe computing environment. With a vision of Open Source on the Mainframe as the standard for enterprise class systems and applications, the project’s mission is to build community and adoption of Open Source on the mainframe by eliminating barriers to Open Source adoption on the mainframe, demonstrating value of the mainframe on technical and business levels, and strengthening collaboration points and resources for the community to thrive. Learn more about the project at

About The Linux Foundation

The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and commercial adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: Linux is a registered trademark of Linus Torvalds.


The post Open Mainframe Project Announces the Full Schedule for the Inaugural Open Mainframe Summit on September 16-17 appeared first on The Linux Foundation.

Solving technical debt with open source

Thu, 07/23/2020 - 01:20

In a new Linux Foundation paper, Technical Debt and Open Source Development, co-authored by Ibrahim Haddad, Ph.D. and Cedric Bail, M.Sc., the causes and consequences of technical debt are explored in detail. It includes discussions on identifying technical debt, how to minimize it, the role of open source development, and strategies to address the issue at scale.

The authors worked together within the Open Source Group at Samsung Research and directly experienced minimizing internally carried technical debt via working with upstream open source projects. That experience covered dozens of open source projects used across multiple products and business units with varying degrees of involvement and expertise with upstream development. 

The definition of technical debt

Technical debt, a term used in software development, refers to the cost of maintaining source code that was caused by a deviation from the main branch where joint development happens. 

A broader interpretation of what constitutes technical debt is proprietary code by itself:

  • A single organization has developed it.
  • It is source code that the organization alone needs to carry and maintain.
  • In some cases, the organization depends on a partner’s ability to maintain the code and carry that said debt.

The following symptoms can identify technical debt:

  • Slower release cadence: time increases between the delivery of new features.
  • Increased onboarding time for new developers: onboarding new developers becomes highly involved due to code complexity, where only insider developers are familiar with the codebase. The second manifestation of this symptom is the difficulty in retaining developers or hiring new developers.
  • Increased security issues: at the least, experiencing more security issues than the main upstream branch.
  • Increased efforts to maintain the code base: maintenance tasks become more time consuming as the body of code to maintain becomes larger and more complex.
  • Misalignment with the upstream development cycle: illustrated by the inability to keep pace and stay aligned with the upstream development and release cycles.

Consequences of technical debt

Creating and carrying technical debt will have several negative effects on development efforts, including:

  • The higher cost of code maintenance. 
  • Slower innovation and development cycles.
  • Paying interest on the debt — payment of technical debt is in the form of additional development needed to keep up with the main branch, the competition, and the rest of the world.
  • Possibly missing on new features in the main branch or having to backport all new development into the forked branch internally. 
  • Duplicate work with the main branch arising due to the delta between the internal and public branches being too large.

The worst possible consequence is the effect on the long term maintainability of the code base where organizations often find themselves maintaining their fork.

In many cases, tech debt is unavoidable short term. Carrying technical debt is mostly a decision that developers need to make all the time. The long term goals of any engineering effort should be to minimize and eliminate any tech debt resulting from any development effort. With proper policies, processes, training, and tooling, organizations can help mitigate and guide the engineering efforts towards lowering tech debt.

Open source has a significant role, and aligning your development efforts with upstream open source projects can result in a direct positive impact on the amount of the tech debt an organization carries. Just as financial debt involves paying interest, technical debt has a different kind of interest that needs to be carried: It’s not interest-free!

Technical debt hinders your development and prevents new growth. By transferring your technical debt to become part of the open source world's infrastructure, you lower it and build on the shoulders of a giant that keeps growing.

To download Technical Debt and Open Source Development, click on the button below.


How open source development provides a roadmap for digital trust, security, safety, and virtual work

Wed, 07/22/2020 - 21:00

During COVID-19, we’ve all seen our daily lives, and those of many of our colleagues, friends, and family around the world completely changed. Many are adjusting to working from home and homeschooling their children, or caring for family and those with the virus. At the same time, billions worldwide are connected, sharing, and working together virtually despite their daily routines and working arrangements changing drastically. 

While there’s no disputing that the pandemic will dominate our collective attention for months to come, it’s a natural time to reflect on what is essential. It’s also a natural time as open source developers to consider how we should prioritize the most impactful work, and collaborate on technology development that can influence our world, for the better, after COVID-19. 

We’ve seen an uptick in interest around open source, in particular, as a means of helping humanity through these challenging times. What better way to solve a problem that affects all of us, collectively, than to share and build solutions to our problems, together? 

Here we outline the trends we’re seeing shape technology development in this unprecedented time. We believe this can also provide insight into what a post-COVID world may look like. 

Open collaboration embraces remote work and provides a guide for others

Open source developers have always fostered a sense of adaptability. It’s always been a critical skill needed to work on any open source project — we’re ready to meet the challenges of this moment. All of us hope for a quick return to normalcy, but we know that it will likely be months (hopefully not years). 

The Linux Foundation is also conscious of the economic reality facing the world as economists and accountants tally the cost of this pandemic. Like our communities, we are seeking to optimize for a new reality, but also working to redeploy and transition employees into new areas to fill in gaps where they can be most helpful to our communities. 

Open source communities during this time have been resilient. Open source software development by its very nature happens, and thrives, amongst a distributed group around the world. Many individuals in our communities are already working in a distributed virtual environment on their open source collaboration efforts.

Open source communities are still moving forward. As the world quickly migrated to virtual work environments, the online developer communities familiar with working together virtually had a pretty smooth transition, or in some cases, no disruptions at all. We are seeing many open source communities push forward despite all the challenges around them at home and in their local communities. Given their experience working in virtual environments, many open source community members and organizations are sharing their best practices and helping others adapt to working virtually. 

Developers helping coronavirus response with open source software and hardware solutions

It’s uplifting to see so many in our community contributing to the fight against this virus, whether it be providing supercomputer access to scientific researchers, open source personal protective equipment (PPE), offering bots to help people assess their symptoms, empowering doctors with access to diagnostic tools, supporting families struggling to transition to work and school from home, or contributing to relief efforts. We’ve also seen the medical industry and open source coming together to solve problems, such as an OpenLung project. As locales are starting to “reopen,” contact tracing will become critical, and we’re seeing communities form to address contact tracing application needs.

Governance and trust through applied open source governance models

We believe that the broader technology industry can use open source governance models to address more widespread industry challenges that could not be as easily solved with more traditional, proprietary solutions. Many blockchain open source software projects have arisen over the last few years that are now ready to support industry ecosystem and utility networks. We see early adopters moving beyond just software to addressing challenges with trust and verification in blockchain systems in our recently announced Trust over IP project.

In open source software communities, many organizations leverage nonprofits like the Linux Foundation to have a neutral home for an open governance model that no one company in the industry controls. We see a trend that those same principles apply in the case of the governance of an industry service built on blockchain technology with nodes contributed by multiple organizations. 

We expect to see initial governance communities emerge in 2020, focusing on identity and tracking and tracing use cases. Those initial communities will likely enable new applications and innovations that can be built on top of these industry and ecosystem platforms.

Open source at the edge of the network to address security, safety, and growth challenges

We’re also seeing trends of open source technologies becoming critical systems that are often viewed as the “last mile.” 

With open source becoming pervasive, we now have to think about these technologies as they support critical infrastructures. LF Energy and LF Networking are becoming more focused on economic and financial systems (see FINOS), and also safety systems (see ELISA).

Many other critical infrastructure systems have a severe impact if they fail. With open source software underpinning these critical systems, we need to figure out how to manage these systems. To succeed, our members started with identifying and tracking what software is in a system (see SPDX) and how to maintain software over a very long lifespan (see Civil Infrastructure Platform).

Additionally, LF Networking & LF Edge are seeing a significant uptake in developer contribution as 5G, Edge, IoT, and Network Automation become increasingly crucial in the enterprise.

Securing the software supply chain

Beyond identifying the software (open source or not) in a system, the software supply chain deserves more security attention. We started exploring this issue within our Core Infrastructure Initiative and its Census I and Census II studies, and the practical challenges of managing supply chains in our OpenChain project. Looking out through the end of the year, we expect to explore the problem from the perspective of maintainers. We hope to see additional resources to help fix broken projects, increase the adoption of standards, and help address the challenge in its entirety. A challenge this large requires the community to come together and focus its efforts on solving security problems, together. We think the industry is ready and able to take this on.

Embracing and creating open standards

The fourth trend we’re looking at this year is a convergence of standards and open source. This trend has been increasing over the past few years, but we’re now at a point where organizations better understand where standards play a role and where open source plays a role. Standards development is a collaboration that can happen with open source implementations, often trailing an open source implementation. Open source software development has turned conventional standards development upside down — and inside out.

Within the Linux Foundation ecosystem, we have open technical communities building software and specifications. We also have communities that have identified interoperability points, processes, or frameworks for technology or managing technologies, that all benefit from being formally written as specifications. Standards are a natural next step in their journey as ecosystems coalesce around a common specified way of doing things. This year started with the Joint Development Foundation (JDF) being approved as an ISO PAS Submitter, making it possible for our communities to go from a specification repository to an international standard. We expect to see many more communities forming that are focused on a hybrid of standards and open source development.

In addition to its work with the JDF, LF Networking also has a great collaboration with other established standards development organizations to ensure harmonization of specifications and code in the open source projects that facilitate deployment for carriers globally. 

Conclusion: Life after defeating the virus

Finally, the last trend we wish to highlight goes back to the beginning of this article — we see a pattern of our communities adapting to help society move forward in the face of a pandemic. I’ve already covered some of the COVID-19 response initiatives above, but this is a different point.  

We’re seeing a shift to virtual events, remote work cultures, virtual “happy hours,” and other means of productively working together, virtually. Many of these practices will stick with us post-pandemic. Our organization is already exploring how to use virtual events to augment future physical events (yes, they will exist again). 

Virtual conferences may be a great path to offering more inclusive events where those of us unable to travel to an event physically can still find a way to participate at some level. We’re seeing the impact of virtual training and certifying professionals in freely available open source technologies — and it has a real impact on job prospects and employment. Virtual testing proctors have become an effective way to certify professionals. Similarly, virtual platforms can help facilitate mentorship and enable less experienced developers to find and connect with more skilled developers willing to lend a hand.

The coronavirus has opened the world’s eyes to the needs of systems and plans for pandemic situations. This year we will likely see technology communities and organizations adapt and develop the “playbook” for how the world does business in the face of a pandemic. But many of those practices will likely stay with us long after we defeat COVID-19. 


The ACRN™ Open Source Hypervisor for IoT Development Announces ACRN v2.0 and Functional Safety Certification Concept Approval

Tue, 07/21/2020 - 23:00

New hybrid-mode architecture expands the scope of the project to include industrial IoT and edge device use cases, delivers new flexibility in resource sharing across virtual machines and new levels of real-time and functional safety

San Francisco, Calif., July 21, 2020 – Project ACRN, an open source IoT hypervisor hosted at the Linux Foundation, today is announcing ACRN v2.0, which expands the scope of the project and introduces a new hybrid-mode architecture with a focus on industrial IoT and edge device use cases, delivering flexibility in resource sharing and new levels of real-time and functional safety for demanding workloads in both the automotive and industrial segments.

“The ACRN project is moving fast to address the increasingly complex requirements for IoT devices, networks and environments,” said Mike Dolan, senior vice president and general manager of projects at the Linux Foundation. “This speed and agility in development can only be achieved through collaboration and we’re happy to be able to support this important work.”

Eddie Dong, senior Principal Engineer, architect, and maintainer of Project ACRN said, “The rapid evolution and development from version 1.0 to 2.0 in a year demonstrates the momentum of this project and the demand for a flexible, real-time, safety-critical, open source hypervisor for industrial players that are architecting mission-critical technologies.”

ACRN version 2.0
ACRN 2.0 uses a hybrid-mode architecture to support real-time industrial IoT workloads and edge devices and simultaneously supports both traditional resource sharing among Virtual Machines (VMs) and complete VM resource partitioning required for functional safety. Workload management and orchestration are also enabled now with ACRN, allowing open source orchestrators such as OpenStack to manage ACRN VMs. ACRN supports secure container runtimes such as Kata Containers orchestrated via Docker or Kubernetes.

ACRN 2.0 main features include:

  • ACRN architecture upgrade to support hybrid mode
  • New hardware platform support
  • Pre-launched Safety VM support
  • Post-launched VM support via OVMF
  • Post-launched Real-time VM support
  • Real-time VM performance optimizations
  • CPU sharing support
  • Large selection of OSes for user VMs
  • GRUB bootloader
  • SR-IOV support
  • Both passthrough and shared Graphics support
  • Shared memory based inter-VM communication
  • Configuration tools support
  • Kata Containers Support
  • VM orchestration
  • Improved Documentation

Rina Raman, Vice President and General Manager of the Embedded Acceleration Division at Intel Corporation said, “The fourth industrial revolution, characterized by a fusion of disruptive technologies, requires agility and the ability to consolidate heterogeneous workloads, some of which carry very strict requirements of Functional Safety certification or Real-Time behavior. With its 2.0 release, Project ACRN is now offering an open source hypervisor that makes such workload consolidation possible.”

Thomas Berndorfer, CTO, TTTech Industrial said, “ACRN 2.0 prioritizes the three key requirements for hypervisors today in the Industrial IoT and edge environments: functional safety, real-time, and flexibility for resource sharing among virtual machines. This set of features is uniquely found in ACRN. Contributing actively to the project allows us to shape the future of this critical and rapidly developing technology. ACRN delivers a flexible, real-time, open source hypervisor for industries that have the world’s most demanding mission-critical requirements.”

You can find details about these features and more in the ACRN 2.0 release notes:

ACRN Functional Safety Certification – Safety Concept Approval
ACRN has successfully received concept approval from TÜV SÜD Rail GmbH for its functional safety concept, design and management process in place. The concept approval letter claims that “ACRN Hypervisor is able to fulfill the requirements in accordance with SIL 3 of the IEC 61508 standard.” TÜV SÜD is a trusted partner of choice for safety, security, and sustainability solutions. IEC 61508 is considered as the “Golden Standard” in the functional safety industry. ACRN is on track to receive the final functional safety certification by the end of 2020.

About the ACRN Project
ACRN is a flexible, lightweight reference hypervisor that is built with real-time and safety-criticality in mind. It is optimized to streamline embedded development through an open source platform. ACRN Project members include ADLINK, Aptiv, Intel Corporation, LGE, and Neusoft Corporation. To learn more about the project, visit

About the Linux Foundation
Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more.  The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: Linux is a registered trademark of Linus Torvalds.



Media Contact
Jennifer Cloer


3D Printing Effort Becomes Linux Foundation Open Standards Project, Announces New Executive Director

Tue, 07/21/2020 - 23:00

3MF Consortium joins Linux Foundation, announces new executive director as it moves from development to adoption

San Francisco, Calif., July 21, 2020 – The 3MF Consortium, the organization dedicated to advancing a universal specification for 3D printing, today announced it is becoming a Linux Foundation member and that HP’s Luis Baldez is its new Executive Director (ED). Baldez supersedes Microsoft’s Adrian Lannin, who has served as ED since the 3MF Consortium was founded in 2015. Among the original creators of the 3MF Consortium, Lannin will remain a strategic advisor to the group.

The 3MF Consortium is among the original members of the Joint Development Foundation (JDF), which became part of the Linux Foundation in recent years to enable smooth collaboration among open source software projects and open standards. 3MF will take advantage of the combined strengths of the Linux Foundation/JDF alliance to advance 3D printing specifications and formats. With the majority of the world’s largest players in the 3D printing industry, 3MF Consortium represents the core of the industry’s innovation in this area.

“The 3MF Consortium has done the important work to create an open standard for 3D printing. The time is now to drive the evolution of 3MF from development to adoption,” said Luis Baldez, executive director, 3MF Consortium. “We would not be where we are today without Adrian Lannin’s leadership and contributions, and we’re looking forward to his insights as our ongoing advisor.”

Baldez was recently elected Executive Director by the 3MF Consortium membership to expand upon the technical progress and success of the 3MF standard by building new functionalities for the standard through collaboration with Linux Foundation and JDF. Baldez is a 3D printing veteran with experience across new technology business development. It is this combination of expertise that makes him well-suited for the ED role at 3MF Consortium, where the focus is maturing from standards development to implementation and adoption. Baldez has also held R&D engineering leadership positions at other multinationals and startups.

“Luis is a longtime champion of open standards and is an expert in the 3D printing space,” said Alex Oster, chairman of the 3MF technical working group and director of additive manufacturing at Autodesk. “Luis’ leadership and our collaboration with Linux Foundation will accelerate our work on 3D printing and help us build an even more vibrant network of contributions.”

The 3MF Consortium has grown rapidly since its formation in 2015, garnering new member investments and adoption across the industry’s leaders in 3D printing. It is supported by 3D Systems, Autodesk, GE, HP, Materialise, Microsoft, nTopology, Stratasys, and Siemens among 16 companies and has been implemented in nearly 40 products across 22 companies. The 3MF specification is robust and includes six extensions that range from core and production to slice, material and property (including color), beam lattice and security. The Secure Content specification was recently released and establishes an underlying mechanism for payload encryption of sensitive 3D printed data based on modern web standards. For the detailed specifications for all extensions, please visit the 3MF Consortium GitHub repository:

For more information about the 3MF Consortium, please visit:

About the 3MF Consortium
The 3MF Consortium is comprised of leading AM hardware and software companies driving the Industry 4.0 revolution. The consortium releases and maintains the 3MF specifications that allow design applications to send full-fidelity 3D models to a mix of other applications, platforms, services, and printers. For more information, please visit:

About the Joint Development Foundation
Launched in 2015, the Joint Development Foundation (the Joint Development Foundation) is an independent non-profit organization that provides the corporate and legal infrastructure to enable groups to quickly establish and operate standards and source code development collaborations. More information about the Joint Development Foundation is available at


Open Source Communities and Trademarks: A Reprise

Thu, 07/09/2020 - 04:37

Intellectual property and how it is shared have been the cornerstone of open source. Although it is more common to discuss “code” or “copyright,” there are other IP concerns around patents and trademarks that must be considered before investing time and effort in a major open-source project. There are long-established practices that govern these matters. Companies and lawyers involved in open source have been working on and evolving open source project trademark matters for decades.

Neutral control of trademarks is a key prerequisite for open source projects that operate under open governance. When trademarks of an open source project are owned by a single company within a community, there is an imbalance of control.  The use of any trademark must be actively controlled by its owner or the owner will lose the right to control its use. The reservation of this exclusive right to exercise such control necessarily undermines the level playing field that is the basis for open governance. This is especially the case where the trademark is used in association with commercial products or solutions. 

Open source licenses enable anyone to fork the code and distribute and modify their own version. Trademarks, however, operate differently. Trademarks identify a specific source of the code. For example, we all know MariaDB is not the same as MySQL. They’ve each developed their own brand, albeit they’re derived from a common codebase. The key question is who decides when a company should be allowed to associate its product or solution with the brand of the community?

A trademark is a word, phrase or design that denotes a “brand” that distinguishes one source of product or solution from another. The USPTO describes the usage of trademarks “to identify and distinguish the goods/services of one seller or provider from those of others, and to indicate the source of the goods/services.” Under US trademark law you are not able to effectively separate ownership of a project mark from control of the underlying open source project. While some may create elaborate structures around this, at the end of the day an important principle to follow is that the project community should be in control of what happens to their brand, the trademark they collectively built up as their brand in parallel with building up the functionality of their code. 

For this reason, in communities that deem their brand important, we also file registrations for trademark protection to reserve the rights in the mark for the project, commonly in the United States, China, European Union, Japan, and other countries around the world. Registered marks will often have a ® symbol. This is different from a common law trademark right where you often see a ™ symbol with the mark. Having a registered trademark is often important because it enables us to better protect the community against misrepresentation, misuse, and confusion in the ecosystem between what is actually the community-built project, and what is not. This is often based on specific benefits that arise from the registration, which may vary from country to country.

The Linux Foundation started hosting projects outside of Linux a decade ago. From the outset, the brand of a project community we host has been an important asset that we have been asked to protect for our communities. The communities’ goals and motivations are always different, but, in general, the organization contributing a trademark usually wants to ensure it denotes the community they’re helping to establish at the LF, and the other participants in the ecosystem want the confidence that one company can’t tell them what they can or cannot do with a project we host because they retained ownership of the trademark.

This neutrality is the very essence of what we try to establish at the Linux Foundation with our projects. Our projects are set up to be neutral – the Linux Foundation or our project entities own the mark. We then put the control over decisions about the mark into the hands of our project communities, to be determined by them in an open and transparent manner to achieve their collective goals.

For example, in March of 2017, we participated in a meeting hosted at a KubeCon in Berlin, where the organizations involved in Kubernetes sat down in a packed room to discuss what they wanted to do with the Kubernetes brand as it related to companies using Kubernetes in conjunction with their commercial products or solutions. When drafting the governance for CNCF, Google had insisted it was important for the Linux Foundation to also own the Kubernetes mark as part of CNCF—so that branding control would go hand in hand with neutral, community-driven governance. 

However, the LF was not in a position to determine when one company should or should not be able to say their solution was a “Kubernetes”-based product. We needed a program to allow companies and other organizations to use the trademark commercially to denote their distribution or compatibility with the community’s Kubernetes releases. That initial group worked for months to define what it means to have a conformant Kubernetes distribution. That’s also why the promise of portability amongst cloud providers actually works today. Those technical experts from the community as a whole defined exactly what it would take to deliver on the promise of portability. And then the definition of conformance that they established has been backed up by the neutral ownership of the Kubernetes trademark, in the Linux Foundation. What’s even more important is that the community remains in control of the program. In fact, the definition of conformance is controlled by Kubernetes’s SIG Architecture and changes in a carefully controlled process in each release as new APIs become stable and obsolete ones are deprecated. 

This same story has played out in other communities we have hosted. We’ve had many communities build consensus around what it means to be compatible or conformant with the releases coming from our project communities. So many that we recently wrote an entire blog just about the topic.

What these examples show is that a community can neutrally manage a trademark within the LF’s structure. We tend to refer to these as “community-managed trademark” programs. The marks are owned by the LF entity for the project, and we work with the communities we serve to establish the rules around usage of our marks.

Recently there has been a new round of conversations about open source projects and ownership of trademarks. Understandably there has even been concern that open source hasn’t addressed issues of trademarks as it relates to major OSS projects. This is not the case. While the motivations vary, one aspect remains constant: trademark law. 

We’ve been asked, “can we have the LF manage our trademark too?” The answer is yes. Let us know what project you’re managing and we’re happy to help you understand what’s involved in setting up a community-managed trademark program for your project. To date, we have successfully done this for the most important open source projects in the world and projects that are the most important to a few people. We can probably help support you as well.


Understanding US export controls with open source projects

Wed, 07/08/2020 - 21:01

Chinese Language Version Available


One of the greatest strengths of open source development is how it enables collaboration across the entire world. However, because open source development is a global activity, it necessarily involves making available software across national boundaries. Some countries’ export control regulations, such as the United States, may require taking additional steps to ensure that an open source project is satisfying obligations under local regulations.

The Linux Foundation has recently published a whitepaper that covers considerations for open source communities in detail, which can be downloaded here. This blog post is a summary of the general principles open source communities should be aware of and follow as they relate to both US export control requirements and open source encryption.

Export controls in the United States and other countries

The primary source of United States federal government restrictions on exports is the Export Administration Regulations, or EAR. The EAR is published and updated regularly by the Bureau of Industry and Security (BIS) within the US Department of Commerce. The EAR applies to all items “subject to the EAR,” and may control the export, re-export, or transfer (in-country) of such items.

Under the EAR, the term “export” has a broad meaning. Exports can include not only the transfer of a physical product from inside the US to an external location but also other actions. The simple act of releasing technology to someone other than a US citizen or lawful permanent resident within the United States is deemed to be an export, as is making available software for electronic transmission that can be received by individuals outside the US. 

This may seem alarming for open source communities, but the good news is open source technologies that are published and made publicly available to the world are not subject to the EAR. Therefore, open source remains one of the most accessible models for global collaboration.

For the purposes of compliance with the EAR, if the open source technology is publicly available without restrictions upon its further dissemination, then it is “published” and therefore “not subject to” the EAR. 

In addition to the United States, the European Union has similar provisions under its own export control regulations.

What kind of open source projects are not subject to the EAR and export restrictions?

All of them. Open source software from the Linux Foundation and project communities we work with is published and made available to the public without restrictions on further dissemination or distribution of the software. 

The following typical scenarios (but not an exhaustive list) are not subject to the EAR because “open source” is “published”:

  • Open source software that is published publicly is not subject to the EAR
  • Open source specifications that are published publicly are not subject to the EAR
  • Open source files that describe the designs for hardware that are published publicly are not subject to the EAR
  • Open source software binaries that are published publicly are not subject to the EAR

To meet the requirement of “published” under the EAR, however, open source communities may need to take an additional step if the project includes encryption technology.

Projects that use encryption

The EAR regulates exports of certain encryption software and technology. The definition of “encryption software” is very broad and can include software that merely activates or enables encryption features in another software or hardware product.

However, as with the EAR exemption for software that is published, there is also an exemption for software that uses encryption if (1) it is “publicly available,” and (2) an email notification has been sent for it to the addresses listed in that section.

To meet the first of the exemption requirements, the meaning of “publicly available” refers to the EAR’s definition of “published,” which includes public dissemination by posting on the Internet on sites available to the public. Given this, the first part of the test should be met for all fully-public open source software projects: if the project’s source code is openly available on the Internet, then it should be considered “publicly available.”

To meet the second of the exemption requirements, it is additionally necessary to send an email to two specified addresses, one at BIS and the other at the US National Security Agency (NSA). The email should include the URL of the publicly-available code (or a copy of the code itself). An updated notification should be sent later if the previously-provided URL or copy has changed.

Once these two requirements are satisfied, the project’s corresponding object code is also not subject to the EAR.

At The Linux Foundation, the source code for all of our projects, including encryption software, is publicly available, and we have provided email notices as described above. We also make copies of these email notices publicly available for viewing on the LF’s website. As a result, the Linux Foundation’s project source code and corresponding object code are not subject to EAR encryption restrictions.

Please keep in mind that this applies only to the open source project itself. Downstream redistributors of modified project code or products derived from it, where the source code is not publicly available, would still need to evaluate their own compliance with the EAR (just as with any other software that they export).

In addition to projects that use encryption, the EAR added a new regulation in January 2020 for systems that employ a certain use of neural network-driven geospatial analysis training. As with other open source technologies that are publicly available, open source software that is published and publicly available, even in this category of neural network-driven geospatial analysis training, would also not be subject to the EAR. Please refer to our full whitepaper for more explanation.

Best practices for open source software communities

While open source projects are exempt from EAR restrictions, there are a few practices we have learned or developed that may be helpful for all open source communities as they relate to export regulations.

We often use the word “open” to mean many things: an open source license, open and transparent discussions, open community, openly available source code on a public repository. “Open” may seem an obvious practice for open source communities, but the following are some specific recommendations for communities to consider. 

Be open and be public

First, communities should strive to keep their technical conversations open and public. If private technical conversations happen within communities, that’s normal, but it is recommended to make the community decisions and outcomes publicly available. It is important for our projects to make information available transparently and publicly as the private exchange of technology or technical information may not meet the “publicly available” standard according to the EAR.

One question that has come up has to do with exchanges of information related to security issues under a security disclosure process. As a best practice, projects may want to consider making exchanges like this public upon the availability of fixes, and not limit this information to only a confidential disclosure list.

Send notifications of encryption to BIS and the NSA

If your open source software project implements or uses encryption functionality classified under ECCN 5D002, you will likely want to deliver a notification of encryption to the BIS and the NSA according to the EAR requirements. The EAR describes these requirements:

    • Send an email to and If your project is an LF project and your notice is not listed on our export website, please notify
    • The email should contain either the URL of the publicly available encryption source code or a copy of the source code itself. 
    • If you provided a URL to a site where you posted the source code on the Internet, you must notify by email again each time the Internet location is changed, but you are not required to notify them of updates or modifications made to the encryption source code at the previously notified location.
    • If you provided a copy of the source code, and you update or modify the source code, you must also provide additional copies to each of them each time the cryptographic functionality of the source code is updated or modified. 

The Linux Foundation suggests a few additional details as best practices:

  • Make publicly available copies of the notices that were delivered to BIS and NSA, in order to increase transparency and visibility of compliance. This also helps with your community of downstream users who may wonder “do they send notices?” You can prevent concerns by making the notices themselves public.
  • Include contact information and, where applicable, the name of the particular legal entity that is responsible for the project.
  • Establish a system to ensure that you maintain evidence, for a medium- to long-term period of time, that the notification emails to BIS and NSA were in fact delivered. Relying solely on an individual’s “Sent” mailbox records may not be preferable if a question arises in the future, or if that individual loses access to that Sent mailbox (e.g. if they change employers).

Additionally, if you are distributing publicly available encryption software in object code form, then you will also want to ensure that it is publicly available in source code form as well.

If it is necessary to distribute encryption software in binary or object code form, then ensure that the corresponding source code is publicly available. The easiest way to do this is to make available the source code for that version of the encryption software yourself, as part of the project’s own code. (In fact, depending on the applicable open source license, this may be necessary or at least useful in complying with that open source license as well!)

In addition to manual review, there are some scanning tools (such as Fossology and exportctl) with varying degrees of ability to scan source code and detect usage of encryption functionality. No automated scanning tool is likely to be a perfect detector of all applicable uses, but these may be helpful in identifying copies of encryption software in a large codebase.


The post Understanding US export controls with open source projects appeared first on The Linux Foundation.


Wed, 07/08/2020 - 21:01





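The Export Administration Regulations (hereinafter “EAR”) are the US federal government’s primary regulations restricting exports; they are published and regularly revised by the Bureau of Industry and Security (hereinafter “BIS”) within the US Department of Commerce. The EAR applies to all items “subject to the EAR,” and may control the export, re-export, or (in-country) transfer of such items.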








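  • Open source software that has been published publicly is not subject to the EAR
  • Open source specifications that have been published publicly are not subject to the EAR
  • Open source documents describing hardware designs that have been published publicly are not subject to the EAR
  • Open source software binaries that have been published publicly are not subject to the EAR

However, if a project involves encryption technology, the open source community may need to take some additional measures to meet the EAR’s “published” requirement.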





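To meet the second part of the above test, it is also necessary to send an email to two specified email addresses (one is the BIS email address, the other is the email address of the National Security Agency, “NSA”). The email must include the URL of the publicly available source code (or the source code itself). If the URL or the source code changes in any way, the above addresses must be notified again by email.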












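If your open source software project implements or uses encryption functionality covered by ECCN 5D002, then under the EAR’s requirements you will need to send a notification of encryption to BIS and the NSA. The EAR’s specific requirements are as follows:

  • Send an email to. If your project is an LF project and your notice does not appear on our export control page, please send a notification to
  • The email should include either the address of the website where the encryption source code is publicly available, or the source code itself.
  • If you provided a website address, you must send a notification by email each time the website address changes, but you do not need to notify them of updates or changes to the source code itself.
  • If you provided the source code itself, you must provide the latest source code each time the encryption functionality is updated or changed.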


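  • To increase transparency and demonstrate compliance, make the notices submitted to BIS and the NSA public. This also helps resolve downstream users’ doubts about whether the community has sent notices. By making the notices public, you can avoid these concerns.
  • Include contact information and the name of the legal entity responsible for the project.
  • Design a system that retains evidence for the medium to long term (proving that the notification emails sent to BIS and the NSA were in fact delivered). Relying only on “Sent” mailbox records is not a good approach if a problem arises in the future or if the individual can no longer access that “Sent” mailbox (for example, if the sender has changed jobs).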



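In addition to manual review, there are some scanning tools of varying capability (such as Fossology and exportctl) that can scan source code and detect the use of encryption functionality. No automated scanning tool can perfectly detect every use, but these tools may help identify encryption software in a large codebase.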



The post Understanding US Export Controls for Open Source Projects appeared first on The Linux Foundation.

Understanding Open Source Technology & US Export Controls

Wed, 07/08/2020 - 21:00
Open development enables global collaboration: a guide for companies using and developing open source technology

Author: The Linux Foundation

The post Understanding Open Source Technology & US Export Controls appeared first on The Linux Foundation.

Driving Compatibility with Code and Specifications through Conformance Trademark Programs

Thu, 07/02/2020 - 23:54

A key goal of some open collaboration efforts — whether source code or specification oriented — is to prevent technical ‘drift’ away from a core set of functions or interfaces. Projects seek a means to communicate — and know — that if a downstream product or open source project is held out as compatible with the project’s deliverable, that product or component is, in fact, compatible. Such compatibility strengthens the ecosystem by providing end-users with confidence that data and solutions from one environment can work in another conformant environment with minimal friction. It also provides product and solution providers a stable set of known interfaces they can depend on for their commercially supported offerings. 

A trademark conformance program, which is one supporting program that the LF offers its projects, can be used to encourage conformance with the project’s code base or interfaces. Anyone can use the open source project code however they want — subject to the applicable open source license — but if a downstream solution wants to describe itself as conformant using the project’s conformance trademark, it must meet the project’s definition of “conformant.” Some communities choose to use words other than “conformant” including “certified”, “ready”, or “powered by” in association with commercial uses of the open source codebase. This is the approach that some Linux Foundation projects take to maintain compatibility and reduce fragmentation of code and interfaces. 

Through this approach, we enable our projects to create flexible, custom-tailored conformance programs to meet the needs of their respective communities. In fact, our conformance programs can operate as open source projects themselves (see, for example, ). They incorporate a balance of interests from vendors, end-users, and contributors to the project and enable the community to define how the commercial ecosystem participants can leverage the use of the community’s mark. 

Products or solutions that meet the requirements of the trademark conformance program can use the conformance program’s trademark. Those that do not meet its requirements, cannot. If the project community learns that someone is misusing a conformance program trademark — say using the mark to show compatibility without achieving all of the requirements of the conformance program — the community could work with the LF to take steps to advise them on how they can come into conformance with the program requirements, or discontinue their use of the trademark.

How Can an Open Project Establish a Conformance Trademark Program?

When our projects establish a conformance program, we recommend that they follow these basic steps:

    1. Determine what you want the trademark to signify.

Are you interested in showing compatibility with a core segment of project code or interfaces? Do you want this mark to indicate backward compatibility? Do you want the mark to imply a certain level of ‘rigorousness’ of compatibility? How broad or narrow a focus of compatibility are you interested in (e.g., all of the code base, or a key portion)? Does a “compatible” solution necessarily need to use the underlying open source codebase at all, or just present a compatible interface? 

This question is best addressed by involving interested stakeholders across business, marketing, and technical functions in discussions to settle on the intended meaning of the mark. Relevant stakeholders will likely include the project developers; downstream vendors who develop products based on the project’s outputs; and potential customers and end-users of those vendors.

A conformance program’s guiding star should be to ensure neutrality and objectivity in the conformance definition’s metrics. In order for an ecosystem to accept that the conformance trademark has relevance, it should be tied to a specific, articulated definition of what it does and doesn’t include. If the definition of conformance includes aspects of subjective evaluations by the project members, the result may be a perception that non-technical considerations such as favoritism were used as factors — and that the mark is not a reliable indicator of technical functionality. Objective criteria that are applied neutrally can help to avoid such a perception. In addition, the process by which the mark or requirements are defined should be specified and made known.

    2. Decide upon the specific requirements of conformance.

Once you have identified what you want the trademark to signify, you can craft a specific set of requirements necessary for a product to be able to use the conformance trademark. These requirements should also be developed within the community, and the development of these requirements is often closely tied to the work in item 1 above.

Additional questions to consider are:

      • How long can a product or solution provider claim compatibility, and against what version(s) of the open source project? How many future versions will that conformance be valid for?
      • Will the community create a test suite to provide an objective “pass / fail” determination for compatibility, or rely on more subjective considerations? (ideally, the answer should be the former)
      • What triggers a requirement for a vendor to re-test and confirm that their solution remains conformant — every time a change is made, or after a set period of time, or only if/when complaints are received from the community, or something else?

    3. Determine how products and solutions will be qualified as meeting the requirements of the conformance program.

There are many approaches that our projects take with respect to qualifying products or solutions, and they range in expense from none/nominal to significant. A common approach is to publish the requirements and allow self-certification with the requirements via a registration page. The project would then publish a current list of all registrants so that end-users could — by way of the project’s web site — know that a particular vendor had self-certified their product as meeting the requirements. Depending on the nature of the project and the conformant vendors’ solutions, end-users themselves might be able to run the same set of self-tests on the solutions, to confirm compatibility for themselves. In some cases, end users may use the same tests to keep their internal teams conformant in their internal deployments. Tooling costs are also a consideration for projects in setting up automated testing systems.

Another approach is to engage with third-party test labs that will test whether submitted products or solutions, in fact, meet the conformance program requirements. This model may also be set up by publishing criteria or requirements that a test lab can follow to offer conformance program testing.

As you can imagine, the expense involved in contracting with third-party test labs can be significant. Many of our communities choose to lower barriers to entry for the ecosystem and keeping costs low is often a priority.

    4. Publish the requirements and begin operating the trademark conformance program.

Maintain the program’s requirements in a highly visible manner, and begin accepting registration applications! Keep a list of certified solutions on the project’s website or code repository.

In fact, the development and administration of the conformance program itself can even be run as an open source project (see: 

Keep in mind that these programs will need to be maintained as well, especially as the project evolves and makes significant changes to its modules and interfaces. We often treat these conformance programs as their own open source collaboration that evolve with the project. 

Example Programs Employed by Projects Supported by the Linux Foundation

A number of our projects have trademark conformance programs. These include:

1. Certified Kubernetes®

The Certified Kubernetes program is run by the Cloud Native Computing Foundation (CNCF) and is intended to ensure that open source code and vendor products based on Kubernetes support the core APIs that make up Kubernetes. Vendors that are interested in using the Certified Kubernetes mark are required to submit conformance testing results to CNCF for review and approval. Additional information on the program can be found here:

2. ODPi Egeria Conformant

The ODPi Egeria Conformance program is intended to ensure both consistency and alignment with the interfaces developed by the ODPi Egeria project. The participation form and the terms and conditions of the program can be found here:

3. OPNFV Verification Program (OVP)

Created through collaboration between OPNFV and ONAP, two projects within LF Networking, OVP focuses on compliance, validation, performance, and interoperability testing for commercial NFVI (cloud platform infrastructure) implementations and VNFs (telco cloud applications). This conformance program is used to indicate that an OVP-branded product or solution:

      • Supports key behaviors, functions, and related APIs and packaging requirements of the OPNFV and ONAP release
      • Implements defined NFV functions
      • Supports end-to-end life cycle management interoperability among an NFVI/VIM built on the conformant products, applications designed to run on that infrastructure, and ONAP
      • Is a good candidate for internal testing by the operator in their own specific environment

Products or solutions that meet these requirements are then able to use the OPNFV Verified™ brand under the appropriate usage guidelines. The program supports both self-certification by vendors and testing via approved third-party labs. Detailed information on OVP can be found here:

4. Powered by OpenDaylight®

OpenDaylight is one of the technical code projects within our LF Networking umbrella which has a “Powered by OpenDaylight” conformance trademark program. Products using the mark are required to implement certain core sections of the open source code with the current release of OpenDaylight or the prior two releases. A FAQ on the program can be found here: 

The registration page for a company interested in applying to use the “Powered by…” trademark can be found here: 

The post Driving Compatibility with Code and Specifications through Conformance Trademark Programs appeared first on The Linux Foundation.

FinOps Will Drive Efficiency for DevOps

Thu, 07/02/2020 - 05:33

FinOps Foundation to Become Linux Foundation Effort

DevOps in the cloud has broken traditional procurement, which is now outsourced to engineers. Engineers spend company money at will and make financial decisions on cloud providers like AWS, GCP and Azure at rapid speed with little time to consider cost efficiency. Finance teams struggle to understand what is being spent on the cloud. Leadership doesn’t have enough input into how much will be spent or ability to influence priorities. Enter the concept of FinOps, and the need for a community of practitioners to advance best practices beyond vendor tooling, whose aim is to increase the business value of cloud by bringing together technology, business and finance professionals with a new set of processes.

That’s why we’re so excited to announce our intent to host the FinOps Foundation with the Linux Foundation to advance the discipline of Cloud Financial Management through best practices, education and standards. The FinOps Foundation focuses on codifying and promoting cloud financial management best practices and standards to help the community. It currently includes 1,500 individual members representing more than 500 companies and $1B in revenue. They include Atlassian, Autodesk,, HERE Technologies, Just Eat, Nationwide, Neustar, Nike, and Spotify among founding charter members.

Also part of today’s announcement is a new edX course, Intro to FinOps, which will give anyone interested in this area a primer on what it is and how to advance their career by becoming an expert in this emerging and critical discipline.

As the cloud native movement continues within organizations, understanding how to optimize the cloud infrastructure footprint through cultural change and engineering practices is critical. Technology and business leaders are seeking support for understanding how to manage cloud technologies and spending across their enterprises. The FinOps Foundation brings to bear the resources required to enable innovation inside the organization and will work together to define cloud financial management standards and advance the ubiquity of this discipline across industries.

The FinOps Foundation has grown significantly since its inception back in February 2019. We expect to support this burgeoning community and further accelerate growth and engagement. We invite you to get involved in this effort, no matter your role inside your company. As with any emerging discipline, the earlier you get involved, the better for your career.

The post FinOps Will Drive Efficiency for DevOps appeared first on The Linux Foundation.

The Linux Foundation Brings Together IT and Finance Teams to Advance Cloud Financial Management and Education

Mon, 06/29/2020 - 22:30

FinOps Foundation is becoming a Linux Foundation effort to increase education and best practices for emerging FinOps discipline; new edX course provides foundation for education and community growth

San Francisco, Calif., June 29, 2020 – The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced the intent to host the FinOps Foundation to advance the discipline of FinOps through best practices, education, and standards.

The FinOps Foundation includes 1,500 individual members across the globe, representing more than 500 companies with more than $1 billion in revenue each. In the same way that DevOps revolutionized development by breaking down silos and increasing agility, FinOps increases the business value of cloud by bringing together technology, business and finance professionals with a new cultural set, knowledge skills and technical processes. Companies represented among membership include Atlassian, Autodesk,, HERE Technologies, LiveRamp, Just Eat, Nationwide, Neustar, Nike, and Spotify, among others. To become a member and contribute to this work, please visit:

“Where there is technology disruption, there is opportunity for business transformation. FinOps is exactly this and represents a shift in operations strategy, process, and culture,” said Mike Dolan, vice president and general manager, Linux Foundation Projects. “This type of disruption and transformation is also where community and industry-wide collaboration play critical roles in enabling a whole new market opportunity. We’re pleased to be the place where that work can happen.”

The FinOps community is defining cloud financial management standards and is increasing access to education and certification for this discipline across industries. As part of this effort, the Linux Foundation is announcing a new, free edX course, Introduction to FinOps, to advance education and knowledge in this emerging area and to cultivate a growing community of professionals. This introductory course will cover the basics of FinOps and how it can positively impact an organization by building a culture of accountability around cloud use that helps companies make good, timely, data-backed decisions in the cloud. The course is open for enrollment now, and content will be available to begin on the edX platform July 21.

The FinOps Foundation is offering the FinOps Certified Practitioner Exam (FOCP) through the Linux Foundation, and more training and certification programs are expected later this year. Follow @LF_Training on Twitter or watch for more information and updates.

“Technology and business leaders are seeking support for understanding how to manage cloud technologies and spending across their enterprises and the FinOps Foundation brings to bear the resources required to enable them to innovate inside their companies,” said J.R. Storment, executive director of the FinOps Foundation. “With the Linux Foundation’s support, especially across its world-class training organization, we can serve this growing community.”

FinOps is the operating model for the cloud, which is resulting in a shift that combines systems, best practices, and culture to increase an organization’s ability to understand cloud costs and make informed business decisions. FinOps ensures that companies get the most value from every dollar spent in the cloud. It pushes accountability for spending to the edge where developers control purchasing decisions, and provides a new set of centralized processes to maximize efficiency of purchases and the ability to allocate spending to teams.

Cloud spending is forecast to exceed $360B by 2022, according to research firm Gartner, but finance teams have very little insight into where that spend is being allocated within their organizations. The result is uncontrolled costs that aren’t properly forecast or documented along with lack of standardized tooling, which can lead to major losses or errors in critical accounting practices. Procurement of IT infrastructure has moved from taking days or weeks to seconds or minutes, which has dramatically accelerated application development but dramatically decreased efficiencies in financial operations.

“As the cloud native movement deepens inside organizations large and small, understanding how to optimize the infrastructure footprint through cultural change and engineering practices is critical,” said Chris Aniszczyk, CTO, Cloud Native Computing Foundation (CNCF). “CNCF welcomes the FinOps Foundation to the Linux Foundation and we look forward to collaborating across communities to improve cloud financial management for all.”

Supporting Quotes


“The FinOps Foundation has helped us validate and grow our cloud financial management practices. Having the FinOps Foundation join the Linux Foundation is a great opportunity to see this community continue to develop FinOps practices from which we all benefit,” said Simon Beckett, team lead, Atlassian Cloud FinOps.


“As enterprises leverage public cloud providers, speed of development is increasing and also a risk of out of control costs.  FinOps provides a framework that brings together IT, Finance and Procurement teams and gives them a common language and processes that helps keep costs under control and keeps the focus on delivering business value. My team and I have connected with peers in the industry to get their insights and perspectives on common problems and to see what is coming next.  In addition there are opportunities for training and certification to take advantage of,” said Joseph Daly, director of cloud optimization, Nationwide.


“Pearson joined the FinOps Foundation in Feb 2019 as we launched our global team internally. Since then we have leveraged resources from the F2 membership calls, networked within Slack with other practitioners and been able to present back to the share many of our lessons learned along this journey. Being an education company it’s critical we are always learning. Early 2020, Pearson was able to do a private workshop with the foundation where all 8 of our team members attended the 8 hour workshop and successfully received certification. We immediately leveraged discussions in the workshop and started building our 2020 roadmap. We began mapping our milestones to the F2 principles and using the “crawl, walk, run” approach. The FinOps Foundation has personally helped me connect with many other practitioners that are very mature in Cloud Financial Management process and allowed me to bring best practices and automation ideas back to Pearson to implement,” said Ashley Hromatko, senior cloud FinOps manager, Pearson.


About the FinOps Foundation

The FinOps Foundation (F2) is a nonprofit trade association made up of FinOps practitioners around the world. Grounded in real world stories, expertise and inspiration for and by FinOps practitioners, the F2 is focused on codifying and promoting cloud financial management best practices and standards to help community members and their teams become better at cloud financial management. For more information or to join, please visit:

About the Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 1,500 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more.  The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at



The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: Linux is a registered trademark of Linus Torvalds.

Media Contact
Jennifer Cloer
reTHINKit Media

The post The Linux Foundation Brings Together IT and Finance Teams to Advance Cloud Financial Management and Education appeared first on The Linux Foundation.

SODA Foundation Gains New Investments, Expands Charter to Address Increasing Need for Data Autonomy

Mon, 06/29/2020 - 22:30
  • China Unicom, Fujitsu, Huawei, NTT Communications and Toyota Motor Corporation lead list of participants advancing open source software and standards for data mobility and autonomy
  • China Unicom contributes its S3-compatible object storage YIG project
  • Foundation releases Faroe, the 1.0 version of its Open Data Framework software for cloud native and more

SAN FRANCISCO, Calif., June 29, 2020 – The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced the SODA Foundation, previously OpenSDS, is expanding to include both open source software and standards to support the increasing need for data autonomy. SODA Foundation hosts an open source, unified and autonomous data management framework for data mobility from edge to core to cloud.


Premier members include China Unicom, Fujitsu, Huawei, NTT Communications and Toyota Motor Corporation. Other members include China Construction Bank Fintech, Click2Cloud, GMO Pepabo, IIJ, MayaData, LinBit, Scality, Sony, Wipro and Yahoo Japan.


As part of the expansion, China Unicom is contributing its S3-compatible object storage YIG project to the SODA Foundation. YIG is the first in a line of projects that are joining the Foundation through the SODA Incubator program designed to foster an ecosystem of data and storage projects by supporting their growth through community outreach, collaboration and adoption.


The SODA Foundation today is also announcing the release of Faroe, the 1.0 version of its Open Data Framework software for cloud native and more. With support for block, file, and object storage, multi cloud data control, telemetry and resource management across heterogeneous storage, Faroe eliminates data silos, delivers integrated data management and enables seamless data mobility between on-premise and multicloud. Faroe also includes Container Storage Interface (CSI) storage plug-and-play as an experimental feature that simplifies Kubernetes storage management by abstracting CSI storage with SODA.


“Providing a neutral forum where both vendors and end users can contribute to building and integrating data management solutions for mobility and autonomy is our goal,” said Steven Tan, chairman, SODA Foundation and VP & CTO of Cloud Solution at Futurewei. “These new investments and our expanding scope will help us support a growing community of open source data professionals who are pushing the envelope on these technologies.”

As data moves between the cloud, on premise and, increasingly, the edge, data management is becoming more complex. The increasing number of technologies supporting data management has created even more difficulty, including unintentional silos for data storage. At a time when data mobility and autonomy are more important than ever, it’s critical that we simplify management, unify storage pools and provide a vendor-neutral forum and platform that can accelerate innovation for end users. SODA Foundation seeks to reduce silos by integrating efforts across platforms for overall data mobility and autonomy.

“With data privacy and treatment at the top of every company’s priority list, the SODA Foundation serves an important role across industries,” said Mike Dolan, senior vice president and GM of projects at the Linux Foundation. “With new membership commitments, from vendors and end users alike, and an expanded scope to integrate software and standards, we believe this community will have an incredible impact in the coming months and years.”

For more information about the SODA Foundation, please visit:

Member Statements

China Construction Bank Fintech
“CCB Fintech is a financial technology subsidiary of China Construction Bank. We are always interested in the open source community contribution and it’s our honor to join SODA. Glad to see its breakthroughs in multi-cloud environments and heterogeneous storage management. We will work with SODA to solve the container storage management challenges in cloud-native scenarios from now on. Hope to see more pioneers of the financial industry join SODA and join us to improve the innovation and development of open source technology in the global financial area,” said CCB Fintech Technology Platform Department General Manager Zhan Shu.

China Unicom
“It’s a great honor for China Unicom Wo Cloud to join the SODA community. We think the openness of the SODA project is great. In fact, we have been very active in this project in the previous year. We contributed the core code of our object storage project named YIG to the community. On Wo Cloud Summit 2019, we have witnessed the launch of SODA in China with many other partners. In the future, we will bring more friends into this community and make more innovations together,” said Zhong Xin, CTO, China Unicom Wo Cloud.

“FUJITSU LIMITED has been supporting society as an IT company. Over the years, we have been providing comprehensive storage solutions. Now, as we are transforming into a DX company, we are looking to support our customers to transform their business model and to help them to create new businesses by modernizing systems and leveraging cloud native technologies. SODA is a powerful solution for simplifying storage management that has been very complex for many years, and enabling ties to the cloud. FUJITSU believes that SODA will accelerate the accomplishment of its mission and has been contributing to the ecosystem since OpenSDS, the direct predecessor of SODA,” said Shinya Hamano, manager, development department, infrastructure software division, Fujitsu.

“Managing the data coming from heterogeneous sources and formats is an interesting problem along with the regulatory requirements. SODA foundation attempts to address these challenges in an open manner which would help companies build reliable AI enabled solutions,” said Rakesh Jain, SODA Foundation board member and Researcher & Architect at IBM Corporation.

NTT Communications
“Storage silos in our services make a barrier among customers and the services. The barriers like individual storage software/API have hindered not only us from managing our services, but also customers from utilizing their data across the services. We’re expecting SODA to help service providers and customers overcome the barrier by using an open data management platform,” said Kei Kusunoki, Storage Architect, Innovation Center, NTT Communications.

“Scality supports SODA Foundation because we share the belief that data proliferation has a huge impact on data management challenges. Organizations are increasingly leveraging the benefits of hybrid cloud, which brings new challenges that demand proven solutions to store, govern and orchestrate massive volumes of data across geographies and clouds. We believe that collaborating with the open source community is vitally important as the velocity of change demands faster, better delivery of solutions,” said Paul Speciale, Chief Product Officer, Scality.

“As a cold data archive system provider, we are excited about joining the SODA. We have just released the third generation of Optical Disc Archive, and we believe that integrating it into the SODA system will provide more diverse and rich value to this community and its customers. We are looking forward to collaborating with other SODA members to create a full data lifecycle management platform in the aim of solving data/storage management challenges,” said Mikio Kita, VP, Sony Corporation, Senior General Manager of Media Solution Business Div. Sony Imaging Products & Solutions Inc.

Toyota Motor Corporation
“Connected vehicles on a street would generate significant volume of data, and they are widely spread in many locations. Managing those data and data storage is going to be a key challenge for us to get a variety of benefits from those data,” said Kenichi Murata, Project General Manager of Connected Strategy, Toyota Motor Corporation. “We expect that SODA Foundation would be the best place to seek the solution of our future issues, and we would be happy to collaborate in the Foundation with many people who have the same issues.”

“Wipro is proud of its association with the SODA foundation. Our passion for latest technology, and access to a diverse ecosystem to deliver value to our customers has been the foundation for Wipro’s EngineeringNXT offerings. Driven by our deep domain expertise in Data management and storage across industries, Wipro understands and supports the need for open standards in data management for advanced storage solutions. Being part of the SODA foundation will not only enable us to innovate in this space and deliver cloud-and-vendor agnostic solutions for hybrid cloud data management, but also give us a platform to connect and collaborate with like-minded members for thought leadership and industry best practices,” said Supriyo Das, Vice President, Industrial & Engineering Services (I&ES)

Yahoo Japan
“As our services continue to grow, data is getting bigger day by day. We are facing the challenge of managing storage systems more efficiently. We strongly endorse the purpose of SODA to provide a standardized API between multiple storage backends and multiple cloud systems. We believe that SODA can help reduce storage complexity,” said Yusuke Sato, Storage Architect, Yahoo! JAPAN.

About the Linux Foundation
Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: Linux is a registered trademark of Linus Torvalds.

Media Contact
Jennifer Cloer
