Lightbend Changes Licensing Model for Akka Amid Accusations of 'Cakeism'

Lightbend, the company behind the Scala JVM language and developer of the Reactive Platform, is changing the license on its Akka technology from Apache 2.0 to the BSL v1.1 (Business Source License), starting with Akka v2.7, which is set for release in October.

Under the new licensing model, companies with an annual income of less than $25m will not be required to pay license fees for production usage of Akka, though a $0 commercial license must still be granted by Lightbend, the company says. Organizations with annual revenue exceeding $25m will be required to pay for a license plus a subscription for production usage. Back-porting of any software released under the new license is not permitted.

Previously available via an open-core license, Akka is a toolkit for building highly concurrent, distributed, and resilient message-driven applications for Java and Scala. Akka has spread far and wide since Swedish programmer Jonas Bonér (now the company's CEO) pushed out the first public release back in 2009. The company now includes some big names on its Akka user list, including Apple, Disney, GM, HPE, Norwegian Cruise Lines, Starbucks, and Tesla.

More than a few in the open-source community were not happy to hear about this decision. When the licensing change was announced, accusations of "cakeism" began appearing on social media (as in, "they want to have their cake and eat it, too"), along with assertions that this and other companies implementing similar license adjustments could no longer claim to be true open-source vendors.  

But this seems to have been a pragmatic decision by the company to address an existential moment for this enormously popular project that goes beyond ideology.

"We have decided to change Akka’s license to ensure a healthy balance between all parties, shared responsibility, and, by extension, contribute to Akka’s future development," Bonér said in a blog post. "This will enable Akka to remain at the forefront of building innovative solutions that are used by many globally recognized brands to build and run some of their most business-critical applications."

I talked with Lightbend EVP Brad Murdoch about the new licensing scheme. "Akka is an old project by open-source standards," he told me. "More and more organizations have gotten very comfortable with the idea that they can use this infrastructure and just not pay anything for it. We've had an open-core model and we've generated revenue by adding commercial software and services around the core product, but we've reached a point where there's too great a mismatch between the importance of the software and the users' willingness to invest in it."

The BSL was developed by the creators of the MariaDB relational database management system, David Axmark and Michael Widenius, to provide a "mutually beneficial balance between the user benefits of true Open Source software that is free of cost and provides open access to all of the product code for modification, distribution, etc., and the sustainability needs of software developers to continue delivering product innovation and maintenance," the company's website reads.

As Lightbend is implementing it, the BSL unfolds in two stages:

  1. Commercial: Software is viewable (source available), downloadable, and usable in non-production environments. Production usage requires a software license from Lightbend.
  2. Open-source: After three years, the source for that version will be released under the current Apache 2.0 license. A customizable "additional use grant" is also available, which allows usage for other open-source software (such as Lightbend's Play Framework).

The Apache 2.0 license is a "permissive" (as opposed to "copyleft") open-source license written by the Apache Software Foundation. It allows licensees to use the software for any purpose, distribute it, modify it, and distribute modified versions of it under the terms of the license, without paying royalties.

Lightbend has been briefing its customers quietly about the new licensing plan for a few weeks, and Murdoch says the feedback has been "pretty balanced."

"There have been people who are up in arms, calling us a traitor to open-source," he said. "But there are others who recognize that there will be no Akka without engineers to pay to work on it, because it doesn't just happen magically."

"There has to be a model for sustainable open-source, and whether this is the right one or not, I can't speak for the industry," he added. "But we had to find a model that allowed us to monetize the software that people are using to run the world. We want to be able to invest in the future of Akka, and we looked at a number of different licenses, and the BSL fit the situation best."

Posted by John K. Waters on September 8, 2022 at 1:18 PM

Microsoft Amps up its Support for Java Developers with a New Website

Microsoft today announced the launch of a new website designed to provide Java developers with a new level of support in the form of tools and resources that enable them to code, deploy, and scale their apps more productively.

The website is another brick in the foundation of support for Java developers that Microsoft has been building over the last couple of years (which my colleague, David Ramel, has been tracking quite diligently in Visual Studio Magazine). The new site is chock-a-block (pun intended) with content and links to technical documentation, learning paths, and on-demand videos from Microsoft conferences and its Java Cloud Developer Advocacy team.

The list of resources provided by the site includes:

  • Documentation, videos, and samples designed to help Java developers build and scale efficiently on Microsoft Azure and other operating systems
  • A PDF that outlines how to code, deploy, and scale Java development meant to empower developers to use any tool, framework, and/or application server on any operating system
  • A white paper that illustrates best practices from Microsoft on how the company itself uses Java, including significant parts of its business.

"Many people are surprised to learn that we’re using Java to run significant parts of Microsoft," wrote Julia Liuson, President of Microsoft's Developer Division, in a blog post, "and to empower thousands of customers to do the same."

Liuson pointed out that Bing, Microsoft’s web search engine, which also powers the search feature in the Windows Start menu, uses Java to perform indexing-related functions. She also cited Azure’s infrastructure control plane and other divisions, such as LinkedIn, Minecraft, and Yammer, that use Java extensively. And Microsoft has deployed more than two million Java virtual machines (JVMs) for the company's "internal systems and business needs," she said.

As I reported in July, Microsoft joined two working groups in the Eclipse Foundation this year: the Jakarta EE Working Group, which focuses on the overall evolution of enterprise Java, and the MicroProfile Working Group, which focuses on optimizing enterprise Java for a microservices architecture. Microsoft also supports several other Java community organizations, including OpenJDK, Eclipse Adoptium, Jakarta EE, and the venerable Java Community Process. And in 2019, it acquired leading Java app optimizer jClarity.

Redmond has partnered with a truly impressive number of leading vendors in the Java ecosystem. Azure Spring Apps, for example, was developed jointly with Pivotal/VMware to provide native integrations with third-party application performance monitoring (APM) tools from New Relic, AppDynamics, Dynatrace, and Elastic. Microsoft's list of jointly developed solutions also includes Red Hat JBoss EAP on Azure App Service; WebSphere Application Server, WebSphere Liberty, and Open Liberty on Azure; Oracle WebLogic Server on Azure VMs and Azure Kubernetes Service; and Apache Kafka for Confluent Cloud. The company has also attracted marquee names to Java on its Azure cloud platform, including Adobe, AIA, Bosch, Daimler, FedEx, J.B. Hunt, Kroger, Maersk, Mercedes Benz, and Swiss Re.

The new website also links to an ebook entitled Code, Deploy, And Scale Java Your Way: Empowered Java Application Development in The Cloud. It's about building, migrating, and scaling Java apps on Azure. In the foreword, the author, Asir Selvasingh, a Principal Architect for Java on Microsoft Azure, writes: "I have witnessed Microsoft’s commitment to the Java ecosystem from the first row consistently for many years now…. Today, more and more Java developers are looking at how they can bring their existing Java applications to the cloud, or at how to build new cloud-native applications. This e-book covers the entire journey for developers and operators to code, deploy, and scale with confidence." (The author is worth following on Twitter.)

Another ebook linked to the site, How Microsoft Applies Java: The Inside Story, was written by Bruno Borges, Principal PM Manager in Microsoft's Java Engineering Group, and Theresa Nguyen, Senior Product Manager in that group. It's a great timeline of Microsoft's evolution from days of the Holy War on Anything Not .NET or Windows to its all-in embrace of open-source technologies.

Microsoft's commitment to Java has been real for some time, so that's not actually news, but I do think this latest step in the company's evolving investment in Java is worth reporting—and for you Java jocks out there, the website is worth a look.


Posted by John K. Waters on August 30, 2022 at 5:12 PM

Survey Says: 'Python Going Through the Roof'

I haven't reported on the TIOBE Index in a while, but that headline is a real attention grabber. Since 2001, TIOBE Software has published the results of its monthly search for the languages in which the most lines of code were written. And year after year, Java and C++ have topped the list—but not always, and when they don't, obituaries for these two venerable languages spread like crabgrass.

Which is crazy. The enterprise is effectively running on Java, and… okay, C++ is pretty long in the tooth, but it's been around for 40-plus years, which means, currently generating new lines of code or not, there are millions of programs out there written in C++.

And the rising popularity of Python is not exactly news. It's an interpreted, high-level, general-purpose programming language that's easy to learn, so it's the go-to language taught in beginning computer programming courses in high school. And its readability, extensibility, and maintainability have made it a popular second or third language for the pros.

But it is worth noting that Python ranked No. 1 in the TIOBE Index for August with an all-time high of 15.42%. Paul Jansen, CEO of TIOBE Software, has described Python as "unstoppable."

"It is hard to find a field of programming in which Python is not used extensively nowadays," Jansen wrote in the intro to the latest index. "The only exception is (safety-critical) embedded systems, because of Python being dynamically typed and too slow."

In a previous posting, Jansen offered his theory about the spread of Python. "I believe that Python's popularity has to do with general demand," he wrote. "In the past, most programming activities were performed by software engineers. But programming skills are needed everywhere nowadays and there is a lack of good software developers. As a consequence, we need something simple that can be handled by non-software engineers, something easy to learn with fast edit cycles and smooth deployment. Python meets all these needs."

The TIOBE Index ratings are based on the number of skilled engineers worldwide, language courses, and third-party vendors, the company says. TIOBE uses 25 search engines to collect key words from the highest ranked websites of Web traffic monitor Alexa and calculates the most lines of code written in a given month to determine its percentage share of developers' attention. Google, Bing, Yahoo!, Wikipedia, Amazon, YouTube, and Baidu are all used to calculate the ratings.

Since the last TIOBE Index posting, Swift and PHP swapped places at No. 10, Rust is getting close to the top 20, and Kotlin returns to the top 30. Google's new experimental replacement for C++, called Carbon, entered the TIOBE Index at No. 192. C came in behind Python at 14.59%, up 2.03%. It was followed by Java at 12.40%, up 1.96%, C++ at 10.17%, up 2.81%, and C# at 5.59%, up 0.45%.

I do think the Index can be useful if you want to get a quick read on whether your programming skills are still up to date, and if you look at a few of them (the company publishes old ratings) they might help with a strategic decision about which programming language should be adopted when starting to build a new software system.

A detailed definition of the TIOBE Index can be found here.


Posted by John K. Waters on August 24, 2022 at 9:40 AM

Spring Authorization Server Set for November GA

The Spring Security team says it will release version 1.0 of its long-in-the-works Spring Authorization Server in November of this year.

The new authorization framework, which was announced in April 2020, provides implementations of the OAuth 2.1 and OpenID Connect 1.0 specifications and other related specs. It's built on top of Spring Security, which is a highly customizable authentication and access-control framework. The result, say the project's leaders, is a secure, light-weight, and customizable foundation for building OpenID Connect 1.0 Identity Providers and OAuth2 Authorization Server products.

This version of the framework will come with a full feature set (it's a long list), and the APIs have stabilized and matured since the project was launched, said Joe Grandja, Spring Security senior engineer, in a blog post. "A lot of effort and care was put into this project to ensure that it can grow and adapt over the next few years," he wrote.

Spring Authorization Server 1.0 will be based on Spring Security 6.0, which will be based on Spring Framework 6.0 (it takes a village). It will require a minimum of Java 17 at runtime, as well as a minimum of Tomcat 10 or Jetty 11 (for Jakarta EE 9 compatibility). Also, this release will inherit the VMware Tanzu OSS support policy. Commercial support, which offers an extended support period, is also available from VMware.

When the project was first announced, the team was careful to give credit where credit was due regarding the projects Spring Authorization Server would effectively be replacing:

"Almost a decade ago, we brought in a community-driven, open-source project, Spring Security OAuth, and made it part of the Spring portfolio of projects," Rob Winch, Spring Security project lead, wrote in a blog post at the time. "Since its inception, it has evolved into a mature project that supports a large portion of the OAuth specification, including resource servers, clients, login, and the authorization server. It is no wonder that it has become the basis for UAA, which, among other things, acts as the identity management service for all Cloud Foundry installations. The Spring Security OAuth project has become a model project and is a testament to what our wonderful community can accomplish."

The need for the new framework emerged gradually. As Winch explained, the original support for the OAuth open-standard authorization protocol was provided very early, and the team could not have anticipated the myriad ways in which it would need to be used. With the new framework, the team was able to address the needs of the entire Spring portfolio and provide a single cohesive OAuth library, Winch explained.

The Spring Security team has posted the release schedule for the Spring Authorization Server on GitHub.

"Over the next couple of months, we will focus on fine-tuning the public APIs and enhancing the configuration model to allow for easier configuration and greater extensibility," Grandja said. "We will also make some minor API changes, resulting in breaking changes, which may require updates to consuming applications."

The Spring Framework continues to be one of the most popular programming and configuration models for building modern Java-based enterprise applications on any type of deployment platform. It's an open-source, layered Java/J2EE framework based on code published in SpringSource founder Rod Johnson's book Expert One-on-One Java EE Design and Development (Wrox Press, October 2002).

Posted by John K. Waters on August 22, 2022 at 9:45 PM

Microsoft Joins Eclipse Jakarta EE and MicroProfile Working Groups

Microsoft boosted its support for Java developers yet again this week by expanding its participation in the Eclipse Foundation to include memberships in two working groups: the Jakarta EE Working Group, which focuses on the overall evolution of enterprise Java, and the MicroProfile Working Group, which focuses on optimizing enterprise Java for a microservices architecture.

"Our goal is to help advance these technologies to deliver better outcomes for our Java customers and the broader community," said Julia Liuson, president of Microsoft's Developer Division, in a blog post. "We’re committed to the health and well-being of the vibrant Java ecosystem, including Spring (Spring utilizes several key Jakarta EE technologies)."

Joining these working groups complements the company's participation in the Java Community Process (JCP) "to help advance Java SE," Liuson said, adding, "We believe our experience with running Java workloads in the cloud will be valuable to the working groups, and we look forward to building a strong future for Java together with our customers, partners, and the community."

Eclipse working groups provide the governance structure for Eclipse projects, making it possible for organizations—even competitors—to collaborate on new technology development. The working groups provide a set of basic services, including intellectual property management and licensing, development processes, IT infrastructure, and ecosystem development.

Microsoft has been a member of the Eclipse Foundation since 2016, when it joined as a Solutions Member. The company became a Strategic Member in 2021. Among other privileges, Strategic Members have a seat on the foundation's board of directors, its architecture council, and expanded board voting rights on key aspects of the Eclipse ecosystem, including licensing, governing policy development, and amendments to membership agreements and bylaws.

"Microsoft has warmly embraced all things Java across its product and service portfolio, particularly Azure," said the foundation's executive director, Mike Milinkovich, in a statement. "Its enterprise customers can be confident that they will be actively participating in the further evolution of the Jakarta EE specifications, which are defining enterprise Java for today's cloud-native world."

Microsoft has been investing in its support for Java and related technologies for a number of years, including Jakarta EE, MicroProfile, and Spring technologies on Azure in collaboration with its strategic partners. With Red Hat, for example, the company built a managed service for JBoss EAP on the Azure App Service, Liuson noted. Redmond is also collaborating with Red Hat to enable solutions for JBoss EAP on Virtual Machines (VMs) and Azure Red Hat OpenShift (ARO). Working with VMware, Microsoft jointly develops and supports Azure Spring Apps, a fully managed service for Spring Boot applications. And with Oracle and IBM, the company has been building solutions for customers to run WebLogic and WebSphere Liberty/Open Liberty on VMs, Azure Kubernetes Service, and ARO (WebSphere).

"It is great to see Microsoft officially join both MicroProfile and Jakarta EE, as they'd been informally involved in these efforts for a long time," said Mark Little, vice president of the Software Engineering group at Red Hat, in a statement. "I hope to see Microsoft's participation bring experience from their many users and partners who have developed and deployed enterprise Java applications on Azure for several years."

The Eclipse Foundation announced the release of the first Jakarta EE specification in August 2019, almost exactly two years after Oracle declared its intention to transfer the responsibility for enterprise Java to that open-source standards organization.

Posted by John K. Waters on July 14, 2022 at 11:35 AM

Fifth Annual Call for Code Challenges Devs to Use their Powers for Good

Organizers of the fifth annual Call for Code Global Challenge have launched their annual invitation to software developers from around the world to create open-source solutions that accelerate sustainability and combat climate change.

Given the growing animus toward so-called Big Tech in some quarters and what I think can fairly be described as generalized opposition to technological innovation, it’s never been more important to remind the world that tech can be an incredibly powerful force for good. The annual Call for Code has grown since the first challenge was announced to become one of the world’s largest “tech for good” programs. It now attracts developers from 180 countries responding to this clarion call to use advanced technologies to design cutting-edge open source-powered hybrid cloud and AI solutions that can tackle the world’s most pressing societal issues.

There’s a refreshing idealism in this program. Call for Code participants are invited to identify the particular sustainability issue they want to solve, form a team, and start building by registering on the new Global Challenge resource site hosted by BeMyApp. Once they’ve registered, participants will be able to attend Challenge Accelerator events to help fast-track their projects, learn from subject matter experts, access exclusive skills-building materials, and use exclusive toolkits, APIs, and data sets from The Weather Company and participating IBM Ecosystem partners.

But that idealism is undergirded by a pragmatic understanding that we need technology to address problems that are having a global impact. Ruth O. Davis, director of the Call for Code Challenge in IBM’s Worldwide Ecosystems group, put it succinctly in a press release: “Technology is the catalyst for scaling solutions to global problems,” she said, “from climate change to humanitarian issues, and even the global pandemic.”

“Of course, the people who participate in the Challenge are idealists in some ways,” Davis told me in an interview. “They’re very passionate about what they’re doing and want what they’re doing to make a difference. But they also know they need resources to make that happen.”

The awards to the winners of this year’s competition are commensurate with the stakes (you know, saving the world). The Grand Prize is $200,000 plus solution implementation support from IBM Ecosystem partners. First runner up gets $25,000, and third and fourth runners up get $10,000. It’s big money focused on solving big problems.

But even those participants who don’t manage to nab the brass ring have access to some incredible resources while they develop their ideas. They get a trial IBM Cloud account for 2022 that provides access to many free services without a credit card, including the ability to create Kubernetes clusters. They have access to toolkits, APIs, and data sets from Call for Code sponsors. And there are expert webinars, skill-building plans, and even mentors available.

Among the most exciting components of this program are the Challenge Accelerator events. Each Accelerator is a roughly two-week competition designed to help fast-track participants’ projects towards submission to the Global Challenge. (Global Challenge submission is not required.) Each participant builds a project to address a specific and targeted use case under the theme of “Sustainability.” Each Accelerator is different; some may include technical workshops, mentoring, and additional educational content. And participants may be eligible for additional prizes.

College students will also have the opportunity to compete for the University Prize in a program created by IBM and the Clinton Global Initiative University. In 2021, more than 90,000 students across hundreds of universities around the world surpassed the program goal by nine times, the organizers said. 

David Clark, the CEO of David Clark Cause, is the original Call for Code organizer. He founded the program in 2018, and launched it with IBM, the United Nations Human Rights group, and the Linux Foundation. The list of organizations supporting Call for Code this year includes: Arrow Electronics, Clinton Foundation and Clinton Global Initiative University, Clemson University, Esri, EY, Ingram Micro, Intuit, the Linux Foundation, Morgan Stanley, New Relic, Persistent Systems, Teach For All, United Nations Human Rights, and United Nations Office for Disaster Risk Reduction, among others.

It's worth noting, too, that Call for Code has been selected as the preferred innovation platform of the Right Here, Right Now Global Climate Alliance, one of the largest public/private climate partnerships in the world. 

Solutions can be submitted to this year’s event any time before the deadline of October 31, 2022. You don’t need to be on an existing team to participate. The organizers will be hosting a team building session to help participants form and build teams.

Must-read information about Call for Code winners is available here.

Posted by John K. Waters on May 16, 2022 at 11:15 AM

Why Should You Care About JDK 18?

The latest update of the Java Development Kit (JDK 18) goes GA next week, and though it's not a Long-Term Support (LTS) release, it does implement nine JEPs (listed here). And while it's probably also true that your organization is going to want you to wait for the LTS coming in September 2023 (JDK 21), the JEPs implemented in this release are worth a look.

I joined a Zoom presser this week with two Java mavens, Simon Ritter and Steve Poole, to talk about the latest incarnation of the JDK and what it brings to developers.

Ritter is the Deputy CTO of Azul Systems, one of the leading open-source Java development tools and runtimes providers. He's a former Head of Java Technology Evangelism at Oracle, and he's a Java champion who's been working with the language and platform for more than two decades—all the way back to his days at Sun Microsystems.

Ritter said the very fact that this release isn't a headline grabber is a demonstration that Oracle's decision to provide JDK updates on a six-month release cadence is working.

"It's a time-based release model, rather than a feature-based release model," he said. "It doesn't mean that, since JDK 17, we've had six months of development and the people at Oracle and the rest of the contributors to the JDK haven't really been very busy. They've all been getting on with things. It's just that certain features haven't got to the point where they're ready for inclusion in the JDK in this six-month cycle."

Ritter pointed to Foreign Function & Memory API (JEP 419) as one of the more important JEPs implemented in this release, because it's one of those incubated components being included in Project Panama. Those following this years-long project will know that Panama is about simplifying the process of connecting Java programs to non-Java components. This particular feature, in its second incubation iteration, introduces an API through which Java programs call native libraries and process native data without the brittleness and danger of the Java Native Interface (JNI).

"This is a big thing because it's part of Project Panama," Ritter explained. "But also, because replacing the JNI is one of those features that will really help us as Java developers, because there are lots of libraries out there not written in Java—important things, like machine learning, for example."

Poole agreed that the JNI has been the Achilles' heel of Java ever since it was created. And he should know: He was there when it happened.

Currently a developer advocate at Sonatype, a leader in the DevSecOps and repository management space, Poole has been working on Java software development kits and JVMs for 25 years—since the dawn of Java, you could say. He has also been a developer advocate at Red Hat and IBM, as well as a member of the AdoptOpenJDK group, which is now the Eclipse Adoptium project, championing community involvement in OpenJDK.

"The JNI was deliberately created to be complicated," Poole said. "But you have to look at it in context. When Java came out, there was all this legacy code people wanted to connect to. But at the time, we did not want to encourage developers to use dated languages and propagate those environments. So that's the history, but since then, Sun, IBM, Oracle, and others have spent years experimenting with different ways of getting around this JNI thing. And we have to do it. If you look at, say, Python; it can call native code really, really easily. And that makes it very valuable. I would love to see this all finally hit the streets as a good solid practical API, because it's way overdue."

The only JEP implemented in this release that actually impacts the Java language is Pattern Matching for switch (JEP 420), which was first previewed in Java 17 (this is the second preview). Its purpose is to "enhance the Java programming language with pattern matching for switch expressions and statements, along with extensions to the language of patterns."

"We've seen in the last couple of iterations of the platform the introduction of much more pattern matching," Ritter said. "We're going to have pattern matching for records and arrays, and I'm sure there will be other situations where we'll use pattern matching. This is one of those things that, again, is really helping developers, because it takes some of those rough edges off the language and eliminates boilerplate code."

JEP 420 is another example of an incubated component that's part of a larger project, in this case Project Amber, which aims to bring features to the language that can make writing Java code more readable and concise, and target specific use cases such as using generic enums or data classes.

"It's those little steps that are keeping things moving along quite nicely," Ritter said.
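To show what JEP 420 removes, here is an added example (not from the page or the JDK) that writes the same dispatch twice: once as the pre-JEP 420 instanceof-and-cast chain, once as a pattern switch. The Event hierarchy, the lockout threshold, and the sample events are all constructed for this example.

```java
// Java 18 preview feature (JEP 420). Compile and run with:
//   javac --enable-preview --release 18 PatternSwitchDemo.java
//   java --enable-preview PatternSwitchDemo
// The Event hierarchy is constructed for this example and is not from the page.
sealed interface Event permits Login, Failure, Logout {}
record Login(String user, String sourceIp) implements Event {}
record Failure(String user, int attempts) implements Event {}
record Logout(String user) implements Event {}

public final class PatternSwitchDemo {
    // Before JEP 420: an instanceof chain with a cast in every branch, plus a
    // hand-written null check. A new Event subtype would silently fall through.
    static String describeClassic(Event e) {
        if (e == null) {
            return "no event";
        }
        if (e instanceof Login) {
            Login l = (Login) e;
            return "login " + l.user() + " from " + l.sourceIp();
        }
        if (e instanceof Failure) {
            Failure f = (Failure) e;
            return f.attempts() > 3 ? "lockout candidate " + f.user()
                                    : "failed login " + f.user();
        }
        if (e instanceof Logout) {
            return "logout " + ((Logout) e).user();
        }
        return "unknown event";
    }

    // With JEP 420: type patterns bind the variable, a guarded pattern
    // ('&&' in this preview; later releases spell it 'when') expresses the
    // threshold, 'case null' replaces the separate null check, and because
    // Event is sealed the switch is exhaustive: forgetting a subtype is a
    // compile-time error rather than a silent fall-through.
    static String describe(Event e) {
        return switch (e) {
            case null -> "no event";
            case Login l -> "login " + l.user() + " from " + l.sourceIp();
            case Failure f && f.attempts() > 3 -> "lockout candidate " + f.user();
            case Failure f -> "failed login " + f.user();
            case Logout x -> "logout " + x.user();
        };
    }

    public static void main(String[] args) {
        // Constructed sample events; the null entry exercises the null case.
        Event[] sample = {
            new Login("alice", "10.0.0.5"),
            new Failure("bob", 5),
            new Failure("carol", 1),
            new Logout("alice"),
            null
        };
        for (Event e : sample) {
            String classic = describeClassic(e);
            String modern = describe(e);
            System.out.println(classic
                + (classic.equals(modern) ? "" : "  (mismatch: " + modern + ")"));
        }
    }
}
```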

They both also pointed to JEP 421: Deprecate Finalization for Removal, which deprecates finalization for removal in a future release. Although the feature remains enabled by default for now, it can be disabled to facilitate early testing.

Finalization is a method used to perform cleanup operations on unmanaged resources held by the current object before the object is destroyed. It allows Java developers to perform "postmortem" cleanup on objects that the garbage collector has found to be unreachable. It has typically been used to reclaim native resources associated with an object.

"Let's be honest," Poole said, "two things were hacked into Java—and I do use the word 'hacked'—way back at the very beginning. One was serialization; the other was finalization. And again, finalization was added because, at the time, there were lots of resources that were in, say, C code, or database handles, and there needed to be a way to explicitly tell databases to close their resources or whatever. And we wanted to do it when Java objects were no longer needed when they were being destroyed. Also, it wasn't specified. The behavior was completely VM-specific, GC-specific, and what threading model you have—so it's a complete nightmare. Now it's finally being deprecated, and I really, really hope that by now there's nothing out there that relies on finalization, because that would be a very bad thing."
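To make the finalization point concrete, here is an added example (not from the page or the JDK) that contrasts a wrapper whose only cleanup is a finalizer with one that releases its handle through try-with-resources. NativeHandle, FinalizerBacked and ManagedHandle are hypothetical names, and the static counter stands in for a native handle table; the `--finalization=disabled` option is the one JEP 421 introduces.

```java
import java.util.concurrent.atomic.AtomicInteger;

// Hypothetical stand-in for a native resource (a C handle or database
// connection, as in the text). The counter records handles still open.
final class NativeHandle {
    static final AtomicInteger OPEN = new AtomicInteger();
    private boolean released;

    NativeHandle() {
        OPEN.incrementAndGet();
    }

    void release() {
        if (!released) {
            released = true;
            OPEN.decrementAndGet();
        }
    }
}

// The pattern JEP 421 deprecates: cleanup lives in finalize(), so it runs only
// if and when the garbage collector decides to collect this wrapper, on a
// VM-chosen thread, and never at all under 'java --finalization=disabled'.
final class FinalizerBacked {
    private final NativeHandle handle = new NativeHandle();

    @Override
    @SuppressWarnings({"deprecation", "removal"})
    protected void finalize() {
        handle.release();
    }
}

// The replacement: the owner releases the handle itself, so the release point
// is deterministic and independent of GC timing or finalization settings.
final class ManagedHandle implements AutoCloseable {
    private final NativeHandle handle = new NativeHandle();

    @Override
    public void close() {
        handle.release();
    }
}

public final class FinalizationDemo {
    // Allocates n finalizer-backed wrappers and drops them; returns how many
    // handles that left open (n: nothing has released them at this point).
    static int leakViaFinalizer(int n) {
        int before = NativeHandle.OPEN.get();
        for (int i = 0; i < n; i++) {
            new FinalizerBacked();
        }
        return NativeHandle.OPEN.get() - before;
    }

    // Opens n handles inside try-with-resources; returns how many are left
    // open afterwards (0: close() ran at the end of every block).
    static int releaseDeterministically(int n) {
        int before = NativeHandle.OPEN.get();
        for (int i = 0; i < n; i++) {
            try (ManagedHandle h = new ManagedHandle()) {
                // work with the handle here
            }
        }
        return NativeHandle.OPEN.get() - before;
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("left open by finalizer-backed wrappers: " + leakViaFinalizer(3));
        // System.gc() is only a hint: the finalizers may run now, later, or never,
        // which is exactly the unspecified behaviour the text complains about.
        System.gc();
        Thread.sleep(100);
        System.out.println("still open after a GC hint: " + NativeHandle.OPEN.get());
        System.out.println("left open by try-with-resources: " + releaseDeterministically(3));
    }
}
```

Run it twice, once plainly and once with `java --finalization=disabled FinalizationDemo`, to see the first counter stay at 3 regardless of GC while the try-with-resources path reports 0 both times.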

Both Poole and Ritter expect few people to use JDK 18 in production, because it's not an LTS release. The JDK 17 LTS release was much more significant, so there was something of a surge in the uptake of that release. Also, Oracle announced last year that it would begin providing an LTS every two years instead of every three, which means the next LTS release (JDK 21) will ship in September 2023.

"For this release," Poole said, "mostly we'll see people kicking the tires."

Posted by John K. Waters on March 16, 2022 at 3:41 PM

Open Source Security Foundation Grows After White House Summit

It's less than two years old, but the Open Source Security Foundation (OpenSSF), a cross-industry group hosted at the Linux Foundation, is attracting an impressive (and growing) roster of members signing up to pitch in on efforts to identify and fix security vulnerabilities in open-source software (OSS), while improving everything from tooling and training to research and vulnerability disclosure practices.

This week, the OpenSSF announced that 19 new organizations have joined that effort, including Citi, Huawei Technologies, Spotify, Alibaba Cloud, and JFrog, bringing the total current membership (by my count) to 60. They're joining a group that already includes Google, Microsoft, AWS, Meta, Cisco, GitHub, Intel, Red Hat, and Snyk. (A complete list of members is available here.)

"The importance of open-source software security is well recognized by the customer, industry, and government," said Dr. Kai Chen, chief security strategist at Huawei, a new Premium Member of the OpenSSF, in a statement. "It is time for the community to take strategic, continuous, effective, and efficient actions to advance the open-source software security posture…."

The foundation's expanding membership represents what the OpenSSF calls "cross-industry momentum," spurred at least in part by the White House Open Source Security Summit in January. The OpenSSF was there, representing hundreds of communities and projects by highlighting collective cybersecurity efforts and sharing their desire to work with the administration across public and private sectors.

Brian Behlendorf, executive director at OpenSSF, was optimistic about that meeting when I talked with him last week. He said the participants from the administration were well informed on the topic.

"They asked good questions, and we tried to make the point that the government is a major user of open-source software," he told me. "And consequently, has a vested interest in improving its consumption of that software. But also, that there are increasing amounts of code being contributed by governments, or by them through contractors, so they're effectively publishers of open-source software, actually a peer in the community. And we talked about what role they should play."

Behlendorf, who assumed his current role in October, is probably best known as a primary developer of the Apache Web Server and a founding member of the Apache Software Foundation. "We're calling this job 'general manager' to de-emphasize that title," he said. "But even that overstates it. Orchestrator, maybe? I'm really more of a circus ringmaster."

The OpenSSF combines the Linux Foundation’s Core Infrastructure Initiative (CII), an effort to improve OSS security in response to the 2014 Heartbleed bug, and the Open Source Security Coalition (OSSC), which was founded by the GitHub Security Lab to build a community to support open-source security for decades to come.

"As all industries increasingly rely upon open-source software to deliver digital experiences, it is our collective responsibility to help maintain a vibrant and secure ecosystem," said Lena Smart, chief information security officer at MongoDB, a new general member of the foundation. "You can have all the tools in the world, but at the end of the day, it is people across multiple organizations around the world working together that will ensure an expansive cybersecurity program…"

Since it was launched in August 2020, the OpenSSF has reached some important milestones across a variety of its technical initiatives, including:

Alpha-Omega Project Launch
The Alpha-Omega Project focuses on improving global OSS supply chain security by working with project maintainers to systematically look for new, as-yet-undiscovered vulnerabilities in open-source code, and get them fixed. The "Alpha" component will work with the maintainers of open-source projects to help them identify and fix security vulnerabilities and to improve their security posture. The "Omega" component aims to identify at least 10,000 widely deployed OSS projects for which it can apply automated security analysis, scoring, and remediation guidance in their open-source maintainer communities. Microsoft and Google are supporting the project with a $5 million investment.

Scorecards Increases Scans to 1 million Projects
Scorecards is an OpenSSF project that helps open-source users understand the risks of the dependencies they consume. GitHub and Google recently announced Scorecards v4, and the project has increased the scale of its scans from 50,000 projects to one million projects identified as most critical based on their number of direct dependencies.

Sigstore Project Gains Momentum
Sigstore is a set of tools for developers, software maintainers, package managers and security experts. A recently released project update reported nearly 500 contributors, more than 3,000 commits, and more than one million entries in Rekor.

Nearly 1,000 Codes for Free MFA Tokens
The Securing Critical Projects Working Group coordinated the distribution of nearly 1,000 codes for free multi-factor authentication (MFA) tokens donated by Google and GitHub to developers of the 100 "most critical" open-source projects. "This is a small but critical step in avoiding supply chain attacks based on stolen credentials of key developers," the foundation said in a press release.

Posted by John K. Waters on March 2, 2022 at 3:41 PM

DevOps Institute Announces New Certifications, Expanded Lineup of 'Educational Experiences'

I recently had a great Tech Talk with Stephen Walters, Solution Architect at xMatters, which was recently acquired by Everbridge ("DevSecOps: Securely Navigating a Shifting Landscape"). Among his other credentials, Stephen is a DevOps Institute Ambassador, so when I saw that the Institute's lineup for 2022 events and webinars included plans for two new DevOps certifications, I just had to pass along the news.

The DevOps Institute is a professional member association and certification authority "for advancing the human elements of DevOps." Basic membership is free, and there's a fee for Premium membership ($199, aimed at full- or part-time employees working in the DevOps field), Enterprise (based on team size), and Government ($99). Lots of goodies here, even for basic members, who get access to the Assessment of DevOps Capabilities (ADOC), the entire library of SKILbooks, the DevOps Institute Career Center, Perks Marketplace, and a 30% discount on exams.

The institute's goal in 2022, according to the announcement, is "to advance the humans of DevOps through skills, knowledge, ideas, and learning," which is the "SKIL Framework."

"In 2022, DevOps Institute continues to lead the charge toward human transformation with an exciting lineup of new and expanded opportunities for DevOps professionals," said Jayne Groll, CEO of DevOps Institute, in a statement. "As we ramp up our education and certification programs, we aim to empower the global member community with the skills and knowledge they need to further their careers and advance the DevOps initiatives at their organizations."

This, of course, is great news for anyone who believes in the potential of the DevOps model, now about 20 years old, and yet still not as fully (or effectively) embraced as it probably should be. You know that thing that has been making it possible for developers to collaborate with operations to deploy software into production faster and with fewer errors? You know.

The list of new certifications the DevOps Institute announced includes:

  • DevSecOps Practitioner is the next level in the DevSecOps certification series. Building on DevSecOps Foundation, the Practitioner certification covers advanced DevSecOps practices and methods, architecture and infrastructure, technical implementation, practical maturity guides, and metrics to deliver better DevSecOps outcomes.
  • DevOps Engineering Foundation explains many aspects of DevOps engineering that leaders and practitioners can execute upon. An engineering approach is critical to DevOps journeys. This certification covers the foundations of knowledge, principles and practices needed to engineer a successful DevOps solution.

Learn more about the Institute's certifications here.

Under the category of "educational experiences," the Institute is adding:

  • SKILup Educational Experiences: IT professionals have always dealt with change, but never at the speed of the current digital transformation. The humans of DevOps are being asked to learn and implement new technologies at a pace that often outruns their current skill level. Upskilling has never been more important.

"SKILup Educational Experiences" are DevOps-focused events designed to provide what the institute calls "just-in-time insights" and education needed by DevOps pros in a range of disciplines. The Institute "aims to disrupt the typical technical conference format and focus on providing relevant content and learning in a safe and fun environment." These are insights attendees "can immediately put… into practice to meet the demands of business agility."

The list of SKILup Educational Experiences includes:

  • SKILup Days: One-day virtual micro conferences with a singular, how-to focus. Featuring experts from the industry as well as enterprise DevOps leaders, SKILup Days include all elements of an in-person conference, including virtual sponsor booths, competitions and networking opportunities with other attendees and Speakers.
  • SKILup Hours: Educational webinars for IT professionals. Each SKILup Hour includes a panel session moderated by industry experts, providing discrete, buildable how-to knowledge on topics crossing people, process and technology.
  • SKILup Festival 2022: A Live DevOps Educational Experience: DevOps Institute is excited to announce that our in-person experiences include high-level content as well as deep-dive technical sessions and workshops with some festival fun and entertainment mixed in. (Dates and locations to be determined.)

The DevOps Institute considers itself "a unifying force of an open and growing professional community of IT practitioners, consultants, talent acquisition and executives helping pave the way to support digital transformation and the New IT."

I do, too.

Posted by John K. Waters on January 20, 2022 at 3:10 PM