Open Source Security Foundation Grows After White House Summit

It's less than two years old, but the Open Source Security Foundation (OpenSSF), a cross-industry group hosted at the Linux Foundation, is attracting an impressive (and growing) roster of members signing up to pitch in on efforts to identify and fix security vulnerabilities in open-source software (OSS), while improving everything from tooling and training to research and vulnerability disclosure practices.

This week, the OpenSSF announced that 19 new organizations have joined that effort, including Citi, Huawei Technologies, Spotify, Alibaba Cloud, and JFrog, bringing the total current membership (by my count) to 60. They're joining a group that already includes Google, Microsoft, AWS, Meta, Cisco, GitHub, Intel, Red Hat, and Snyk. (A complete list of members is available here.)

"The importance of open-source software security is well recognized by the customer, industry, and government," said Dr. Kai Chen, chief security strategist at Huawei, a new Premium Member of the OpenSSF, in a statement. "It is time for the community to take strategic, continuous, effective, and efficient actions to advance the open-source software security posture…."

The foundation's expanding membership represents what the OpenSSF calls "cross-industry momentum," spurred at least in part by the White House Open Source Security Summit in January. The OpenSSF was there, representing hundreds of communities and projects by highlighting collective cybersecurity efforts and sharing their desire to work with the administration across public and private sectors.

Brian Behlendorf, executive director at OpenSSF, was optimistic about that meeting when I talked with him last week. He said the participants from the administration were well informed on the topic.

"They asked good questions, and we tried to make the point that the government is a major user of open-source software," he told me. "And consequently, has a vested interest in improving its consumption of that software. But also, that there are increasing amounts of code being contributed by governments, or by them through contractors, so they're effectively publishers of open-source software, actually a peer in the community. And we talked about what role they should play."

Behlendorf, who assumed his current role in October, is probably best known as a primary developer of the Apache Web Server and a founding member of the Apache Software Foundation. "We're calling this job 'general manager' to de-emphasize that title," he said. "But even that overstates it. Orchestrator, maybe? I'm really more of a circus ringmaster."

The OpenSSF combines the Linux Foundation’s Core Infrastructure Initiative (CII), an effort to improve OSS security in response to the 2014 Heartbleed bug, and the Open Source Security Coalition (OSSC), which was founded by the GitHub Security Lab to build a community to support open-source security for decades to come.

"As all industries increasingly rely upon open-source software to deliver digital experiences, it is our collective responsibility to help maintain a vibrant and secure ecosystem," said Lena Smart, chief information security officer at MongoDB, a new general member of the foundation. "You can have all the tools in the world, but at the end of the day, it is people across multiple organizations around the world working together that will ensure an expansive cybersecurity program…"

Since it was launched in August 2020, the OpenSSF has reached some important milestones across a variety of its technical initiatives, including:

Alpha-Omega Project Launch
The Alpha-Omega Project focuses on improving global OSS supply chain security by working with project maintainers to systematically look for new, as-yet-undiscovered vulnerabilities in open-source code, and get them fixed. The "Alpha" component will work with the maintainers of open-source projects to help them identify and fix security vulnerabilities and to improve their security posture. The "Omega" component aims to identify at least 10,000 widely deployed OSS projects for which it can apply automated security analysis, scoring, and remediation guidance in their open-source maintainer communities. Microsoft and Google are supporting the project with a $5 million investment.

Scorecards Increases Scans to 1 million Projects
Scorecards is an OpenSSF project that helps open-source users understand the risks of the dependencies they consume. GitHub and Google recently announced Scorecards v4, and the project has increased the scale of its scans from 50,000 projects to one million projects identified as most critical based on their number of direct dependencies.

Sigstore Project Gains Momentum
Sigstore is a set of tools for developers, software maintainers, package managers and security experts. The recently released project update reported nearly 500 contributors, more than 3,000 commits, and more than one million entries in Rekor.

Nearly 1,000 Codes for Free MFA Tokens
The Securing Critical Projects Working Group coordinated the distribution of nearly 1,000 codes for free multi-factor authentication (MFA) tokens donated by Google and GitHub to developers of the 100 "most critical" open-source projects. "This is a small but critical step in avoiding supply chain attacks based on stolen credentials of key developers," the foundation said in a press release.

Posted by John K. Waters on March 2, 2022

DevOps Institute Announces New Certifications, Expanded Lineup of 'Educational Experiences'

I recently had a great Tech Talk with Stephen Walters, Solution Architect at xMatters, which was recently acquired by Everbridge ("DevSecOps: Securely Navigating a Shifting Landscape"). Among his other credentials, Stephen is a DevOps Institute Ambassador, so when I saw that the Institute's lineup for 2022 events and webinars included plans for two new DevOps certifications, I just had to pass along the news.

The DevOps Institute is a professional member association and certification authority "for advancing the human elements of DevOps." Basic membership is free, and there's a fee for Premium membership ($199, aimed at full- or part-time employees working in the DevOps field), Enterprise (based on team size), and Government ($99). Lots of goodies here, even for basic members, who get access to the Assessment of DevOps Capabilities (ADOC), the entire library of SKILbooks, the DevOps Institute Career Center, Perks Marketplace, and a 30% discount on exams.

The institute's goal in 2022, according to the announcement, is "to advance the humans of DevOps through skills, knowledge, ideas, and learning," which is the "SKIL Framework."

"In 2022, DevOps Institute continues to lead the charge toward human transformation with an exciting lineup of new and expanded opportunities for DevOps professionals," said Jayne Groll, CEO of DevOps Institute, in a statement. "As we ramp up our education and certification programs, we aim to empower the global member community with the skills and knowledge they need to further their careers and advance the DevOps initiatives at their organizations."

This, of course, is great news for anyone who believes in the potential of the DevOps model, now about 20 years old, and yet still not as fully (or effectively) embraced as it probably should be. You know that thing that has been making it possible for developers to collaborate with operations to deploy software into production faster and with fewer errors? You know.

The list of new certifications the DevOps Institute announced includes:

  • DevSecOps Practitioner is the next level in the DevSecOps certification series. Building on DevSecOps Foundation, the Practitioner certification covers advanced DevSecOps practices and methods, architecture and infrastructure, technical implementation, practical maturity guides, and metrics to deliver better DevSecOps outcomes.
  • DevOps Engineering Foundation explains many aspects of DevOps engineering that leaders and practitioners can execute upon. An engineering approach is critical to DevOps journeys. This certification covers the foundations of knowledge, principles and practices needed to engineer a successful DevOps solution.

Learn more about the Institute's certifications here.

Under the category of "educational experiences," the Institute is adding:

  • SKILup Educational Experiences: IT professionals have always dealt with change, but never at the speed of the current digital transformation. The humans of DevOps are being asked to learn and implement new technologies at a pace that often outruns their current skill level. Upskilling has never been more important.

"SKILup Educational Experiences" are DevOps-focused events designed to provide what the institute calls "just-in-time insights" and education needed by DevOps pros in a range of disciplines. The Institute "aims to disrupt the typical technical conference format and focus on providing relevant content and learning in a safe and fun environment." These are insights attendees "can immediately put… into practice to meet the demands of business agility."

The list of SKILup Educational Experiences includes:

  • SKILup Days: One-day virtual micro conferences with a singular, how-to focus. Featuring experts from the industry as well as enterprise DevOps leaders, SKILup Days include all elements of an in-person conference, including virtual sponsor booths, competitions and networking opportunities with other attendees and Speakers.
  • SKILup Hours: Educational webinars for IT professionals. Each SKILup Hour includes a panel session that is moderated by industry experts, providing discrete, buildable how-to knowledge on topics crossing people, process and technology.
  • SKILup Festival 2022: A Live DevOps Educational Experience: DevOps Institute is excited to announce that our in-person experiences include high-level content as well as deep-dive technical sessions and workshops with some festival fun and entertainment mixed in. (Dates and locations to be determined.)

The DevOps Institute considers itself "a unifying force of an open and growing professional community of IT practitioners, consultants, talent acquisition and executives helping pave the way to support digital transformation and the New IT."

I do, too.

Posted by John K. Waters on January 20, 2022

Microsoft Joins the Java Community Process

You'd think I'd have seen it coming. All the signs were there. There was the day Microsoft announced that it had joined the OpenJDK project back in 2019. Then there was the company's decision to upgrade its status at the Eclipse Foundation to Strategic Member in August of this year. And when Microsoft CEO Satya Nadella proclaimed in September that "We use more Java than one can imagine," I just should have known that Redmond would soon be joining the venerable technology standards and specifications organization behind the evolution of the Java language and platform, the Java Community Process (JCP).

Bruno Borges, Principal Program Manager for Microsoft's Java Engineering Group, revealed that the company had signed the Java Specification Participation Agreement (JSPA) to officially join the JCP in a blog post earlier this month.

"As we have collectively learned since the announcement of the Microsoft Build of OpenJDK in April 2021," Borges said, "Java usage within Microsoft has grown way beyond Minecraft. We have more than 500,000 JVMs in production running hundreds of internal Microsoft systems. In addition to significant internal Java usage, there are many customers and developers coding and running Java on Microsoft Azure and GitHub. Joining the JCP is a major, yet natural step forward for Microsoft in helping shape the future of the Java Platform."

And the Chair and Director of the JCP, Heather VanCura, gave the new member her blessing: "For the past 23 years, the JCP program has guided the specification of the Java platform in cooperation with the international Java developer community. The JCP program welcomes participation and membership from corporate, open source, individual, and Java User Group participants. We are delighted to welcome Microsoft to the JCP program; it continues to represent the vibrant Java ecosystem. We look forward to seeing their contributions."

I sent her an email, but she hasn't gotten back to me. When she does, I'll try for a less PR-sculpted comment. To be fair, the JCP has been through the wringer over the past decade, and VanCura helmed that troubled ship through some treacherous waters. She helped developers and vendors adapt to the faster Java release cadence, spending most of 2019 demonstrating, teaching, and working with developers and teams. She also led the JCP through the often-painful process of untangling that JSPA Nadella and company just signed, which was notoriously byzantine, and which her predecessor, Patrick Curran, once described to me simply as "big and scary."

Then there's that other Bruno, Mr. Souza, the one in South America who founded the Brazil-based SouJava, the largest Java User Group (JUG) in the world. He was one of the initiators of the Apache Harmony project to create a non-proprietary Java virtual machine. He serves on the Executive Committee of the JCP, and was one of my first guests on "The WatersWorks Podcast."

"The JCP is the place where we define and discuss the future of Java, and where we need the collaboration of all the Java community," Souza said. "Microsoft has been an important part of this community, with their involvement in OpenJDK but also supporting Java User Groups and community events. Because of all that, Microsoft has become a strong partner of SouJava, and we are excited to have them go even deeper on their commitment with the Java community."

RedMonk analyst James Governor sees this development as further evidence of Microsoft's commitment to a future in which Java continues to matter. "Java remains a key context for IT today and for the foreseeable future," Governor said.

Boy howdy.

Posted by John K. Waters on November 16, 2021

The Eclipse Foundation Partners with China's OpenAtom on a New Operating System

The Eclipse Foundation today announced the launch of a top-level project to develop a new open-source, vendor-neutral OS designed to provide an alternative to existing IoT and edge operating systems.

Called Oniro, the new OS is an implementation of OpenHarmony, a distributed multi-kernel operating system developed by OpenAtom, China’s first open-source foundation. The purpose of Oniro is to provide the same operating system across a much wider range of devices, Mike Milinkovich, the executive director of the Eclipse Foundation, told me, such as a tiny leak sensor in a home and a Raspberry Pi.

"The interesting thing about Oniro from a technical point of view is that it's a single operating system that will run on multiple kernels," Milinkovich said. "The two we're working on first are Yocto, which is, of course a variant of Linux that's particularly relevant in the embedded space. And the second one is Zephyr, which is a sort of a lightweight operating system that you would put on much smaller devices."

The Eclipse Foundation announced that it would be collaborating with OpenAtom on the OS last September.

According to its website, OpenAtom is a non-profit, independent legal entity "dedicated to public welfare undertakings in the open-source industry." The purpose of the OpenHarmony project is "to build an open, distributed operating system framework for smart IoT devices in the full-scenario, full-connectivity, and full-intelligence era."

HarmonyOS is a commercial distribution of OpenHarmony developed by Huawei, the Chinese telecom giant. The company announced the developer preview release of HarmonyOS 3.0 last week. Version 2.0 was launched in June of this year, and Huawei has been rolling out HarmonyOS on selected smartphone models that offer users an alternative to Google's Android platform.

The main code base for OpenHarmony is hosted on Gitee, China's version of GitHub. The maintainers of the project wanted to grow its addressable market beyond China, Milinkovich explained, and they needed a Europe-based partner to do that. The Eclipse Foundation, now based in Belgium, was a natural partner, he said.

"I think this is evidence that our strategy of moving to Europe was the right one," Milinkovich said. "If we had still been a North American organization, I doubt that this opportunity would have come to us. People who would never have thought of us before are coming to us with projects."

The Eclipse Foundation announced that it would be moving its legal headquarters from the US last year and formally established its official headquarters in Belgium in January of this year.

To facilitate the governance for the Oniro device ecosystem, the Eclipse Foundation is also launching a new dedicated working group. The Eclipse Foundation’s working group structure provides the vendor neutrality and legal framework that enables transparent and equal collaboration between companies, Milinkovich said.

The initial working group membership roster includes Eclipse, OpenAtom, Linaro, a UK-based open-source organization focused on Linux for Arm-based devices, and Seco, an Italian IoT device manufacturer.

"To my knowledge, this is the first time three open-source foundations (Eclipse, OpenAtom, and Linaro) have collaborated on a single piece of technology," Milinkovich said.

Although he acknowledged that there's "a ton of work to do" on this project, Milinkovich emphasized that it's not starting from scratch.

"I saw some numbers today, and it's like 50 percent of the packages that are going into the initial Oniro build are essentially identical to what you'd get in a Debian distribution," he said. "And we're building initially on the Yocto and Zephyr kernels. I always say, don't reinvent the wheel, stand on the shoulders of giants. And that's what we're trying to do here with as much reuse as possible from all the existing work that has been done."

The roadmap for the project includes the development of a number of "blueprints" targeting an initial set of devices, Milinkovich explained.

"That's how we're going to grow the developer enablement and build out the ecosystem," he said, "by making it as simple as possible for developers to grab a blueprint that closely matches their requirements, and then modify it to deliver the piece of functionality they're working on."

I asked Milinkovich what it was like working with a Chinese organization.

"Other than getting phone calls really early in the morning, it's not so bad," he quipped. "But seriously, we don't think of China as a place where open source starts, but primarily as a consumer of open source. I think this is sort of a step in their maturation, of them becoming a first-class citizen in the global supply chain of open-source software, which is really driving innovation everywhere around the world. So, from that, from that point of view I think this is a major step."

Davide Ricci, director of Huawei’s Consumer Business Group European Open-Source Technology Center, expressed his organization's enthusiasm for the project in the press release.

"It is so exciting to see everything moving under the expert governance of the Eclipse Foundation," he said. "Under the Eclipse Foundation the project will have its greatest chance at onboarding new contributing members and bringing real products on the shelves of consumer electronics stores around the world. We reckon Oniro is not a sprint, rather a marathon, and we are thrilled and committed to this world changing journey."

Posted by John K. Waters on October 26, 2021

New Trusted AI Dev Tool from IBM Research Communicates 'Uncertainty'

IBM Research added to its growing family of "trusted AI" tools recently with the release of a new open-source developer toolkit called Uncertainty Quantification 360 (UQ360). The new toolkit focuses on what IBM believes will be the next big area of advancing trust in artificial intelligence: communicating an AI's "uncertainty."

Uncertainty quantification is just what it sounds like: a determination of the level of confidence an AI system has in its decisions. The new UQ360 toolkit was designed to give data science practitioners and developers a set of algorithms to streamline the process of quantifying, evaluating, improving, and communicating uncertainty of machine learning models.

What we're talking about here, IBM AI researchers Prasanna Sattigeri and Q. Vera Liao explained in a blog post, is a way to enable an AI system or application to express that it is unsure, "giving it intellectual humility and boosting the safety of its deployment."

IBM is billing UQ360, which was released at the 2021 IBM Data & AI Digital Developer Conference, as one of the first toolkits designed to provide both a comprehensive set of algorithms for quantifying uncertainty and the capabilities to measure and improve uncertainty quantification to streamline the development process. The tool comes as a Python package with a taxonomy and guidance for choosing these capabilities based on a developer's needs, the company says.

UQ360 is just the latest toolkit to emerge from IBM Research, alongside AI Fairness 360, the Adversarial Robustness Toolbox, AI Explainability 360, and AI Factsheets 360, all released over the last few years to advance various dimensions of AI trust.

"Trust" in this context refers to the ability of humans to have confidence in the output of an AI-enabled app or system. AI systems have traditionally been black boxes, but, as IBM puts it, "To trust a decision made by an algorithm, we need to know that it is fair, that it’s reliable and can be accounted for, and that it will cause no harm." That level of trust requires transparency.

The fatal highway crash of a Tesla vehicle operating in self-driving mode in June threw another spotlight on the AI safety issue and the growing interest in shining a light in the AI black box. But Sattigeri, with whom I spoke over Zoom, said "miscalibrated uncertainties" are about more than just this kind of obviously critical application of AI.  

"The self-driving example is a scary one," he allowed, "but take the loan approval process, where somebody is using an AI system to assist them in making a prediction that impacts your interest rate. Or in a healthcare setting, where the doctor needs to trust the AI to assist in making a diagnosis."

Quantifying uncertainty can show gaps in the knowledge of the training model, Sattigeri said, so the model can be improved.

"If we know [that the systems] are overconfident or underconfident," he said, "we can use recalibration algorithms to make them either looser, so you're increasing the margin of error, or [tighter] so you're decreasing the margin of error. And then it's up to the decision maker how they want to use it. If the uncertainty is too large, the loan officer can go ahead and do certain other investigation, maybe collecting additional information about the person."

If you've never visited Big Blue's R&D division website, you've just gotta. On the Trusted AI page alone, you'll find projects ranging from AI Explainability to Adversarial Robustness, Causal Inference to AI Fairness—all concepts behind research projects leading to the development of tools "to make AI more explainable, fair, robust, private, and transparent," IBM says.

AI software development continues to be a land of evolving concepts and esoteric nomenclature that coders with little to no experience in this terrain are increasingly required to navigate. But even AI road warriors need effective tools to keep up with the accelerating pace of software delivery that increasingly includes AI, machine learning, and deep learning. With its open-source trusted AI toolkits, IBM has put up some useful signposts.

Posted by John K. Waters on August 6, 2021

Microsoft Steps Up Java Support at Eclipse with a New Strategic Membership

Microsoft has amped up its support of Java developers by expanding its participation in the Eclipse Foundation to become a Strategic Member, the company announced this week.

Microsoft's Stephen Walli, principal program manager in the Azure Office of the CTO, will be joining the foundation's board of directors.

"The Eclipse Foundation is expanding its role through working groups and many of these working groups are important to Microsoft and its partners," Walli said in a blog post. "Recent work around the Eclipse Dataspace Connector and Eclipse Tractus-X are examples of new work beginning at the Eclipse Foundation in working groups in which Microsoft has an interest in participating."

Among other privileges, Strategic Members have a seat on the foundation's board of directors, its architecture council, and expanded board voting rights on key aspects of the Eclipse ecosystem, including licensing, governing policy development, and amendments to membership agreements and bylaws.

"Strategic Members play an integral role in the Eclipse Foundation ecosystem," the foundation explains on its website, because they are "investing significant developer and other resources to further drive Eclipse Foundation technology."

How much of an investment? According to the foundation's membership agreement, Strategic Members must commit "the full-time equivalent" of at least two developers assigned to work on Eclipse technology projects on an on-going basis. Strategic Members are encouraged (but not required) to lead an Eclipse project or a Project Management Committee (PMC). They also pay dues based on a combination of membership class and the organization's annual revenues. A company making more than €250M (just under $3M) annually pays €250,000 for a Strategic membership. (You can check my math on the membership agreement.)

"The Eclipse Foundation has a long history of providing a strong, collaborative culture supporting open-source-licensed projects," Walli said in his post, "and many of those projects are important to Microsoft, our partners, and our customers. It is important for Microsoft to support the organization that supports those projects, and to work within the organization towards those collective goals."

Another reason for Redmond's accelerated involvement: the foundation's recent decision to establish its official headquarters in Belgium.

"The [Eclipse] team showed initiative and forethought and pivoted to become a European-based international non-profit organization to align with its membership," Walli said in his post. "The Eclipse Foundation is a natural place for Microsoft to collaborate on new initiatives beginning with European partners."

Walli posts occasionally on Microsoft's Open-Source Blog. He has a long history of working with open source.

"Having a rich ecosystem of healthy non-profits supporting different groups of open-source-initiative-licensed projects and their project ecosystems is a must," Walli said. "At Microsoft, we are committed to continuing to support and participate across the non-profit ecosystem, as well as engage in projects themselves."

Of course, Microsoft supports its own thriving developer community, but Redmond has been a member of the Eclipse Foundation since 2016, when it joined as a Solutions Member. The company announced the Microsoft Build of OpenJDK, a new no-cost, open-source, Long-Term Support (LTS) distribution of OpenJDK, in April of this year, and released it in May. And Java on Visual Studio Code has become an increasingly popular code editor.

But Microsoft has seemed especially interested in supporting Java on Azure. The Azure Toolkit for Eclipse, which is available on the Eclipse Marketplace, provides "functionality that allows you to easily create, develop, configure, test, and deploy lightweight, highly available and scalable Java web apps and HDInsight Spark jobs to Azure using the Eclipse development environment." The Java SDK for Azure is an open-source Azure SDK for Java designed to simplify provisioning, managing, and using Azure resources from Java application code.

The Eclipse Foundation is a good place from which to pursue at least one dimension of these interests. It's one of the world’s leading open-source software development and specifications organizations. It's the non-profit steward of the Eclipse IDE, enterprise Java (Jakarta), and the Eclipse MicroProfile. And its roster of Strategic Members includes IBM, Oracle, Huawei, and SAP, among others—now including Microsoft.

Posted by John K. Waters on August 4, 2021

Eclipse Foundation Launches New Eclipse IDE Working Group

The Eclipse Foundation today announced the formation of the Eclipse IDE Working Group, a new community-driven initiative that will "support the continued evolution, adoption, and sustainability of the Eclipse IDE suite of products, related technologies, and ecosystem."

Specifically, the new working group will provide governance, guidance, and funding for the communities that support the delivery and maintenance of Eclipse IDE products. The stated goals of the group are "to ensure the continued success, vibrancy, quality and sustainability of the Eclipse Platform, desktop IDE and underlying technologies, including related planning and delivery processes, as well as related delivery technology."

The animating idea here is to provide a governance structure that will enable broad collaboration while maintaining standards and addressing market requirements. That structure will be supported by an impressive list of working group founders that includes Bosch, EclipseSource, IBM, Kichwa Coders, Renesas, SAP, VMware, and Yatta Solutions.

The Eclipse IDE was not only the Foundation's flagship offering when the organization was created by IBM and set loose upon the world in 2001, it was its only offering, its raison d'être. Looking back to my first report on the then-fledgling dev tool, I found this description: "The Java-based, open-source software, code-named Eclipse, will enable developers to use tools from multiple suppliers together, allowing them to integrate processes used to create e-business applications, such as those for Web services." (Code-named? E-business?)

When IBM announced that it was releasing its Eclipse code, Gartner analysts Joseph Feiman and Mark Driver called the move "an ambitious project and an ambitious product foundation." If it succeeded, they said, it would revive the concept of best tools combined in a single workbench, which they called "an application developer's dream."

It would be an understatement to say that the open-source community—heck, the tech world at large—viewed IBM's largesse at the time with skepticism. And yet, Big Blue managed to keep from big-footing the Foundation, participating, instead, as a regular-sized-foot member organization.

"Two decades ago, IBM and the community launched what has become the Eclipse IDE family of projects, and these tools are even more useful to developers today as they were then," said Todd Moore, VP of IBM's Open Technology group, in a statement. "As a founding member of the Eclipse IDE Working Group, IBM is eagerly looking forward to collaborating with the other members, supporters and the community to nurture a thriving ecosystem that keeps these projects relevant now and into the future."

Since then, the Foundation has evolved into a steady, competent specification organization and the true shepherd of a vast expanse of solutions and services. And ever at the heart of that expanse has been its venerable, namesake IDE. With millions of users, tens of millions of downloads, and billions of dollars in shared investment, the Eclipse IDE continues to be one of the most popular desktop development environments on the planet.

"For 20 years, the Eclipse IDE has provided developers around the world with a powerful open-source tooling platform used to create world-class applications and products," said Mike Milinkovich, executive director of the Eclipse Foundation, in a statement. "This new working group will ensure the Eclipse IDE platform is set to fulfill the needs of the millions of developers who use the Eclipse IDE today and in the future."

The launch of the Eclipse IDE Working Group coincides with the 2021-06 release of the Eclipse IDE, itself, and the second quarterly simultaneous release of more than 70 participating projects, 110 committers, 174 contributors, and almost 80 million lines of code, the Foundation says.

A partial list of new features for this release includes:

  • Support for Java 16 and the necessary tooling for development
  • Improved Java development tooling with new cleanups added, improved debug hover, and evaluation over chain of variables
  • Support for Mac AArch64 for Apple M1 based systems
  • Improved embedded terminal that supports opening files and links with Ctrl+Click, remembers working directory, shell, and other settings

The Eclipse IDE 2021-06 is available now for download.

Unsurprisingly, the Eclipse Foundation is welcoming interested parties to the new working group. To learn more about how to get involved with the Eclipse IDE Working Group, visit the Eclipse Foundation membership page or see the working group’s Charter and Participation Agreement.


Posted by John K. Waters on June 17, 2021

Lightbend Launches 'Stateful' Serverless Akka Platform

Lightbend, the company behind the Scala JVM language and developer of the Reactive Platform, today unveiled "a unique, first-of-its-kind Platform-as-a-Service (PaaS) offering" for cloud native application development.

I put quotation marks around that marketing phrase (it's a reflex), but the newly available Akka Serverless does look to be a unique offering.

Akka Serverless is based on a new architecture that removes limitations that have, historically, prevented the development of general-purpose applications using the serverless model. With those limitations removed, the new PaaS enables the creation of cloud native apps using any programming language and eliminates the need for databases in deploying business-critical applications.

Brad Murdoch, Lightbend's EVP of Strategy, talked with me about the concept of a "stateful serverless" developer platform.

"The challenge with stateless, of course, is that, to build certain classes of applications, you need state," Murdoch said. "And you need state management at scale, and you need state to be a first class citizen, and you need your data available in real time, and all of those great things that are basically not possible to do in a stateless serverless model today.

"We're changing that, but we're not just sort of adding state to serverless. We've built a declarative API-first programming model where the developer basically defines the API contract and the data they want their function to be able to operate on at runtime. Then Akka, under the covers, delivers that data to the function at runtime automatically."

What this does, effectively, is to remove whole swathes of middleware and database concerns from the developer, Murdoch said. And with Akka "under the covers," this model scales, so the developer doesn't need to worry about that, either.

"The big change here is that we're kind of reversing the paradigm, so that instead of the developer needing to understand the complexities of distributed computing in order to take advantage of it for scale and performance, now we've got a service on the cloud that can do all that for you," Murdoch added.

Akka Serverless also delivers on a goal of the company that dates back to its origins as Typesafe: it is a fully polyglot platform that can support any programming language that can talk to the API.

The other big change with this announcement is that Jonas Bonér, Lightbend’s CTO and founder, inventor of the Akka Project, and co-author of the “Reactive Manifesto,” has also taken the helm of Lightbend as CEO.

“Until now, the challenges of dealing with state at scale have meant that a serverless approach has not been able to address many more complex applications, such as IoT platforms, real-time financial services, modern eCommerce systems, streaming media, internet-based gaming, factory automation, telemedicine, and more,” Bonér said in a statement. “What is needed is a data-centric backend application architecture that can handle the volume of data required for today’s applications at extremely high performance. Akka Serverless is the first to achieve these capabilities and I’m excited to continue Lightbend's growth leveraging this superior model for cloud native development.”

Bonér, a Swedish programmer who had built compilers, runtimes, and open source frameworks for distributed applications for vendors such as BEA and Terracotta, was frustrated by the scale and resilience limitations of CORBA, RPC, XA, Enterprise JavaBeans, SOA, and the Web Services standards and abstraction techniques Java developers used at the time. He turned to the Actor Model, which emphasizes loose coupling and embracing failure in software systems and dataflow concurrency, used by the Erlang and Oz languages.

Bonér developed the concept of the Akka Actor Kernel (later shortened to Akka) in 2009 and shared the first public release of Akka 0.5 on GitHub. It would eventually become the de facto model for concurrency in the Java Virtual Machine (JVM). Today Akka is used by PayPal, LinkedIn, and Capital One, among many others, to handle billions of transactions at massive scale in their cloud-native systems. It’s also used by the popular online game Fortnite.

Akka Serverless was two years in the making, Murdoch said, and is now available in open beta, with general availability expected later this year. Developers can learn more about Akka Serverless and become a beta participant today.

Posted by John K. Waters on June 10, 2021

Google I/O: From Android 12 to Firebase and Flutter

There are so many announcements coming out of this year's Google I/O virtual conference this week that I couldn't cover it all in one post. So, here's a quick rundown of other announcements from this (very well produced) event. (Loved the outdoor keynotes.)

Google's Jacob Lehrbaum, director of Android developer relations, advised Android developers to get ready for Android 12, due later this year, but available now in beta for some devices. This release will come with "one of the biggest design changes ever" in Android's history, he said. And that's not an understatement.

The stunningly refreshed UI includes a new "color extractions" feature that changes the system’s theme based on your current algorithm, a dynamic lighting feature, and a Quick Wallet Access feature on the lock screen.

Android 12 also comes with some new safety features, including the ability to audit app data requests, which is similar to the privacy features in the recently updated iOS 14.5. Developers can learn more about how their apps and their dependencies access private data from users by performing data access auditing. (Details on this Android Developer page.)

The Android 12 beta is available to anyone with a Pixel 3 or newer, the Xiaomi Mi 11 and devices from ZTE, Asus, OnePlus, Oppo, realme, Sharp, TECNO, Vivo, and TCL. The Nokia X20 is also on that list, though no link was available on the Android 12 'eligible devices' page at press time.

Google also announced new features for its Firebase mobile web app development platform "after taking a hiatus in 2020." The platform, which Google says is now used by more than 3 million apps per month, gets a new AI-powered Personalization enhancement of its Remote Config service. Currently in alpha, Personalization uses Android's on-device machine learning (ML) capabilities to allow devs to deliver optimized individual user experiences automatically. The only thing current Firebase devs will need to do is provide different configuration options and Personalization will monitor app users and tailor aspects of those configuration options to what it "thinks" will improve engagement. 

Google also announced that devs can now use the Firebase Storage API locally through the Emulator Suite, a feature that lets developers run local versions of some of the tools in Firebase. The Firebase Local Emulator Suite is a set of advanced tools for developers "looking to build and test apps locally using Cloud Firestore, Realtime Database, Cloud Storage, Authentication, Cloud Functions, Pub/Sub, and Firebase Hosting," the company says.

Anything that uses this API can now be tested completely offline, which means devs can take advantage of cost savings and enhanced testing automation.

Android 12 also comes with new hardware APIs for Chrome designed to provide access to device peripherals, and new Privacy Sandbox APIs now available to test. Remember that Google plans to phase out third-party cookies from Chrome.

And then there's Flutter, version 2.2 of which was announced at the conference. This release of Google's open-source mobile UI toolkit comes with several new features, including a way for developers to monetize their apps with in-app purchases and ads. This release also makes it possible for developers to connect to cloud services, and it comes with APIs that extend apps to support new capabilities. 

Based on Google's in-house language, Dart, Flutter was released by Google in 2017, and its star has been on the rise ever since.

Google also launched a very cool new MLOps platform called Vertex AI, which you can read about in our sister publication, Pure AI.

Posted by John K. Waters on May 19, 2021