Through LF Research, the Linux Foundation is uniquely positioned to create the definitive repository of insights into open source. By engaging with our community members and leveraging the full resources of our data sources, including a new and improved LFX, we’re not only shining a light on the scope of the projects that comprise much of the open source paradigm but contextualizing their impact. In the process, we’re creating both a knowledge hub and an ecosystem-wide knowledge network. Because, after all, research is a team sport.

Taking inspiration from research on open innovation, LF Research will explore open source amidst the challenges of the current era. These include challenges like the COVID-19 pandemic, climate risk, and accelerating digital transformation — all changing what it means to be a technology company or an organization that deeply relies on innovation. By publishing a new suite of research deliverables that aid in strategy formation and decision-making, LF Research intends to create shared value for all stakeholders in our community and inspire greater levels of participation in it. 

Completed Core Research

  • The 2021 Linux Foundation Report on Diversity, Equity, and Inclusion in Open Source, produced in partnership with AWS, CHAOSS, Comcast, Fujitsu, GitHub, GitLab, Hitachi, Huawei, Intel, NEC, Panasonic, Red Hat, Renesas, and VMware, seeks to understand the demographics and dynamics concerning overall participation in open source communities and to identify gaps to be addressed, all as a means to advancing inclusive cultures within open source environments. This research aims to drive data-driven decisions on future programming and interventions to benefit the people who develop and ultimately use open source technologies. Enterprise Digital Transformation, Techlash, Political Polarization, Social Media Ecosystem, and Content Moderation are all cited as trends that have exposed and amplified exclusionary narratives and designs, mandating increased awareness, and recalibrating individual and organizational attention. Beyond the survey findings that identify the state of DEI, this research explores a number of DEI initiatives and their efficacy and recommends action items for the entire stakeholder ecosystem to further their efforts and build inclusion by design.

Core Research in Progress

  • The Software Bill of Materials (SBOM) Readiness Survey (estimated release: Q1 2022), produced in partnership with the Open Source Security Foundation, OpenChain, and SPDX, is the Linux Foundation’s first project in a series designed to explore ways to better secure software supply chains. With a focus on SBOMs, the findings are based on a worldwide survey of IT professionals who understand their organization’s approach to software development, procurement, compliance, or security. An important driver for this survey is the recent U.S. Executive Order on Cybersecurity, which calls for producing and consuming SBOMs.

Completed Project-Focused Research

  • The Fourth Annual Open Source Program Office (OSPO) Survey, produced in collaboration with the TODO Group and The New Stack, examines the prevalence and outcomes of open source programs, including the key benefits and barriers to adoption.
  • The 2021 State of Open Source in Financial Services Report, produced in partnership with FINOS, Scott Logic, Wipro, and GitHub, explores the state of open source in the financial services sector. The report identifies current levels of consumption and contribution of open source software and standards in this industry and the governance, cultural, and aspirational issues of open source among banks, asset managers, and hedge funds.
  • The 2021 Data and Storage Trends Survey, produced in collaboration with the SODA Foundation, identifies the current challenges, gaps, and trends for data and storage in the era of cloud-native, edge, AI, and 5G.
  • The 9th Annual Open Source Jobs Report, produced in partnership with edX, provides actionable insights on the state of open source talent that employers can use to inform their hiring, training, and diversity awareness efforts.

We could not imagine what was on the horizon when COVID-19 first appeared in late 2019. Locally and globally, we’ve weathered many challenges, adjusted our sails, and applied new tools and approaches to continue our momentum. As we now approach 2022, our hopes aim even higher as we pursue new horizons and strengthen our established communities. We’re emerging stronger and better equipped to tackle these great challenges, and your help has made it all possible.

Your willingness to engage in our local, virtual, and large-scale in-person events was invaluable. These meetings demonstrated that the bonds within our hosted communities and families of open source foundations remain strong. Thank you for coming back to the events and making them successful.

In 2021, we continued to see organizations embrace open collaboration and open source principles, accelerating new innovations, approaches, and best practices. Not only have we seen compelling new project additions this year, but these projects are bringing new organizations into our community. In 2021, the LF welcomed a new organization nearly every day.

As we look to 2022, we see a diverse and growing pipeline of new projects across open source and standards. We see new demand to guide and develop projects in 5G, supply chain security, open data, and open governance networks. Throughout the continuing challenges of 2021, we remain focused on open collaboration as the means for enabling the technologies and solutions of the future. 

We thank our communities and members for your continued confidence in our ability to navigate a challenging business environment and your lasting and productive partnerships. We wish you prosperity and success in 2022.

Our yearly achievements would not be possible without the efforts of the Linux Foundation’s communities and members. Read our 2021 Annual Report here.

In 2021, we continued to double down on our commitment to enact positive change for underrepresented and marginalized people by introducing new programs, and progressing existing ones, for inclusivity, racial justice, and diversity.

The LF is Committed to Building Diverse and Inclusive Communities

Unique ideas and contributions — that originate from a diverse community, from all walks of life, cultures, countries, and skin colors — are vital for building sustainable and healthy open source communities. Individuals from diverse backgrounds inject new and innovative ideas to advance an inclusive and welcoming ecosystem for all.

Creating diverse communities requires effort and commitment. The Linux Foundation is addressing the need to build inclusive and welcoming spaces through various initiatives, including some of those expanded upon below.

LF Research Publishes 2021 Open Source Diversity, Equity, and Inclusion Study

The Linux Foundation has put diversity, equity, and inclusion (DEI) at the top of its inaugural research agenda, and for good reason: it is the social imperative of our time. The new research identifies the state of DEI in open source communities and the challenges and opportunities within them, and draws conclusions about which initiatives are helpful and where we collectively need to do more.

Earlier this year, we engaged member organizations from the Linux Foundation Board to provide financial support for survey translation into ten different languages and enable further qualitative research to be conducted for a richer perspective. LF Research is grateful to AWS, CHAOSS, Comcast, Fujitsu, GitHub, GitLab, Hitachi, Huawei, Intel, NEC, Panasonic, Red Hat, Renesas, and VMware for their support and leadership in this important piece of research.

We are also grateful to the members of our community who participated in the DEI survey. In addition, more than two dozen individuals across the open source community participated in interviews with the research team adding further insight to the survey findings.

The research shows that while a majority of respondents feel welcome in open source, many in underrepresented communities do not. We hope that the data and insights that this project provides will be a catalyst for strengthening existing DEI initiatives and creating new ones. 

Download and Read The 2021 Linux Foundation Report on Diversity, Equity, and Inclusion in Open Source

Inclusive Language Efforts Continue

Communities that adopt inclusive language and actions will be able to attract and retain individuals from diverse backgrounds. The Linux kernel community adopted inclusive language in the Linux 5.8 release, showing its commitment to Diversity and Inclusion. 

For other projects, the Inclusive Naming Initiative launched at KubeCon North America to standardize inclusive language across the industry. It released a training course, LFC103: Inclusive Strategies for Open Source Communities, to support this.

Software Developer Diversity and Inclusion Project

We are also focusing on Science and Research to Advance Diversity and Inclusion in Software Engineering. Our new Software Developer Diversity and Inclusion (SDDI) project will draw on science and research to deliver resources and best practices in increasing diversity in software engineering. 

Open Hardware Diversity Alliance

The Open Hardware Diversity Alliance is a RISC-V incubating project with the mission of bringing together the open hardware community to provide programs, networking opportunities, and learning to encourage participation and support to the professional advancement of women and underrepresented individuals in open source hardware.

Diversity, Equity, and Inclusion Micro-Conference

Creating diverse communities requires effort and commitment to creating inclusive and welcoming spaces. Recognizing that communities that adopt inclusive language and actions attract and retain more individuals from diverse backgrounds, the Linux kernel community adopted inclusive language in the Linux 5.8 release. Understanding if this sort of change has been effective is a topic of active research. The Diversity, Equity, and Inclusion Micro-Conference at Linux Plumbers Conference 2021 took the pulse of the Linux kernel community as it turned 30 this year and discussed some next steps. Experts from the DEI research community shared their perspectives and preliminary research with Linux community members.

A multifaceted discussion on various research topics related to diversity was informative. A few takeaways are:

  • Diversity spans geography, gender, and language.
  • Inclusive language efforts have to take language barriers into account.
  • Implicit and explicit mentoring efforts help attract developers from diverse backgrounds.
  • Mentoring programs with opportunity to work with experts are successful in attracting developers from diverse backgrounds.

The challenges to work on:

  • How do we retain new developers?
  • How do we evolve new developers into maintaining code?

LFX Mentorships

As we look back at the year, the LFX Mentorship program will wrap 2021 with 23 new Linux kernel developers and 181 new open source developers across all LFX projects, with 5,285 applications received. We started the LFX Mentorship program in 2019 with just three new developers, and we’ve come a long way since then.

The LF Mentorship program, with help from the Events team, reached out to Historically Black Colleges and Universities (HBCUs) and to colleges with larger Hispanic student populations before the Summer session, and to all 2021 applicants to get feedback on the program and platform.

The first outreach had limited success in attracting and selecting applicants; the feedback request was successful. Here is what respondents said attracted them to our program:

The top two responses tied at 83%:

  • Ability to work 1:1 with experienced open source contributors.
  • Opportunity to experiment and ability to learn to contribute effectively to current open source projects.

The next most common responses were the opportunity to facilitate jobs and internships (55%) and paid opportunities (49%).

The important takeaways are that the program offers the ability to work with experts and the opportunity to experiment. A few mentioned that the program’s emphasis on support for students and developers who are entirely new to open source is why they applied, aligning with the program’s goals and objectives.

Learn more about LFX Mentorships at

Mentorship + Events

The LFX Mentorship program and the LF Events team collaborated with 22 experts from the open source communities to provide unstructured self-learning resources under the LF Live Mentorship Series umbrella. The series provides expert knowledge and valuable interactive discussion across various topics related to the Linux kernel and other open source projects, primarily on development. We made these 22 webinars available for free, and we will conclude this year with two more. We thank all our mentors for taking the time to share their knowledge and expertise.

Let’s take a look at how these programs enable new developers to find jobs and career opportunities. You can read the stories of Linux Kernel Mentorship program graduates breaking the open source glass ceiling by Nithya Ruff and Jennifer Cloer.

We are also planning to reach out to all our graduates since the inception of this program in 2019. The goal is to see where their open source journeys took them after graduating, and we will share the results.

The LFX Mentorship and LF Events team collaborated on a Mentee Showcase to connect our graduates with prospective employers from our member companies. In this virtual event, mentees will share their accomplishments with others. There are plenty of open source jobs, and employers are looking for talent. Additionally, this event allows us to thank our mentors who share their knowledge to train new talent. Some of our mentors do this in their spare time without expectations. We are hoping to make this an annual event.

Recent research on the Linux kernel community confirmed the busy-maintainer problem we have talked about for a couple of years. Next year, this is one area of focus: we plan to add mentorship projects and webinars that provide resources to develop maintainer talent within open source communities.

As we talk about the stats and numbers, let’s not lose sight of the big picture. It’s all about:

  • Making a difference and empowering people by offering both structured and unstructured learning opportunities.
  • Paying mentees to learn, and making the resources free and accessible to all.
  • Developing new talent and making that talent available to the Linux ecosystem.
  • Helping build communities that continue developing open source code, keeping the Linux ecosystem healthy and sustainable.

Addressing Racial Justice Efforts Through Code

In February of 2021, the Linux Foundation announced it would host seven Call for Code for Racial Justice projects, an initiative driven by IBM and Creator David Clark Cause to urge the global developer ecosystem and open source community to contribute to solutions that can help confront racial inequalities. These include two new cloud-based Solution Starter applications:

  • Fair Change is a platform to help record, catalog, and access evidence of potentially racially charged incidents to help enable transparency, reeducation, and reform as a matter of public interest and safety. 
  • TakeTwo aims to help mitigate bias in digital content, whether overt or subtle, focusing on text across news articles, headlines, web pages, blogs, and even code. 

In addition to the two new apps, the Linux Foundation now hosts five evolving open source projects from Call for Code for Racial Justice:

  • Five Fifths Voter: This web app empowers minorities to exercise their right to vote and helps ensure their voice is heard by determining optimal voting strategies and limiting suppression issues.
  • Legit-Info: Local legislation can significantly impact areas as far as jobs, the environment, and safety. Legit-Info helps individuals understand the legislation that shapes their lives.
  • Incident Accuracy Reporting System: This platform allows witnesses and victims to corroborate evidence or provide additional information from multiple sources against an official police report.
  • Open Sentencing: To help public defenders better serve their clients and make a stronger case, Open Sentencing shows racial bias in data such as demographics.
  • Truth Loop: This app helps communities understand the policies, regulations, and legislation that will most impact them. 

Open source fuels the world’s innovation, yet building impactful, innovative, high-quality, and secure software at scale can be challenging when meeting the growing requirements of open source communities. Over the past two decades, we have learned that ecosystem building is complex. A solution was needed to help communities manage themselves with the proper toolsets in key functional domains.

From infrastructure to legal and compliance, from code security to marketing, the Linux Foundation’s experience governing projects across its communities has accumulated years of expertise and proven best practices. As a result, we have spent the year productizing the LFX Platform, a suite of tools engineered to sustain and grow the communities of today and build the communities of tomorrow.

LFX: The Open Source Community Management Toolsuite for Continued Growth

The LFX Platform provides our members and projects with tools to support every stage of an open source project, from funding to community management to application security. LFX is built to support the needs of all community participants: maintainers, contributors, community managers, security professionals, marketers, and more.

  • Open source communities need access to better tools to scale.
  • Developers need to be able to make effective code contributions, scan for security vulnerabilities, and deploy.
  • Community managers need to facilitate meetings, host meet-ups online or in-person, support governing boards, and decide on proper governance structures.
  • Project leadership needs to be responsive, provide support, engage in training, and promote their latest developments. 

We aim to help reduce the complexity of building and managing open source ecosystems by delivering a new platform that brings people, information, tools, and supporting programs together.

We want to invite you to explore LFX. First, . Then jump into experiencing LFX elements such as your Individual Dashboard, Mentorship, EasyCLA, Insights, or Security. The LFX platform provides open source communities the following areas of key functionality:

LFX Platform Key Functional Areas

LFX Platform: New Features and Capabilities

Global Trends and Compare Projects capabilities extend LFX Insights with new reports, enabling community members to easily answer common questions about their open source ecosystem or quickly compare open source communities to identify and drive best practices.

Global Trends and Compare Projects Dashboards

Security Vulnerabilities and Code Secrets Scanning, with Remediation powered by Snyk and BluBracket, is now available in LFX Security. It enables communities to automatically scan code, detect potential vulnerabilities or exposed code secrets, and receive recommended fixes to remediate the identified issues.

Security Vulnerabilities and Code Secrets Scanning with Remediation

Non-Inclusive Language Detection is now a part of LFX Security through integration with BluBracket, enabling the identification and elimination of non-inclusive language to attract and retain more participants and deliver on the power and promise of more diverse and inclusive open source communities.

Tool Highlight: LFX Security

The world’s most critical infrastructure is built on open source, and therefore the security of open source software is essential. LFX Security builds on the Core Infrastructure Initiative and the Open Source Security Foundation and years of learned security best practices to provide communities with the capabilities required to secure their code continuously. LFX Security is powered by integrations with leading security vendors and supports existing tools and languages.

  • Automatic vulnerability scanning, with recommended fixes and inline remediation
  • Risk analysis with intuitive and informative scoring 
  • Automatic detection of potential code secrets
  • Identification of non-inclusive language in code 

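As an added illustration of the kind of scanning described above (example code written for this page, not LFX Security's, Snyk's, or BluBracket's own implementation), the following Python script runs high-confidence credential patterns, a Shannon-entropy check on secret-looking assignments, and a small inclusive-language term check over a constructed sample configuration file. The credential formats, the entropy threshold, the term list, and the sample input are assumptions chosen for the example; the AWS values are the placeholder credentials AWS publishes in its own documentation, not live keys.

```python
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Constructed sample input (an imaginary settings file, not a real repository).
SAMPLE_SOURCE = """\
# settings.py (constructed sample, not a real repository)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_PASSWORD = "hunter2"
GITHUB_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJklmnop"
LOG_LEVEL = "debug"
-----BEGIN RSA PRIVATE KEY-----
ip_whitelist = ["10.0.0.1"]
replica_host = "db-secondary"
"""


@dataclass
class Finding:
    line: int
    kind: str      # "secret" or "language"
    rule: str
    excerpt: str   # redacted for secrets; never echo a whole credential
    advice: str


# High-confidence secret formats: a documented, fixed prefix and length.
SECRET_PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private-key-block",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
]

# Lower-confidence rule: a secret-looking name assigned a quoted literal.
# Entropy decides whether the literal looks like a real credential.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b\w*(secret|password|passwd|token|api[_-]?key)\w*\s*[:=]\s*"
    r"[\"']([^\"'\s]{6,})[\"']"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed value for this example

# Hypothetical term list; a real scanner would use a maintained one.
LANGUAGE_TERMS = {
    "whitelist": "allowlist",
    "blacklist": "denylist",
    "master": "main (or primary)",
    "slave": "replica (or secondary)",
}
# Match the term as a whole word inside identifiers (underscores allowed around it).
LANGUAGE_PATTERNS = [
    (term, re.compile(rf"(?<![A-Za-z]){term}(?![A-Za-z])", re.IGNORECASE))
    for term in LANGUAGE_TERMS
]


def shannon_entropy(s: str) -> float:
    """Bits per character of s; random-looking credentials score high."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep only a short prefix/suffix so scanner output is safe to log."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "..."


def scan(source: str) -> list[Finding]:
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        matched_secret = False
        for rule, pat in SECRET_PATTERNS:
            m = pat.search(line)
            if m:
                excerpt = m.group(0) if rule == "private-key-block" else redact(m.group(0))
                findings.append(Finding(lineno, "secret", rule, excerpt,
                                        "Revoke and rotate; purge from history."))
                matched_secret = True
                break
        if not matched_secret:
            m = GENERIC_ASSIGNMENT.search(line)
            if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
                findings.append(Finding(lineno, "secret", "high-entropy-assignment",
                                        redact(m.group(2)),
                                        "Move to a secrets manager or environment."))
        for term, pat in LANGUAGE_PATTERNS:
            if pat.search(line):
                findings.append(Finding(lineno, "language", term, term,
                                        f"Consider '{LANGUAGE_TERMS[term]}'."))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line:>2} [{f.kind}:{f.rule}] {f.excerpt} -> {f.advice}")
```

Running it against the sample flags the AWS key ID, the GitHub token, and the private-key header by format, flags the AWS secret only because its entropy is high, and leaves `DB_PASSWORD = "hunter2"` alone because a seven-character dictionary word scores well under the threshold. That last case is the trade-off a practitioner has to tune: lowering the threshold catches more weak credentials at the cost of more noise on ordinary configuration strings.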
Learn more about LFX Security at

Tool Highlight: LFX Insights

Successful open source communities require effective management of everything from code quality and builds to collaboration and marketing. But to manage them effectively, data has to be gathered across disparate repositories, tools, and activities. LFX Insights integrates data from source code repositories, issue trackers, social media platforms, and mailing lists, and contextualizes it for projects, project groups, or the entire Linux Foundation ecosystem.

Learn more about LFX Insights at

The LFX platform is designed to address these issues and more. LFX aggregates dozens of data sources and commonly used management tools. It provides visualization tools with an added layer of intelligence to reveal best practices for numerous open source stakeholders, including developers, project leaders, open source program offices, legal, operations, and even marketing.

LFX is a suite of elements engineered to sustain and grow the communities of today and build the communities of tomorrow. By automating and consolidating many of the most critical activities needed by open source projects and stakeholders, we hope to reduce the complexities that sometimes hinder innovation and progress.

The LFX platform provides our members and projects with tools to support every stage of an open source project. As we head into 2022, we plan to release even more functionality to support our growing community.

and Explore LFX at

Our recently published Open Source Jobs Report examined the demand for open source talent and trends among open source professionals. What did we find?

Open Source Career Opportunities are Strong

The good news is that hiring is rebounding in the wake of the pandemic, as organizations look to continue their investments in digital transformation. This is evidenced by 50% of employers surveyed who stated they are increasing hires this year. There are significant challenges though, with 92% of managers having difficulty finding enough talent and struggling to hold onto existing talent in the face of fierce competition. Other key findings from this year’s report included:

  • Cloud is on the rise. Cloud and container technology skills are most in-demand by hiring managers, surpassing Linux for the first time, with 46% of hiring managers seeking cloud talent.
  • DevOps has become the standard method for developing software. Virtually all open source professionals (88%) report using DevOps practices in their work, a 50% increase from three years ago.
  • Demand for certified talent is spiking. Managers are prioritizing hires of certified talent (88%).
  • Training is increasingly helping close skills gaps. 92% of managers report increasing requests for training. Employers also report that they prioritize training investments to close skills gaps, with 58% using this tactic.
  • Discrimination is a growing concern in the community. Open source professionals having been discriminated against or made to feel unwelcome in the community increased to 18% in 2021 — a 125% increase over the past three years.

Enabling Training and Certification

This year, vendor-neutral training and certification grew in importance as demand for professionals with critical skills in open cloud technologies and DevOps increased. Over 2 million individuals have enrolled in free Linux Foundation training courses, providing them a great way to explore different open source technologies and decide which is the best fit for them; this includes over a million students who have enrolled in our Introduction to Linux course on the edX platform. To date, over 50,000 individuals have been certified for their technical competence through Linux Foundation programs.

This year, our Training & Certification team launched over 20 new offerings. We now host over 70 eLearning courses, deliver over 20 instructor-led courses, and offer more than a dozen certification exams that enable certified professionals to demonstrate their skills, with more being released regularly. 

This year saw the addition of exam simulators to our Kubernetes certification exams, enabling exam registrants to familiarize themselves with the exam environment before sitting for their exam. In late 2021, we will launch a new Kubernetes and Cloud Native Associate certification exam, which will serve as an entry-level certification for new cloud professionals.

In 2021, The Linux Foundation directly awarded 500 scholarships for free training and certification to individuals worldwide. Hundreds more were awarded via partnerships with nonprofits, including Blacks in Technology, TransTech Social Enterprises, and Women Who Code.

New training and certification offerings launched in 2021 include:

  • Building a RISC-V CPU Core
  • Certified Kubernetes and Cloud Native Associate (KCNA)
  • Certified TARS Application Developer (CTAD)
  • FinOps for Engineering
  • Generating a Software Bill of Materials
  • GitOps: Continuous Delivery on Kubernetes with Flux
  • Hyperledger Besu Essentials: Creating a Private Blockchain Network
  • Kubernetes and Cloud Native Essentials
  • Kubernetes Security Essentials
  • Kubernetes Security Fundamentals
  • Implementing DevSecOps
  • Introduction to Cloud Foundry
  • Introduction to FDC3 Standard
  • Introduction to GitOps
  • Introduction to Kubernetes on Edge with K3s
  • Introduction to Magma: Cloud Native Wireless Networking
  • Introduction to Node.js
  • Introduction to RISC-V
  • Introduction to WebAssembly
  • Open Source Management and Strategy
  • RISC-V Toolchain and Compiler Optimization Techniques
  • WebAssembly Actors: From Cloud to Edge

Explore the full catalog of courses at

In 2021 the Linux Foundation (“LF”) emerged from the worst pandemic in a century and embraced new horizons. The collaborative activities in our project communities weathered the COVID-19 crisis exceptionally well, and many communities are now pushing forward with a renewed sense of purpose. 

Jim Zemlin

Our organization’s namesake project, the Linux kernel, has celebrated an amazing milestone: its 30th birthday. Over the years, more than 55,000 people have contributed code to improve Linux, and today, Linux can be found everywhere. Over 5.4 billion people rely on Linux as it powers the vast majority of smartphones, the world’s largest cloud environments, and the world’s fastest computers. It’s also assisting in scientific discovery on Mars. After three decades of development, the project continues to ship new code, features, and performance enhancements. 

While our community continues to accelerate innovation in software development, the rising tide of cybersecurity threats has planted itself firmly on our shores. We all rely on software supply chains that are constantly under attack by an increasingly sophisticated adversary, causing us to reflect on our role and responsibility in securing the world’s critical technology infrastructure. 

In 2021 we saw much progress in our quest to “harden” the software supply chain. The Software Package Data Exchange® (SPDX®) community received formal recognition as an international ISO/IEC standard (5962:2021), making it easier for organizations to require a Software Bill of Materials (SBOM) with suppliers and customers. This came on the heels of OpenChain receiving ISO/IEC approval as an international standard (5230:2020) for open source licensing compliance. We also saw new collaborations emerge this year, like sigstore, which is on its way to becoming a de facto standard for signing packages and digital artifacts used throughout a supply chain.

The Open Source Security Foundation (OpenSSF), launched in August 2020, brought together a community of experts focused on software supply chain security challenges. This community had an amazing start publishing guidance for best practices (e.g., badges and scorecards), creating new tools and frameworks (e.g., SLSA), establishing and collecting metrics, developing free, globally accessible training materials, and publishing research, such as the findings of its FOSS Contributor Survey in collaboration with Harvard’s Laboratory for Innovation Science. 

Our members responded to the progress by doubling down and making significant additional investments in OpenSSF as a vehicle for solving the world’s supply chain security challenges. In October, we announced that the Linux Foundation and OpenSSF raised over $10 million to invest in leadership and initiatives, boldly aspiring to impact supply chain security dramatically. The LF could not have done this without significant support from our members, including OpenSSF’s premier members 1Password, AWS, Cisco, Citi, Dell Technologies, Ericsson, Meta, Fidelity, GitHub, Google, Huawei, Intel, IBM, JP Morgan Chase, Microsoft, Morgan Stanley, Oracle, Red Hat, Snyk, and VMware.

The importance of open source in the world’s cybersecurity efforts highlights its importance to our modern society. As new organizations, new industries, and policymakers have approached the LF for guidance on open source, we recognize there is a need for modern insights into why and how open collaboration works. There is a need to understand the dynamics of communities, where and how value is derived, and the intersection of supply chains and open source collaboration. To that end, this year, we launched Linux Foundation Research to explore the role of open source software, standards, and communities as a framework for mass innovation, collaboration, and problem-solving. 

Research into important topics such as cybersecurity and SBOM readiness is already underway, along with project-specific insights sought by our project communities. We think this investment will provide actionable data and insights supporting more informed decision-making across technology and industry ecosystems. Finally, while most research organizations hoard data privately, our research approach has an open flair — we’re making all non-personally identifiable data available under the Community Data License Agreement — Permissive, Version 2.0, a revised data-sharing framework our legal community worked to release this year.

Having a research capability also provides new opportunities to more deeply explore challenges and opportunities in community collaboration. For example, this year LF Research partnered with AWS, CHAOSS, Comcast, Fujitsu, GitHub, GitLab, Hitachi, Huawei, Intel, NEC, Panasonic, Renesas, Red Hat, and VMware to examine the state of diversity, equity, and inclusion (DEI) in open source communities. To nurture and grow open source, we need to better understand how DEI is practiced and encouraged in open source communities. We hope this research will also support other collaborative efforts supporting DEI goals, such as the Inclusive Naming Initiative, the Software Developer Diversity and Inclusion Project (SDDI), Fair Change, and Open Sentencing.

And with our industry partners, such as Microsoft and Accenture, we’ve launched several new projects and foundations that are meaningful to humanity. The Green Software Foundation seeks to add sustainability to software engineering efforts. The AgStack Foundation, launched in May 2021, is building an open source digital infrastructure for agriculture to accelerate that industry’s digital transformation and address climate change.

While open source drove innovation across the technology landscape, it also saw acceleration within industry verticals. The LF helped launch several new collaborations focused on driving 5G and telecommunications, including the 5G Super Blueprint, a partnership with the Next Generation Mobile Network Alliance (NGMN), the Magma Foundation, and the new Mobile Native Foundation. Our members also expanded open source innovation in the media and entertainment industry with the launch of Open 3D Engine (O3DE), a new open source AAA 3D engine for gaming, simulation, and storytelling. The O3DE ecosystem complements our existing Academy Software Foundation (ASWF). ASWF’s community added a new project for shading materials in graphics this year called MaterialX. Moviegoers may have experienced the effects of this project in Star Wars: The Force Awakens.

Our project communities’ ambitions often lead to a focus on building communities. We’ve seen many experts continue to collaborate on community engagement in the highly active TODO Group. However, there comes a time when our communities need tools to help scale and support their growth. In 2020, the LF embarked on a journey with key community leaders to build tools that enable those leaders and others to better understand and more effectively engage with a project community. The results of these investments are now starting to roll out as the LFX platform. I’d like to thank all those in our community who provided feedback, guidance, suggestions, and sometimes the raw critiques we needed to build something better. 

We started with tools we knew would make maintainers more efficient on tasks they really did not want to spend time on, such as processing Contributor License Agreements (CLAs) electronically in EasyCLA. Many maintainers were also interested in understanding their community dynamics leading to the creation of LFX Insights, which aggregates, analyzes, and contextualizes data across all of a community’s repositories, communication channels, and contributors. Conversations about community health led to requests for tools to recruit and engage new project participants, particularly from diverse sources, and LFX Mentorship was born. Once engineers on our projects saw what LFX could do, they requested additional capabilities to configure and manage their projects. LFX Project Control Center now promises to enable engineers to provision and configure resources online in minutes with API-driven automation for common open source project tasks such as provisioning new cloud resources, managing DNS, and more. 

The LF also heard the needs of our corporate members to have better visibility into how their organization is engaged in our communities. We’ve developed the LFX MyOrg tool to help corporate managers get a better view across their organization’s participation, find paths to collaborating in projects, exercise the benefits available to them as members, and more — all from a single system. All of these tools are now available to our communities and members through

Many of our members have been faced with a skills shortage. The LF’s 2021 Jobs Report, released in October with edX, shows trained and certified open source professionals, particularly with cloud and container expertise, are in high demand and are in short supply. Such data points highlight the need to train people and enable new opportunities to grow their careers in open source. Our training and certification efforts continued to gain steam this year. Over 68,00 individuals registered for new certifications in the past year, a 50% increase over 2020, while 2 million people enrolled in the LF’s free training courses. 

And finally, I’ll wrap up by saying we sincerely missed seeing our communities in person. The last two years have been difficult — to harrowing — for many suffering from the lingering pandemic. However, this year we have seen hope on the horizon. We produced dozens of successful virtual conferences throughout 2021, but the feedback was clear: people wanted to meet in person again. Our events team did a thorough job researching and soliciting advice from experts and public health authorities. That preparation enabled us to welcome our communities back together, in-person, this fall at events like Open Source Summit in Seattle, Open Source Strategy Forum and OSPOCon Europe in London, and KubeCon+CloudNativeCon North America in Los Angeles, the latter of which gathered over 3,000 community members in person. These events would not have been possible without our commitment to attendee safety by requiring vaccinations and using vaccine verification technologies, diligent on-site health checks, and strict enforcement of the use of masks and social distancing protocols. With borders opening up shortly, we are ecstatic to see even more of our community, live and in-person, again in 2022.

On behalf of the entire Linux Foundation team, I congratulate our communities for their exceptional outcomes under another extraordinarily challenging year and wish all of you a happy and prosperous 2022, when I hope we get to see you in person once again.


Jim Zemlin
Executive Director,
The Linux Foundation

These efforts are made possible by our members. To learn how your organization can get involved with the Linux Foundation, click here.

In 2021, after six years of community building and expanding from two projects to 18 projects, to over 50 labs, 16 Special Interest and Working Groups, and over 200 members, Hyperledger became a Foundation. 

This newfound identity arches over all of its projects, labs, regional chapters, and community groups. Hyperledger Foundation is now leading the collective effort to advance enterprise blockchain technology and fulfill its mission to foster and coordinate the premier open source enterprise blockchain community.

At Hyperledger Foundation, being open is core to what we do. We’re here to lead an open, global and welcoming enterprise blockchain ecosystem—a community where no contribution is seen as too small or insignificant. Our foundation comprises organizations, developers, executives, students, teachers, government leaders, and more. It’s supported by the Technical Steering Committee, various working groups, special interest groups, and Meetup communities all across the globe, now numbering more than 80,000 participants. 

According to LFX Insights, there has been a 53% growth in total commits in the last three years, and new code contributors increased by 37%. A total of 366 organizations, both large and small companies, have made code commits since 2016. And the pace of activity among new community members is accelerating, as commits by new contributors have increased by 286% in the last year.

Some of the largest and most important production enterprise blockchain projects today are built using Hyperledger technologies. They include:

  • Supply chain networks, like IBM and Walmart’s Food Trust (Hyperledger Fabric)
  • Circulor’s mine-to-manufacturer traceability of conflict minerals for sustainable automotive supply chains (Hyperledger Fabric)
  • Top trade finance platforms such as TradeLens (Hyperledger Fabric), which has more than 300 organizations across 600 ports and terminals and has tracked over 42 million container shipments, with close to 2.2 billion events
  •, who have already onboarded 16 banks across 15 countries to join their blockchain-enabled trade finance platform (Hyperledger Fabric)

More than 13 Central Bank Digital Currency production deployments and pilots using multiple Hyperledger projects have been identified this year alone.

With this transition, Hyperledger Foundation also gained new leadership with the appointment of Daniela Barbosa as its new Executive Director. Barbosa is a seasoned veteran of the open source community with over 20 years of enterprise technology experience, including previously serving as Hyperledger’s Vice President of Worldwide Alliances, where she was responsible for the project’s community outreach and overall network growth.

New Growth in Hyperledger Technologies 

According to research from Blockdata, Hyperledger Fabric is used by more of the top 100 public companies in the world than any other blockchain platform. 

Hyperledger-based networks are used by some of the largest corporations around the world, including more than half of the companies on the Forbes Blockchain 50, a list of companies with revenue or a valuation of at least $1 billion that lead in employing distributed ledger technology.

As an ever-growing library of case studies shows, Hyperledger technologies are already transforming many market spaces, including supply chains, trade finance, and healthcare. Hyperledger technologies are used in everything from powering global trade networks and supply chains to fighting counterfeit drugs, banking “unbanked” populations, and ensuring sustainable manufacturing. 

In addition, Hyperledger technologies are being applied to a number of new markets and business models. These include digital identity and payments, Central Bank Digital Currencies (CBDCs), and NFTs such as Damien Hirst’s The Currency project and DC Comics collectibles, both powered by Palm NFT, which runs on Hyperledger Besu with a near-zero carbon footprint.

Digital Identity 

Hyperledger technologies are being adopted to put individuals in charge of their own identity. People often need to verify their status, prove a birthdate, board a plane, comply with vaccine mandates, prove their education, or access money. Leveraging Hyperledger Aries and Hyperledger Indy, organizations worldwide are reshaping how digital information is managed and verified to increase online trust and privacy. These digital identity solutions issue verifiable credentials that are effective, secure, accessible, and privacy-preserving: the holder presents only the claims a verifier needs, and the verifier checks the issuer’s signature without contacting the issuer.

  • The Aruba Health App makes it easy for visitors who have provided required health tests to the Aruba government to share a trusted traveler credential — based on their health status — privately and securely on their mobile device. Launched initially as a trial, the Aruba Health App is built using Cardea, an open source code base that has since been contributed to the Linux Foundation Public Health (LFPH) project by Indicio. Cardea leverages Hyperledger Indy, Hyperledger Aries, and Hyperledger Ursa.
  • IDunion addresses the demand for migrating centralized identity systems towards decentralized, self-sovereign management of digital identities for people, organizations, and machines. The service has 39 cross-sector partners building production-level infrastructure to verify identity data in finance, manufacturing, the public sector, and healthcare. IDunion has launched a Hyperledger Indy test network, built components for allocating, verifying, and managing digital identities, and more. This consortium includes Hyperledger member companies Siemens, Bosch, Deutsche Telekom, and others.
  • The International Air Transport Association (IATA) Travel Pass, built in partnership with Evernym using Hyperledger Indy and Hyperledger Aries, is a mobile app that helps travelers store and manage verifiable credentials attesting to their COVID-19 tests or vaccinations.
  • MemberPass, built on Hyperledger Indy by Bonifii, is the first global digital identity ecosystem for credit unions and their members. It provides consumer identity while protecting personal information. It has been adopted by more than seven credit unions and counting, with more than 20,000 credentials issued.

Digital Currency

Blockchain technology has already helped rewrite some of the rules for currencies and payments. Governments worldwide are now moving towards Central Bank Digital Currencies (CBDCs) or digital forms of their official currency. These will give central banks a more flexible, more secure form of their national currencies and lower the risks from alternative cryptocurrencies. Backed by a central bank, any CBDC, whether developed for wholesale or retail use, will be legal tender with the stability that regulation confers.

Governments are moving carefully, but many of the early projects are using Hyperledger platforms. The goals range from modernizing payment processes to removing barriers and costs associated with back-end settlement to boosting financial inclusion.

This fireside chat on CBDCs from Hyperledger Global Forum, featuring experts from Accenture and DTCC, offers a great overview of the benefits of and different approaches to these new currencies and a look at the current landscape of CBDC research and experimentation across the globe.

  • The Eastern Caribbean Central Bank launched DCash, built on Hyperledger Fabric, as a mobile phone app for person-to-person and merchant payments. ECCB stated at an OECD event in 2020 that it selected Hyperledger Fabric because of its strong security architecture (a private permissioned blockchain with strong identity management) and open source code, contributing to its security, flexibility, and scalability, among other desired attributes.
  • The National Bank of Cambodia created Bakong, a fiat-backed digital currency, using Hyperledger Iroha to promote its national currency use, giving the large percentage of its population without bank accounts a mobile payment system and cutting costs for interbank transfers.
  • Additionally, a mix of retail and wholesale CBDC trials using Hyperledger Besu has helped several other countries, including Thailand and Spain, to advance planning for new digital fiat currencies.

These efforts are made possible by the hundreds of enterprises that support the Hyperledger Foundation. To learn how your organization can get involved, click here

The FinOps Foundation team is beyond excited to launch the 2022 State of FinOps Survey. Yes, there are plenty of self-published industry reports out there, but what makes this one different is that it’s built by and for the FinOps community.

Why do we create the State of FinOps each year?

FinOps, the operating model for cloud finance management, is a fundamental practice for organizations leveraging the cloud to align those costs with business value and outcomes. The FinOps Foundation community represents a broad spectrum of practitioners, including many leaders and forerunners in the space. Annual surveys help gather a snapshot of the current activities and perspectives across the community to deepen the understanding and surface trends. 

The results of each State of FinOps Survey become a report that delivers insights and benchmarks that help us shape the roadmap for how the Foundation can improve its educational materials to advance practitioners and their practices. The more we understand how our community and practitioners are growing, how they are maturing their practices, and which challenges they are struggling with, the better the community’s projects can support everyone.

Evolving from the previous year

The first State of FinOps Survey and Report was released in 2021, creating a report template, data visualization style, and a first test at how our information and insights would help the community. We found success in gaining constructive analyst, press, and community feedback. 

In our first year:

  • We created the industry’s first community-focused and led survey and report on the FinOps discipline
  • Community members held us accountable for achieving key outcomes that we promised would be built from the report’s insights
  • We strengthened our FinOps Framework by adding user-generated projects and stories by practitioners of various skill levels and from all types of organizations across the world

For the 2022 report, we focused on ways to incorporate even more practitioner and leadership feedback from the beginning. We also made a significant investment into the academic and data integrity of the report.

As FinOps practitioners and leaders worldwide look to this resource as a means of guiding and building their practices, we needed to ensure that the body of work contained a blend of academic merit and data-driven depth.

Doubling down on community and practitioner involvement

We created several working groups of staff and FinOps practitioners to help us build a better survey and report for 2022. These groups looked at the 2021 report and gave us constructive feedback to help us create a better asset and resource for the community.

“By refining the survey for 2022 on community feedback, it can be used for multiple areas and projects by the community in the coming year – it will be exciting to understand all the different perspectives in the FinOps category.” Joe Daly, Director of Community, FinOps Foundation

Leveraging Linux Foundation’s research team

A majority of the FinOps Foundation staff have FinOps experience, but we were honest with ourselves about needing more data analysis help with this year’s survey and report. Fortunately, we were able to utilize the expertise of the Linux Foundation’s newly established Research Team.

The team was with us from the outset, where they integrated with FinOps experts so that they could understand more about our community-centric approach.

“Designing the State of FinOps 2022 survey was a truly collaborative effort. It was clear from the beginning that establishing a Working Group to aid in the survey instrument’s design was necessary to generate the kind of data that would add value across the FinOps ecosystem.” Stephen Hendrick, VP Research

With LF Research’s help and support, we also decided to translate the 2022 survey to engage FinOps practitioners in French-speaking regions, who represent a significant demographic of our community. LF Research helped to achieve the French language translation as a new element in this year’s research effort to make the survey more accessible and inclusive.

We are very thankful for their guidance in structuring our survey and look forward to their expertise once we start analyzing results and building the 2022 report.

Building a long-lasting resource for our community

We learned a lot of lessons from the 2021 survey and report. One of the biggest was an internal one: the survey collects such a variety of information and data that we could go one of two ways with this research tool, either keep building one-off reports, or do the work and build something long-term for the community.

Our community leaders advised us that we needed to focus more on generating annual benchmarking and insights based on key practices. They also helped us iron out the method and approach to our questions to align more with the framework to get the best data possible from the survey.

Our goal is to have something more than another data report to add to the Internet. We want to create a valuable tool for FinOps practitioners and partners to improve their practice. We want this tool to be informed and built by the community, for the community.

Ideal outcomes from the 2022 survey

With the survey into its first weeks of collecting data, we’re very interested in measuring and understanding the following:

  • Are practitioners maturing their FinOps practices? What FinOps “maturity level” do they self-identify as?
  • What phase of the FinOps lifecycle are practitioners operating in for specific capabilities, how did they get there, and what are they planning to do next?
  • What are the benchmarks practitioners use for FinOps capabilities?
  • How do practitioners measure their success when implementing their FinOps capabilities?

We’re looking forward to seeing how the results inform our hypotheses and questions.

Building upon this report with open source standards

When done right, it turns out you can use open source software standards to encourage contribution and community even with a topic like cloud financial management. We’re very proud to find a way to work closely with our community while championing Linux Foundation open source principles.

Do you know someone who qualifies in taking the State of FinOps Survey? If so, feel free to share it with them. The survey is open, and we look forward to learning more about the FinOps community and industry to help strengthen it.

Vertical industries are under constant pressure to innovate, facing the challenges of supply chains, diverse customer requirements, regulations, and a lack of talent to do everything leadership may envision in any complex business. 

These industries understand that their ownership of intellectual property for parts of their software stack is limiting business opportunities and expensive to develop and maintain. To accelerate adoption, openly working together on common infrastructure components presents more opportunities for business growth.

Our members in the automotive, motion picture, fintech, telecommunications, energy, and public health verticals have transformed their business processes and assets into software-defined assets. They are now building strategic frameworks that give them a competitive edge that only open source can provide. In 2021, verticals and new members continued innovating with newly formed communities in the agriculture industry and AAA-class 3D engines for entertainment and simulation.

While all of these vertical industries have unique open source projects and communities, they also share a common thread: All realize that open collaboration presents opportunities to reduce costs, cut time to market, increase quality, and open new areas of competition. The ability to achieve these results on a collective basis pushes innovation forward across respective industries.

Gaming and Simulation: Open3D Foundation and Open3D Engine

The Linux Foundation welcomed the Open 3D Foundation into its family of foundations in July of 2021. The first project in the foundation was the Open 3D Engine, known as O3DE, which Amazon Web Services donated under an Apache 2.0 and MIT dual-licensing model. The mission of the Open 3D Engine is to make an open source, fully featured, high-fidelity, real-time 3D engine for building games and simulations available to every industry.

Since its inception, the foundation has raised $2.7 million in commitments from 26 partners over two years. It has received signed commitments from a range of companies such as Adobe, Intel, AWS, Niantic, Huawei, SideFX, HERE, and others.

The foundation is focused on industries that utilize 3D technologies. This includes video games, automotive, simulation, robotics, energy, real estate, training, film, special effects, machine learning, aerospace, and many other verticals.

Since its inception, the O3DE repository has grown to over 3,600 stars and 1,100 forks, with 1,500 Discord users and 500+ members active online. The project now counts over 130 code authors, 7,000 file changes, and 2,000,000 changed lines of code, along with a vibrant, active, and self-sustaining support community averaging 500 messages per day.

Motion Pictures and Visual Effects: The Academy Software Foundation

The Academy Software Foundation (ASWF) has continued to make an impact on the open source technologies that empower the motion picture and visual effects industries. To date, ASWF boasts 32 members and hosts 14 projects and working groups. 

Key achievements in 2021 include:

  • MaterialX was contributed as a project by Lucasfilm. MaterialX originated at Lucasfilm in 2012 and has been the central format for material description at Industrial Light & Magic (ILM) since the production of Star Wars: The Force Awakens.
  • The ASWF Assets Repository launched, giving open communities access to production-grade digital assets for testing, demonstration, and education purposes.
  • OpenColorIO v2.0 launched, the output of three years of development, with numerous feature and performance improvements. In addition, a growing number of vendors are adopting it in their products and services, which is cementing OpenColorIO as an industry standard.

ASWF has seen the collaboration and sustainability of each of the projects and working groups it hosts increase, with each project seeing increases in organizational diversity and contributions in 2021 compared to the year before joining the ASWF.

ASWF looks forward to 2022 as it focuses on addressing new technology spaces such as virtual production.

Automotive Grade Linux (AGL)

Over the last decade, the Linux Foundation worked with industry leaders like Toyota and others to launch Automotive Grade Linux (AGL). AGL was established to build a common open source software platform to eliminate the fragmentation plaguing the automotive industry. AGL is the only organization with a mission to address all in-vehicle software, including infotainment, instrument cluster, telematics, heads-up display, advanced driver assistance systems (ADAS), and autonomous driving.

The AGL community is reducing that fragmentation by combining the best of open source to create the AGL Unified Code Base (UCB), a single, shared, open source software platform for the entire industry. The UCB includes an operating system, middleware, and application framework and can serve as the de facto industry standard for infotainment, telematics, and instrument cluster applications. Sharing an open source platform allows for code reuse and a more efficient development process as developers and suppliers can build their solution once and deploy that same solution for multiple automakers. 

Supported by eleven major automotive manufacturers, including the top three producers by worldwide volume (Volkswagen, Toyota, Daimler), AGL is deployed in production vehicles today.

Amazon AWS joined AGL as a Platinum member in January 2021 and is leading AGL initiatives around IoT and Connected Car. 

In early 2021, AGL announced a new Expert Group for Container and Service Mesh, led by Amazon AWS. The Container and Mesh Expert Group is developing an in-vehicle container solution for AGL and creating a service mesh and orchestration framework that can be deployed as part of AGL.

The IVI Production Readiness Expert Group, led by Toyota, has made significant progress in 2021. This EG is focused on bringing AGL closer to a production-ready state. By early 2022, major code contributions are expected from Toyota on Flutter for embedded IVI, a new cutting-edge UI and app development framework for infotainment systems. This will allow manufacturers to cut the development time and cost of deploying innovative new applications in the vehicle.

The Virtualization EG, led by Panasonic, has been busy working on cutting-edge VirtIO technology. This allows consolidation of vehicle cockpit systems such as IVI, Instrument Cluster, and Heads-Up-Display to run on a single processor. It also enables innovative use cases such as using Android for infotainment and AGL for Instrument Cluster on a single virtualized CPU. The consolidated cockpit is a vision of the future, and it’s being developed today at AGL. 

AGL also had two milestone platform releases this year, Unified Code Base (UCB) 11.0 Kooky Koi in February and 12.0 Lucky Lamprey in July. These releases included several updates to graphics, audio, speech recognition, application and security frameworks, web apps, and Chromium. Both releases are based on the Yocto Project 3.1 long-term support (LTS) release and its board support packages.

New Industry Vertical: Agriculture

In May 2021, the Linux Foundation announced the launch of the AgStack Foundation, the open source digital infrastructure project for the world’s agriculture ecosystem. Thirty-three percent of all food produced is wasted, while nine percent of the people in the world are hungry or malnourished. These societal drivers are compounded with legacy technology systems that are too slow and inefficient and can’t work across the growing and more complex agricultural supply chain. AgStack Foundation will improve global agriculture efficiency by creating, maintaining, and enhancing free, reusable, open, and specialized digital infrastructure for data and applications. AgStack will use collaboration and open source software to build the 21st-century digital infrastructure that will be a catalyst for innovation on new applications, efficiencies, and scale.

AgStack consists of an open repository to create and publish models, free and easy access to public data, interoperable frameworks for cross-project use, and topic-specific extensions and toolboxes. It will leverage existing technologies such as agriculture standards (AgGateway, UN-FAO, CAFA, USDA, and NASA-AR); public data (Landsat, Sentinel, NOAA, and Soilgrids); models (UC-ANR IPM); and open source projects like Hyperledger, Kubernetes, Open Horizon, Postgres, Django, and more.

Founding members and contributors include leaders from both the technology and agriculture industries and across sectors and geographies. Members and partners include Agralogics, Call for Code, Centricity Global, Digital Green, Farm Foundation, farmOS, HPE, IBM, Mixing Bowl & Better Food Ventures, NIAB, OpenTeam, Our Sci, Produce Marketing Association, Purdue University / OATS & Agricultural Informatics Lab, the University of California Agriculture and Natural Resources (UC-ANR) and University of California Santa Barbara SmartFarm Project.

New Industry Vertical: AI Voice Technologies

In June, the Linux Foundation announced the Open Voice Network, an open source association dedicated to advancing open standards that support the adoption of AI-enabled voice assistance systems. Founding members include Target, Schwarz Gruppe, Wegmans Food Markets, Microsoft, Veritone, and Deutsche Telekom.

Organizations are beginning to develop, design, and manage their own voice assistant systems independent of today’s general-purpose voice platforms. This transition is being driven by the desire to manage the entirety of the user experience — from the sound of the voice, the sonic branding, and the content — to integrating voice assistance into multiple business processes and brand environments from the call center, to the branch office and the store. Perhaps most importantly, organizations know they must protect the consumer and the proprietary data that flows through voice. The Open Voice Network will support this evolution by delivering standards and usage guidelines for voice assistant systems that are trustworthy, inclusive, and open.

Voice is expected to be a primary digital interface going forward and will result in a hybrid ecosystem of general-purpose platforms and independent voice assistants that demand interoperability between conversational agents of different platforms and voice assistants. Open Voice Network is dedicated to supporting this transformation with industry guidance on the voice-specific protection of user privacy and data security.

Much as open standards in the earliest days of the Internet brought a uniform way to exchange information and connect with any site anywhere, the Open Voice Network will bring the same standardized ease of development and use to voice assistant systems and conversational agents, leading to huge growth and value for businesses and consumers alike. Voice assistance depends upon technologies like Automatic Speech Recognition (ASR), Natural Language Processing (NLP), Advanced Dialog Management (ADM), and Machine Learning (ML).

The Open Voice Network will initially be focused on the following areas:

  • Standards development: research and recommendations toward the global standards that will enable user choice, inclusivity, and trust.
  • Industry value and awareness: identification and sharing of conversational AI best practices that are both horizontal and specific to vertical industries, serving as the source of insight and value for voice assistance.
  • Advocacy: working with and through existing industry associations on relevant regulatory and legislative issues, including those of data privacy.

These efforts are made possible by the dozens of enterprises that support the Open 3D Foundation, ASWF, AGL, AgStack, and Open Voice Network.

To learn how your organization can get involved with the Open 3D Foundation, click here.

To learn how your organization can get involved with ASWF, click here.

To learn how your organization can get involved with AGL, click here.

To learn how your organization can get involved with AgStack, click here.

To learn how your organization can get involved with Open Voice Network, click here.

Attackers are increasingly targeting software supply chains (the processes, repositories, and toolchains used for developing and delivering software). The European Union Agency for Cybersecurity, ENISA, estimated in “Threat Landscape for Supply Chain Attacks” that there would be four times as many software supply chain attacks in 2021 as compared to 2020. The report states due to “…more robust security protection that [many] organizations have put in place [today], attackers successfully shifted towards suppliers.”

Governments around the world have noted and responded to this growing risk to the software supply chain. In May 2021, the US released an Executive Order on Improving the Nation’s Cybersecurity to enhance software supply chain security, including providing software purchasers with a Software Bill of Materials (SBOM). Similar efforts are underway around the world.

In 2021, our communities rose to the challenge of providing tools and best practices for the security hardening of the global software supply chains. Our efforts included launching Open Source Security Foundation (OpenSSF) as a funded project, expanding Let’s Encrypt — the world’s largest certificate authority, ensuring the ISO standardization of SPDX as the SBOM standard, directing funds to identify and fix vulnerabilities in critical open source software, and building new training curriculum to improve secure coding practices.

Community Highlight: OpenSSF

The Open Source Security Foundation (OpenSSF) was elevated to a funded project at the LF in October 2021. The OpenSSF is a cross-industry collaboration that brings together leaders to improve the security of open source software (OSS) by building a broader community, targeted initiatives, and best practices. The OpenSSF premier members include: 1Password, AWS, Cisco, Citi, Dell Technologies, Ericsson, Meta, Fidelity, GitHub, Google, Huawei, Intel, IBM, JP Morgan Chase, Microsoft, Morgan Stanley, Oracle, Red Hat, Snyk, and VMware.

The OpenSSF began many initiatives in 2021, including:

The OpenSSF also continued to refine its existing work, including its free courses on how to develop secure software (over 4,000 registrants combined) and the CII Best Practices Badge Program (over 4,000 participating projects and over 600 passing projects). 

Shepherding Software Standards

The Linux Foundation strongly supports efforts to build and drive the adoption of open source standards and infrastructure. These efforts include:

  • SPDX — an international standard for representing the metadata for SBOMs (ISO/IEC 5962)
  • OpenChain — a standardized process-management approach to identifying inbound, internal, and outbound open source software. It is primarily designed for compliance and has clear secondary use cases in security (ISO 5230)
  • Compliance tooling from the Automating Compliance Tooling (ACT) projects (including OSS Review Toolkit, FOSSology, and Tern) and the OpenChain reference workflow, which are being extended to add new use cases.
  • Training on software transparency topics, including “Generating an SBOM”
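As an added illustration of the SBOM work listed above (example code written for this page, not tooling from the Linux Foundation or the SPDX project), the following Python builds a minimal SPDX 2.3 tag-value document for a constructed set of build outputs and then checks a delivered set of files against the checksums it records. The package name, file paths and contents, document namespace and tool name are all constructed assumptions; the package verification code follows the SPDX 2.x definition (SHA1 over the sorted, concatenated per-file SHA1 digests).

```python
"""Minimal SPDX 2.3 tag-value SBOM generator plus an integrity check.

Added example, not code from the Linux Foundation report or the SPDX project.
The package, file names and file contents below are constructed.
"""
import hashlib
import re
from datetime import datetime, timezone

# Constructed stand-in for a build's output: relative path -> file bytes.
SAMPLE_FILES = {
    "bin/app": b"\x7fELF constructed placeholder for an executable\n",
    "lib/libhelper.so": b"\x7fELF constructed placeholder for a shared library\n",
    "README.md": b"# example-app\nConstructed sample README.\n",
}


def spdx_id(text):
    """SPDX identifiers may contain only letters, digits, '.' and '-'."""
    return "SPDXRef-" + re.sub(r"[^A-Za-z0-9.-]", "-", text)


def package_verification_code(files):
    """SPDX package verification code: SHA1 of the sorted, concatenated
    SHA1 hex digests of every file in the package (SPDX 2.x, section 7.9)."""
    digests = sorted(hashlib.sha1(data).hexdigest() for data in files.values())
    return hashlib.sha1("".join(digests).encode("ascii")).hexdigest()


def generate_sbom(name, version, files, created=None):
    """Return an SPDX 2.3 tag-value document describing one package and its files."""
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    pkg_id = spdx_id(f"Package-{name}")
    lines = [
        "SPDXVersion: SPDX-2.3",
        "DataLicense: CC0-1.0",
        "SPDXID: SPDXRef-DOCUMENT",
        f"DocumentName: {name}-{version}",
        # The namespace must be a URI unique to this document; example.invalid is a placeholder.
        f"DocumentNamespace: https://sbom.example.invalid/{name}/{version}",
        "Creator: Tool: sbom-example-0.1",
        f"Created: {created}",
        "",
        f"PackageName: {name}",
        f"SPDXID: {pkg_id}",
        f"PackageVersion: {version}",
        "PackageDownloadLocation: NOASSERTION",
        "FilesAnalyzed: true",
        f"PackageVerificationCode: {package_verification_code(files)}",
        "PackageLicenseConcluded: NOASSERTION",
        "PackageLicenseDeclared: NOASSERTION",
        "PackageCopyrightText: NOASSERTION",
    ]
    relationships = [f"Relationship: SPDXRef-DOCUMENT DESCRIBES {pkg_id}"]
    for path in sorted(files):
        file_id = spdx_id(f"File-{path}")
        lines += [
            "",
            f"FileName: ./{path}",
            f"SPDXID: {file_id}",
            f"FileChecksum: SHA256: {hashlib.sha256(files[path]).hexdigest()}",
            "LicenseConcluded: NOASSERTION",
            "LicenseInfoInFile: NOASSERTION",
            "FileCopyrightText: NOASSERTION",
        ]
        relationships.append(f"Relationship: {pkg_id} CONTAINS {file_id}")
    return "\n".join(lines + [""] + relationships) + "\n"


def verify_sbom(sbom, delivered):
    """Check delivered files against the SHA256 checksums recorded in the SBOM.

    Returns {path: status}: "ok", "mismatch" (content differs), "missing"
    (listed but not delivered) or "unlisted" (delivered but not in the SBOM)."""
    listed = {}
    current = None
    for line in sbom.splitlines():
        if line.startswith("FileName: "):
            current = line[len("FileName: "):].strip()
            if current.startswith("./"):
                current = current[2:]
        elif line.startswith("FileChecksum: SHA256: ") and current is not None:
            listed[current] = line.split(": ", 2)[2].strip().lower()
    result = {}
    for path, expected in listed.items():
        if path not in delivered:
            result[path] = "missing"
        elif hashlib.sha256(delivered[path]).hexdigest() == expected:
            result[path] = "ok"
        else:
            result[path] = "mismatch"
    for path in delivered:
        if path not in listed:
            result[path] = "unlisted"
    return result


if __name__ == "__main__":
    doc = generate_sbom("example-app", "1.0.0", SAMPLE_FILES)
    print(doc)
    print(verify_sbom(doc, SAMPLE_FILES))
```

The verification step is the consumer-side use of an SBOM that the Executive Order's SBOM requirement is meant to enable: a tampered file shows up as "mismatch", a dropped file as "missing", and a file slipped into the delivery that the producer never listed as "unlisted". Real SBOMs would also carry license data and dependency packages in place of the NOASSERTION placeholders.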

We are thankful for all the participants in the SPDX community. Special thanks go to Gary O’Neall for his work developing the SPDX tooling; this work made it easier for developers across the ecosystem to adopt SPDX in their workflows. Special thanks also go to Steve Winslow and Jilayne Lovejoy for their tireless efforts in maintaining the SPDX License List over the past ten years. The SPDX standard continues to evolve thanks to the tireless efforts of many talented developers, including Alexios Zavras, William Bartholomew, Thomas Steenbergen, and Nisha Kumar.

Kate Stewart, VP of Dependable Systems, The Linux Foundation

Establishing Projects and Conferences to Improve Security

In addition to the projects listed earlier, the LF funds various projects to improve open source security. Some notables among them include:

  • sigstore — development work on this technology suite, which enables developers to sign software artifacts securely; signing materials are stored in a tamper-resistant public log (the project is managed by Google, Red Hat, and Purdue University).
  • Alpine Linux — vulnerability processing for this security-oriented, lightweight Linux distribution.
  • Alpine Linux, Arch Linux — reproducible builds for these two Linux distributions.
  • OpenSSH, RPKI — development of infrastructure “plumbing”.
  • Clang, Linux kernel — compiling the Linux kernel with Clang and fixing the warnings found during compilation.
  • Linux kernel — security audits of its signing/key management policies and its vulnerability reporting modules.

The LF also fostered approaches to discuss and address supply chain attacks online and in virtual venues, including Building Cybersecurity into the Software Supply Chain Town Hall and SupplyChainSecurityCon.

Community Highlight: Internet Security Research Group

Let’s Encrypt provides the digital infrastructure for a more secure and privacy-respecting Internet. It operates the world’s largest certificate authority, securing traffic for more than 250 million websites.

In late 2020, ISRG launched Prossimo, a project whose goal is to move the Internet’s security-sensitive software infrastructure to memory-safe code. Many of the most critical software vulnerabilities are memory safety issues in C and C++ code. While deploying fuzzing, static analysis, and code reviews can catch vulnerabilities, such mitigations do not eliminate all risks. Moreover, these security mitigation tactics consume considerable resources on an ongoing basis. In contrast, using memory-safe languages eliminates the entire class of issues. This year, Prossimo worked with Linux kernel, cURL, and Apache maintainers to introduce new memory-safe code to these critical, widely-used pieces of software.

ISRG’s latest effort, Prio, operates a privacy-preserving metrics service. Prio is a system for collecting aggregate statistics, such as application metrics, while preserving the privacy of each individual contribution. Apple and Google’s COVID-19 Exposure Notification Express app uses this service. ISRG Prio has processed over two billion metrics and is helping operators optimize the user experience based on aggregate, privacy-respecting telemetry.
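An added illustration of the mechanism behind the service described above (example code, not ISRG's Prio implementation): Prio has clients secret-share each metric across non-colluding servers, so that every server sees only random-looking shares and nothing but the aggregate is ever recovered. The Python below shows that building block, additive secret sharing over a prime field, using constructed sample metrics; the field modulus, server count and class names are assumptions, and Prio's proofs that each submitted value is well-formed are omitted.

```python
"""Additive secret sharing for privacy-preserving aggregate metrics.

Added illustration, not ISRG's Prio code. Only the secret-sharing step is
shown; Prio's input validity proofs and transport are omitted. The field
modulus and the sample metrics are constructed choices.
"""
import secrets

# Shares live in a prime field; the modulus bounds the totals that can be summed.
MODULUS = 2**61 - 1


def split_secret(value, n_servers=2):
    """Split a metric into n_servers additive shares that sum to value mod MODULUS.

    All but the last share are uniformly random, so any n_servers-1 of them
    reveal nothing about the value; only all of them together reconstruct it."""
    if not 0 <= value < MODULUS:
        raise ValueError("metric out of field range")
    shares = [secrets.randbelow(MODULUS) for _ in range(n_servers - 1)]
    shares.append((value - sum(shares)) % MODULUS)
    return shares


def reconstruct(shares):
    """Recombine shares; needs every share, which is the non-collusion assumption."""
    return sum(shares) % MODULUS


class AggregationServer:
    """One of the non-colluding servers. It only ever sees one share per client."""

    def __init__(self):
        self.share_sum = 0
        self.contributions = 0

    def accept(self, share):
        # Summing shares is linear, so share sums combine into the sum of metrics.
        self.share_sum = (self.share_sum + share) % MODULUS
        self.contributions += 1


def run_collection(metrics, n_servers=2):
    """Each client splits its metric across the servers; the servers publish
    only their share sums, which combine into the aggregate total."""
    servers = [AggregationServer() for _ in range(n_servers)]
    for metric in metrics:
        for server, share in zip(servers, split_secret(metric, n_servers)):
            server.accept(share)
    total = reconstruct([s.share_sum for s in servers])
    return total, servers


# Constructed sample: one value of some metric (e.g. a daily count) per client.
SAMPLE_METRICS = [3, 0, 7, 1, 12, 5]

if __name__ == "__main__":
    total, servers = run_collection(SAMPLE_METRICS)
    print("aggregate total:", total)
    for i, s in enumerate(servers):
        print(f"server {i}: {s.contributions} contributions, share sum {s.share_sum}")
```

The privacy guarantee rests on the servers not pooling their per-client shares; each server's individual share sum is itself uniformly random and only the published combination reveals the total. Without validity proofs a single client could still submit an out-of-range value and skew the aggregate, which is the gap Prio's proof system closes.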

These standardization efforts are made possible by the OpenSSF, the SPDX and OpenChain projects, and the ISRG.

To learn more about and get involved with OpenSSF, click here

To learn more about and get involved with the ISRG, click here

To learn more about the SPDX SBOM standard, click here

To learn more about the OpenChain standard, click here