Authors: John Mertic, Maemalynn Meanor, Jason Perlow

The mainframe is a foundational technology that has powered industries for decades, including government, financial, healthcare, and transportation. With the help of surrounding communities, the technologies built around this platform have paved the way for the emergence of a new set of technologies we see deployed today. Notably, a significant number of mainframe technologies are profoundly embracing open source.

Linux comes to the mainframe

As Linux began to take the world by storm in the 1990s, a small group of mainframe enthusiasts started experimenting with Linux on IBM System 390 (a previously current generation of mainframe hardware). Over the last 20 years, others like Hitachi and Fujitsu also invested in enabling open source and Linux on their mainframe platforms. Linux on mainframe marked its official start on December 18, 1999, with IBM publishing a collection of patches and additions to the Linux 2.2.13 kernel. 

The year 2000 brought momentum to Linux on the mainframe. The first true “Linux distribution” for these systems came in early 2000 as a collaboration between Marist College in Poughkeepsie, N.Y., and Think Blue Linux by Millenux in Germany. By October of that year, SUSE became the first vendor-supported Linux Distribution, in the first release of what’s now known as SUSE Enterprise Linux. SUSE’s first s390x distro represented an early example of the mainframe leading the way in the evolution of computing technology.

Today, nine known Linux distributions currently provide an s390x architecture variant: Alpine, ClefOS, Debian, Fedora, Gentoo, OpenSUSE, RHEL, SUSE, and Ubuntu.

The expansion of the mainframe as a platform for Linux continues to be nurtured in the Open Mainframe Project, with key projects outlined below helping Linux on the mainframe continue to be a platform used by Fortune 100 companies worldwide.

  • Feilong, which provides an interface between z/VM (the primary hypervisor for mainframe, is directly based on technology and concepts dating back to the 1960s) and modern cloud stack systems such as OpenStack, is jointly developed by IBM, SUSE, and others.
  • Tessia is a tool that automates and simplifies the installation, configuration, and testing of Linux systems running on the Z platform.

Developments in COBOL 

COBOL, which stands for “Common Business-Oriented Language,” is a compiled, English-like computer programming language developed for use as a business applications language. Its roots go back to the 1950s, and COBOL is still frequently used in many industries for key applications.

The COVID-19 pandemic in April 2020 put high levels of stress on various government services due to the unprecedented number of unemployment applications and other similar needs. This put the spotlight on COBOL, as it was then the predominant technology used for these systems. This also highlighted the perceived lack of talent to support these systems, which have code going back to the 1960s. 

The vast COBOL and mainframe communities quickly addressed this need and made several efforts to provide a sustainable home for COBOL.

  • Calling all COBOL Programmers Forum – an Open Mainframe Project forum where developers and programmers who would like to volunteer can post their profiles or are available for hire. Whether they are actively looking for employment, retired skilled veterans looking to stay involved, students who have completed COBOL courses, or are professionals wanting to volunteer, the forum offers the opportunity for job seekers to specify their level of expertise and availability to assist. Employers can then connect with these individuals as needed. 
  • COBOL Technical Forum – a new forum created specifically to address COBOL technical questions in which experienced COBOL programmers monitor activity. The forum allows all programmers to quickly learn new techniques and draw from a broad range of community expertise to address common questions and challenges exacerbated during this unprecedented time. 
  • Open Source COBOL Training – the Open Mainframe Project Technical Advisory Council has approved hosting a new open source project that will lead collaborative efforts to create training materials on COBOL. The courseware was contributed by IBM based on its work with clients and institutions for higher education and is provided under an open source license. 

These initiatives were followed by a formal COBOL Working Group established later in 2020 to address the long-term challenges in building a sustainable COBOL ecosystem. 

In early 2021, attention turned to the tooling ecosystem for COBOL developers with the launch of the COBOL Check project. This initiative enables test-driven development (TDD) practices for COBOL by providing a unit testing framework.

Zowe brings together the industry leaders to drive the future development paradigms of the mainframe

Traditionally, organizations have been challenged by integrating mainframe applications and data with the other systems that power their enterprise. This integration task further created a talent development challenge, as the paradigms between mainframe and other enterprise computing systems differed enough to make skills not easily transferable.

Broadcom, IBM, and Rocket Software saw this challenge and independently developed various frameworks to close this gap with the mainframe development experience. These include:

  • An API Mediation Layer for standardizing the API experience for mainframe applications and services
  • A CLI tool that could be run on a developer’s laptop or other non-mainframe systems and used for DevOps tooling integration.
  • A Web Desktop interface to make it easier to develop web-based applications that leverage mainframe services and data using common development toolkits.

These components came together in August 2018 in Zowe, which was the first open source project launched that targeted the z/OS operating system (the predominant operating system on mainframe systems). The intention of bringing this project into the vendor-neutral Open Mainframe Project was to establish Zowe as the dominant development and integration tool for mainframe systems, aligning the mainframe community around Zowe.

After Zowe 1.0 was released in February 2019, the project quickly turned to enable a downstream ecosystem of vendor offerings to flourish by establishing the Zowe Conformance Program in August 2019. To date, there are more than 50 Zowe Conformant offerings from 6 different vendors in the mainframe industry.

In addition, Zowe has brought new projects into its scope, with the following incubator projects as of August 2021:

  • ZEBRA, which provides re-usable and industry compliant JSON formatted RMF/SMF data records so that many other ISV SW and users can exploit them using open-source SW in many ways (contributed by Vicom Infinity).
  • Workflow WiZard helps developers and systems programmers simplify the generation and management of z/OSMF workflows (contributed by BMC).

Zowe boasts more than 300 contributors with more than 34,000 contributions as of August 2021.

Mentorship to support the mainframes of tomorrow

Open Mainframe Project has experienced record growth in contributions this year, with more than 105.31 Million Lines of Code written and over 9,600 commits submitted by Open Mainframe Project communities to date— a 100 percent increase across 20 projects and working groups. These numbers will only increase as Open Mainframe continues to be the cornerstone of governance and innovation for modernizing the mainframe and its path to IoT, Cloud, and Edge Computing.

But the mainframe workforce is aging — in fact, many organizations employ mainframers who half or more of their staff will be eligible for retirement soon. The aging workforce will be a global issue as many schools have shifted from teaching mainframe skills and important languages like COBOL and assembler. Some students don’t even know what a mainframe is or aren’t aware they use one each day. 

The mainframe isn’t going away, so that means we need to get younger mainframers on board.

That’s why the Linux Foundation chose to help close the skills gap through education and training. Through the Open Mainframe Project’s Mentorship program, the project offered a hands-on experience in an open source environment with leaders from member companies such as BMC/Compuware, Broadcom, IBM, Micro Focus, Rocket Software, and many others.

This year, the mentorship program welcomed its largest mentee class from around the globe that worked on popular projects such as ATOM, COBOL Programming Course, COBOL Working Group, Mainframe Open Education, Polycephaly, Software Discovery Tool, and Zowe. Through one-on-one conversations, collaborative community meetings, technical development, and accessibility to mainframe technology, Open Mainframe helped lay the groundwork for the next generation of mainframers. 

Additionally, as COBOL continues to be on-demand this year, Open Mainframe continued to enhance resources: 

  • The COBOL Programming Course, which also became the first Open Mainframe project to complete the lifecycle and graduate to become a mature active project, went through an extensive overhaul to provide more detailed content for a better experience and deeper understanding for students and developers looking for a refresher course.
  • COBOL Check launched in March to improve the design, understandability, maintainability, and longevity of core business applications. It supports IBM’s mainframe modernization program by enabling restructuring of existing applications of APIs. COBOL Check will complement the COBOL Programming Course and will leverage the support of the COBOL Working Group.

The future is bright for the mainframe

The mainframe has seen a resurgence in the past five years, with the launch of the Open Mainframe Project and the industry coming together in key open source projects in the COBOL, Linux on System Z, and z/OS ecosystems. The Open Mainframe Project hosts more than 20 projects and working groups supported by over 45 organizations as of August 2021, with no signs of slowing anytime soon.

Open Mainframe Summit 2021

For the second consecutive year, Open Mainframe Project hosted its flagship event virtually on September 22-23.

The theme of this year’s Open Mainframe Summit expanded beyond the mainframe to highlight influencers with strengths in the areas supporting or leveraging the technology like continuous delivery, edge computing, financial services, and open source. Keynote speakers for the event included Gabriele Columbro, Executive Director of Fintech Open Source Foundation (FINOS); Jason Shepherd, Vice President of Ecosystem at ZEDEDA and Chair of the LF Edge Governing Board; Jono Bacon, a leading community and collaboration speaker and founder of Jono Bacon Consulting; Steve Winslow, Vice President of Compliance and Legal at The Linux Foundation; Tracy Ragan, CEO and Co-Founder of DeployHub and Continuous Delivery Foundation Board Member, and more.

The event also highlighted projects, diversity, and business topics that offered seasoned professionals, developers, students, and leaders an opportunity to share best practices and network with like-minded individuals.

Open Mainframe Summit ended with 219 registered attendees that represented 83 companies. During the conference, there were 167 unique users on the platform, a 77% attendance rate, which is a slight increase when compared to last year.

The conference videos are available on the Open Mainframe Project Youtube Channel. Click here for the complete playlist.

These efforts are made possible by the dozens of enterprises that support the Open Mainframe Project. To learn how your organization can get involved, click here

Author: Chris Friedt, Sofware Release Manager, Zephyr Project

Here we are – 2 ½ years since the release of Zephyr Long Term Support (LTS) V1.

In what seems like the blink of an eye, Linux has turned 30 and has gone where no penguin has gone before. Some may forget that the Zephyr Real-Time Operating System went to space, too (albeit under a different name).

Meanwhile, here on Earth, the Zephyr Project received 26,845 commits, 1,764,230 lines of code added, and published ten tagged releases since the LTS V1.

Our contributing community continues to grow – 500 to 1384. If you haven’t met our Embla Flatlandsmo, our 1000th contributor, you can do so here. Numerous Zephyr-based products have been launched (one day, I would like to know just how many). Companies have been formed around Zephyr, and many of them contribute back to the Zephyr Project on GitHub.

Zephyr is now a common theme at technical conferences:

Let’s take a quick look at some of the changes that have enabled Zephyr’s success.

What’s New in LTS V2

In September, when we said that this is the biggest release of Zephyr ever, we weren’t kidding! Below are some of the highlights extracted from the complete v2.7.0 ChangeLog.

  • Zephyr SDK users should adopt the new Zephyr 0.13.1 SDK release
  • The new SDK includes
    • initial support for building Zephyr on macOS
    • updated Qemu version to 6.0.0
    • updated to GCC 10.3
    • updated to support ARC64
    • improved C++ support
    • switched to using newlib-nano
    • updated to Yocto 3.2.3 baseline
    • updated OpenOCD snapshot

Major enhancements with this release include

  • Bluetooth Audio, Direction Finding, and Mesh improvements
  • Support for Bluetooth Advertisement PDU Chaining
  • Added support for armclang / armlinker toolchain via toolchain abstraction
  • Added support for MWDT C / C++ toolchain via toolchain abstraction
  • Update to CMSIS v5.8.0 (Core v5.5.0, DSP v1.9.0)
  • Support for M-Profile Vector Extensions (MVE) on ARMv8.1-M
  • Improved thread safety for Newlib and C++ on SMP-capable systems
  • IEEE 802.15.4 Software Address Filtering
  • New Action-based Power Management API
  • USB Device Framework now includes all Chapter 9 defines and structures
  • Generic System Controller (syscon) driver and emulator
  • Linker Support for Tightly-Coupled Memory in RISC-V
  • Additional Blocking API calls for LoRa
  • Support for extended PCI / PCIe capabilities and improved MIS-X support
  • Added Service Type Enumeration (STE) with mDNS / DNS Service Discovery
  • Added Zephyr Thread Awareness for OpenOCD to West
  • EEPROM now can be emulated in flash
  • Added both Ethernet MDIO and Ethernet generic PHY drivers

Growth Since LTS V1

Since LTS 1.14.0, the number of unique contributors to the Zephyr Project has nearly tripled from 500 to 1384. Zephyr is now supported on more than twice as many boards, increasing from 160 to 400, and now runs on 12 different architectures (counting ARM cortex-a, cortex-r, and ARC64). Our peak commit velocity has nearly doubled from 1.4 to 2.5 commits per hour.

Zephyr’s team of maintainers has doubled from approximately 25 to 50 and our team of collaborators has nearly tripled from 30 to 81.

The total number of distinct areas (subsystems, OS features, etc.) requiring maintainership in Zephyr has increased from 80 to 113, and there are no signs of slowing down.

1.14.0 (LTS V1)2.7.0 (LTS V2)
Commit Velocity1.4 commits per hour2.5 commits per hour
# of Maintainers~2550
# of Collaborators~3081
# of Areas~80113

Major Enhancements Since LTS V1

Most of our community members have eagerly adopted tagged releases. Still, for companies that have based products on the LTS V1 release, there have been a tremendous number of major enhancements since then.

  • The kernel now supports both 32- and 64-bit architectures
  • We added support for SOCKS5 proxy
  • Introduced support for 6LoCAN, a 6Lo adaption layer for Controller Area Networks
  • We added support for Point-to-Point Protocol (PPP)
  • We added support for UpdateHub, an end-to-end solution for over-the-air device updates
  • We added support for ARM Cortex-R Architecture
  • Normalized APIs across all architectures
  • Expanded support for ARMv6-M architecture
  • Added support for numerous new boards and shields
  • Added numerous new drivers and sensors
  • Added BLE support on Vega platform
  • Memory size improvements to Bluetooth host stack
  • We added initial support for 64-bit ARMv8-A architecture
  • CANopen protocol support through 3rd party CANopenNode stack
  • LoRa support was added along with the SX1276 LoRa modem driver
  • A new Zephyr CMake package has been introduced
  • A new Devicetree API which provides access to virtually all DT nodes and properties
  • The kernel timeout API has been overhauled
  • A new k_heap/sys_heap allocator, with improved performance
  • Zephyr now integrates with the TF-M (Trusted Firmware M) PSA-compliant framework
  • The Bluetooth Low Energy Host now supports LE Advertising Extensions
  • The CMSIS-DSP library is now included and integrated
  • Introduced initial support for virtual memory management
  • Added Bluetooth host support for periodic advertisement and isochronous channels.
  • Added a new TCP stack which improves network protocol testability
  • Introduced a new toolchain abstraction with initial support for GCC and LLVM/Clang
  • Moved to using C99 integer types and deprecate Zephyr integer types
  • Introduced support for the SPARC architecture and the LEON implementation
  • Added Thread Local Storage (TLS) support
  • Added support for per-thread runtime statistics
  • Added support for building with LLVM on X86
  • Added new synchronization mechanisms using Condition Variables
  • Add support for demand paging, initial support on X86
  • Logging subsystem overhauled
  • Added support for 64-bit ARCv3
  • Split ARM32 and ARM64, ARM64 is now a top-level architecture
  • Added initial support for Arm v8.1-m and Cortex-M55
  • Removed legacy TCP stack support which was deprecated in 2.4
  • Tracing subsystem overhaul / added support for Percepio Tracealyzer
  • Device runtime power management (PM) completely overhauled
  • Automatic SPDX SBOM generation has been added to West
  • Added an example standalone Zephyr application

Areas to Improve

New technical features and enhancements are proposed every day. However, it’s also important to periodically step back and look at how efficiently our wheels are turning as an organization. At the request of our valued community members, several areas have been tagged for improvement.

  • We need more Collaborators and Maintainers (Reviewers) to match our growth
    • More reviewers mean less time in review for each PR; on average
    • Some Maintainers oversee multiple areas, giving them less time to focus
    • We want you! (if you have what it takes)
    • Technical expertise, patience, time, and a good track record of contributing
    • See Project Roles for Maintainer responsibilities
  • Record and publish Zephyr commit statistics similar to the Linux kernel
  • Use a finer granularity of permissions on GitHub (currently in progress)
  • Provide a qualification process and Rolodex of Zephyr consultants

Looking to the Future

There are currently 107 RFC tickets open for virtually every kind of enhancement. Below are just a few that I am personally quite excited about!

  • native_posix board support for macOS
  • A sensor and message-bus framework (based on Android’s CHRE)
  • A generic State Machine Framework
  • Addition of a Pin Control API and Devicetree bindings
  • A USB-C Driver Framework (based on the ChromeOS stack)
  • A unified framework for multiple clock sources, domains, and timer resolutions
  • Multiple network interface auto-configuration via Devicetree
  • Improved support for multiple radio devices and wireless coexistence
  • Improved Language and Runtime Support: MicroPython, C++, Rust, eBPF
  • Improved support for ISO C, C++, and POSIX standards
  • Additional support for Remote Procedure Call frameworks like gRPC and Thrift

Of course, one of the greatest facets of Zephyr’s future is the community, and we welcome all of our future community members with open arms. For those new to Zephyr, the best place to begin is the Zephyr Getting Started Guide. At any time, please feel free to reach out to us on Discord to chat.

Closing Remarks

Every second of every day, millions of Zephyr-based Internet-enabled devices wake up, process a few bytes of data, resonate at GHz frequencies, and then quietly go back to sleep, consuming precious micro-amps of battery power. While others, at the opposite end, never get to sleep at all and process immense payloads in custom hardware accelerators in some of the world’s largest data centers.

This is our community. We scale. We solve categorically hard problems. We hold each other to high standards. We help one another through thick and thin, and in doing so, we are able to achieve the most incredible things!

We’re excited to announce the release of Zephyr LTS V2. And to our community, I say thank you!

These efforts are made possible by the dozens of enterprises that support the Zephyr project. To learn how your organization can get involved, click here

Imagine you have created an open source project that has become incredibly popular.  Thousands, if not millions, of developers worldwide, rely on the lines of code that you wrote. You have become an accidental hero of that community — people love your code, contribute to improving it, requesting new features, and encouraging others to use it. Life is amazing, but with great power and influence comes great responsibility.

When code is buggy, people complain. When performance issues crop up in large scale implementations, it needs to be addressed. When security vulnerabilities are discovered — because no code or its dependencies are always perfect — they need to be remediated quickly to keep your community safe.  

To help open source projects better address some of the responsibilities tied to security, many communities hosted by the Linux Foundation have invested countless hours, resources, and code into some important efforts. We’ve worked to improve the security of the Linux kernel, hosted Let’s Encrypt and sigstore, helped steward the ISO standardization for SPDX, and brought together a community building metrics for OSS health and risk through the CHAOSS project — among many others.

Today, we are taking steps with many leading organizations around the world to enhance the security of software supply chains. The Linux Foundation has raised $10 million in new investments to expand and support the Open Source Security Foundation (OpenSSF) and its initiatives. This cross-industry collaboration brings together an ecosystem to collectively identify and fix cybersecurity vulnerabilities in open source software and develop improved tooling, training, research, best practices, and vulnerability disclosure practices. We are also proud to announce that open source luminary, Brian Behlendorf, will serve the OpenSSF community as General Manager. 

Financial commitments for OpenSSF include Premier members such as AWS, Cisco, Dell Technologies, Ericsson, Meta, Fidelity, GitHub, Google, IBM, Intel, JPMorgan Chase, Microsoft, Morgan Stanley, Oracle, Red Hat, Snyk, and VMware. Additional commitments come from General members, including Aiven, Anchore, Apiiro, AuriStor, Codethink, Cybertrust, Deepfence, Devgistics, DTCC, GitLab, Goldman Sachs, JFrog, Nutanix, StackHawk, Tencent, TideLift, and Wind River.

To learn more about how to join the OpenSSF or to get involved in one of its six working groups, listen in to this brief introduction from Brian Behlendorf recorded this week at KubeCon:

In 2021, the Linux Foundation and its community will continue to support education and share resources critical to improving open source cybersecurity.  For example, this week, we also hosted SupplyChainSecurityCon, where the SLSA and sigstore projects were heavily featured.

If you are an open source software developer, user, or other community participant who just wants to help further protect the software that accelerates innovation around the world, please consider joining one of our six OpenSSF working groups, or suggest a new working group that addresses gaps in software supply chain security needs.

You can follow the latest news from OpenSSF here on our blog, Twitter (@TheOpenSSF), and LinkedIn.


The Academy Software Foundation (ASWF), a project hosted by The Linux Foundation, provides a neutral forum for open source software developers in the motion picture and broader media industries to share resources and collaborate on image creation, visual effects, animation, and sound technologies. 

It was created in 2018 after the conclusion of an investigation by the Academy of Motion Pictures Arts and Sciences (AMPAS) Science and Technology Council holding an 18-month investigation on the state of open source in the industry. This aligned with the need for a vendor-neutral foundation to provide a sustainable home for open source projects that are key to the growth of the industry.

Identifying the need for exemplar assets for community use

As of August 2021, The Academy Software Foundation provides a home for Open Shading Language, OpenColorIO, OpenCue, OpenEXR, OpenTimelineIO, OpenVDB, and MaterialX.

As these projects have progressed in development, there was a need identified to have production-grade digital assets (e.g.,3D scene data, images, image sequences, volumetric data, animation rigs, edit decision lists) available for use in development and testing environments to ensure these projects can scale to the demands of the movie and content creation processes. 

Furthermore, the ASWF identified an additional need to have production-grade assets for general research and learning purposes. 

The ASWF identified two objectives to address these requirements:

  • Provide a vendor-neutral home for both homing the assets and being a curator for exemplar assets that would align with the industry needs.
  • Create a licensing framework striking a balance between the needs in research, learning, and open source development, with the intellectual property concerns of production-grade assets (as they often come from real productions).

An open community comes together

There was some precedent in the industry, with the 2018 release of the Moana Island Scene by Disney Animation. This sparked several discussions in the industry on how to have a larger set of similar assets available for community use leading to the creation of an Asset Repository Working Group at the Academy Software Foundation in 2020.

The culmination of this working group came in July 2021, with the transition of the working group to a formal project that will establish the infrastructure and governance of the Assets Repository. The intention is for the project to function and work like any other open source project, with full transparency and community participation, to identify and curate exemplar assets. 

At the same time, the legal counsel across Academy Software Foundation members came together to align on the ASWF Digital Assets License, which was created in the spirit of licenses used previously in the industry and designed to specifically ensure these assets can be used for education, learning, research, and open source development. The ASWF Digital Assets License helped create a bridge between producers and consumers of these assets, establishing standardized terms to enable collaboration and the re-use of content in an industry where it had previously been limited.

As of August 2021, there is interest from multiple organizations in contributing assets to this repository as it takes form over the next few months.


The Linux Foundation has been the home for vendor-neutral collaboration in both horizontal technology spaces and vertical markets such as automotive, networking, energy, and here motion pictures. In supporting over 750 open source projects, we are starting to see more and more efforts such as these where the collaboration outside of traditional software development and into educational materials, community development, and standards. The Assets Repository project at the Academy Software Foundation is a great example of the unique collaboration opportunities that open source brings and are driven by our open communities.

We’re pleased to announce that Michael Cheng joined the Linux Foundation Board of Directors earlier this year. Michael is a product manager at Meta, currently supporting open source and standards work across the company. Michael is a former network engineer and M&A attorney. He previously led the product, commercial, and intellectual property functions on Meta’s M&A legal team.

Michael has built some of the world’s most valuable and innovative open source ecosystems, representing billions of dollars of value, including GraphQL, Magma, Diem, ML Commons, and many others.

In 2018, Michael helped design the Joint Development Foundation — a lightweight, turnkey solution for the development of technology standards and specifications. Michael then brought in GraphQL as the JDF’s first project. GraphQL now powers trillions of API calls every day for some of the world’s largest companies.

Michael Cheng

Michael was one of the founding members of ML Commons, an industry-wide consortium that aims to unlock the next stage of AI/ML adoption by creating useful measures of quality and performance, large-scale open data sets, and common development practices and resources. Michael served as ML Commons’ first treasurer, and it has since grown to more than 50 members and affiliates representing a broad cross-section of the ML ecosystem.

This year, Michael created the Magma Foundation, the first open source platform that enables telecom operators to build modern and efficient mobile networks at scale. Michael now chairs the board of the Magma Foundation — growing its ranks to more than 20 members this year.

Michael is also a champion of diversity. Late last year, at the height of the pandemic, Michael designed and launched the Major League Hacking (MLH) Fellowship program to address challenges faced by both early-career developers who saw many of their job and internship opportunities disappear open source maintainers struggling to keep projects afloat. The Fellowship has been effective at helping students land desirable jobs while increasing the aggregate health of the open source projects that participate in the program. Michael also launched the Black Developer Scholarship for developers who self-identify as Black or African diaspora to participate in the Fellowship.

Michael has also played an integral role in the creation of the Presto Foundation, eBPF Foundation, Ent Foundation, Reactive Foundation, Urban Computing Foundation, and OpenChain.

“Michael is one of the rare breeds of lawyers who possess both a strong technical background and a sharp mind for process improvement.  His leadership at Meta has made a meaningful impact within the OpenChain project and beyond.  I warmly welcome him to the Linux Foundation board.”

Dave Marr, Vice President, Legal Counsel at Qualcomm Technologies

“Facebook is built on top of open source and has shown a strong commitment to investing back into the communities from which we all benefit. Micheal’s legal background and technical knowledge make him an ideal member of the Linux Foundation board. His leadership is just another example of Facebook’s commitment to open source and collective innovation.” 

Jim Zemlin, Executive Director, Linux Foundation

“Successful open source work requires an intersection of legal, business, technical, and community thinking and Michael brings all those skills in one very integrated way.  And his perspectives from his experience shepherding multiple open source projects at scale and in production is of great value to the Linux Foundation board. I am excited to welcome him to the board and to work with him on advancing open source innovation.” 

Nithya Ruff – Chair, Linux Foundation Board of Directors, Head, Comcast Open Source Program Office

“Michael’s role in growing some of the Linux Foundation’s most valuable communities cannot be understated. He brings a level of technical depth, legal acumen, and industry credibility that has been instrumental in stitching together novel coalitions of companies, NGOs, and individuals into dynamic and sustainable communities. We’re thrilled to have him on the board.”

Chris Aniszczyk, CTO, CNCF

“Michael’s talents, skills, and experience have been brought to bear at Facebook to transform the company’s identity in the open source software community. His leadership, vision and understanding of the importance of collaboration and the development of consensus in the legal and technical communities of important projects have made Meta a key driver in open source.”

Keith Bergelt, CEO, Open Invention Network

Backed by many of the world’s largest companies for more than a decade, SPDX formally becomes an internationally recognized ISO/IEC JTC 1 standard during a transformational time for software and supply chain security

SAN FRANCISCO, September 9, 2021 – The Linux Foundation, Joint Development Foundation, and the SPDX community, today announced the Software Package Data Exchange® (SPDX®) specification has been published as ISO/IEC 5962:2021 and recognized as the international open standard for security, license compliance, and other software supply chain artifacts. ISO/IEC JTC 1 is an independent, non-governmental standards body. 

Intel, Microsoft, Siemens, Sony, Synopsys, VMware, and WindRiver are just a small sample of the companies already using SPDX to communicate Software Bill of Materials (SBOM) information in policies or tools to ensure compliant, secure development across global software supply chains. 

“SPDX plays an important role in building more trust and transparency in how software is created, distributed, and consumed throughout supply chains. The transition from a de-facto industry standard to a formal ISO/IEC JTC 1 standard positions SPDX for dramatically increased adoption in the global arena,” said Jim Zemlin, executive director, the Linux Foundation. “SPDX is now perfectly positioned to support international requirements for software security and integrity across the supply chain.” 

Between eighty and ninety percent (80%-90%) of a modern application is assembled from open source software components. An SBOM accounts for the software components contained in an application — open source, proprietary, or third-party — and details their provenance, license, and security attributes. SBOMs are used as a part of a foundational practice to track and trace components across software supply chains. SBOMs also help to proactively identify software issues and risks and establish a starting point for their remediation.

SPDX results from ten years of collaboration from representatives across industries, including the leading Software Composition Analysis (SCA) vendors – making it the most robust, mature, and adopted SBOM standard. 

“As new use cases have emerged in the software supply chain over the last decade, the SPDX community has demonstrated its ability to evolve and extend the standard to meet the latest requirements. This really represents the power of collaboration on work that benefits all industries,” said Kate Stewart, SPDX tech team co-lead. “SPDX will continue to evolve with open community input, and we invite everyone, including those with new use cases, to participate in SPDX’s evolution and securing the software supply chain.”  

For more information on how to participate in and benefit from SPDX, please visit:

To learn more about how companies and open source projects are using SPDX, recordings from the “Building Cybersecurity into the Software Supply Chain” Town Hall that was held on August 18th are available and can be viewed at: 

ISO/IEC JTC 1 is an independent, non-governmental international organization based in Geneva, Switzerland. Its membership represents more than 165 national standards bodies with experts who share knowledge and develop voluntary, consensus-based, market-relevant international standards that support innovation and provide solutions to global challenges.

Supporting Comments


“Software security and trust are critical to our Industry’s success. Intel has been an early participant in the development of the SPDX specification and utilizes SPDX both internally and externally for a number of software use-cases,” said Melissa Evers, Vice President – Software and Advanced Technology Group, General Manager of Strategy to Execution, Intel.


“Microsoft has adopted SPDX as our SBOM format of choice for software we produce,” says Adrian Diglio, Principal Program Manager of Software Supply Chain Security at Microsoft. “SPDX SBOMs make it easy to produce U.S. Presidential Executive Order compliant SBOMs, and the direction that SPDX is taking with the design of their next gen schema will help further improve the security of the software supply chain.”


“With ISO/IEC 5962:2021 we have the first official standard for metadata of software packages. It’s natural that SPDX is that standard, as it’s been the de facto standard for a decade. This will make license compliance in the supply chain much easier, especially because several open source tools like FOSSology, ORT, scancode, and sw360 already support SPDX,” said Oliver Fendt, senior manager, open source at Siemens. 


”The Sony team uses various approaches to managing open source compliance and governance,” says Hisashi Tamai, Senior Vice President, Deputy President of R&D Center, Representative of the Software Strategy Committee, Sony Group Corporation. “An example is the use of an OSS management template sheet that is based on SPDX Lite, a compact subset of the SPDX standard. It is important for teams to be able to quickly review the type, version, and requirements of software, and using a clear standard is a key part of this process.”


“The Black Duck team from Synopsys has been involved with SPDX since its inception, and I personally had the pleasure of coordinating the activities of the project’s leadership for more than a decade. Representatives from scores of companies have contributed to the important work of developing a standard way of describing and communicating the content of a software package,” said Phil Odence, General Manager, Black Duck Audits.


“SPDX is the essential common thread among tools under the Automating Compliance Tooling (ACT) Umbrella. SPDX enables tools written in different languages and for different software targets to achieve coherence and interoperability around SBOM production and consumption. SPDX is not just for compliance, either; the well-defined and ever-evolving spec is also able to represent security and supply chain implications. This is incredibly important for the growing community of SBOM tools as they aim to thoroughly represent the intricacies of modern software,” said Rose Judge, ACT TAC Chair and open source engineer at VMware.

Wind River

“The SPDX format greatly facilitates the sharing of software component data across the supply chain. Wind River has been providing a Software Bill of Materials (SBOM) to its customers using the SPDX format for the past 8 years. Often customers will request SBOM data in a custom format. Standardizing on SPDX has enabled us to deliver a higher quality SBOM at a lower cost,” said Mark Gisi, Wind River Open Source Program Office Director and OpenChain Specification Chair.

About SPDX

SPDX is an open standard for communicating software bill of material information, including provenance, license, security, and other related information. SPDX reduces redundant work by providing common formats for organizations and communities to share important data, thereby streamlining and improving compliance, security, and dependability. For more information, please visit us at


The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: Linux is a registered trademark of Linus Torvalds.

Media Contact

Jennifer Cloer

for the Linux Foundation


Today, the Linux Foundation announced that Ent, an entity framework for Go that was developed and open sourced by Facebook in 2019, has moved under the governance of the Linux Foundation to help accelerate its development and foster the community of developers and companies using it.

Ent was designed to enable developers to work on complex backend applications. Developers working on these applications faced the challenge of maintaining a codebase used to manage hundreds of different entity types with numerous, complex relationships between them. Ent uses graph concepts to model an application’s schema and employs advanced code-generation techniques to create type-safe, efficient code that greatly simplifies working with databases compared to other approaches.

Ent is similar to traditional ORMs (Object-Relational Mappers) but takes an opinionated approach that is especially effective in improving developer productivity. 

  • First, schemas are modeled in graph concepts (nodes and edges) instead of the more common table-oriented method that makes traversing through datasets and expressing complex queries easier and less error-prone. 
  • Second, the code generated by Ent is completely type-safe, which means that many classes of common bugs are caught very early on in the development process. In addition, code editing software can understand Ent code very well to offer developers useful hints and feedback as they are typing code. 
  • Finally, schemas are defined in actual Go code, which facilitates a very rich feature set ranging from integrations with observability systems to the definition of privacy (authorization) rules right at the data-access layer. 

“From the start it was obvious that Ent would present a unique and compelling value proposition to a diverse range of use cases across any industry with complex technology stacks,” said Ariel Mashraki, Ent’s creator and lead maintainer. “The promise of collaborating with a broad coalition of users was the main reason we open-sourced Ent.” 

Since it was open-sourced in 2019, engineers from many leading companies have contributed code to Ent, including Facebook, GitHub,, Scaleway and VirtaHealth. Ent has also been used by the CNCF projects and by other open source ecosystems. Ariel Mashraki recently started a new company, Ariga, to create a data fabric solutions provider that is built on Ent. “With the move to the Linux Foundation’s neutral governance model, we (on behalf of myself and the rest of the Ent maintainers) hope to double-down on growing Ent into the industry standard for data-access in Go. You should expect to see a lot of exciting developments in the next six months from the community and we invite all to participate,” said Mashraki.

Ent is just the latest in a variety of technologies that Facebook has first open sourced to the public and then transferred control to the community. “This additional step of enabling open source contributors to take direct ownership of a project’s technical vision is part of our longstanding commitment to open and sustainable innovation,” said Michael Cheng, product manager at Facebook. “Enabling a project’s maintainers to chart their course often sparks additional investment, contributions and new companies building products and platforms based on that project, for example, GraphQL, Presto, ONNX, and Magma, to name a few. We see that Ent is already following a similar pattern and we’ll be cheering on the Ent community as it enters this next stage of exciting growth.”

You can learn more about Ent framework for Go, sample the technology, and contribute back to the project at

Open source software (OSS) is vitally important to the functioning of society today; it underpins much of the global economy. However, some OSS is highly secure, while others are not as secure as they need to be.

By its very nature, open source enables worldwide peer review, yet while its transparency has the potential for enhanced software security, that potential isn’t always realized. Many people are working to improve things where it’s needed. Most of that work is done by volunteers or organizations outside the Linux Foundation (LF) who directly pay people to do the work (typically as employees). Often those people work together within a foundation that’s part of the Linux Foundation. Sometimes, however, the LF or an LF foundation/project (e.g., a fund) directly funds people to do security work.

At the Linux Foundation (LF), I have the privilege of overseeing focused work to improve OSS security by the very people paid to do it. This work is funded through various grants and foundations, with credits to organizations like Google, Microsoft, the Open Source Security Foundation (OpenSSF), the LF Public Health foundation, and the LF itself.

The LF and its foundations do much more that I don’t oversee, so I’ve only listed the ones I am personally involved with in the interest of brevity. I hope it will give you a sense of some of the things we’re doing that you might not know about otherwise.

The typical LF oversight process for this work is described in “Post-Approval LF Security Funding.” Generally, performers must provide a periodic summary of their work so they can get paid. Most of those summaries are public, and in those cases, it’s easy for others to learn about their interesting work!

Here’s a sample of the work I oversee:

  • Ariadne Conill is improving Alpine Linux security, including significant improvements to its vulnerability processing and making it reproducible. For example, as noted in the July 2021 report, this resulted in Alpine 3.14 being released with the lowest open vulnerability count in the final release in a long time. Alpine Linux’s security is important because many containers use it. For more information, see “Bits relating to Alpine security initiatives in June” and “Bits relating to Alpine security initiatives in July.”
  • kpcyrd is doing a lot of reproducible build work on Linux distributions, especially Alpine Linux (including on the Raspberry Pi) and Arch Linux. Reproducible builds are a strong countermeasure against build system attacks (such as the devastating attack on SolarWinds Orion). More than half of the currently unreproducible packages in Arch Linux have now been reviewed and classified.
  • David Huseby has been working on modifying git to have a much more flexible cryptographic signing infrastructure. This will make it easier to verify the integrity of software source code; git is widely used to manage source code.
  • Theo de Raadt has also been receiving funding to secure the critical “plumbing” behind modern communications infrastructure:
    • This funding is being used towards improving OpenSSH (a widely-used tool whose security is critical). These include various smaller improvements, an updated configuration file parser, and a transition to using the SFTP protocol rather than the older RCP protocol inside the scp(1) program.
    • It is also being used to improve rpki-client, implementing Resource Public Key Infrastructure (RPKI). RPKI is an important protocol for protecting the Internet’s routing protocols from attack. These improvements implement the RPKI Repository Delta Protocol (RRDP) data transfer protocol and fix various edge cases (e.g., through additional validation checks). The service is even using rpki-client behind the scenes.
  • Nathan Chancellor is improving the Linux kernel’s ability to be compiled with clang (instead of just gcc). This includes eliminating warning messages from clang (which helps to reduce kernel bugs even when gcc is used) and fixing/extending the clang compiler (which helps clang users when compiling code other than the Linux kernel). Unsurprisingly this involves changing both the Linux kernel and the clang/LLVM compiler infrastructure, and sometimes other software as well.
    • In the long run, eliminating warnings that by themselves aren’t bugs is important; developers will ignore warnings if there are many irrelevant ones, but if there are only a few warnings, they’ll examine them (making warnings more useful).
    • Of notable mention for security implications is clang support for Control-Flow Integrity (CFI); this can counter many attacks on arm64, and work will eventually enable x86_64 support.
  • I oversee some security audits conducted via the Open Source Technology Improvement Fund (OSTIF) when funded through the LF. We (the LF) often work with OSTIF to conduct security audits. We work with OSTIF to define the audit scope, and then OSTIF runs a bidding process where qualified security audit firms propose to do the work. We then work with OSTIF to select the winner (who isn’t always the cheapest — we want good work, not a box-check). OSTIF & I then oversee the process and review the final result. 
    • Note that we don’t just want to do audits, we also want to fix or mitigate any critical issues the audits identify, but the audits help us find the key problems. Subject matter experts perform the audit reports, and handling bidding is OSTIF’s primary focus, so my main contribution is usually to help ensure these reports are clear to non-experts while still being accurate. Experts sometimes forget to explain their context and jargon, and it’s sometimes hard to fix that (you must know the terminology & technology to explain it).
    • This work included two security audits related to the Linux kernel, one for signing and key management policies and the other for vulnerability reporting and remediation. 
    • I’ve also overseen audits of the exposure notification applications COVID Shield and COVID Green: 
    • It’s not part of my oversight of OSTIF on behalf of the LF, but I also informally talk with OSTIF about other OSS they’re auditing (such as flux2, lodash, jackson-core, jackson-databind, httpcomponents-core, httpcomponents-client, laravel, and slf4j). A little coordination and advice-sharing among experts can make everything better.

The future is hard to predict, but we anticipate that we will be doing more. In late July, the OpenSSF Technical Advisory Council (TAC) recommended approving funding for a security audit of (part of) Symfony, a widely-used web framework. The OpenSSF Governing Board (GB) approved this on 2021-08-05 and I expect OSTIF will soon take bids on it.

The OpenSSF is also taking steps to raise more money via membership dues (this was delayed due to COVID; starting a new foundation is harder during a pandemic). Once the OpenSSF has more money, we expect they’ll be funding a lot more work to identify critical projects, do security audits, fix problems, and improve or create projects to enhance OSS security. The future looks bright.

Please remember that this is only a small part of ongoing work to improve OSS security. Almost all LF projects need to be secure, so most foundations’ projects include security efforts not listed here. As noted earlier, most development work is done by volunteers or by non-LF organizations directly paying people to do the work (typically employees). 

The OpenSSF has several working groups and many projects where people are working together to improve OSS security. These include free courses on how to develop secure software and the CII Best Practices badge project. We (at the LF) also have many other projects working to improve OSS security. For example, sigstore is making cryptographic signatures much easier; sigstore’s “cosign” tool just released its version 1.0. Many organizations have recently become interested in software bill-of-materials (SBOMs), and we’ve been working on SBOMs for a long time.

If you or your organization would like to fund focused work on improving OSS security, please reach out! You can contribute to the OpenSSF (in general or as a directed fund); just contact them (e.g., Microsoft contributed to OpenSSF in December 2020). If you’d prefer, you can create a grant directly with the Linux Foundation itself — just email me at <> if you have questions. For smaller amounts, say to fund a specific project, you can also consider using the LFX crowdfunding tools to fund or request funding. Many people & organizations struggle to pay individual OSS developers because of the need to handle taxes and oversight. If that’s your concern, talk to us. The LF has experience & processes to do all that, letting experts focus on getting the work done.

My sincere thanks to all the performers for their important work and to all the funders for their confidence in us!

About the author: David A. Wheeler is Director of Open Source Supply Chain Security for The Linux Foundation.

One of the greatest strengths of open source development is how it enables collaboration across the entire world. However, because open source development is a global activity, it necessarily involves making available software across national boundaries. Some countries’ export control regulations, such as the United States, may require taking additional steps to ensure that an open source project is satisfying obligations under local laws.

In July of 2020, The Linux Foundation published a whitepaper on how to address these issues in detail, which can be downloaded here. In 2021, the primary update in the paper is to reflect a change in the US Export Administration Regulations.

  • Previously, in order for publicly available encryption software under ECCN 5D002 to be not subject to the EAR, email notifications were required regardless of whether or not the cryptography it implemented was standardized.
  • Following the change, email notifications are only required for software that implements “non-standard cryptography”.

Please see the updated paper and the EAR for more specific details about this change.