
This article originally appeared on the Open Mainframe Project’s blog. The author, John Mertic, is Director of Program Management at The Linux Foundation. 

One of the big things I celebrate about open source is the vast diversity of individuals that come together to build amazing technologies. A core belief that I have – and also that those at the Linux Foundation share – is that a diverse group of people coming together brings better outcomes, bigger innovations, and a more sustainable project. We at the Open Mainframe Project are truly fortunate to have such a global and diverse community, and with our hosted projects and working groups thriving, we see the impact of that diverse collaborative effort.

As many of you know, three of my children come from an Asian background – South Korea and China. I’ve shared in the past the joy they bring my wife and me, as well as those around us, but also the challenges and struggles of growing up in a culture different from where they were born.

Nowadays though, I worry about their safety and struggles even more – as there has been a rise in Asian American and Pacific Islander (AAPI) hate and crime. According to Stop AAPI Hate, from March 19, 2020 to December 31, 2021, a total of 10,905 hate incidents against AAPI persons were reported across the nation. This is sickening to me.

I was discussing this with a good friend recently and they shared that so much of diversity and inclusion is changing how you think about people, situations, and how you engage with others. This hits home for me now more than ever. I think about that with my children and me as a parent; seeing the world through their eyes has given me a new perspective on others and taught me empathy and understanding. But it has also given me an appreciation for others; who they are, where they come from, and what experiences and ideas they have.

In open source projects, it’s not a zero-sum game but a positive-sum game – open source development is based on the idea that, collectively, we are smarter than any one of us. That mindset is strong in our communities, and helps create that welcome space for all.

As we celebrate the last day of May and AAPI Heritage Month, I want to thank those Asian American and Pacific Islanders from our communities who have made a great impact. In fact, two of our members recently shared personal stories about their journeys. Thank you to Maemalynn Meanor, Senior Public Relations & Marketing Manager at the Linux Foundation, and Alex Kim, Technology Business Development Executive/OSS Incubator Advocate at IBM T.J. Watson Research Center, for offering a look into their personal and professional lives. You can read their blogs here:

I thank everyone from those backgrounds for their great contributions to not only our projects, but open source in general, and hope that we can continue to make our communities a safe and inclusive place for all.


This blog post originally appeared on the Open Mainframe Project’s blog. They invited Open Mainframe Project community members, contributors, and leaders to share their stories in honor of Asian Americans and Pacific Islanders (AAPI) Heritage Month. The author, Alex Kim, Open Mainframe Project Mentor, Zowe contributor and Technology Business Development Executive/OSS Incubator Advocate at IBM T.J. Watson Research Center, shares how his family has influenced his life.

Watching a recent TV show, “Pachinko,” I was truly impressed by how the directors used screen arts and music. Based on the New York Times bestseller, this show chronicles the hopes and dreams of a Korean immigrant family across four generations as they leave their homeland in an indomitable quest to survive. It was relatable and magical and wonderful to see how they focused on how three generations of a family dealt with the biggest challenges of their times. After watching the first season, I couldn’t help thinking about my parents and my own family here in the U.S.

My dad was born in the mid-1930s in the southern region of Korea, when Korea was still a Japanese colonial territory. His family endured a lot of hardships, loss and scary moments because they had to survive through the Korean War. In fact, one of the stories he tells often is about how, when he was just 12 years old, he and his brother escaped a massacre that happened in their small town.


Photo: My dad when he was in the army building the peace house near the DMZ in the 1960s.

Like most of the community, my dad’s family was very poor and couldn’t afford to have “normal” food. Young children lived on the dregs from the liquor factory in the town.

The poverty, however, couldn’t stop my dad from learning and advancing. Eventually he went to the naval academy and had a successful career, from which he retired as an Army Lieutenant Colonel. He said he was the first person to ‘escape’ the poor rural town and successfully land a job in Seoul, the capital of South Korea. He later oversaw the building of Panmunjom in 1965 – the buildings in the Joint Security Area near the DMZ – a very famous landmark that you might even remember from when President Trump met with Kim Jong-un a few years ago.


Photo: Recent Panmunjom – you can see they still have the buildings from when my dad worked to build them in the 1960s.

My dad endured a lot in his life but what always stayed strong was his drive to survive and succeed, which is what he instilled in me.

In August 1999, I landed at New York’s JFK airport with one big piece of luggage (called ‘E-Min Gah Bang’, meaning ‘immigration bag’) and two large carton boxes. My destination was somewhere in Brooklyn, where I was supposed to start attending Brooklyn Polytech for graduate study. Sometimes, when I look back, I am not sure how I did it. I didn’t have any friends. I didn’t know the language well and I didn’t really know the country itself.

If I’m honest, it was a little scary, but my heart was filled with excitement. I would survive and succeed – just like my dad did. I could learn anything and become what I wanted. (Also, I still can’t forget the taste of Junior’s Cheesecake – where my roommate took me to celebrate my first night in the US.)

I was truly lucky that I got so much help from many people; for one, I got to join the research lab of Professor Ramesh Karri, where his team was implementing AES candidates in circuits. I implemented the Rijndael algorithm, which was selected as ‘the standard’ in 2000. This experience later led to a job opportunity at IBM Poughkeepsie, where I designed the first AES engine in hardware within the company.


Photo: IBM 4758 – which was replaced with the IBM 4764 that I worked on. Learn more – IBM CryptoExpress HSM.

When I visited Korea after I got the job offer, my dad was proud of me. He reflected on how my going to New York was the same as him leaving the small town he grew up in. I didn’t realize much at the time what it meant to leave family and go abroad for my own goals. I was just happy about the fact that I had made my parents proud with the small success I could achieve. Thinking back now, my generation was still in this ‘make your parents proud’ lifestyle – it seemed very common in many Asian-cultured families.

More than 20 years have passed since my first day at work. I have been through different jobs and different companies. I got married and have my own family now. When my children were born and as they grew older, I had to face something that I didn’t realize I was going to miss.

I am the youngest of four siblings – so I never felt lonely growing up. We always had extended family members visiting during holidays and had big family events like weddings and New Years parties. Now, with my children in New York and far from my family in Korea, I am a little sad that I can’t give them the festive feelings and experiences that I was given. My wife and I celebrate with them as best we can but it is a little different when it’s a small family of four compared to an extended family with lots of cousins, aunts, uncles and grandparents.


Photo: Recent family gathering in Korea celebrating ‘Parents Day’ on May 8th 2022.

I feel bad that I haven’t given them this opportunity yet – an opportunity to have days filled with fun, noisy family gatherings over the holidays. An opportunity to have a fight with cousins and rumble around the house screaming.

This is why I am taking my kids to Korea this summer. It’s a little challenging as COVID is still a bad situation there, but this will be a short trip. I hope I can give some of those ‘extended family’ memories to my kids as we visit with family.

I want to spend more time with my dad – I hope I can ask him how he felt when I was growing up. I want to ask him if he was worried like me. I want to ask him if it was hard for him sending me abroad and not being able to see me for many years.

Although I chose this career path and I love it – I don’t think I thought enough about what my (and my own family’s) life would be like if I lived abroad. I don’t regret any of my choices – I rather feel I am truly blessed. However, having grown up with the culture where ‘Hyo (filial duty)’ is one of the most important virtues in Korea – I am not doing it right, as I can’t live near my parents and help them when they need me.

I think many Asian cultures have this deep-rooted family foundation in which the children take care of the parents when they get older. But for those of us who dreamed big and moved out of the countries we grew up in to search for a new life, an opportunity to build a better life, this is hard.

Yesterday I was talking to my mom and she told me my dad fell on the outdoor steps and hurt his leg. I wished I could run back to their house and help him visit a doctor’s office – but I can’t. All I could do was make a few phone calls.

These thoughts and feelings never came up when I was younger. They were probably planted in my heart long ago when I was still a kid – but it took more than 30 years to grow and finally bloom into a more mature, grown-up heart.


Photo: Recent photo of my family.

Now, I wonder how my kids will feel when they get to my age. How will they feel growing up in America as second generation Asian American immigrants? Will they fit in here? Will they want to know more of their Korean family?

I will probably never understand their feelings – but I hope they ask me their own questions about life as they grow up. I hope they remember all of the short visits to Korea and remember where their parents came from. I hope they aspire to visit Korea themselves someday with their families. It makes me smile thinking about these things. I think I am getting old now… I am thankful that we all are in this journey together.

My journey started with my dad in a small town in Korea and continued when I put roots down in Brooklyn. I can’t wait to see what happens next.

The Fintech Open Source Foundation continues to expand support across all constituents and geographies with increased buy-side, cloud and financial technology representation

New York, NY – May 31 – The Fintech Open Source Foundation (FINOS), the financial services umbrella of the Linux Foundation, announced today the addition of six new corporate members, including Google Cloud, Société Générale, American Express, Point72, Mirantis, and The Digital Dollar Project. Building upon its 19 new Members in 2021 and its recent addition of Wellington Management Company to its Governing Board, FINOS now has 57 corporate members, ushering in a new era in open collaboration across the global financial services industry.

These new members, as well as the entire FINOS ecosystem, will meet in London on July 13 at its annual Open Source in Finance Forum.

This addition of new members reinforces FINOS’ position as the arena of choice to build the next generation of financial technologies on common standards and open source components for financial institutions on both the sell-side and buy-side, fintechs, cloud companies, regulators, industry consortia and individual contributors. FINOS continues to see growth in the number and diversity of its corporate members across the world, with more than a 35% increase in the number of members year-over-year, fueling a community of more than 1,200 active contributors. This announcement is particularly significant as the engagement of cloud vendors and new buy-side firms signals widespread reception of open source return on investment across the technology value chain as a whole.

“We are at a pivotal moment in our evolution as a Community, where literally every constituent of the industry has come to the realization that open source collaboration has the concrete potential to bring to life the vision of a highly efficient, interoperable and developer-friendly global financial technology stack,” said Gabriele Columbro, Executive Director of FINOS. “From cloud and open source leaders heading the charge to some of the historically most conservative firms in the world now rolling out Open Source Program Offices (OSPOs), we are incredibly proud to see global recognition of the value in open source and of the role FINOS played in this evolution.” 

Meet the new members 

Google Cloud becomes the first global cloud service provider joining FINOS as a Gold member. Google Cloud will contribute to critical efforts for cloud deployments in financial services like the FINOS Open RegTech and Compliant Financial Infrastructure initiatives, aimed at driving adoption of FINOS open source projects in the cloud. 

“For more than 20 years, Google has helped shape the future of computing with its technology leadership and support across the open source ecosystem,” said Zac Maufe, Director, Financial Services, Google Cloud. “We are thrilled to join FINOS and its community of companies and people dedicated to open source. As the financial services industry accelerates its adoption of cloud technologies, FINOS open source projects will deliver valuable support to both our customers and the financial services tech community at large.”

Société Générale (SocGen), a French multinational investment bank and financial services company, joins FINOS as a Gold member, representing an important addition to the European sell-side representation in FINOS. This comes on the heels of the Linux Foundation amplifying its global focus with the recently announced inaugural European World of Open Source: 2022 Europe Spotlight Survey, a testament to the truly global nature and potential of the open source Community.

“Société Générale implemented an ‘Open Source First’ policy in 2017 and established its Open Source Program Office (OSPO) in 2020,” said Alain Voiment, CIO for Group digital foundations and corporate functions, Société Générale. “Over the years, our focus has been to evolve in the open source journey by deriving benefits from infrastructure layer to applicative layer to business value add while engaging our developers’ community. As we become a more ‘tech enabled’ company leveraging the power of IT, digital, and data, we continue to foster our innovation capacity in bringing added value for our clients. Collaboration with FINOS is the right step in this direction and there couldn’t be a better time to embark on this journey.”

Our third Gold member, American Express, is dedicated to delivering digital products and services that enhance the lives of its customers, and believes open source is a key component in supporting innovative growth across the industry.

“Our technology philosophy focuses on delivering increased scale and efficiency, improved speed to market, high-quality, and security, while always keeping our customer at the center of all we do,” said Hilary Packer, Executive Vice President & Chief Technology Officer, American Express. “We’re excited to join FINOS because of the opportunities it will provide to collaborate with and contribute to the community, while supporting our ongoing adoption of open-source software, standards, and best practices, which in turn will help drive the continued success and growth of our company.”

FINOS also continues to expand the open source technology footprint among buy-side institutions to deliver innovation among the investment and asset management industries. Firms now have the ability to leverage open source connectivity, through projects like FDC3 that bolster interoperability with the sell-side, to access the market quickly in a vendor agnostic fashion. Newest Silver member Point72, a global asset manager which invests in multiple strategies and asset classes, was the first buy-side firm to join FINOS earlier in 2022, signaling their leadership and strong focus on the use of open source in this industry sector.

“Open source has emerged as an increasingly important driver of innovation in leading technology organizations within financial services,” said Mark Brubaker, Chief Technology Officer at Point72. “Our decision to join FINOS reflects our belief that open source collaboration raises all boats, benefiting all organizations and technologists.”

Mirantis, an established open source leader and cloud management platform that helps organizations easily ship code on public and private clouds, also joined FINOS as a Silver member.

“We are proud and excited to join FINOS,” said Andy Wild, Chief Revenue Officer of Mirantis. “With the rapid adoption of Cloud Native Technologies driven by Kubernetes in the financial industry, Mirantis understands that collaboration is the fastest path to innovation, and our open source based products and services have helped to drive innovation and growth for our financial customers for years. Joining FINOS, we look forward to having the opportunity to further align with the needs of the financial industry.”

FINOS also welcomes its latest Associate member, The Digital Dollar Project, a leading private-public partnership advancing the study and exploration of a potential U.S. Central Bank Digital Currency (CBDC), an initiative FINOS recently announced its support for in Davos.

“New advances in financial technology, including CBDCs, have the power to transform economies and connect people, governments, and businesses, locally and globally,” said Jennifer Lassiter, Executive Director of The Digital Dollar Project. “We know that experimentation and information sharing are critical to innovation, which is why we are thrilled to contribute to open source solutions as a new addition to the vibrant FINOS community.”

The addition of new Gold, Silver and Associate members marks continued forward momentum of FINOS’ mission to drive mass open source adoption across all facets of the financial services industry, strengthening its position as the leading organization supporting the industry as they collaborate on vital areas, such as interoperability, data standards, and open source security.

To learn more about joining FINOS as a member, visit the Membership Benefits page. Meet the FINOS team in London on July 13 at its annual Open Source in Finance Forum.

About FINOS

FINOS (The Fintech Open Source Foundation) is a nonprofit whose mission is to foster adoption of open source, open standards and collaborative software development practices in financial services. It is the center for open source developers and the financial services industry to build new technology projects that have a lasting impact on business operations. As a regulatory compliant platform, the foundation enables developers from these competing organizations to collaborate on projects with a strong propensity for mutualization. It has enabled codebase contributions from both the buy- and sell-side firms and counts over 50 major financial institutions, fintechs and technology consultancies as part of its membership. FINOS is also part of the Linux Foundation, the largest shared technology organization in the world. Get involved and join FINOS as a Member.

Media Contact:
Catharine Rybeck 
Caliber Corporate Advisers 
catharine@calibercorporateadvisers.com 

This is a classic article from the Linux.com archives. For more great SysAdmin tips and techniques check out our free intro to Linux course.

What’s the difference between absolute and relative path?

To understand this, we first have to know what a path is in Linux.

What Is A Path?

A path is the unique location of a file or folder within the file system of an OS. A path to a file is a combination of / separators and alphanumeric characters.

What Is An Absolute Path?

An absolute path specifies the location of a file or directory starting from the root directory (/). In other words, an absolute path is the complete path from the start of the actual filesystem, the / directory.

Some examples of absolute path:

/var/ftp/pub
/etc/samba/smb.conf
/boot/grub/grub.conf

Notice that all of these paths start from the / directory, which is the root directory on every Linux/Unix machine.

What Is The Relative Path?

A relative path is defined in relation to the present working directory (pwd). Suppose I am located in /var/log and I want to change directory to /var/log/kernel. I can use a relative path to change directory to kernel.

Changing directory to /var/log/kernel using a relative path:

pwd
/var/log
cd kernel

Note: Observe that there is no / before kernel, which indicates that it is a directory relative to the present working directory.

Changing directory to /var/log/kernel using an absolute path:

cd /var/log/kernel

Note: An absolute path can be used from any location, whereas to use a relative path we must be in the directory that the path is relative to, i.e. the present working directory.
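The walkthrough above, reproduced as an added example (not part of the original article) in a throwaway directory tree so it can be run on any machine; the sandbox layout <sandbox>/var/log/kernel and the helper names is_absolute and resolve_dir are constructed for this demonstration. It goes one step beyond the text by showing the same relative path failing from a different working directory and by treating .. as a relative path too.

```shell
#!/bin/sh
# Added example (not from the original article): the /var/log -> kernel
# walkthrough reproduced in a throwaway directory tree so it runs anywhere,
# plus a check that shows why only a relative path depends on where you are.
set -eu

# Constructed sandbox mirroring the article's layout: <sandbox>/var/log/kernel
SANDBOX=$(cd "$(mktemp -d)" && pwd -P)
mkdir -p "$SANDBOX/var/log/kernel" "$SANDBOX/etc"
trap 'rm -rf "$SANDBOX"' EXIT

# is_absolute PATH: succeeds when PATH starts with '/', i.e. it is anchored at
# the root directory rather than at the present working directory.
is_absolute() {
    case "$1" in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# resolve_dir CWD TARGET: print the directory the shell lands in after
# `cd TARGET` from CWD, or print nothing and fail if that cd would fail.
# The subshell keeps the caller's own working directory untouched.
resolve_dir() {
    ( cd "$1" && cd "$2" 2>/dev/null && pwd -P )
}

# Relative path: works only from /var/log, as in the article's pwd/cd session.
echo "from $SANDBOX/var/log, 'cd kernel' lands in:"
resolve_dir "$SANDBOX/var/log" kernel

# The same relative path from a different directory fails: there is no
# 'kernel' inside /etc.
if resolve_dir "$SANDBOX/etc" kernel; then
    echo "unexpected: relative 'kernel' resolved from /etc"
else
    echo "from $SANDBOX/etc, 'cd kernel' fails (no such directory)"
fi

# Absolute path: the same target is reached from /etc or anywhere else.
echo "from $SANDBOX/etc, 'cd $SANDBOX/var/log/kernel' lands in:"
resolve_dir "$SANDBOX/etc" "$SANDBOX/var/log/kernel"

# '..' is a relative path too: from /var/log/kernel, 'cd ..' returns to /var/log.
echo "from $SANDBOX/var/log/kernel, 'cd ..' lands in:"
resolve_dir "$SANDBOX/var/log/kernel" ..
```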

Trust yourself. Let your heart work with your mind

This article originally appeared on the Open Mainframe Project’s blog. The author, Maemalynn Meanor, is a senior public relations and marketing manager at The Linux Foundation. 

In honor of Asian Americans and Pacific Islanders (AAPI) Heritage Month, I wanted to share something my mother passed on to me.

I’ve worked in communications and public relations for the technology industry for almost 20 years. I’ve had to learn new industries, competitors, the intricacies of different technologies and how to interpret engineering language.

In all of these roles – no matter where I was – one thing remained the same. I was often the only Asian woman in the room. Without a roadmap or someone to look up to as an example of what to do, I often leaned on my mom, because standing in a room full of men who made me doubt myself was scary and intimidating. Always.

Whether it was in person or via WebEx or phone, nothing is worse than that moment when you say something and all the men in the room pause. Sometimes, they agreed with my recommendations. Sometimes, they shot them down. One time, someone mansplained my idea back to me and then everyone in the room agreed that “that” idea was better than mine.

My mom always had the same advice. Trust yourself. Let your heart work with your mind – the strength of it encompasses not just things I learned in school but things my parents taught me about my family and my Thai heritage and culture.

She said this often. But there were times when I ignored her advice. I didn’t trust myself.

I remember one particular time more than a decade ago that I decided to distance myself from my heritage. I didn’t want to be the Asian woman in the room. I even tried to not be the woman in the room. I tried to be part of the “boy’s club.” I laughed at the inappropriate jokes. I was quiet when they complained about women leaders and used derogatory language.

This made me feel terrible about myself, my work and my life in general. I was going through the motions and no longer enjoyed my work, nor did I like my surroundings. But I kept going. It was my job after all.

A few months later, I was asked to go back to my college and meet with the Asian Students in Alliance (ASIA) club, which I was the former Vice President of, about my career in public relations and communications.

I struggled with this – am I really going to walk into a room full of bright Asian students and tell them that their culture doesn’t belong in the workplace? Am I okay with telling them to not highlight their differences and to not be proud of their culture? Am I really going to tell a room full of beautiful people from different Asian backgrounds – to just try to “blend in?”

No. My mom raised me better than that.

So I took her words and repeated them over and over again. Trust yourself. Believe in you. Let your heart and mind lead you where you need to be because they have the support of all your ancestors, your heritage and your traditions.

That night, I told my mom she’s right. I believe her response was “I know. I’m right about everything. Always. Don’t forget that.”

I am still sometimes the only Asian woman in the room but I’m happy to say that it’s not as often as it used to be. Now, there are more diverse backgrounds, more women, more voices – more of everything. It’s becoming easier to be who you are and love what you represent inside the workplace. This sense of belonging is something I don’t take for granted and will always be thankful for.


I confess I am a lifelong learner – addicted to learning about new things and gaining new skills. So, when I started at The Linux Foundation, I was excited to see the depth and breadth of the training we offer (and employees have access to the catalog, so you should work here). It is truly impressive. And it makes sense. After all, the LF mission is to create the greatest shared technology investment in history by enabling open source collaboration across companies, developers, and users. Training is a necessary part of that. 

For starters, we practice what we preach. Every employee – and I mean every employee, from admin to engineering – is required to take 9 different LF training courses to get an in-depth overview of open source methodologies:

  • Open Source 101
  • Open Source Introduction
  • A Beginner’s Guide to Open Source
  • Open Source Licensing Basics for Software Developers
  • Open Source Business Strategy
  • Effective Open Source Program Management
  • Open Source Development Practices
  • Open Source Compliance Programs
  • Collaborating Effectively with Open Source Projects

Each of these courses is also offered to the public through the LF Training and Certification portal.

LF Training and Certification Portal

Speaking of the portal, this is your one-stop-shop for all of our training and certification resources. It hosts our training programs created by well-respected developers that cover the most important open source projects and includes opportunities for certification exams. It is all vendor-neutral, providing foundational knowledge and skills in the technologies running the modern world. 

You can access 30+ e-learning courses, 20+ instructor-led classes, 12+ certification exams, and 40+ free massive open online courses (MOOCs) in partnership with edX. (I just signed up for a blockchain one with 96,000 of my closest friends).

If there is a specific field of study you want to focus on, there are learning paths for: 

  • Application Development
  • Blockchain
  • Cloud and Containers
  • Cybersecurity
  • DevOps and Site Reliability
  • Embedded Development
  • Linux Kernel Development
  • Networking
  • System Administration
  • Systems Engineering and Architecture

In short, there is something for you, and you can join the 2 million+ students who have enrolled and the 50,000+ professionals who have already earned certifications.


Developing Secure Software Course

I do want to highlight a course that came up during the Open Source Software Security Summit II a couple of weeks ago. The importance of teaching secure software development principles was one of the recommendations to improve the resiliency of open source software. Good news – the LF offers the “Developing Secure Software” (LFD121) course. It focuses on the fundamentals of developing secure software. Both the course and certificate of completion are free. It is entirely online, takes about 14-18 hours to complete, and you can go at your own pace. Those who complete the course and pass the final exam will earn a certificate of completion valid for two years. 

It is geared towards software developers, DevOps professionals, software engineers, web application developers, and others interested in learning how to develop secure software. It focuses on practical steps that can be taken, even with limited resources, to improve information security. 

Why is it needed? Many software developers have never been told how to effectively counter the ever-increasing barrage of cyberattacks. This course explains the fundamentals of developing secure software. A basic security principle – build it more secure in the beginning and you will spend less time fending off attacks later. From the course description: 

This course starts by discussing the basics of cybersecurity, such as what risk management really means. It discusses how to consider security as part of the requirements of a system, and what potential security requirements you might consider. This first part of the course then focuses on how to design software to be secure, including various secure design principles that will help you avoid bad designs and embrace good ones. It also considers how to secure your software supply chain, that is, how to more securely select and acquire reused software (including open source software) to enhance security. The second part of this course focuses on key implementation issues: input validation (such as why allowlists should be used and not denylists), processing data securely, calling out to other programs, sending output, and error handling. It focuses on practical steps that you (as a developer) can take to counter the most common kinds of attacks. The third part of the course discusses how to verify software for security. In particular, it discusses the various static and dynamic analysis approaches, as well as how to apply them (e.g., in a continuous integration pipeline). It also discusses more specialized topics, such as the basics of how to develop a threat model and how to apply various cryptographic capabilities.

You can learn more about the course and enroll for free here.

Future Announcements 

We are always working to improve and expand what we offer. There are a lot of exciting announcements coming up next month during the Open Source Summit North America, including insights from our 10th Annual Open Source Jobs Report, the winners of the 500 LiFT Scholarships for 2022, some new training courses, and more. Even if you aren’t able to attend, keep an eye out for our announcements. Some exciting stuff, but I have said too much already. Sign up for the newsletter so you are the first to know when new courses are offered, and – arguably more importantly – get access to promotions. I mean – new skills and saving money, how can you say no?

I hope you have an opportunity to take some of our courses and become certified. You will be a better person for it.


Software Metadata Standards Wrap Up Bigger Connections

This article originally appeared on Linux.com. The author, Cameron Laird, is vice president of Phaseit, Inc. where he implements software projects and publishes articles about the results. A long-time developer, manager, and author, he’s most recently concentrated on architectural challenges of “continuous everything”: continuous integration, continuous testing, and so on.

You’re in the news. But not with the headline you want.

You’re not getting attention because of your choice of text editor or the number of spaces you use to indent code blocks. However motivating those preferences are for you and me, the non-technical world sees them as private choices. You find your code in the headlines for a different and unpleasant reason: open source dependency management.

We have dependencies, of course, because we know not to “reinvent the wheel”; instead, we software experts re-use the implementations others have created. However, when done poorly, dependency management introduces more risk and degrades the quality of your application. For example, failure to comply with license requirements might be the problem.  Even worse: the absence of a license tied to a component you embedded in your application. In both cases, there are potential legal implications.

Still more traumatic is a media headline announcing that your organization was just breached through a vulnerability in one of those dependencies. Projects frequently re-use software components to simplify or accelerate development, but that same re-use can have detrimental results by introducing such vulnerabilities.

That’s not all:  suppose you are experienced and thoughtful enough to recognize this hazard and commit to good dependency management.  It turns out that’s a harder problem than it might first appear, and certainly not the kind of thing that can be slipped into a project in its last days without significant time or other costs.

Building A Standard For Software Bill Of Materials

How, for instance, does an industrial oven manufacturer communicate that one of its products depends on a particular library with a known vulnerability?  How does it say that it does not have such a dependency?  One of the difficulties comes from mixing open and closed information sets. What happens in a scenario where an automotive chip uses an open source sorting algorithm, but the auto manufacturer wants to keep the use of that algorithm proprietary?

Without a better alternative, any discussion about the algorithm has to occur under cover of a non-disclosure agreement (NDA), often one written specifically for the business and technical situation.  Where developers investigating a particular piece of software might be accustomed to connecting to GitHub and inspecting the source in question in a few seconds, even the simplest proprietary questions sometimes take months of legal, security, and compliance negotiation to begin to examine. “Manual” inspection, in any case, is unscalable.  The average application contains 200 OSS components, and each component might manually take three hours to inspect.  Does your project have a better use for 600 hours of effort?  Open source truly begins to pay off when it’s inspected not just by expert engineers but by automatic tools.

Recognize, moreover, that transitive dependencies make dependency management a harder problem than first appears.  Many of the most notorious breaches occurred not because anything was wrong with the source of a product or even the source of the libraries on which it depends; the vulnerability only turned up in a library used by those other libraries.  Over and over again, CEOs who’ve asked, “does $SOME_PROBLEM affect us?” have received the answer, “we don’t know yet: we’re not sure where it shows up in our systems.” We need transparency about dependencies and enough intelligence and standardization around hierarchical relationships to “trace the whole tree.” Organizations must track dependencies through to the operating system run-time and sometimes down to “the silicon,” that is, the microprocessor on which the software runs.

It’s a hard problem but also a solvable one.  Part of any solution is a well-defined software bill of materials (SBOM or sometimes SBoM). That’s where Kate Stewart’s career began to track this story.  Stewart currently serves the Linux Foundation as a vice president of Dependable Embedded Systems.  In previous assignments with such employers as Motorola, Freescale Semiconductor, Canonical, and Linaro, she frequently faced challenges that mixed technical and legal aspects.  As she explained her long-time focus in a recent interview, “if open source components are going to be in safety-critical places … [we need] to be able to trust open source in those spaces …” Good SBOM practices are simply necessary for the level of trust we want to have not just in industrial ovens, but airplanes, medical devices, home security systems, and much more.  An SBOM organizes such metadata about a software artifact as its identity, verification checks it hasn’t been tampered with, copyright, license, where to look up known security vulnerabilities, dependencies to check, and so on. Think of an SBOM as an ingredients list for your software.  It makes those ingredients visible, trackable, and traceable.  It lets you know if you have used the highest quality and least risky open source components to build your software.

Enter SPDX

Stewart and other technologists eventually began to team with specialists in intellectual property, product managers, and others. They developed such concepts in the early years of this millennium as SBOM, the Software Package Data Exchange (SPDX), and the OpenChain Specification.  She co-founded SPDX in 2009 to pursue “[a]n open standard for communicating software bill of materials information ….” Among other features and benefits, these frameworks provide standard and scalable ways to discuss dependencies.

Instead of each vendor having to certify that each of its releases has been verified for security and license compliance of each of eight hundred JavaScript libraries, for example, many of the most time-consuming aspects of compliance can be automated.  When a new vulnerability is identified in an implementation of a networking protocol, automated methods can largely be applied to determine which products embed known vulnerable libraries, even while we developers remain largely unaware of the details of each component and dependency they use.  For Stewart, standards-based transparency and best practices are prerequisites for the security of safety-critical communities she helps serve.  As Stewart observes, “you can’t really be safe unless you know what you’re running.”
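As an added example (not code from the article or from the SPDX project), here is a small Python walker over a constructed SPDX 2.3 JSON document. It answers the “does $SOME_PROBLEM affect us?” question from above by tracing DEPENDS_ON relationships transitively from the product the document DESCRIBES down to a named component, and it lists third-party components whose license was never concluded; every package name, version and checksum in the sample is made up.

```python
"""Trace transitive dependencies in an SPDX 2.x JSON SBOM.

Added example, not the article's or the SPDX project's code. The document
below is constructed for illustration: names, versions and the checksum are
made up, but the field and relationship names are those of SPDX 2.3 JSON.
"""
import json
from collections import defaultdict

# Constructed SBOM: a product that depends on a web framework, which depends on
# a logging library, which in turn depends on a compression library.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "oven-controller-sbom",
    "packages": [
        {"SPDXID": "SPDXRef-app", "name": "oven-controller", "versionInfo": "4.2.0",
         "licenseConcluded": "NOASSERTION",
         # Integrity check for the artifact; value is a constructed placeholder.
         "checksums": [{"algorithm": "SHA256", "checksumValue": "00" * 32}]},
        {"SPDXID": "SPDXRef-webfw", "name": "webfw", "versionInfo": "2.1.0",
         "licenseConcluded": "MIT"},
        {"SPDXID": "SPDXRef-logkit", "name": "logkit", "versionInfo": "1.8.3",
         "licenseConcluded": "Apache-2.0"},
        {"SPDXID": "SPDXRef-zpack", "name": "zpack", "versionInfo": "0.9.1",
         "licenseConcluded": "BSD-3-Clause"},
        {"SPDXID": "SPDXRef-fastjson", "name": "fastjson", "versionInfo": "3.0.0",
         "licenseConcluded": "NOASSERTION"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-app"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-webfw"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-fastjson"},
        {"spdxElementId": "SPDXRef-webfw", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-logkit"},
        # Same edge expressed in the reverse direction SPDX also allows.
        {"spdxElementId": "SPDXRef-zpack", "relationshipType": "DEPENDENCY_OF",
         "relatedSpdxElement": "SPDXRef-logkit"},
    ],
})

# "A <type> B" edges where A pulls B into its build or runtime.
FORWARD_DEP_TYPES = {"DEPENDS_ON", "CONTAINS", "STATIC_LINK", "DYNAMIC_LINK"}
# "B <type> A" edges meaning the same thing with the elements swapped.
REVERSE_DEP_TYPES = {"DEPENDENCY_OF", "CONTAINED_BY"}


def load_sbom(text):
    """Parse SPDX JSON into (packages by SPDXID, adjacency, described roots)."""
    doc = json.loads(text)
    packages = {p["SPDXID"]: p for p in doc["packages"]}
    deps, roots = defaultdict(set), []
    for rel in doc.get("relationships", []):
        src, kind, dst = rel["spdxElementId"], rel["relationshipType"], rel["relatedSpdxElement"]
        if kind in FORWARD_DEP_TYPES:
            deps[src].add(dst)
        elif kind in REVERSE_DEP_TYPES:
            deps[dst].add(src)
        elif src == doc["SPDXID"] and kind == "DESCRIBES":
            roots.append(dst)
    return packages, deps, roots


def dependency_paths(deps, root, target):
    """Every path root -> ... -> target over dependency edges (cycle-safe DFS)."""
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for nxt in sorted(deps.get(node, ())):
            if nxt not in path:
                walk(nxt, path + [nxt])

    walk(root, [root])
    return paths


def affected_by(sbom_text, name, version=None):
    """Readable chains from each described product to the named component.
    An empty list means the component (at that version) is not in the tree."""
    packages, deps, roots = load_sbom(sbom_text)
    targets = [pid for pid, p in packages.items()
               if p["name"] == name and (version is None or p.get("versionInfo") == version)]
    label = lambda pid: f'{packages[pid]["name"]}@{packages[pid].get("versionInfo", "?")}'
    return [" -> ".join(label(p) for p in path)
            for target in targets for root in roots
            for path in dependency_paths(deps, root, target)]


def unlicensed(sbom_text):
    """Third-party components with no concluded license (a compliance gap)."""
    packages, _, roots = load_sbom(sbom_text)
    return sorted(p["name"] for pid, p in packages.items()
                  if pid not in roots and p.get("licenseConcluded", "NOASSERTION") in ("NOASSERTION", "NONE"))


if __name__ == "__main__":
    print(affected_by(SAMPLE_SBOM, "zpack"))
    print(unlicensed(SAMPLE_SBOM))
```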

Daily Headlines

Does that sound mundane?  The reality’s far different:  SBOM and related technologies actually play roles in events on the world stage.  For example, on the 12th of May, 2021, US President Biden issued Executive Order 14028 on Cybersecurity Improvement; SBOMs play a prominent role there.  The Open Source Initiative just named Stefano Maffulli its first Executive Director precisely because of the need for mature open source licensing practices.  Dr. Gail Murphy argued in a recent interview that it’s time to recognize that open source software is a “triumph of information-hiding [and] modularity …” in enabling the remarkable software supply chains on which we depend.  Emerging information on breaches including SolarWinds, Rapid7, Energetic Bear, and especially the latest on Juniper’s Dual-EC affair shows how disastrous it becomes when we get those supply chains wrong.  The most prominent breaches in computing history have been tied to component vulnerabilities that seemed peripheral until break-ins demonstrated their centrality.

Drone strikes?  Vaccine efficacy?  Voter fraud?  International commerce?  Nuclear proliferation?  Questions about software and data reliability and fidelity are central to all these subjects, not mere technical tangents.

That’s why SPDX’s management of hierarchical relationships is so crucial.

ISO/IEC 5926:2021 Introduces SBOM Standard

SPDX went live as an official international standard at the end of August.  With that milestone, standardization lowers many of the hurdles to the successful completion of an SBOM project.  Implementation becomes more consistent. “Bookkeeping” about external parts becomes largely a responsibility of the standard.  Software engineers focus more on the details specific to an application.  Then, as those external parts (the ingredients of an SBOM recipe) age and security vulnerabilities are discovered in them, developers can reliably track those components to the applications where they were used and update them to newer, hardened versions. What does that mean for you?  In your own work, the faster you identify and update vulnerable components, the less likely you are to become the next breach headline following an attack.

SPDX’s standardization fits in the frameworks of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).  ISO is a post-war transnational creation that originally focused on bolt sizes, temperature measurements, and medical supplies.  ISO tracks human affairs, of course, and its attention in recent years has shifted from materials to business processes and, in this millennium, to software.  IEC is a prior generation’s initiative to pursue the same kinds of standardization and cooperation, specifically in the realm of electrical machinery; the IEC and ISO often collaborate.

In bald terms, ISO and IEC matter to you as a programmer because governments trust them.  The new standard is sure to make its way rapidly into procurement specifications, especially for government purchases.  Suppliers become accustomed to compliance with such standards and apply them in their practices more generally.  The earlier ISO 9000 collection of standards has already greatly influenced software development.

Important Though Abstract

The impact and scope of ISO/IEC 5926:2021 is a challenge to understand, let alone explain.  On the one hand, millions of working programmers worldwide go about their daily chores with little thought of SPDX or even SBOMs.  While we all know we depend on packages, we largely leave it to Maven, npm, RubyGems, etc., to handle the details for us.  Standardization of SPDX looks like a couple of layers of abstraction, even more remote from the priorities of the current sprint or customer emergency on our desks right now.

And it’s true:  SPDX is abstract, and its technical details look dry to some programmers, the opposite of the “sexy” story many start-ups aspire to.

Without this infrastructure, though, the development of many large, complex, or mission-critical projects would grind to a halt from the friction of communication about proprietary dependencies on open source artifacts.  Think of it on a weight basis:  as the Linux Foundation’s own press release underlines, “… between eighty and ninety percent of a modern application is assembled from open source software components.” SPDX is immensely important at the same time as it’s uninteresting to all but the most specialized practitioners.

Look to history for examples of how momentous this kind of standardization is.  The US’s Progressive movement at the beginning of the twentieth century is instructive.  While often taught in ideological terms, many of its greatest achievements had to do with mundane, household matters:  does a milk bottle actually contain milk?  Can standard doses of medicines be trusted?  Is a “pound” in a butcher’s shop a full sixteen ounces?  Standards in these areas resulted in more convenience and transformed commerce to enable new market arrangements and achievements. That’s the prospect for SPDX:  more transparent and effective management of software dependencies and interactions will have far larger consequences than are first apparent.  Notice, for instance, that while the standard examples of its use have to do with open-source software, the standard itself and the tools that support it can also be applied to proprietary software and other intellectual property.  SPDX doesn’t solve all problems of communicating about dependencies; it goes a long way, though, to clarify the boundaries between technical and legal aspects.

Long Lead Time

The significance and need for secure software supply chains haven’t made SPDX’s adoption easy, though.  Stewart reports that individual companies drag their feet: “why should we do something before we have to?” these profit-oriented companies reasonably wonder.  Even in the best of circumstances, when an industry has largely achieved a technical consensus, “From first proposal to final publication, developing a standard usually takes about 3 years.”

Stewart herself cites this year’s Executive Order as crucial: “the one thing that made a difference” in pushing forward adoption of SPDX in 2021 was the emerging SBOM requirements that followed EO14028.  Much of her own emphasis and achievement of late has been to get decision-makers to face the reality of how crucial their dependence on open source is. No longer can they restrict focus to the 10% of a proprietary product because supply chain attacks have taught us that the 90% they re-use from the software community at large needs to be exposed and managed.

Publication of a standard mirrors application development in having so many dependencies “under the covers.” It’s not just Stewart who worked on this for more than a decade, but, as I’ll sketch in follow-ups through the next month, a whole team of organizations and individuals who each supplied a crucial requirement for completion of ISO/IEC 5926:2021.  When you or I think of great software achievements, our memories probably go to particular winning prototypes turned out over a weekend. Standards work isn’t like that.  The milestones don’t come at the rapid pace we relish. Successful standards hold out the promise, though, of impacting tens of thousands of applications at a time. That’s a multiplier and scalability that deserves more attention and understanding.

SBOMs For Everything

And that’s why ISO/IEC 5926:2021 is good news for us.  We still have licensing and security issues to track down. We still need to attend meetings on governance policies. Management of proprietary details remains delicate.  Every project and product needs its own SBOM, and vulnerabilities will continue to crop up inconveniently. With the acceptance of ISO/IEC 5926:2021, though, there’s enough standardization to implement continuous integration/continuous deployment (CI/CD) pipelines usefully. We can exchange dependency information with third parties reliably. SPDX provides a language for describing dependency management chores. SPDX gives answers that are good enough to focus most of our attention on delivering great new functionality.

The best practices of application development applied by developers as a learned methodology can be something more than an exercise in walking a tightrope of intellectual property restrictions. Enterprise-class proposal requests become more engineering than lawyering.  You have a better shot at being in the news for your positive achievements rather than the security calamities into which you’ve stumbled.

Check in over the next several weeks to learn more about what SPDX means to your own programming, how SPDX is a model for other large-scale collaborations the Linux Foundation enables, and how teamwork is possible across profit-making boundaries.  In the meantime, celebrate ISO/IEC 5926:2021 as one more problem that each project does not have to solve for itself.


Welcomes SoftBank Group to its member ranks

TOKYO, May 25, 2022 – The SODA Foundation, which hosts the SODA Open Data Framework (ODF) for data mobility from edge to core to cloud, today announced two new open source projects: Kahu and Como. Kahu streamlines data protection for Kubernetes and its application data, and Como is a virtual data lake project to enable seamless access to data stored in different clouds. The SODA Foundation also welcomes SoftBank Group as an end-user supporter and key collaboration partner on the Como project.

According to the 2021 SODA Data and Storage Trends Report, two of the top challenges in managing data in containers and cloud-native environments are availability (46%) and management tools (38%).  In direct response to the report findings, the SODA Foundation community collaborated to introduce new tooling options through the Kahu project to improve backup and restore practices critical to data availability.  Furthermore, as enterprises become more data-driven and data growth for some enterprises can exceed 10PB per year, object data management offered by the Como Project will play an important role in performance and scalability requirements for cloud-native environments.

“Data collection, management, and consumption is becoming the new competitive battlefield in IT”, said Steven Tan, chairman, SODA Foundation. “We’re excited to announce Kahu and Como as the latest advances in open source data management and storage. Our 28 members are also excited to welcome the engineers and open source community within SoftBank Group to the Foundation.” 

“Data is the fuel of our global digital economy and harnessing its power requires collaboration on a massive scale”, said Kuniyoshi Suzuki, Senior Director, Cloud Engineering, SoftBank Group.  “Softbank is excited to be joining a community of open source software developers focused on enabling improvements toward data storage, recovery, and retention in cloud environments. We look forward to collaborating with the SODA Foundation and its members, while contributing to the future of this important community.”

New Open Source Releases

In addition to the announcement of Kahu and Como projects, the SODA Foundation also announced the:

  • Release of SODA Framework Madagascar v1.7.0: Formerly Open Data Framework (ODF), SODA Framework comprises independent projects initiated by the community to solve common data and storage problems faced by end users. It includes:
    • Terra: a universal SDS controller for connecting storage to Kubernetes, OpenStack, and VMware environments.
    • Delfin: a performance monitor for heterogeneous storage infrastructure in a single pane of glass.
    • Strato: a multi-cloud data controller using a common S3-compatible interface to connect to cloud storage.
    • Kahu: new project to streamline data protection for Kubernetes and application data.
  • Expansion of its Eco Project Initiative with the introduction of more open source projects:
    • DAOS: a software-defined object store designed from the ground up for massively distributed Non-Volatile Memory (NVM), providing features such as transactional non-blocking I/O, advanced data protection with self-healing on top of commodity hardware, end-to-end data integrity, fine-grained data control and elastic storage.
    • YIG: extends Minio backend storage by aggregating multiple Ceph clusters to form a massive storage resource pool that can easily scale up to exabyte (EB) levels with minimal performance disruption.
    • CubeFS: a cloud-native storage platform used as the underlying storage infrastructure for online applications, database or data processing services and machine learning jobs orchestrated by Kubernetes.
    • Karmada: a Kubernetes management system that enables organizations to run cloud-native applications across multiple Kubernetes clusters and clouds, with no changes to your applications.
    • SBK: an open source software framework for the performance benchmarking of any storage system.

Conferences and Survey

  • SODACODE: this week, developers from around the world will participate in SODACODE 2022 – the Data & Storage Hackathon on May 25 – 26.  The first-of-its-kind coding event organized by SODA Foundation is open to developers from all levels ranging from beginner to advanced. The hackathon will conclude with project demonstrations, presentation sessions, panel discussions and an award ceremony for the hackathon winners.
  • Trend Survey: The SODA Foundation will release its second-annual Data and Storage Trends Survey on June 30, 2022.
  • SODACON: a technical conference held by SODA Foundation, will be held this year in Yokohama, Japan on December 7, 2022. The conference will bring together industry leaders, developers and end users to present and discuss the most recent innovations, trends, and concerns as well as practical challenges and solutions in the field of Data and Storage Management in the era of cloud-native, IoT, big data, machine learning, and more.

Additional Resources

  • Join the SODA Foundation
  • Attend SODACODE 2022 – The Data & Storage Hackathon
  • Read the 2021 Data and Storage Trends Report

About the SODA Foundation

Previously OpenSDS, the SODA Foundation is part of the Linux Foundation and includes both open source software and standards to support the increasing need for data autonomy. SODA Foundation Premiere members include China Unicom, Fujitsu, Huawei, NTT Communications and Toyota Motor Corporation. Other members include China Construction Bank Fintech, Click2Cloud, GMO Pepabo, IIJ, MayaData, LinBit, Scality, Sony, Wipro and Yahoo Japan.

Media Contact

info@sodafoundation.io

###

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

This is a classic article from the Linux.com archives. For more great SysAdmin tips and techniques check out our free intro to Linux course.

With security being the topmost priority in the e-commerce world, the importance of SSL certificates has skyrocketed. Installing an SSL certificate on an online portal has become a basic foundation of a company’s business structure.

But the question is ‘How to install an SSL Certificate on a server?’

It is not necessarily the case that everyone who is into e-commerce has a technical background. E-commerce is all about business, and the owners are mostly businesspeople; likewise, the core team of an e-commerce company is not always fully technical. In such a situation it becomes very difficult for people with minimal technical knowledge to grasp concepts even as basic as SSL certificates or their installation.

This article aims to give a sneak peek into the process of installing an SSL certificate on a Linux server in layman’s terms. This should help non-technical people, too, get a grasp of what it is all about. Of course, every e-commerce company has a core technical team, so they can easily take over from here. But it is always good to have a working knowledge of the process.

The installation of SSL Certificates on a Linux server is very easy. It can be done using a Plesk control panel and also without it.

What is Plesk?

It is a web hosting platform with a very simple configuration. This simple configuration helps web hosting providers manage a lot of virtual hosts easily on a single server. Ever since its inception, Plesk has been a preferred choice for web hosting companies.

How to install an SSL certificate on a Linux Server that has Plesk

1. First Log into the control panel of Plesk.

2. Then, select ‘Domains’.

3. Choose the domain to be updated.

4. In the next step click on the ‘Add New Certificate’ icon.

5. Save the certificate name in the ‘Certificate Name’ box.

One would have the certificate and key files saved on the local computer. These certificate and key files are provided by the certificate authority and are important for the installation.

6. The next step is to find these files. Open them in Notepad or a similar text editor from which the text can be copied.

7. Copy the entire text of the files.

8. Paste them in the correct boxes. Reading through the content and the box name in Plesk will give one an idea where to paste it.

9. Next, click on the ‘Send Text’ button.

10. Go to the ‘Hosting Section’. It is on the domain screen.

11. Click ‘Set-up’ in this section. A drop-down list will appear.

12. Next, choose the new certificate from the drop-down list.

13. Click ‘Ok’ to finish.

How to install SSL Certificate on Linux servers that do not have Plesk

1. The first and foremost step is to upload the certificate and the key files. One can upload the files to the server using S/FTP.

2. Log in to the server. It is important to log in via SSH, because from an SSH session the user can become the root user.

3. Enter the root password.

4. Move the certificate file to /etc/httpd/conf/ssl.crt.

5. Next, move the key file to /etc/httpd/conf/ssl.crt as well.

It is important to ensure the security of the files that have been moved. One can keep the files secure by restricting permissions. Running ‘chmod 0400’ on the key restricts it to read-only access by its owner, which keeps the private key from being readable by other users on the server.

6. Next, go to /etc/httpd/conf.d/ssl.conf. Here the user will find the virtual host configuration set up for the domain.

7. Edit Virtual Host Configuration.

8. Restart Apache.
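The non-Plesk steps 4 to 8 as a script, added here as an example and not taken from the article: it moves the certificate and key to the directory the article names, locks the key down to mode 0400, writes a minimal mod_ssl virtual host, and checks the configuration before restarting. It works against a staging root so it can be dry-run without root privileges; the domain name, document root and PEM contents are constructed.

```python
"""Install an SSL certificate for Apache the way the article describes.

Added example, not the article's code. Works against a staging root (default
"/") so the same logic can be exercised in a temporary directory; the domain
and file contents used by stage_demo() are constructed.
"""
import os
import shutil
import stat
import subprocess
import tempfile
from pathlib import Path


def render_vhost(domain, cert_path, key_path, docroot="/var/www/html"):
    """Steps 6-7: a minimal mod_ssl VirtualHost block for the domain."""
    return (
        "<VirtualHost *:443>\n"
        f"    ServerName {domain}\n"
        f"    DocumentRoot {docroot}\n"
        "    SSLEngine on\n"
        f"    SSLCertificateFile {cert_path}\n"
        f"    SSLCertificateKeyFile {key_path}\n"
        "</VirtualHost>\n"
    )


def key_is_private_to_owner(path):
    """True when the key is mode 0400 (owner read-only), as the article advises."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0o400


def install_certificate(domain, cert_src, key_src, root="/"):
    """Steps 4-7: move cert and key into /etc/httpd/conf/ssl.crt, restrict the
    key, and write /etc/httpd/conf.d/ssl.conf. Returns the paths used.

    Note: the article keeps the key in ssl.crt; many distributions keep keys in
    a separate /etc/httpd/conf/ssl.key directory instead. Adjust to taste.
    """
    root = Path(root)
    crt_dir = root / "etc/httpd/conf/ssl.crt"
    crt_dir.mkdir(parents=True, exist_ok=True)
    cert_dst = crt_dir / f"{domain}.crt"
    key_dst = crt_dir / f"{domain}.key"
    shutil.move(str(cert_src), str(cert_dst))
    shutil.move(str(key_src), str(key_dst))
    os.chmod(key_dst, 0o400)   # chmod 0400: only the owner may read the key
    os.chmod(cert_dst, 0o644)  # the certificate is public and may stay readable
    conf = root / "etc/httpd/conf.d/ssl.conf"
    conf.parent.mkdir(parents=True, exist_ok=True)
    # The directives point at the real install paths, not at the staging root.
    conf.write_text(render_vhost(domain,
                                 f"/etc/httpd/conf/ssl.crt/{domain}.crt",
                                 f"/etc/httpd/conf/ssl.crt/{domain}.key"))
    return {"cert": str(cert_dst), "key": str(key_dst), "conf": str(conf)}


def restart_apache(dry_run=True):
    """Step 8: validate the configuration, then restart. With dry_run the
    commands are returned instead of executed."""
    cmds = [["apachectl", "configtest"], ["apachectl", "graceful"]]
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds


def stage_demo(domain="www.example.com"):
    """Constructed dry run: fake PEM files installed into a temporary root."""
    root = tempfile.mkdtemp()
    cert = Path(root) / "cert.pem"
    key = Path(root) / "key.pem"
    cert.write_text("-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n")
    key.write_text("-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n")
    return install_certificate(domain, cert, key, root=root)


if __name__ == "__main__":
    result = stage_demo()
    print(result, key_is_private_to_owner(result["key"]), restart_apache())
```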

The technicality of installing an SSL certificate may baffle many non-technical people, but once one gets the hang of it, it becomes easy.

Ready to continue your Linux journey? Check out our free intro to Linux course!


The power of a story. I first wrote about this 7 years ago in a series I titled Lessons from a Two Year Old. But it is a reality as old as time itself – humans are wired for stories. We enjoy listening to them, telling them, and they help us to relate to others and to remember things. 

And everyone has a story to tell – many of which haven’t been told yet. 

The Linux Foundation is working on uncovering the previously untold stories of the people in open source. We are showcasing what made each person who they are today and how their journey resulted in some of the top open source projects of all time. Each person is making a positive difference in our world, and each one has their own unique journey.

We will be sharing these stories in our upcoming, aptly named podcast, The Untold Stories of Open Source. It will be formally launched at the Open Source Summit North America and OpenSSF Day in June, but you are in luck and we have soft-launched with a couple of our first episodes, including Priyanka Sharma and Brian Behlendorf. You can listen to the trailer below for a preview of the storytelling you will hear: 



I enjoy listening to the episodes, learning about my colleagues and others who are continuing to affect positive change in our world through open source software. I adore a good story! So, as episodes are released, I will also be writing about each story on the LF blog. You can read about Priyanka’s story here and keep reading to learn about Brian. 

As I was listening to Brian’s story unfold, I kept thinking, how many layers are in this onion? He has so many unique life and professional experiences that shaped his open source story. 

Like myself, Brian was coming of age when PCs were being introduced to the world, Oregon Trail was the game of choice (okay, it was about the only game), and the Internet was still a project at the National Science Foundation. Brian’s parents worked in the science and technology field – they even met at IBM. His father was a COBOL programmer, which gave Brian a look into the world of programming. Imagining a life of coding in basements, away from people, is why he decided against majoring in computer science. I can relate – we both started college in the fall of 1991, and, I too, decided against majoring in computer science because I envisioned a future of myself, a computer, a pot of coffee, and little social interaction. 

The Internet was just getting introduced to the world in 1991 – and Brian, like all incoming freshmen at the University of California – Berkeley, received an email address. With this, he connected with others who shared a common interest in R.E.M. and 4AD and the rave scene around San Francisco. He built a mailing list around this shared interest. Yada…yada… The first issue of Wired magazine mesmerizes Brian in 1993.

Turns out one of the friends Brian met in his music community was working at Wired to get it – well wired. It started as a print newsletter (ironically). His friend, Jonathan, reached out and hired Brian for $100/week to help them get back issues online. Unlike today’s iconic, stunning design, it was black text on a white background. 

Besides just digitizing previously published content, Brian helped produce digital-only content. A unique approach back then. It was one of the first ad-supported websites – hotwired.com. Brian jokes, “I like to say I put the first ad-banner on the web, and I have been apologizing for it ever since.” 

As Brian worked on the content, he had a vision of publishing books online. But, turns out, back then publishers didn’t have the budgets to devote to web content. But bigger brands, looking to advertise on Hotwired, did, and they needed to have a website to point to.  So he joined Organic, a web design firm, as CTO at the ripe age of 22. They built the websites for some of the first advertisers on Hotwired like Club Med, Volvo, Saturn cars, Levis, Nike, and others. 

Back then, Wired and the sites Organic built all ran on web server software developed by students at the University of Illinois, in the same lab that developed the NCSA Mosaic browser. Long before the term open source was coined, software running the web almost always included the source code. Brian notes there was an unwritten code (pun intended) that if you found a bug, you were morally obligated to fix it and push the code upstream so that everyone had it. He and a group of students started working on further developing the browser. Netscape bought the software, which halted ongoing student support for the browser, although the code remains open. Brian and others kept updating the code, and they decided to change the name since it was a new project. Because it was a group of patches, they chose the name Apache Web Server (get it – a patchy server). It now runs an estimated 60% of all web servers in the world. 

As interesting as Brian’s story is to this point, I really have just scratched the surface. The full episode of the podcast shares the rest, from founding Collab.net to a medical records system in Rwanda to working at the White House to his roles at Hyperledger and now OpenSSF and more.

Okay – I have said too much. No real spoilers. You can listen to the full episode now on Spotify, Apple Podcasts, or your favorite podcast app. 

Take time to listen to all of the episodes and let us know what you think (or if you have suggestions of stories to be told). Look for the formal launch at Open Source Summit North America and OpenSSF Day on June 20, 2022. 

There are thousands of incredible open source stories to share and we’re looking forward to bringing more of them your way.  If you like what you hear, we encourage you to add the series to your playlist.  

For those seeking even more open source stories from across the Linux Foundation and the communities we serve, you might start with some of the other storytelling pioneers including: Open Source Stories, FinOpsPod, I am a Mainframer, and The Changelog.  As we grow deeper roots in the podcasting arena, we’ll introduce more news about a network of open source podcasts we plan to grow visibility for.

Have even more time? Feedspot recently covered an additional 40 Open Source Podcasts worth listening to on your morning walk or commute home from the office.