This week in Linux and open source news, the popularity of blockchain amongst banks will continue to surge through 2017, Linus Torvalds refelcts on the anniversary of Linux at LinuxCon Europe, and more! Read on and stay in the know!


Open source jobs report

A new report from The Linux Foundation & Dice finds that Europeans working in open source are well situated in the global job market.

1) Four out of 5 banks will be using blockchain tech by next year, according to the World Economic Forum.

Why J.P. Morgan Chase Is Building a Blockchain on Ethereum– Fortune

2) Linus Torvalds shares thoughts on the past 25 years of Linux at LinuxCon Europe. Legends of Linux Part 1: Linus Torvalds– The Inquirer

3) A new jobs report from The Linux Foundation & Dice shows that open source employees in Europe have it even better than the rest of the world.

It’s Good to Be an Open Source Pro in Europe– ITProPortal

4) With just a mere 48 characters of code, Linux admin and SSLMate founder Andrew Ayer has figured out how to crash major Linux distributions by locally exploiting a flaw in systemd.

Hack Crashes Linux Distros With 48 Characters of Code– ThreatPost

5) Google’s 2D & 3D library for mapping movement in space goes open source.

Google Open-Sources Cartographer 3D Mapping Library– VentureBeat

There are four essential questions a company should ask before it decides to create an open source project, according to Duane O’Brien, open source programs evangelist at PayPal.

  • Who cares?

  • Are we still using it?

  • Are we committing our own resources?

  • Can we develop it all in the open?

This framework, developed by O’Brien’s boss Danese Cooper, is useful in vetting internal software for release as open source projects.

In a nutshell, a company shouldn’t open source software that no one else cares about, that they themselves are not using, that they will not commit developer resources to maintaining, or that they continue to develop in secret without community inclusion. (You can see more details and the rationale behind each question in his blog post on earlier this year.)

“If no one contributes it becomes unmaintained abandonware – a pollutant in the open source ecosystem,” O’Brien said in his talk on the four questions at LinuxCon Europe yesterday.

But what if the answers to these questions are consistently “no?” This is itself a litmus test for a company’s open source knowledge and culture.  

“Use these questions as pointers about what’s going on in the company,” O’Brien said.

1. Who cares?

“If you’re consistently getting: “no one cares,” it’s a good indicator that your technical community isn’t very well connected to the industry,” O’Brien said.  Open source advocates within a company should consider engaging in programs that encourage engineers to join communities and technical discussions. Some examples are:

  • start publishing a podcast

  • start publishing blog posts

  • encourage employees to attend meetups and talks

  • provide travel stipends for employees to attend conferences

  • bring outside experts in to give talks.

2. Are we still using it?

If a company only open sources projects they’re not using anymore, that’s bad corporate practice, O’Brien said. It damages that company’s reputation in the open source community.  

Instead, he recommends looking for what has replaced that defunct code and consider that as an open source contribution.

“Look for exciting things and mine them for open source projects,” he said.

3. Are we committing our own resources?

“If we aren’t committing resources, we’re probably pushing employees and engineers too hard,” O’Brien said. “They should never be asked to maintain open source projects on their own time.”

If a company never commits resources to open source, “it’s also probable that managers don’t understand what a healthy relationship with the open source community looks like,” he said.

More management training on the importance of open source software and how to best use it strategically may be beneficial.

4. Can we develop it all in the open?

And if code cannot be released publicly because developers don’t want anyone else to see it, you may have code quality issues. Or if they’re not willing to engage with the community, which is required to develop in the open, “then there are probably culture issues,” O’Brien said.

These issues can be addressed through employee training and improved code review processes.

Regardless of a company’s answers to the four questions, one of the best things they can do is share what they’ve learned with other developers and companies. It’s good source material for blog posts, white papers, and talks: what you tried, why it didn’t work, and what you’d do next time.

“So the people who come after us can see where we went wrong previously,” he said, and the entire industry can move forward.

Organizations use open source software to gain competitive advantage in many ways: to speed up software delivery, save money on development, to stay flexible, and to stay on the leading edge of technology.

But using open source software, and especially integrating and redistributing it in products and services, carries with it added complexity and risk. Code coming in from multiple sources, under different licenses and with varied quality and maturity levels, can expose organizations to issues with security, integration, support and management — not to mention legal action — if the code is not properly managed.

That’s why companies that successfully leverage open source for business advantage, have established programs to manage their open source development processes.

“When open source is business critical, it predicates the use of professional open source management,” said Bill Weinberg, senior director and analyst of open source strategy at The Linux Foundation. “You need a clear management strategy that aligns with your business goals. And you need efficient processes to ensure that compliance does not discourage participation.”

Professional open source management requires a clear strategy, driven by your organization’s business objectives. It includes well-defined policies and a set of efficient processes that help an organization deliver consistent results with open source software. Below are the seven dimensions of a good corporate open source policy and processes, provided by Weinberg and Greg Olson, senior director of open source consulting services at The Linux Foundation.

Want to learn more about professional open source management? Watch a free replay of Bill Weinberg and Greg Olson’s recent webinar, “Open Source Professional Management  – When Open Source becomes Mission-Critical.” Watch Now.

7 dimensions of open source management

1. Discovery – Provide guidance for developers on how to find and evaluate open source software for use in their work.

2. Review and Approval – A checkpoint to review architectural compatibility, code quality and maturity, known bugs and security vulnerabilities, availability of required support, and license compatibility.

3. Procurement practices – Review and approval for code that enters through commercial procurement, rather than downloading from the Internet.

4. Code management and maintenance – ensures that open source is reliably tracked and archived and that it is supported and maintained at a level appropriate for each application.

5. Community interaction – clear guidelines for developers who interact with outside community members and an approval process for contributions to open source communities.

6. Compliance program – ensures that OSS elements subject to license requirements are identified and implemented.

7. Executive oversight – important for long-term success. Executives should review OSS management operations, participate in and approve open source management policy and approve policy exceptions and significant contributions to community projects. Legal executives should review all new OSS licenses and any licensing policy exceptions.

1) Microsoft’s PowerShell scripting language and command-line shell has been released as open source, meaning that Windows and Azure’s management tools will have a greater reach.

PowerShell is Microsoft’s latest open source release, coming to Linux, OS X– Ars Technica

2) Open source has come so far over the last few decades and perceptions of it have changed in the business world

What People Don’t Get About Open Source– Light Reading

3) Swapnil Bhartiya considers the new Google OSS announcement from this week.

Why Google’s New Linux-Less Fuchsia Operating System is a Huge Deal– CIO

4) The Linux Foundation has taken steps to mitigate Linux security flaw

1.4 Billion Android Devices Affected by Linux TCP Flaw– Softpedia

5) The Linux Foundation’s latest open source project is focused on the “architecture, implementation and support of digital networks.”

Linux Foundation Touts Open-Source PNDA for Network Analytics– Silicon Angle

With more than 25 billion Internet connected things predicted to hit the market by 2020, the “Internet of Things” is evolving from a promise to an everyday reality. Whether it’s how we control our energy usage or secure our homes, smart devices are changing the world we live in and how we live.

IoT, like any disruptive technology shift, brings opportunities as well as challenges. Open source presents an opportunity for IoT to overcome interoperability barriers and innovate at an unprecedented rate. It provides a neutral forum for collaboration at scale and allows developers to contribute and advance software so that IoT products can get to market faster.

One key challenge is choice, and developers have a lot of it. For IoT to deliver on the promise of seamless connectivity, devices need a highly modular platform that can easily integrate with embedded devices. While Linux has proven itself time and again as the de facto operating system choice for embedded development, some IoT devices require a real-time operating system (RTOS) that addresses the very smallest of memory footprints.

To provide an open source solution that complements real-time Linux but keeps critical concerns like security and modularity top-of-mind, we created the Zephyr Project. Zephyr Project is a small, scalable, RTOS designed specifically for small-footprint IoT devices. It is also embedded with development tools and has a modular design so that developers can customize its capabilities and create IoT solutions that meet the needs of any device, regardless of architecture. This enables easier connectivity to the cloud as well as other IoT devices.

Recently the Zephyr Project announced Linaro as its newest member, joining the likes of Intel, NXP Semiconductors and Synopsys. As a global leader in open source development for the ARM ecosystem, Linaro will help drive Zephyr specifications and initiatives, and help the project realize its vision of becoming the premier multi-architecture open source RTOS for IoT.

The Zephyr Project comes at a critical time for the IoT small device development community. As an open source project, Zephyr unites the community to help make small, embedded devices “smarter,” while ensuring ubiquitous connectivity and security in small device infrastructure. It’s an exciting time for IoT, and we encourage anyone interested to join the effort.

1) Wal-Mart announces they will make their application lifecycle management tool available as an open source project.

Wal-Mart Proves Open Source Is Big Business– Forbes

2)  Android Nougat updates protect the kernel’s memory and reduce attack surface.

Google Beefs Up Linux Kernel Defenses in Android– PC World

3) Facebook open sources Surround360 video capture system, with full specs and code on GitHub.

Facebook Releases Open Source Software for Its 360 Degree Camera– Popular Science

4) Flynn open source PaaS includes pieces necessary to get apps running, but doesn’t make use of recent technology.

Open Source Flynn Takes the Headaches Out of App Deployment– InfoWorld

5) Microsoft is making good on its promise to update client regularly.

Skype for Linux Alpha Gets New Functionality in Update– Neowin

1) The Linux Foundation’s Automotive Grade Linux project announces release of Unified Code Base 2.0.

Open-Source Linux a Step Closer to Automotive Use– CNet

2) Though the use of 3rd-party code in enterprise software projects grows, the code still often has open flaws.

Enterprise Software Developers Continue to Use Flawed Code in Apps– ComputerWorld

3) Anyone using a Chromebook/Chrome on Linux can visit to make one-to-one and group voice calls.

Linux Users Can Now Make Skype Calls From the Web in Chrome– TechCrunch

4) AT&T to release virtualisation automation software, amounting to over eight million lines of code.

AT&T’s ECOMP Code to Land Soon at Linux Foundation– The Register

5) New IBM innovation center to deliver tech pilots based on blockchain for finance and trade.

IBM to Open Blockchain Innovation Centre in Singapore– ZDNet

Xen Project technology supports more than 10 million users and is a staple in some of the largest clouds in production today, including Amazon Web Service, Tencent, and Alibaba’s Aliyun. Recently, the project announced the arrival of Xen Project Hypervisor 4.7. This new release focuses on improving code quality, security hardening and features, and support for the latest hardware. It is also the first release of the project’s fixed-term June – December release cycles. The fixed-term release cycles provide more predictability making it easier for consumers of Xen to plan ahead.  

We recently sat down with the Xen Project chairperson, Lars Kurth, to talk about some of the key features of the release and the future of Xen Project technology. Lars will be discussing this topic and more during Xen Project’s Developer Summit in Toronto, CA from August 25-26 — the conference is directly after LinuxCon North America.

Q: What was the focus on this release?

Lars Kurth: There were five areas that we focused on for this release (full details are in our blog). In summary, we focused on security features, migration support, performance and workloads, support for new hardware features, and drivers and devices (Linux, FreeBSD and other).

Security is consistently something that we focus on in all of our releases. There are a lot of people that rely on Xen Project technology and security is our top concern in any release as well as how we organize our process around security disclosures.

Q: What was the biggest feature coming out of this release?

Lars: The biggest feature for us is live patching, which is a technology that enables re-boot free deployment for security patches to minimize disruption and downtime during security upgrades for cloud admins. It essentially eliminates all cloud reboots, making cloud providers and their users much more safe. It also eliminates a lot of headaches for system and DevOps admins of the world.

Q: Xen is often associated with the cloud, but are there additional use cases that you see growing around this technology, if so why?

Lars: We are seeing a lot of growth in terms of contributions, as well as many different use cases emerging, including automotive, aviation, embedded scenarios, security, and also IoT. In addition, we continue to grow within the public cloud sector and traditional server virtualization.

On the security front, for example, a number of vendors such as A1Logic, Bitdefender, Star Lab and Zentific have released or are working on new Xen Project-based security solutions. In addition, the security focused and Xen-based OpenXT project has started to work more closely with the Xen Project community.

Long-time contributors to the Xen Project, such as DornerWorks – a premier provider of electronic engineering services for the aerospace, medical, automotive, and industrial markets – have expanded their scope and are now providing support for the Xen Xilinx Zynq Distribution targeting embedded use-cases. We have also seen an increasing number of POCs and demos of automotive solutions, which include Xen as a virtualization solution.

Growth in these sectors is largely due to the Xen Project’s flexibility, extensibility, customisability and a clear lead when it comes to security-related technologies. Over the last year, we have also seen contributions increase from developers with strong security and embedded backgrounds. In fact, this totaled nearly 17 percent of the overall contributions in this release cycle, up from 9 percent in the previous release.

Q: How did you address these uses cases in this latest release?

Lars: We introduced the ability to remove core Xen Project Hypervisor features at compile via KCONFIG. This creates a more lightweight hypervisor and eliminates extra attack surfaces that are beneficial in security-first environments and microservice architectures. Users will still be able to get the core hypervisor functions, but they won’t receive all the drivers, schedulers, components or features that might not fit their use case.

Essentially it gives people an “a la carte” feature set. They can decide what they need for compliance, safety or performance reasons.

Q: Were there any new contributors for this release that surprised you?

Lars: We had three new companies contributing to the project: Star Lab, Bosch and Netflix. I met engineers from Star Lab for the first time at the 2015 Developer Summit less than a year ago, and helped introduce them to the Project’s culture. In that short period of time, Doug Goldstein from Star Lab has moved into the top five contributors and top 10 code reviewers for the Project.

I was surprised about Netflix’s contributions; I didn’t even know the company used Xen. Netflix improved and secured the VPMU feature, which is incredibly useful for system tuning and performance monitoring. Bosch Car Multimedia GmbH added some new ARM functionality. In addition, we have seen quite a bit of Xen related development in upstream and downstream projects such as Linux, FreeBSD, NetBSD, OpenBSD, QEMU and Libvirt.  

Q: What’s next for Xen Project? Where do you think the technology is heading in the future and why?

Lars: In the last three releases, we introduced several major new features such as PVH, COLO, new schedulers, VMI, Live Patching, Graphics Virtualization, etc. and significant re-work of existing features such as Migration and the Xen Security Modules (XSM). Looking at trends within the community, I expect that stepwise evolution of large new features to continue.

Some new capabilities, such as restartable Dom0’s, and additional techniques to provide more isolation and security, are also likely to appear. In addition, it looks likely that we will see some GPU virtualization capabilities for GPUs that target the ARM ecosystem, although it is not yet clear whether these will be available as open source. I also expect that both Intel and ARM hardware features will be closely tracked.

Some areas, such as new schedulers, XSM, PVH and Live Patching, will see significant efforts to harden and improve existing functionality. The goal is to ensure their swift adoption in commercial products and Linux and BSD distributions. Some features, which are not enabled by default are likely to become part of the Xen Project Hypervisor’s default configuration.

This week in Linux and open source news, Nike releases its open source software on GitHub, Kubernetes’ growth continues as a new version is released, and more! Stay in-the-know with our weekly digest.

1) Nike publishes three open source projects on GitHub and open-sourced the code that powers its own site.

Nike Releases Open-Source Software to Play With the Techies– TechCrunch

2) Kubernetes continues to grow after just one year of being released as a partnership between Google and the Linux Foundation.

Kubernetes Rolls Out its Latest Version– ComputerWorld

3) An interview with NIthya Ruff, industry veteran and leader of SanDisk.

Women in Business Q&A: Nithya Ruff, Director Open Source Strategy, SanDisk– Huffington Post

4) “How have IoT manufacturers failed to be more security conscious?” asks Bruce Byfield in his article about the future of IoT & security.

IoT Security: What IoT Can Learn From Open Source– Datamation

5) Attending LinuxCon North America next month? Don’t miss these co-located events.

LinuxCon Conference Delves Deep into Open Source, Containers and Virtualization– App Developer Magazine