Open source software (OSS) is vitally important to the functioning of society today; it underpins much of the global economy. However, some OSS is highly secure, while others are not as secure as they need to be.

By its very nature, open source enables worldwide peer review, yet while its transparency has the potential for enhanced software security, that potential isn’t always realized. Many people are working to improve things where it’s needed. Most of that work is done by volunteers or organizations outside the Linux Foundation (LF) who directly pay people to do the work (typically as employees). Often those people work together within a foundation that’s part of the Linux Foundation. Sometimes, however, the LF or an LF foundation/project (e.g., a fund) directly funds people to do security work.

At the Linux Foundation (LF), I have the privilege of overseeing focused work to improve OSS security by the very people paid to do it. This work is funded through various grants and foundations, with credits to organizations like Google, Microsoft, the Open Source Security Foundation (OpenSSF), the LF Public Health foundation, and the LF itself.

The LF and its foundations do much more that I don’t oversee, so I’ve only listed the ones I am personally involved with in the interest of brevity. I hope it will give you a sense of some of the things we’re doing that you might not know about otherwise.

The typical LF oversight process for this work is described in “Post-Approval LF Security Funding.” Generally, performers must provide a periodic summary of their work so they can get paid. Most of those summaries are public, and in those cases, it’s easy for others to learn about their interesting work!

Here’s a sample of the work I oversee:

Ariadne Conill is improving Alpine Linux security, including significant improvements to its vulnerability processing and making it reproducible. For example, as noted in the July 2021 report, this resulted in Alpine 3.14 being released with the lowest open vulnerability count in the final release in a long time. Alpine Linux’s security is important because many containers use it. For more information, see “Bits relating to Alpine security initiatives in June” and “Bits relating to Alpine security initiatives in July.”kpcyrd is doing a lot of reproducible build work on Linux distributions, especially Alpine Linux (including on the Raspberry Pi) and Arch Linux. Reproducible builds are a strong countermeasure against build system attacks (such as the devastating attack on SolarWinds Orion). More than half of the currently unreproducible packages in Arch Linux have now been reviewed and classified.David Huseby has been working on modifying git to have a much more flexible cryptographic signing infrastructure. This will make it easier to verify the integrity of software source code; git is widely used to manage source code.Theo de Raadt has also been receiving funding to secure the critical “plumbing” behind modern communications infrastructure:This funding is being used towards improving OpenSSH (a widely-used tool whose security is critical). These include various smaller improvements, an updated configuration file parser, and a transition to using the SFTP protocol rather than the older RCP protocol inside the scp(1) program.It is also being used to improve rpki-client, implementing Resource Public Key Infrastructure (RPKI). RPKI is an important protocol for protecting the Internet’s routing protocols from attack. These improvements implement the RPKI Repository Delta Protocol (RRDP) data transfer protocol and fix various edge cases (e.g., through additional validation checks). The https://irrexplorer.nlnog.net/ service is even using rpki-client behind the scenes.

Nathan Chancellor is improving the Linux kernel’s ability to be compiled with clang (instead of just gcc). This includes eliminating warning messages from clang (which helps to reduce kernel bugs even when gcc is used) and fixing/extending the clang compiler (which helps clang users when compiling code other than the Linux kernel). Unsurprisingly this involves changing both the Linux kernel and the clang/LLVM compiler infrastructure, and sometimes other software as well.In the long run, eliminating warnings that by themselves aren’t bugs is important; developers will ignore warnings if there are many irrelevant ones, but if there are only a few warnings, they’ll examine them (making warnings more useful).Of notable mention for security implications is clang support for Control-Flow Integrity (CFI); this can counter many attacks on arm64, and work will eventually enable x86_64 support.

I oversee some security audits conducted via the Open Source Technology Improvement Fund (OSTIF) when funded through the LF. We (the LF) often work with OSTIF to conduct security audits. We work with OSTIF to define the audit scope, and then OSTIF runs a bidding process where qualified security audit firms propose to do the work. We then work with OSTIF to select the winner (who isn’t always the cheapest — we want good work, not a box-check). OSTIF & I then oversee the process and review the final result. Note that we don’t just want to do audits, we also want to fix or mitigate any critical issues the audits identify, but the audits help us find the key problems. Subject matter experts perform the audit reports, and handling bidding is OSTIF’s primary focus, so my main contribution is usually to help ensure these reports are clear to non-experts while still being accurate. Experts sometimes forget to explain their context and jargon, and it’s sometimes hard to fix that (you must know the terminology & technology to explain it).This work included two security audits related to the Linux kernel, one for signing and key management policies and the other for vulnerability reporting and remediation. I’ve also overseen audits of the exposure notification applications COVID Shield and COVID Green: It’s not part of my oversight of OSTIF on behalf of the LF, but I also informally talk with OSTIF about other OSS they’re auditing (such as flux2, lodash, jackson-core, jackson-databind, httpcomponents-core, httpcomponents-client, laravel, and slf4j). A little coordination and advice-sharing among experts can make everything better.

The future is hard to predict, but we anticipate that we will be doing more. In late July, the OpenSSF Technical Advisory Council (TAC) recommended approving funding for a security audit of (part of) Symfony, a widely-used web framework. The OpenSSF Governing Board (GB) approved this on 2021-08-05 and I expect OSTIF will soon take bids on it.

The OpenSSF is also taking steps to raise more money via membership dues (this was delayed due to COVID; starting a new foundation is harder during a pandemic). Once the OpenSSF has more money, we expect they’ll be funding a lot more work to identify critical projects, do security audits, fix problems, and improve or create projects to enhance OSS security. The future looks bright.

Please remember that this is only a small part of ongoing work to improve OSS security. Almost all LF projects need to be secure, so most foundations’ projects include security efforts not listed here. As noted earlier, most development work is done by volunteers or by non-LF organizations directly paying people to do the work (typically employees). 

The OpenSSF has several working groups and many projects where people are working together to improve OSS security. These include free courses on how to develop secure software and the CII Best Practices badge project. We (at the LF) also have many other projects working to improve OSS security. For example, sigstore is making cryptographic signatures much easier; sigstore’s “cosign” tool just released its version 1.0. Many organizations have recently become interested in software bill-of-materials (SBOMs), and we’ve been working on SBOMs for a long time.

If you or your organization would like to fund focused work on improving OSS security, please reach out! You can contribute to the OpenSSF (in general or as a directed fund); just contact them (e.g., Microsoft contributed to OpenSSF in December 2020). If you’d prefer, you can create a grant directly with the Linux Foundation itself — just email me at <dwheeler@linuxfoundation.org> if you have questions. For smaller amounts, say to fund a specific project, you can also consider using the LFX crowdfunding tools to fund or request funding. Many people & organizations struggle to pay individual OSS developers because of the need to handle taxes and oversight. If that’s your concern, talk to us. The LF has experience & processes to do all that, letting experts focus on getting the work done.

My sincere thanks to all the performers for their important work and to all the funders for their confidence in us!

About the author: David A. Wheeler is Director of Open Source Supply Chain Security for The Linux Foundation.

The post Funded open source security work at the Linux Foundation appeared first on Linux Foundation.

The Linux Foundation is ecstatic to return to in-person events next month; we know how important these face-to-face gatherings are to accelerating collaboration and innovation in the open source community. 

We know you have questions surrounding health and safety at in-person events and want to pause for a moment to address these. Rest assured – your health has been at the forefront of every move and decision we have made as we make a safe return back to in-person events.  

Let’s start here with some items from behind the scenes.

The LF has a long-standing relationship with Dr. Joel Selanikio, a physician, former CDC epidemiologist and outbreak investigator, and consultant epidemiologist to the DC Department of Health and to FEMA for the COVID-19 response over 2020-21. Thanks to Dr. Selanikio’s council over the last two years, we have been able to take educated and well-thought out steps to ensure the safety of our community members as we navigate COVID-19. We are working closely with local Departments of Health to ensure we are following all local requirements and recommendations. We are continuing to monitor and follow all CDC, WHO and PHE/NHS (in the UK) guidelines, in addition to those of the local municipalities in which we are holding events.We are checking in with our venues and vendors multiple times a week to ensure we are staying up-to-date on best practices and regulations.Finally, The Linux Foundation Event Team have all been certified in handling Pandemic On-Site Protocols (by the Event Leadership Institute). The team is vaccinated, trained and equipped to handle safety protocols and procedures at our events and are more than happy to assist you onsite and ensure you are comfortable.  

Vaccines, masks and everyone’s new favorite phrase: social distancing.

As announced previously, in-person attendees will be required to be fully vaccinated against the COVID-19 virus. A vaccine verification app will be used to confirm vaccination status.Additionally, masks will now be required for in-person attendance.All event participants will receive a daily temperature check in order to enter the event zone and will receive a sticker to be able to enter and exit as needed.Comfort level wristbands (in green, yellow, and red) will be provided for event participants to use if they choose to indicate their preference on social distancing comfort level. 

All of the above protocols are in place for LF and LF Project events (like KubeCon + CloudNativeCon) through November 2021.

We are working closely with each of our venues and their local jurisdictions to ensure we are following all local requirements and recommendations. Here are some items you can expect on-site at any of our events through November:

Reduced conference room capacity: space between you and your neighbors.More physical space between speakers and attendees: so speakers can present without their masks (and you can hear them clearly!).Wider aisles and thoroughfares through event spaces.Sponsor booths spread further apart in the exhibit hall as well as wider aisles. Socially distanced areas for eating/drinking and mask breaksClose organization with venues: to ensure rigorous onsite cleaning and sanitizing of all touch points, sneeze guards where necessary, and sanitation stations.

You can view a full list of onsite safety procedures on the Health and Safety page, under the “Attend” tab on all event microsites at events.linuxfoundation.org.

Quick Links

View Open Source Summit + ELC + OSPOCon Health and Safety page

View Open Networking + Edge Summit & Kubernetes on Edge Day Health and Safety page

View KubeCon + CloudNativeCon Health and Safety page

We are keeping our health and safety guidelines updated regularly, and adding to the FAQ as necessary.  If these resources do not answer a question you may have, reach out to us at events@linuxfoundation.org.

After much research and with guidance from Dr. Selanikio, we believe the combination of vaccination and mask requirements, along with the other protocols we are putting in place, provides a safe environment for our in-person event participants.

We understand that not everyone will be able to join us in-person due to a variety of factors, which is why we are delighted to offer attendees the ability to participate in our events virtually. To learn more about the different pass options, click on the “Register” tab on any of our event websites.

We hope this information brings you assurance that keeping you and all our event participants safe is top of mind – and will continue to be as we make each and every decision. A big THANK YOU to the entire open source community for your understanding during this fluid COVID-19 situation and this very challenging time in our history. We look forward to seeing you at our events this fall!

The post Vaccines + Masks for Safe In-Person Events – Read About All On-Site Safety Protocols appeared first on Linux Foundation.

Four-plus years of collaboration, 190+ contributors, 8 million+ container downloads, new retail project ORRA, EdgeX Ready, and foundation for future, long-term support pave the way for Ireland release

SAN FRANCISCO – August 3, 2021 – EdgeX Foundry, a project under the LF Edge umbrella organization within the Linux Foundation, today announced it’s Ireland release. Focused on edge/IoT solutions, EdgeX Foundry’s second major release overhauls API sets, removes technical debt, provides more message-based communications, and simplifies and secures interface for adopters and developers, making the platform significantly easier to use and more reliable. 

“As a leading stage 3 project under LF Edge, the EdgeX Ireland release has expanded use cases across retail, building automation, smart cities, process control, and manufacturing,” said Arpit Joshipura, general manager, Networking, Edge & IoT, at the Linux Foundation. “It’s a key to standardizing IoT frameworks across market verticals.”

“This release sets in motion the opportunity for EdgeX to offer its first ever LTS or long-term support release as soon as the fall.  This is a significant commitment on the part of our open-source community to all adopters that says we stand with you, prepared to help support your use of EdgeX in real world, scalable, production deployments,” said Jim White, chief technical officer,  IoTech,  and EdgeX Foundry Technical Steering Committee Chair. 

Ireland Feature Highlights

Standardized and modernized northbound and southbound APIs enrich ease of interoperability across the IoT frameworkAdvanced security is built into the APIs, message bus, and internal architecture of EdgeXNew device services (southbound) and new app services (northbound) included in Ireland are also inherently secure (e.g., GPIO, CoAP, LLRP, UART)

Commercialization & Use Case Highlights

Open Retail Reference Architecture (ORRA): a new sub-project that provides a common deployment platform for edge-based  solutions and IoT devices. ORRA is a collaboration with fellow LF Edge projects Open Horizon and Secure Device Onboard, incubated by EdgeX Foundry.The new Edgex Ready program highlights users and organizations that have integrated their offerings with solutions leveraging EdgeX;  a precursor to a community certification program. Learn how to become EdgeX Ready through the project’s Wiki page. 

Learn more about Ireland’s feature enhancements in this blog post. 

Plans for the next EdgeX release, codenamed ‘Jakarta’ are expected in Q4’ of 2021. 

For more information about LF Edge and its projects, visit https://www.lfedge.org/

About the Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more.  The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Additional Quotes and Community Support

”Beechwoods Software has been a contributing member of EdgeX Foundry since its inception and chairs the Certification Working Group. EdgeX technology is at the core of our EOS IoT Edge platform offering for which we are readying our version 2 release based on the latest EdgeX code base. Beechwoods is pleased with the growing momentum of EdgeX Foundry and look forward to continuing our support and collaboration,” said Michael Daulerio, Vice President of Marketing and Business Development at Beechwoods Software, Inc.

“Canonical is a founding member of the EdgeX Foundry project and has provided technical leadership in the technical steering committee from day one. The Ireland (aka 2.0) release of EdgeX introduces much improved V2 REST APIs, a transition to a secure message bus for data ingestion, and many additional improvements to the security of EdgeX. The cross-company cooperation that contributed to the success and timeliness of this release once again demonstrates the power of open source development. Snaps of the Ireland release of EdgeX are available from the Snap Store using the new 2.0 track, and can be used to build secure enterprise-grade EdgeX deployments using Ubuntu Core 20,” said Tony Espy, technical architect / IoT & Devices, Canonical, and at-large  EdgeX Foundry TSC member. 

“EdgeX Foundry continues to serve as the basis for our Edge Xpert product.  As such, we see the release of EdgeX 2.0 as critical to our company’s success in support of our customers.  It provides the ability for IOTech to add new features and add more value given the new APIs, support for more messaging and overall simplifications of the platform.  On top of that, the move toward an LTS release in the fall based on EdgeX 2.0 is an important milestone of support shown by the EdgeX community.  LTS tells adopters like IOTech that the EdgeX ecosystem stands behind them and is there to provide a scalable, reliable, and robust platform that can be used in production ready solutions,” said Keith Steele, CEO, IOTech Systems. 

Resources:

Download Edge Ireland via Docker Compose:  https://github.com/edgexfoundry/edgex-compose/tree/irelandRead the Wiki: https://wiki.edgexfoundry.org/display/FA/IrelandFind more details in our latest blog: Announcing EdgeX 2.0 – the Ireland ReleaseLearn more about ORRA and join the project: https://wiki.edgexfoundry.org/display/FA/Open+Retail+Reference+Architecture: EdgeX Ready: https://wiki.edgexfoundry.org/display/FA/Open+Retail+Reference+Architecture 

The post EdgeX Foundry Releases the Most Modern, Secure, and Production-Ready Open Source IoT Framework appeared first on Linux Foundation.

Hosted by The Linux Foundation, along with LF Networking, LF Edge and the Cloud Native Computing Foundation, this is the industry’s premier open networking & edge computing event gathering developers, architects and business leaders across enterprises, government, global services providers and cloud for education, inspiration and collaboration.

SAN FRANCISCO, July 29, 2021 —  The Linux Foundation, the nonprofit organization enabling mass innovation through open source, along with co-hosts LF Edge, LF Networking, and Cloud Native Computing Foundation (CNCF) today announced the full schedule for Open Networking & Edge Summit + Kubernetes on Edge Day. The events are taking place October 11-12 in Los Angeles, California and are being co-located with KubeCon + CloudNativeCon North America, among others. The schedule can be viewed here.

Open Networking & Edge Summit (ONE Summit) is THE event for End to End Connectivity Solutions powered by Open Source. It enables the collaborative development necessary to shape the future of networking and edge computing; between companies, across industry verticals and between developers, architects and business leaders. 

Kubernetes on Edge Day, held alongside ONE Summit, gathers developers and adopters to share lessons learned in building, breaking, and bettering their edge infrastructure on top of Kubernetes.

The events will feature an extensive program of 80+ talks covering the most important and timely topics across networking & edge and business & technical sessions. Conference session tracks include: Enterprise Networking & Edge, Cloud Networking & Edge, Kubernetes on Edge, The New Service Provider (Open Core, Unified Edge & Universal Access) and Business Critical & Innovation.

“This year’s ONE Summit will once again bring together industry luminaries, representing edge, core, cloud, enterprise, RAN, and more,” said Arpit Joshipura, General Manager, Networking, Edge, and IoT, The Linux Foundation. “With both in-person and hybrid options for attending, this year’s event promises to be even more collaborative and inspiring than ever.”

Confirmed Keynote Speakers:

Koby Avital, Executive Vice President of Technology Platforms, WalmartYves Bellégo, Director Network Strategy, OrangeSrini Kalapala, VP – Technology Strategy and Network Cloud, VerizonReg Orton, Chief Technology Officer, BRCKShah Rahman, Engineering Lead, FacebookPriyanka Sharma, General Manager, Cloud Native Computing Foundation

Additional keynote speakers will be announced shortly.

Conference Session Highlights:

Living the Dream: Achieving Cloud Native Network Function Deployment at the Edge – John Belamaric & Stephen Wong, Google (Enterprise Networking & Edge Track)Choosing from the Many Flavors of Edge – KubeEdge, OpenYurt, K3S, and K8S – Malini Bhandaru & Enyinna Ochulor, VMware; Yin Ding, Futurewei; Itohan Ukponmwan, Salesforce; and Fei Guo, Alibaba (Kubernetes on Edge Day)Building Modern Cloud-Native Network Services with ONAP – Ranny Haiby, Samsung; Catherine Lefèvre, AT&T; Łukasz Rajewski, Orange; Seshu Kumar, Huawei; and Byung-Woo Jun, Ericsson (The New Service Provider Track)Brewing Coffee Beyond the Edge: A Hardware Engineer’s Guide to Kubernetes – Pedro Leao da Cruz & Alex Chalkias, Canonical (Kubernetes on Edge Day)5G – Prioritizing Security Now – Brian C. Newman, Verizon (Business Critical & Innovation Track)Lessons Learned from Cloud-Native Design of Network Functions – Xuxia Zhong & Qihui Zhao, China Mobile (Cloud Networking & Edge Track)

Registration (in-person) is offered at the early price of US$950 through Aug 4. In-Person Academic and Hobbyist Passes are available for US$575 and Student Passes for US$275. Registration to attend virtually is US$50 for all attendee types.

Members of The Linux Foundation, LF Networking, LF Edge and CNCF receive a 20 percent discount off registration and can contact events@linuxfoundation.org to request a member discount code. 

Attendees looking to attend ONE Summit + Kubernetes on Edge Day and KubeCon + CloudNativeCon can register for all events through the KubeCon + CloudNativeCon registration form and add their ONE Summit registration at a discounted rate (US$599 for Corporate or US$399 for Individual or Academic).

Diversity & Need-Based Scholarships and Travel Funding
Applications for diversity and need-based scholarships are currently being accepted here. The Linux Foundation’s Travel Fund is also accepting applications, with the goal of enabling open source developers and community members to attend events that they would otherwise be unable to attend due to a lack of funding. We place an emphasis on funding applicants who are from historically underrepresented or untapped groups and/or those of lower socioeconomic status. To learn more and apply, click here.

Health and Safety
In-person attendees will be required to be fully vaccinated against the COVID-19 virus and will need to comply with all on-site health measures, in accordance with The Linux Foundation Code of Conduct. To learn more, visit the Health & Safety webpage and read our blog post.

Sponsor
Open Networking & Edge Summit + Kubernetes on Edge Day is made possible thanks to our sponsors, including Diamond Sponsor: Intel, Platinum Sponsor: IBM, and Gold Sponsor: Cloud Native Computing Foundation. For information on becoming an event sponsor, click here or email us for more information and to speak to our team.

Press
Members of the press who would like to request a press pass to attend should contact Kristin O’Connell.

About the Linux Foundation
Founded in 2000, the Linux Foundation is supported by more than 2,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more. Learn more at linuxfoundation.org.

About LF Networking
LF Networking is the umbrella organization fostering collaboration and innovation across the entire open networking stack. LFN software and projects provide platforms and building blocks for Network Infrastructure and Services across Service Providers, Cloud Providers, Enterprises, Vendors, and System Integrators enabling rapid interoperability, deployment, and adoption. Learn more at lfnetworking.org.

About LF Edge
LF Edge is an umbrella organization for open source projects that aims to establish an open, interoperable framework for edge computing independent of hardware, silicon, cloud, or operating system. It fosters collaboration and innovation across a range of industry verticals, all of which stand to be transformed by edge computing. Learn more at lfedge.org.

About Cloud Native Computing Foundation
Cloud native computing empowers organizations to build and run scalable applications with an open source software stack in public, private, and hybrid clouds. The Cloud Native Computing Foundation (CNCF) hosts critical components of the global technology infrastructure, including Kubernetes, Prometheus, and Envoy. Learn more at cncf.io.

Linux Foundation Events are where the world’s leading technologists (90,000 a year) join together to learn, share and collaborate in order to advance innovations that support the world’s largest shared technologies. Visit our website and follow us on Twitter, Linkedin, and Facebook for all the latest event updates and announcements.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds. 

###

Media Contact
Kristin O’Connell
The Linux Foundation
koconnell@linuxfoundation.org

The post Keynote Speakers and Conference Schedule Announced for Open Networking & Edge Summit + Kubernetes on Edge Day 2021 appeared first on Linux Foundation.