
Google Cloud, Société Générale, American Express, Point72, Mirantis, and The Digital Dollar Project Join FINOS, as Open Source Collaboration Becomes Increasingly Critical Across the Global Financial Ecosystem

The Fintech Open Source Foundation continues to expand support across all constituents and geographies with increased buy-side, cloud and financial technology representation

New York, NY – May 31 – The Fintech Open Source Foundation (FINOS), the financial services umbrella of the Linux Foundation, announced today the addition of six new corporate members: Google Cloud, Société Générale, American Express, Point72, Mirantis, and The Digital Dollar Project. Building upon its 19 new Members in 2021 and its recent addition of Wellington Management Company to its Governing Board, FINOS now has 57 corporate members, ushering in a new era of open collaboration across the global financial services industry.

These new members, as well as the entire FINOS ecosystem, will meet in London on July 13 at its annual Open Source in Finance Forum.

This addition of new members reinforces FINOS’ position as the arena of choice to build the next generation of financial technologies on common standards and open source components for financial institutions on both the sell-side and buy-side, fintechs, cloud companies, regulators, industry consortia and individual contributors. FINOS continues to see growth in the number and diversity of its corporate members across the world, with more than a 35% increase in the number of members year-over-year, fueling a community of more than 1,200 active contributors. This announcement is particularly significant as the engagement of cloud vendors and new buy-side firms signals widespread reception of open source return on investment across the technology value chain as a whole.

“We are at a pivotal moment in our evolution as a Community, where literally every constituent of the industry has come to the realization that open source collaboration has the concrete potential to bring to life the vision of a highly efficient, interoperable and developer-friendly global financial technology stack,” said Gabriele Columbro, Executive Director of FINOS. “From cloud and open source leaders heading the charge to some of the historically most conservative firms in the world now rolling out Open Source Program Offices (OSPOs), we are incredibly proud to see global recognition of the value in open source and of the role FINOS played in this evolution.” 

Meet the new members 

Google Cloud becomes the first global cloud service provider joining FINOS as a Gold member. Google Cloud will contribute to critical efforts for cloud deployments in financial services like the FINOS Open RegTech and Compliant Financial Infrastructure initiatives, aimed at driving adoption of FINOS open source projects in the cloud. 

“For more than 20 years, Google has helped shape the future of computing with its technology leadership and support across the open source ecosystem,” said Zac Maufe, Director, Financial Services, Google Cloud. “We are thrilled to join FINOS and its community of companies and people dedicated to open source. As the financial services industry accelerates its adoption of cloud technologies, FINOS open source projects will deliver valuable support to both our customers and the financial services tech community at large.”

Société Générale (SocGen), a French multinational investment bank and financial services company, joins FINOS as a Gold member, representing an important addition to the European sell-side representation in FINOS. This comes on the heels of the Linux Foundation amplifying its global focus with the recently announced inaugural European World of Open Source: 2022 Europe Spotlight Survey, a testament to the truly global nature and potential of the open source Community.

“Société Générale implemented an ‘Open Source First’ policy in 2017 and established its Open Source Program Office (OSPO) in 2020,” said Alain Voiment, CIO for Group digital foundations and corporate functions, Société Générale. “Over the years, our focus has been to evolve in the open source journey by deriving benefits from infrastructure layer to applicative layer to business value add while engaging our developers’ community. As we become a more ‘tech enabled’ company leveraging the power of IT, digital, and data, we continue to foster our innovation capacity in bringing added value for our clients. Collaboration with FINOS is the right step in this direction and there couldn’t be a better time to embark on this journey.”

Our third Gold member, American Express, is dedicated to delivering digital products and services that enhance the lives of its customers, and believes open source is a key component in supporting innovative growth across the industry.

“Our technology philosophy focuses on delivering increased scale and efficiency, improved speed to market, high-quality, and security, while always keeping our customer at the center of all we do,” said Hilary Packer, Executive Vice President & Chief Technology Officer, American Express. “We’re excited to join FINOS because of the opportunities it will provide to collaborate with and contribute to the community, while supporting our ongoing adoption of open-source software, standards, and best practices, which in turn will help drive the continued success and growth of our company.”

FINOS also continues to expand the open source technology footprint among buy-side institutions to deliver innovation among the investment and asset management industries. Firms now have the ability to leverage open source connectivity, through projects like FDC3 that bolster interoperability with the sell-side, to access the market quickly in a vendor agnostic fashion. Newest Silver member Point72, a global asset manager which invests in multiple strategies and asset classes, was the first buy-side firm to join FINOS earlier in 2022, signaling their leadership and strong focus on the use of open source in this industry sector.

“Open source has emerged as an increasingly important driver of innovation in leading technology organizations within financial services,” said Mark Brubaker, Chief Technology Officer at Point72. “Our decision to join FINOS reflects our belief that open source collaboration raises all boats, benefiting all organizations and technologists.”

Mirantis, an established open source leader and cloud management platform that helps organizations easily ship code on public and private clouds, also joined FINOS as a Silver member.

“We are proud and excited to join FINOS,” said Andy Wild, Chief Revenue Officer of Mirantis. “With the rapid adoption of Cloud Native Technologies driven by Kubernetes in the financial industry, Mirantis understands that collaboration is the fastest path to innovation, and our open source based products and services have helped to drive innovation and growth for our financial customers for years. Joining FINOS, we look forward to having the opportunity to further align with the needs of the financial industry.”

FINOS also welcomes its latest Associate member, The Digital Dollar Project, a leading private-public partnership advancing the study and exploration of a potential U.S. Central Bank Digital Currency (CBDC), an initiative FINOS recently announced its support for in Davos.

“New advances in financial technology, including CBDCs, have the power to transform economies and connect people, governments, and businesses, locally and globally,” said Jennifer Lassiter, Executive Director of The Digital Dollar Project. “We know that experimentation and information sharing are critical to innovation, which is why we are thrilled to contribute to open source solutions as a new addition to the vibrant FINOS community.”

The addition of new Gold, Silver and Associate members marks continued forward momentum of FINOS’ mission to drive mass open source adoption across all facets of the financial services industry, strengthening its position as the leading organization supporting the industry as they collaborate on vital areas, such as interoperability, data standards, and open source security.

To learn more about joining FINOS as a member, visit the Membership Benefits page. Meet the FINOS team in London on July 13 at its annual Open Source in Finance Forum.

About FINOS

FINOS (The Fintech Open Source Foundation) is a nonprofit whose mission is to foster adoption of open source, open standards and collaborative software development practices in financial services. It is the center for open source developers and the financial services industry to build new technology projects that have a lasting impact on business operations. As a regulatory compliant platform, the foundation enables developers from these competing organizations to collaborate on projects with a strong propensity for mutualization. It has enabled codebase contributions from both the buy- and sell-side firms and counts over 50 major financial institutions, fintechs and technology consultancies as part of its membership. FINOS is also part of the Linux Foundation, the largest shared technology organization in the world. Get involved and join FINOS as a Member.

Media Contact:
Catharine Rybeck 
Caliber Corporate Advisers 
catharine@calibercorporateadvisers.com 

The post Google Cloud, Société Générale, American Express, Point72, Mirantis, and The Digital Dollar Project Join FINOS, as Open Source Collaboration Becomes Increasingly Critical Across the Global Financial Ecosystem appeared first on Linux Foundation.

How to enable live kernel patching on Linux

Kernel live patching is a great way to keep your infrastructure updated while minimizing manual work and avoiding system restarts.

Read More at Enable Sysadmin

6 deprecated Linux commands and the tools you should be using instead

Swap your old Linux commands for new and improved alternatives that provide the same functionality, if not more.

Read More at Enable Sysadmin

Lesson Learned: Always Listen to Mom

This article originally appeared on the Open Mainframe Project’s blog. The author, Maemalynn Meanor, is a senior public relations and marketing manager at The Linux Foundation. 

In honor of Asian Americans and Pacific Islanders (AAPI) Heritage Month, I wanted to share something my mother passed on to me.

I’ve worked in communications and public relations for the technology industry for almost 20 years. I’ve had to learn new industries, competitors, the intricacies of different technologies and how to interpret engineering language.

In all of these roles – no matter where I was – one thing remained the same. I was often the only Asian woman in the room. Without a roadmap or someone to look up to as an example of what to do, I often leaned on my mom, because standing in a room full of men who made me doubt myself was scary and intimidating. Always.

Whether it was in person or via Webex or phone, nothing is worse than that moment when you say something and all the men in the room pause. Sometimes, they’ve agreed with my recommendations. Sometimes, they shot it down. One time, someone mansplained my idea back to me and then everyone in the room agreed that “that” idea was better than mine.

My mom always had the same advice. Trust yourself. Let your heart work with your mind – the strength of it encompasses not just things I learned in school but things my parents taught me about my family and my Thai heritage and culture.

She said this often. But there were times when I ignored her advice. I didn’t trust myself.

I remember one particular time more than a decade ago that I decided to distance myself from my heritage. I didn’t want to be the Asian woman in the room. I even tried to not be the woman in the room. I tried to be part of the “boy’s club.” I laughed at the inappropriate jokes. I was quiet when they complained about women leaders and used derogatory language.

This made me feel terrible about myself, my work and my life in general. I was going through the motions and no longer enjoyed my work, nor did I like my surroundings. But I kept going. It was my job after all.

A few months later, I was asked to go back to my college and meet with the Asian Students in Alliance (ASIA) club, which I was the former Vice President of, about my career in public relations and communications.

I struggled with this – am I really going to walk into a room full of bright Asian students and tell them that their culture doesn’t belong in the workplace? Am I okay with telling them to not highlight their differences and to not be proud of their culture? Am I really going to tell a room full of beautiful people from different Asian backgrounds – to just try to “blend in?”

No. My mom raised me better than that.

So I took her words and repeated them over and over again. Trust yourself. Believe in you. Let your heart and mind lead you where you need to be because they have the support of all your ancestors, your heritage and your traditions.

That night, I told my mom she’s right. I believe her response was “I know. I’m right about everything. Always. Don’t forget that.”

I am still sometimes the only Asian woman in the room but I’m happy to say that it’s not as often as it used to be. Now, there are more diverse backgrounds, more women, more voices – more of everything. It’s becoming easier to be who you are and love what you represent inside the workplace. This sense of belonging is something I don’t take for granted and will always be thankful for.

The post Lesson Learned: Always Listen to Mom appeared first on Linux Foundation.

Your Path to More Knowledge and Opportunities

I confess I am a lifelong learner – addicted to learning about new things and gaining new skills. So, when I started at The Linux Foundation, I was excited to see the depth and breadth of the training we offer (and employees have access to the catalog, so you should work here). It is truly impressive. And it makes sense. After all, the LF mission is to create the greatest shared technology investment in history by enabling open source collaboration across companies, developers, and users. Training is a necessary part of that. 

For starters, we practice what we preach. Every employee – and I mean every employee, from admin to engineering – is required to take 9 different LF training courses to get an in-depth overview of open source methodologies:

Open Source 101
Open Source Introduction
A Beginner’s Guide to Open Source
Open Source Licensing Basics for Software Developers
Open Source Business Strategy
Effective Open Source Program Management
Open Source Development Practices
Open Source Compliance Programs
Collaborating Effectively with Open Source Projects

Each of these courses is also offered to the public through the LF Training and Certification portal.

LF Training and Certification Portal

Speaking of the portal, this is your one-stop-shop for all of our training and certification resources. It hosts our training programs created by well-respected developers that cover the most important open source projects and includes opportunities for certification exams. It is all vendor-neutral, providing foundational knowledge and skills in the technologies running the modern world. 

You can access 30+ e-learning courses, 20+ instructor-led classes, 12+ certification exams, and 40+ free massive open online courses (MOOCs) in partnership with edX. (I just signed up for a blockchain one with 96,000 of my closest friends).

If there is a specific field of study you want to focus on, there are learning paths for: 

Application Development
Blockchain
Cloud and Containers
Cybersecurity
DevOps and Site Reliability
Embedded Development
Linux Kernel Development
Networking
System Administration
Systems Engineering and Architecture

In short, there is something for you, and you can join the 2 million+ students who have enrolled and the 50,000+ professionals who have already earned certifications.

Developing Secure Software Course

I do want to highlight a course that came up during the Open Source Software Security Summit II a couple of weeks ago. The importance of teaching secure software development principles was one of the recommendations to improve the resiliency of open source software. Good news – the LF offers the “Developing Secure Software” (LFD121) course. It focuses on the fundamentals of developing secure software. Both the course and certificate of completion are free. It is entirely online, takes about 14-18 hours to complete, and you can go at your own pace. Those who complete the course and pass the final exam will earn a certificate of completion valid for two years. 

It is geared towards software developers, DevOps professionals, software engineers, web application developers, and others interested in learning how to develop secure software. It focuses on practical steps that can be taken, even with limited resources, to improve information security. 

Why is it needed? Many software developers have never been told how to effectively counter the ever-increasing barrage of cyberattacks. This course explains the fundamentals of developing secure software. A basic security principle – build it more secure in the beginning and you will spend less time fending off attacks later. From the course description: 

This course starts by discussing the basics of cybersecurity, such as what risk management really means. It discusses how to consider security as part of the requirements of a system, and what potential security requirements you might consider. This first part of the course then focuses on how to design software to be secure, including various secure design principles that will help you avoid bad designs and embrace good ones. It also considers how to secure your software supply chain, that is, how to more securely select and acquire reused software (including open source software) to enhance security. The second part of this course focuses on key implementation issues: input validation (such as why allowlists should be used and not denylists), processing data securely, calling out to other programs, sending output, and error handling. It focuses on practical steps that you (as a developer) can take to counter the most common kinds of attacks. The third part of the course discusses how to verify software for security. In particular, it discusses the various static and dynamic analysis approaches, as well as how to apply them (e.g., in a continuous integration pipeline). It also discusses more specialized topics, such as the basics of how to develop a threat model and how to apply various cryptographic capabilities.

You can learn more about the course and enroll for free here.

Future Announcements 

We are always working to improve and expand what we offer. There are a lot of exciting announcements coming up next month during the Open Source Summit North America, including insights from our 10th Annual Open Source Jobs Report, the winners of the 500 LiFT Scholarships for 2022, some new training courses, and more. Even if you aren’t able to attend, keep an eye out for our announcements. Some exciting stuff, but I have said too much already. Sign up for the newsletter so you are the first to know when new courses are offered, and – arguably more importantly – get access to promotions. I mean – new skills and saving money, how can you say no?

I hope you have an opportunity to take some of our courses and become certified. You will be a better person for it.

Open Mainframe Project Announces Major Technical Milestone with Zowe’s Longer Term Support V2 Release

Open Mainframe Project Zowe

Zowe LTS V2 increases product stability, security and interoperability and ensures longevity compatibility with the Conformance and Conformant Support Provider Programs

SAN FRANCISCO, May 26, 2022 – The Open Mainframe Project announced today that Zowe, an open source software framework for the mainframe that strengthens integration with modern enterprise applications, marks a major technical milestone with the Long Term Support (LTS) V2 release. The second version, which comes 2 years after the first LTS release, will offer vendors and customers product stability, security, interoperability as well as easy installation and upgraded features.

“As organizations expand their hybrid cloud workloads, the Zowe framework evolves to address critical architectural requirements,” said Rose Sakach, Chair of the Zowe Technical Advisory Committee and Product Manager at Broadcom. “Since its launch in 2018, Zowe has become a foundational enabler to businesses’ hybrid IT strategy. The LTS V2 Release will continue to strengthen this value with developer-friendly features and benefits.”

Benefits of the LTS V2 include:

Stability: Organizations can confidently adopt the technology for enterprise use and upgrade when appropriate for their environment, minimizing the risk of disruption.
Interoperability: Zowe consumers can be assured LTS-conformant extensions have adapted to and support LTS features.
Longevity: Zowe is designed for years of use and plans are in place for continued updates and support.

Open Mainframe Project launched Zowe, the first-ever open source project based on z/OS, in 2018 to serve as an integration platform for the next generation of administration, management and development tools on z/OS mainframes.  The Zowe framework uses the latest web technologies among products and solutions from multiple vendors. Zowe enables developers to use familiar, industry-standard, open source tools to access mainframe resources and services.

Feedback and interest in Zowe have been noteworthy. Since January 2022, Zowe has more than:

130,000 downloads
87,000 page views and 16,000 visitors of zowe.org
520 contributors

Key features of Zowe LTS V2 include:

More security features built in to ensure data and user credentials are always encrypted and safe.
A new daemon mode delivering performance improvements for the command line interface.
Configuring Zowe is faster and easier, shortening time to value.
More engagement and collaboration between team members using Zowe for modern DevOps at scale.
New APIs created by the community.

For more features, click here.

“Zowe continues to innovate as a direct result of the contributions, leadership and passion of the global open source community,” said John Mertic, Director of Program Management for the Linux Foundation and Open Mainframe Project. “Zowe shows no sign of slowing momentum and the LTS V2 release demonstrates our commitment to interoperability, stability and security.”

Other Zowe Updates

Zowe Chat, a new incubator project that extends z/OS use by focusing on working with mainframes from chat clients such as Slack, Microsoft Teams and Mattermost (with extensibility for other solutions). A set of commonly used scenarios will be provided, and the framework will be extensible so sites can add new scenarios. Similar to other Zowe core packages, the chat framework will be extensible by vendor tools, bringing an integrated user experience for more elaborate cross-vendor scenarios. Read more about it here.

Zowe IntelliJ Plugin, a new incubator project that provides access to the mainframe from IDEs like IntelliJ, PyCharm, WebStorm and more. Launched by IBA Group, the IntelliJ IDEA plug-in leverages z/OSMF to interact with mainframe data sets and USS files, which enables those familiar with these IDEs to comfortably work with the mainframe just like other projects. This integration will improve the efficiency and overall happiness of IntelliJ enthusiasts now working on the mainframe. Learn more in this blog.

Zowe was recognized as the Best DevOps for Mainframe Award in this year’s DevOps Dozen competition. It was selected over a number of commercial vendor offerings, reflecting a widespread appreciation for the value of an open source solution for the mainframe. Learn more.

The Zowe Conformance Program is Updated with LTS V2 Guidelines

Aimed to build a vendor-neutral ecosystem around Zowe, Open Mainframe Project’s Zowe Conformance Program launched in 2020.  The program has helped Open Mainframe Project members such as ASG Technologies, BMC, Broadcom, IBM, Micro Focus, Phoenix Software International, and Rocket Software incorporate Zowe with new and existing products that enable integration of mainframe applications and data across the enterprise.

To date, 75 products have implemented extensions based on the Zowe framework and earned these members conformance badges.

Additional Resources:

Zowe GitHub Repository
Zowe Convenience Build Download
Getting Started documentation site
Open Mainframe Project’s I am a Mainframer Podcast

About the Open Mainframe Project

The Open Mainframe Project is intended to serve as a focal point for deployment and use of Linux and Open Source in a mainframe computing environment. With a vision of Open Source on the Mainframe as the standard for enterprise class systems and applications, the project’s mission is to build community and adoption of Open Source on the mainframe by eliminating barriers to Open Source adoption on the mainframe, demonstrating value of the mainframe on technical and business levels, and strengthening collaboration points and resources for the community to thrive. Learn more about the project at https://www.openmainframeproject.org.

About The Linux Foundation

The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and commercial adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

###

The post Open Mainframe Project Announces Major Technical Milestone with Zowe’s Longer Term Support V2 Release appeared first on Linux Foundation.

ISO establishes SBOM standard for open source development with SPDX

Software Metadata Standards Wrap Up Bigger Connections

This article originally appeared on Linux.com. The author, Cameron Laird, is vice president of Phaseit, Inc. where he implements software projects and publishes articles about the results. A long-time developer, manager, and author, he’s most recently concentrated on architectural challenges of “continuous everything”: continuous integration, continuous testing, and so on.

You’re in the news. But not with the headline you want.

You’re not getting attention because of your choice of text editor or the number of spaces you use to indent code blocks. However motivating those preferences are for you and me, the non-technical world sees them as private choices. You find your code in the headlines for a different and unpleasant reason: open source dependency management.

We have dependencies, of course, because we know not to “reinvent the wheel”; instead, we software experts re-use the implementations others have created. However, when done poorly, dependency management introduces more risk and degrades the quality of your application. For example, failure to comply with license requirements might be the problem.  Even worse: the absence of a license tied to a component you embedded in your application. In both cases, there are potential legal implications.

Still more traumatic is a media headline announcing that a vulnerability just breached your organization in one of those dependencies. Projects frequently re-use software components to simplify or accelerate development; but sometimes, it can have detrimental results by introducing said vulnerabilities.

That’s not all:  suppose you are experienced and thoughtful enough to recognize this hazard and commit to good dependency management.  It turns out that’s a harder problem than might first appear, and certainly not the kind of thing that can be slipped into a project on its last days, without significant time or other costs.

Building A Standard For Software Bill Of Materials

How, for instance, does an industrial oven manufacturer communicate that one of its products depends on a particular library with a known vulnerability?  How does it say that it does not have such a dependency?  One of the difficulties comes from mixing open and closed information sets. What happens in a scenario where an automotive chip uses an open source sorting algorithm, but the auto manufacturer wants to keep the use of that algorithm proprietary?

Without a better alternative, any discussion about the algorithm has to occur under cover of a non-disclosure agreement (NDA), often one written specifically for the business and technical situation.  Where developers investigating a particular piece of software might be accustomed to connecting to GitHub and inspecting the source in question in a few seconds, even the simplest proprietary questions sometimes take months of legal, security, and compliance negotiation to begin to examine. “Manual” inspection, in any case, is unscalable.  The average application contains 200 OSS components, and each component might manually take three hours to inspect.  Does your project have a better use for 600 hours of effort?  Open source truly begins to pay off when it’s inspected not just by expert engineers but by automatic tools.

Recognize, moreover, that transitive dependencies make dependency management a harder problem than first appears.  Many of the most notorious breaches occurred not because anything was wrong with the source of a product or even the source of the libraries on which it depends; the vulnerability only turned up in a library used by those other libraries.  Over and over again, CEOs who’ve asked, “does $SOME_PROBLEM affect us?” have received the answer, “we don’t know yet: we’re not sure where it shows up in our systems.” We need transparency about dependencies and enough intelligence and standardization around hierarchical relationships to “trace the whole tree.” Organizations must track dependencies through to the operating system run-time and sometimes down to “the silicon,” that is, the microprocessor on which the software runs.

It’s a hard problem but also a solvable one.  Part of any solution is a well-defined software bill of materials (SBOM or sometimes SBoM). That’s where Kate Stewart’s career began to track this story.  Stewart currently serves the Linux Foundation as a vice president of Dependable Embedded Systems.  In previous assignments with such employers as Motorola, Freescale Semiconductor, Canonical, and Linaro, she frequently faced challenges that mixed technical and legal aspects.  As she explained her long-time focus in a recent interview, “if open source components are going to be in safety-critical places … [we need] to be able to trust open source in those spaces …” Good SBOM practices are simply necessary for the level of trust we want to have not just in industrial ovens, but airplanes, medical devices, home security systems, and much more.  An SBOM organizes such metadata about a software artifact as its identity, verification checks it hasn’t been tampered with, copyright, license, where to look up known security vulnerabilities, dependencies to check, and so on. Think of an SBOM as an ingredients list for your software.  It makes those ingredients visible, trackable, and traceable.  It lets you know if you have used the highest quality and least risky open source components to build your software.

Enter SPDX

Stewart and other technologists eventually began to team with specialists in intellectual property, product managers, and others. In the early years of this millennium they developed such concepts as the SBOM, the Software Package Data Exchange (SPDX), and the OpenChain Specification.  She co-founded SPDX in 2009 to pursue “[a]n open standard for communicating software bill of materials information ….” Among other features and benefits, these frameworks provide standard and scalable ways to describe dependencies.

Instead of each vendor having to certify by hand that each of its releases has been checked for the security and license compliance of each of, say, eight hundred JavaScript libraries, many of the most time-consuming aspects of compliance can be automated.  When a new vulnerability is identified in an implementation of a networking protocol, automated methods can largely determine which products embed the known vulnerable libraries, even while we developers remain largely unaware of the details of each component and dependency we use.  For Stewart, standards-based transparency and best practices are prerequisites for the security of the safety-critical communities she helps serve.  As Stewart observes, “you can’t really be safe unless you know what you’re running.”
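As an added example (not code from the original article or from the SPDX project), the Python below walks the DEPENDS_ON relationships in an SPDX 2.3 JSON document to answer the CEO’s question above: which of the products the SBOM describes embed a given vulnerable library, and through what chain of dependencies.  The document and the package names in it (acme-gateway, webfw, netproto, logfmt) are constructed for the illustration.

```python
import json
from collections import deque

# Constructed SPDX 2.3 document (fictional names): the product acme-gateway depends on
# the web framework webfw, which in turn depends on the protocol library netproto.
SPDX_JSON = """{
  "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "acme-gateway-sbom",
  "packages": [
    {"name": "acme-gateway", "SPDXID": "SPDXRef-acme-gateway", "versionInfo": "4.2.0", "downloadLocation": "NOASSERTION"},
    {"name": "webfw", "SPDXID": "SPDXRef-webfw", "versionInfo": "2.8.1", "downloadLocation": "NOASSERTION"},
    {"name": "netproto", "SPDXID": "SPDXRef-netproto", "versionInfo": "1.3.0", "downloadLocation": "NOASSERTION"},
    {"name": "logfmt", "SPDXID": "SPDXRef-logfmt", "versionInfo": "0.9.0", "downloadLocation": "NOASSERTION"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-acme-gateway"},
    {"spdxElementId": "SPDXRef-acme-gateway", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-webfw"},
    {"spdxElementId": "SPDXRef-acme-gateway", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-logfmt"},
    {"spdxElementId": "SPDXRef-webfw", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-netproto"}
  ]
}"""

def load_graph(doc):
    """Return (described roots, SPDXID -> name@version, DEPENDS_ON adjacency) from an SPDX dict."""
    names = {p["SPDXID"]: f'{p["name"]}@{p.get("versionInfo", "?")}' for p in doc["packages"]}
    roots, deps = [], {}
    for rel in doc.get("relationships", []):
        if rel["relationshipType"] == "DESCRIBES":
            roots.append(rel["relatedSpdxElement"])
        elif rel["relationshipType"] == "DEPENDS_ON":
            deps.setdefault(rel["spdxElementId"], []).append(rel["relatedSpdxElement"])
    return roots, names, deps

def dependency_paths(deps, root, target):
    """Breadth-first walk from root, yielding every DEPENDS_ON chain that reaches target."""
    queue = deque([[root]])
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            yield path
            continue
        for child in deps.get(path[-1], []):
            if child not in path:  # a cyclic relationship would otherwise loop forever
                queue.append(path + [child])

def affected_products(spdx_json, vulnerable_pkg):
    """Map each product the SBOM DESCRIBES to the chains through which it embeds vulnerable_pkg."""
    roots, names, deps = load_graph(json.loads(spdx_json))
    by_name = {v: k for k, v in names.items()}
    target = by_name.get(vulnerable_pkg)  # e.g. "netproto@1.3.0"
    if target is None:
        return {}  # the SBOM does not list that package at all
    result = {}
    for root in roots:
        # names.get(n, n) tolerates ids referenced in relationships but absent from "packages"
        chains = [" -> ".join(names.get(n, n) for n in p) for p in dependency_paths(deps, root, target)]
        if chains:
            result[names.get(root, root)] = chains
    return result

if __name__ == "__main__":
    print(affected_products(SPDX_JSON, "netproto@1.3.0"))
```

The same walk applied to a vendor’s full set of SBOMs is what turns “we don’t know yet” into a list of affected products and versions.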

Daily Headlines

Does that sound mundane?  The reality’s far different:  SBOM and related technologies actually play roles in events on the world stage.  For example, on the 12th of May, 2021, US President Biden issued Executive Order 14028 on Cybersecurity Improvement; SBOMs play a prominent role there.  The Open Source Initiative just named Stefano Maffulli its first Executive Director precisely because of the need for mature open source licensing practices.  Dr. Gail Murphy argued in a recent interview that it’s time to recognize that open source software is a “triumph of information-hiding [and] modularity …” in enabling the remarkable software supply chains on which we depend.  Emerging information on breaches including SolarWinds, Rapid7, Energetic Bear, and especially the latest on Juniper’s Dual-EC affair shows how disastrous it becomes when we get those supply chains wrong.  The most prominent breaches in computing history have been tied to component vulnerabilities that seemed peripheral until break-ins demonstrated their centrality.

Drone strikes?  Vaccine efficacy?  Voter fraud?  International commerce?  Nuclear proliferation?  Questions about software and data reliability and fidelity are central to all these subjects, not mere technical tangents.

That’s why SPDX’s management of hierarchical relationships is so crucial.

ISO/IEC 5926:2021 Introduces SBOM Standard

SPDX went live as an official international standard at the end of August.  With that milestone, standardization lowers many of the hurdles to the successful completion of an SBOM project.  Implementation becomes more consistent. “Bookkeeping” about external parts becomes largely a responsibility of the standard.  Software engineers focus more on the details specific to an application.  Then, as those external parts–the ingredients of an SBOM recipe–age and security vulnerabilities are discovered in them, developers can reliably trace those components to the applications where they were used and update them to newer, hardened versions. What does that mean for you?  In your own work, the faster you identify and update vulnerable components, the less likely you are to become the next breach headline following an attack.

SPDX’s standardization fits in the frameworks of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).  ISO is a post-war transnational creation that originally focused on bolt sizes, temperature measurements, and medical supplies.  ISO tracks human affairs, of course, and its attention in recent years has shifted from materials to business processes and, in this millennium, to software.  IEC is a prior generation’s initiative to pursue the same kinds of standardization and cooperation, specifically in the realm of electrical machinery; the IEC and ISO often collaborate.

In bald terms, ISO and IEC matter to you as a programmer because governments trust them.  The new standard is sure to make its way rapidly into procurement specifications, especially for government purchases.  Suppliers become accustomed to compliance with such standards and apply them in their practices more generally.  The earlier ISO 9000 collection of standards has already greatly influenced software development.

Important Though Abstract

The impact and scope of ISO/IEC 5926:2021 is a challenge to understand, let alone explain.  On the one hand, millions of working programmers worldwide go about their daily chores with little thought of SPDX or even SBOMs.  While we all know we depend on packages, we largely leave it to Maven, npm, RubyGems, and the like to handle the details for us.  Standardization of SPDX looks like a couple of layers of abstraction further still, even more remote from the priorities of the current sprint or the customer emergency on our desks right now.

And it’s true:  SPDX is abstract, and its technical details look dry to some programmers, the opposite of the “sexy” story many start-ups aspire to.

Without this infrastructure, though, the development of many large, complex, or mission-critical projects would grind to a halt from the friction of communication about proprietary dependencies on open source artifacts.  Think of it on a weight basis:  as the Linux Foundation’s own press release underlines, “… between eighty and ninety percent of a modern application is assembled from open source software components.” SPDX is immensely important at the same time as it’s uninteresting to all but the most specialized practitioners.

Look to history for examples of how momentous this kind of standardization is.  The US’s Progressive movement at the beginning of the twentieth century is instructive.  While often taught in ideological terms, many of its greatest achievements had to do with mundane, household matters:  does a milk bottle actually contain milk?  Can standard doses of medicines be trusted?  Is a “pound” in a butcher’s shop a full sixteen ounces?  Standards in these areas resulted in more convenience and transformed commerce to enable new market arrangements and achievements. That’s the prospect for SPDX:  more transparent and effective management of software dependencies and interactions will have far larger consequences than are first apparent.  Notice, for instance, that while the standard examples of its use have to do with open-source software, the standard itself and the tools that support it can also be applied to proprietary software and other intellectual property.  SPDX doesn’t solve all problems of communicating about dependencies; it goes a long way, though, to clarify the boundaries between technical and legal aspects.

Long Lead Time

The significance of and need for secure software supply chains haven’t made SPDX’s adoption easy, though.  Stewart reports that individual companies drag their feet: “why should we do something before we have to?” these profit-oriented companies reasonably wonder.  Even in the best of circumstances, when an industry has largely achieved a technical consensus, “From first proposal to final publication, developing a standard usually takes about 3 years.”

Stewart herself cites this year’s Executive Order as crucial: “the one thing that made a difference” in pushing forward adoption of SPDX in 2021 was the emerging SBOM requirements that followed EO 14028.  Much of her own emphasis and achievement of late has been to get decision-makers to face the reality of how crucial their dependence on open source is. No longer can they restrict their focus to the 10% of a product that is proprietary, because supply chain attacks have taught us that the 90% they re-use from the software community at large needs to be exposed and managed.

Publication of a standard mirrors application development in having so many dependencies “under the covers.” It’s not just Stewart who worked on this for more than a decade, but, as I’ll sketch in follow-ups through the next month, a whole team of organizations and individuals who each supplied a crucial requirement for completion of ISO/IEC 5926:2021.  When you or I think of great software achievements, our memories probably go to particular winning prototypes turned out over a weekend. Standards work isn’t like that.  The milestones don’t come at the rapid pace we relish. Successful standards hold out the promise, though, of impacting tens of thousands of applications at a time. That’s a multiplier and scalability that deserves more attention and understanding.

SBOMs For Everything

And that’s why ISO/IEC 5926:2021 is good news for us.  We still have licensing and security issues to track down. We still need to attend meetings on governance policies. Management of proprietary details remains delicate.  Every project and product needs its own SBOM, and vulnerabilities will continue to crop up inconveniently. With the acceptance of ISO/IEC 5926:2021, though, there’s enough standardization to implement continuous integration/continuous deployment (CI/CD) pipelines usefully. We can exchange dependency information with third parties reliably. SPDX provides a language for describing dependency management chores. SPDX gives answers that are good enough to focus most of our attention on delivering great new functionality.

Application-development best practices, applied by developers as a learned methodology, can be something more than an exercise in walking a tightrope of intellectual property restrictions. Enterprise-class requests for proposal become more engineering than lawyering.  You have a better shot at being in the news for your positive achievements rather than for the security calamities into which you’ve stumbled.

Check in over the next several weeks to learn more about what SPDX means to your own programming, how SPDX is a model for other large-scale collaborations the Linux Foundation enables, and how teamwork is possible across profit-making boundaries.  In the meantime, celebrate ISO/IEC 5926:2021 as one more problem that each project does not have to solve for itself.

The post ISO establishes SBOM standard for open source development with SPDX appeared first on Linux Foundation.

SODA Foundation Prioritizes Backup and Restore for Containers, Introduces Object Data Management Across Cloud Providers

Welcomes SoftBank Group to its member ranks

TOKYO, May 25, 2022 – The SODA Foundation, which hosts the SODA Open Data Framework (ODF) for data mobility from edge to core to cloud, today announced two new open source projects: Kahu and Como. Kahu streamlines data protection for Kubernetes and its application data, and Como is a virtual data lake project to enable seamless access to data stored in different clouds. The SODA Foundation also welcomes SoftBank Group as an end-user supporter and key collaboration partner on the Como project.

According to the 2021 SODA Data and Storage Trends Report, two of the top challenges in managing data in containers and cloud-native environments are availability (46%) and management tools (38%).  In direct response to the report findings, the SODA Foundation community collaborated to introduce new tooling options through the Kahu project to improve backup and restore practices critical to data availability.  Furthermore, as enterprises become more data-driven and data growth for some enterprises can exceed 10PB per year, object data management offered by the Como Project will play an important role in performance and scalability requirements for cloud-native environments.

“Data collection, management, and consumption is becoming the new competitive battlefield in IT”, said Steven Tan, chairman, SODA Foundation. “We’re excited to announce Kahu and Como as the latest advances in open source data management and storage. Our 28 members are also excited to welcome the engineers and open source community within SoftBank Group to the Foundation.” 

“Data is the fuel of our global digital economy and harnessing its power requires collaboration on a massive scale”, said Kuniyoshi Suzuki, Senior Director, Cloud Engineering, SoftBank Group.  “SoftBank is excited to be joining a community of open source software developers focused on enabling improvements toward data storage, recovery, and retention in cloud environments. We look forward to collaborating with the SODA Foundation and its members, while contributing to the future of this important community.”

New Open Source Releases

In addition to the announcement of Kahu and Como projects, the SODA Foundation also announced the:

Release of SODA Framework Madagascar v1.7.0: Formerly Open Data Framework (ODF), SODA Framework comprises independent projects initiated by the community to solve common data and storage problems faced by end users. It includes:

Terra: a universal SDS controller for connecting storage to Kubernetes, OpenStack, and VMware environments.
Delfin: a performance monitor for heterogeneous storage infrastructure in a single pane of glass.
Strato: a multi-cloud data controller using a common S3-compatible interface to connect to cloud storage.
Kahu: a new project to streamline data protection for Kubernetes and application data.

Expansion of its Eco Project Initiative with the introduction of more open source projects: 

DAOS: a software-defined object store designed from the ground up for massively distributed Non-Volatile Memory (NVM), providing features such as transactional non-blocking I/O, advanced data protection with self-healing on top of commodity hardware, end-to-end data integrity, fine-grained data control and elastic storage.

YIG: extends Minio backend storage aggregating multiple Ceph clusters to form a massive storage resource pool that can easily scale up to exabyte (EB) levels with minimal performance disruption.

CubeFS: a cloud-native storage platform used as the underlying storage infrastructure for online applications, database or data processing services and machine learning jobs orchestrated by Kubernetes.

Karmada: a Kubernetes management system that enables organizations to run cloud-native applications across multiple Kubernetes clusters and clouds, with no changes to your applications.

SBK: an open source software framework for the performance benchmarking of any storage system.

Conferences and Survey

SODACODE: this week, developers from around the world will participate in SODACODE 2022 – the Data & Storage Hackathon on May 25 – 26.  The first-of-its-kind coding event organized by SODA Foundation is open to developers from all levels ranging from beginner to advanced. The hackathon will conclude with project demonstrations, presentation sessions, panel discussions and an award ceremony for the hackathon winners.
Trend Survey: The SODA Foundation will release its second-annual Data and Storage Trends Survey on June 30, 2022.
SODACON: a technical conference held by the SODA Foundation, will take place this year in Yokohama, Japan on December 7, 2022. The conference will bring together industry leaders, developers and end users to present and discuss the most recent innovations, trends, and concerns as well as practical challenges and solutions in the field of Data and Storage Management in the era of cloud-native, IoT, big data, machine learning, and more.

Additional Resources

Join the SODA Foundation
Attend SODACODE 2022 – The Data & Storage Hackathon
Read the 2021 Data and Storage Trends Report

About the SODA Foundation

Previously OpenSDS, the SODA Foundation is part of the Linux Foundation and includes both open source software and standards to support the increasing need for data autonomy. SODA Foundation Premier members include China Unicom, Fujitsu, Huawei, NTT Communications and Toyota Motor Corporation. Other members include China Construction Bank Fintech, Click2Cloud, GMO Pepabo, IIJ, MayaData, LinBit, Scality, Sony, Wipro and Yahoo Japan.

Media Contact

info@sodafoundation.io

###

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

The post SODA Foundation Prioritizes Backup and Restore for Containers, Introduces Object Data Management Across Cloud Providers appeared first on Linux Foundation.

Run Podman on Windows: How-to instructions

Learn how to set up Podman’s new Windows client, which makes it easier than ever to run the container tool on Microsoft’s OS.

Read More at Enable Sysadmin

Introduction to VirtIO

If you want to learn about the technical

Click to Read More at Oracle Linux Kernel Development