
FINOS and The Linux Foundation Partner with Fintech Week London, Strengthening European Presence

Registration opens for FINOS’ Open Source in Finance Forum (OSFF) London, taking place alongside partner event Fintech Week London 

London, UK – March 8, 2022 – FINOS, the Fintech Open Source Foundation and financial sector arm of the Linux Foundation, and The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced their partnership with Fintech Week London. Their annual event, Open Source in Finance Forum (OSFF), will take place in London on 13 July, during Fintech Week London, which will run from 11 – 14 July.

This partnership highlights the elevated presence of open source software and open collaboration in the financial services industry, and will allow attendees of both conferences an opportunity to learn more about integrating open source software into their technology strategies. Through partnering with Fintech Week London, FINOS bolsters its European footprint – one it is focused on expanding over the course of 2022.

“Partnering with Fintech Week London signifies the growing recognition and appetite for financial services and fintechs to adopt and contribute to open source,” said Gabriele Columbro, Executive Director of FINOS. “Each year, our goal with OSFF is to not only inspire attendees to foster the open source community within financial services, but also bring industry leaders from financial institutions, fintechs and the regulatory space together to discuss how open source can drive innovation across the industry. This partnership is a natural way to bridge the efforts of Fintech Week London and FINOS in fostering technological innovation in the financial services industry.”

The Open Source in Finance Forum is dedicated to driving collaboration and innovation in financial services through open source software and standards. The first iteration of this conference, previously known as the Open Source Strategy Forum, took place in 2017, and it has since then grown to become the flagship event for the fast growing open source movement in financial services and its unique challenges. OSFF will also be held in New York City, USA on 8 December. The call for proposals is open for both events – view suggested topics and submit talks for each event at the links provided here: 

Submit to speak at OSFF London (deadline is 10 April)
Submit to speak at OSFF New York City (deadline is 12 September)

“The momentum of financial institutions looking to and relying on open source technology to scale and grow their businesses is growing at a rapid rate,” said Jim Zemlin, Executive Director, The Linux Foundation. “Holding Open Source in Finance Forum London as part of Fintech Week London will allow us to make even more financial institutions – especially in the UK – open source ready.”

Fintech Week London shines a light on the most interesting topics in financial technology. Traditional financial institutions come together with fintechs and other financial services companies, in one of the world’s oldest leading financial districts. The event brings together high-street banks, challengers, technology giants, and disruptors, to discuss and showcase fintech’s global presence and the forces driving innovation in the industry.

“I’m very excited that we have the Open Source in Finance Forum as part of the official programme this year,” said Raf De Kimpe, CEO of Fintech Week London. “The overall theme for #FTWLondon 2022 is ‘The Coming of Age of the Fintech Industry’; the industry is moving past its infancy to be a full-blown player in finance services. With so many mergers, acquisitions and partnerships taking place, collaboration and innovation are cornerstones of our programme. A day dedicated to open source software and standards is essential to have a well-rounded view on evolutions in the Fintech Industry for all our attendees. On the third day of Fintech Week London, etc.venues 133 Houndsditch will be transformed into the place to be for our attendees to learn how to best and safely leverage open source software to solve industry challenges.”

FINOS’ commitment to fostering the adoption of open source reaches beyond US institutions, with an even distribution of contributors between the United States and Europe. In recognition of its strong European grassroots, FINOS actively invests in nurturing its relationships overseas. Partnerships such as this one bring increased awareness to the collaborative work of developers, contributors and financial institutions driving adoption around the world.

“Collaborative efforts through open source adoption go far beyond US financial institutions,” said James McLeod, Director of Community for FINOS. “FINOS recognizes the potential power that world-wide collaboration possesses to drive innovation on a grand scale, and that’s why we continue to nurture relationships with our established European developers, financial organizations and fintechs. To continue this progression, we invest in forming new connections to support and expand the work being done by our community.”

Registration and further details for Open Source in Finance Forum London and for Fintech Week London are available on the two events’ websites.

About FINOS

FINOS (The Fintech Open Source Foundation) is a nonprofit whose mission is to foster adoption of open source, open standards and collaborative software development practices in financial services. It is the center for open source developers and the financial services industry to build new technology projects that have a lasting impact on business operations. As a regulatory compliant platform, the foundation enables developers from these competing organizations to collaborate on projects with a strong propensity for mutualization. It has enabled codebase contributions from both the buy- and sell-side firms and counts over 50 major financial institutions, fintechs and technology consultancies as part of its membership. FINOS is also part of the Linux Foundation, the largest shared technology organization in the world. Get involved and join FINOS as a Member.

About the Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 2,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit linuxfoundation.org.

Linux Foundation Events are where the world’s leading technologists meet, collaborate, learn and network in order to advance innovations that support the world’s largest shared technologies.

Visit our website and follow us on Twitter, LinkedIn, and Facebook for all the latest event updates and announcements.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds. 

About Fintech Week London

The Coming of Age of The Fintech Industry

Fintech Week London shines a light on the most interesting topics in financial technology, with a 2-day conference at its core. Traditional financial institutions come together with fintechs and other financial services companies, in one of the world’s oldest leading financial districts: London. From high-street banks to challengers, technology giants to disruptors, this five-day event showcases some of the best that London and global fintech has to offer.

Mark your calendars for the second edition on July 11-15, 2022. 

To learn more about Fintech Week London please visit our website: www.fintechweek.london

FINOS Media Contact:
Ross Stevens
Caliber Corporate Advisers for FINOS
ross@calibercorporate.com

Fintech Week London Media Contact:
Raf De Kimpe
Fintech Week London 
raf@fintechweek.london

The post FINOS and The Linux Foundation Partner with Fintech Week London, Strengthening European Presence appeared first on Linux Foundation.

DENT 2.0, Secure and Scalable Open Source Network Operating System Aimed at Small and Mid-Size Enterprises, Released


The DENT project is an open source network operating system built on the Linux kernel, switchdev, and other Linux-based projects, hosted under the Linux Foundation. The project has announced that DENT 2.0 is available for immediate download.

The “Beeblebrox” release adds key features utilized by distributed enterprises in retail and remote facilities, providing a secure and scalable Linux-based Network Operating System (NOS) for disaggregated switches adaptable to edge deployment. This means DENT provides a smaller, more lightweight NOS for use at the small, remote edges of enterprise networks.

DENT 2.0 adds secure scaling with Internet Protocol version 6 (IPv6) and Network Address Translation (NAT) to support a broader community of enterprise customers. It also adds Power over Ethernet (PoE) control to allow remote switching, monitoring, and shutting down. Connectivity of IoT, Point of Sale (POS), and other devices is highly valuable to retail storefronts, early adopters of DENT. DENT 2.0 also adds traffic policing, helping mitigate attack situations that overload the CPU. 

“DENT has made great strides this past year and with its edge and native Linux approach, with a rich feature set for distributed enterprises like retail or remote facilities. DENT continues to expand into new use cases and welcomes community input with an open technical community, under the Linux Foundation,” said Arpit Joshipura, GM of Networking & Edge at The Linux Foundation.

DENT 2.0 Main Features to enable secure and scalable development

Secure scaling with IPv6 and NAT to appeal to a broader community of SME customers
PoE control to allow remote switching, monitoring, and shutting down
Rate limiting (traffic policing) to protect against broadcast storms, hardening the OS against floods of erroneous BUM (broadcast, unknown-unicast and multicast) traffic

DENT enables enterprises to transition to disaggregated network switches and use cases available with the distributed enterprise and edge networking. The open source NOS provides key technology leverage in retail, a sector that is leading innovation in digital transformation. The Amazon public showcase of DENT hardware at re:Invent in November 2021 reached 20,000+ attendees.

“This new release of DENT 2.0 adds critical updates focused on smaller enterprise needs. This was the goal of DENT all along, and I would like to thank our members and the wider community for this broad, concerted effort to move DENT significantly forward,” said Steven Noble, DENT Technical Steering Committee Chair. “It’s not easy building a flexible, accessible network OS, and this is why I’m proud of all the effort and coordination by so many talented individuals. If you are looking for an open source disaggregated network OS, now is great timing for looking at DENT.”

Retail stores, warehousing, remote locations, enterprise, and Small and Mid-Size Enterprises are all ideal environments for DENT deployment. Wiring closets in many facilities are small. Staff expertise may be limited, and branch-office switches from leading suppliers can require costly contracts. DENT is easily deployed on white-box hardware in small spaces. It can be set up to support dozens of wireless access points and IoT sensors, creating a manageable network to track inventory, monitor shelf real estate, scan customer activity, and perform automated checkouts.

DENT premier members include Amazon, Delta Electronics Inc, Edgecore Networks, and Marvell. Important contributions to the DENT project have come from NVIDIA, Keysight Technologies, and Sartura.

“Delta has built complete white box networking platforms based on DENT technology, helping drive a disaggregation model in edge that offers cost and flexibility benefits to customers looking for OEM solutions,” said Charlie Wu, Vice President, Solution Center at Delta Networks. “The deployment of our 1G and 10G Ethernet switch boxes with Marvell’s Prestera® devices and the DENT OS in real world applications demonstrates the power of open source to accelerate technology innovation in networking.” 

“Edgecore Networks, as the premier member of DENT, is pleased to see the groundbreaking second release of DENT 2.0, enabling DENT community members to use the DENT’s simplified abstracts, APIs, drivers, to lessen development and deployment overhead,” said Taskin Ucpinar, Senior Director of SW Development. “This innovative product development approach enables the community to build robust solutions with minimal effort and immediately help System Integrators deploy a networking solution to remote campuses and retail stores.”

“As the chairing company for DENT Test Working Group, Keysight has partnered with the open-source community to host the system integration test bed in Keysight labs,” said Dean Lee, Senior Director Cloud Solution Team. “Being a neutral test vendor, we have worked with the community to harden the DENT NOS in multi-vendor interoperability, performance, and resiliency. We are delighted to contribute to the success and wide adoption of DENT.”

“Marvell is accelerating the build-out of Ethernet switching infrastructure in emerging edge and borderless enterprise applications, and DENT is a key component to our offerings,” said Guy Azrad, Senior Vice President and General Manager, Switch Business Unit at Marvell. “With DENT incorporated on our Prestera® switch platforms, we are currently enabling retailers to transform physical stores to smart retail connected environments that benefit consumers through easy and efficient in-store experiences.”

Download and test DENT 2.0: https://github.com/dentproject/dentOS

Additional DENT Resources

Main repo: https://github.com/dentproject/dentOS 
Supported Hardware (DNI, Edge-core, WNC platforms): https://dent.dev/dentos/  
Getting Started Guide: https://github.com/dentproject/dentOS/wiki 
Video demo: https://youtu.be/ZGstgS9d4p0 
DENT Market Leadership Brief: https://dent.dev (email registration required)


The post DENT 2.0, Secure and Scalable Open Source Network Operating System Aimed at Small and Mid-Size Enterprises, Released appeared first on Linux Foundation.

How Podman can transfer container images without a registry

The new ‘podman image scp’ command makes it easier to transfer container images between users on the same system or machines over the network.

Read More at Enable Sysadmin

8 steps for estimating a cloud application’s resource requirements

Learn how to calculate a cloud application’s resource needs correctly, in order to minimize common operational issues in production.

Read More at Enable Sysadmin

Keep an eye on these versions – Comparing the performance of Oracle Linux 7 vs Oracle Linux 8 using the Phoronix Test Suite

Comparison of the performance of Oracle

Click to Read More at Oracle Linux Kernel Development

A Summary of Census II: Open Source Software Application Libraries the World Depends On

Introduction

It has been estimated that Free and Open Source Software (FOSS) constitutes 70-90% of any given modern software solution. FOSS is an increasingly vital resource in nearly all industries, in the public and private sectors, and among tech and non-tech companies alike. Ensuring the health and security of FOSS is therefore critical to the future of nearly every industry in the modern economy.

In March of 2022, The Linux Foundation, in partnership with the Laboratory for Innovation Science at Harvard (LISH), released the final results of an ongoing study, “Census II of Free and Open Source Software – Application Libraries.” This follows the preliminary release, “Vulnerabilities in the Core, a Preliminary Report and Census II of Open Source Software,” in February 2020, and now identifies more than one thousand of the most widely deployed open source application libraries found in scans of commercial and enterprise applications. The study shows which open source projects are commonly used in applications and therefore warrant proactive analysis of their operations and security support.

The completed report from the Census II study identifies the most commonly used free and open source software (FOSS) components in production applications. It begins to examine the components’ open source communities, which can inform actions to sustain FOSS’s long-term security and health. The stated objectives were:

  • Identify the most commonly used free and open source software components in production applications.
  • Examine these projects for potential vulnerabilities arising from widespread use of outdated versions and from understaffed projects.
  • Use this information to prioritize investments and other resources needed to support the security and health of FOSS.

What did the Linux Foundation and Harvard learn from the Census II study?

The study was the first to analyze the security risks of open source software used in production applications. It is in contrast to the earlier Census I study that primarily relied on Debian’s public repository package data and factors that would identify the profile of each package as a potential security risk.

To better understand the commonality, distribution, and usage of open source software within organizations, the study used software composition analysis (SCA) data supplied by Snyk, Synopsys, and FOSSA. SCA is the automated identification of the open source components present in a codebase, and SCA tools are routinely used for risk management, security, and license compliance. SCA solution providers scan codebases used by private and public sector organizations, and those scans and audits give deep insight into which open source is actually being used in production applications.

With this data, the study created a baseline and unique identifiers for common packages and software components used by large organizations, which were then tied to a specific project. This baselining effort allowed the study to identify which packages and components were the most widely deployed. 

Census II includes eight rankings of the 500 most used FOSS packages among those reported in the private usage data contributed by SCA partners. The analysis performed is based on 500,000 observations of FOSS usage in 2020.

These include different slices of the data based on versions, structure, and packaging system. For example, the research identifies the top 10 version-agnostic packages available on the npm package manager that were called directly in applications.

Other slices of the data examined in the study include versioned versus version-agnostic, npm versus non-npm, and direct-only versus direct-and-indirect packages. All eight top-500 lists are included in an open data repository on Data.World.

Observations and analysis of these specific metrics led the study to come to certain conclusions. These were:

Software components need to be named in a standardized schema for security strategies to be effective. The study found that package and component naming across repositories is highly inconsistent. Any effort to build software security and transparency strategies without industry participation in a common naming scheme would therefore have limited effect and proceed slowly.

The complexities associated with package versioning. In addition to the need for a standardized naming schema mentioned above, Software Bill of Materials (SBOM) guidance will need to reflect versioning information consistent with the public “main” repository for a package, rather than with private repositories. Many of the versions that the data partners reported did not exist in the public repositories for those packages because developers maintained internal forks of the code.

Developer accounts must be secured. The analysis of the software packages with the highest levels of usage found that many were hosted on individual (personal) developer accounts. Lax developer security practices have considerable implications for large organizations that use these software packages because they have fewer protections and less granularity of associated permissions. The OpenSSF encourages MFA tokens or organizational accounts to achieve greater account security.

Legacy open source is pervasive in commercial solutions. Many production applications incorporate legacy open source packages. This is a problem because legacy packages are often no longer supported or maintained by their developers, or have known security vulnerabilities, and they frequently lack fixes for known issues either in their own codebase or in the dependencies they require. Apache log4j 1.x, for example, was ten times more prevalent than log4j 2.x (the line that required urgent remediation in late 2021), and 1.x still has disclosed vulnerabilities that will never be patched because it was declared end-of-life (EOL) in 2015. Legacy packages present a vulnerability to the companies deploying them: an organization needs to know which open source packages it has deployed, and where, in order to maintain and update those codebases over time.
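The naming, versioning and legacy-package findings above are the checks an SBOM pipeline should automate. The following is an added example, not code from the Census II report, the Linux Foundation or the SPDX project: it reads a minimal SPDX 2.2 JSON document, identifies each package by its Package URL (purl), folds ecosystem-specific spellings to one canonical key, and flags packages whose version is absent from the public repository (the internal-fork case), that sit on an end-of-life line, that appear under several spellings or versions, or that carry no purl at all. The SBOM, the public-version index, the EOL table (only the log4j 1.x / 2015 entry comes from the text) and the hand-written purl parser are this example's own assumptions.

```python
import json
import re
from typing import Dict, List, NamedTuple, Optional, Set, Tuple
from urllib.parse import unquote

Key = Tuple[str, Optional[str], str]  # (ecosystem, namespace, canonical name)


class Purl(NamedTuple):
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]


class Finding(NamedTuple):
    spdx_id: str
    kind: str      # no-purl | unknown-version | eol | multiple-versions
    detail: str


def _pkg(name: str, spdx_id: str, version: str, purl: Optional[str] = None) -> dict:
    """Build one SPDX 2.2 package entry (helper for the constructed sample SBOM)."""
    refs = [] if purl is None else [{"referenceCategory": "PACKAGE-MANAGER",
                                     "referenceType": "purl", "referenceLocator": purl}]
    return {"name": name, "SPDXID": spdx_id, "versionInfo": version,
            "downloadLocation": "NOASSERTION", "externalRefs": refs}


# Constructed SPDX 2.2 document: an EOL package, an upstream package, an
# internal fork of it under a different spelling, and a package with no purl.
SBOM_JSON = json.dumps({
    "spdxVersion": "SPDX-2.2", "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT", "name": "example-app",
    "packages": [
        _pkg("log4j", "SPDXRef-log4j", "1.2.17", "pkg:maven/log4j/log4j@1.2.17"),
        _pkg("Lodash", "SPDXRef-lodash", "4.17.21", "pkg:npm/lodash@4.17.21"),
        _pkg("lodash", "SPDXRef-lodash-fork", "4.17.21-acme.3", "pkg:npm/lodash@4.17.21-acme.3"),
        _pkg("internal-utils", "SPDXRef-utils", "0.3"),
    ],
})
# Constructed stand-in for each component's public "main" repository.
PUBLIC_INDEX: Dict[Key, Set[str]] = {
    ("maven", "log4j", "log4j"): {"1.2.16", "1.2.17"},
    ("npm", None, "lodash"): {"4.17.20", "4.17.21"},
}
# EOL lines as (major, year). log4j 1.x / 2015 is the case the report cites.
EOL_POLICY: Dict[Key, List[Tuple[int, int]]] = {("maven", "log4j", "log4j"): [(1, 2015)]}


def parse_purl(purl: str) -> Purl:
    """Minimal parser for pkg:type/namespace/name@version?qualifiers#subpath.
    Assumption of this example; a production pipeline would use a purl library."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[4:].lstrip("/").split("#", 1)[0].split("?", 1)[0]
    path, sep, version = body.rpartition("@")   # '@' inside names is %-encoded
    if not sep:
        path, version = body, ""
    parts = [unquote(p) for p in path.split("/") if p]
    if len(parts) < 2:
        raise ValueError(f"purl needs a type and a name: {purl}")
    return Purl(parts[0].lower(), "/".join(parts[1:-1]) or None, parts[-1],
                unquote(version) or None)


def canonical_key(p: Purl) -> Key:
    """One identity per component: npm names are published lowercase, PyPI
    folds case and runs of -_. (PEP 503), Maven coordinates stay case-sensitive."""
    ns, name = p.namespace, p.name
    if p.type == "npm":
        ns, name = (ns.lower() if ns else None), name.lower()
    elif p.type == "pypi":
        name = re.sub(r"[-_.]+", "-", name).lower()
    return (p.type, ns, name)


def major_version(version: Optional[str]) -> Optional[int]:
    m = re.match(r"(\d+)", version or "")
    return int(m.group(1)) if m else None


def audit_sbom(sbom_text: str, public_index: Dict[Key, Set[str]],
               eol_policy: Dict[Key, List[Tuple[int, int]]]) -> List[Finding]:
    """Return one Finding per problem; an empty list means the SBOM is clean."""
    findings: List[Finding] = []
    seen: Dict[Key, Dict[str, str]] = {}          # key -> {version: SPDXID}
    for pkg in json.loads(sbom_text).get("packages", []):
        spdx_id = pkg["SPDXID"]
        purls = [r["referenceLocator"] for r in pkg.get("externalRefs", [])
                 if r.get("referenceType") == "purl"]
        if not purls:   # no standardized identifier: cannot be matched upstream
            findings.append(Finding(spdx_id, "no-purl",
                            f"{pkg.get('name')!r} cannot be matched to a public repository"))
            continue
        p = parse_purl(purls[0])
        key = canonical_key(p)
        version = p.version or pkg.get("versionInfo") or ""
        seen.setdefault(key, {})[version] = spdx_id
        if version not in public_index.get(key, set()):
            findings.append(Finding(spdx_id, "unknown-version",
                            f"{purls[0]}: not published upstream (internal fork or private build?)"))
        for eol_major, year in eol_policy.get(key, []):
            if major_version(version) == eol_major:
                findings.append(Finding(spdx_id, "eol",
                                f"{purls[0]}: {eol_major}.x line end-of-life since {year}"))
    for key, versions in seen.items():   # same component under several spellings/versions
        if len(versions) > 1:
            findings.append(Finding(",".join(sorted(versions.values())), "multiple-versions",
                            f"{key[0]}:{key[2]} appears as {sorted(versions)}"))
    return findings


if __name__ == "__main__":
    for f in audit_sbom(SBOM_JSON, PUBLIC_INDEX, EOL_POLICY):
        print(f"{f.kind:17} {f.spdx_id:40} {f.detail}")
```

Run against the constructed SBOM, the audit reports four findings: log4j on the EOL 1.x line, the `4.17.21-acme.3` fork that no public registry knows about, the same npm component shipped twice under `Lodash` and `lodash` (which only becomes visible once names are canonicalized), and `internal-utils`, which has no purl and so cannot be tied to any upstream at all. In a real pipeline the public index would be filled from the registries' own metadata and the EOL table from the projects' published support policies.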

The prevalence of “supercoders” in the FOSS community. Much of the most widely used FOSS is developed by only a handful of contributors – results in one dataset show that 136 developers were responsible for more than 80% of the lines of code added to the top 50 packages. Additionally, as stated in the Census II preliminary results in 2020, project atrophy and contributor abandonment is a known issue with legacy open source software. The number of developer contributors who work on projects to ensure updates for feature improvements, security, and stability decreases over time as they prioritize other software development work in their professional lives or decide to leave the project for any number of reasons. Therefore, it is much more likely that these communities may face challenges without sufficient developers to act as maintainers as time goes by.

What resources exist to better understand and mitigate potential problem areas in Open Source Software development? 

The Linux Foundation’s community and other open source projects initiatives offer important standards, tooling, and guidance that will help organizations and the overall open source community gain better insight into and directly address potential issues in their software supply chain.

Software Bill of Materials: Adopt the ISO/IEC 5962:2021 SPDX SBOM Standard

An actionable recommendation from Census II is to adopt Software Bill of Materials (SBOM) within your organization. SBOMs serve as a record that delineates the composition of software systems. Software Package Data Exchange (SPDX) is an open international standard for communicating SBOM information that supports accurate identification of software components, explicit mapping of relationships between components, and the association of security and licensing information with each component. 

Many enterprises concerned about software security are making SBOMs a cornerstone of their cybersecurity strategy. The Linux Foundation recently published a separate study on SBOM readiness within organizations, The State of Software Bill of Materials (SBOM) and Cybersecurity Readiness. The report offers fresh insight into the state of SBOM readiness by enterprises across the globe, identifying patterns from innovators, early adopters, and procrastinators. 

Differentiated by region and revenue, these organizations identified current SBOM production and consumption levels and the motivations and challenges regarding their present and future adoption. This report is for organizations looking to better understand SBOMs as an important tool in securing software supply chains and why it is now time to adopt them.

Take the free training on secure software development 

The Open Source Security Foundation (OpenSSF) has developed a trio of free courses on how to develop secure software. These courses are part of the Secure Software Development Fundamentals Professional Certificate program.  There’s a fee if you want to try to earn a certificate (to prove that you learned the material). However, if you just want to learn the material without earning a certificate, that’s free; simply audit the course. You can also start for free and upgrade later if you pay within the upgrade deadline. All three courses are available on the edX platform.

The courses included in the program are:

Secure Software Development: Requirements, Design, and Reuse (LFD104x)
Secure Software Development: Implementation (LFD105x)
Secure Software Development: Verification and More Specialized Topics (LFD106x)

Focus on building security best practices into your open source projects

The OpenSSF develops and hosts its Best Practices badging program for open source software developers. This initiative was one of the first outputs of Census I, completed in 2015. Since then, over 4,000 open source software projects have started or completed the process of obtaining a Best Practices Badge.

Projects that conform to OpenSSF best practices can display a badge on their GitHub page, their own web pages and other material. Consumers, in turn, can quickly assess which FLOSS projects follow best practices and are therefore more likely to produce higher-quality, more secure software. A Badge API also lets developers and organizations query a specific project's badge level (Passing, Silver or Gold), so any organization can add an API check to its workflow that looks up the open source packages it uses and confirms whether each project's community has obtained a badge.

More information on the OpenSSF Best Practices Badging program, including background and criteria, is available on GitHub. The projects page shows participating projects and supports queries (such as a list of projects that have a passing badge). Project statistics and criteria statistics are available. 

Understand the vulnerability vectors of your software supply chain

In addition to reviewing the Census II findings, we encourage you to read the Linux Foundation’s Open Source Supply Chain Security Whitepaper. This publication explores vulnerabilities in the open source software ecosystem through historical examples of weaknesses in known infrastructure components (such as lax developer security practices and end-user behavior, poorly secured dependency package repositories, package managers, and incomplete vulnerability databases). It provides a set of recommendations for organizations to navigate potential problem areas. 

Conclusion

The Census II study shows that even the most widely deployed open source software packages can have issues with security practices, developer engagement, contributor exodus, and code abandonment. Therefore, open source projects require supporting toolsets, infrastructure, staffing, and proper governance to act as a stable and healthy upstream project for your organization. 

The post A Summary of Census II: Open Source Software Application Libraries the World Depends On appeared first on Linux Foundation.

Podman 4.0’s new network stack: What you need to know

Podman’s new Netavark and Aardvark-based stack offers three main advantages over the existing CNI-based stack.

Read More at Enable Sysadmin

Three Ways to Engage with Open Source Program Offices

Share and learn by speaking at OSPOCon, joining Work Day activities, and more opportunities from TODO

Do you engage in open source-related tasks within your organization? You know that collaboration is key. Here are three ways to engage and network with your open source peers and leverage your organization’s open source program! 

1) Speak at OSPOCon, the premier event for OSPOs

Aiming to provide continuous education and ease OSPO adoption across organizations, the TODO Group, in collaboration with the Linux Foundation, has launched the OSPOCon 2022 Call for Proposals. OSPOCon is the premier event for Open Source Program Offices to share information, solve problems, and learn how to build effective open source initiatives within organizations.

Why consider submitting a proposal to speak at OSPOCon?

OSPOCon is a go-to place where those working in open source program offices (or similar initiatives) in organizations can:

Share best practices, tooling, and lessons learned
Learn the newest OSPO trends
Connect and learn from the wide diversity of open source professionals’ visions
Take part in real-time discussions and give and get feedback from the community

Overall, people can come together to learn and share best practices, experiences, and tools to overcome OSPO challenges and similar open source initiatives.

OSPOCon NA and Europe are in-person and virtual events held under the Open Source Summit conference umbrella. Proposals are submitted via the OSSummit CFP, and attendees also get access to all the other events in the Open Source Summit collection.

Please remember the CFP submissions deadlines for each of the events. We hope to see you in the upcoming OSPOCon series!

OSSummit + OSPOCon NA: March 14th
OSSummit + OSPOCon Europe: May 30th

2) Contribute to OSPO resources with the broader community in the new TODO Work Day Activities

TODO comprises individual community contributors and 70+ organizations with years of experience running open source programs. They all want to collaborate on practices, tools, and other ways to run successful and effective open source projects and programs. We have a wide range of ongoing OSPO initiatives where everyone (from the most seasoned OSPOers to students) can participate and become a contributor.

Why consider attending the next Work Day meeting?

A good practice to keep learning from OSPOs is to share knowledge and be inspired by other community participants that run open source initiatives when working on common tooling and resources. 

TODO organizes Work Day activity monthly meetings to ease community participation and work together with other OSPOers and open source experts on the various issues and PRs in the TODO Group GitHub organization.

Each Work Day also has a handful of tasks, sorted by TODO project contribution level, that participants are expected to work on during the meeting.

Learn more in the dedicated repo and review the upcoming meeting dates:

Wednesday, March 9, 2022, at 16:30 UTC
Monday, March 14, 2022, at 10:00 AM UTC

3) Study and discuss the status of OSPOs with OSPOlogy and TODO Sync calls

The OSPOlogy repo provides continuous OSPO learning and discussions with other OSPOers thanks to the OSPOlogy monthly community meetings, TODO Sync calls, and OSPO Forum.

OSPOlogy Community Meetings: Everyone is welcome to attend and participate in the monthly public meetings of the TODO Group and the wider OSPO community. People can bring new discussion topics via the OSPOlogy CFP submission.
TODO Sync calls (Europe Chapter): This chapter was created to work together to improve OSPO adoption and education within Europe and discuss with the broader community the challenges European organizations face when implementing an open source program. EMEA-friendly time meetings are scheduled every last Thursday of the month at 3 PM (CET).
OSPO Forum: A place to: (1) Ask questions you’re wondering about when it comes to OSPOs; (2) Share ideas about how to improve OSPOs; (3) Engage with other OSPO community members. Topics are filtered by:
Learning and education
Structure and strategy
Security and compliance
Tools

Bonus: Resources for practical OSPO implementation

We went through three popular OSPO networking spaces where people can engage with the different professionals involved in open source program offices or similar open source initiatives within organizations. 

The good news is that TODO Group goes far beyond a place to connect with other OSPOers. This group also drives open source education and adoption powered by course materials, research studies, and resources created by experienced professionals to keep learning about OSPOs, anytime.

Here is a list of the most popular resources that can help people find inspiration and guidance in the vision of open source professionals.

[NEW] The Evolution of the Open Source Program Office Study: provides a set of patterns and directions, as well as a checklist, to help implement an OSPO or an open source initiative within corporate environments. This includes an OSPO maturity model, practical implementation from noted OSPO programs across regions and sectors, and a handful of broad OSPO archetypes (or personas), which drive differentiation in OSPO behavior.
TODO Guides: A collection of best practices from the leading companies engaged in open source development aims to help organizations successfully implement and run an open source program office.
OSPO Survey: The TODO Group is committed to running an annual survey of the status of Open Source Program Offices and sharing the results and data with the wider community. People can find the open data and previous results at Linux Foundation Research.
OSPONews: Never miss the newest OSPO trends! This is the monthly newsletter to stay up to date on Open Source Program Office (OSPO) trends.

TODO Group is a great place to begin and advance in the OSPO journey. The open source community is always welcome to be part of TODO. Welcome to the OSPOverse!

The post Three Ways to Engage with Open Source Program Offices appeared first on Linux Foundation.

New Podman features, file sharing with Samba, and more tips for sysadmins

Check out Enable Sysadmin’s top 10 articles from February 2022.

Posted: March 4, 2022 by Vicki Walker (Red Hat)

Topics:  
Containers  
Linux administration  
Podman  
Career  

Read the full article on redhat.com

Read More at Enable Sysadmin

The Linux Foundation and Harvard’s Lab for Innovation Science Release Census of Most Widely Used Open Source Application Libraries

Census II identifies more than one thousand of the most widely deployed applications libraries that are most critical to operations and security 

SAN FRANCISCO – March 2, 2022 — The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced the final release of “Census II of Free and Open Source Software – Application Libraries.” This follows the preliminary release of Census II, “Vulnerabilities in the Core, a Preliminary Report and Census II of Open Source Software,” and identifies more than one thousand of the most widely deployed open source application libraries found from scans of commercial and enterprise applications. This study informs what open source packages, components and projects warrant proactive operations and security support.

The original Census Project (“Census I”) was conducted in 2015 to identify which software packages in the Debian Linux distribution were the most critical to a Linux server’s operation and security. The goal of the current study (Census II) is to pick up where Census I left off and to identify and measure which open source software is most widely deployed within applications developed by private and public organizations. Census II allows for a more complete picture of free and open source software (FOSS) adoption by analyzing anonymized usage data provided by partner Software Composition Analysis (SCA) companies Snyk, the Synopsys Cybersecurity Research Center (CyRC), and FOSSA, and is based on their scans of codebases at thousands of companies.

“Understanding what FOSS packages are the most widely used in society allows us to proactively engage the critical projects that warrant operations and security support,” said Brian Behlendorf, executive director at Linux Foundation’s Open Source Security Foundation (OpenSSF). “Open source software is the foundation upon which our day-to-day lives run, from our banking institutions to our schools and workplaces. Census II provides the foundational detail we need to support the world’s most critical and valuable infrastructure.” 

Census II includes eight rankings of the 500 most used FOSS packages among those reported in the private usage data contributed by SCA partners. These include different slices of the data based on versions, structure, and packaging system. For example, this research enables identification of the top 10 version-agnostic packages available on the npm package manager that were called directly in applications:

  • lodash
  • react
  • axios
  • debug
  • @babel/core
  • express
  • semver
  • uuid
  • react-dom
  • jquery

To review all of the Top 500 lists in their entirety, please visit Data.World.

The study also surfaces these five overall findings that are detailed in the report: 

1) The need for a standardized naming schema for software components so that application libraries can be uniquely identified

2) The complexities associated with package versioning – SBOM guidance will need to reflect versioning information that is consistent with the public “main” repository for that package, rather than private repositories

3) Much of the most widely used FOSS is developed by only a handful of contributors – results in one dataset show that 136 developers were responsible for more than 80% of the lines of code added to the top 50 packages

4) The increasing importance of individual developer account security – the OpenSSF encourages the use of MFA tokens or organizational accounts to achieve greater account security

5) The persistence of legacy software in the open source space

Census II is authored by Frank Nagle, Harvard Business School; James Dana, Harvard Business School; Jennifer Hoffman, Laboratory for Innovation Science at Harvard; Steven Randazzo, Laboratory for Innovation Science at Harvard; and Yanuo Zhou, Harvard Business School. 

“Our goal is to not only identify the most widely used FOSS but also provide an example of how the distributed nature of FOSS requires a multi-party effort to fully understand the value and security of the FOSS ecosystem. Only through data-sharing, coordination, and investment will the value of this critical component of the digital economy be preserved for generations to come,” said Frank Nagle, Assistant Professor, Harvard Business School. 

Supporting Quotes

FOSSA

“Open source software plays a foundational role in enabling global economic growth. Of course, the ubiquitous nature of OSS means that severe vulnerabilities — such as Log4Shell — can have a devastating and widespread impact. Mounting a comprehensive defense against supply chain threats starts with establishing strong visibility into software — and we at FOSSA are thrilled to be able to contribute our market-leading SBOM capabilities and experience helping thousands of organizations successfully manage their open source dependencies to improve transparency and trust in the software supply chain.” – Kevin Wang, Founder & CEO, FOSSA

Snyk

“The Linux Foundation’s latest multi-party Census effort is further evidence that OSS is at the very heart of not only today’s modern application development process, but also plays an increasingly vital behind the scenes role throughout all of society,” said Guy Podjarny, Founder, Snyk. “We’re honored to have made significant contributions to this latest comprehensive assessment and welcome all future efforts that help to empower the developers building our future with the right information to also effectively secure it.”

Synopsys

“With businesses increasingly dependent upon open source technologies, if those same businesses aren’t contributing back to the open source projects they depend upon, then they are increasing their business risk. That risk ranges from projects becoming orphaned and containing potentially vulnerable code, through to implementation changes that break existing applications. The only meaningful way to mitigate that risk comes from assigning resources to contribute back to the open source powering the business. After all, while there are millions of developers contributing to open source, there might just be only one developer working on something critical to your success.” – Tim Mackey, Principal Security Strategist, Synopsys Cybersecurity Research Center

Additional Resources

Download the Report
Join the Webinar TODAY to learn more directly from the authors of this report. 

About the Linux Foundation

Founded in 2000, the Linux Foundation and its projects are supported by more than 1,800 members. The Linux Foundation is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, Hyperledger, RISC-V, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

###

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Media Contacts

Jennifer Cloer

503-867-2304

jennifer@storychangesculture.com

The post The Linux Foundation and Harvard’s Lab for Innovation Science Release Census of Most Widely Used Open Source Application Libraries appeared first on Linux Foundation.