Home Blog

Uniting for better open-source security: The Open Source Security Foundation (ZDNet)

Steven Vaughn-Nichols writes at ZDNet:

Eric S. Raymond, one of open-source’s founders, famously said, “Given enough eyeballs, all bugs are shallow,” which he called “Linus’s Law.” That’s true. It’s one of the reasons why open-source has become the way almost everyone develops software today. That said, it doesn’t go far enough. You need expert eyes hunting and fixing bugs and you need coordination to make sure you’re not duplicating work. 
So, it is more than past time that The Linux Foundation started the Open Source Security Foundation (OpenSSF). This cross-industry group brings together open-source leaders by building a security broader community. It combines efforts from the Core Infrastructure Initiative (CII)GitHub’s Open Source Security Coalition, and other open-source security-savvy companies such as GitHub, GitLab, Google, IBM,  Microsoft, NCC Group, OWASP Foundation, Red Hat, and VMware.

Read more at ZDNet

Role Of SPDX In Open Source Software Supply Chain

Kate Stewart is a Senior Director of Strategic Programs, responsible for the Open Compliance program at the Linux Foundation encompassing SPDX, OpenChain, Automating Compliance Tooling related projects. In this interview, we talk about the latest release and the role it’s playing in the open source software supply chain.

Here is a transcript of our interview. 

Swapnil Bhartiya: Hi, this is Swapnil Bhartiya, and today we have with us, once again, Kate Stewart, Senior Director of Strategic Programs at Linux Foundation. So let’s start with SPDX. Tell us, what’s new going on in there in this specification?

Kate Stewart: Well, the SPDX specification just a month ago released auto 2.2 and what we’ve been doing with that is adding in a lot more features that people have been wanting for their use cases, more relationships, and then we’ve been working with the Japanese automotive-made people who’ve been wanting to have a light version. So there’s lots of really new technology sitting in the SPDX 2.2 spec. And I think we’re at a stage right now where it’s good enough that there’s enough people using it, we want to probably take it to ISO. So we’ve been re-formatting the document and we’ll be starting to submit it into ISO so it can become an international specification. And that’s happening.

Swapnil Bhartiya: Can you talk a bit about if there is anything additional that was added to the 2.2 specification. Also, I would like to talk about some of the use cases since you mentioned the automaker. But before that, I just want to talk about anything new in the specification itself.

Kate Stewart: So in the 2.2 specifications, we’ve got a lot more relationships. People wanted to be able to handle some of the use cases that have come up from containers now. And so they wanted to be able to start to be able to express that and specify it. We’ve also been working with the NTIA. Basically they have a software bill of materials or SBoM working groups, and SPDX is one of the formats that’s been adopted. And their framing group has wanted to see certain features so that we can specify known unknowns. So that’s been added into the specification as well.

And then there are, how you can actually capture notices since that’s something that people want to use. The license has called for it and we didn’t have a clean way of doing it and so some of our tool vendors basically asked for this. Not the vendors, I guess there are partners, there are open source projects that wanted to be able to capture this stuff. And so we needed to give them a way to help.

We’re very much focused right now on making sure that SPDX can be useful in tools and that we can get the automation happening in the whole ecosystem. You know, be it when you build a binary to ship to someone or to test, you want to have your SBoM. When you’ve downloaded something from the internet, you want to have your SBoM. When you ship it out to your customer, you want to be able to be very explicit and clear about what’s there because you need to have that level of detail so that you can track any vulnerabilities.

Because right now about, I guess, 19… I think there was a stat from earlier in the year from one of the surveys. And I can dig it up for you if you’d like, but I think 99% of all the code that was scanned by Synopsys last year had open source in it. And of which it was 70% of that whole build materials was open source. Open source is everywhere. And what we need to do is, be able to work with it and be able to adhere to the licenses, and transparency on the licenses is important as is being able to actually know what you have, so you can remediate any vulnerabilities.

Swapnil Bhartiya: You mentioned a couple of things there. One was, you mentioned tooling. So I’m kind of curious, what sort of tooling that is already there? Whether it’s open source or open source be it basically commercialization that worked with the SPDX documents.

Kate Stewart: Actually, I’ve got a document that basically lists all of these tools that we’ve been able to find and more are popping up as the day goes by. We’ve got common tools. Like, some of the Linux Foundation projects are certainly working with it. Like FOSSology, for instance, is able to both consume and generate SPDX. So if you’ve got an SPDX document and you want to pull it in and cross check it against your sources to make sure it’s matching and no one’s tampered with it, the FOSSology tool can let you do that pretty easily and codes out there that can generate FOSSology.

Free Software Foundation Europe has a Lindt tool in their REUSE project that will basically generate an SPDX document if you’re using the IDs. I guess there’s actually a whole bunch more. So like I say, I’ve got a document with a list of about 30 to 40, and obviously the SPDX tools are there. We’ve got a free online, a validator. So if someone gives you an SPDX document, you can paste it into this validator, and it’ll tell you if it’s a valid SPDX document or not. And we’re looking to it.

I’m finding also some tools that are emerging, one of which is decodering, which we’ll be bringing into the Act umbrella soon, which is looking at transforming between SPDX and SWID tags, which is another format that’s commonly in use. And so we have tooling emerging and making sure that what we’ve got with SPDX is usable for tool developers and that we’ve got libraries right now for SPDX to help them in Java, Python and Go. So hopefully we’ll see more tools come in and they’ll be generating SPDX documents and people will be able to share this stuff and make it automatic, which is what we need.

Another good tool, I can’t forget this one, is Tern. And actually Tern, and so what Tern does is, it’s another tool that basically will sit there and it will decompose a container and it will let you know the bill of materials inside that container. So you can do there. And another one that’s emerging that we’ll hopefully see more soon is something called OSS Review Toolkit that goes into your bill flow. And so it goes in when you work with it in your system. And then as you’re doing bills, you’re generating your SBoMs and you’re having accurate information recorded as you go.

As I said, all of this sort of thing should be in the background, it should not be a manual time-intensive effort. When we started this project 10 years ago, it was, and we wanted to get it automated. And I think we’re finally getting to the stage where it’s going to be… There’s enough tooling out there and there’s enough of an ecosystem building that we’ll get this automation to happen.

This is why getting it to ISO and getting the specification to ISO means it’ll make it easier for people in procurement to specify that they want to see the input as an SPDX document to compliment the product that they’re being given so that they can ingest it, manage it and so forth. But by it being able to say it’s an ISO standard, it makes the things a lot easier in the procurement departments.

OpenChain recognized that we needed to do this and so they went through and… OpenChain is actually the first specification we’re taking through to ISO. But for SPDX, we’re taking it through as well, because once they say you need to follow the process, you also need some for a format. And so it’s very logical to make it easy for people to work with this information.

Swapnil Bhartiya: And as you’ve worked with different players, different of the ecosystem, what are some of the pressing needs? Like improve automation is one of those. What are some of the other pressing needs that you think that the community has to work on?

Kate Stewart: So some of the other pressing needs that we need to be working on is more playbooks, more instructions, showing people how they can do things. You know, we figured it out, okay, here’s how we can model it, here’s how you can represent all these cases. This is all sort of known in certain people’s heads, but we have not done a good job of expressing to people so that it’s approachable for them and they can do it.

One of the things that’s kind of exciting right now is the NTIA is having this working group on these software bill of materials. It’s coming from the security side, but there’s various proof of concepts that are going on with it. One of which is a healthcare proof of concept. And so there’s a group of about five to six device manufacturers, medical device manufacturers that are generating SBoMs in SPDX and then there are handing them into hospitals to go and be able to make sure they can ingest them in.

And this level of bringing people up to this level where they feel like they can do these things, it’s been really eye-opening to me. You know, how much we need to improve our handholding and improve the infrastructure to make it approachable. And this obviously motivates more people to be getting involved. From the vendors and commercial side, as well as the open source, but it wouldn’t have happened, I think, to a large extent for SPDX without this open source and without the projects that have adopted it already.

Swapnil Bhartiya: Now, just from the educational awareness point of view, like if there’s an open source project, how can they easily create SBoM documents that uses the SPDX specification with their releases and keep it synced?

Kate Stewart: That’s exactly what we’d love to see. We’d love to see the upstream projects basically generate SPDX documents as they’re going forward. So the first step is to use the SPDX license identifiers to make sure you understand what the licensing should be in each file, and ideally you can document with eTags. But then there’s three or four tools out there that actually scan them and will generate an SPDX document for you.

If you’re working at the command line, the REUSE Lindt tool that I was mentioning from Free Software Foundation Europe will work very fast and quickly with what you’ve got. And it’ll also help you make sure you’ve got all your files tagged properly.

If you haven’t done all the tagging exercising and you wonder [inaudible 00:09:40] what you got, a scan code works at the command line, and it’ll give you that information as well. And then if you want to start working in a larger system and you want to store results and looking things over time, and have some state behind it all so like there’ll different versions of things over time, FOSSology will remember from one version to another and will help you create these [inaudible 00:10:01] off of bill materials.

Swapnil Bhartiya: Can you talk about some of the new use cases that you’re seeing now, which maybe you did not expect earlier and which also shows how the whole community is actually growing?

Kate Stewart: Oh yeah. Well, when we started the project 10 years ago, we didn’t understand containers. They weren’t even not on the raw mindset of people. And there’s a lot of information sitting in containers. We’ve had some really good talks over the last couple of years that illustrate the problems. There was a report that was put out from the Linux Foundation by Armijn Hemel, that goes into the details of what’s going on in containers and some of the concerns.

So being able to get on top of automating, what’s going on with concern inside a container and what you’re shipping and knowing you’re not shipping more than you need to, figuring out how we can improve these sorts of things is certainly an area that was not initially thought about.

We’ve also seen a tremendous interest in what’s going on in IOT space. And so that you need to really understand what’s going on in your devices when they’re being deployed in the field and to know whether or not, effectively is vulnerability going to break it, or can you recover? Things like that. The last 10 years we’ve seen tremendous spectrum of things we just didn’t anticipate. And the nice thing about SPDX is, you’ve got a use case that we’re not able to represent. If we can’t tell you how to do it, just open an issue, and we’ll start trying to figure it out and start to figure if we need to add fields in for you or things like that.

Swapnil Bhartiya:  Kate, thank you so much for taking your time out and talking to me today about this project.

SODA Foundation: Autonomous data management framework for data mobility

SODA Foundation is an open source project under Linux Foundation that aims to establish an open, unified, and autonomous data management framework for data mobility from the edge, to core, to cloud. We talked to Steven Tan, SODA Foundation Chair, to learn more about the project.

Here is a transcript of the interview:

Swapnil Bhartiya: Hi, this is Swapnil Bhartiya, and today we have with us Steven Tan, chair of the SODA foundation. First of all, welcome to the show.
Steven Tan: Thank you.

Swapnil Bhartiya: Tell us a bit about what is SODA?
Steven Tan: The foundation is actually a collaboration among vendors and users to focus on data management for, how do you call, autonomous data mesh management. And the point of this whole thing is how do we serve the users? Because a lot of our users are getting a lot of data challenges, and that’s what this foundation is for. To get users and vendors together to help to address these data challenges.

Swapnil Bhartiya: What kind of data are we talking about?
Steven Tan: The data that we’re talking about is referring to anything like data protection, data governance, data replication, data copy management and stuff like that. And also data integration, how to connect the different data silos and stuff.

Swapnil Bhartiya: Right. But are we talking about enterprise data or are we talking consumer data? Like there is a lot of data with Facebook, Google, and Gmail, and then there are a lot of enterprise data, which companies … Sorry, as an enterprise, I might put something on this cloud, I can put it on this cloud. So can you please clarify what data are we talking about?
Steven Tan: Actually, the data that we’re talking about is … It depends on the users. There’re all kinds of data. Like for example, I mean, in the keynote that I gave two days ago, the example I gave was from Toyota. So Toyota use case is actually car data. So car data refers to things like the car sensor data, videos, map data and stuff. And then we have users like China Unicom. I mean, they have enterprise companies going to the cloud and so on. So they’ve all kinds of enterprise data over there. And then we also have other users like Yahoo Japan, and they have like a website. So the data that you’re talking about is web data, consumer data and stuff like that. So it’s across the board.

Swapnil Bhartiya: Oh, so it’s not as specific to an industry or any space or sector, okay. But why do you need it? What is the problem that you see in the market and in the current sphere that you’re like, hey, we should create something like that?
Steven Tan: So the problem that came, I mean the reason why all these companies came together is that they are building data centers that are from small to big. But a lot of the challenges that you have is like, it’s hard for a single project to address. It’s not like a business where we have a specific problem and then we need this to be solved and so on, it’s not like that. A lot of it is like, how do you connect the different pieces together in the data center together?
So there’s nothing like, no organization like that that can help them solve this kind of problem. Like how do you have, in order to address the data of … Or how do you address things like taking care of data protection and data privacy at the same time? And at the same time, you want to make sure that this data can be governed properly. So there isn’t any single organization that can help to take care of this kind of stuff, so we’re helping these users understand their problems and then come together and then we plan projects and roadmaps based on their problems and try to address them through these projects in the SODA foundation.

Swapnil Bhartiya: And you gave an example of data from the cars and all these things. Does that also mean that open source has helped solving a lot of problems by breaking down a lot of silos so that there’s a lot of interaction between different silos, which were like earlier separated and isolated? Today, as you mentioned, we are living in a data driven world. No matter what we do all the way from the Ring, to what we are doing right now, talking to each other, to the product that we’ll create in the end. But most of this data is living in their own silos. There may be a lot of value in that data, which cannot be extracted because one, it is locked into the silos. The second problem is that these days, data is kind of becoming the next oil. These companies are trying to capture all the data, irrespective of the fact of what value do they see in that data today? And by leveraging machine learning and deep learning, they can in the future … So how do you look at that, and how is SODA foundation going to break those silos, without compromising on our privacy, yet allow companies … Because the fact is, as much as I prefer my privacy, I also want Google Maps to tell me the fastest route where I want to go.
Steven Tan: Right. So I think there are certain, I mean, there are different levels of privacy that we’re going to take care of. And in terms of like, first of all, there are all kinds of … I mean, in terms of the different countries or different States or different provinces like in different countries, there are different kinds of regulations and so on. So first of all, like the data silos you talk about. Yes, that’s one of the key problems that we’re trying to solve. How to connect all the different data silos so as to reduce fragmentation, and then try to minimize the so called dark data that you’re talking about, and then extract all the values over there. So that’s one of the things that we try to get here. I mean, we try to connect all the different pieces, like in the different … The data may be sitting in the edge in the data center or different data centers and in the cloud. We try to connect all these pieces together.

I mean, that’s one of the first things that we tried to do. And then we tried to have data policies. I think this is a critical piece of things that a lot of the solutions out there don’t address. You have data policies, but it may be the data policies just for a single vendor solution. But once the data gets out, that solution then is out of control. So what we’re trying to do here is say, how do you have data policies across different solutions, so no matter where the data is it’s governed the same way, consistently? That’s the key. So then you can talk about how can you really protect the data in terms of privacy or govern the data or control the data? And in terms of the, I mentioned about the regions, right? So you know where the data is, and you know what kind of regulations that need to be taken care of and you apply it right there. That’s how it should work.

Swapnil Bhartiya: When we look at the kind of a scenario you talked about, I see it as two-fold. One is there is a technology problem and the second is people problem. So is SODA foundation going to deal with both, or are you going to just deal with the technology aspect of it?
Steven Tan: The technology part that we talk about, we try to define in terms of the API and so on to all the data policies and so on, and try to get as many companies to support this as possible. And then the next thing that we try to do is actually try to work with standards organizations to try to make this into a standard. I mean, that’s what we’re trying to do here.

And then government aspects, there are certain organizations that we are talking to. Like there’s the CESI, it’s China Electronic Standards organizations that we’re talking to that’s trying to work things into their … Actually, I’m not sure about China, because it’s, I mean, we don’t know about their sphere of influence within the CSI and so on. And then for the industry standards, there’s [inaudible 00:09:05] and so on, we’re trying to work with them and trying to get it to work.

Swapnil Bhartiya: Can we talk about the ecosystem that you’re trying to build around SODA foundation? One would be the participants who are actually contributing either the code or the vision, and then the users community who would actually be benefiting from it?
Steven Tan: So the ecosystem that we are trying to build, that’s the core part, which is actually the framework. So the framework, I mean, this part will be more of the data vendors or the storage vendors that will be involved in trying to build this ecosystem. And then the outer part, what I call the outer part of the ecosystem will be things like the platforms. Things like Kubernetes, VMware, all these different vendors, and then networking kind of stuff that you need to take care of like the big data analytics and stuff.

And then for the users, actually, if you can see from the SODA end-user advisory committee, I mean, that’s where most of our users are participating in the communication. So most of these users, I mean, they are from different regions and different countries and different industries. So we try to serve, I mean, whichever participant is interested in, they can participate in this thing. But the main thing is that because they may be from different industries, but actually most of the issues that they have is still the same thing. So there are some commonalities among all these users.

Swapnil Bhartiya: We are in the middle of 2020, because of COVID-19 everything has slowed down, things have changed. What does your roadmap, what does your plan look like? The structure, the governance and the plan for ’21 or end of the year?
Steven Tan: We are very, how do you call it? Very community-driven or focused kind of organization. We hold a lot of meetups and events and so on where we get together the users and the vendors and so on and the community in general. So with this COVID-19 thing, a lot of the plans has been upset. I mean, it’s in chaos right now. So most of the things are like what everybody is doing, moving online. So we are having some webinars and stuff, even as of right now when we are talking, we are having a mini summit going on with the Open Source Summit North America right now.

So for the rest of this year, most of our events will be online. We’re going to have some webinars and some meetups, you can find it out from our website. And the other plans that we have is that we are going to have, we just released the SODA federal release, which is the 1.0 release. And through the end of this year, we’re going to have two more releases, the G release and the H release at the end of this year. G release is going to be in September, and H is in the end of the year. And we’re trying to engage our users with things like the POC testing for the federal. Because each release that we have, we try to get them to do the testing, and then so that’s the way of them trying to provide feedback to us. Whether that works for them or how can we improve to make the code work for what they need.

Swapnil Bhartiya: Awesome. So thank you so much for taking your time out and explaining more about SODA foundation, and I look forward to talking to you again because I can see that you have a very exciting pipeline ahead. So thank you.
Steven Tan: Thank you, thank you very much.

Linux System Administration Training and Certification Leads to New Career

Fabian Pichardo has worked with multiple hardware platforms such as Nvidia, Xilinx, Microchip, and National Instruments, and is skilled in languages such as C++, Python, Matlab, and Julia. During university, Fabian created the Mechatronic Student Society to offer programming training for newbies and demonstrate new technology trends.

In 2018 he applied for and was awarded a Linux Foundation Training (LiFT) Scholarship in the Open Source Newbies category to increase his experience with open source technologies.

Developer Velocity: How software excellence fuels business performance (McKinsey)

McKinsey and Co writes:

With technology powering everything from how a business runs to the products and services it sells, companies in industries ranging from retail to manufacturing to banking are having to develop a range of new skill sets and capabilities. In addition to mastering the nuances of their industry, they need to excel first and foremost at developing software.

It’s a big leap for many, yet a large number of businesses are working hard to make it. At the Goldman Sachs Group, for instance, computer engineers make up about one-quarter of the total workforce. Within retail, software development is the fastest-growing job category. Indeed, of the 20 million software engineers worldwide, more than half are estimated to be working outside the technology industry, and that percentage is growing.

Read more at McKinsey

Participate in the 2020 Open Source Jobs Report!

The Linux Foundation has partnered with edX to update the Open Source Jobs Report, which was last produced in 2018. The report examines the latest trends in open source careers, which skills are in demand, what motivates open source job seekers, and how employers can attract and retain top talent. In the age of COVID-19, this data will be especially insightful both for companies looking to hire more open source talent, as well as individuals looking to advance or change careers.

The report is anchored by two surveys, one of which explores what hiring managers are looking for in employees, and one focused on what motivates open source professionals. Ten respondents to each survey will be randomly selected to receive a US$100 gift card to a leading online retailer as a thank you for participating!

All those working with open source technology, or hiring folks who do, are encouraged to share your thoughts and experiences. The surveys take around 10 minutes to complete, and all data is collected anonymously. Links to the surveys are at the top and bottom of this post.

Take the open source professionals survey

Take the hiring managers survey

Welcome Antmicro to the OpenPOWER Foundation

OpenPOWER Foundation Executive Director James Kulina writes:

This May, Antmicro announced support for the POWER ISA in Renode, its open source, multi-architecture, heterogeneous multi-core capable simulator for software development and software-hardware co-development.

It’s an exciting development, as developers can now test applications based on the POWER ISA before running them on actual hardware. It’s an important step in achieving the vision of the OpenPOWER Foundation – to make POWER the easiest architecture on which to go from an idea to a silicon chip.

I recently caught up with Michael Gielda, VP of business development, to discuss Antmicro, its role in the OpenPOWER Foundation ecosystem and its beliefs on open source hardware in general.

Read more at OpenPOWER Foundation

Meet the new GM of CNCF – Priyanka Sharma

CNCF, a Linux Foundation project, recently appointed Priyanka Sharma as its new GM. As a long time expert of cloud native technologies Sharma brings unique vision and insights to the organization. On behalf of the Linux Foundation, Swapnil Bhartiya, founder and producer at TFiR talked to Sharma to better understand the vision she has for CNCF and what goals she has set for herself and the foundation.

Here is the transcript of our interview.

Swapnil Bhartiya: Hi, this is Swapnil Bhartiya. Today, we have with us Priyanka Sharma. Now she’s in the role of general manager of CNCF. Priyanka, first of all, welcome to the show in your new role.

Priyanka Sharma: Thank you so much for having me, Swapnil.

Swapnil Bhartiya: What exactly is the role of GM at CNCF, and how different is it from the role of executive director that Dan used to have there?

Priyanka Sharma: No difference at all, actually. I am stepping into the role Duncan had. Across the LF, various projects and some foundations have different titles for the leadership, and me being a GM is really giving a nod to trying to consolidate everything as one title, so that’s really where it comes from, it’s the same job.

Swapnil Bhartiya: If you look at CNCF now, it has played a very critical role in creating a home for cloud native technologies like Kubernetes, and now there are so many … I mean the landscape is so huge you cannot even see it, which also mean that a lot of consolidation within CNCF has to happen from the point of view of a lot of projects are overlapping, a lot of projects have gaps. What are your thoughts about that?

Priyanka Sharma: Yes. Absolutely. I actually think it’s a great thing. By charter, the CNCF does not intend to be a kingmaker. We are very different, I guess, from any other foundations in that we really focus on spreading the wave of cloud native for helping the ecosystem build better software quicker and more resiliently. For that, there are multiple tools people can use. They may use option A for telemetry versus option B for reasons that are specific to their system. And we don’t want to be getting into the middle of that. We want to support every solid, good project out there with a neutral IP space, open governance, best practices, support with marketing education, etc. It’s actually a good thing for the end users to have choice, and we enable that.

Swapnil Bhartiya: Right. If you look at CNCF, I think it’s like ’13, ’14, it’s been four or five years since the organization has been around, a lot of projects under the foundation have kind of matured. The ecosystem itself has matured. There are a lot of companies who are doing … and things are moving from testing to production. And there is a very healthy ecosystem there. What role is cloud CNCF playing today for the ecosystem, and how do you see the evolution of CNCF itself?

Priyanka Sharma: Great question. A few things. First off is yes, we’ve made great progress. The first wave of cloud native has gone exceptionally well. 2016, when I joined this ecosystem as a project contributor to open tracing, we were still talking about what are microservices, why you need to do cloud computing, very basic, right? And since then, a lot has changed, which is awesome. However, with new maturity, comes new complexity, and that’s why you see we are still accepting new projects, right, to support the entire development cycle.

In addition, there’s the crossing the chasm, as they say, for various technologies and projects. Kubernetes is definitely crossing the chasm right now, but we have not just 1 but 10 graduated projects, including Kubernetes. We are supporting all of those projects to also cross the chasm. We need to also make Kubernetes more widespread. If you notice, most KubeCons that happen, which are our flagship events, I think at least 25% of the audience each year is brand new first timers.

We actually were having conversation just a few hours back today about don’t underestimate the importance and need for consistent cloud native one on one nurturing. The job is far from done. We need to go deeper with developer engagement. We need to go deeper with end user engagement now that we have made some headway. The second wave of cloud native is just starting.

Swapnil Bhartiya: Excellent. Now when we look at second wave, so far the ride has become kind of easy breeze. But what are the challenges that you see that you want to tackle as you move into the second wave? Or what kind of challenges you’re setting for yourself, which are not the easy one, but you see there is a demand so that you have to do that?

Priyanka Sharma: I had various thoughts and ideas around this stuff. And when I was going to join the organization, I was going to take a complete few months to do a listening tour. Of course you know what they say about the best-laid plans of mice and men, the pandemic hit. The world scenario has completely changed. There’s been shelter-in-place orders various places. People are suffering many places with illness. There is the COVID illness. And then there’s other things that come up and you’re stuck at home for so long, so it’s not an easy time. It’s not a normal time. It’s not a usual time. And that reflects for the cloud native community as well. As an example, we’ve hosted the KubeCons, our flagship events in person with great fanfare, with lots of support, love and excitement from the community.

Now, we have to pivot completely and do it all online in a world where the online solutions are sort of catching up to be able to support large scale events like ours. So joining in, there are challenges that have been thrown my way by just the timing, right? In addition to the events which we’re working very hard on as a team, there is also just your community has different needs. There’s some people may want to be switching jobs or looking for jobs. That’s one element that we need to think about. Some people may need the support that they felt otherwise by going to meet ups, by being more in touch with people around them on cloud native. There are others whose businesses actually might be growing exponentially just because everything’s going online, just supporting them with the technology. There are various elements to this new, strange time that we find ourselves in. So that is a big challenge.

In addition, I would say Dan and Chris have built an amazing, massively impactful organization. For me, I intend to keep this momentum going, to keep building on what they have created. We all stand on the shoulders of giants here. I think the next big thing once we get through pandemic is to double down on the end user ecosystem. The end users have grown and become consistently more sophisticated and technical over the times in the last four years I’ve been involved. We need to support that and enable greater adoption, better insights, safe spaces to discuss and communicate with each other, so that’s coming.

And then finally, as I said, developer education and engagement has to go deeper and wider. That’s what I set for myself.

Swapnil Bhartiya: When you look at CNCF, what vision do you have? Because you yourself have been in the community, in the industry for so long, but you were also on the outside. You are not inside Linux Foundation. You have been working with private companies, so you have an outsider’s view. What unique vision did you bring to the CNCF? Because sometimes when we work within an organization for so long, we have our own myopic view. Can you talk about that?

Priyanka Sharma: You’re absolutely right, that I have worn multiple hats, seen CNCF through different lenses, and I can bring that perspective to this foundation. I’d say one thing that’s been a somewhat disturbing trend I notice was this othering of different parts of the community. It’s like CNCF staff versus end user versus project creator versus GB versus this. You can have so many different categories. But the reality is I really don’t think that’s the way the ecosystem truly functions well I don’t think there’s that much meat in that way of thinking. And we need to change and go back to what we’re good at, which is being builders and doers and being team cloud native, all of us together.

If we in fight, then we don’t stand strong and build upon our work, but rather just dissipate energy. And I’ve seen that trend happen in cloud native. I cannot speculate on the reasons for it, but I make a call to each and every one of you, just know we’re in it together. I have worn multiple hats in this industry. I have been a project contributor. I have been an educator, a marketer. I have been a developer advocate. I have been a governing board member. I have done many things. And now, I’m the GM. Let me tell you, we are all in it together no matter what hat we wear, and we need to make an extra effort to do that. And that is something I think will be a big change if we can achieve it.

Swapnil Bhartiya: You can have as much GitHub repository for tech issues. But what realistic efforts we can see from CNCF to kind of achieve the kind of vision you are bringing, because this is kind of different than a technological problem?

Priyanka Sharma: I hear that. I think that a lot of it starts with the leadership. I have been put in this position and my number one goal is to always keep my door open, these days virtually. I live by an open calendar. Anybody can book time with me, talk to me, tell me what you think, and reach out to me. And I mean it. I have serious blocks open. Of course, they’re starting to get booked up really quickly, which is nice because that means people are taking me up on this offer, that let’s engage. Let’s talk it out. Let’s see where we are disagreeing, and either agree to disagree, which is a totally fair thing to do, or come closer together in some form of consensus.

I think conversation is the first step. We all get so busy with the day-to-day work, that that goes away to the wayside. And when that happens, miscommunication just develops and deepens. So number one is open door policy. Let’s talk. Whenever there’s confusion, let’s do that.

The other is bringing greater transparency. It’s just a habit I have that I picked up at GitLab working under Sid, which is being all remote, it’s important to document everything. So most of my meetings, they will have a document where we write down agenda notes, etc. Sharing that with the people you talk to so everyone’s actually on the same page. We wrote this down. This is what we’re doing. Little things like that can I think go a really long way in making sure people are moving in lockstep together. All this is also, by the way, an ongoing effort that you cannot let up. You have to keep being transparent. You have to keep being open. This is not a onetime thing. People have to keep being transparent. People have to keep their door open. It’s an ongoing effort that I will not stop and let up on. I think it will make a difference.

I’m actually proud to report that I’m already seeing, having taken the time to talk to a lot of people, we really are on the same team. Everyone wants us to just build better software together, and I’m very confident that the cultural change is happening as we speak.

Swapnil Bhartiya: Awesome. Before we dive this last question, we are going through a crisis, a very serious crisis, and we don’t see any end in the sight right now. It has impacted all of us. For example, we were supposed to be in person at open source event, but everything is moving to online events. How does this impact the industry in general? Because a lot of these events, they do bring people together, where they not only hallway track, where people just touch base with colleagues, but a lot of … actually, a lot of partnerships are forged there. What impact do you see, and how do you see CNCF would respond to that or is already responding to that?

Priyanka Sharma: Absolutely. Events play a great role in the community and ecosystem, and that’s just evidenced by the awesomeness of KubeCons. Being at every KubeCon that I could be had open doors for me. Connected me to people who were happy to mentor, guide, talk to me. We cannot lose that, right? We all are waiting for things to change, right? The pandemic to go away one day for us to be able to meet in person. While we wait for that, here and the CNCF team, we are working to make KubeCon EU virtual in August as awesome of an experience as possible. There’s lots of ideas that we have. We sometimes have technology limitations in terms of the platforms that are available, and we’re trying to work through that.

My sense is that we’ll have a bunch of ideas in experiment at KubeCon EU in August, and by the time KubeCon North America, which was going to be Boston, but just today was announced is going to be virtual as well, by the time that rolls around, I think we’ll have a lot more cool engagement and innovation possible.

I did a small event a few weeks before joining CNCF, just for fun. I just wanted to see other community folks. And the reality is that it was cool because we were able to livestream, and we’d expected 200 people, but 2,000 showed up. No, actually, 7,000 at maximum views. It was crazy, crazy numbers. And that’s the equalizer that comes with online events. It’s nice to be able to reach more people. We have to figure out the engagement, have more fun games and trivia prizes, ways to connect a maintainer to someone who has a question, ways to connect a student to someone who will tell them how to contribute. These are the things we need to work on and it’s actively underway.

Swapnil Bhartiya: Awesome. Thank you, Priyanka, so much for taking time out and talking to me today, and I look forward to talk to you again. Thank you.

Priyanka Sharma: Same here. Thank you, Swapnil.


Student Linux club refurbishes computers to support distance learning (opensource.com)

Cam Citrowske on opensource.com writes:

It was March 17, 2020, and I was in my classroom at Aspen Academy. The clock was ticking. This was to be the last day of school before we, along with every other public school in Minnesota, would close due to the outbreak of the new coronavirus. I had students in my room during lunch, advisory periods, and my elective classes all doing the same thing—installing Linux onto old computers so we could give them to students who would use them for school at home during the shelter in place order. I was only going to have the kids’ help until dismissal time, but in the end, we had 17 computers ready to go. It was a start.

Read more at opensource.com