
A Brief History of Open Source Software, Part 2: OSS Licenses and Legalities

It would not be an exaggeration to say that the magic of open source software (OSS) is based as much on legal innovation as it is on collaboration. Indeed, the essential innovation that launched free and open source software was not Richard Stallman's GNU Project, but his announcement of a revolutionary new licensing philosophy, and the actual license agreements needed to put that philosophy into effect. Only later did global collaboration among developers explode, riding the wave of Stallman's licenses, Linus Torvalds' pioneering work in creating the distributed development process, and rapidly increasing telecommunications bandwidth.
[Source: Andy Updegrove]

Like its Windows-noob-stabilisers OS, Zorin’s cloudy Grid tool is Linux desktop management for idiots

Zorin, which provides a Linux distro designed to look familiar for migrating Windows and Mac users, has announced a subscription-based management tool for Linux desktops.

Six desktop layouts in Zorin include Windows, macOS, Touch, Ubuntu, and Gnome 3, though the full range is only available in the paid-for Ultimate edition (€39 + VAT). But the free Core edition is fully usable, includes the Windows-like desktop, and most of the software in Ultimate can be added manually. The main reason to purchase Ultimate is for installation support and to help finance the Ireland-based project.

[Source: The Register]

The Importance Of Growing Developer Action On Open Source Enterprise Blockchain Solutions

Since major enterprises started taking blockchain seriously and looking at the technology's potential in their chosen arena, a number of popular enterprise-grade blockchain solutions have come to the fore.

Some of these solutions are sold to companies as an all-in-one solution, slightly deviating from some of the core decentralized and open-sourced pillars of the technology, but the more popular ones are open-sourced and constantly being developed. The likes of Hyperledger Fabric, as well as Sawtooth and Besu, R3 Corda, and Quorum are all open source solutions that have been tracked for developer activity by blockchain service firm Chainstack.

[Source: Forbes]

The Risks and Potential Impacts Associated with Open Source

Open source software (OSS) is built by communities of developers who contribute their knowledge and time to OSS projects they find appealing. That code can then be used by individuals, communities and organizations in their software products—the only obligation they have is to play under the rules of the license with which the OSS project was published.

This type of knowledge sharing brings many benefits to OSS users as it speeds up software development time and can help companies become more competitive in the market. Unfortunately, there is also a catch. Those benefits also come with certain risks which every OSS user needs to be aware of and take necessary actions to mitigate.

The OSS License: One specific risk to consider involves the OSS license. Not knowing what your obligations are under the license (or not abiding by those obligations) can cause an OSS user to, for example, lose intellectual property or experience a monetary loss.

[Source: DevOps.com]

Microsoft releases open source source code analyzer

Looking to aid developers who rely on external software components, Microsoft has introduced a source code analyzer, Microsoft Application Inspector, to help surface features and other characteristics of source code.

Downloadable from GitHub, the cross-platform command-line tool is designed for scanning components prior to use to assist in determining what the software is or what it does. The data it provides can be useful in reducing the time needed to determine what software components do by examining the source code directly rather than relying on documentation.

[Source: InfoWorld]

An Open Source Alternative to AWS SageMaker

There’s no shortage of resources and tools for developing machine learning algorithms. But when it comes to putting those algorithms into production for inference, outside of AWS’s popular SageMaker, there’s not a lot to choose from. Now a startup called Cortex Labs is looking to seize the opportunity with an open source tool designed to take the mystery and hassle out of productionalizing machine learning models.

Infrastructure is almost an afterthought in data science today, according to Cortex Labs co-founder and CEO Omer Spillinger. A ton of energy is going into choosing how to attack problems with data – why, use machine learning of course! But when it comes to actually deploying those machine learning models into the real world, it’s relatively quiet.

[Source: Datanami]

Building Zero Trust authentication for multi-cloud application services

One of the fundamental challenges organizations have with multi-cloud and hybrid cloud environments is how to easily establish secure communication across different clouds and environments. Cloud providers have their own identity and access management solutions, such as AWS IAM, to manage what access an instance should and should not have. But as soon as the applications or services need to communicate from AWS to GCP or from AWS to their on-prem infrastructure, it becomes a challenge because the identity is AWS-specific and not interoperable. Engineering and operations teams need something secure that works across environments and at the same time does not add any friction to the deployment cycles.

This is the problem Scytale is trying to address with the Secure Production Identity Framework for Everyone (SPIFFE) and the SPIFFE Runtime Environment (SPIRE). Both of these open-source projects originated at Scytale but are now part of the Cloud Native Computing Foundation (CNCF). These projects have grown in popularity within the cloud native community and have seen contributions from organizations such as Amazon, Bloomberg, Google, Pinterest, Square, Uber and more.

“Scytale is the primary driver of these projects that offer ‘interoperable identity’ between different cloud providers and different platforms,” said Evan Gilman, Senior Engineer at Scytale.io and co-author of Zero Trust Networks. “From the commercial angle, we have built solutions to help organizations adopt these projects faster and extend their functionalities to address the needs of enterprise customers.”

Vendor and technology neutral identity solution
The passport analogy best explains interoperable identity. Passports from different countries all look different, but they all have the same size and meet the same specifications. They all have a picture of the passport holder at the same spot, they all have a barcode at the bottom. Regardless of what country issued the passport, it works across the globe.

A “country” can be a particular software stack, platform, or a cloud provider. Regardless of the environment, the identities that exist within and between those silos can communicate.

Interoperable identity becomes even more critical in the multi-cloud and hybrid cloud deployments, as they raise this fundamental challenge of how users secure communication across those boundaries.

“We are bringing in a platform-agnostic service identity that is not specific to a cloud provider, platform, and technology,” said Gilman. It levels the playing field and allows users to talk across boundaries. Users won’t talk in AWS or GCP specifics; they communicate on the SPIFFE level. “SPIFFE provides users with what is sometimes referred to as a secure dial tone: you pick up the phone, it rings the other side irrespective of where it’s running and what platform it’s running on,” added Gilman.

SPIFFE-based service authentication foundational for zero trust networks
SPIFFE is a standard, a set of documents, whereas SPIRE is the software implementation of that standard. SPIRE implements the SPIFFE specifications and enables workloads or services to get these “passports” as soon as they boot, in a way that is very reliable, scalable, and highly automated. This identity-centric authentication is also critical for building a zero trust-based security model, which removes reliance on networks to deliver trustworthy information.

“Networks have been historically fairly manipulable. So instead we build systems in such a way that it doesn’t rely on that network to deliver trustworthy information,” said Gilman, “We use protocols and strong authentication and authorization to try to mitigate any kind of business that might happen on the wire. It also mitigates what we call lateral movement. So if a neighbor is compromised, just because you’re attached to the same network, that should not mean that you should gain access that you would not have otherwise.”

Gilman explains, “Part of the SPIFFE specification set deals with what we call ‘federation’. There is usually a centralized authority that issues these identities. In reality, there are different companies that have their own authorities. Even different software stacks have their own authorities. There is a need to bridge these gaps.”

That’s where the SPIFFE Federation enters the picture. It swaps these cryptographic keys between different domains. It allows users with different identity providers to communicate effortlessly.

One key design principle of SPIFFE Federation is that it is compatible with OIDC, which is a similar identity federation spec but is more focused on users. SPIFFE Federation allows for server-to-server and service-to-service communication. Any existing OIDC-capable system can take advantage of it: a workload can pass one of its SPIFFE identity documents to a public cloud like AWS, which will be able to validate it using this OIDC SPIFFE Federation mechanism.
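To make the federation mechanism concrete, here is an added example (not SPIRE's own code): a verifier that holds one CA per trust domain, the bundles that federation exchanges, and accepts an X.509 identity document (an X509-SVID in SPIFFE terms) only if its single spiffe:// URI SAN names a trust domain whose CA actually signed it. The trust-domain names, the mint helper standing in for a SPIRE server, and the use of Ed25519 keys are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)
// Federation maps each trust domain to its CA; SPIFFE Federation is the exchange of these CAs.
type Federation map[string]*x509.Certificate
// Verify accepts an identity document only if it carries exactly one spiffe:// URI SAN and chains
// to the CA of the trust domain named in that URI: a.example's CA can never vouch for b.example.
func (f Federation) Verify(svid *x509.Certificate) (string, error) {
	if len(svid.URIs) != 1 || svid.URIs[0].Scheme != "spiffe" || svid.URIs[0].Host == "" {
		return "", fmt.Errorf("certificate does not carry a single SPIFFE ID")
	}
	id := svid.URIs[0]
	ca, ok := f[id.Host] // the trust domain is the URI host
	if !ok {
		return "", fmt.Errorf("trust domain %q is not federated", id.Host)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := svid.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "", fmt.Errorf("%s: %w", id, err)
	}
	return id.String(), nil
}
// mint stands in for a SPIRE server's CA (constructed for this example): with id == "" it
// self-signs a CA for trust domain td; otherwise parent issues a leaf carrying id as its URI SAN.
func mint(td, id string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: td},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if id == "" {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed root of the trust domain
	} else {
		u, _ := url.Parse(id)
		tmpl.URIs, tmpl.KeyUsage = []*url.URL{u}, x509.KeyUsageDigitalSignature
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```

Wire it up by calling mint once per trust domain with an empty id to get each domain's CA, building a Federation from those CAs, and passing every leaf that mint issues to Verify. A leaf that claims spiffe://b.example/... but was signed by a.example's CA is rejected even though both domains are federated.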

While SPIFFE as a specification doesn’t change, SPIRE has a monthly release cadence. It continues to add new features on a regular basis.

The latest release introduced integration with the AWS Private CA Manager, which means that SPIRE deployments living inside AWS can use it to protect the signing keys for identities. These identities are cryptographically backed, so there is a key that is used to sign them. One of the biggest challenges is to secure these signing keys. Being able to bury that key inside the AWS service, which is backed by hardware protection, is an incredible feature.

The community is also working on a feature called Nested SPIRE, which allows users to have multiple SPIRE server clusters that form a tree and chain up to each other.

Together, these new features give a lot of flexibility in terms of architecting for failure modes and failure domains, and architecting around different security domains.

Linux 5.5 Released With Many Hardware Support Improvements

Linus Torvalds has just released Linux 5.5 as stable. While there was an uptick in patches this week and some concern the Linux 5.5 cycle may be extended due to the downtime encountered around the Christmas and New Year's holidays, Linus did opt to release the 5.5 kernel on schedule today rather than going for an extra release candidate.

Linux 5.5 brings many changes including Raspberry Pi 4 support, AMD Navi GPU overclocking, support for new and upcoming Intel platforms, enabling 5-level paging by default, an NVMe drive temperature driver that is convenient and better than the current user-space utilities, Chromebook Wake-On-Voice support, KUnit for in-kernel unit testing, and much more.

[Source: Phoronix]

The best free and open-source alternatives to Google Drive on Android

Let’s check out the open-source equivalents to Google Drive, the company’s cloud storage product. Thankfully, the feature gap between Google Drive and the alternatives isn’t massive — all of them have clients for desktop and mobile, easy file sharing, and other features. Depending on what hardware you have on hand, these options might not even cost you anything.

NextCloud: NextCloud is widely regarded as the golden standard for hosting your own cloud. It goes far beyond simply hosting files — there are plugins for adding a task manager, a calendar, collaborative document editing (akin to Google Docs), video conferencing tools, notes, and much more. While the Android app only supports managing files, there are some Android clients for NextCloud plugins.

[Source: Android Police]

BT’s ‘open source’ approach will challenge Huawei’s dominance

BT is seeking to challenge the dominance of Huawei over the industry by throwing its weight behind a new “open source” approach to buying essential network gear, the chief executive of Openreach has claimed.

Clive Selley, who runs BT’s separate Openreach broadband business, said the company was seeking to push back against the existing industry structure in which a handful of suppliers, including China’s Huawei, Sweden’s Ericsson and Finland’s Nokia, hold too much power over a highly consolidated market.

[Source: The Telegraph]