
The Linux Foundation and Fintech Open Source Foundation Announce the Agenda for Open Source Strategy Forum London 2021, Oct 4-5

Experts from financial services, technology and open source will come together to deepen collaboration and drive innovation across the industry in order to deliver better code, faster.

SAN FRANCISCO, August 11, 2021 —  The Linux Foundation, the nonprofit organization enabling mass innovation through open source, and co-host Fintech Open Source Foundation (FINOS), a nonprofit whose mission is to accelerate adoption of open source software, standards and best practices in financial services, today announced the conference agenda for Open Source Strategy Forum London 2021 (OSSF). The event takes place October 4-5 in London, England. The schedule can be viewed here.

The event will gather experts from financial services, technology and open source who will come together for thought-provoking insights and conversations, providing unique opportunities to hear from and engage with those who are leveraging open source software to solve industry challenges. OSSF is the only conference dedicated to driving collaboration and innovation in financial services through open source.

The event will feature 35+ sessions and endless opportunities to learn about the most cutting edge topics at the cross section of finance, open source and technology, revealing recent developments and the direction of open source in financial services.

Conference Session Highlights:

An Open-sourced Solution to Data Governance? How Legend May Be the Answer to Data Quality Concerns in the Financial Industry – Ffion Acland & Beeke-Marie Nelke, Goldman Sachs

New Generation of Mainframers – John Mertic, The Linux Foundation; Jessielaine Punongbayan, Broadcom; and Alex Kim, Vicom Infinity

Open Banking, Open Source, and Open Standards – Kevin Morris, Large Credit Union Coalition

How to Maximize Open Source Investment to Drive Business Innovation – Traci Robinson-Williams, GitLab

If It’s Such a Good Idea, Why Haven’t We Been Doing It? – Gil Yehuda, U.S. Bank

Develop Automated Workflows in Seconds – Olivier Poupeney, Symphony Communication Services

Registration is offered at the early price of 220 GBP through Aug 17. Members of The Linux Foundation receive a 20 percent discount – members can contact events@linuxfoundation.org to request a member discount code. Members of FINOS can attend at no cost – members can contact ossf@finos.org to request the FINOS Member registration code. 

Health and Safety
In-person attendees will be required to be fully vaccinated against the COVID-19 virus and wear a mask while onsite at the event. Additionally, all attendees will need to comply with all on-site health measures, in accordance with The Linux Foundation Code of Conduct. To learn more, visit the Health & Safety webpage and read our blog post.

Diversity & Need-Based Scholarships and Travel Funding

Applications for diversity and need-based scholarships are currently being accepted here. The Linux Foundation’s Travel Fund is also accepting applications, with the goal of enabling open source developers and community members to attend events that they would otherwise be unable to attend due to a lack of funding. We place an emphasis on funding applicants who are from historically underrepresented or untapped groups and/or those of lower socioeconomic status. To learn more and apply, click here.

Sponsor

For information on becoming an event sponsor, click here or email us for more information and to speak to our team. The Sponsorship deadline is September 9. 

Press
Members of the press who would like to request a press pass to attend should contact Kristin O’Connell.

About the Linux Foundation
Founded in 2000, the Linux Foundation is supported by more than 2,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit linuxfoundation.org.

The Linux Foundation Events are where the world’s leading technologists meet, collaborate, learn and network in order to advance innovations that support the world’s largest shared technologies.

Visit our website and follow us on Twitter, Linkedin, and Facebook for all the latest event updates and announcements.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds. 

###

Media Contact

Kristin O’Connell
The Linux Foundation

koconnell@linuxfoundation.org

The post The Linux Foundation and Fintech Open Source Foundation Announce the Agenda for Open Source Strategy Forum London 2021, Oct 4-5 appeared first on Linux Foundation.

How OpenStack uses Ceph for storage

You may know that OpenStack can use Ceph as back-end storage, but do you know how it works?
Read More at Enable Sysadmin

Intro to Kernel and Userspace Tracing Using BCC, Part 1 of 3

An introduction on how to use the BPF Compiler Collection (BCC) to trace Linux kernel and userspace applications.

Click to Read More at Oracle Linux Kernel Development

Build a lab in five minutes with three simple commands

It’s handy to have a lab environment separate from your day-to-day workstation. Use these commands to set up a place to learn and experiment without risking your work environment.
Read More at Enable Sysadmin

How to use the Linux BIND command to install and configure DNS

The DNS helps you get where you want to be on the internet. Make sure you know what it is and how to set up, configure, and test it.
Read More at Enable Sysadmin

Funded open source security work at the Linux Foundation

Open source software (OSS) is vitally important to the functioning of society today; it underpins much of the global economy. However, some OSS is highly secure, while others are not as secure as they need to be.

By its very nature, open source enables worldwide peer review, yet while its transparency has the potential for enhanced software security, that potential isn’t always realized. Many people are working to improve things where it’s needed. Most of that work is done by volunteers or organizations outside the Linux Foundation (LF) who directly pay people to do the work (typically as employees). Often those people work together within a foundation that’s part of the Linux Foundation. Sometimes, however, the LF or an LF foundation/project (e.g., a fund) directly funds people to do security work.

At the Linux Foundation (LF), I have the privilege of overseeing focused work to improve OSS security by the very people paid to do it. This work is funded through various grants and foundations, with credits to organizations like Google, Microsoft, the Open Source Security Foundation (OpenSSF), the LF Public Health foundation, and the LF itself.

The LF and its foundations do much more that I don’t oversee, so I’ve only listed the ones I am personally involved with in the interest of brevity. I hope it will give you a sense of some of the things we’re doing that you might not know about otherwise.

The typical LF oversight process for this work is described in “Post-Approval LF Security Funding.” Generally, performers must provide a periodic summary of their work so they can get paid. Most of those summaries are public, and in those cases, it’s easy for others to learn about their interesting work!

Here’s a sample of the work I oversee:

Ariadne Conill is improving Alpine Linux security, including significant improvements to its vulnerability processing and making it reproducible. For example, as noted in the July 2021 report, this resulted in Alpine 3.14 being released with the lowest open vulnerability count in the final release in a long time. Alpine Linux’s security is important because many containers use it. For more information, see “Bits relating to Alpine security initiatives in June” and “Bits relating to Alpine security initiatives in July.”

kpcyrd is doing a lot of reproducible build work on Linux distributions, especially Alpine Linux (including on the Raspberry Pi) and Arch Linux. Reproducible builds are a strong countermeasure against build system attacks (such as the devastating attack on SolarWinds Orion). More than half of the currently unreproducible packages in Arch Linux have now been reviewed and classified.

David Huseby has been working on modifying git to have a much more flexible cryptographic signing infrastructure. This will make it easier to verify the integrity of software source code; git is widely used to manage source code.

Theo de Raadt has also been receiving funding to secure the critical “plumbing” behind modern communications infrastructure:

This funding is being used towards improving OpenSSH (a widely-used tool whose security is critical). These include various smaller improvements, an updated configuration file parser, and a transition to using the SFTP protocol rather than the older RCP protocol inside the scp(1) program.

It is also being used to improve rpki-client, implementing Resource Public Key Infrastructure (RPKI). RPKI is an important protocol for protecting the Internet’s routing protocols from attack. These improvements implement the RPKI Repository Delta Protocol (RRDP) data transfer protocol and fix various edge cases (e.g., through additional validation checks). The https://irrexplorer.nlnog.net/ service is even using rpki-client behind the scenes.

Nathan Chancellor is improving the Linux kernel’s ability to be compiled with clang (instead of just gcc). This includes eliminating warning messages from clang (which helps to reduce kernel bugs even when gcc is used) and fixing/extending the clang compiler (which helps clang users when compiling code other than the Linux kernel). Unsurprisingly this involves changing both the Linux kernel and the clang/LLVM compiler infrastructure, and sometimes other software as well.

In the long run, eliminating warnings that by themselves aren’t bugs is important; developers will ignore warnings if there are many irrelevant ones, but if there are only a few warnings, they’ll examine them (making warnings more useful).

Of notable mention for security implications is clang support for Control-Flow Integrity (CFI); this can counter many attacks on arm64, and work will eventually enable x86_64 support.

I oversee some security audits conducted via the Open Source Technology Improvement Fund (OSTIF) when funded through the LF. We (the LF) often work with OSTIF to conduct security audits. We work with OSTIF to define the audit scope, and then OSTIF runs a bidding process where qualified security audit firms propose to do the work. We then work with OSTIF to select the winner (who isn’t always the cheapest — we want good work, not a box-check). OSTIF & I then oversee the process and review the final result. Note that we don’t just want to do audits, we also want to fix or mitigate any critical issues the audits identify, but the audits help us find the key problems. Subject matter experts perform the audit reports, and handling bidding is OSTIF’s primary focus, so my main contribution is usually to help ensure these reports are clear to non-experts while still being accurate. Experts sometimes forget to explain their context and jargon, and it’s sometimes hard to fix that (you must know the terminology & technology to explain it).

This work included two security audits related to the Linux kernel, one for signing and key management policies and the other for vulnerability reporting and remediation. I’ve also overseen audits of the exposure notification applications COVID Shield and COVID Green:

It’s not part of my oversight of OSTIF on behalf of the LF, but I also informally talk with OSTIF about other OSS they’re auditing (such as flux2, lodash, jackson-core, jackson-databind, httpcomponents-core, httpcomponents-client, laravel, and slf4j). A little coordination and advice-sharing among experts can make everything better.

The future is hard to predict, but we anticipate that we will be doing more. In late July, the OpenSSF Technical Advisory Council (TAC) recommended approving funding for a security audit of (part of) Symfony, a widely-used web framework. The OpenSSF Governing Board (GB) approved this on 2021-08-05 and I expect OSTIF will soon take bids on it.

The OpenSSF is also taking steps to raise more money via membership dues (this was delayed due to COVID; starting a new foundation is harder during a pandemic). Once the OpenSSF has more money, we expect they’ll be funding a lot more work to identify critical projects, do security audits, fix problems, and improve or create projects to enhance OSS security. The future looks bright.

Please remember that this is only a small part of ongoing work to improve OSS security. Almost all LF projects need to be secure, so most foundations’ projects include security efforts not listed here. As noted earlier, most development work is done by volunteers or by non-LF organizations directly paying people to do the work (typically employees). 

The OpenSSF has several working groups and many projects where people are working together to improve OSS security. These include free courses on how to develop secure software and the CII Best Practices badge project. We (at the LF) also have many other projects working to improve OSS security. For example, sigstore is making cryptographic signatures much easier; sigstore’s “cosign” tool just released its version 1.0. Many organizations have recently become interested in software bill-of-materials (SBOMs), and we’ve been working on SBOMs for a long time.

If you or your organization would like to fund focused work on improving OSS security, please reach out! You can contribute to the OpenSSF (in general or as a directed fund); just contact them (e.g., Microsoft contributed to OpenSSF in December 2020). If you’d prefer, you can create a grant directly with the Linux Foundation itself — just email me at <dwheeler@linuxfoundation.org> if you have questions. For smaller amounts, say to fund a specific project, you can also consider using the LFX crowdfunding tools to fund or request funding. Many people & organizations struggle to pay individual OSS developers because of the need to handle taxes and oversight. If that’s your concern, talk to us. The LF has experience & processes to do all that, letting experts focus on getting the work done.

My sincere thanks to all the performers for their important work and to all the funders for their confidence in us!

About the author: David A. Wheeler is Director of Open Source Supply Chain Security for The Linux Foundation.

The post Funded open source security work at the Linux Foundation appeared first on Linux Foundation.

How to set up and use Python virtual environments for Ansible

Python’s venv module gives you freedom to test new Ansible features before deploying them to production and without disturbing your system install.
Read More at Enable Sysadmin

A sysadmin’s guide to setting up collaboration with Mattermost

Mattermost offers sysadmins an open source, on-premises collaboration suite that can be customized easily to suit a team’s specific needs.
Read More at Enable Sysadmin

Deep dive into Ansible ad hoc commands

Make life easier when dealing with Ansible automation by using ad hoc commands.
Read More at Enable Sysadmin

Vaccines + Masks for Safe In-Person Events – Read About All On-Site Safety Protocols

The Linux Foundation is ecstatic to return to in-person events next month; we know how important these face-to-face gatherings are to accelerating collaboration and innovation in the open source community. 

We know you have questions surrounding health and safety at in-person events and want to pause for a moment to address these. Rest assured – your health has been at the forefront of every move and decision we have made as we make a safe return back to in-person events.  

Let’s start here with some items from behind the scenes.

The LF has a long-standing relationship with Dr. Joel Selanikio, a physician, former CDC epidemiologist and outbreak investigator, and consultant epidemiologist to the DC Department of Health and to FEMA for the COVID-19 response over 2020-21. Thanks to Dr. Selanikio’s counsel over the last two years, we have been able to take educated and well-thought-out steps to ensure the safety of our community members as we navigate COVID-19.

We are working closely with local Departments of Health to ensure we are following all local requirements and recommendations.

We are continuing to monitor and follow all CDC, WHO and PHE/NHS (in the UK) guidelines, in addition to those of the local municipalities in which we are holding events.

We are checking in with our venues and vendors multiple times a week to ensure we are staying up-to-date on best practices and regulations.

Finally, The Linux Foundation Event Team have all been certified in handling Pandemic On-Site Protocols (by the Event Leadership Institute). The team is vaccinated, trained and equipped to handle safety protocols and procedures at our events and are more than happy to assist you onsite and ensure you are comfortable.

Vaccines, masks and everyone’s new favorite phrase: social distancing.

As announced previously, in-person attendees will be required to be fully vaccinated against the COVID-19 virus. A vaccine verification app will be used to confirm vaccination status.

Additionally, masks will now be required for in-person attendance.

All event participants will receive a daily temperature check in order to enter the event zone and will receive a sticker to be able to enter and exit as needed.

Comfort level wristbands (in green, yellow, and red) will be provided for event participants to use if they choose to indicate their preference on social distancing comfort level.

All of the above protocols are in place for LF and LF Project events (like KubeCon + CloudNativeCon) through November 2021.

We are working closely with each of our venues and their local jurisdictions to ensure we are following all local requirements and recommendations. Here are some items you can expect on-site at any of our events through November:

Reduced conference room capacity: space between you and your neighbors.

More physical space between speakers and attendees: so speakers can present without their masks (and you can hear them clearly!).

Wider aisles and thoroughfares through event spaces.

Sponsor booths spread further apart in the exhibit hall as well as wider aisles.

Socially distanced areas for eating/drinking and mask breaks.

Close organization with venues: to ensure rigorous onsite cleaning and sanitizing of all touch points, sneeze guards where necessary, and sanitation stations.

You can view a full list of onsite safety procedures on the Health and Safety page, under the “Attend” tab on all event microsites at events.linuxfoundation.org.

Quick Links

View Open Source Summit + ELC + OSPOCon Health and Safety page

View Open Networking + Edge Summit & Kubernetes on Edge Day Health and Safety page

View KubeCon + CloudNativeCon Health and Safety page

We are keeping our health and safety guidelines updated regularly, and adding to the FAQ as necessary.  If these resources do not answer a question you may have, reach out to us at events@linuxfoundation.org.

After much research and with guidance from Dr. Selanikio, we believe the combination of vaccination and mask requirements, along with the other protocols we are putting in place, provides a safe environment for our in-person event participants.

We understand that not everyone will be able to join us in-person due to a variety of factors, which is why we are delighted to offer attendees the ability to participate in our events virtually. To learn more about the different pass options, click on the “Register” tab on any of our event websites.

We hope this information brings you assurance that keeping you and all our event participants safe is top of mind – and will continue to be as we make each and every decision. A big THANK YOU to the entire open source community for your understanding during this fluid COVID-19 situation and this very challenging time in our history. We look forward to seeing you at our events this fall!

The post Vaccines + Masks for Safe In-Person Events – Read About All On-Site Safety Protocols appeared first on Linux Foundation.