The Linux Foundation Releases Free Open Source Software Basics Publication – PR Newswire (press release)

Topics in this free publication include:

The publication and course were developed in conjunction with The Linux Foundation Consulting Services Team, which brings decades of industry experience to help organizations get results from using, developing, contributing, and commercializing open source software.

"Organizations have begun to realize that as they adopt more open source software, they need to establish processes for everything from selecting software, to deploying it, to ensuring license compliance," said Linux Foundation Executive Director Jim Zemlin. "The benefits of adopting and contributing back to open source are immense, but more education is required to fully realize those advantages. Initiatives such as the Open Source Software Basics publication are part of The Linux Foundation's effort to increase accessibility to such education."

Open Source Software Basics is available for free download now. Those wishing to engage in further learning may enroll in the online, self-paced LFC210 - Fundamentals of Professional Open Source Management course for $179.

About The Linux Foundation

The Linux Foundation is the organization of choice for the world's top developers and companies to build ecosystems that accelerate open technology development and commercial adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at http://www.linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Media Contact: Dan Brown, The Linux Foundation, 415-420-7880, dbrown@linuxfoundation.org

To view the original version on PR Newswire, visit: http://www.prnewswire.com/news-releases/the-linux-foundation-releases-free-open-source-software-basics-publication-300406255.html

SOURCE The Linux Foundation

http://www.linuxfoundation.org

More:
The Linux Foundation Releases Free Open Source Software Basics Publication - PR Newswire (press release)

Fund Open Source Software Research to Enhance ICT for Development (ICT4D) and ICT for Dollars (ICT4$) – Liberian Daily Observer

I owe part of my IT education to the Open Source community. I enhanced my programming skills using Open Source programming languages; I garnered a better understanding of operating systems through my study and research of the Linux kernel; I understood the inner workings of software by having access to their code; and in college, I used learning materials from computer science classes made available by MIT Open Courseware. But this article is not about how I benefited from open source software. I only mentioned my experience with Open Source Software (OSS) to stress the plethora of opportunities that it provides and the impact it can have on our ICT sector, and the country as a whole. Hence, the subsequent paragraphs provide insights into the positive impact that Open Source Software can have on a developing country like Liberia. The article is also a call to both the public and private sectors to invest in Open Source Software or OSS in order to enhance Information and Communications Technology for Development (ICT4D) and Information and Communications Technology for Dollars (ICT4$).

Liberia's ICT sector has achieved a lot since the end of the civil war. The creation of a liberal market that favors all players, the advent and deployment of the ACE subsea cable and several other achievements have driven Liberia's ICT revolution.

Before going further into this discussion, please indulge me while I attempt to inform you of the two types or categories of software in the field of ICT: Proprietary Software and Open Source Software. Proprietary software is software that is generally licensed for a fee and whose source code is kept secret. It is often developed by software firms such as Microsoft. Open Source Software or OSS is software whose source code is openly published, typically made available at no charge, and can freely be modified and distributed. Since the focus of this article is on the impact of OSS on development, I shall not expound further on Proprietary Software.

Investing in OSS for development can be done in several ways: as a research program in institutions of learning, or through IT experts and firms in Liberia. Such an initiative can result in an ecosystem of software that can be used in government, institutions of learning, businesses, etc., to enhance economic growth. It will also lead to the creation of software firms that will hire and train talented Liberian ICT professionals to develop software that can be used and sold both locally and internationally. This initiative has the potential to yield a rapid uptake in OSS use and expertise in Liberia, with a corresponding blossoming of new projects and new commercial ventures based on them.

Investment in OSS for development is not a new idea. A lot of countries have been doing this for quite some time. For example, in the United States, the Obama administration is known to have been very pro-open source, judging by its policies and its use of open source software (the White House's website is built on Drupal, an open source CMS). In fact, the United States was supportive of OSS prior to President Obama's ascension to office.

Through its agency for international development (USAID), the US Government has been funding OSS development abroad since 2007. Its involvement with the Open Source Development 2.0 challenge a few years ago, and the creation of the Global Development Commons and Innovation Development Agency (IDEA) are few initiatives that demonstrate U.S. interest in encouraging open source software development.

The British government is also known to support the use of OSS. Its Gov.uk initiative, a scalable and modular open source platform that supports the needs of citizens across numerous government departments, is evidence of this. France, which has a large market for OSS, has a history of investing in OSS as evidenced by its handing out of 175,000 OSS-equipped memory sticks to high school students in 2007. Through policies and high-profile projects, France has for years been advocating for OSS in government and education.

In Africa, over the years many efforts have been made to promote the adoption and use of OSS within academic institutions, companies and governments. The Free Open Source Software Foundation for Africa (FOSSFA) and the Open Source Initiative of West Africa (OSIWA) have been strong advocates of open source software development in Africa. Africa is also known for some major open source projects that originated from the continent. These include Ubuntu, one of the most widely used Linux distributions, and the crisis-reporting platform from Ushahidi.

Finally, given the continual decrease in the prices of broadband internet services made possible by the presence of the Africa Coast to Europe (ACE) subsea optical cable in Liberia, I strongly suggest that investors begin funding OSS research. This will help to put software in the hands of many, reduce ICT spending in government and the private sector, allow Liberians to open businesses that will sell locally developed software, increase ICT expertise in Liberia, and help create the content needed to leverage the capacity of the ACE subsea cable. It will certainly enhance our ICT4D initiatives as well as provide the medium for ICT4$. More importantly, it will create the path toward a DIGITAL LIBERIA.

HAPPY VALENTINE'S DAY!

See original here:
Fund Open Source Software Research to Enhance ICT for Development (ICT4D) and ICT for Dollars (ICT4$) - Liberian Daily Observer

Free as in puppy: The hidden costs of free software – Opensource.com

About the author Ben Cotton - Ben Cotton is a meteorologist by training and a high-performance computing engineer by trade. Ben works as a technical evangelist at Cycle Computing. He is a Fedora user and contributor, co-founded a local open source meetup group, and is a member of the Open Source Initiative and a supporter of Software Freedom Conservancy. Find him on Twitter (@FunnelFiasco) or at

We're used to hearing of software being described as "free as in freedom" and "free as in beer." But there's another kind of "free" that doesn't get talked about as much: "free as in puppy." This concept is based around the idea that when someone gives you a free puppy, that puppy isn't really free. There's a lot of work and expense that goes into its daily care. The business term is "total cost of ownership," or TCO, and it applies to anything, not just open source software and puppies.

So if the free puppy problem applies to everything, why does it matter for open source software specifically? There are a few reasons. First, if you're already paying for software, then you've set the expectation that it has costs. Software that's free up front but costs money later seems like a major imposition. Secondly, if it happens on an organization's first open source adoption project, it can put the organization off adopting open source software in the future. Lastly, and counterintuitively, showing that open source software has a cost may make it an easier "sell": if it's truly no cost, it seems too good to be true.

The following sections represent common areas for software costs to sneak in. This is by no means a comprehensive list.

To begin using software, you must first have the software.

Getting the software installed is the easy part. Now you have to use it.

Even with a list like this, it takes a lot of imagination to come up with all of the costs. Getting the values right requires some experience and a lot of good guessing, but just going through the process helps make it more clear. Much like with a puppy, if you know what you're getting yourself into up front, it can be a rewarding experience.

View original post here:
Free as in puppy: The hidden costs of free software - Opensource.com

What is Open Source? – IT PRO

Open source software is everywhere. It underpins virtually the entire technology sector, with every single element of IT relying on at least one open source component.

For those who aren't aware, free and open source software (commonly abbreviated to FOSS) is software and tools that are made freely available online. Not only are they free to download, install and use, the creators also publish the source code for these programs - their 'DNA'. This means anyone can recreate, tweak, improve or modify them as they see fit.

Common examples of open source software include Linux distributions like Ubuntu and Linux Mint, the BSD-derived operating system FreeBSD, and alternatives to paid-for software such as GIMP (a rival to Adobe Photoshop) and LibreOffice (a replacement for Microsoft Office).

Alongside user-facing programs such as these, a huge amount of back-end technology is built using open-source tools and frameworks. The vast majority of server operating systems are open source, as are the database tools and development utilities used to manage and configure them.

Without open source, the web as we know it wouldn't exist. What's more, if open source technology disappeared tomorrow, it would quickly collapse.

The history of open source software

Open source software has its roots in the very birth of software and computing itself. The field was first pioneered by scientists, researchers and academics with information and knowledge being freely and widely shared.

As commercial software companies started to emerge over the next few decades, the practice of freely sharing source code began to decline. However, while corporations were unwilling to share the fruits of their labour, there remained a devoted contingent of hobbyists and enthusiasts who were still committed to writing and distributing open source code.

One of the ways in which programmers shared their code was via computing books and magazines, which featured full reproductions of source code for readers to copy and use. This became particularly popular with the rise of home computers like the Commodore 64 and ZX Spectrum, which could be used to create basic games.

As more and more computers became connected to the internet, programmers started sharing their code with each other online. This led to a substantial increase in the number of available open source projects, and eventually to the creation of the Linux kernel by Linus Torvalds.

The term 'open source' was first adopted by advocates of these principles in 1998. It grew steadily in popularity and sophistication over the next few years and although open source software was previously known mainly to hardcore computing enthusiasts and programming geeks, it has now achieved a wide level of visibility and acceptance, both in the public eye and within the enterprise community.

Why is open source useful?

The main attraction of open source software for many is that it's free; rather than shelling out a fortune for a Microsoft Office license, cash-strapped users can simply download a free alternative that does much the same thing.

For programmers and developers, the benefits of releasing your creations as open source software are increased feedback and collaboration. Your peers are free to change and improve your code, adding features you may not have thought of or simplifying it to make it more efficient.

Common wisdom also holds that open source software is more secure: the more people are reviewing and working with a piece of code, the more likely it is that errors or security holes will be spotted. On the other hand, the Heartbleed bug (CVE-2014-0160) sat undetected in OpenSSL, one of the most widely deployed open source libraries, for roughly two years before its disclosure in April 2014. That is a reminder that open code only helps if people with the right skills actually review it; availability of the source is not the same as scrutiny of it.

How do companies make money from open source?

"But wait," you might say, "if open source software is free, then how can companies like Red Hat and Canonical make money from it?"

This is because organisations that specialise in open source products don't generally make money from sales of the software itself - anyone can download and use it.

Instead, many will offer an enhanced version of their products that enterprises can pay to use. These commonly include greater flexibility, more features and easier management and maintenance options.

Another tactic often used by open source vendors is to provide the software freely, but to withhold official support and other additional services from companies that haven't taken out a contract. Since business IT relies on minimising downtime as much as possible, strong support is essential which makes this tactic very effective.

See the original post here:
What is Open Source? - IT PRO

ToaruOS 1.0 Open Source OS Released After 6+ Years Of Development – Fossbytes

Short Bytes: ToaruOS 1.0, the first stable release of hobby OS/kernel Toaru, has been finally released. This open source operating system is mostly written from scratch. It comes with composited GUI, dynamically linked ELF binaries, Python applications, networking, etc. The interested users can grab the source code from GitHub and download the Live CD for testing purposes.

Now, after six years in development, the operating system's first release, Toaru 1.0, is finally here. In the announcement post, the ToaruOS developer wrote that it was time to declare a stable release. He also called it a work in development, with much work still left to be done.

The GitHub page of the ToaruOS describes itself as a hobby operating system built mostly from scratch, including both a kernel and userspace.

ToaruOS is written from scratch, but it supports GCC, Mesa, Python, and more. It can be run as a virtual machine for easy hardware support.

The nice folks at Phoronix have been following the progress of ToaruOS for a long time. According to them, it currently supports 32-bit non-SMP systems, EXT2 file system, lots of Unix utilities, and other open source software packages ported over like Vim, Quake, SDL, etc.

Since ToaruOS 1.0 arrived about two weeks ago, there have been a couple of point releases with bug fixes and audio improvements.

The code of ToaruOS is publicly available on GitHub, grab it here. Also, for trying it out, you can get a Live CD build of the OS.

Did you find ToaruOS interesting? Are you planning to try it out? Don't forget to share your views and feedback.

Read more here:
ToaruOS 1.0 Open Source OS Released After 6+ Years Of Development - Fossbytes

FOSS February: A month to celebrate open source | Opensource.com – Opensource.com

Join the Twitter Party hosted by National Day Calendar on 2/10

Open source remains a competitive means of distribution, one that delivers exceptional software to new and devoted users. Despite this, open source, its methodologies, practices, code, and the communities behind them can be overlooked or misunderstood if they are inadequately communicated. As a professional in tech marketing in the open source space, I often find that my conversations begin by highlighting the key takeaways of open source before I can begin to scratch the surface of product-specific impact.

Open source software has come a long way over the past several years, primarily due to the contributions of active open source communities. Still, convincing an enterprise's influencers, IT leaders, and developers of the merits of open source remains a challenge in certain spaces. While it is important that organizations take an honest, objective look at the total cost of ownership of any solution, open source or commercial, it became clear to me that impressions of open source were not always reflective of the extraordinary work and talent that can be found in the space.

To emphasize the merits of open source and create a level ground on which leaders could base these important decisions, I wanted to create a marketing platform for common open source messaging and themes.

In the spirit of open source, I sought to create a shared platform that extended beyond my project, a platform that could be used to benefit the greater open source community.

In order to accomplish this, I proposed a reserved month to create awareness around Free and Open Source Software. The intent is to establish a platform that appeals to general audiences, while simultaneously giving the strongest of open source supporters the underlying support they need to strengthen messaging for their projects. The Registrar at National Day Calendar declared the observance of National Free and Open Source Software Month in 2017. Founded by Onyx Point, Inc., FOSS February (#FOSSFeb) is an opportunity to discuss open source methods.

Artwork is licensed under a Creative Commons Attribution 4.0 International License. Originated by Amanda Arnold. Attributable to Onyx Point, Inc. 2017.

Synchronous use of the platform in open source channels will create resonance surrounding project goals ranging from community expansion, new developments, introduction to new spaces, etc. We selected February to observe the holiday, as it is the month in which the Open Source Initiative (OSI) was founded in 1998.

FOSS February is our chance to open the door to open source, to face the larger market, and to increase overall interest in the open source community and its projects.

Together, we can use the platform to promote open source initiatives, market open source projects, and dispel general misconceptions. Here are some ideas on how to participate:

See more here:
FOSS February: A month to celebrate open source | Opensource.com - Opensource.com

Open source users: It’s time for extreme vetting – Techworld Australia

Open source software is the norm these days rather than the exception. The code is being written in high volumes and turning up in critical applications. While having this code available can offer big benefits, users also must be wary of issues the code can present and implement proper vetting.

Josh Bressers, cybersecurity strategist at Red Hat, emphasized this point during a recent talk with InfoWorld Editor at Large Paul Krill.

InfoWorld: Why is Red Hat getting on the soapbox about open source security?

Bressers: We've been on this soapbox for a long time. Fundamentally, there's a supply chain with software. In the past, you've not really thought of software using the supply chain concept. [In the past, it was thought of as] some dude writes software, and that's how it is. We're realizing now that there are vendors, and vendors provide you with a thing that goes into your product and obviously it's designed in a way that with a supply chain if you use low-quality parts, by definition, you're only going to get a low-quality product out the other side.

I think we're starting to recognize that if you're just grabbing any piece of software you find from a commercial vendor or from the open-source community and you don't know what it is or it's not vetted and you don't know the quality, you put your final product's quality at risk.... You have developers going out to GitHub, going out to Stack Overflow, and they are downloading code. They're not necessarily paying attention to what they're getting and how it's being taken care of.

Open source won. It won because it's used everywhere now. But now we have a supply chain problem we need to start thinking about and that is, where did you get it and how is it being taken care of, because software doesn't age well. This is something that you have to take care of and you have to pay attention to. You can't just pull software into your project and you're done.

InfoWorld: Where do you go from here?

Bressers: Fundamentally, what it comes down to is you need to understand where your software came from, which means in the open source context, you have to think of open source as a third-party vendor, which means who's paying attention to it? From an organizational perspective, you need either a team paying attention and taking care of this, or you need to find a vendor to work with who will be your representative here and will do all the heavy lifting in terms of vetting the software, understanding what's good, what's bad, keeping it updated, making sure you understand what that means.

That's the piece that's missing today. There's lots of organizations that have developers that will go out, find what they need in the open source universe, pull it in, and then they don't think about it a second time. Obviously, if you do that, if you never update this stuff, eventually there's going to be some sort of problem that you have to deal with in the software. Think of something like Heartbleed. It's a great example where people had literally just pulled this OpenSSL version into their applications, and a lot of them didn't even realize it was there.

InfoWorld: So what do you do about this situation?

Bressers: I can tell you what Red Hat does, and every organization will be different. We have a team that's dedicated to paying attention to the open source universe, and they watch for security issues. This is where open source is unique compared to some of the third-party, typical software vendors, we could say, is there's a very understood relationship there where essentially they have a product, you pay them for the product, and the expectation is they will maintain it and you will go to them for help and support. In open source, it doesn't exactly work like that. You have two choices.

Number one is you go to a vendor that specializes in essentially productizing open source. [That is] the traditional software vendor relationship. However, there's the alternative option now where you can actually treat open source as your vendor, but it doesn't work in the same way now because you have to pay attention to the community and you probably have to get involved.

I would say if you have an organization that's concerned about this and they are using open source, they need people in-house who can work with the community, who can understand what's being used, and then they can engage at the appropriate level depending upon what's being used. The other side of this coin is you have to make sure that your developers aren't just pulling any random piece of stuff they find. You have to actually have a vetting process to ensure that the software you're using is accounted for so there are no surprises. [And] it has to be high-quality.

InfoWorld: What kind of vetting do you do of the Linux kernel?

Bressers: At Red Hat, obviously, we're known for Red Hat Enterprise Linux but even Red Hat Enterprise Linux is literally hundreds of other open source components put together. It's not just the Linux kernel. The Linux kernel is a big piece of it. Granted, a very important piece. Even though we have tons of kernel expertise, we still have people who focus on the security of the Linux kernel and making sure that we understand what's going on in these kernels: Does this stuff make sense, what are the security issues that we're seeing? What do we do with them, how do we fix them, what's going on?

Heartbleed affected the OpenSSL library, and that was included in Red Hat Enterprise Linux, but we also included it in some of our middleware products, for example, for shipping web servers. We had various other products that used the OpenSSL from Red Hat Enterprise Linux embedded into their own product like an image that could ship them. We pay attention to all of these pieces, and we have teams dedicated to just paying attention to this stuff to make sure that we're using good software that's being vetted.

InfoWorld: What processes do you use at Red Hat, and what do you recommend for others?

Bressers: This is going to depend on team size, maturity level and just talent to some degree. We fuzz-test certain libraries and applications inside Red Hat. We do automated source code scanning. We do some level of manual scanning. We have a bunch of internal tools that will look at the artifacts that we build, which are making sure we're not making obvious mistakes or making sure that, for example, when you have an RPM package that installs the application or library onto the system, is it putting things in places that make sense? We have dedicated build systems so we understand what's being built, how it's being built.

InfoWorld: Would you say open source software today is more secure than it was five years ago? Is it more secure than proprietary software?

Bressers: Open source is not more secure than proprietary software nor is it less secure. The concept of proprietary software doesn't really exist anymore because virtually every organization has open source inside of the products they're building.

You also asked, is open source more secure today than it was five years ago? There isn't good information on this, necessarily. I would hesitate to say we're more secure. But I think we better understand a lot of the problems, I'm willing to say. Because we have various groups, and Red Hat is one of these and there are also various bug bounties that exist. There are security groups in places like Google that are doing a bunch of testing. There's all these organizations now that everybody is using open source, they're starting to give back. I suspect that as long as things continue the way they are, the future will be better than the past but, of course, it's up to us to make sure we get there because if people stop contributing back to the community, the power of open source is lost. That's the key here around security. You can't just take it and use it. You have to be involved and be a part of it.

InfoWorld: What's next for securing open source software?

Bressers: The big thing that's happening now is this concept of open source needs to be part of your supply chain. The message is starting to get out there, but I don't feel like it's where it needs to be yet because I still think there are a lot of organizations that are treating GitHub or Stack Overflow as a bunch of free software they can just take and that's fine, you never have to worry about it again. But it's not like that. My comparison here would be, what do you think would happen if a car manufacturer literally found some parts in the warehouse? They didn't know where they came from, they didn't know who made them but they're like, "They look great, let's just use those." That would end horribly. That's kind of where we're at in some of these instances where you've got developers just like, "That looks great, I'll take that." We're reaching a point now where we need organizations using this stuff to start understanding their supply chain with open source as part of it.
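The vetting Bressers describes in the interview above comes down to a few concrete questions: which third-party components are in a build, are they pinned to specific known artifacts, does any of them fall in a version range a security team has flagged, and does the packaged result install files where they belong and with sane permissions. The following is an added example written for this page; it is not code from the interview or from Red Hat's tooling. It runs entirely over constructed inline data: a made-up pip requirements file (the hash value is a placeholder), a made-up advisory list whose EXAMPLE-... identifiers are hypothetical and not real CVEs, and a made-up package manifest. It only understands plain dotted numeric versions, which is enough to show the checks.

```python
"""Two supply-chain vetting checks over constructed sample data.

  audit_requirements(): is each dependency pinned to an exact version,
      locked to an artifact hash, and outside any flagged version range?
  audit_manifest(): does a built package only install under sanctioned
      prefixes, without setuid/setgid or world-writable files?
"""
import re
from dataclasses import dataclass

# Constructed sample input (not a real project's file): a pip requirements file.
SAMPLE_REQUIREMENTS = """\
# constructed example; the hash value is a placeholder, not a real digest
requests==2.19.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
pyyaml==5.1
cryptography>=2.0
"""

# Constructed advisory feed with hypothetical identifiers (not real CVEs).
# A version is affected when introduced <= version < fixed.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-2018-0001", "name": "requests", "introduced": "2.1.0", "fixed": "2.20.0"},
    {"id": "EXAMPLE-2019-0002", "name": "pyyaml", "introduced": "0.0.0", "fixed": "5.1"},
]

# Constructed manifest of what a hypothetical package installs: (path, mode bits).
SAMPLE_MANIFEST = [
    ("/usr/bin/tool", 0o755),
    ("/usr/lib/tool/libhelper.so", 0o644),
    ("/etc/tool.conf", 0o666),           # world-writable configuration file
    ("/usr/bin/tool-helper", 0o4755),    # setuid helper
    ("/tmp/install-hook.sh", 0o755),     # dropped outside the sanctioned prefixes
]

ALLOWED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/share/", "/etc/")

# package name, optional comparison operator, optional version; the rest of the line is ignored
REQ_LINE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9A-Za-z.]*)?")


@dataclass(frozen=True)
class Finding:
    subject: str   # package name or installed path
    kind: str      # unpinned | no-hash | vulnerable | unparsed | bad-location | setid | world-writable
    detail: str


def parse_version(text):
    """'2.19.0' -> (2, 19, 0). Only plain dotted numerics are handled; a
    non-numeric component counts as 0, which is enough for this example."""
    parts = []
    for piece in text.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:          # so that "5.1" compares equal to "5.1.0"
        parts.append(0)
    return tuple(parts)


def audit_requirements(req_text, advisories):
    """Return a finding for every requirement that is not an exact, hash-locked,
    unflagged pin. Unpinned entries are not range-checked: with no fixed
    version there is nothing to compare against the advisory."""
    findings = []
    for raw in req_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            findings.append(Finding(line, "unparsed", "could not parse requirement"))
            continue
        name, op, ver = m.group(1).lower(), m.group(2), m.group(3)
        if op != "==" or ver is None:
            findings.append(Finding(name, "unpinned", f"specifier is '{op or '(none)'}', expected '=='"))
            continue
        if "--hash=" not in line:
            findings.append(Finding(name, "no-hash", "no --hash= lock; any artifact claiming this version is accepted"))
        version = parse_version(ver)
        for adv in advisories:
            if adv["name"].lower() != name:
                continue
            if parse_version(adv["introduced"]) <= version < parse_version(adv["fixed"]):
                findings.append(Finding(name, "vulnerable", f"{adv['id']}: {ver} affected, fixed in {adv['fixed']}"))
    return findings


def audit_manifest(entries, allowed_prefixes=ALLOWED_PREFIXES):
    """Flag installed files outside the sanctioned prefixes or with risky mode bits."""
    findings = []
    for path, mode in entries:
        if not path.startswith(allowed_prefixes):
            findings.append(Finding(path, "bad-location", "outside sanctioned install prefixes"))
        if mode & 0o6000:
            findings.append(Finding(path, "setid", f"setuid/setgid bit set (mode {mode:04o})"))
        if mode & 0o002:
            findings.append(Finding(path, "world-writable", f"mode {mode:04o}"))
    return findings


if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS, SAMPLE_ADVISORIES) + audit_manifest(SAMPLE_MANIFEST):
        print(f"{f.kind:15} {f.subject}: {f.detail}")
```

Run as a script it prints one line per finding: requests is pinned and hashed but inside a flagged range, pyyaml is pinned to exactly the fixed version (so not flagged) but carries no hash, cryptography is not pinned at all, and the manifest shows a world-writable config file, a setuid helper and a file dropped under /tmp. In a real pipeline the advisory list would come from a vulnerability database, the manifest from the build system's file list or `rpm -ql`, and a CI gate would fail the build on any vulnerable, setid or bad-location finding.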


More:
Open source users: It's time for extreme vetting - Techworld Australia

Microsoft to offer patent protection for Azure customers using open source software – OnMSFT (blog)

Microsoft wants to help fight legal claims against intellectual property (IP) in the cloud, according to its most recent announcement. With the rise of patent litigations pushing against Azure (and alternative cloud) customers, the tech giant is beginning to push back with a new initiative to fight these claims.

The Microsoft Azure IP Advantage program will encourage a focus on digital expansion and development, according to the Microsoft blog posted today.

1) Our best-in-industry intellectual property protection with uncapped indemnification coverage will now also cover any open source technology that powers Microsoft Azure services, such as Hadoop used for Azure HD Insight.

2) We will make 10,000 Microsoft patents available to customers that use Azure services for the sole purpose of enabling them to better defend themselves against patent lawsuits against their services that run on top of Azure. These patents are broadly representative of Microsoft's overall patent portfolio and are the result of years of cutting-edge innovation by our best engineers around the world.

3) We are pledging to Azure customers that if Microsoft transfers patents in the future to non-practicing entities, they can never be asserted against them. We do not have a practice of making such transfers, but we have learned that this is an extra protection that many customers value.

Bloomberg Technology reports that Microsoft President and Chief Legal Officer Brad Smith describes the new program as "creating a patent umbrella and we let our customers stand underneath it." Quite a big umbrella, if the tech giant's claim of 60,000 patents in total is to be believed. But it is only offering 10,000 of them.

Microsoft has offered patent protection for its own technologies already, but this new initiative adds open source protections, as well.

Since this type of initiative is incredibly new to the cloud computing market, Microsoft is taking a step out of the comfort zone. Maybe it will even dissuade the increase of IP claims in the future. One thing is for certain, however, and that is that Azure is now offering a service that no other cloud provider offers. Yet.

Continue reading here:
Microsoft to offer patent protection for Azure customers using open source software - OnMSFT (blog)

Open source users: It’s time for extreme vetting | CIO – CIO


That's the piece that's missing today. There's lots of organizations that have developers that will go out, find what they need in the open source universe, pull it in, and then they don't think about it a second time. Obviously, if you do that, if you never update this stuff, eventually there's going to be some sort of problem that you have to deal with in the software. Think of something like Heartbleed. It's a great example where people had literally just pulled this OpenSSL version into their applications, and a lot of them didn't even realize it was there.

InfoWorld: So what do you do about this situation?

Bressers: I can tell you what Red Hat does, and every organization will be different. We have a team that's dedicated to paying attention to the open source universe, and they watch for security issues. This is where open source is unique compared to some of the third-party, typical software vendors, we could say, is there's a very understood relationship there where essentially they have a product, you pay them for the product, and the expectation is they will maintain it and you will go to them for help and support. In open source, it doesn't exactly work like that. You have two choices.

Number one is you go to a vendor that specializes in essentially productizing open source. [That is] the traditional software vendor relationship. However, there's the alternative option now where you can actually treat open source as your vendor, but it doesn't work in the same way now because you have to pay attention to the community and you probably have to get involved.

I would say if you have an organization that's concerned about this and they are using open source, they need people in-house who can work with the community, who can understand what's being used, and then they can engage at the appropriate level depending upon what's being used. The other side of this coin is you have to make sure that your developers aren't just pulling any random piece of stuff they find. You have to actually have a vetting process to ensure that the software you're using is accounted for so there are no surprises. [And] it has to be high-quality.

InfoWorld: What kind of vetting do you do of the Linux kernel?

Bressers: At Red Hat, obviously, we're known for Red Hat Enterprise Linux but even Red Hat Enterprise Linux is literally hundreds of other open source components put together. It's not just the Linux kernel. The Linux kernel is a big piece of it. Granted, a very important piece. Even though we have tons of kernel expertise, we still have people who focus on the security of the Linux kernel and making sure that we understand what's going on in these kernels: Does this stuff make sense, what are the security issues that we're seeing? What do we do with them, how do we fix them, what's going on?

Heartbleed affected the OpenSSL library, and that was included in Red Hat Enterprise Linux, but we also included it in some of our middleware products, for example, for shipping web servers. We had various other products that used the OpenSSL from Red Hat Enterprise Linux embedded into their own product like an image that could ship them. We pay attention to all of these pieces, and we have teams dedicated to just paying attention to this stuff to make sure that we're using good software that's being vetted.

InfoWorld: What processes do you use at Red Hat, and what do you recommend for others?

Bressers: This is going to depend on team size, maturity level and just talent to some degree. We fuzz-test certain libraries and applications inside Red Hat. We do automated source code scanning. We do some level of manual scanning. We have a bunch of internal tools that will look at the artifacts that we build, which are making sure we're not making obvious mistakes or making sure that, for example, when you have an RPM package that installs the application or library onto the system, is it putting things in places that make sense? We have dedicated build systems so we understand what's being built, how it's being built.

InfoWorld: Would you say open source software today is more secure than it was five years ago? Is it more secure than proprietary software?

Bressers: Open source is not more secure than proprietary software nor is it less secure. The concept of proprietary software doesn't really exist anymore because virtually every organization has open source inside of the products they're building.

You also asked, is open source more secure today than it was five years ago? There isn't good information on this, necessarily. I would hesitate to say we're more secure. But I think we better understand a lot of the problems, I'm willing to say. Because we have various groups, and Red Hat is one of these and there are also various bug bounties that exist. There are security groups in places like Google that are doing a bunch of testing. There's all these organizations now that everybody is using open source, they're starting to give back. I suspect that as long as things continue the way they are, the future will be better than the past but, of course, it's up to us to make sure we get there because if people stop contributing back to the community, the power of open source is lost. That's the key here around security. You can't just take it and use it. You have to be involved and be a part of it.

InfoWorld: What's next for securing open source software?

Bressers: The big thing that's happening now is this concept of open source needs to be part of your supply chain. The message is starting to get out there, but I don't feel like it's where it needs to be yet because I still think there are a lot of organizations that are treating GitHub or Stack Overflow as a bunch of free software they can just take and that's fine, you never have to worry about it again. But it's not like that. My comparison here would be, what do you think would happen if a car manufacturer literally found some parts in the warehouse? They didn't know where they came from, they didn't know who made them but they're like, "They look great, let's just use those." That would end horribly. That's kind of where we're at in some of these instances where you've got developers just like, "That looks great, I'll take that." We're reaching a point now where we need organizations using this stuff to start understanding their supply chain with open source as part of it.

This story, "Open source users: It's time for extreme vetting" was originally published by InfoWorld.
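The vetting process Bressers describes (know what each component is, where it came from, who is keeping it updated, and whether a shipped version falls in a known-bad range, the Heartbleed case being the canonical example) can be reduced to a small inventory check. The following is an added example written for this page, not Red Hat's tooling or anything from the interview. The inventory format, the `origin=` tag, the `ADVISORIES` table and the sample inventory are constructed for illustration; only the Heartbleed affected range (OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g, CVE-2014-0160) is real.

```python
"""Minimal dependency-inventory vetting check (added example, not Red Hat code).

Each inventory line is "name==version origin=<where it came from>". A component
with no pinned version or no recorded origin is the "random piece of stuff"
the interview warns about; a pinned version is also compared against an
advisory table of affected ranges.
"""
import re
from dataclasses import dataclass

# Constructed sample inventory for illustration.
SAMPLE_INVENTORY = """\
# name==version origin=<source>
openssl==1.0.1e origin=vendor:rhel
zlib==1.2.8 origin=vendor:rhel
leftpad origin=github:someuser/leftpad
jsonparse==0.3.1
"""

# Constructed advisory table: name -> [(advisory id, first affected, first fixed)].
# The OpenSSL entry is the real Heartbleed range; everything else is hypothetical.
ADVISORIES = {
    "openssl": [("CVE-2014-0160", "1.0.1", "1.0.1g")],
}

LINE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)"      # component name
    r"(==(?P<version>\S+))?"           # optional pinned version
    r"(\s+origin=(?P<origin>\S+))?\s*$"  # optional recorded origin
)


def parse_version(v):
    """Turn '1.0.1f' into ((1, ''), (0, ''), (1, 'f')).

    Each dotted component becomes (number, letter suffix) so OpenSSL-style
    letter releases order correctly: 1.0.1 < 1.0.1f < 1.0.1g < 1.0.2, and
    1.0.10 sorts after 1.0.2, which a plain string comparison gets wrong.
    """
    parts = []
    for comp in v.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", comp)
        if not m:
            raise ValueError(f"unparseable version component {comp!r} in {v!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


def is_affected(version, first_affected, first_fixed):
    """True if first_affected <= version < first_fixed."""
    v = parse_version(version)
    return parse_version(first_affected) <= v < parse_version(first_fixed)


@dataclass
class Finding:
    component: str
    reason: str


def vet_inventory(text):
    """Return a list of Findings for unpinned, unowned or known-affected components."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            findings.append(Finding(line, "unparseable inventory line"))
            continue
        name, version, origin = m.group("name"), m.group("version"), m.group("origin")
        if version is None:
            findings.append(Finding(name, "version not pinned: cannot tell what was shipped"))
        if origin is None:
            findings.append(Finding(name, "no recorded origin: nobody is accountable for updates"))
        if version is not None:
            for advisory, first, fixed in ADVISORIES.get(name.lower(), []):
                if is_affected(version, first, fixed):
                    findings.append(Finding(
                        name, f"{version} is in {advisory} affected range [{first}, {fixed})"))
    return findings


if __name__ == "__main__":
    for f in vet_inventory(SAMPLE_INVENTORY):
        print(f"{f.component}: {f.reason}")
```

On a real tree the inventory would be generated from the build system or package manager (an `rpm -qa` listing, a lockfile) rather than maintained by hand, and the advisory table would be fed from a vulnerability feed; the shape of the check stays the same. The version parser is the part worth keeping: a range check that compares version strings lexically will silently misorder `1.0.10` against `1.0.2` and so miss or invent affected components.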

Read more here:
Open source users: It's time for extreme vetting | CIO - CIO

Lessons from the rise and fall of an open source project – CIO

Eight years ago, the CyanogenMod project exploded onto the mobile device software scene. The Android-based open source mobile operating system quickly caught the attention of developers, Android fans and investors, and attracted interest from tech giants including Microsoft and Google. But at the end of last year the project imploded spectacularly. Today the CyanogenMod project is no more, but the arc of its story offers fascinating insight into the world of open source software development.

The project started out innocently enough following the discovery, in 2008, of a way to root mobile phones running Google's Android operating system, allowing modified firmware to be installed on rooted devices. One such piece of firmware was created by a developer called Steve Kondik, whose online handle was Cyanogen, after the colorless toxic gas made by oxidizing hydrogen cyanide. The modified firmware was known as CyanogenMod.

[ What CIOs don't know about open source software ]

Developers are able to create modified firmware because Android is, at its heart, an open source operating system, and pretty soon CyanogenMod became a project with a community around it. At the center of this was a core group of software hackers who became known as Team Douche. The project was hosted on GitHub, had regular releases, and versions were built to support an increasing number of Android devices.

One hiccup the open source project encountered at the tail end of 2009 was a potentially serious legal problem. Android firmware for most mobile devices includes the open source Android operating system as well as a group of proprietary Google apps (collectively known as GApps), including Gmail, Google Maps, YouTube, and Google's Android app store (which is now called Google Play.) Google licenses these GApps for inclusion in vendors' firmware, but they are not freely available for inclusion in modified firmware such as CyanogenMod, as Google explained in a blog post at the time.

As a result, Kondik received a "cease and desist" letter from Google asking that the GApps be removed from CyanogenMod. That was a serious problem because the ability to run those GApps is a significant part of the attraction of Android. Without them, and particularly without Google's app store, an alternative firmware distribution is severely diminished.

It's worth considering at this point that Google's approach to Android isn't unique, although it is slightly different. Many commercial organizations offer free open source software and also sell a product based on that open source code that includes proprietary add-ons that extend the functionality, as well as additional services, such as support. A good example is Kubernetes, a Google-incubated container management and orchestration tool that forms the basis of many commercially available container management systems such as CoreOS's Tectonic platform. Where the situation with Android differs is that Google doesn't sell its GApps to monetize Android. (Instead, it uses Gmail and YouTube to generate advertising revenue, for example.)

In the face of criticism from developers and others in the open source community, Google changed tack and said that the proprietary GApps could be backed up from a phone's original firmware and then reinstalled with CyanogenMod. (Today, an app called OpenGApps, which, ironically, is available on Google Play, makes it easy to install GApps onto a modified firmware that does not include them.)

Then, in 2013, Kondik decided a change of approach was needed for CyanogenMod to continue to thrive. He started a venture-backed business he called Cyanogen Inc. as a vehicle to commercialize CyanogenMod. Seventeen employees were based at two offices: one in Seattle and the other in Palo Alto.

Kondik outlined his motivation in a blog post:

"What we have with CM (CyanogenMod) could not have happened any other way: a huge community came together and created something awesome that did not exist before, because it was needed."

"We have had some serious growing pains though, and scaling with this kind of growth has been incredibly hard. What could we build if all the barriers were removed and we could dedicate our time to it?"

The backer that put up $7 million in the Series A funding round for Cyanogen Inc. was Benchmark Capital, a company that also backed such well-known open source companies as Red Hat and HortonWorks, a company that sells a commercial version of the open source big data analysis project Hadoop.

Now, Red Hat and HortonWorks appear to have built thriving businesses based around open source software, but it's not clear that Cyanogen Inc. was able to generate significant revenues in the first months of its existence from its commercial product, Cyanogen OS. This was a firmware distribution based on CyanogenMod but with additional proprietary apps such as Google Play and a collection of its own apps including AudioFX, Gallery, Theme Chooser and Themes Store, known collectively as C-Apps.

That's despite CyanogenMod boasting a user base in excess of 10 million and forging licensing deals with Chinese phone makers Xiaomi, OPPO, and OnePlus (which is connected to OPPO) to use Cyanogen technology. Now here's where things get slightly bizarre. In October 2014 it was reported that Cyanogen Inc. had rebuffed overtures from Google about a possible acquisition. Instead, Cyanogen was valuing itself at close to $1 billion and was seeking investment from major tech firms.

Then, at the start of 2015, The Wall Street Journal reported that Microsoft was about to invest in Cyanogen, leading to speculation that Microsoft was planning to abandon its failing Windows-based mobile platform and use something based on CyanogenOS as the basis for possible new Android-based Microsoft phones.

This never happened, but Microsoft did launch an initiative to get its applications and services running on Android, and in April 2015 Cyanogen announced a partnership with Microsoft which involved Microsoft apps and services being integrated into Cyanogen OS. Later (following the 12.11 update), Cyanogen OS started suggesting Microsoft apps and services in the "open with" menu when the operating system encountered file types it couldn't already handle.

In the meantime, the partnership with OnePlus evaporated due to a reported clash of personalities at the two companies, as well as a fiasco in India caused by Cyanogen Inc. signing an exclusive deal for the sub-continent with low-cost smartphone manufacturer MicroMax. This resulted in sales of OnePlus handsets powered by Cyanogen OS being temporarily banned in India.

But in 2016 things rapidly went downhill. In the middle of the year a large number of staff were made redundant, and the Seattle office was closed. CEO Kirt McMaster stepped down, and Kondik was removed from the board. In November he officially left the company, and has not responded to a request for comment for this article.

Finally, on December 23, Cyanogen Inc. released a curt notice that read: "As part of the ongoing consolidation of Cyanogen, all services and Cyanogen-supported nightly builds will be discontinued no later than 12/31/16. The open source project and source code will remain available for anyone who wants to build CyanogenMod personally."

The result is that CyanogenMod as an active project is no more, in name at least. The good news for users is that they have not been completely abandoned, because it is a simple matter to switch to an actively maintained alternative firmware or to a device's stock firmware. (That contrasts favorably with the situation that can arise when a business relies on an open source project whose sponsor walks away and no obvious alternatives exist.)

[ What CIOs need to know about open source forking ]

Of course in that situation it is always possible for a company to take the source code and take on the development task itself (or pay someone else to do so), or hope that someone else will take over the project.

And that, in fact, is what has happened with CyanogenMod. The code has been forked and a new project, called LineageOS, has been started by some in the CyanogenMod community to continue the CyanogenMod project under a new name, independent of Cyanogen Inc.

Continuing a project after it is abandoned by a commercial organization is not without precedent. The LibreOffice project was forked off when OpenOffice was abandoned by Oracle; SuiteCRM emerged after SugarCRM stopped releasing open source versions of its CRM product; and Nautilus (now Gnome Files), the file manager for the Gnome Linux desktop environment, is still thriving long after Eazel went out of business. And something similar happened when MySQL was acquired by Oracle, but in that case it was the developers who abandoned Oracle rather than the other way around, preferring to continue a parallel project called MariaDB.

What does the LineageOS project hope to achieve by continuing the CyanogenMod work? It's hard to say for sure as a request for information received no response at the time of writing.

One problem that LineageOS may face is that CyanogenMod was a very complex project, and one that had the benefit of at least a proportion of the estimated $100 million in venture funding. That means that it may struggle unless it finds a commercial organization to sponsor it, says Greg Soper, CEO of SalesAgility, a company that backs the SuiteCRM open source project. "You need expertise, and the will and desire to continue a project (after it is abandoned)," says Soper. "But can a project like LineageOS continue without a commercial organization to help develop it? I have my doubts. I think that the LineageOS project may wither on the vine unless people put money into it."

Can a project like LineageOS survive and thrive with nothing more than a dedicated community of enthusiasts? Time will tell.

Originally posted here:
Lessons from the rise and fall of an open source project - CIO