CBR asks Adam Jollans, the firms director for Linux and open source strategy, for his views on several topics including security, and where IBM is heading with open source in 2015. <\/p>\n
CBR: Why are emerging workload requirements - cloud, big data - suited to open source development culture? <\/p>\n
Many of the new cloud, analytics, mobile and social (CAMS) workloads are being implemented on top of open source software. There appear to be three main reasons for this: <\/p>\n
1) Open source communities are now hubs of innovation, where the cool kids hang out. This is fuelled by the collaborative nature of open source, enabling faster development iterations and the ability to 'stand on the shoulders of giants' when developing software. So as new workloads emerge, the technologies to support them are prototyped first on open source platforms. <\/p>\n
2) Open source removes the barriers to entry for new start-ups and individual programmers. The software is easy to get hold of, and open source versions are available to download and test for free. <\/p>\n
3) Born-on-the-web companies are built using open source software, for the reasons above, and the open source approach then becomes embedded in their culture. This then feeds back into the first reason, encouraging more innovation for the next wave of new workloads, and creating a virtuous circle of open source development. <\/p>\n
CBR: Given the furore over Heartbleed, how will IBM address security concerns about open source? <\/p>\n
Recent security concerns such as Heartbleed and ShellShock aren't about open source per se; rather, they are concerns about largely forgotten or under-resourced open source projects that are fundamental to the internet and other key components of enterprise IT. <\/p>\n
To address these concerns, IBM and other key vendors have established the multi-million dollar Core Infrastructure Initiative (CII), hosted by the Linux Foundation. This aims to support and fund key open source elements of the global information infrastructure, such as OpenSSL, Network Time Protocol and OpenSSH. A key part of the CII's work is to identify all the key open source projects the Internet depends on to ensure they all have the resources they need to be secure. <\/p>\n
Other, properly resourced open source projects are already regarded as highly secure; for example, Security Enhanced Linux (SELinux) providing mandatory access control (MAC) in the Linux kernel, and the EAL4+ security certifications obtained by Linux distributions such as Red Hat Enterprise Linux and SUSE Linux Enterprise Server. <\/p>\n
<\/p>\n