Author: OSEN

  • Is Open Source More Risky?

    There’s been a long-running debate over open source and security, and it goes something like this:

    Pro: Open source is awesome! Given enough eyes, all bugs are shallow. This is why open source software is inherently more secure.

    Con: Hackers can see the code! They’ll look at the source code and find ways to exploit it. This is why open source software is inherently more insecure.

    And on and on… ad nauseam. There are a variety of studies that each side can point to in support of its case. The problem, as I see it, is that we’re not even talking about the same thing. If someone says open source software is more or less secure, what are they actually talking about? Do they mean software you download from the web and push into production? Or do they mean vendor-supported solutions? Unless we can agree on that, any further discussion is pointless.

    Open Source Products

    So let’s shift the conversation to an apples vs. apples comparison so that we’re discussing the same things. According to a survey by Black Duck, upwards of 96% of commercial software solutions use open source software to some extent. This means virtually *all* new software solutions use open source software. So, when someone argues whether open source is more or less secure, the question to ask is, “more or less secure than *what*?” Because as we can see, the number of software solutions that *don’t* use open source software is rapidly dwindling.

    To save everyone’s breath, let’s change the dynamics of this conversation. Let’s compare “raw” upstream open source code vs. supported software solutions backed by a vendor. As I’ve mentioned before, you can do the former, but it helps if you’re Amazon, Google or Facebook and have an army of engineers and product managers to manage risk. Since most of us aren’t Amazon, Google or Facebook, we usually use a vendor. There are, of course, many grey areas in-between. If you choose to download “raw” code and deploy in production, there are naturally many best practices you should adopt to ensure reliability, including developing contingency plans for when it all goes pear-shaped. Most people choose some hybrid approach, where core, business-critical technologies come with vendor backing, and everything else is on a case-by-case basis.

    So, can we please stop talking about “open source vs. proprietary”? We should agree that this phrasing is inherently anachronistic. Instead, let’s talk about “managed” vs. “unmanaged” solutions and have a sane, productive discussion that can actually lead us forward.

  • Transform Your Business with Open Source Entrepreneurship

    This is a webinar I did for the Linux Foundation earlier this month. If you missed it, you can catch it on demand!

  • DevOps is not enough

    Or: My source code is your platform, and vice-versa.

    https://twitter.com/i/moments/897859467529912321

    https://twitter.com/johnmark/status/897837253946466304

  • Linux.com: 4 Quadrants of Open Source Entrepreneurship

    In light of my Linux Foundation webinar, Building a Business on Open Source, (today, August 1, at 10am PDT/1pm EDT) as well as upcoming meetups and the OSEN Symposium co-located with Open Source Summit, I wrote a piece all about the 4 areas that define open source entrepreneurship: Automation, Collaboration, Community and Governance.

    Lots of companies, even large proprietary ones, had started to use open source software in their products and services, but very little sharing came back from them. Worse, many of them did a poor job of participating in the upstream communities that created the software they used. Shouldn’t these companies get the full benefit of open source participation? I also came across a few startups who wanted to participate in open source communities but were struggling to find the best approach for open source participation while creating great products that would fund their business. Most of them felt that these were separate processes with different aims, but I thought they were really part of the same thing. As I continued down this fact-finding path, I felt strongly that there needed to be more resources to help businesses get the most out of their open source forays.

    Read the full article at Linux.com.

  • OSEN Symposium Program Revealed

    We’re happy to announce that we have set the preliminary agenda for the OSEN Symposium, co-located with the Linux Foundation’s Open Source Summit in Los Angeles on September 14.

    We have an incredible lineup!

    9am: The Principles of Open Source Entrepreneurship

    John Mark Walker, Creator of OSEN

    10am: How to successfully enter the FOSS emerging market

    VM Brasseur, Technical Business and Open Source Strategy Consultant

    11am: Innovating in the open: Lessons from a 3-time founder of successful open source based businesses

    Evan Powell, CEO, Cloudbyte

    1pm: There is no Open Source Business Model

    Stephen Walli, Open Source and Tech Strategy Consultant

    2pm: Effective Business Leadership with Open Source Supply Chain Management

    Shane Coughlan, OpenChain Project Leader

    3pm: The World Bank GeoNode Study: 200% ROI on Open Source Community Participation

    James Vasile, Partner at Open Tech Strategies

    Register today!

  • Kite Demonstrates Continuing Toxicity of Silicon Valley

    One of the most frustrating parts of being in open source circles is battling the conventional wisdom in the Valley that open source is just another way to do marketing. It’s complicated by the fact that being a strong open source participant can greatly aid marketing efforts, so it’s not as if marketing activities are completely unrelated to open source processes. But then something happens that so aptly demonstrates what we mean when we say that Silicon Valley has largely been a poisonous partner for open source efforts. Which brings me to this week’s brouhaha around a silly valley startup looking to “Make money fast!” by glomming onto the success of open source projects.

    To quote from the article:

    After being hired by Kite, @abe33 made an update to Minimap. The update was titled “Implement Kite promotion,” and it appeared to look at a user’s code and insert links to related pages on Kite’s website. Kite called this a useful feature. Programmers said it was not useful and was therefore just an ad for an unrelated service, something many programmers would consider a violation of the open-source spirit.

    It’s the “stealing underpants” business model all over again.

    1. Get users and “move the needle”
    2. ?
    3. Profit!

    Step 1 above is why we actually have valley poseurs who unironically refer to themselves as “growth hackers.” Only in the valley.

    The really sad part of this is that the methodology outlined above is terrible, not just because it’s unethical, but because it’s counterproductive to what Kite wants to accomplish. As I’ve mentioned countless times before, a project is not a product, and trying to turn it into one kills the project. The best way to make money on open source is to, big surprise, make a great product that incorporates it in a way that adds value to the customer. In this example, this means taking projects like minimap and autocomplete-python, producing commercial versions of them, and making them part of an existing product or offering them up as separate downloads – from the company site or as part of a commercial distribution.

    The worst part of all this is that there are still investors and business folks who think that doing what Kite did is the only way to make money from an open source project. It’s not. It’s a terrible maneuver from both an ethics and a product development standpoint. It’s once again conflating open source with marketing, which is one of the reasons I started this site – it’s an unforced error and should be part of any “open source product 101” curriculum.

  • Linux Foundation Webinar: Open Source Entrepreneurship Howto

    I’m happy to announce that on August 1, 10am PDT/1pm EDT, I will be leading a webinar from the Linux Foundation on open source entrepreneurship. “What is that?” you may ask. Open source entrepreneurship is the compendium of ideas around building your business process on open source principles. This means optimizing for open source collaboration, code and communities. Here are some qualities often exhibited by open source entrepreneurs:

    • Build on existing open source platforms
    • Abhor NIH and push teams away from it
    • Structure teams for massive collaboration
    • Allergic to corporate work silos
    • Have spent extensive time learning how to operate in open source communities
    • Tell anyone who will listen that product development is inefficient
    • Often heard saying, “There’s an upstream community/ecosystem already working on that. You should join that effort.”

    As we learn more about the pervasiveness and ubiquity of open source code, we’re finding that “open source” means so much more than what license you use or the source code you utilize. Open source is now a term of art that includes the process of collaboration, process automation, and building on the work of external ecosystems. Every product manager, engineering manager, investor, CIO/CTO and, yes, entrepreneur needs to understand these concepts intuitively.

    From this webinar, attendees will gain an understanding of what it means to practice the art of open source entrepreneurship and optimize their business for the continuing open source revolution.

    Register for the webinar now!

  • Announcing OSEN Seattle Meetup on Aug 2

    I’m happy to announce that we now have a space in Seattle to host a meetup on August 2. RSVP at meetup.com.

    https://www.meetup.com/OSENMeetupSEA/events/241851767/

    We’re looking forward to getting to know members of the Seattle open source entrepreneur community!

    This will be a chance to meet and talk to experienced open sourcerers in the area. Come and trade best practices and anti-patterns with others looking to make the most of their open source experience. Open Source has transformed the technology world, and this is your opportunity to learn from the best. To spur discussion, we will feature the following speakers:

    There is no Open Source Business Model

    Stephen Walli: former Microsoft and Outercurve open source engineering lead, currently Docker’s open source strategist. Twitter: @stephenrwalli

    There are best practices to understand when building products from open source software, but there are a number of anti-patterns that crop up along the way. Product teams (from engineering to marketing) need to understand these patterns and practices to participate best in open source project communities and deliver products and services to their customers at the same time. These patterns hold regardless of whether the vendor created and owns the project or participates in projects outside their control.

    Building a business on OSS – what’s in it for the community

    Steve Mayzak: VP Solution Architecture at Elastic. Twitter: @smayzak

    Steve will talk about his experiences working for open source companies and how the search for the best business model continues. He has worked at SpringSource and now Elastic and built teams of Solution Architects. His goal has been to bring the best combination of OSS and commercial software to the community to create a mutually beneficial relationship. What’s good for the community has to be good for the business and vice versa.

    How to Utilize a Community Distribution in a Cloud Native Context

    John Mark Walker: long-time open source product, ecosystem and community expert and founder of the Open Source Entrepreneur Network. Twitter: @johnmark

    In olden times, when we used IRC and liked it, there were several steps along the way from creating an open source project to releasing a product. Some of these were artifacts of the (lack of) tooling of the time, such as the need to assemble pieces into a whole before releasing as a product. That “first cut” of distribution became a community project in itself. Now that we have better, automated tooling for development, you may be fooled into believing that this “first cut” step is no longer needed. Au Contraire! John Mark will demonstrate why this is still necessary with examples from Fedora, CloudFoundry and Moby.

    Food and beverages will be served!

  • Sustainable Open Source – Where Are the Vendors?

    Harvard Business Review has an article comparing old, crusty open source code to the Y2K ordeal. Go ahead and read it – it’s worth your time.

    Joshua Gans, the author, lists open source projects that are maintained by lonely developers who don’t make much money (if any) for producing their craft. He specifically calls out ntpd:

    What if I told you that the entire NTP relies on the sole effort of a 61-year-old who has pretty much volunteered his own time for the last 30 years? His name is Harlan Stenn…

    For a number of years Stenn has worked on a shoestring budget. He is putting in 100 hours a week to put patches on code, including requests from big corporations like Apple… And this has led to delays in fixing security issues and complaints.

    Then Gans includes this bit, which is also a personal favorite of mine whenever I talk about open source product management:

    …Last year we saw the consequences from this when a 28-year-old developer briefly “broke” the internet because he deleted open-source code that he had made available. The drama occurred because the developer’s program shared a name with Kik, the popular Canadian messaging app, and there was a trademark dispute. The rest of the story is complicated but has an important takeaway: Our digital infrastructure is very fragile.

    Gans then adds links and descriptions of two efforts in the code sustainability area, which are worth mentioning here: Open Collective and libraries.io. Strangely, he didn’t mention the Core Infrastructure Initiative, sponsored by the Linux Foundation, which works to address similar issues in the space.

    I agree with much of what Gans writes. There is indeed a problem with unmaintained crusty code, which manifests itself in the form of security vulnerabilities and things that break more easily than they should. In fact, it’s become such a well-known issue that GitHub and others recently sponsored a conference in SF to talk about it. But in all this discussion, and in going through the non-profit organizations dedicated to working on sustainable open source code, I have to ask: where are the vendors?

    As became all too apparent after reading Swapnil Bhartiya’s excellent primer on the state of IoT security (haha), this is a failure of product lifecycle management. The fact that much of the code in question is open source doesn’t really matter from a production point of view – code is code, after all. But because it is open source, this becomes a much wider scale problem, due to the ease with which it spreads from one poorly maintained repository to another. Philip DesAutels, the Linux Foundation’s IoT lead, said it best in Bhartiya’s article when he called out vendors for failing at product development basics.

    On one hand, I’m glad some vendors are participating in initiatives like the CII from the Linux Foundation, but I wish there was more pressure on said vendors to collaborate on these things before it becomes a problem. This is, of course, the essence of why I created OSEN in the first place. Not enough people talk about this stuff, and I want to do my part to fix that. But I don’t think it does us much good to talk around the problem; let’s put the pressure where it should be – on the vendors. They should be working with upstream maintainers, collaborating and devoting resources where necessary, and perhaps even taking on more responsibilities with the project leadership. I know this can lead to governance issues, but the alternative is more dire.

    Whether putting more effort into projects like the CII or voting with our wallets for better product development and testing, it’s time to start raising this as more of an issue. Sustainability of open source development is certainly important for future economic development, and vendors, who greatly benefit from the existence of open source code, have a responsibility to do their part.

  • Inaugural Bay Area Meetup – Aug 3

    We’re coming to San Francisco! Thanks to Docker for agreeing to host us as we convene in their SOMA headquarters on August 3, 2017. Featured speakers are Stephen Walli, Jono Bacon and yours truly – more to come!

    Agenda

    Join us for our inaugural Open Source Entrepreneur Network meetup in the Bay Area. This meetup will feature the following speakers:

    Stephen Walli: former Microsoft and Outercurve open source executive, currently Docker’s open source strategist

    Stephen will talk about “There is no Open Source Business Model”

    John Mark Walker: long-time open source product, ecosystem and community expert and founder of the Open Source Entrepreneur Network

    John Mark will present a talk on “How to Utilize a Community Distribution in a Cloud Native Context”

    Jono Bacon: Founder of the Community Leadership Summit, author of The Art of Community, and now the founder of Jono Bacon Consulting

    Jono will talk about “Building an Effective Community Strategy”