Archive for the 'Linux Foundation' Category

#HEARTBLEED was 5 years ago.

I was reading through my old handwritten tech notebooks this morning, searching for some details on a Windows problem I know I’ve had before. I noticed an entry for March 28th, 2014 on the latest bug tracker list from Red Hat. One of the items on the list from the week before was the #Heartbleed bug in OpenSSL.

Image from synopsis.com

In less than a couple of weeks, Jim Zemlin from the Linux Foundation contacted John Hull in the open source team at Dell, who passed the call to me. I was happy to tell Jim we’d be happy to sign up; I got voice approval for the spending commitment and the job was done.

The Core Infrastructure Initiative (CII) was announced on April 24th, 2014. One of the first priorities was how to build a more solid base for funding and enabling open source developers. The first projects to receive funding were announced on April 26th, 2014 with remarkable speed.

Five years later I’m delighted to see Dell are still members, along with the major tech vendors, especially and unsurprisingly, Google. Google employees have made both substantial commitments to CII and open projects in general. I remember with great appreciation many of the contributions made by the then steering committee members, especially, but not limited to, Ben Laurie and Bruce Schneier.

This blog, on synopsis.com, has a summary, entitled Heartbleed: OpenSSL vulnerability lives on. May 2, 2017.

My blog entries on Heartbleed and CII are here, here, and here.

There is still much to be concerned about. There are still many unpatched Apache HTTPD servers, especially versions 2.2.22 and 2.2.15, accessible on the Internet.

Remember, just because you don’t see software, it doesn’t mean it isn’t there.

Remembering the dawn of the open source movement

and this isn’t it.

Me re-booting an IBM System 360/40 in 1975

When I first started in IT in 1974, or as it was called back then, data processing, open source was the only thing. People were already depending on it, and defending their right to access source code.

I’m delighted with the number and breadth of formal organizations that have grown up around “open source”. They are a great thing. Strength comes in numbers, as does recognition and bargaining power. Congratulations to the Open Source Initiative and everything they’ve achieved in their 20 years.

I understand the difference between closed source, (restrictive) licensed source code, free source, open source etc. The point here isn’t to argue one over the other, but to merely illustrate the lineage that has led to where we are today.

Perhaps one of the more significant steps in the modern open source movement was the creation in 2000 of the Open Source Development Labs (OSDL), which in 2007 merged with the Free Standards Group (FSG) to become the Linux Foundation. But of course source code didn’t start there.

Some people feel that the source code fissure was opened when Linus Torvalds released his Linux operating system in 1991 as open source, while Linus and many others think the work by Richard Stallman on the GNU Toolset and GNU License, started in 1983, was the first step. Stallman’s determined advocacy for source code rights and source access certainly was a big contributor to where open source is today.

But it started way before Stallman. Open source can not only trace its roots to two of the industry’s behemoths, IBM and AT&T, but the original advocacy came from them too. Back in the early 1960s, open source was the only thing. There wasn’t a software industry per se until the US Government invoked its antitrust law against IBM and AT&T, eventually forcing them, among other things, to unbundle their software and make it separately available, as well as many other related conditions.

’69 is the beginning, not the end

The U.S. vs. I.B.M. antitrust case started in 1969, with trial commencing in 1975(1). The case was specifically about IBM blocking competitive hardware makers getting access and customers being able to run competitive systems, primarily S/360 architecture, using IBM Software.

In the years leading up to 1969, customers had become increasingly frustrated, and angry at IBM’s policy to tie its software to its hardware. Since all the software at that time was source code available, what that really meant was a business HAD to have one IBM computer to get the source code; it could then purchase an IBM plug-compatible manufacturer’s (PCM) computer(2) and compile the source code with the manufacturer’s Assembler and tools, then run the binaries on the PCM systems.

IBM made this increasingly harder as the PCM systems became more competitive. Often large, previously IBM-only systems users, who would have 2, 4, sometimes even 6 IBM S/360 systems, costing tens of millions of dollars, would buy a single PCM computer. The IBM on-site systems engineers (SE) could see the struggles of the customer, and along with the customers themselves, started to push back against the policy. The SE job was made harder the more their hands were tied, and the more restrictions that were put on the source code.

To SHARE or not to?

For the customers in the US, one of their major user groups, SHARE, had vast experience in source code distribution; its user-created content and tools tapes were legend. What most never knew is that back in 1959, with General Motors, SHARE had its own IBM mainframe (709) operating system, the SHARE Operating System (SOS).

At that time there were formal support offerings of on-site SEs that would work on problems and defects in SOS. But by 1962, IBM had introduced its own S/7090 Operating System, which was incompatible with SOS, and at that time IBM also withdrew support by its SEs and Program Support Representatives (PSRs) to work on SOS.

1965 is, to the best of my knowledge, when the open source code movement, as we know it today, started

To my knowledge, that’s where the open source code movement, as we know it today, started. Stallman’s experience with a printer driver mirrors exactly what had happened some 20 years before: the removal of source code, the inability to build working modifications to support a business initiative, using hardware and software ostensibly already owned by the customer.

IBM made it increasingly harder to get the source code, until the antitrust case. By that time, many of IBM’s customers had created and depended on small and large modifications to IBM source code.

Antitrust outcomes

[Image: Computerworld - IBM OCO]

By the mid-70s, as one of the results of years of litigation and consent decrees in the United States, IBM had been required to unbundle its software and make it available separately. Initially it was chargeable to customers who wanted to run it on PCM, non-IBM systems, but over time, as new releases and new function appeared, even customers with IBM systems saw a charge appear, especially as Field Developed Programs moved to full Program Products and so on. In a bid to stop competing products and user group offerings being developed from their products, this meant the IBM Products were increasingly supplied object-code-only (OCO). This became a formal policy in 1983.

I’ve kept the press cutting from ComputerWorld (March 1985) shown above since my days at Chemical Bank in New York. It pretty much sums up what was going on at the time: OCO, and users and user groups fighting back against IBM.

What this also did is give life to the formal software market; companies were now used to paying for their software, and we’ve never looked back. In the time since those days, software with source code available has continued to flourish. With each new twist and evolution of technology, open source thrives and finds its own place, sometimes a dominant position, sometimes subservient, in the background.

The times in the late 1950’s and 60’s were the dawn of open source. If users, programmers, researchers and scientists had not fought for their rights then, it is hard to know where the software industry would be now.

Footnotes

(1) The 1969 antitrust case was eventually abandoned in 1982.

(2) The PCM industry had itself come about as a result of a 1956 antitrust case and the consent decree that followed.

Linux Foundation Certification program

I was delighted to be able to endorse the Linux Foundation’s new certification program at its recent launch, along with industry luminaries including Mark Shuttleworth.

 “Linux certification that is based on performance and is easily accessible will be key to increasing the number of qualified Linux professionals,” said Mark Cathcart, Senior Distinguished Engineer, Dell. “The Linux Foundation’s approach to this market need is smart and thoughtful and they have the proven ability to deliver.”

Although I’ve contributed little to nothing to Linux in the way of technology, I’m totally impressed in how totally pervasive Linux has become, from embedded to Enterprise, since I wrote the chapters in the Year 2000 IBM Redbook on why IBM was getting involved with Linux.

So the new Linux Foundation certification program is a perfectly logical step in furthering the skills and workforce that are driving Linux today. Congratulations to Jim Zemlin and the Linux Foundation for achieving this significant milestone.

Linux Foundation Training and Certification

Jim Zemlin’s blog entry on the certification program

Linux Foundation Press Release covering the program announcement

16-years? Wow, time to send in a donation to the “Way back machine”, I’d forgotten they have many of my old pages here and here.

OpenSSL and the Linux Foundation

Former colleague and noted open source advocate Simon Phipps recently reblogged to his webmink blog a piece that was originally written for meshedinsights.com

I committed Dell to support the Linux Foundation Converged Infrastructure Initiative (CII) and attended a recent day-long board meeting with other members to discuss next steps. I’m sure you understand, Simon, but for the benefit of readers, here are just two important clarifications.

By joining the Linux Foundation CII initiative, your company can contribute to helping fund developers of OpenSSL and similar technologies directly through Linux Foundation Fellowships. This is in effect the same as you (Simon) are suggesting, having companies hire experts. The big difference is, the Linux Foundation helps the developers stay independent and removes them from the current need to fund their work through the (for profit) OpenSSL Software Foundation (OSF). They also remain independent of a large company controlling interest.

Any expansion of the OpenSSL team depends on the team itself being willing and able to grow the team. We need to be mindful of Brooks’ Mythical Man-Month. Having experts outside the team producing fixes and updates faster than they can be consumed (reviewed, tested, verified, packaged and shipped) just creates a fork, if not adopted by the core.

I’m hopeful that this approach will pay off. The team need to produce at least an abstract roadmap for bug fix adoption, code cleanup and features, and I look forward to seeing this. The Linux Foundation CII initiative is not limited to OpenSSL, but that is clearly the first item on the list.

More on OpenSSL, Heartbeat

I don’t propose to become an expert on OpenSSL, much less the greater security field, but I know people who are. My role in the Linux Foundation Core Infrastructure Initiative was to help Dell recognize how we can support a key industry technology, and at least give Dell the ability to have input on what comes next.

Our SonicWall team have many experts. They’ve published a great blog both on their product positioning and use in relation to Heartbleed and vulnerabilities, and Network Security product manager Dmitriy Ayrapetov raises the question, in a world of mostly TCP traffic, are TLS Heartbeats even necessary?

The Dell SecureWorks Counter Threat Unit™ (CTU) have a blog on malware arising out of and exploiting the Heartbleed vulnerability. Another great Dell resource well worth following for those with an interest in security.

Core Infrastructure Initiative (OpenSSL)

I’m pleased to announce that Dell will be joining the Linux Foundation and a number of key industry partners in establishing the Core Infrastructure Initiative (CII). This is another open source initiative, and I’m glad to have played my part in pushing through the approval. I mentioned in my February blog, and we continue to work on, three other, I think significant, initiatives.

CII is a new project to fund and support critical elements of the global information infrastructure. The Core Infrastructure Initiative enables technology companies to collaboratively identify and fund open source projects that are in need of assistance, while allowing the developers to continue their work under the community norms that have made open source so successful.

The first project under consideration to receive funds from the Initiative will be OpenSSL, which could receive fellowship funding for key developers as well as other resources to assist the project in improving its security, enabling outside reviews, and improving responsiveness to patch requests.

You can read the full Linux Foundation news release here and the New York Times already has a blog here.

Growing software influence and Dell

A few things have happened in the last couple of months that show the growing influence and maturity of the software team at Dell, and it’s been on my backlog to write up as a blog post.

DMTF VP of Regional Chapters

Yinghua Qin, the Senior Software Manager in our Zhuhai, China laboratory, has been accepted as the new VP of Regional Chapters at the DMTF. This is an outstanding opportunity for Yinghua, who leads the Foglight and a number of software engineering projects, as well as serves as the local liaison to Sun Yat-sen University (SYSU) school mobile engineering (SMIE). Yinghua reports to the Foglight lead architect Geoff Vona.

Dell actually has at various stages in the past been very proactive with the DMTF. Current board chair, Winston Bumpus, was formerly a Dell employee; my ESG colleague Jon Haas has been a major contributor to a number of standards. I for one am looking forward to the increased cooperation that working in international standards can bring.

Open Source Project

The Dell Cloud Manager product development team have open sourced their blockade test tool. Blockade is a utility for testing network failures and partitions in distributed applications. Blockade uses Docker containers to run application processes and manages the network from the host system to create various failure scenarios.

It’s a small step, but congratulations to Tim Freeman and the team for navigating through the process to produce the first new open source development project from the Dell Software Group team.

Angular giveback

A number of our development teams are using Angular.js. Once again, after an original approach in November by Sara Cowles from the Dell Cloud Manager team, who stepped forward and asked the right questions, and after checking with other teams, I was happy to sign the Google CLA to fax back to Google.

Yocto – Embedded Linux and Beyond

Congratulations also go to Mikey Brown from Dell’s Enterprise Systems Group (ESG). Mikey has picked up the mantle of a project I was a big supporter of when I was in ESG, Yocto. After doing a great job getting a couple of our embedded Linux offerings back on track using Yocto, and the build infrastructure around it, Mikey has re-connected with the Yocto team.

Each of these on their own are small steps, but these plus a number of other things going on give me a good feeling things are heading in the right direction. I’ll get to go have another fascinating time hearing from students about how things look from their side of the technology field when I head over to Texas A&M University (Insert “GO AGGIES” here!) to address class 481 on 2/25.

Dell joins Yocto project

One of the key activities here, outside of the VIS orchestration, automation engine has been the work around our embedded software stack and where we are heading next. Today we committed to joining the Yocto project, which will be aligned with the OpenEmbedded build system.

The Linux Foundation announced today, via press release, that Dell, along with Cavium Networks, Freescale Semiconductor, Intel, LSI, Mentor Graphics, Mindspeed, MontaVista Software, NetLogic Microsystems, RidgeRun, Texas Instruments, Tilera, Timesys, and Wind River, among others, would collaborate on a cross-compile environment enabling the development of “a complete Linux Distribution for embedded systems, with the initial target systems being ARM, MIPS, PowerPC and x86 (32 and 64 Bit).”

I’m hopeful that this will allow our guys to continue their SDK work, allowing us to move core product technologies between chip architectures, while at the same time contributing back as we innovate around the Linux platform, while building out the software build recipes and core Linux components, preventing fragmentation.


About & Contact

I'm Mark Cathcart, formerly a Senior Distinguished Engineer in Dell's Software Group; before that Director of Systems Engineering in the Enterprise Solutions Group at Dell. Prior to that, I was IBM Distinguished Engineer and member of the IBM Academy of Technology. I am a Fellow of the British Computer Society (bsc.org). I'm an information technology optimist.


I was a member of the Linux Foundation Core Infrastructure Initiative Steering committee. Read more about it here.
