July 2008

I had the pleasure of speaking with James Burgett of the Alameda County Computer Resource Center and Andrew Fife of Untangle.

James and Andrew are driving Installfest @ LinuxWorld with the goal of bringing together unwanted hardware with community elbow grease to provide computers to needy schools.

James has refurbished approximately 17,000 computers and given them to needy recipients over his career.  Yes, that’s 17,000!  James and Andrew hosted the first Installfest for Schools in March 2008 and were able to refurbish 350 computers.  The software installed on these refurbished computers is largely free and open source (e.g. Ubuntu and OpenOffice).

I’m certain that they’ll be able to refurbish many more than 350 computers; but not without your help!  If you’re going to be at LinuxWorld, here’s how you can do your part:

  1. Bring old hardware that can be donated to the Alameda County Computer Resource Center for a tax receipt.
  2. Drop by the Installfest and spend whatever time you can spare to refurbish some computers.  Don’t worry if you aren’t much of a tech wizard; James and Andrew have work that is suitable for all skill levels, all the way from “insert the Live CD and hit enter” to figuring out what’s wrong with a machine, fixing it and then installing the required software.

Just think of the benefits of donating an hour of your time:

  • Helping needy students to build computer skills
  • Introducing students to free and open source software at an early age
  • Extending the life of computers using a less resource-intensive operating system
  • Preventing over 50 lbs. of toxic material per computer from prematurely reaching a landfill, when the machine can still be used for a variety of computing tasks

Kudos to James and Andrew for setting a great example for the rest of us!

Winners of the SourceForge Community Choice Awards were announced at OSCON today.

Okay, as much as I love phpMyAdmin, how in the world would anyone vote for them to be the next $1 billion acquisition?  Heck, is there even a company to acquire?

  • Best Project: OpenOffice.org
  • Best Project for the Enterprise: OpenOffice.org
  • Best Project for Education: OpenOffice.org
  • Most Likely to Be the Next $1B Acquisition: phpMyAdmin
  • Best Project for Multimedia: VLC
  • Best Project for Gamers: XBMC
  • Most Likely to Change the World: Linux
  • Best New Project: Magento
  • Most Likely to Be Accused of Patent Violation: WINE
  • Most Likely to Get Users Sued: eMule
  • Best Tool or Utility for SysAdmins: phpMyAdmin
  • Best Tool or Utility for Developers: Notepad++

But alas, the voters have spoken, so congratulations to the winners!

InfoWorld’s Bill Snyder has a nice story about the rising demand for open source skills in the enterprise.  Bill is quoting from Open Source in the Enterprise, written by Bernard Golden and published by O’Reilly Media:

“…found that 5 percent to 15 percent of the positions now on the market call for open source software skills.”

I wholeheartedly agree that companies are increasingly looking for developers that have experience with open source products.

According to Bill:

“For this report, we focused primarily on job postings from Web sites of about half of all the Fortune 1000 companies. We counted the number of job postings that mention specific open source-related technical terms and tracked trends over time,” the report states.

The methodology used doesn’t allow us to know whether the job truly requires working with open source products, tools and frameworks for more than 90% of the work day, or simply asks for ancillary skills relating to open source products, tools and frameworks.  For example, looking for someone with Magento experience to develop an ecommerce site is different from looking for a .NET developer who has written against a MySQL database.

That’s why the 5% to 15% really doesn’t sit well with me.  It could overemphasize a set of skills without the reader understanding what the research question was and how to truly interpret the results.  I suspect that larger companies are looking for developers with a mix of experience with proprietary and open source products, tools and frameworks.

Second, and much more interesting, is there a salary differential between jobs calling for experience with open source products vs. proprietary products?  Again, the answer would depend on whether the job was truly an open source job or a job calling for some experience with open source products, tools, frameworks.

My advice, as always, takes a balanced approach.  Learn the latest open source products, tools, frameworks, but don’t forget to keep abreast of their closed-source alternatives.  The future belongs to those who can straddle both camps.

Simon Phipps is taking on a new role at Sun:

“It’s not an especially closely-kept secret but I’ve now moved from Sun’s software group and taken the Chief Open Source Officer role over to a newly-formed team reporting more directly to the CEO and working on Sun’s relationships with communities globally.”

Simon will lead the Sun Open Technologies Practice, with particular focus on standards and open source.  I must confess that I don’t know how Sun dealt with this before, but open standards and open source are so tightly linked in my mind.  So, it’s good to see both efforts headed up by the same team.

While most of the comments on Simon’s blog were congratulatory, Roy Schestowitz had the following to say:

“Why put a positive spin in intellectual monopolies at all? Is it because Sun /already/ has a portfolio, i.e. fences against competition?”

Simon responded:

“Hi Roy. That’s just the way the world outside the FOSS communities speaks. My intent is to work from this new position to change that world, but one doesn’t usually win by alienating them on day one :-)

Everyone else: Thanks for the warm wishes.”

True, alienating isn’t called for until day 3 ;-)  Anywho, good luck with the new role Simon.

From Physorg (in a slightly different order):

“Scientists say they have found a workable way of reducing CO2 levels in the atmosphere by adding lime to seawater.

The process of making lime generates CO2, but adding the lime to seawater absorbs almost twice as much CO2. The overall process is therefore ‘carbon negative’.

However, the idea, which has been bandied about for years, was thought unworkable because of the expense of obtaining lime from limestone and the amount of CO2 released in the process.”

Cquestrate, the group behind the idea, intends to use open source principles to bring the idea to reality.  The group is attempting to restrict patents from being secured as a result of the project.  Participants are asked to post their ideas and suggestions on the website, thereby disclosing the information for everyone to see and build upon.

Very cool idea and cool use of openness to benefit humanity.

Ounce Labs, a software risk analysis company, has uncovered two security vulnerabilities in the Spring Framework.

Considering how long Spring has been in use, and its popularity, how could such vulnerabilities remain hidden so long? After all, isn’t one of the hallmarks of open source the strong community vetting? Could it be that the shift towards single vendor-driven open source is making open source riskier?

What the Spring vulnerabilities are

Kudos to Ryan Berg, chief scientist and co-founder of Ounce Labs, and the Ounce team for uncovering the issues and working with SpringSource to raise awareness.

According to Ounce Labs:

The specific vulnerabilities are “ModelView Injection” and “Data Submission to Non-Editable Fields.” These vulnerabilities allow attackers to subvert the expected application logic and behavior, gaining control of the application itself, and access to any data, credentials or keys held in the application.

If your applications use the Spring Framework, be sure to read FAQs from the SpringSource advisory and the Ounce Security Advisory.
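The “Data Submission to Non-Editable Fields” pattern, as an added example that is not from the advisories or from the Spring project: a Spring MVC 2.5-style controller, with constructed class and field names, that restricts which form-object properties the data binder may write. It assumes, as the vulnerability’s name suggests, that the risk is request parameters being bound onto properties the form never exposes; the mitigation shown is Spring’s own `setAllowedFields` allow-list on `WebDataBinder`.

```java
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
@RequestMapping("/profile")
public class ProfileController {

    // Constructed form-backing object. The profile page renders an input for
    // "email" only; "admin" is set by the application and must never come
    // from the request.
    public static class UserProfile {
        private String email;
        private boolean admin;
        public String getEmail() { return email; }
        public void setEmail(String email) { this.email = email; }
        public boolean isAdmin() { return admin; }
        public void setAdmin(boolean admin) { this.admin = admin; }
    }

    // Populates the model before binding, so the admin flag carries the
    // application's value (a constructed stand-in for a database lookup).
    @ModelAttribute("profile")
    public UserProfile loadProfile() {
        UserProfile profile = new UserProfile();
        profile.setAdmin(false);
        return profile;
    }

    // Hardened binding: the binder may only write the properties listed here.
    // Without this @InitBinder method (the weak configuration), the default
    // binder writes every request parameter that matches a bean property, so a
    // POST carrying an extra "admin=true" parameter would flip the flag.
    // setDisallowedFields exists too, but an allow-list fails safe when new
    // properties are added to the bean later.
    @InitBinder
    public void restrictBindableFields(WebDataBinder binder) {
        binder.setAllowedFields(new String[] { "email" });
    }

    @RequestMapping(method = RequestMethod.POST)
    public String update(@ModelAttribute("profile") UserProfile profile) {
        // Only profile.email can have come from the request; profile.admin
        // keeps the value loadProfile() assigned, whatever was submitted.
        return "redirect:/profile";
    }
}
```

Parameters rejected by the allow-list are not errors; Spring silently skips them, so a test that posts an unexpected `admin=true` and checks the bound object is the way to confirm the restriction actually took effect.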

The deeper question on open source vetting

Now, the reason this story caught my eye:

“As we put more and more trust into the frameworks that are the foundation of our applications, we need to make sure we understand the security decisions made so we can make the right implementation choices.”

Two key benefits of OSS are the ability to read and understand the code we use and that “many eyes scouring the code” makes the product more secure.

Considering the millions of downloads of the Spring Framework, should we have expected someone to discover these security holes earlier? Or do developers use what the next guy/gal is using, trusting that “someone” has done the due diligence?

How should we interpret the news versus the long-held belief of increased security as a result of “more eyes scouring the code”? Could that be a trait of merit-based OSS projects that isn’t likely to show up in OSS projects where a single vendor writes the code?

If developers outside the company can’t contribute code, what is the likelihood that a developer will look at a piece of code within the project and ask, “How can I make this better?” — and in the process uncover a potential security issue?

I’m really asking a fundamental question: Are merit-based OSS projects more secure than single-vendor-driven OSS projects?


PS: I should state: “The postings on this site are my own and don’t necessarily represent IBM’s positions, strategies or opinions.”

We all know that hedge funds and trading floors in virtually every financial institution worldwide are having difficulties these days.  As investors move into cash, redemptions are forcing these financial institutions to cut costs (since these firms get a cut of the funds managed).

Traders will tell you that their trading strategy (encoded into algorithms) is the secret sauce that differentiates her/him from other traders. These trading strategies/algorithms are executed on a trading platform, like the open source Marketcetera Trading Platform.  Marketcetera allows institutions to spend more time and resources on what differentiates them from the other guys, the trading algorithms, rather than on common artifacts across firms, a trading platform.

Marketcetera has built a modular platform with the common capabilities that institutions require.  The open source nature of Marketcetera (GPLv2 or commercial license) allows institutions to tweak their trading platforms for competitive advantage, while starting from a solid base.

Marketcetera is finding that the majority of their users purchase a support contract, which is understandable when considering the business. Marketcetera counts over 500 community members and has a growing number of support and professional services customers.

When asked how Marketcetera can keep up with closed source trading platform vendors, especially from a late start, Marketcetera points to its use of OSS.  Marketcetera uses Eclipse RCP, ActiveMQ, various Apache utilities and the Spring Framework.  Additionally, Marketcetera allows customers to control their own platform rather than waiting for one of the two major trading platform vendors to make changes to their respective products.  The team intends to GA v1.0 in 4Q08.

CEO Graham Miller and CTO Toli Kuznets explained that control maximization and cost minimization are the two key drivers of Marketcetera adoption.

While many of you aren’t going to run out and download the Marketcetera Trading Platform, you may know someone on Wall St. in need.  Point them towards Marketcetera!
