diversity equity inclusion

This article originally appeared on the Open Mainframe Project’s blog. It is written by Earl Dixon, Principal Client Services Management at Broadcom


making our strong community stronger a collaborative initiative

After watching the first Making Our Strong Community Stronger panel on “How Personal Experiences Shape Corporate Inclusion,” I was very interested in the topic and engaged my management team to see what I could do to help in the effort. As a result, I was given the opportunity to participate in the second panel discussion focused on UNMASKING in the work place. I was very eager to participate as I felt the panel would be a great way for me to share my experiences.

As we started to discuss the structure and questions, I did get a little nervous.  I would be going from “not unmasking at work” to “unmasking” for my peers, management, and others in the industry.  We had a dry run for the panel, and I left that being even more nervous.  The other panelists (outside of my peers) were executives and managers who were white and had no issue with unmasking at work.  It was intimidating, but as I talked with Dr. Chance about my feelings, she made me feel more comfortable about moving forward.  As the days wound down closer to the event, I actually grew nervously excited.  Once that day came, I wanted to make sure that my story would be told the way that I needed it to be told. I wanted my story to be real and give an understanding of what it is like being a black man coming up in a white dominated field.



Much to my surprise, the panel went very well, and immediately after doing it, I felt a great sense of relief. It was as if a weight had been lifted off my shoulders.  The experience was very therapeutic for me.  The next day, the Making Our Strong Community Stronger initiative hosted a Town Hall for webinar attendees that had attended the panel discussion live and wanted to ask questions or provide feedback.  I felt even more confident in answering the questions posed by the audience, and it actually made me feel even better that I had been involved.

For the next few days, I received numerous emails, LinkedIn notes, and friend requests from individuals who applauded the webinar and the conversation we were able to have. I also heard stories from others who had similar experiences. Someone even asked me to discuss how my experiences could help him better understand how to support his diverse workforce.

In fact, I met with some of my own management team to discuss what they could be doing better from a DEI perspective. Having leaders from my company ask me questions and listen to what I had to say gave me a sense of appreciation that what we did in our panel was not only being heard, but real action was also occurring to help others coming into this mainframe space to work.

Overall, I am proud of the fact that I was able to participate in the DEI panel and look forward to doing more to help with DEI in the future.  It was a pleasure to work with Dr. Chance and her team in this effort to bring awareness to the truly important DEI issues that go unnoticed in the industry.

Open source is a global phenomenon impacting all industries in all parts of the world. To better understand the regional dynamics of open source, Linux Foundation Research is conducting a series of new research projects under the World of Open Source umbrella to explore the state of open source, beginning with a European perspective, focusing on government, enterprise, and non-profit initiatives. 

Commencing with Europe, these studies will investigate ecosystem-wide trends, including:

  • The size and scope of the open source communities in each region 
  • The motivation for contributions to open source
  • Opportunities and challenges in the private and public sector engagement in open source
  • The landscape for consumption and adoption of open source technologies and best practices, such as OSPO formation

This project will seek to understand the state of open source across different European individuals and organizations for decision-makers and influencers alike.

Funded by the Linux Foundation, this research will be led by LF Research in collaboration with FINOS, LF Training & Certification, and LF Public Health. Additional support will be provided by several organizations across the non-profit, for-profit, and academic sectors including Codemotion, Esade, Friedrich Alexander University, Institut de Govern i Polítiques Públiques (IGOP) de la Universitat Autònoma de Barcelona, OpenForum Europe, Sailboard, Scott Logic, TU/Berlin, TU/Eindhoven, TODO Group Europe Chapter, Università di Roma Tre, and the University of Southampton.

The survey will take no more than 10 minutes of your time and will provide valuable data against future studies and serve as a template for studies conducted in other regions. Findings will be shared at Open Source Summit Europe in Dublin in September.

We thank you for your participation. Upon completion of the survey, you will receive a coupon for 25% off any purchase of training and certification from the LF Training & Certification course catalog.

world of open source launch at KubeCon 2022

Key executives to discuss the state of open source initiatives at KubeCon Europe this week

VALENCIA, SpainMay 16, 2022 — The Linux Foundation, a global nonprofit organization enabling mass innovation through open source, today launches the World of Open Source research series with its initial focus on the European community. The initiative will be championed by LF Research in collaboration with several European distribution and research partners. Furthermore, key executives of the Linux Foundation and partners will be speaking at KubeCon in Valencia, Spain this week as they kickstart the research series and meet with the extended open source and cloud native communities.

The Supporting the Flourishing European Open Source Ecosystem birds-of-a-feather session will be hosted on Thursday, 19 May at 14:30 CEST by Gabriele Columbro (Executive Director of FINOS), Hilary Carter (VP, Linux Foundation Research), Astor Nummelin Carlberg (CEO, OpenForum Europe), and Matthew Dunderdale (Delivery Principal, Scott Logic). KubeCon Europe is one of the largest open source developer events hosted on the continent each year.

“FINOS is one of the most globally distributed entities under the Linux Foundation and we are truly excited to support this deep research initiative backed by so many respected institutions across the EU, UK, and Switzerland“, said Gabriele Columbro, Executive Director of FINOS. “A clear European perspective will enhance how we forge deeper collaboration across the FINOS community and will shed new light on cross-border challenges like cybersecurity and sustainability that are important to the Linux Foundation and the open source ecosystem at large.”

Scott Logic is a UK-based consultancy who, alongside our peers, have greatly benefited from the plethora of open source tools and technologies that have recently emerged. However, our collective reliance on open source can reveal the sometimes fragile nature of community-run digital commons. We are delighted to partner with Linux Foundation to better understand the state of open source in Europe“, said Colin Eberhardt, CTO of Scott Logic. “Armed with the research findings, our goal is to ensure everyone can capitalize on the amazing innovations happening within open source and that our ‘digital commons’ are sustained for the long-term”.

“OpenForum Europe is pleased to partner with the Linux Foundation to promote this timely research series and upcoming survey on the state of open source in Europe. Open source software has already been shown to boost the European economy by between EUR 65 to 95 billion annually and to have positive effects on the number of startups and SME growth. As the EU and its Member States continue to invest in digital transformation, better understanding will allow the EU to further benefit from the innovative power of open source software.”

About the World of Open Source Research series

The World of Open Source series will explore the state of open source from a global perspective, scop of open source world of research focusing on government, enterprise, and non-profit initiatives. The research initiative kicks off on Wednesday, 18 May with a “World of Open Source: 2022 Europe Spotlight” survey.

The European open source survey will investigate ecosystem-wide trends, including: (1) the size and scope of the open source communities in the region, (2) the motivation for contributions to open source, (3) opportunities and challenges in the private and public sector engagement in open source, and (4) the landscape for consumption and adoption of open source technologies and best practices, such as open source program office (OSPO) formation. This project will seek to understand key opportunities for collaboration and perceived challenges in the European open source community across sectors for decision-makers and influencers alike.

Funded by the Linux Foundation, this research will be led by LF Research in collaboration with FINOS, LF Training & Certification, and LF Public Health. Additional support will be provided by several organizations across the non-profit, for-profit, and academic sectors including: Codemotion, Esade, Friedrich Alexander University, Institut de Govern i Polítiques Públiques (IGOP) de la Universitat Autònoma de Barcelona, OpenForum Europe, Sailboard, Scott Logic, TU/Berlin, TU/Eindhoven, TODO Group Europe Chapter, Università di Roma Tre, and the University of Southampton.

This research further expands the Linux Foundation’s investment in fostering a flourishing local European ecosystem which already supports critical intra- and inter-region open source collaborations, training, and events. The Linux Foundation will reveal the survey results at Open Source Summit Europe, in Dublin, Ireland, to be hosted 13 – 16 September.

Additional Resources

  • Attend the Birds of a Feather session at KubeCon in Valencia (Spain) on Thursday, 18 May at 14:30 CEST to learn more about the “World Of Open Source” research series
  • Contact us about Linux Foundation activities in Europe
  • Register for Open Source Summit Europe

About the Linux Foundation

Founded in 2000, the Linux Foundation and its projects are supported by more than 1,800 members. The Linux Foundation is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, Hyperledger, RISC-V, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Media Contacts

Dan Whiting
+1 202-531-9091
dwhiting@linuxfoundation.org

Newest release introduces performance and usability improvements, and marks welcome of O3DCon speaker proposals and discussion suggestions due July 15

SAN FRANCISCO, May 13, 2022 – The Open 3D Foundation (O3DF), home of a vibrant, diverse community focused on building a first-class, open source engine for real-time 3D development, has released 22.05, the latest version of the Open 3D Engine, with a focus on performance, stability and usability enhancements. 

With over 1,460 code merges, this new release offers several improvements aiming to make it easier for developers to build 3D simulations for AAA games and various applications across robotics, AI, metaverse, digital twin, automotive, healthcare, and more. Significant advancements include core stability, installer validation, motion matching updates, user-defined property (UDP) support for the asset pipeline, and automated testing advancements. 

Artists can focus on bringing their visions to life using the tools they feel most comfortable with, such as Blender or Autodesk® Maya®. The Open 3D Engine (O3DE) can now integrate user-defined properties (UDP) metadata into its asset pipeline from source assets so that scene-building and asset-processing logic can be customized using this metadata. UDP metadata can be assigned in content creation tools to store custom properties for mesh, light, animation, and other elements to power asset generation workflows for O3DE.

Animation artists can now utilize motion matching, a data-driven animation technique that synthesizes motions based on existing animation data and current character and input contexts to deliver photorealistic experiences. This feature, introduced as an experimental gem, includes a prefabricated character example that can be controlled using a gamepad. 

Other improvements include: 

  • Simpler customization of the render pipeline is now possible using a new set of APIs. Examples of gems that currently exploit this capability include Terrain, LyShine and TressFx. 
  • Developers can now re-use Material Types much more easily.
  • Developers can now control the spawning of player-controlled, networked entities using an improved interface, a capability that is essential for building multiplayer games.
  • Automated tests now verify that an installer build is valid, and ensures that all of the steps within the build are successfully executed. These tests are run nightly for O3DE, and have been designed so that anyone can plug them into their quality verification process. 

The 22.05 Release marks the Open 3D Engine’s first major release of 2022. Releases occur on a bi-annual cadence, in the first half and second half of each year. The next release is scheduled for October 2022, which will coincide with the Open 3D Foundation’s flagship conference, O3DCon.

To learn more about this release and all of its features, read the release notes, or join the community on Discord. You can download the 22.05 Release today. 

O3DCon Call for Proposals Now Open

The Open 3D Foundation also announced the call for proposals (CFPs) for its annual flagship conference, O3DCon. On October 18-19, 2022, in Austin, Texas, technology leaders, independent 3D developers, and the academic community spanning the 3D landscape will come together to share ideas, discuss hot topics and help shape the future of open 3D development across a variety of industries and disciplines. O3DCon will be presented as a hybrid event—attendees can join and participate in person or virtually. Workshops and pre-registration will be held on October 17, a day ahead of the actual conference events.

With over 25 member companies since its public announcement in July 2021, the Open 3D Foundation boasts a healthy, thriving community, adding Microsoft as its latest member. Other premier members include Adobe, AWS, Huawei, Intel and Niantic. The O3D Engine averages up to 2 million line changes and 350-450 commits monthly from 60-100 authors across 41 repos.

“I’m proud of the O3DE community’s focus on core stability while delivering new capabilities aimed to simplify and enhance 3D development for developers around the globe,” said Royal O’Brien, Executive Director of O3DF and General Manager of Games and Digital Media at the Linux Foundation. “I’m also incredibly excited about the opportunity O3DCon offers in bringing together diverse minds to collaborate on advancing the state of open 3D development across so many industries.”

Proposals to speak at O3DCon are being accepted now through Friday, July 15, 2022, at 11:59 pm PDT. All those interested are invited to submit proposals. Those who have submitted proposals will be notified of a decision by Tuesday, August 2. Learn more and submit your proposal today.

Submission types requested include:

  • Lightning talks
  • Session presentations
  • Birds-of-a-feather discussions
  • Panel discussions
  • Hands-on workshops/training

Suggested topics include:

  • 3D Development & Open 3D Engine 101
  • Building & Sustaining Open Source in 3D Development
  • Game Development
  • Metaverse
  • AI
  • Robotics
  • Digital Twin
  • Automotive
  • Healthcare

Sponsors have the unique opportunity to demonstrate their leadership in this burgeoning arena, forge valuable connections and help shape the future of 3D development. O3DCon offers multiple sponsorship levels for your consideration. To explore all of the sponsorship benefits, please click here. The sponsorship deadline is September 2, 2022. O3DF Members receive a 3% discount on all exhibitor packages. For questions about sponsorships and contract requests, or to become a sponsor, please contact us

Visit the O3DF website and follow O3DE on Twitter, Facebook and LinkedIn for all the latest O3DCon updates and announcements.

About the Open 3D Engine Project

Open 3D Engine (O3DE) is the flagship project managed by the Open 3D Foundation (O3DF). The open source project is a modular, cross-platform 3D engine built to power anything from AAA games to cinema-quality 3D worlds to high-fidelity simulations. The code is hosted on GitHub under the Apache 2.0 license. To learn more, please visit o3de.org. To get involved and connect with the O3DE community, please join us on Discord and GitHub.

About the Open 3D Foundation

Established in July 2021, the mission of the Open 3D Foundation (O3DF) is to make an open-source, fully-featured, high-fidelity, real-time 3D engine for building games and simulations, available to every industry. The Open 3D Foundation is home to the O3D Engine project. To learn more, please visit o3d.foundation.

About the Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

The Linux Foundation Events are where the world’s leading technologists meet, collaborate, learn and network in order to advance innovations that support the world’s largest shared technologies.

Media Inquiries:

pr@o3d.foundation

world of open source launch at KubeCon

10-Point Open Source and Software Supply Chain Security Mobilization Plan Released with Initial Pledges Surpassing $30M

WASHINGTON, DC – May 12, 2022 – The Linux Foundation and the Open Source Software Security Foundation (OpenSSF) brought together over 90 executives from 37 companies and government leaders from the NSC, ONCD, CISA, NIST, DOE, and OMB to reach a consensus on key actions to take to improve the resiliency and security of open source software. 

Open Source Software Security Summit II, is a follow-up to the first Summit held January 13, 2022 that was led by the White House’s National Security Council. Today’s meeting was convened by the Linux Foundation and OpenSSF on the one year after the anniversary of President Biden’s Executive Order on Improving the Nation’s Cybersecurity

The Linux Foundation and OpenSSF, with input provided from all sectors, delivered a first-of-its-kind plan to broadly address open source and software supply chain security. The Summit II plan outlines approximately $150M of funding over two years to rapidly advance well-vetted solutions to the ten major problems the plan identifies. The 10 streams of investment include concrete action steps for both more immediate improvements and building strong foundations for a more secure future. 

A subset of participating organizations have come together to collectively pledge an initial tranche of funding towards implementation of the plan. Those companies are Amazon, Ericsson, Google, Intel;, Microsoft, and VMWare, pledging over $30M. As the plan evolves further more funding will be identified, and work will begin as individual streams are agreed upon.

This builds on the existing investments that the OpenSSF community members make into open source software. An informal poll of our stakeholders indicates they spend over $110M and employ nearly a hundred full-time equivalent employees focused on nothing but securing the open source software landscape. This plan adds to those investments.

KEY QUOTES

Jim Zemlin – Executive Director, Linux Foundation:  “On the one year anniversary of President Biden’s executive order, today we are here to respond with a plan that is actionable, because open source is a critical component of our national security and it is fundamental to billions of dollars being invested in software innovation today. We have a shared obligation to upgrade our collective cybersecurity resilience and improve trust in software itself.  This plan represents our unified voice and our common call to action. The most important task ahead of us is leadership.”

Brian Behlendorf – Executive Director, Open Source Security Foundation (OpenSSF):  “What we are doing here together is converging a set of ideas and principles of what is broken out there and what we can do to fix it.  The plan we have put together represents the 10 flags in the ground as the base for getting started.  We are eager to get further input and commitments that move us from plan to action.”

Anne Neurenberger, Deputy National Security Advisor, Cyber & Emerging Tech at National Security Council, The White House:

“President Biden signed the Executive Order on Cybersecurity last year to ensure the software our government relies on is secure and reliable, including software that runs our critical infrastructure.  Earlier this year, the White House convened a meeting between government and industry participants to improve the security of Open Source software.  The Open Source security foundation has followed up on the work at that meeting and convened participants from across industry to make substantial progress.  We are appreciative of all participants’ work on this important issue.”

Atlassian

Adrian Ludwig, Chief Trust Officer

“Open source software is critical to so many of the tools and applications that are used by thousands of development teams worldwide. Consequently, the security of software supply chains has been elevated to the top of most organizations’ priorities in the wake of recent high-profile vulnerabilities in open source software. Only through concerted efforts by industry, government and other stakeholders can we ensure that open source innovation continues to flourish in a secure environment. This is why we are happy to be participating in OpenSSF, where we can collaborate on key initiatives that raise awareness and drive action around the crucial issues facing software supply chain security today. We’re excited to be a key contributor to driving meaningful change and we are optimistic about what we can achieve through our partnership with OpenSSF and like-minded organizations within its membership.”

Cisco

Eric Wenger, Senior Director, Technology Policy, Cisco Systems

“Open source software (OSS) is a foundational part of our modern computing infrastructure. As one of the largest users of and contributors to OSS, Cisco makes significant investments in time and resources to improve the security of widely-used OSS projects. Today’s effort shows the stakeholder community’s shared commitment to making open-source development more secure in ways that are measurable and repeatable.”

Dell

Jim Medica, Technologist in Dell Technologies’ Office of the CTO

“Never before has software security been a more critical part of the global supply chain. Today, in a meeting led by Anne Neuberger [linkedin.com], Deputy National Security Advisor for Cyber and Emerging Technology, Dell and my Open Source Security Foundation colleagues committed our software security expertise to execute the Open Source Software Security Mobilization Plan. Dell’s best and brightest engineers will engage with peers  to develop risk-based metrics and scoring dashboards, digital signature methodologies for code signing, and Software Bill of Materials (SBoM) tools – all to address the grand challenge of open source software security. This is an excellent example of the leadership Dell provides to proactively impact software security and open-source security solutions, and reinforces our commitment to the open source software community, to our supply chain and to our national security.”

Ericsson

“Ericsson is one of the leading promoters and supporters of the open source ecosystem, accelerating the adoption and industry alignment in a number of key technology areas. The Open Source Security Foundation (OpenSSF) is an industry-wide initiative with the backing of the Linux Foundation with the objective of improving supply chain security in the open source ecosystem.

“As a board member of OpenSSF, we are committed to open source security and we are fully supportive of the mobilization plan with the objective of improving supply chain security in the open source ecosystem. Being an advocate and adopter of global standards, the initiatives aim to strengthen open source security from a global perspective.”

GitHub

Mike Hanley, Chief Security Officer

“Securing the open source ecosystem starts with empowering developers and open source maintainers with tools and best practices that are instrumental to securing the software supply chain. As home to 83M developers around the world, GitHub is uniquely positioned and committed to advance these efforts, and we’ve continued our investments to help developers and maintainers realize improved security outcomes through initiatives including 2FA enforcement on GitHub.com and npm, open sourcing the GitHub Advisory Database, financial enablement for developers through GitHub Sponsors, and free security training through the GitHub Security Lab

“The security of open source is critical to the security of all software. Summit II has been an important next step in bringing the private and public sector together again and we look forward to continuing our partnerships to make a significant impact on the future of software security.”

Google

Eric Brewer, VP of Infrastructure at Google Cloud & Google Fellow

“We’re thankful to the Linux Foundation and OpenSSF for convening the community today to discuss the open source software security challenges we’re facing and how we can work together across the public and private sectors to address them. Google is committed to supporting many of the efforts we discussed today, including the creation of our new Open Source Maintenance Crew, a team of Google engineers who will work closely with upstream maintainers on improving the security of critical open source projects, and by providing support to the community through updates on key projects like SLSA, Scorecards; and Sigstore, which is now being used by the Kubernetes project. Security risks will continue to span all software companies and open source projects and only an industry-wide commitment involving a global community of developers, governments and businesses can make real progress. Google will continue to play our part to make an impact.”

IBM

Jamie Thomas, Enterprise Security Executive

“Today, we had the opportunity to share our IBM Policy Lab’s recommendations on how understanding the software supply chain is key to improving security. We believe that providing greater visibility in the software supply chain through SBoMs ( Software Bill of Materials) and using the Open Source Software  community as a valuable resource to encourage passionate developers to create, hone their skills, and contribute to the public good can help strengthen our resiliency. It’s great to see the strong commitment from the community to work together to secure open source software. Security can always be strengthened and I would like to thank Anne Neuberger today  for her deep commitment and open, constructive, technical dialogue that will help us pave the way to enhancing OSS security. ”

Intel

Greg Lavender, Chief Technology Officer and General Manager of the Software and Advanced Technology Group

“Intel has long played a key role in contributing to open source. I’m excited about our role in the future building towards Pat’s Open Ecosystem vision. As we endeavor to live into our core developer tenets of openness, choice and trust – software security is at the heart of creating the innovation platforms of tomorrow.”

Melissa Evers, Vice President, Software and Advanced Technology, General Manager of Strategy to Execution

“Intel commends the Linux Foundation in their work advancing open source security. Intel has a history of leadership and investment in open source software and secure computing: over the last five years, Intel has invested over $250M in advancing open-source software security. As we approach the next phase of Open Ecosystem initiatives, we intend to maintain and grow this commitment by double digit percentages continuing to invest in software security technologies, as well as advance improved security and remediation practices within the community and among those who consume software from the community.”

JFrog

Stephen Chin, Vice President of Developer Relations

“While open source has always been seen as a seed for modernization, the recent rise of software supply chain attacks has demonstrated we need a more hardened process for validating open-source repositories. As we say at JFrog, ‘with great software comes great responsibility’, and we take that job seriously. As a designated CNA, the JFrog Security Research team constantly monitors open-source software repositories for malicious packages that may lead to widespread software supply chain attacks and alerts the community accordingly. Building on that, JFrog is proud to collaborate with the Linux Foundation and other OpenSSF members on designing a set of technologies, processes, accreditations, and policies to help protect our nation’s critical infrastructure while nurturing one of the core principles of open source – innovation.” 

JPMorgan Chase

Pat Opet, Chief Information Security Officer

“We are proud to have worked with Open Source Security Foundation (OpenSSF) and its members to create the new Open Source Software Security Mobilization Plan, This plan will help to address security issues in the software supply chain which is critical to making the world’s software safer and more secure for everyone.”

Microsoft

Mark Russinovich, CTO, Microsoft Azure

“Open source software is core to nearly every company’s technology strategy. Collaboration and investment across the open source ecosystem will strengthen and sustain security for everyone. Microsoft’s commitment to $5M in funding for OpenSSF supports critical cross-industry collaboration. We’re encouraged by the community, industry, and public sector collaboration at today’s summit and the benefit this will have to strengthen supply chain security.”

OWASP Foundation

Andrew van der Stock, Executive Director

“OWASP’s mission is to improve the state of software security around the world. We are contributing to the Developer Education and Certification, as well addressing the Executive Order for improving the state and adoption of SBOMs. In particular, we would like to see a single, consumable standard across the board.” 

Mark Curphey (founder of OWASP) and John Viega (author of the first book on software security), Stream Coordinators

“We’re excited to see the industry’s willingness to come together on a single ‘bill of materials’ format. It has the potential to help the entire industry solve many important problems, including drastically improving response speed for when major new issues in open source software emerge.” 

SAP

Tim McKnight, SAP Executive Vice President & Chief Information Security Officer

“SAP is proud to be a part of the Open Source Software Security Summit II and contribute to the important dialogue on the topic of Open Source software security.

“SAP is firmly committed to supporting the execution of the Open Source Software Security Mobilization Plan and we look forward to continuing our collaboration with our government, industry, and academic partners.”

Sonatype

Brian Fox, CTO of Sonatype and steward of Maven Central

“It’s rare to see vendors, competitors, government, and diverse open source ecosystems all come together like they have today. It shows how massive a problem we have to solve in securing open source, and highlights that no one entity can solve it alone. The Open Source Software Security Mobilization Plan is a great step toward bringing our community together with a number of key tactics, starting with securing OSS production, which will make the entire open source ecosystem stronger and safer.” 

Wipro

Andrew Aitken, Global Head of Open Source

“Wipro is committed to helping ensure the safety of the software supply chain through its engagement with OpenSSF and other industry initiatives and is ideally suited to enhance efforts to provide innovative tooling, secure coding best practices and industry and government advocacy to improve vulnerability remediation.

“As the only global systems integrator in the OpenSSF ecosystem and in line with its support of OpenSSF objectives, Wipro will commit to training 100 of its cybersecurity experts to the level of trainer status in LF and OpenSSF secure coding best practices and to host training workshops with its premier global clients and their developer and cybersecurity teams. 

“Further, Wipro will increase its public contributions to Sigstore and the SLSA framework by integrating them into its own solutions and building a community of 50+ contributors to these critical projects.”

KEY BACKGROUND

Three Goals of the 10-Point Plan

  • Securing Open Source Security Production
      1. Make baseline secure software development education and certification the new normal for pro OSS developers
      2. Establish a public, vendor-neutral, objective-metrics based risk assessment dashboard for the top 10,000 open source components.
      3. Accelerate the adoption of digital signatures on software releases
      4. Eliminate root causes of many vulnerabilities through replacement of non-memory-safe languages.
  • Improving Vulnerability Discovery and Remediation
      1. Accelerate discovery of new vulnerabilities by maintainers and experts.
      2. Establish the corps of “volunteer firefighter” security experts to assist open source projects during critical times.
      3. Conduct third-party code reviews (and any necessary remediation work) of 200 of the most-critical open source software components yearly
      4. Coordinate industry-wide data sharing to improve the research that helps determine the most critical open source software.
  • Shorten ecosystem Patching Response Time
    1. Software Bill of Materials (SBOM) Everywhere – improve SBOM tooling and training to drive adoption
    2. Enhance the 10 most critical open source security build systems, package managers, and distribute systems with better supply chain security tools and best practices.

The 10-Point Plan Summarized (available in full here)

  1. Security Education Deliver baseline secure software development education and certification to all. 
  2. Risk Assessment Establish a public, vendor-neutral, objective-metrics-based risk assessment dashboard for the top 10,000 (or more) OSS components.
  3. Digital Signatures Accelerate the adoption of digital signatures on software releases.
  4. Memory Safety Eliminate root causes of many vulnerabilities through replacement of non-memory-safe languages.
  5. Incident Response Establish the OpenSSF Open Source Security Incident Response Team, security experts who can step in to assist open source projects during critical times when responding to a vulnerability.
  6. Better Scanning Accelerate discovery of new vulnerabilities by maintainers and experts through advanced security tools and expert guidance.
  7. Code Audits Conduct third-party code reviews (and any necessary remediation work) of up to 200 of the most-critical OSS components once per year. 
  8. Data Sharing Coordinate industry-wide data sharing to improve the research that helps determine the most critical OSS components.
  9. SBOMs Everywhere Improve SBOM tooling and training to drive adoption. 
  10. Improved Supply Chains Enhance the 10 most critical OSS build systems, package managers, and distribution systems with better supply chain security tools and best practices.

Media Contact

Edward Cooper
openssf@babelpr.com

brian behlendorf testifying at a U.S. House hearing

This post originally appeared on OpenSSF’s blog

On Wednesday, May 11, 2022, Brian Behlendorf, OpenSSF General Manager, testified to the United States House of Representatives Committee on Science, Space, and Technology. Brian’s testimony shares the work being done within the Open Source Security Foundation and broader open source software community to improve security and trustworthiness of open source software.

A copy of Brian’s written remarks are below and linked here (PDF). Visit the Committee’s website to view a recording of the hearing.

Also testifying at the hearing were:



May 9th, 2022 

The Honorable Eddie Bernice Johnson, Chairwoman
The Honorable Frank Lucas, Ranking Member
Committee on Science, Space, and Technology
2321 Rayburn House Office Building
Washington, DC 20515-6301 

Dear Chairwoman Johnson, Congressman Lucas, and distinguished members of the Committee on Science, Space and Technology, 

Thank you for your invitation to address you today, and the opportunity to share with you the work being done within the Open Source Security Foundation and the broader open source software community to raise the level of security and trustworthiness of open source software. 

  1. What are the consequences of insecure open-source software and what is industry as a whole, and the Open Source Security Foundation in particular, doing to tackle such Vulnerabilities? 

Open source software (“OSS”) has become an integral part of the technology landscape, as inseparable from the digital machinery of modern society as bridges and highways are from the physical equivalent. According to one report, typically 70% to 90% of a modern application “stack” consists of pre-existing OSS, from the operating system to the cloud container to the cryptography and networking functions, sometimes up to the very application running your enterprise or website. Thanks to copyright licenses that encourage no-charge re-use, remixing, and redistribution, OSS encourages even the most dogged of competitors to work together to address common challenges, saving money by avoiding duplication of effort, moving faster to innovate upon new ideas and adopt emerging standards. 

However, this ubiquity and flexibility can come at a price. While OSS generally has an excellent reputation for security, the developer communities behind those works can vary significantly in their application of development practices and techniques that can reduce the risk of a defect in the code, or in responding quickly and safely when one is discovered by others. Often, developers trying to decide what OSS to use have difficulty determining which ones are more likely to be secure than others based on objective criteria. Enterprises often don’t have a well-managed inventory of the software assets they use, with enough granular detail, to know when or if they’re vulnerable to known defects, and when or how to upgrade. Even those enterprises who may be willing to invest in increasing the security of the OSS they use often don’t know where to make those investments, nor their urgency relative to other priorities. 

There are commercial solutions to some of these problems. There are vendors like Gitlab or Red Hat who sell support services for specific open source software, or even entire aggregate distributions of OSS. There are other vendors, like Snyk and Sonatype, who sell tools to help enterprises track their use of OSS and flash an alert when there is a new critical vulnerability in software running deep inside an enterprise’s IT infrastructure.

However, fighting security issues at their upstream source – trying to catch them earlier in the development process, or even reduce the chances of their occurrence at all – remains a critical need. We are also seeing new kinds of attacks that focus less on vulnerabilities in code, and more on the supply chain itself – from rogue software that uses “typosquatting” on package names to insert itself unexpectedly into a developer’s dependency tree, to attacks on software build and distribution services, to developers turning their one-person projects into “protest-ware” with likely unintended consequences. 

To address the urgent need for better security practices, tools, and techniques in the open source software ecosystem, a collection of organizations with deep investments into the OSS ecosystem came together in 2020 to form the Open Source Security Foundation, and chose to house that effort at the Linux Foundation. This public effort has grown to hundreds of active participants across dozens of different public initiatives housed under 7 working groups, with funding and partnership from over 75 different organizations, and reaching millions of OSS developers. 

The OpenSSF’s seven working groups are: 

  1. Best Practices for Open Source Developers: This group works to provide open source developers with best practices recommendations, and easy ways to learn and apply them. Among other things, this group has developed courseware for teaching developers the fundamentals of secure software development, and implement the OpenSSF Best Practices Badge program. 
  2. Securing Critical Projects: This group exists to identify and help to allocate resources to secure the critical open source projects we all depend on. Among other things, this has led to a collaboration with Harvard Business School to develop a list of the most critical projects. 
  3. Supply Chain Integrity: This group is helping people understand and make decisions on the provenance of the code they maintain, produce and use. Among other things, this group has developed a specification and software called “SLSA”, for describing and tracking levels of confidence in a software supply chain. 
  4. Securing Software Repositories: This group provides a collaborative environment for aligning on the introduction of new tools and technologies to strengthen and secure software repositories, which are key points of leverage for security practices and the promotion to developers of more trustworthy software. 
  5. Identifying Security Threats in Open Source Projects: This group enables informed confidence in the security of OSS by collecting, curating, and communicating relevant metrics and metadata. For example, it is developing a database of all known security reviews of OSS. 
  6. Security Tooling: This group’s mission is to provide the best security tools for open source developers and make them universally accessible. Among other activities, this group has released code to better enable a security testing technique called “fuzzing” among open source projects. 
  7. Vulnerability Disclosures: This group is improving the overall security of the OSS ecosystem by helping advance vulnerability reporting and communication. For example, this group has produced a Guide to Coordinated Vulnerability Disclosure for OSS

There are also a series of special projects under the OpenSSF worthy of special mention: 

  • Project sigstore: an easy-to-use toolkit and service for signing software artifacts, ensuring that the software you are holding is the same as what the developer intended, addressing a wide array of supply chain attacks. 
  • The Alpha-Omega Project: an effort to systematically search for new vulnerabilities in open source code, and work with critical open source projects to improve their vulnerability handling and other security practices. 
  • The GNU Toolchain Initiative: this effort supports the build ecosystems for perhaps the most critical set of developer libraries and compilers in the world, the GNU Toolchain, as a means to ensure its safety and integrity. 

All the above efforts are public-facing and developed using the best practices of open source software communities. Funding from our corporate partners goes towards supporting the core staff and functions that enable this community, but all the substance comes from voluntary efforts. In some cases funds flow to assist with specific efforts – for example, recently the Alpha-Omega project decided to allocate funding towards the NodeJS community to augment its security team with a part-time paid employee and to fund fixes for security issues. 

The Linux Foundation has also begun to adapt its “LFX” platform, a set of services designed to support the open source communities hosted by the Foundation, to incorporate security-related data such as vulnerability scans from Snyk and BluBracket, along with information from the OpenSSF Best Practices Badge program and the OpenSSF Security Scorecards initiative, to provide a unified view of the security risks in a particular collection of open source code, and what maintainers and contributors to those projects can do to improve those scores and reduce those risks. We expect to see more kinds of risk-related data coming into a unified view like this, helping developers and enterprises make better decisions about what open source components and frameworks to use, and how to reduce risk for those components they depend upon. 

Guiding all of this is a deep conviction among the OpenSSF community that while there are many different ways in which security issues manifest themselves in the OSS ecosystem, every one of them is addressable, and that there are lots of opportunities for investment and collective action that will pay a return many times over in the form of lower risk of a future major vulnerability in a widely-used package, and lesser disruption if one is discovered. 

Other efforts at the Linux Foundation include “Prossimo”, an effort focused on moving core Internet-related services to “memory-safe” languages like Rust, Go, or Java, which would eliminate an entire category of vulnerabilities that other languages allow too easily. Another is the SPDX standard for Software Bill of Materials (“SBOMs”), addressing the needs identified by White House Executive Order 14028 in a vendor-neutral and open way. 

This is by no means a comprehensive list of all such efforts in the OSS ecosystem to improve security. Every OSS foundation either has a security team in operation today or is scrambling to identify volunteers and funding to establish one. There is a greater emphasis today than I’ve seen in my 30 years of using and contributing to OSS (since before it was called OSS) on the importance of such efforts. Clear metrics for progress are elusive since we lack clear metrics for evaluating software risk; in fact developing ways to measure and represent that risk is a key priority for OpenSSF. We will never see a time when open source software is free from security defects, but we are getting better at determining the tools and techniques required to more comprehensively address the risk of vulnerabilities in open source code. Scaling up those tools and techniques to address the tens of thousands of widely used OSS components and to get them more quickly updated remains a challenge. 

  1. How can the Federal government improve collaboration with industry to help secure open-source software? 

I’ll focus here on principles and methods for collaboration that will lead to more secure OSS, and then for question 3 on specific opportunities to collaborate on. 

First, focus on resourcing long-term personal engagements with open source projects. 

Over the last few years, we have seen a healthy degree of engagement by the Federal government with OSS projects and stakeholders on the topic of improving security. The push established by Executive Order 14028 for the adoption of SBOMs aligned nicely with the standardization and growing adoption of the SPDX standard by a number of OSS projects, but it was aided substantially by the involvement of personnel from NIST, CISA, and other agencies engaging directly with SPDX community members. 

Often the real secret to a successful OSS effort is in the communities of different stakeholders that come together to create it – the software or specification is often just a useful byproduct. The Federal government, both through its massive use of open source code and the role that it traditionally performs in delivering and protecting critical infrastructure, should consider itself a stakeholder, and like other stakeholders prioritize engagement with upstream open source projects of all sizes. That engagement need not be so formal; most contributors to open source projects have no formal agreement covering that work aside from a grant of intellectual property in those contributions. But as they say, “history is made by those who show up.” If the IT staff of a Federal agency (or of a contractor under a Federal contract) were authorized and directed to contribute to the security team of a critical open source project, or to addressing known or potential security issues in important code, or to participating in an OpenSSF working group or project, that would almost certainly lead to identifying and prioritizing work that would result in enhanced security in the Federal government’s own use of open source code, and likely to upstream improvements that make OSS more secure for everyone else. 

Second, engage in OSS development and security work as a form of global capacity building, and in doing so, in global stability and resilience. OSS development is inherently international and has been since its earliest days. Our adversaries and global competitors use the same OSS that we do, by and large. When our operating systems, cloud containers, networking stacks and applications are made to be more secure, there are fewer chances for rogue actors to cause disruption, and that can make it harder to de-escalate tensions or protect the safety of innocent parties. Government agencies in France, Taiwan, and more have begun to establish funded offices focused on the adoption, development, and promotion of OSS, in many ways echoing the Open Source Program Offices being set up by companies like Home Depot and Walmart or intergovernmental agencies like the WHO. The State Department in recent years has funded the development of software like Tor to support the security needs of human rights workers and global activists. The Federal government could use its convening authority and statecraft to bring like-minded activities and investment together in a coordinated way more effectively than any of us in the private sector can. 

Third, many of the ideas for improving the security of OSS involve establishing services – services for issuing keys to developers like Project sigstore does, or services for addressing the naming of software packages for SBOMs, or services for collecting security reviews, or providing a comprehensive view of the risk of open source packages. Wherever possible, the Federal government should avoid establishing such services themselves when suitable instances of such services are being built by the OSS community. Instead of owning or operating such services directly, the Federal Government should provide grants or other resources to operators of such services as any major stakeholder would. Along similar lines, should the Federal government fund activities like third party audits of an open source project, or fund fixes or improvements, it should ensure not only that such efforts don’t duplicate work already being done, it should ensure that the results of that work are shared (with a minimum of delay) publicly and upstream so that everyone can benefit from that investment. 

These three approaches to collaboration would have an outsized impact on any of the specific efforts that the Federal government could undertake. 

  1. Where should Congress or the Administration focus efforts to best support and secure the open-sourced software ecosystem as a whole? 

The private sector and the Federal government have a common cause in seeing broad improvements in the security of OSS. I’m happy to share where I see the private sector starting to invest in enhanced OSS security, in the hopes that this may inspire similar actions from others. 

  1. Education. Very few software developers ever receive a structured education in security fundamentals, and often must learn the hard way about how their work can be attacked. The OpenSSF’s Secure Software Fundamentals courses are well regarded and themselves licensed as open source software, which means educational institutions of all kinds could deliver the content. Enterprises could also start to require it of their own developers, especially those who touch or contribute to OSS. There must be other techniques for getting this content into more hands and certifications against it into more processes. 
  2. Metrics and benchmarks. There are plenty of efforts to determine what are suitably objective metrics for characterizing the risks of OSS packages. But running the cloud systems to perform that measurement across the top 100,000 or even 10,000 open source projects may cost more than what can be provided for free by a single company, or may be fragile if only provided by a single vendor. Collective efforts funded by major stakeholders are being planned-for now, and governments as a partner to that would not be turned away. 
  3. Digital signatures. There is a long history of U.S. Government standards for identity proofing, public key management, signature verification, and so on. These standards are very sophisticated, but in open source circles, often simplicity and support are more important. This is pulling the open source ecosystem towards Project sigstore for the signing of software artifacts. We would encourage organizations of all sorts to look at sigstore and consider it for their OSS needs, even if it may not be suitable for all identity use cases. 
  4. Research and development investments into memory-safe languages. As detailed above, there are opportunities to eliminate whole categories of defects for critical infrastructure software by investing in alternatives written in memory-safe languages. This work is being done, but grants and investments can help accelerate that work. 
  5. Fund third-party code reviews for top open source projects. Most OSS projects, even the most critical ones, never receive the benefit of a formal review by a team of security experts trained to review code not only for small bugs that may lead to big compromises, but to look at architectural issues and even issues with the features offered by the software in the search for problems. Such audits vary tremendously in cost based on the complexity of the code, but an average for an average-sized code base would be $150K-250K. Covering the top 100 OSS projects with a review every other year, or even 200 every year, seems like a small price compared to the costs on US businesses to remedy or clean up after a breach caused by just one bug. 
  6. Invest into better supply chain security support in key build systems, package managers, and distribution sites. This is partly about seeing technologies like SBOMs, digital signatures, specifications like SLSA and others built into the most widely used dev tools so that they can be adopted and meaningfully used with a minimum of fuss. Any enterprise (including the Federal government) that has software certification processes based on the security attributes of software should consider how those tools could be enhanced with the above technologies, and automate many processes so that updates can be more frequent without sacrificing security. 

These activities, if done at sufficient scale, could dramatically lower the risks of future disruptive events like we have seen. As a portfolio of different investments and activities they are mutually reinforcing, and none of them in isolation is likely to have much of a positive impact. Further econometrics research could help quantify the specific reduction of risk from each activity. But I believe that each represents a very cost-effective target for enhancing security in OSS no matter who is writing the check. 

Thank you again for the opportunity to share these thoughts with you. I look forward to answering any questions you may have or providing you with further information. 

Sincerely,

Brian Behlendorf
General Manager, Open Source Security Foundation
The Linux Foundation

in memory of shubhra kar

This past week, we lost our dear friend, colleague, and a true champion of the open source community. Our CTO, Shubhra Kar, passed away suddenly while he was with his entire LF family at our first in-person, all-hands gathering since before the pandemic. 

Those who had the honor to work with him will know, he was a special leader and a wonderful human being.  Above all, Shubhra was the kind of leader who quickly passed the credit for accomplishments to his team over himself. His humble spirit and ever-present smile was admired by all around him. He was so proud of the world class team he had built here, and did that in part with engineers who followed him from one organization to another throughout his career.

We also knew Shubhra as a selfless leader – one who was more interested in the work than the reward. At the same time, he was incredibly ambitious – wanting to build a platform that would not only transform The Linux Foundation but support open source development communities around the world.  This was the week his team unveiled significant new enhancements across the LFX platform. It was a project he led from vision to reality, after many – even members of his own team – had told him the path to success was impossible. He was a transformational leader that has left his legacy here.

While he was passionate about his work and his team, he loved his family even more. In fact, his children were often spotted behind him during video calls throughout the day. He was a fantastic husband and father, and we are so grateful for his wife, son, and daughter sharing him with us. 

Sharing Memories

Our thoughts and prayers remain with Shubhra’s family in this incredibly difficult time. If you would like to leave a memorial message for Shubhra, please submit a pull request on GitHub here. His family would love to hear from you and especially appreciates stories that are shared of his life and career.

Memorial Fund

The Linux Foundation has made arrangements with the family to establish Shubhra’s memorial fund that will provide support for his family and his children’s education.  Donations can be made to the family here.


shubhra kar and his wife and two kids

call for code 2022


I am always amazed at the impact we all have coming together, using our collective talents for good. Combining our collective brain power, skills, time, and resources produces stellar results – maybe it is better rendering management for films that entertain with mind-bending CGIs or improving automated software testing and deployment so developers can spend more time on innovation. Human ingenuity is amazing! 

Imagine our impact when we come together for good. When we see communities who need a collective leg up in life, or when we see injustice and foresee ways to balance the scale, or when we see the devastation in the wake of natural disasters and know there is a better way. We want to make the lives of everyone better – it might seem daunting, but innovation is bred from not knowing what you can’t do. 

Facilitating this drive to help is what the Call for Code® project is about. It is, “creating and deploying open source technologies to tackle some of the world’s greatest challenges.” It is about thinking beyond yourself – using your talents to help others. 

Call for Code was created by David Clark Cause with Founding Partner IBM and in partnership with United Nations Human Rights and The Linux Foundation. The goal is to inspire “developers to create practical, effective, and high-quality applications that can have an immediate and lasting impact on humanitarian issues as sustainable open source projects.” The Linux Foundation helps take the raw innovation and put in place the right tools to enable an impact across the world: instill best practices, engage external partners, provide feedback, and test them in the real world.

Call for Code 2022

The Call for Code 2022 is now open for registration. The focus this year is on sustainability. Do you have an idea to improve sustainable production, consumption, and management of resources, reduce pollution creation, and protect biodiversity? Keep reading. You don’t have a world-changing idea. Keep reading – you just might light a spark of ingenuity. 

For this year, specifically, your solution should address: carbon emissions; clean energy; supply chain transparency and traceability; water scarcity and quality; reducing waste footprints; biodiversity; food insecurity; and education access and job opportunities to further environmental justice. And, no, this isn’t just for software developers. Each well-rounded team needs builders, designers, communicators, and humanitarians.  

There is a total of $285,000 in prizes, all winners will receive open source support from The Linux Foundation, and all participants will receive a variety of support, such as IBM Cloud services, accelerators, expert webinars, mentors, and more.

Registration opened April 26, 2022 and final submissions are due October 31, 2022. Visit callforcode.org for detailed information and requirements and to register. 

Call for Code 2021 Winners

Do you still need some inspiration? Take a few minutes to read about the 2021 winners. Half of the projects focus on racial justice – and those are the ones I want to take a moment to highlight. If you see one that inspires you, click through to learn more and for ways you can contribute: 

Fair Change allows people to easily record public safety incidents in a safe and secure way with a goal of more transparency, reeducation, and reform. 

TakeTwo utilizes machine learning to highlight potentially racially insensitive language on websites you are browsing in Chrome. 

Legit-Info provides information on policy proposals at various levels of government. It communicates the potential impact without legalese and facilities sharing opinions with policy makers. It also gives policy makers visibility into how diverse citizens will be impacted.

Open Sentencing helps public defenders understand and document any racial disparities in the judicial system.

Five Fifths Voter helps remove impediments to voting by providing information on voter registration, voter ID laws, restrictions, purging, gerrymandering, and tools that make it easier to vote, such as childcare at the voting stations.

Incident Accuracy Reporting System enables victims and witnesses to contribute to incident reports to help give law enforcement and the public a 360-degree view of events that took place at any incident. It utilizes Hyperledger blockchain to ensure transparency, trust, and that information can’t be altered. 

Truth Loop is a mobile-friendly tool to see pending legislation, learn about it, record your own story related to the legislation and its impact, and share that with policy makers.

Call for Code also has seven other projects related to natural disasters and stemming the impact of climate change, including monitoring the real-time air health for wildland firefighters, democratizing earthquake monitoring, inspecting buildings, facilitating drone canvassing and delivery of supplies following a natural disaster, and helping farmers optimize water use. Finally – they have a project, Rend-o-Matic, that enables musicians to remotely record their individual track in a composition and stitches them all together into the final, virtual performance. 

Join a Call for Code Project

Let’s show the world the impossible is possible.

Call for Code is making a difference! Are you experiencing some FOMO? Want to join in? Good news – fear no more. You can! And you don’t even have to be a technical person. Besides the need for a wide range of technical specialists, the projects can also utilize individuals for documentation, testing, design, UI/UX, legal, subject matter experts, advocacy, and community building. Just head over to our Call for Code page and help work on these projects. 

Do you have another idea around sustainability?  Register for the Call for Code 2022 now and pull together your team.  

Let’s show the world the impossible is possible.

Demi Ajayi and Daniel Krook joined forces at a keynote session for the 2021 All Day DevOps conference to talk about the Call for Code, the 14 current projects, and how individuals can become involved with them. 

RIT campus view

This post originally appeared on Linux.com. The author, Stephen Jacobs, is the director of Open@RIT and serves on the Steering Committee of the TODO Group and served as a pre-board organizer of the O3DE Foundation. Open@RIT is an associate member of the Linux Foundation. 

What Is An Academic OSPO?

The academic space has begun to see activity around the idea of Open Source Program Offices at colleges and universities.  Like their industry counterparts, these offices lead or advise administrative efforts around policy, licensing compliance, and staff education.  But they can also be charged with efforts around student education, research policies and practices, and the faculty tenure and promotion process tied to research.

Johns Hopkins University (JHU) soft-launched their OSPO 2019, led by Sayeed Choudhury, Associate Dean for Research Data Management and Hodson Director of the Digital Research and Curation Center at the Sheridan Libraries in collaboration with Jacob Green with MOSS Labs. Other universities and academic institutions took notice.

Case Study: Open@RIT

I met Green at RIT’s booth at OSCON in the summer of 2019 and learned about JHU’s soft launch of their OSPO.  Our booth showcased RIT’s work with students in Free and Open Source humanitarian work. We began with a 2009 Honors seminar course in creating educational games for the One Laptop per Child program. That seminar was formalized into a regular course, Humanitarian Free and Open Source Software. (The syllabus for the course’s most recent offering can be found at this link)

By the end of 2010, we had a complete “Course-to-Co-Op lifecycle.” Students could get engaged in FOSS through an ecosystem that included FOSS events like hackathons and guest speaker visits, support for student projects, formal classes, or a co-op experience. In 2012, after I met with Chris Fabian, co-founder of UNICEF’s Office of Innovation, RIT sent FOSS students on Co-Op to Kosovo for UNICEF. We later formally branded the Co-Op program as LibreCorps. LibreCorps has worked with several FOSS projects since, including more work with UNICEF. In 2014 RIT announced what Cory Doctorow called a “Wee Degree in Free,” the first academic minor in Free and Open Source Software and Free Culture. 

All of these efforts provided an excellent base for an RIT Open Programs Office. (more on that missing “s” word in a moment) With the support of Dr. Ryne Raffaelle, RIT’s VP of Research, I wrote a “white paper” on how such an office might benefit RIT. RIT’s Provost, Dr. Ellen Granberg, suggested a university-wide meeting to gauge interest in the concept, and 50 people from 37 units across campus RSVP’d to the meeting. A subset of that group worked together (online, amid the early days of the pandemic) to develop a “wish list” document of what they’d like to see Open@RIT provide in terms of services and support. That effort informed the creation of the charter for Open@RIT approved by the Provost in the summer of 2020.

An Open Programs Office

Open@RIT is dedicated to fostering an “Open Across The University” as a collaborative engine for Faculty, Staff, and Students. Its goals are to discover and grow the footprint, of RIT’s impact on all things Open including, but not limited to, Open Source Software, Open Data, Open Science, Open Hardware, Open Educational Resources, and Creative Commons licensed efforts; what Open@RIT refers to in aggregate as “Open Work.” To highlight the wide constituency being served the choice was made to call it an Open Programs Office to avoid being misread as an effort focusing exclusively on software. The IEEE (which Open@RIT partners with), in their SA Open effort , made the same choice.

In academia, there’s growing momentum around Open Science efforts. Open Science (a term that gets used interchangeably with “Open Research” and “Open Scholarship”) refers to a process that keeps all aspects of scientific research, for the formation of a research plan onward, in the Open. This Scientific American Op-Ed (that mentions Open@RIT) points to the need for academia to become more Open. Open Educational Resources (I.E., making course content, texts, etc., Free and Open) is another academic effort that sees broad support and somewhat lesser adoption (for now).

While the academic community favors Open Science and Open Educational Resource practices, it’s been slow to adopt them. This recently released guide from the National Academies of Science, Engineering, and Mathematics, a bellwether organization, adds pressure to academia to make those changes.

What’s Open@RIT Done Since The Founding?

Drafting Policies and Best Practices Documents

Policy creation in academia is and should be slow and thoughtful.  Open@RIT’s draft policy on Open Work touches every part of the research done at the university.  It’s especially involved as it needs to cover three different classes of constituents.  Students own their IP at RIT (a rarity in academia) except when the university pays them for the work that they do (research assistance ships, work-study jobs, etc.), Staff (the University owns their IP in most cases), and Faculty. The last are a special case in that researchers and scientists are expected to publish their work but may need to work with the university to determine commercialization potential.  It also needs to address Software, hardware, data, etc.

Our current draft is making the rounds to the different constituencies and committees, and that process will be completed at some point in academic year 21-22.  In the meantime, parts of it will be published as Open@RIT’s best practices in our playbook, targeted for release before the end of Fall semester. Our recommendations for citing and supporting Open Work in Tenure and Promotion will also be part of the playbook and its creation is supported by the Alfred P. Sloan Foundation grant and by the LFX Mentorship program.

Faculty and Staff Professional Development

In October of 2020, The Alfred P. Sloan Foundation funded a proposal by Open@RIT funding some general efforts of the unit and, in particular, a LibreCorps team to support what we’re now calling the Open@RIT Fellows Program. We’re charged with supporting 30 faculty projects over two years and already have twenty-one that have registered, with about one-third of those project support requests completed or in progress. In many ways, the Open@RIT Fellows program could be considered an “Inner Source” effort.

This Zotero curated collection of articles, journal papers, book chapters, and videos on various aspects of Open Work and Open scholarship is the first step in our professional development efforts. It includes links to drafts of our recommendations around releasing Open Work and on building your evaluation, tenure and promotion cases with Open Work. We hope to offer professional development-related workshops in late fall or early spring of the coming AY.

Student Education

Open@RIT is wrapping up our “Open Across the Curriculum” efforts.  While we’ve had several courses and a minor in place, they mostly were for juniors and seniors.  Those classes were modified to begin accepting sophomores, and some new pieces are being brought into play.

At RIT, students are required to take an “Immersion,” a collection of three courses, primarily from liberal arts, designed to broaden students’ education and experiences outside of their majors. The Free Culture and Free and Open Source Computing Immersion does just that and opens to students this fall.

Within the month, Open@RIT will distribute a set of lecture materials to all departments for opt-in use in their freshman seminars that discuss what it means for students to own their IP in general and, specifically, what Opening that IP can mean in science, technology, and the arts.

Once the last pieces fall into place, students will be able to learn about Open as Freshmen, take one or both of our foundational FOSS courses Humanitarian Free and Open Source Software and Free and Open Source Culture as Sophomores and then go on to the Immersion (three courses) or the Minor (five courses) should they so choose.

Advisory Board and Industry Service

Open@RIT meets three times/year with our advisory board, consisting of our alums and several Open Source Office members from Industry and related NGOs.

Open@RIT is active in FOSS efforts and organizations that include IEEE SA Open, Sustain Open Source’s Academic and Specialized Projects Working Group and CHAOSS Community’s Value working group.

Next Steps

By the end of 2022, Open@RIT will complete all of the points in its charter, hold a campus conference to highlight Open Work being done across the university, and complete a sustainability plan to ensure its future.

Microsoft joins over 25 organizations committed to democratizing 3D software development for games and simulations

SAN FRANCISCO – April 29, 2022 – The Open 3D Foundation (O3DF) is proud to welcome Microsoft as a Premier member alongside Adobe, AWS, Huawei, Intel, and Niantic. Microsoft’s participation in the project brings a wealth of knowledge and thought leadership that continues to reinforce how important the industry believes in working to make a high-fidelity and fully-featured open-source 3D engine available to every industry unencumbered by commercial terms. 

Microsoft Principal Group Program Manager Paul Oliver will join the Governing Board of O3DF, supporting the Foundation’s commitment to ensure balanced collaboration and feedback that meets the needs of the Open 3D community. The Governing Board cultivates innovative relationships among stakeholders to drive the Foundation’s strategic direction and its stewardship of 3D visualization and simulation projects. 

“Microsoft’s roots in creativity run deep, and we want to help creators wherever they are, whoever they are, and whatever platform they’re creating for. Having the Linux Foundation create the Open 3D Foundation is a fantastic step towards helping more creators everywhere and we are excited to be a part of it.”

This move builds on Microsoft’s continued commitment to democratizing game development and making its tools and technologies available to game creators worldwide. Last year, the company made its Game Development Kit available to all developers through GitHub. With its new engagement with O3DF, Microsoft is extending a commitment to opening up technology to everyone.

“We are elated to have Microsoft join the Open 3D Foundation as a Premier member,” said Royal O’Brien, Executive Director of O3DF and General Manager of Games and Digital Media at the Linux Foundation. “Having incredible industry veterans like Microsoft contributing and helping drive innovation with the community for 3D engines is a huge benefit to the open-source community and the companies that use it alike.”

A Growing Community

Microsoft is one of 25 member companies since the public announcement of the Open 3D Foundation in July 2021. In November 2021, Open 3D Engine (O3DE) announced its first major release. The 21.11 Release allows simulation developers to create 3D content with the new O3DE Linux editor and engine runtime. This release also added a new Debian package and Windows installer that provides a faster route to getting started with the engine. The O3DE community is very active, averaging up to 2 million line changes and 350-450 commits monthly from 60-100 authors across 41 repos.

Where to See the Open 3D Engine Next

On June 20, the Open 3D Foundation will host Open 3D Connect, a half-day interactive meet-up, co-located with the Linux Foundation’s Open Source Summit North America in Austin, Texas. Learn more here.

Additionally, on October 18-19, the Open 3D Foundation will host its flagship conference, bringing together technology leaders, indie and independent 3D developers, and the academic community to share ideas, discuss hot topics and foster the future of 3D development across a variety of industries and disciplines. For those interested in sponsoring this event, please contact pr@o3d.foundation

Anyone interested in the Open 3D Engine is invited to get involved and connect with the community on Discord.com/invite/o3de and GitHub.com/o3de

About the Open 3D Engine (O3DE) project

The Open 3D Engine (O3DE) is the flagship project managed by the Open 3D Foundation (O3DF). The open-source project is a modular, cross-platform 3D engine built to power anything from AAA games to cinema-quality 3D worlds to high-fidelity simulations. The code is hosted on GitHub under the Apache 2.0 license. To learn more, please visit o3de.org.

About the Open 3D Foundation

Established in July 2021, the mission of the Open 3D Foundation (O3DF) is to make an open-source, fully-featured, high-fidelity, real-time 3D engine for building games and simulations, available to every industry. The Open 3D Foundation is home to the O3DE project. To learn more, please visit o3d.foundation.

About the Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

Media Inquiries:

pr@o3d.foundation