The Open Source Ethos: From Freewheeling to Software Bills of Materials

Today’s tech workers hunker down with noise-cancelling headphones and dodge notifications to get work done. But imagine trying to code with frequent Grateful Dead concerts just down the road. James Gosling, “father” of the Java* programming language, says that his co-workers at Sun Microsystems* didn’t mind – they were likely to join in the fun.

Times have certainly changed. But what Gosling, now a Distinguished Engineer at AWS*, calls the “flower child culture” still influences open source today.

That’s just one takeaway from the 27-minute conversation in which Arun Gupta, VP and GM of the Open Ecosystem at Intel, interviews Gosling and Intel CTO Greg Lavender. For a taste, check out this two-minute clip where the panel talks about the importance of the open ecosystem.

The conversation centers on the relevance of open source culture, with Gosling discussing the importance of openness in the original Java platform and its relevance to today's computing environment. The trio also discusses the importance of open ecosystems, which can include open source, open APIs, open hardware, open standards, and open collaboration.

The Open Road

If the ethos for Java was “write once, run anywhere” (WORA), Gosling says the notion of staying open was there from the very beginning. Even the first release in the mid-90s came with a src.zip file containing the source files for all the classes that make up the Java core API.

That enabled a key feature of open development: a “conversation between us, the developers and the people using it. Some of it was straightforward stuff like, ‘Oh, I found a bug’...to the scary ones, which were, ‘Oh, there's this security issue here,’” Gosling says.

Gupta notes that WORA has been adopted by recent projects like Docker* and Kubernetes*, but will it hold in modern computing workloads, such as open accelerated computing and artificial intelligence?

“If you're in PyTorch,* you're not thinking too much about how the actual code is executing on the CPU and the systolic array,” Lavender answers. “You don't need to worry about that. Even in this abstraction layer happening in AI frameworks in ecosystems, much of it open source, you still want to maintain the ability to have it just run everywhere on different devices.”

The Dark Side of Open Source

Lavender says open source today is like “reuse on steroids,” because it's not just reusing class libraries and source code definitions but entire ecosystems.

Much like how we now consider smoking in hospitals verboten and seat belts in cars mandatory, the freewheeling spirit of a bygone era requires some guardrails.

“At the same time, we have a security risk now with concerns about the provenance of code check-ins in open source technologies: Do we have some backdoor or some malware that's been inserted in there?” Lavender asks. “That's the dark side of open source; we've got to be vigilant about ensuring that it's working,” he adds, citing recent incidents such as Heartbleed, a security bug in the OpenSSL* cryptography library, and Log4j, a software vulnerability in Apache* Log4j 2, a popular Java library.

From left to right: Greg Lavender, James Gosling and Arun Gupta.

Secure Open Source, Today

With open source everywhere – including software-as-a-service, embedded in hardware and sold with proprietary solutions – what’s the fix for today’s security issues?

The Software Bill of Materials, or SBOM. Often compared to a list of ingredients, it’s a nested inventory of the items that make up a piece of software. Intel has plans to introduce SBOMs to accompany its software offerings in 2023 and participates in working groups to define a common, standardized format called Software Package Data Exchange (SPDX).
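To make the “nested inventory” concrete, here is an added example in Python that is not from the article, from Intel or from the SPDX project: it reads a constructed SPDX 2.3 JSON document, follows the DESCRIBES and DEPENDS_ON relationships to flatten the dependency tree, and flags packages that a consumer could not pin or verify (no version, no checksum, supplier not asserted). The field names are the ones the SPDX 2.3 JSON format uses; the package names, versions, URLs and checksum values are made up for illustration.

```python
import json

# Constructed sample SBOM (not a real published document). An application
# bundles two libraries, one of which transitively depends on a third.
# Checksum values are placeholders, not real digests.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app-sbom",
    "documentNamespace": "https://example.invalid/spdx/example-app",
    "packages": [
        {"SPDXID": "SPDXRef-Package-app", "name": "example-app", "versionInfo": "1.0.0",
         "supplier": "Organization: Example Corp", "downloadLocation": "NOASSERTION",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "00" * 32}]},
        {"SPDXID": "SPDXRef-Package-json-lib", "name": "json-lib", "versionInfo": "2.4.1",
         "supplier": "Organization: Example OSS Project",
         "downloadLocation": "https://example.invalid/json-lib-2.4.1.tar.gz",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "11" * 32}]},
        {"SPDXID": "SPDXRef-Package-logger", "name": "logger", "versionInfo": "3.0.2",
         "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "checksums": []},
        {"SPDXID": "SPDXRef-Package-fmt", "name": "fmt", "downloadLocation": "NOASSERTION"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-app"},
        {"spdxElementId": "SPDXRef-Package-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-json-lib"},
        {"spdxElementId": "SPDXRef-Package-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-logger"},
        {"spdxElementId": "SPDXRef-Package-logger", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-fmt"},
    ],
})


def load_sbom(text):
    """Parse an SPDX 2.x JSON document and index its packages by SPDXID."""
    doc = json.loads(text)
    if not doc.get("spdxVersion", "").startswith("SPDX-2."):
        raise ValueError("not an SPDX 2.x document")
    doc["_by_id"] = {p["SPDXID"]: p for p in doc.get("packages", [])}
    return doc


def dependency_edges(doc):
    """Map each declared package to the packages it DEPENDS_ON (the nesting)."""
    edges = {pid: [] for pid in doc["_by_id"]}
    for rel in doc.get("relationships", []):
        if rel["relationshipType"] == "DEPENDS_ON" and rel["spdxElementId"] in edges:
            edges[rel["spdxElementId"]].append(rel["relatedSpdxElement"])
    return edges


def root_packages(doc):
    """Packages the document itself DESCRIBES: the top of the inventory."""
    return [r["relatedSpdxElement"] for r in doc.get("relationships", [])
            if r["spdxElementId"] == doc["SPDXID"] and r["relationshipType"] == "DESCRIBES"]


def flatten_inventory(doc):
    """Depth-first walk from the described packages; returns (depth, name, version)."""
    edges = dependency_edges(doc)
    out, seen = [], set()

    def visit(pid, depth):
        if pid in seen:            # each package listed once, also guards against cycles
            return
        seen.add(pid)
        pkg = doc["_by_id"].get(pid)
        if pkg is None:            # relationship points at a package never declared
            out.append((depth, pid, "<undeclared>"))
            return
        out.append((depth, pkg["name"], pkg.get("versionInfo", "<none>")))
        for child in edges.get(pid, []):
            visit(child, depth + 1)

    for root in root_packages(doc):
        visit(root, 0)
    return out


def review_packages(doc):
    """Flag packages a consumer cannot pin or verify: no version, no checksum,
    or a supplier that is not asserted. Returns {package name: [issues]}."""
    findings = {}
    for pkg in doc["_by_id"].values():
        issues = []
        if "versionInfo" not in pkg:
            issues.append("no version")
        if not pkg.get("checksums"):
            issues.append("no checksum")
        if pkg.get("supplier", "NOASSERTION") == "NOASSERTION":
            issues.append("supplier not asserted")
        if issues:
            findings[pkg["name"]] = issues
    return findings


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM)
    for depth, name, version in flatten_inventory(sbom):
        print("  " * depth + f"{name} {version}")
    for name, issues in review_packages(sbom).items():
        print(f"{name}: {', '.join(issues)}")
```

The review step is where an SBOM earns its keep: a package with no version or checksum cannot be matched against an advisory or a known-good artifact, and an unasserted supplier is exactly the provenance question Lavender raises above.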

“We all have a role to play and as individual contributors to open source, we have a professional responsibility to make sure we're writing high quality code,” Lavender says. “I’d argue we have to write efficient code because the big challenge of sustainability in today's modern cloud environment is inefficiencies of the code, wasting CPU cycles or being poorly written with regard to the way it copies memory or interacts with the operating system.”

Free as in…

As for the evolution of open source in organizational terms, the panel agreed on the pros of having a well-thought-out governance model, such as the one used by the Apache Foundation*, that includes reliability, security, and safety. However, becoming an Apache committer is not trivial and requires signing license agreements. Open collaborative cultures are generally more successful; it’s important to have governance for critically used areas to ensure quality control and credibility.

“Open source is free as in puppy, not as in beer,” Gupta says. “Somebody's got to take care of it. Make sure that it continues to work.”

Gosling, sporting a “Lord of the Rings” meme t-shirt, says: “It's the usual delicate balance that is freedom. You, as a person, want the freedom to do whatever you want yet you also want the freedom to not be impacted by irresponsible acts from other people.”

They also talked about why your GitHub* contributions count as a resume, the perils of generative AI, and computational challenges; catch the whole video here.