Hey everyone, back here in Austin at Open Source Summit, Linux Foundation, Austin. We have had an amazing day. We spent a lot of time talking about security, though, and open source supply chain security. We're gonna talk a little bit more about open source; it is the Open Source Summit. I want to introduce you to Mr. Jeff Borek. Jeff has been, well, I don't want to say how long you've been with IBM, but Jeff's been with IBM a long time, and the last 10 years or so really focused in on IBM and open source software specifically. And, you know, Jeff will tell you this, but I don't want to embarrass him: historically, IBM has been one of the biggest supporters of open source software in the world, right, going back to the early days of Linux to many, many other open source projects, the Eclipse Foundation.

Yeah, great example. Yeah, no, thanks. When I talk about it, I like to say I stand on the shoulders of giants, because back when, you know, open source was a new thing, the senior leadership team looked into it with great clarity and did some very savvy things. And, you know, the triple crown I like to kind of refer to is, you know, you mentioned Linux, you mentioned Eclipse, but IBM was also fundamental in helping to establish the Apache Foundation.

Yes, wrote some of the bylaws.

Absolutely. And so back then IBM also had a clear understanding that, you know, this was something that IBM needed to be thoughtful about, not just walk in and say, hey, we're from IBM and, you know, we're here to help.

Yeah.

Or we know what's what, right, do it our way. You know, we tried to go in thoughtfully, both to look at how to contribute and establish this new ecosystem, as well as to consume from it in a thoughtful way.

Yep. And I'm glad you said it that way, because it's a two-way street, and people don't understand that. I think today more people understand it, but back in the day people didn't understand the two-way street of open source software and of community, right.

Right.

For too many people it was like it has to be a win-lose situation, what's in it for me, right? But there's almost a little bit of pay-it-forward when it comes to open source and community: what you do right, it kind of does right by you, and it is that two-way street.

Well, it's one of the ways that open source has survived as long as it has, right, because the other thing that I think is interesting is that it all started out with individuals. You know, IBM wasn't there at the very beginning, but you had a variety of people that were passionate about it for, you know, either possibly a political reason, or possibly just an independence reason, or some... it's almost like, for some of us, almost like a quasi, you know, religious...

Yeah.

But then, you know, the second wave was when traditional IT vendors, and it wasn't just IBM, there were others, got involved early on and started to experiment and see what this could, you know, deliver. And the third wave started about, you know, a little over a decade ago now, but it was, you know, it led to what I call the wave of the hyperscalers, right. Some people like to say FANG, but, you know, the Facebook, Apple, Amazon, all of them, all of the players that built...

You know, Jeff, this is how I explain it, and you make a great distinction, in my mind. That first phase you spoke about, I call the Cathedral and the Bazaar phase, if you remember the book, right.

Absolutely, very much.

You know, free as in freedom. There were some folks who were into open source because it was free as in freedom; there were other folks who were into it because it was free as in beer, right. And it was that, you know, Dr. Richard Stallman and that whole thing. The next phase that you described is when commercial software got into it. I call that the big brother phase, where all of a sudden these, you know, commercial technology software companies said, wait a second, this is great, we can get other people to contribute to the software we use, that we control, that we ultimately own, but we're gonna call it open source, right, and we're gonna do some good in the community, but at the end of the day we're gonna steer this thing for our own benefit, and if it helps other people, great, but really we're gonna help ourselves. Yeah, I think that's that big brother...

Well, I wouldn't argue with that, other than to say that different players at scale came at it from different ways, right, and some were more focused on what was in it for them.

Yeah, that's what I'm trying to say: some were a little bit more selfish, right.

At the end of the day, companies are kind of like people, and everyone, I like to say, acts in their own self-interest at some point. And some people are very altruistic because that's in their own self-interest, but some people also realize that sometimes, doing the right thing, the wheel of karma pays you back in spades.

Absolutely. And I like to think of the foundation phase, though, right.

Right. Well, and the foundation phase was always kind of, as big companies got involved, the foundations acted as a counterbalance to maintain a level playing field.

Absolutely. Well, I was a... guys are more fans, so I like the foundations. But, yeah, what it did, it developed this concept of coopetition, right, where if we all play together nicely, that rising tide lifts all boats. We start at a really good level, and then what you do with it at IBM versus HP is up to you guys.

Well, another great example of that, and this level playing field concept, is the whole Kubernetes...

Yeah.

People, you know, I'm sure Kubernetes came from a lot of origin stories, right, but one of the ones that I think resonates is the fact that back in 2014 I was at a conference like this, and all the buzz was about Docker and containers.

And in Austin. I was too.

And Docker, to their credit, they did a pivot. They were working on creating a PaaS, and they were starting to flame out money-wise, and they looked at it: well, we've got to pivot, what can we do? Well, we created this innovation around using containers, and we're going to contribute that out, and then we're going to rebrand ourselves as Docker. And they became the darling of the industry for a period of time, and I was the second chair of the Docker governance advisory board, trying to help them do the right thing. But they made, I guess, a calculated step that had pluses and minuses. You have the open source project and then you have the company that's looking to create products, and they conflated that by branding their project Docker and their company Docker, and that was just one of a number of things that...

There was that, yes. I mean, there's probably a Harvard Business Review case on where Docker, you know, went off. But to bring it back to Kubernetes and that level playing field concept: so the industry was looking for, okay, you know, that's great, Docker, this is innovative and it solves a lot of problems, great, but the bigger problem is how do you do orchestration at scale? But they tried to orchestrate. And I'm telling you something: if you and I were in Vegas sitting at the sports book, and you said, okay, here are all of the container orchestration formats, you know, five to two is Docker, because they had their own orchestration, I forget, Swarm.

Swarm.

Five to two. Rancher Labs had one. There was a long shot, Mesos, Mesos, D2iQ or whatever the heck it was. I mean, there was a whole bunch.

Yeah, Kubernetes was not the favorite.

No, it's hard as hell.

Yes. So, yes. But, yeah, part of the way I explain its origin story is that it's 2015 now, and you're a CIO, and I'm here talking to you, you know, from IBM, and I'm saying, hey, you know, IBM, you love us, and, you know, we have a concept of cloud back in that time that was largely focused on private cloud.

Yep.

And on the other side of the spectrum there was AWS starting to emerge, and they were all about public, and they wouldn't even... they threw shade on anything that wasn't them as, oh, that's just the traditional vendor cloud-washing. But Google would go into that same environment and say, hey, we have GCP, we think it's a better mousetrap. You know, Google, our propellers spin faster than anybody else's, and we based our container orchestration on Borg.

That's what they refer to it as, right.

Right. So we saw you're using AWS, would you like to try GCP? And the answer back was, well, you know, the IBM guy was in here just recently and I told him I'd never use AWS, because it's this murky, highly, you know, not quite sure... but it came through the side door, and now I'm using it, and now I have concerns about it, because it's like I got my applications in and I don't know how I'm gonna get them out.

Yep.

So even though, you know, your GCP story sounds interesting, and I'm sure you're smart guys, I'll take a pass for now. And they heard that time and again, and they started to realize, gosh, we need a more open, friendly on-ramp to our Borg technology. Hey, you handful of smart Googlers, come up with an enterprise version of this highly complex infrastructure that we can put out there in open source. And they did, and they came back a year later to that same CIO and said, hey, you know, we heard what you said, look, we've got this new open source project on AWS, so, you know, let's talk turkey. And they got some takers, but the smart CIO looked them in the eye and said, you know, you're right, it looks interesting, looks hot, you know, decent quality, maybe a little complex, and it is open source, but I'll pass. Why? It's a community of one. And what is that, what do you mean? If I do the dance with you and something doesn't go right, you're the only people that really understand it, and it's basically a sole-source type of thing. They heard that enough, and at that same time some smart folks from IBM and some others from Red Hat started knocking on Google's door and saying, hey, we see you put this out there, we'd like to contribute and collaborate, but we're not comfortable doing it until it comes under the control of an independent foundation, so that it's a level playing field and a rising tide can lift all boats.

There you heard it, the history of Kubernetes, right, and how the Linux Foundation came... I'm sure there are other versions.

No, no.

I'll tell you the truth, I've interviewed Tim Hockin from Google, I don't know if you know Tim, he was on the original Google Kube team, and similar, similar kind of stuff. But really, that is why the foundation model for open source, I think it has seen us... open source rules, right. There are plenty of people today who gave us this: 90% of all software has open source in it today, right. It wouldn't be, if not for foundations. Let's talk a little bit, though, about... you're here... impressions. You know, we were lucky enough to speak with Jamie, I say, he was also from IBM, and she is the chair of OSSF. But you had a kind of a, and I don't mean to embarrass you again, I'm sorry if we're going out of school...

No.

But you had a pivotal role in IBM's participation in this.

Well, the, yeah, basically, being responsible for IBM's open source clearance process, I started losing sleep four or five years ago because I saw this, you know, exponential growth in open source, and again, we touched on it, open source isn't inherently more or less secure, but because of the sheer volume it created a large attack surface, and I felt that it was time that we really needed to start, like, addressing this. And as we mentioned, it's a problem that is, you know, pretty intimidating, frankly, because it didn't happen overnight, and it's a huge systemic challenge now in the industry. And so you come to conferences like this two or three years ago and you start sharing concerns, and that type of discussion between, you know, IBM and Microsoft and other players in the industry led to this issue of helping to kind of create the OpenSSF, what I kind of call 1.0, because it was right as the pandemic was hitting. And so, hey, great idea, and there's clearly a need, but do it remote.

Yeah.

And no one has a checkbook that they're willing to open at that time, because we don't know what's gonna happen.

Yeah, I remember.

So there was about 18-plus months of, you know, good intent, and what I sometimes call the good college try.

Yeah.

But it was clear that the problem wasn't going away. Well, as the fall timeframe was coming around again, it was time to basically step up and try and do this right. So the business unit that I currently work in committed the funds, IBM's joined as a top member, a number of big players have joined, and it's going to be... millions of dollars' worth of big players have jumped in.

Yeah. And certainly it didn't hurt that the White House issued that...

No, that didn't hurt either. The cybersecurity executive order that went out a little over a year ago now kind of rang the bell with respect to SBOMs and software supply chain security.

You know, I've been in security about 25 years. One of the lessons I learned really early on was nothing gets religion to your customers like a good old-fashioned security breach or incident, right. And look, I'm not blaming anyone, but the SolarWinds thing certainly, and then some of the subsequent ones, leading all the way up here to Log4j, right.

Well, it was not that long ago, but I guess it was long ago. 2014's an eternity in the tech cycle, right, and that was when Heartbleed hit.

Yes.

Boy, the industry dodged the bullet, because a white hat found it, and they quietly got a subset of the core, and, right, they came up with a patch, they got it out there, and, you know, thank goodness, the industry largely dodged a bullet and Linux did not get the black eye it could have had.

Absolutely.

Go forward three years and it was 2017, and the Apache community had their own scare with respect to Apache Struts. Yet, to their credit, they found their problem, they got the patch... just not everyone put it out there.

So they put it out, I mean, not everyone applied it so quickly.

Exactly. And unfortunately, nine months, nine months after the patch was available...

I'll go one better: six months after Equifax, people are still downloading the old version.

Yeah. Look, I've been in security a long time. Here's what... we're running out of time, but let me end it on a good note. I think today we are better positioned, better situated, better financed, better organized...

Yes.

...to deal with this issue than we ever have been in the past, by a factor of 10 or 100 or more, right.

Yeah. I think we're on to something, and I think this model, right, so today it's software supply chain security, two years from now it might be another thing we're looking at, but this model works.

Yep.

Right, because the security problems we need to tackle are too big for any company, whether it's IBM or Google or Microsoft or any of them. We need this consortium type of...

Yeah, it's definitely... fixing software supply chain security is going to be a team sport.

Yeah. And there's one last thought I'd like to leave your viewers with, and that is, you know, we touched on it briefly, but SBOMs, software bills of materials, they're on the way, they're gonna become a requirement. But a lot of what customers are hearing is that they need to publish one. But long before they need to put one out, what you really need to do is start learning, get your hands dirty, and then use that learning to address those issues you need to remediate, before you start, you know, handing them around like trading cards.

I agree with that 100%. We've got to pull the plug on this one, we have people waiting, but just thank you so much, man, I appreciate it, great conversation. Hey, and many thanks to IBM and all you guys are doing with this. We're going to take a quick break; we've got our friends from JFrog next.