Open Source Insider


January 14, 2020  12:24 PM

The open source licence debate: what we need to know

Adrian Bridgwater

As we have already noted on Computer Weekly Open Source Insider, open source grew, it proliferated… and it became something that many previously proprietary-only software vendors embraced as a key means of development.

But the issue of how open source software is licensed is still the stuff of some debate.

Open Source Insider has already looked at the issues relating to dead projects (that are still walking and running) and the need for workable incentivisation models. 

GitHub chief operating officer (COO) Erica Brescia has noted that, from her perspective, she is seeing an “increasing tension” between open source projects and those that are building services on top of open source, such as cloud vendors with their database services.

Brescia notes that licences applied to open source projects a decade ago did not consider the possibility of a cloud vendor delivering a SaaS layer using the project without contributing back to it, which is leaving some open source companies in a difficult position.

Computer Weekly’s Cliff Saran asked, “With friends like AWS, who needs an open source business?” — and noted that a New York Times article suggested that Amazon Web Services (AWS) was strip-mining open source projects by providing managed services based on open source code, without contributing back to the community.

Security sources

We have also looked at the security aspects of open source licensing.

Rado Nikolov, executive VP at software intelligence company Cast, argues that the open source licensing debate also has a security element to it.

“Large organisations using open source code from GitHub, xs:code and other sources range from Walmart to NASA, collectively holding billions of pieces of sensitive data. Although open source code packages can be obtained at low or no cost, their various intellectual property and usage stipulations may lead to expensive legal implications if misunderstood or ignored,” said Nikolov.

Ilkka Turunen, global director of solutions architecture at DevSecOps automation company Sonatype, further reminded us that there are 1001 ways of commercialising open source software — but when releasing open source, the developer has a choice of publishing it under a licence that is essentially a contract between them and the end user.

A multiplicity of complexities

So there’s security; there’s fair and just contribution back to the community; there’s commercial layering on top of open code; there’s the complexity of the sheer number of open source licences out there to choose from; and there are even concerns over whether trade sanctions can affect open source projects and see them bifurcated along national borders.

Open source is supposed to be built around systems of meritocracy and to work for the benefit of all. We must work hard to ensure that we can shoulder the nuances of licensing and keep open source software as good as it should be… let the debate continue.

 

January 9, 2020  9:25 AM

The open source licence debate: comprehension consternations & stipulation frustrations

Adrian Bridgwater

As we have noted here, open source grew, it proliferated… and it became something that many previously proprietary-only software vendors embraced as a key means of development — but the issue of how open source software is licensed is still the stuff of some debate.

Rado Nikolov, executive VP at software intelligence company Cast, argues that the open source licensing debate also has a security element to it.

“Large organisations using open source code from GitHub, xs:code and other sources range from Walmart to NASA, collectively holding billions of pieces of sensitive data. Although open source code packages can be obtained at low or no cost, their various intellectual property and usage stipulations may lead to expensive legal implications if misunderstood or ignored,” said Nikolov.

Stipulation situation

Nikolov argues that the crux of the matter is that, whatever licensing agreement open source software is brought in under, the most ‘important stipulations’ are often lost over time.

“The case of Artifex v Hancom shows the risk of being held liable for improper use of source code, even when it’s open source. Company executives need to ensure they are covered for the code they use, wherever they get it from. Ignorance of the law is no defence. Regularly using software intelligence for automating the analysis of open source usage is one way to significantly reduce such risk exposures,” said Nikolov.

Ilkka Turunen is global director of solutions architecture at DevSecOps automation company Sonatype.

Turunen reminds us that, generally speaking, there are 1001 ways of commercialising open source software — but when releasing open source, the developer has a choice of publishing it under a licence that is essentially a contract between them and the end user.

“These licences vary from fairly restrictive (i.e. you must attribute where the open source came from and publish source code) to fairly liberal (buy the author a beer if you like the software). It’s important to understand that all open source is licensed under some terms at all times,” said Turunen.

He notes that there are then several ways of adding commercial components on top of that — and indeed many commercial companies leverage fairly liberal licence types so that they can add their own commercial code on top and spin out commercial offerings.

Comprehension consternations

“Fundamentally, it boils down to open source software licencing being generally hard to [comprehend and] understand. Most devs start these projects as a passion project and just publish it with some basic license they might live to regret later when they consider their options. Fundamentally, this is another avenue for them to gain funding, but would imagine there are limits to the scalability of what can be achieved,” added Turunen.

 


January 8, 2020  9:41 AM

The open source licence debate: dead project walking & incentive models

Adrian Bridgwater

Open source grew, it proliferated… and it became something that many previously proprietary-only software vendors embraced as a key means of development.

If you don’t accept the options offered by the community contribution model of development, then you risk becoming a Proprietary 2.0 behemoth… or so the T-shirt slogan might go.

But the issue of how open source software is licenced is still the stuff of some debate.

Erica Brescia is chief operating officer (COO) at GitHub.

Brescia has pointed out that the industry is witnessing rising levels of tension between open source projects (and open source development shops) and the commercially motivated organisations that are building services on top of open source, such as cloud vendors with their database services.

So how do we move forward with open source?

Dead project walking

Matthew Jacobs, director of legal counsel at Synopsys Software Integrity Group, reinforces the suggestion that it is extremely important to avoid licence compliance issues and to avoid using any software, open source included, that contains vulnerability risks.

“However, many companies fail to consider the operational risks associated with the open source they are using. By this I mean the risk that a company will decide to leverage open source from a dead open source project or one that is failing to maintain a critical mass of contributors who are actively maintaining and improving that project. The viability of the project is only as good as the people behind it and those people need to support themselves,” said Jacobs.

He argues that it is important to provide avenues for developers to continue to do what they enjoy, and from which we all benefit, but in a way that allows them to earn something along the way.

New incentive models, please

Shamik Mishra is Altran’s AVP of technology and innovation.

Mishra points out that in newer software development models, nobody really tries to reinvent the wheel; teams focus instead on solving their own business problems – the ‘wheel’ comes from pre-existing open source projects.

He says that many large open source projects survive because they enjoy a degree of investment from a supporting business entity that keeps the community going by hiring experts and developers, but several brilliant projects have lost their momentum and never come to fruition due to a lack of support.

“But, the industry badly needs incentive models. GitHub Sponsors is a great example but still relies on the ‘donation’ mind-set. The other problem that organisations face is that they don’t exactly know which developer really contributed to that piece of brilliance that the organisation monetised, particularly within large projects. Collaborative models where developers can be compensated by interested organisations through smart contracts, based on the level of contribution, are perhaps the way forward,” said Mishra.

It seems clear that developers should also have the choice of providing licensed versions of open source and still retain the ability to switch licences… but this subject is far from decisively closed as of 2020.

 

 

 


January 7, 2020  11:20 AM

commercetools: how GraphQL works for front-end developers

Adrian Bridgwater

GraphQL (query language) was the brainchild of Facebook and was open sourced in 2015. 

Many of the apps and websites we use are built on GraphQL, including Twitter, AWS and GitHub.

Kelly Goetsch, chief product officer at commercetools and author of GraphQL for Modern Commerce (O’Reilly, 2020), explains why developers need to take notice of GraphQL in 2020.

Goetsch writes as follows…

GraphQL is a layer that sits on top of REST APIs, applications or data stores — and it makes the process of retrieving and extracting data across multiple APIs easy.

Say you’re a developer for a retailer tasked with rendering a page for a product. You’ve already built a catalogue of 300 REST APIs and now need your product detail page to access data including product description, price and similar item information.

It may be 10 APIs, could be 200.

You could call each API individually, one by one, but that could take a while… and calling many different APIs, each of which exists with minor or major variations, can be difficult in a microservices environment. You might not know which ones to call and which would provide the freshest data – the warehouse management system, the Enterprise Resource Planning (ERP) system, or another source?

One query to rule them all

With GraphQL, to consume REST APIs, you simply submit one query describing the information you need… and then the GraphQL layer does the legwork, making direct calls to the individual APIs.

As a result, you get back one JSON object with the exact data you requested, no less, no more. You can think of it like a SQL query where you make a request to a database, ‘select X from table 1 and join it with table 2’.
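
To make that concrete, here is a minimal sketch of the round trip from Python — the endpoint URL and field names are hypothetical, but the pattern (one POST, one query document, one JSON object back) is standard GraphQL-over-HTTP.

    import requests

    # Hypothetical endpoint and schema, for illustration only.
    query = """
    {
      product(id: "123") {
        name
        price
        relatedProducts {
          name
        }
      }
    }
    """

    response = requests.post(
        "https://api.example-retailer.com/graphql",
        json={"query": query},
    )

    # One JSON object containing exactly the fields requested.
    print(response.json()["data"]["product"])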

GraphQL solves a lot of headaches for developers. As well as rendering webpages, app screens and other experiences faster in the first instance, there is no problem of under- or over-fetching data.

Under & over-fetching data

Under-fetching data is a common issue with REST APIs and it especially affects devices with limited processing power, such as old smartphones connected to high-latency, low-bandwidth cellular networks. Making lots of HTTP requests can mean significantly increased page load times.

Data over-fetching can cause severe performance issues too. Take building your product page for a smartwatch: you’d only need the product name, image and price, but could get back a hundred fields.

GraphQL offers numerous advantages.

Since it is the GraphQL layer that calls all the APIs and not the developer, there is less code to maintain. Plus, as GraphQL makes all its requests within a datacentre where latency is almost zero and computing power is virtually endless, applications are loaded faster for the end-user.

And because GraphQL is the layer that decouples back-ends from front-ends, it is easy and quick for developers to change things, useful for IT teams under pressure to continually test and launch new improvements.

What else ya got?

What else should developers know about GraphQL?

GraphQL is not a product or implementation, it is a specification, so it makes no difference which programming language you use. You as the developer write the code that conforms to the specification. Imagine it like HTML, whereby individual browsers implement the code that renders a web page. Furthermore, GraphQL is a supplement to REST APIs – it doesn’t replace them.
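
To illustrate, a minimal sketch using the Python graphene library — one of many implementations of the specification — might look like the following; the field name and value are invented for the example.

    import graphene

    # A one-field schema; graphene exposes product_name as productName.
    class Query(graphene.ObjectType):
        product_name = graphene.String()

        def resolve_product_name(root, info):
            return "Smartwatch X"  # invented value, for illustration

    schema = graphene.Schema(query=Query)
    result = schema.execute("{ productName }")
    print(result.data)  # {'productName': 'Smartwatch X'}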

As is the case with most tech, there are downsides. GraphQL is a layer that needs to be maintained, the user is responsible for security, and it can be a challenge to combine several GraphQL endpoints and schemas.

However, the benefits of GraphQL far outweigh the costs.

In an increasingly competitive marketplace, commerce players need to leverage the tools that enable them to be as agile as possible, save time and deliver superior customer experiences.

When building commerce applications, GraphQL is the ideal tool for the job.

The platform: commercetools offers a scalable cloud platform with a flexible commerce API at its core, which supports a modern microservice-based architecture and offers a wide range of integrations.

Kelly Goetsch: enjoy the freedom from decoupling back-ends from front-ends… and breathe easy.


December 19, 2019  7:35 AM

New moon rising: DataStax Luna is subs-based support for Cassandra

Adrian Bridgwater

DataStax has taken the Christmas wrapping paper off DataStax Luna, a subscription-based support offering for open source Cassandra.

The company says it is offering this service due to the rapid growth of Apache Cassandra. 

According to the DB-Engines Ranking:

  • Cassandra is the 10th most popular database management system (out of 350 systems)
  • Cassandra is used by 40% of the Fortune 100
  • Cassandra has grown 252% in popularity from 2013 to 2019

“Enterprises and developers tell us that they want the power and flexibility of Cassandra for a wide range of compelling use cases to impact everything from business optimisation to consumer apps,” said Jonathan Ellis, co-founder and CTO of DataStax. “They want Cassandra to be easier to use, backed by experts, and available in a range of options depending on their business and app needs.”

DataStax Luna is supposed to address these (above) needs and is available via a self-service website for purchasing and scaling.

The company claims to be working on the world’s largest Cassandra implementations, contributing to open source Cassandra and pioneering advances that extend the power of Cassandra for the needs of the enterprise.

This includes free downloads of the DataStax Apache Kafka Connector and Bulk Loader for all Cassandra users to make loading and unloading data faster and easier.

Organizations are finding that running open source projects for important applications without professional support is a significant risk.

Analyst firm Gartner has been very explicit on the matter.

“Gartner does not recommend unsupported open source offerings for production applications,” said Merv Adrian, Gartner vice president and analyst, in the report, State of the Open-Source DBMS Market, 2019.

DataStax Luna is available now.

 


December 10, 2019  4:28 PM

Fairwinds navigates straighter open course towards SaaS-y Kubernetes 

Adrian Bridgwater

Cloud-native infrastructure company Fairwinds recently launched a SaaS product for DevOps teams so that they can manage multiple Kubernetes clusters.

The almost-eponymously named Fairwinds Insights uses an extensible architecture and has been launched with a curated set of open source security, reliability and auditing tools.

The initial suite of tools includes Fairwinds Polaris, Fairwinds Goldilocks and Aqua Security’s Kube-hunter.

Fairwinds Insights claims to be able to solve a few common problems faced by DevOps teams. 

First, it eliminates the time-intensive process of researching, learning and deploying the Kubernetes auditing tools that are available. 

Second, it automatically organises and normalises data from each tool, so engineers get prioritised recommendations across all clusters. 

Finally, it enables DevOps teams to proactively manage the hand-off from development to production. 

NOTE: For the record, we can define normalised data as relational database data that has been through a process of structuring in accordance with a series of so-called normal forms, in order to reduce data redundancy and improve data integrity. By other definitions, data normalisation ensures all of your data looks and reads the same way across all records in a given database (typically a relational one).

Misconfiguration situations

The platform can integrate into deployment pipelines so misconfigurations can be identified and fixed before releasing to production.

“Many DevOps teams have sprawling Kubernetes environments and want to get a handle on it, but with lack of resources and expertise, it’s not a priority. Fairwinds Insights is the first platform that solves this problem by leveraging community-built open source tooling and operationalising it in a way DevOps teams can use at scale,” said Joe Pelletier, Fairwinds’ VP of strategy. 

Fairwinds Insights is in public beta and free for any early adopter who wants to try the software during the beta period. The free tier, located at fairwinds.com/insights, is limited to a seven-day history for results and up to two clusters. 

 

 


December 10, 2019  7:21 AM

Calmer waters promised in the data lake through Linux Foundation Delta Lake Project 

Adrian Bridgwater

The Linux Foundation’s promotion and hosting of Delta Lake is an interesting development.

Delta Lake (wait for it… the clue is in the name) is a project focusing on improving the reliability and performance of data lakes. 

Delta Lake was actually announced by unified analytics company Databricks earlier this year, before becoming a Linux Foundation project with an open governance model this autumn.

The team points out that organisations in every vertical aspire to get more value from data through data science, machine learning and analytics, but they are hindered by the lack of data reliability within data lakes. 

Delta Lake addresses data reliability challenges by making transactions ACID compliant, enabling concurrent reads and writes.

NOTE: ACID compliance describes database transactions that exhibit atomicity, consistency, isolation and durability — MariaDB provides a nice fully-fledged definition here if you want to read more.

Conformant comfort

The schema enforcement capability in Delta Lake is said to help ensure that the data lake is kept free of corrupt and non-conformant data.
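
For a feel of what this looks like in practice, here is a minimal PySpark sketch — it assumes a Spark session launched with the delta-core package on the classpath, and the table path is illustrative.

    from pyspark.sql import SparkSession

    # Assumes Spark was started with the Delta package, e.g.
    # spark-submit --packages io.delta:delta-core_2.11:0.5.0
    spark = SparkSession.builder.appName("delta-demo").getOrCreate()

    events = spark.range(0, 100).withColumnRenamed("id", "event_id")

    # Each write is an ACID transaction; concurrent readers always
    # see a consistent snapshot of the table.
    events.write.format("delta").save("/tmp/delta/events")

    # This append matches the table schema, so it succeeds; an append
    # with a mismatched schema would be rejected with an
    # AnalysisException -- Delta's schema enforcement at work.
    more = spark.range(100, 200).withColumnRenamed("id", "event_id")
    more.write.format("delta").mode("append").save("/tmp/delta/events")

    spark.read.format("delta").load("/tmp/delta/events").count()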

“Bringing Delta Lake under the neutral home of the Linux Foundation will help the open source community dependent on the project develop the technology addressing how big data is stored and processed, both on-prem and in the cloud,” said Michael Dolan, VP of strategic programs at the Linux Foundation. 

“Alibaba has been a leader, contributor, consumer and supporter for various open source initiatives, especially in the big data and AI area. We have been working with Databricks on a native Hive connector for Delta Lake on the open source front and we are thrilled to see the project joining the Linux Foundation. We will continue to foster and contribute to the open source community,” said Yangqing Jia, VP of big data & AI at Alibaba.

As noted above, Delta Lake will have an open governance model that encourages participation and technical contribution and will provide a framework for long-term stewardship by an ecosystem invested in Delta Lake. 

 

 

 

 


December 9, 2019  10:27 AM

WhiteSource acquires & open sources Renovate ‘dependency’ update toolset

Adrian Bridgwater

Open source security and license compliance management company WhiteSource has brought dependency update company Renovate into its stable.

All of Renovate’s current commercial offerings will now be available for free under its new name, WhiteSource Renovate.

Rhys Arkins, founder of Renovate, explains that Renovate was developed because running user-facing applications with outdated dependencies is not a serious option for software projects – or at least it shouldn’t be.

As we know, using outdated dependencies increases the likelihood of unfixed bugs and increases the quantity and impact of security vulnerabilities within software applications. 

WhiteSource will continue to drive the Renovate open source project, which to date has received over 5,000 commits from more than 150 contributors.

Further, WhiteSource will now offer the existing paid offerings for free: a GitHub app, a GitLab app and a self-hosted solution — all under the WhiteSource Renovate umbrella.
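
For the uninitiated, Renovate is driven by a small configuration file checked into the repository it watches; a minimal renovate.json might look something like the sketch below — the schedule value is illustrative.

    {
      "extends": ["config:base"],
      "schedule": ["before 5am on monday"]
    }

With that in place, the bot raises pull requests whenever a dependency it tracks publishes a new version.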

“Dependency visibility and currency are essential ingredients for mature software organisations and an important complement to vulnerability and license management. We’re proud that a tool for updating dependencies is itself open source and will ensure the project continues to extend its leadership in multi-platform and language support,” said Rami Sass, CEO of WhiteSource.  

WhiteSource Renovate will be integrated into the WhiteSource product portfolio, which includes WhiteSource Core and WhiteSource for Developers.


December 6, 2019  10:07 AM

Tibco dials into Apache Pulsar

Adrian Bridgwater

Software integration and analytics company Tibco has added Apache Pulsar as a fully supported component in its own messaging brand, TIBCO Messaging. 

By way of definition and clarification then…

Apache Pulsar is a distributed ‘pub-sub’ messaging platform with a flexible messaging model and an intuitive client API. 

Pub-sub (publish/subscribe) messaging is a form of asynchronous service-to-service communication used in serverless and microservices environments.
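
A minimal sketch with the pulsar-client Python library shows the model — one side publishes to a topic, the other subscribes under a named subscription; the broker address, topic and subscription names here are illustrative.

    import pulsar

    client = pulsar.Client('pulsar://localhost:6650')

    # Publisher side: fire a message at a topic and move on.
    producer = client.create_producer('orders')
    producer.send('order-1001'.encode('utf-8'))

    # Subscriber side: a named subscription gets its own cursor on the
    # topic, decoupling consumers from producers.
    consumer = client.subscribe('orders', subscription_name='billing')
    msg = consumer.receive()
    print(msg.data())
    consumer.acknowledge(msg)

    client.close()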

Tibco positions this as a) a commitment to open source technologies, obviously… but also b) a means of making sure that users of the (undeniably quite popular) Apache pub-sub messaging system can now use Tibco Messaging.

The suggestion here is that developers will be able to create a fully integrated application integration infrastructure with the freedom to choose the right messaging tool for the job at hand.

Streaming & Messaging

Here’s the core technology proposition: users can achieve connectivity from a data distribution solution that supports both streaming and messaging infrastructure — and this, therefore, allows the creation of software that spans streaming, event processing, data analytics and AI/ML.

“Our support of Apache Pulsar gives customers the freedom of choice when navigating the need for a solution to assist with the real-time processing of high volumes of data for the most demanding enterprise use cases,” said Denny Page, chief engineer and senior vice president, Tibco.

Apache Pulsar enables lightweight compute logic using APIs, without needing to run a stream processing engine. It offers native support for streaming and event processing in a single package. This ensures horizontal scalability with low latency, allowing for flexible solutions for streaming.
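
That lightweight compute logic is delivered through Pulsar Functions; a sketch of a Python function that Pulsar feeds from an input topic, publishing the return value onward, might look like this (the class name is invented).

    from pulsar import Function

    # Deployed via pulsar-admin; Pulsar routes each input-topic message
    # through process() and publishes the return value to an output topic.
    class Uppercase(Function):
        def process(self, input, context):
            return input.upper()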

Further, it provides native support for geo-replication and multi-tenancy without requiring add-on components to manage.

Users are free to choose from multiple messaging and streaming options and can work with a single vendor that delivers all their messaging needs, including fully distributed, high-performance, peer-to-peer messaging; certified JMS messaging; and open source, broker-based messaging including Apache Kafka®, Apache Pulsar, and Eclipse Mosquitto.


December 3, 2019  8:23 AM

Ubuntu 19.10 offers ‘integrated’ AI/ML developer experience

Adrian Bridgwater

Autumn (or Fall, depending on your level of Americanization) was a busy period… so busy in fact that the Computer Weekly Open Source Insider blog saw a number of milestone advancements go whizzing past.

Among those news items we’re catching up on as we approach the Christmas silly season is the latest update from Canonical on Ubuntu.

Canonical is positioning Ubuntu as (in its view) an operating system (OS) of choice for ‘most’ (it was careful not to say all) public cloud workloads, as well as the emerging categories of ‘smart gateways’, self-driving cars and advanced robots.

NOTE: NXP defines a smart gateway as an appliance that bridges a Wide Area Network (WAN/cloud) connection to a Local Area Network (LAN), usually via Wi-Fi and/or Ethernet, in a user’s home or on company premises.

Now that we have reached the Ubuntu 19.10 release, Canonical says that it has increased its focus on accelerating developer productivity in AI/ML, brought forward new edge capabilities for MicroK8s and delivered its fastest GNOME desktop performance yet.

NOTE: MicroK8s is a CNCF certified upstream Kubernetes deployment that runs entirely on a workstation or edge device — being a ‘snap’ (a Canonical application packaging & delivery mechanism) it runs all Kubernetes services natively (i.e. no virtual machines) while packing the entire set of libraries and binaries needed.

Canonical CEO Mark Shuttleworth says that Ubuntu 19.10 brings enhanced edge computing capabilities with the addition of strict confinement to MicroK8s. 

Strict confinement ensures complete isolation and a tightly secured production-grade Kubernetes environment, all in a small footprint ideal for edge gateways. MicroK8s add-ons – including Istio, Knative, CoreDNS, Prometheus, and Jaeger – can now be deployed securely at the edge with a single command. 
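
On an Ubuntu machine that might look like the following — the channel and add-on names reflect the 19.10-era snap store, so treat the exact invocations as illustrative.

    sudo snap install microk8s --channel=1.16/stable
    microk8s.enable istio prometheus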

The Raspberry Pi 4 Model B is supported by Ubuntu 19.10. The latest board from the Raspberry Pi Foundation offers a faster system-on-a-chip with a processor that uses the Cortex-A72 architecture (quad-core 64-bit ARMv8 at 1.5GHz) and offers up to 4GB of RAM. 

Additionally here, Ubuntu 19.10 ships with the Train release of Charmed OpenStack – the 20th OpenStack release, backed by the Nautilus release of Ceph. 

Shuttleworth and team insist that this marks Canonical’s long-term commitment to open infrastructure and to reducing the cost of cloud operations. Train provides live migration extensions to aid telcos in their infrastructure operations. Live migration allows users to move their machines from one hypervisor to another without shutting down the operating system of the machine.

Finally here, Canonical says it has thought about users running Ubuntu on older hardware — which, arguably, is contentious ground for some, as open source purists will want to position an open OS as ‘more than just something you stick on an old Windows machine to bring it to life’. With GNOME 3.34, Ubuntu 19.10 is the fastest release yet, with significant performance improvements delivering what the company has called a more responsive and smooth experience, even on older hardware.

Image Source: Sosha1996 on GitHub.

 

