Chris Ferris | Open Source CTO | In the Open with Luke and Joe

This is a podcast episode titled "Chris Ferris | Open Source CTO | In the Open with Luke and Joe."

In this episode, we are pleased to bring you a conversation with the Open Technology CTO and IBM Fellow Chris Ferris.

Chris Ferris, IBM Fellow & CTO Open Source Technology, @christo4ferris (https://www.linkedin.com/in/chrisfer/)
Joe Sepi, Host, Open Source Engineer & Advocate, @joe_sepi (https://www.linkedin.com/in/joesepi/)
Luke Schantz, Host, Developer Advocate, Quantum Ambassador, @IBMDeveloper, @lukeschantz (https://www.linkedin.com/in/lukeschantz/)

Key Takeaways:
  • [00:05 - 00:28] Intro to the episode
  • [04:54 - 07:40] Chris shares his IBM story
  • [07:57 - 11:51] IBM's open source story
  • [13:20 - 16:05] The Value of Open Source in the Cloud Era
  • [17:32 - 19:10] Important skills for those in open source
  • [19:27 - 22:08] How IBM shares open source knowledge internally and with customers
  • [23:44 - 27:19] The Open Source Security Foundation
  • [32:23 - 36:17] Some things Chris is working on and excited about
  • [41:12 - 42:54] The new data license agreement

Resources:
  • IBM's open-source story: https://www.ibm.com/opensource/story/
  • Red Hat State of Enterprise Open Source Report: https://www.redhat.com/en/enterprise-open-source-report/2022
  • Open Source Security Foundation: https://openssf.org/
  • IBM's Project CodeNet -- a large dataset aimed at teaching AI to code: https://research.ibm.com/blog/codenet-ai-for-code
  • Project Ray -- Fast and Simple Distributed Computing: https://www.ray.io/
  • New collaborative data license agreement created to make sharing data sets easier -- Linux Foundation AI releases Community Data License Agreement v2 license, 364 words of data-sharing clarity: https://developer.ibm.com/blogs/new-collaborative-data-license-agreement-makes-sharing-data-sets-easier/
  • LinuxONE (Linux on Z) builds a platform for OSS projects: https://developer.ibm.com/blogs/utilize-linuxone-as-a-platform-to-build-open-source-technology/

Luke Schantz: Today we are pleased to bring you a conversation with IBM Fellow and CTO of Open Source Technology, Chris Ferris. We are going to be discussing a variety of open source projects as well as a recent report, The Value of Open Source in the Cloud Era. This report surveyed 3,400 developers and managers to build an understanding of the attitudes and realities in today's development ecosystem. Before we welcome our guest, Chris Ferris, let's say hello to my colleague and co-host Joe Sepi.

Joe Sepi: Hey Luke. How are you?

Luke Schantz: Good. How are you doing, Joe?

Joe Sepi: I'm okay. Thank you. It's a little overcast today. The weather's been a little weird. The other day it was warm through the night and then slowly got colder through the day, which is always really weird. It's flipped around. The weather's been really strange. How about you, Luke?

Luke Schantz: Similar. I think you want to be at your pool, whereas I want to stay out of the sun at all costs, so this is perfect. I like a warm ish day and then a cool night. That's great for me.

Joe Sepi: No, it sounds nice. And look, I have a whole closet full of light coats, light jackets that I like to wear, so I prefer a good cool day. So it's nice. I'm enjoying it.

Luke Schantz: It's funny you mentioned it. I remember that about when we would do events together in New York City, you always had very cool jackets. Before we welcome Chris, I wanted to mention a few things, just a little bit of housekeeping. So if anybody has any questions, feel free to drop those into the chat on whatever platform you're watching. And if you're catching this as a replay later as a podcast, hey, tweet at us. Happy to answer your questions post event. No problem. I also wanted to mention, as always, you can find us at IBM.biz In the Open. We have the livestream whenever we're going live. Every other week is on there as well as all past episodes. And then if you want to find the podcasts, you can find all our past episodes as podcasts. And I don't want to forget all the rest of the podcast ecosystem. We've got other podcasts, IBM Z DevOps talks, we have Data Science podcast, we have IBM Cloud podcast, Call for Code podcast. There's so many podcasts on IBM Developer, so make sure to check those out. But without further ado, let's welcome our guest, Chris Ferris.

Chris Ferris: Hey guys. How are you doing?

Joe Sepi: Good. How are you, Chris? Welcome.

Luke Schantz: Thanks for joining us.

Chris Ferris: My pleasure. And speaking of overcast, I'm just going to warn you, I live in Florida, so it's the rainy season, which means it's going to rain every day for the next three months.

Joe Sepi: Three months, huh?

Chris Ferris: Sure enough, it was beautiful this morning and now it's a huge thunderhead overhead.

Joe Sepi: Yeah, I feel like I told the story maybe on the show once already, but I was in Florida once and my flight got canceled home and I was there with my wife and son and we ended up going to the Kennedy Space Center and enjoying the day that we were gifted by the airport snafus and stuff. But anyway, I'm trying to work while my wife is driving and it starts pouring like crazy which apparently it does in Florida. And I put in Orlando Airport and put it up on the screen. Okay, great. And we start driving and I'm working and we pull into this tiny airport in Orlando. Apparently Orlando has three or four-

Chris Ferris: Oh, there's like an executive one. Yeah.

Joe Sepi: So we're like, "This is not the right airport." Anyway. Yeah, Florida was crazy. Good luck with that. All summer, huh?

Chris Ferris: All summer. Actually, my wife showed me a cartoon the other day. So it starts out, it's 2:30 PM and it's beautiful out, right? 3:00 and then it's got this picture of the palm trees are just blowing and it's raining hell. And then 3:15. Usually it's in the afternoon, usually it's mid afternoon when the thunder showers come rolling through. It comes from the west coast across to the east and nails us every afternoon. But then it is usually beautiful in the evenings, then you go out, dine out by the water.

Joe Sepi: Yeah, that sounds nice.

Chris Ferris: It's a tough life, but somebody's got to do it.

Joe Sepi: I had the flip scenario when I lived in Olympia, Washington out in the Pacific Northwest where it's beautiful in the summer, but all the non- summer months, it just rains all the time. But when it's summer and it's nice out, you just really soak it in. It's lovely.

Chris Ferris: Yeah. Plus in Florida, you learn you have to do everything before about 10:30 AM. It doesn't get as hot. I think actually I think out in the northwest is going to get hotter than here. 90 degrees is usually about as hot as it gets, but it's humid. It's not a dry heat like some places. If you're out playing tennis or golf or something, it can be brutal.

Joe Sepi: Yeah. I can imagine. Cool. Hey, you've been here at IBM for a while. Maybe we could start, you could just tell us a little bit about what you've been doing and how it started and a little bit of your IBM story.

Chris Ferris: Sure, sure. So I actually am a professional hire into IBM. I joined in 2002, so I'm working on my 20th year right now. And before that I was working at Sun Microsystems for, I don't know, about 13 years I think. And I had actually started to work in open source and in around XML in particular in some of the XML parsers, starting to use open source and contribute back. And I started getting involved in a project called ebXML, which was a joint initiative between an organization called OASIS, the Organization for the Advancement of Structured Information Standards, and the UN. And they were working on trying to unify the world of e-business and enabling it to be done through XML. I had been working in Sun's IT organization for a long time and then I joined JavaSoft and they said, "Hey, you have this background in e-business and systems and so forth. You should get involved in this." So I did. One of the co-leads for the organization was my boss and the other one was Bob Sutor who is now over in the research in the Quantum Group. And I guess he saw something he liked and gave me an offer I couldn't refuse. And the next thing I knew I was working for him.

Joe Sepi: Nice.

Chris Ferris: Yeah.

Joe Sepi: Yeah, it's interesting to hear. 20 years for you. I feel like a baby at five, which is interesting, my career usually was two or three years at a place and I'd be moving on to the next thing. But I'm happy here for a variety of reasons we could go into another time. But it's amazing. Especially, I used to live in Westchester, I'm over in Connecticut now, but I couldn't throw a stick without hitting an IBMer. Most of them are multi-decade IBMers.

Chris Ferris: I grew up in Westchester, I grew up in Rye.

Joe Sepi: Oh, nice.

Chris Ferris: Yeah.

Joe Sepi: Yeah, I have some friends over at Rye.

Chris Ferris: An IBM right up the street there.

Joe Sepi: Yeah.

Chris Ferris: We had a timeshare in the high school and that was where they taught... Eighth grade had an honors course in computer programming. So actually I took that one. That was a lot of fun. That was probably my first introduction to writing software was writing checkers and chess, poker and so forth. That was a lot of fun. I was basically hired to go and work in the open technology organization and I've been here ever since. So this has been the only job I've had at IBM. I've been promoted a few times, but they brought me in to try and help open up IBM, get it more involved in open standards and open source. And here we are 20 years later.

Joe Sepi: Yeah, that's amazing. I love that this is a 20 year story in open tech and open source and stuff, which really is a good segue into perhaps the first thing we can chat about, IBM's open source story, I guess you'd say.

Chris Ferris: Yeah. A lot of people would say IBM open source really. Until we acquired Red Hat, it wasn't as widely known as it probably should have been, just how involved and invested in open source we have been since the earliest days. Since before Red Hat was a thing, we were involved in open source and working on contributing to the Linux kernel, helping to write some of the software that's powering the web today. Some people working in the very earliest days on the Apache web server and so forth.

Joe Sepi: I'm sorry to interrupt you, Chris. I just wanted to say too that I think it's important to point out too that it's open source but also the open standards work and open governance too. To concur with, I often found myself frustrated working in open source and feeling like nobody realized IBM did as much as we do in open source. But I often would experience where in a lot of the organizations I was in, there would be a limit for an employer to be a part of the TSC or the committee or whatever. We were always bumping up against that limit like, "Oh, you got to step down so this other person can come on." It's like we do too much open source almost.

Chris Ferris: Yeah. So we've been doing it for the longest time. Actually, if you reach back in the very earliest days in the late 1990s when Linux was starting to get a little popular and a certain operating system vendor in the Upper Northwest started getting a little antsy about their [inaudible] the operating system on a desktop in the server, and IBM indemnified its clients. If they were using Linux on IBM hardware, we said, "Go for it, we got your back." And that really helped to legitimize open source for the enterprise. A lot of financial institutions had started, they were all rolling their own distros and so forth and starting to leverage a lot of open source, whether it was just the new compilers and stuff like that or just the plethora of things that were growing up around that ecosystem. We made that a legitimate thing. And then of course we helped to found the Apache Software Foundation because our legal department actually was the ones that helped to write the original Apache software license with others. We collaborated with others in the industry obviously, but we helped to bring that to life. I don't know if we have anybody on the board now, but for the longest time we had somebody who was serving on the board. We have a number of mentors there. We have people that are working to this day in various Apache projects. We also helped to establish Eclipse. Now that was one of those situations where actually I was at Sun at the time and it was an interesting development to come up. Eclipse, what does this mean? If you look at these communities, whether it's Eclipse or the Linux Foundation or Apache, they all started with one thing. So Linux, it was the kernel. With Eclipse, it was the IDE framework for Java. And with Apache it was httpd. And now they each have over 300 or 400 projects apiece working on all kinds of things that have nothing to do with the original purpose.
And it was for exactly that point that you made about open governance because it basically created these safe spaces to innovate and collaborate even with your fiercest frenemies. It's amazing to this day that we have collaborations in the cloud space with every one of the hyperscaler cloud vendors and the activities that we do, whether it's in CNCF for Kubernetes and so forth, very collaborative environment. There's no backstabbing and that kind of stuff. Standards was a little bit different, standards was a little bit more defensive. But I find that open source tends to be a lot more collaborative and innovative and sharing of success. [inaudible]

Luke Schantz: I was also going to mention, I think it was Brad Topol on a past episode mentioned when the folks who developed Eclipse found out it was being open sourced, it was a bit of a paradigm shift because they're like, "Oh boy, we spent all this time. We thought this is a product and you're giving it away?" But obviously like you mentioned, it has implications and it grows bigger than it could ever be standing on its own.

Chris Ferris: That's exactly right. And to this day, still we're encountering situations where I'm making a recommendation that we open source something. They're like, "What? We spent all this resource in developing it and it's proprietary and it's earning us money." I'm like, "You don't need to have proprietary software to make money." Ask the guys that we just bought for $34 billion. Everything they do is open source and they're still making a ton of money.

Luke Schantz: And it's interesting, you had mentioned that other operating system from the past that was apprehensive against Linux. I believe on the last version of it, they even started to incorporate the Linux kernel into it and then made a PowerShell for Linux. So it's interesting how the paradigm shifts change over the decades.

Chris Ferris: Totally. And then VS Code is one of the most popular IDEs out there, but almost everybody does it to develop on Linux. That's the reality.

Luke Schantz: I think we all had a feeling and an [inaudible] sense of this is how open source works. There is a value and it's right, but there's some confirmation on this now. It was a recent study, The Value of Open Source in the Cloud Era.

Chris Ferris: That's right. Yeah. So it was actually interesting. I'd been reading an article that was suggesting that if you're a software developer in the cloud that you need to know these 10 APIs from, and I won't mention the cloud provider. And I said to myself, "That's just not right." I said, "Because everything that's behind each one of those APIs is open source." And I said, "I think it's actually the case that developers... I think their preference would be to have skills in the underlying open source capabilities rather than the proprietary vendor's set of APIs." And I got with the IBM marketing team and said, "Can we do a survey or a study about just what is the developer sentiment around, whether it's for cloud and for various other data and AI capabilities, what's their preference in terms of what APIs and what technologies are they interested in to advance their careers?" And it was interesting because my sense was no, it's the open source that they care about. It's not necessarily the proprietary APIs. That comes secondary. But if you're doing container orchestration, you're using Kubernetes. Whether it says so or not, that's under the covers there. And that's the skillset that developers are looking to acquire. That's the one that I think that actually hiring managers are looking to find for their teams because it's easy enough to learn the skin that various vendors put on top of that. We did a study with Wiley and they surveyed about 3,400 plus and probably evenly split between hiring manager types and developer types across the spectrum of enterprise sizes and so forth. The study came back and reinforced my sense that actually two thirds of developers felt that it was the underlying open source APIs and skillsets that helped advance their career.
The other interesting sort of tidbit from that was that over 50% felt that their contributions to open source actually helped advance their careers and essentially netted them more money in the jobs that they did land. So that was, I think, a very positive thing. There was a number of different findings. Yeah, there's the link to the report. A huge amount of information in there. But it all reinforced my sense that the things that matter are the skills and the underlying open source, not so much the proprietary API.

Luke Schantz: It is good to get that confirmation because I feel like especially on this show and just in general, that has been, I think the message that I've been purporting to folks, " Hey, get involved in open source. It's a way for you to not only differentiate yourself at your company, but then also get to know that greater ecosystem. And if you want to make a move or if you want to negotiate for that higher salary, you might be awesome. But if you're locked away and no one knows what you're doing, being able to work out in the open is a great way of just personal development."

Chris Ferris: Totally. It's a double-edged sword for hiring managers because having people that are out in networking in these communities and building their own personal eminence in open source communities can essentially make them very good targets for the competition to pick them up and that can advance your career. But I think most developers, that's a nice thing if they get into a bind. But I think people like to work for a company that allows them to work in open source. I know a lot of the people on our team feel that way, very strongly. There's an awful lot of people that are on the product teams that really want to be on our team because they love to be working out in open source. So we're trying to turn the tide and dial it up a notch to get more and more of the IBM developers that are working on proprietary products to work out in open source as well.

Joe Sepi: Yeah, I'm [inaudible].

Luke Schantz: Yeah, I can hear you great, Joe.

Joe Sepi: Yeah, I feel like there's so many benefits to being in open source. So I think one thing, and forgive me if you guys already touched on this, but learning to work with other people in open source in a collaborative way where no manager is telling you whatever, but you have to figure it out with other people out in the open and make it work is a really important skill as well.

Chris Ferris: That's right. It's what they call soft skills that you learn from working out collaboratively in the open. You're learning to essentially be able to assert yourself in a positive way to get your point across and so forth. And that helps. And then of course there's the practices that we have out in the open source communities tend to be a little bit more mature, especially from more advanced CI/CD, Agile development practices and so forth. And bringing that back into the enterprise is an important part of the overall, I think, attraction. Now the other thing that I didn't mention about the study was, so yeah, it's two-thirds of developers and more than 50% of developers thinking that it advanced their careers. The interesting thing that I found though was that when you look at who's responding, the hiring managers actually felt more strongly about both points by about 5%, which I thought was fascinating to see that the hiring managers are starting to recognize that this is important. And increasingly, a lot of our clients are asking us, "Boy, we're getting an awful lot of our developers asking us can we work out in open source? And we don't know how to do that." So a lot of what I do is help some of our customers to work on how to incorporate open source into their [inaudible] into the practices.

Joe Sepi: Yeah, that's a really good segue because I wanted to talk to you more, I guess briefly because this could be a whole episode, how we do that internally and then how do we share that knowledge and what we're doing with our clients? Something I've bumped into as well.

Chris Ferris: Yeah. We actually published the framework, if you will, that we use to encourage more and more open source. So we have annual training to start with just what is open source and why should you care? And you have to be careful. You don't want to just pick up anything off the ground and use it. You want to make sure that you're using something that has a community behind it that's working to keep it current, to fix bugs and vulnerabilities as they arise. And we teach them about all the different licenses and so forth. And then we also have some internal training and we call it the Dojo. So it's basically an opportunity for people such as yourselves, Joe, and others, to basically help mentor new developers that want to get involved in open source, help them through that process. First off, giving them the basic training, if you will, of working out in GitHub and how to land a pull request and how not to be a jerk in the chat forums and stuff like that. But then also when they get stuck and they're trying to get something in and we actually have a lot of people in a lot of the communities that can actually help get somebody up to speed and onboarded and feeling part of the community. So we have all of that. And then we have the recognition program every year and people that are actually leading in the various communities, we can recognize that value. We've got badges. Everybody's got badges now, but we've got badges. Then the other piece of it is that we're actually trying to... Again, as I mentioned, we're trying to grow the upstream participation from the product team. Way back in the day, I remember there was a, "Oh my god, you can't be contaminated by open source."

Joe Sepi: Unsafe.

Chris Ferris: Or something. I don't know. And I always felt that was funny because if you look inside, peel the onion skin back a little bit, our flagship web application developer WebSphere web application development platform was 70% open source. Okay, so you can't touch open source. Tell me again, how does that work? That isn't the only one. And certainly all of the new stuff that we're doing now, all the cloud, AI and data, all of that is based on that. Even Quantum. You've got Qiskit and QASM out there and very much out in the open. It pervades every single industry. And we're now starting to see more and more application level stuff is turning open source. So I was just working with a colleague who's in the oil and gas industry and they've done this amazing work around open sourcing, if you will, a data analytics platform for oil and gas discovery. So it's some cool stuff. It's some cool stuff.

Joe Sepi: Yeah. I remember being at a conference and somebody coming up and talking to me about open source and they're trying to get their employer, which they worked in the auto industry and they're very protective and afraid of any security related stuff. But I remember talking to them about the business differentiators, those you can keep to yourself, but all the foundational stuff, build it out in the open with your competitors and help crowdsource the work part of it. And also help but work on security stuff together and work it all out in the open.

Luke Schantz: Every time I hear it, Chris had said, "In the open," earlier, I was like, "Well, he said in the open." Also, in the open source coming from IBM and oil and gas industry, the MQTT standard from Andy Stanford-Clark over there in Hursley is also another great example.

Chris Ferris: Yeah, it's also a good example of the pairing, if you will, of open source and open standards because MQTT actually started as an open standard. And then there's a number of different implementations that have mostly been written in open source. So it's been a good partnership really.

Joe Sepi: Yeah, that's interesting. We talked a little bit about the Linux Foundation earlier and I think it's really interesting that the Linux Foundation has become something of an umbrella foundation for all these other foundations. I'm a part of the OpenJS Foundation and that was born out of merging the JS Foundation and the Node.js Foundation together, which all of them are a Linux Foundation project. I know a fairly recent one is the Open Source Security Foundation. You do some work in that space as well, Chris?

Chris Ferris: I do, yeah. Right before the pandemic about. I want to say in the fourth quarter of 2019, IBM and Google and Microsoft and GitHub and Red Hat started to talk about the need to... And this predates the whole SolarWinds thing, but we recognize that look, open source is increasingly becoming sort of de facto in every industry, and whether it's governments or whether it's enterprise, it's pervading absolutely everything. We need to make sure that we aren't going to be in the situation because we're taking dependencies on some obscure library someplace that nobody's paying attention to, that we end up with some serious vulnerability that causes the world economies to collapse and stuff like that. So we had some conversations around, so how would we deal with this? The thinking ranging from let's fund the open source projects that are needing people to come and contribute to them. But then there's also, but how can we help projects that have diverse communities, but how can we help them improve the practices around secure engineering and developing an effective CI/CD system that isn't going to get compromised? And how do we ensure that they have the wherewithal to be able to deal with vulnerabilities in a progressive disclosure kind of way where you're not just sort of blurting out, "Hey, I got a zero-day in this cool library." So there's a number of different aspects of this. Some of it is just, again, badging, but we have the Core Infrastructure Initiative badging initiative that you could assess your open source project against a set of best practices in the industry to ensure, and then you get a little badge that you could put on your README that said, "Hey, I've got a CII badge." And now we have different levels, passing, silver and gold, I think, are the different levels. But they're progressively more and more focused on ensuring that you're able to deal with security vulnerabilities in a reasonable and responsible way.
So yeah, I helped to actually work with Microsoft and Google in helping to set up the OpenSSF and I serve on the board right now. Again, because we stood it up during the middle of the pandemic when everybody was a little bit concerned about whether we were going to be in business the next week or not, we ended up saying, "Let's not go dialing for millions of dollars of funding right away. Let's get something going and then we'll figure out how to fund it later." So we're actually in the process now of trying to figure out how to turn it into, just as with the JS Foundation and so forth, how do we actually get it up and running with staff, with marketing dollars behind it, with full support for any of the operational aspects of things we want to do to make sure we have somebody out there essentially raising awareness of what we're trying to accomplish? With SolarWinds and with some of the recent sort of ransomware hacks that have occurred and what was it, Colonial Pipeline and others. And with the executive order most recently from the White House, everybody's hair is on fire now about the supply chain for open source security. So we're getting a lot of attention. I think that's a positive thing, but I like the fact that we were ahead of the curve and trying to get something rolling before everything hit the fan, so to speak.

Luke Schantz: So interesting. And two thoughts I wanted to mention here. On a past episode of the IBM Developer podcast, we had the NSA community team come on and they mentioned using Eclipse and using a lot of open source tools. Obviously there's a lot of strict controls when you get into these sorts of government agencies, but they had work groups to be able to work on that stuff together. And then most recently I just saw a post they made, especially because of these nation state threats and infrastructure threats, they've actually created, almost similar to what our IBM Garage is, a way to work with industry partners to be able to work together in this kind of coworking half inside, half outside environment to address some of these threats.

Chris Ferris: Actually that was one of the things that we were trying to set up. Of course we need some funding for that, but we wanted to actually set up an enclave where we could collaborate together on resolving some critical vulnerabilities, whether it's in the kernel or elsewhere, in an environment where we had full build capabilities and everything, but nobody could see it except the people that had been granted access to it. But that would allow us... Because right now everybody's doing it on their own pretty much. When we had the situation with [inaudible] and so forth, everybody had to go and deal with how to resolve that vulnerability on their own. And it wasn't pretty. Everybody was doing the same piece of work essentially, but because we didn't have that ability to collaborate out in the open on that, we were talking about it, but we weren't able to actually collaborate on the actual fix in the open.

Luke Schantz: Sorry to cut you off, Joe, but if I don't cut you off, you're going to cut me off.

Joe Sepi: That's what we do.

Luke Schantz: This is the New York way. One thing I was just going to mention, one of my favorite podcasts I listen to is called Darknet Diaries and it talks about a lot of these cases. And it's exactly one of the things you mentioned. It's what if a security firm finds that zero-day? Now of course they want to tell their clients first, but they want to tell everybody else. Maybe someone else is discovering it at the same time. And then most of those systems are going to take a while to get updated and patched. So sometimes even doing the right thing and letting the community know about this vulnerability, those bad actors will within a day or two whip up something to exploit that and cause a huge problem in a very short period of time. It's a tough situation.

Chris Ferris: It really is. That's actually one of the things was getting into a best practice for how to set up a responsible disclosure process for reporting vulnerabilities that you uncover. The vast majority of open source projects don't have that level of maturity of having an inner sanctum, if you will, of security engineers who can deal with that sort of thing. But where you don't just blurt it onto the mailing list, but you instead send it to a mail address that's going only to the select individuals that have the ability to address the problem.

Joe Sepi: That's one of the benefits of being in a foundation is they help you to try to sort those things out and everything.

Chris Ferris: Yeah. But again, most of open source is random. And it's the projects that are housed in the likes of the LF or Apache or Eclipse that I think are the ones that have the most maturity. They also have the most prospects for sustained success. There's actually been studies done that projects under open governance tend to do better by and large than their non-openly governed counterparts. But you can have projects that are controlled by a single vendor that are done very effectively, but Google's not... You shouldn't shake your head at projects like Istio and Knative. They're very well run. Would we like them to be under open governance? Yes, absolutely. And we're working towards that, but that's not necessarily the case. I mean there's a lot of open source. It's just some guy or gal came up with a really good idea, wrote some software, and then they got busy with their day job or they went back to school or whatever it was. And there it is, right? Hey, it's open source so you can have it.

Joe Sepi: Billions of projects.

Chris Ferris: Kind of like furniture left by the side of the road. You can have the couch, you can put it in your living room, but you get all the quarters and you get all the bugs.

Joe Sepi: Yeah. Yeah. There's an XKCD comic where it's the Jenga sort of Lego thing styled up and there's a little one down here. Yeah, that's so true.

Chris Ferris: Actually, that was on the OpenSSF. That was one of the things we had in our announcement. We did a little XKCD thing.

Joe Sepi: It's perfect. And we can move on in a second. I just wanted to share, and we can talk about this actually offline, but I have an old friend at the Ford Foundation who I know from punk rock days and she spoke at OpenJS World recently. And anyway, we're talking about trying to get a grant from them and work with them at the LF, and I think security would be a really interesting thing to explore. So let's maybe talk about that more offline. Yeah, I'm curious, what are some of the things that you're excited about right now in the work that you're doing or research?

Chris Ferris: Very recently, one of my colleagues who was managing... So we have an OpenTech group. The OpenTech group is split down the middle where half of the team is working on cloud and cloud native kind of things, and the other half is working on data and AI. And so my colleague is retiring after a long career. So I took over the data and AI side of things saying, "Okay, I've never been a manager, but let's give this a try." But over the course of, I would say the past year, I've started shifting a lot of my focus. I had been working on blockchain for a while, so I started shifting a lot of my focus to data and AI. I think it's fascinating. I taught myself Python and learned a lot about the different frameworks and so forth. That's sort of the world that I'm in most now, if you will. I still keep a sharp eye on some of the other things. And the other part of my job is as an IBM Fellow, I have to have more of a global influence and so forth. As I mentioned, I'm trying to get the IBM company to be thinking about open source first. So I actually have this initiative that we call the Open Source First Initiative where I'm trying to get people to say, rather than the first instinct to be, "Let's develop something proprietary," when we need some new capability, "Let's look at open source first. If there's something there, then let's see if that makes sense for us and let's turn that equation on its head." So I'm also working to try and get more and more things to be either put out as open source, because I don't see a reason why we have to keep things proprietary, as well as getting them to start looking first at what's already existent in open source. So one of the teams that I've been working with is in research, and they recently published something that's actually not open source but open data. It's actually also an open source project called CodeNet.
And basically what they have is they have a curated data set of software that was entered into various contests. So it's been vetted, it's been reviewed thoroughly. So they know that the software is doing what it's supposed to do. So they've been doing machine learning on that foundation, that data set of vetted software, and they're hoping that they can leverage that, whether it's to make recommendations as to, " Oh, I see you're trying to write a loop. Maybe you should do it this way as opposed to what you're doing." That kind of thing to give recommendations in an IDE, for instance, as to how better to write something to spot potential vulnerabilities before they actually reach the merge state. When you're doing development, they can actually say they're going to create a vulnerability here. So they put this out. It's gotten an awful lot of attention, but the other thing that it's done is it's really helped to see the value of taking something that we've done that's really cool and putting it out there because now we're getting a whole lot of credit in the machine learning space. But hey, that's really cool stuff. So even some of our competitors are taking advantage of that data set and people are starting to write models around it. We'll be doing some and publishing those as well. But it really has helped the executives in research and elsewhere in IBM recognize the value of doing that. We had a similar success with blockchain when we open sourced the IBM blockchain. We called it IBM Open Blockchain. We contributed that to Hyperledger, which I actually created as well and created the Hyperledger Fabric Project out of that. But it was a huge success from an open source perspective and it led to hundreds of millions of dollars of revenue for IBM in building services around that foundation. But it wouldn't have happened if we had been proprietary about it. It just couldn't happen.

Luke Schantz: That is fascinating. And I actually didn't realize you had worked on the Hyperledger and the blockchain stuff. I have some questions offline to ask you. I've been okay thinking about stuff, so I'm going to make a note to myself to come back to that. And I could see how you were mentioning vulnerabilities. This could be really useful to tie into the last topic we were talking about things that would be, I'm imagining a lot of these things, indiscernible for a human or takes a lot of time for a human to discern it. But if you're able to maybe look at past exploits, past vulnerabilities and then use AI to inform automation on looking for new ones.

Chris Ferris: Right now everything is basically pattern matching. So we're looking for exact matches, the signature if you will, of a particular vulnerability. This is actually looking at where does something have that potential? Because a lot of vulnerabilities actually happen not because there's a piece of code that's flawed, but it's because then you lay it on top of a piece of hardware and then boom. So there's an awful lot of things that don't necessarily get caught right away just from the scanning that we have today.

Luke Schantz: I was reading a little bit about the CodeNet and one of the things that I got excited about, and the documentation said it, part of it is because it has such good commenting and metadata around the code base so that now it becomes beyond that simple pattern match. And you can almost get into a semantic ontology of how the code works.

Chris Ferris: If you just did machine learning on all of GitHub, which I guess maybe somebody could do, how much of that code is really good versus GitHub? So you don't want to have the bias of really bad software practices to creep into your AI that's going to help make recommendations as to how you should write something. So this is actually, like I said, it's been vetted code, it was code that was contributed into competitions. So it's well documented and well written because of all of that, and that's what makes it different than just random code. One of the things that we do is we keep an eye on what's going on out in the open source world, if you will. And there's a project that's sort of caught a lot of people's attention. Project Ray that's being developed by some of the same people that developed Spark. And we've been taking a very close look at it. It does some very interesting things. Trying to do multi-threaded Python is difficult. So anytime you want to do some machine learning, and in this particular case, it's reinforcement learning that Ray was built for, when you want to run a whole bunch of things in parallel, otherwise it's just going to take you forever to train a model. So they've written capabilities that allow you essentially to annotate your Python and/or Java and have it run off and do things in parallel in separate containers and stuff. So this is interesting for a variety of reasons, but basically it can help accelerate the process of training models and so forth. So that's interesting enough, and that got the attention of a lot of the data scientists and so forth that are working on things like Cloud Pak for Data and people that are working in research and so forth. But it also caught the attention of the people that are doing serverless work and we have a project called Code Engine, which does serverless.
So somebody had the brilliant idea of what if we layered Ray on top of Code Engine so that we could actually fire off different threads in a serverless kind of a manner that would also then be paralleled? So we could actually get even better... We call them pipelines. So we actually presented something at the Ray Summit this past week. I was actually hoping it would be announced yesterday, but I guess the actual announcement is going to be maybe after the fourth weekend, but watch the space, as they say.

Joe Sepi: Yeah, exactly.

Chris Ferris: Interesting capabilities published as open source again, and it's the accelerating trend here from IBM, especially because we want to be able to collaborate with our colleagues over at Red Hat and everything they do is upstream. That's the pattern that we're starting to see more and more of. And I couldn't be happier. It took me 20 years to get here, but it's a good thing.

Joe Sepi: Yeah, that's really cool. I will encourage folks to follow you on Twitter to hear more about that.

Chris Ferris: Yeah, we'll be talking about that probably in another week or so.

Joe Sepi: Yeah, exciting.

Luke Schantz: We'll definitely mention it in an upcoming episode in our introduction and we'll add it to the show notes of this episode.

Chris Ferris: And then I would actually encourage... I'll connect with you guys afterwards, but it'd be good probably to have a chat with some of the guys that are working on this. I think it would be helpful.

Joe Sepi: I'd love to. Yeah, that would be great. Really great. Very cool. I know we had a bunch of other things.

Luke Schantz: How about the new data license agreement?

Chris Ferris: Oh yeah. I meant to mention that with CodeNet. So we'd actually been collaborating with Microsoft and the Linux Foundation and a few others on... We needed to have an ability to license data. It's not open source, so there's different things to be concerned about and you want to be able to license data for particular uses and so forth. So we came up with something we call the Community Data License Agreement or the CDLA, and it had a sort of sharing mode and it had a permissive. And the permissive mode was considered to be a little bit cumbersome, let's say, of a license. So colleagues of mine from Microsoft and Linux Foundation again got together and said, "We need to solve that problem." Because we really want to be able to publish data sets for machine learning and so forth that are fully permissive. We wanted to have something the equivalent of like the MIT License for data. That's essentially what we're looking for. And so we actually came up with and just announced it, I guess it was about a week ago, the CDLA Permissive V2, which does exactly that. It gets us to a much cleaner and less cumbersome permissive license for the CDLA. So actually one of the first things that we've published under the CDLA Permissive V2 is the CodeNet data set.

Joe Sepi: Cool.

Chris Ferris: And there will be more coming. We actually have something called Data Asset Exchange. So we're in the process now of working with research and legal to get all of those that are written under the old CDLA 1 Permissive to adopt the CDLA 2 Permissive.

Joe Sepi: Yeah, this is amazing and fascinating to me. This is what I love about open source, right? It's like we have this problem, you have this problem, let's get together, talk about it, solve it together. And everybody benefits. I think it's inaudible.

Chris Ferris: And we're competing in the AI space, obviously, with Microsoft. But we're trying to get to a point where at the end of the day, there's so much that's really just table stakes. There's so much software that's basically just commodity capability. It doesn't really differentiate. And I think most software vendors are now realizing that there's really no value in trying to come up with a better version than somebody else. Because the community's just going to out-innovate you eventually. You may have a brief advantage for a time, but then the community will come along and do it for you anyway.

Joe Sepi: Yeah, that's so true. I don't know if this is a good segue, but another thing we had talked about in the prep show was the LinuxONE build platform for the open source project stuff.

Chris Ferris: Oh yeah. So that's actually another cool thing. So very briefly, a lot of projects, the LinuxONE team, I should say the zLinux team, but they're trying to make open source more compatible with the mainframe platform. But a lot of people think, "Oh, the mainframe. That's like 19 millions technologies." I got news for you. We got some capabilities on the mainframe that blow your mind. And we've got the full Linux capabilities on the mainframe as well. Again, there's always some porting that's involved. So it used to be the case, and it still is the case to a certain degree, that when we have customers that say, "I want to run Cassandra on zLinux," we have to do a little bit of porting and we have to do some maintenance to keep it patched and so forth. The preference would really be, well, why aren't we just making the LinuxONE capabilities available in the cloud for people that are working in open source to use as a resource? It's the same way that, for instance, Intel did back in the day with CNCF and said, "Here's a thousand inaudible that you can use to scale in performance tests, Kubernetes and so forth." So we're in the process of making a build platform available for open source, trying to publicize it and get other projects to recognize it. You can just extend your Travis, if you're using Travis for instance, to do your CI/CD, you can just extend it into this and have a build pop out the other end to make sure that it's going to run on zLinux. And then they'll help obviously with remediation of any issues that you might run into. But the first step is really just making that build platform available to people to use. So yeah, that's another, I think, positive step that we've taken.

Joe Sepi: Yeah, that's great. I assume my colleagues in the Node.js space are fully aware of this, but I'm going to touch base with them after this call. Awesome stuff.

Luke Schantz: Yeah. Thank you so much, Chris, for taking the time to chat with us today.

Chris Ferris: My pleasure. This was fun. This was good.

Luke Schantz: As Joe mentioned, the hour just flies by, but again, if anybody has any questions. There was some chat coming through, I didn't pass anything through. But if you're catching this on podcast, please feel free to check the show notes and private messages.

Chris Ferris: Tweet at us or DM us or whatever. Yeah, exactly. We're always happy to answer questions.

Joe Sepi: Yep. Great. Thanks, Chris. I really appreciate it.

Chris Ferris: Thanks, Joe. Thanks, Luke. Appreciate the time. This was good. A lot of fun. You guys have a nice weekend.

Joe Sepi: Yep, you too.

Luke Schantz: You too.

Chris Ferris: Cheers.

DESCRIPTION

In this episode, we are pleased to bring you a conversation with the Open Technology CTO and IBM Fellow Chris Ferris.

Today's Guests


Chris Ferris

IBM Fellow & CTO Open Source Technology, IBM