Chris Ferris | Open Source CTO | In the Open with Luke and Joe

This is a podcast episode titled, Chris Ferris | Open Source CTO | In the Open with Luke and Joe. The summary for this episode is:

In this episode, we are pleased to bring you a conversation with the Open Technology CTO and IBM Fellow Chris Ferris.

Chris Ferris (https://www.linkedin.com/in/chrisfer/), IBM Fellow & CTO Open Source Technology, @christo4ferris (https://twitter.com/christo4ferris)

Joe Sepi (https://www.linkedin.com/in/joesepi/), Host, Open Source Engineer & Advocate, @joe_sepi (https://twitter.com/joe_sepi)

Luke Schantz (https://www.linkedin.com/in/lukeschantz/), Host, Developer Advocate, Quantum Ambassador, @IBMDeveloper, @lukeschantz (https://twitter.com/lukeschantz)

Key Takeaways:
  • [00:05 - 00:28] Intro to the episode
  • [04:54 - 07:40] Chris shares his IBM story
  • [07:57 - 11:51] IBM's open source story
  • [13:20 - 16:05] The Value of Open Source in the Cloud Era
  • [17:32 - 19:10] Important skills for those in open source
  • [19:27 - 22:08] How IBM shares open source knowledge internally and with customers
  • [23:44 - 27:19] The Open Source Security Foundation
  • [32:23 - 36:17] Some things Chris is working on and excited about
  • [41:12 - 42:54] The new data license agreement

Resources:
IBM's open-source story: https://www.ibm.com/opensource/story/
Red Hat State of Enterprise Open Source Report: https://www.redhat.com/en/enterprise-open-source-report/2022
Open Source Security Foundation: https://openssf.org/
IBM's Project CodeNet -- a large dataset aimed at teaching AI to code: https://research.ibm.com/blog/codenet-ai-for-code
Project Ray -- Fast and Simple Distributed Computing: https://www.ray.io/
New collaborative data license agreement created to make sharing data sets easier -- Linux Foundation AI releases Community Data License Agreement v2 license, 364 words of data-sharing clarity: https://developer.ibm.com/blogs/new-collaborative-data-license-agreement-makes-sharing-data-sets-easier/
LinuxOne (Z/Linux) builds a platform for OSS projects: https://developer.ibm.com/blogs/utilize-linuxone-as-a-platform-to-build-open-source-technology/
Intro to the episode
00:23 MIN
Chris shares his IBM story
02:44 MIN
IBM's open source story
03:55 MIN
The Value of Open Source in the Cloud Era
02:44 MIN
Important skills for those in open source
01:41 MIN
How IBM shares open source knowledge internally and with customers
02:40 MIN
The Open Source Security Foundation
03:35 MIN
Some things Chris is working on and excited about
03:53 MIN
The new data license agreement
01:41 MIN

Luke: Today we are pleased to bring you a conversation with IBM Fellow and CTO of Open Source Technology, Chris Ferris. We are going to be discussing a variety of open source projects as well as a recent report, The Value of Open Source in the Cloud Era. This report surveyed 3,400 developers and managers to build an understanding of the attitudes and realities in today's development ecosystem. Before we welcome our guest, Chris Ferris, let's say hello to my colleague and co-host, Joe Sepi.

Joe Sepi: Hey, Luke. How are you?

Luke: Good. How are you doing, Joe?

Joe Sepi: I'm okay. Thank you. It's a little overcast today. The weather's been a little weird. The other day, it was warm through the night, and then slowly got colder through the day, which is always really weird. It's flipped around. The weather's been really strange. How about you, Luke?

Luke: Similar. I think you want to be at your pool, whereas I want to stay out of the sun at all costs, so this is perfect. I like a warm-ish day, and then a cool night. That's great for me.

Joe Sepi: No, it sounds nice. Look, I have a whole closet full of light coats, light jackets that I like to wear, so I prefer a good cool day. So it's nice. I'm enjoying it. I don't mean-

Luke: It's funny you mention... I remember that about when we would do events together in New York City. You always had very cool jackets. But before we welcome Chris, I wanted to mention a few things, just a little bit of housekeeping. If anybody has any questions, feel free to drop those into the chat on whatever platform you're watching. And if you're catching this as a replay later, as a podcast, hey, tweet at us. Happy to answer your questions post-event. No problem. I also wanted to mention, as always, you can find us at ibm.biz/intheopen. We have the livestream. Whenever we're going live, every other week, is on there as well as all past episodes. And then if you want to find the podcasts, you can find all our past episodes as podcasts. And I don't want to forget all the rest of the podcast ecosystem. We've got other podcasts, IBM, Z, DevOps Talks. We have a data science podcast. We have an IBM Cloud podcast, a Call for Code podcast. There's so many podcasts on IBM developers, so make sure to check those out. But without further ado, let's welcome our guest, Chris Ferris.

Chris Ferris: Hey, guys. How you doing?

Joe Sepi: Good. How are you, Chris? Welcome.

Luke: Thanks for joining us.

Chris Ferris: My pleasure. And speaking of overcast, I'm just going to warn you. I live in Florida. It's the rainy season, which means it's going to rain every day for the next three months.

Joe Sepi: Yeah. So three months, huh?

Chris Ferris: Sure enough, it was beautiful this morning, and now it's a huge thunderhead overhead.

Joe Sepi: Yeah. I feel like I told this story maybe on the show once, already, but I was in Florida once. My flight got canceled home. I was there with my wife and son, and we ended up going to the Kennedy Space Center and enjoying the day that we were gifted by the airport snafus and stuff. But anyway, I'm trying to work while my wife is driving, and it starts pouring like inaudible, which apparently it does in Florida. And I put in Orlando Airport, and I put it up on the screen. Okay, great. And we start driving, and I'm working. And we pull into this tiny airport in Orlando. Apparently Orlando has three or four of those inaudible.

Chris Ferris: Oh, there's like an executive one, yeah.

Joe Sepi: So we're like, "This is not the right airport." Anyway, yeah, Florida was crazy. Good luck with that all summer, huh?

Chris Ferris: All summer. Actually, my wife showed me a cartoon the other day. It starts out, it's at 2:30 AM. It's beautiful out. 3:00, and then it's got this picture of the palm trees are just blowing and it's raining hell. And then 3:15, ah. And that's about it. Usually, it's in the afternoon. Usually, it's mid-afternoon when the thundershowers come rolling through. They come from the West Coast across to the east, and now it's every afternoon. But then it's usually beautiful in the evenings. Then you go out, dine out by the water.

Joe Sepi: Yeah, that sounds nice.

Chris Ferris: It's a tough life, but somebody's got to do it.

Joe Sepi: I had the flip scenario when I lived in Olympia, Washington, out in the Pacific Northwest, where it's beautiful in the summer, but all the non-summer months, it just rains all the time. But when it's summer and it's nice out, you just really soak it in. It's lovely.

Chris Ferris: Yeah. Plus in Florida you learn you have to do everything before about 10:30 AM. It doesn't get as hot as out... I think, actually, I think out in the Northwest is going to get hotter than here. To 90 degrees is usually about as hot as it gets, but it's humid. It's not a dry heat, like some places. So if you're out playing tennis or golf, or something, it can be brutal.

Joe Sepi: Yeah, I can imagine. Cool. Hey, you've been here at IBM for a while. Maybe we could start. You could just tell us a little bit about what you've been doing and how it started and a little bit of your IBM story.

Chris Ferris: Sure. Sure. I actually am a professional hire into IBM. I joined in 2002, so I'm working on my 20th year right now. Before that, I was working at Sun Microsystems for, I don't know, about 13 years I think. I had actually started to work in open source in around XML in particular in some of the XML parsers, starting to use open source and contribute back. And I started getting involved in a project called ebXML, which was a joint initiative between an organization called OASIS, the Organization for the Advancement of Structured Information Systems, and the UN. They were working on trying to unify the world of e-business and enabling it to be done through XML, and I had been working on in Sun's IT organization, for a long time. And then I joined JavaSoft, and they said, "Hey, you have this background in e-business and systems and so forth. You should get involved in this." So I did. And one of the co-leads for the organization was my boss, and the other one was Bob Sutor, who is now over in research in The Quantum Group. I guess he saw something he liked and gave me an offer I couldn't refuse, and the next thing I knew, I was working for him.

Joe Sepi: Nice.

Chris Ferris: Yeah.

Joe Sepi: Yeah, it's interesting to hear 20 years for you. I feel like a baby, at five, and which is interesting. My career usually was two or three years at a place, and I'd be moving on to the next thing, but I'm happy here for a variety of reasons we could go into another time. But it's amazing, especially, I used to live in Westchester. I'm over Connecticut now, but I couldn't throw a stick without hitting an IBM. And most of them are multi-decade IBMs.

Chris Ferris: I grew, grew up in Westchester. I grew up in Rye.

Joe Sepi: Oh, nice.

Chris Ferris: Yeah. Yeah.

Joe Sepi: Nice. Yeah, I had some friends over at Rye.

Chris Ferris: Just inaudible IBM right up the street there.

Joe Sepi: Yeah, yeah. Well...

Chris Ferris: We just had an IBM, we had a timeshare in the high school, and that was where they taught it. Eighth grade had an honors course in computer programming. Actually, I took that one. That was a lot of fun. That was probably my first introduction to writing software, was writing checkers and chess and various other, poker and so forth, on them. That was a lot of fun. But so, I mean, I was basically hired to go and work in the open technology organization, and I've been here ever since. This has been the only job I've had at IBM. I've been promoted a few times, but they brought me in to try and help open up IBM, get it more involved in open standards and open source, and here we are 20 years later.

Joe Sepi: Yeah. That's amazing. I love that this is a 20-year story in open tech and open source and stuff, which really is a good segue into perhaps the first thing we can chat about, IBM's open source story, I guess you'd say.

Chris Ferris: Yeah. A lot of people would say, "IBM open source? Really?" until we acquired Red Hat. It wasn't as widely known, as it probably should have been, just how involved and invested in open source we have been, since the earliest days. Since before Red Hat was a thing, we were involved in open source and working in, contributing to the LAMP kernel, in helping to write some of the software that's powering the web today, some people working in the very earliest days on the Apache Web server, and so forth.

Luke: I'm sorry to interrupt you, Chris. I just wanted to say too, that I think it's important to point out too, that it's open source, but also the open standards, standards work, and open governance too.

Chris Ferris: Yep.

Luke: I, to concur with you, often found myself frustrated working at open source and feeling like nobody realized IBM did as much as we do in open source. But I often would experience where, in a lot of the organizations I was in, there would be a limit for an employer to be a part of the TSC, or the committee, or whatever. And we were always bumping up against that limit, like, "Oh, you got to step down so this other person can come on." It's like we do too much open source, and almost, but-

Chris Ferris: Yeah. We've been doing it for the longest time. Actually, if you reach back in the very earliest days, in the late 1990s, when Linux was starting to get a little popular, and a certain operating system vendor in the upper Northwest started getting a little antsy about their IBM, meaning over the operating system on a desktop in the server. And IBM indemnified its clients if they were using Linux on IBM hardware. We said, "Go for it. We got your back." That really helped to legitimize open source for the enterprise. A lot of financial institutions had started to... They were all rolling their own distros, and so forth, and starting to leverage a lot of open source, whether it was just the new compilers and stuff like that, or just the plethora of things that were growing up around that ecosystem. And we made that a legitimate thing. And then, of course, we helped to found the Apache Software Foundation. Our legal department actually was the one that helped to write the original Apache software license, with the others. And we collaborate with others in the industry, obviously, but we helped to bring that to life. I don't know if we have anybody on the board now, but for the longest time we had somebody who was serving on the board. We have a number of mentors there. We have people that are working, to this day, in various of the Apache projects. Also, we helped to establish Eclipse. And now, that was one of those situations where, actually, I was at Sun at the time, and it was an interesting development to come up. Eclipse, what does this mean? If you look at these communities, whether it's Eclipse, or The Linux Foundation, or Apache, and they all started with one thing. Linux, it was the kernel. With Eclipse, it was the IDE framework for Java. And with Apache, it was HDP. And now, they each have over 300 or 400 projects a piece, working on all kinds of things that have nothing to do with the original purpose. 
And it was for exactly that point that you've made about open governance. It's because it basically created these safe spaces to innovate and collaborate, even with your fiercest frenemies. It's amazing to this day that we have collaborations in the cloud space with every one of the hyperscaler cloud vendors. And the activities that we do, and whether it's in CNCF or Kubernetes, and so forth, very collaborative environment. There's no backstabbing and that kind of stuff. Standards was a little bit different. Standards was a little bit more defensive, but I find that open source tends to be a lot more collaborative and innovative and sharing of success.

Joe Sepi: Yeah. I mean-

Chris Ferris: Sorry.

Joe Sepi: ...it's the whole inaudible.

Chris Ferris: The vendor-neutral governance thing.

Luke: Maybe-

Joe Sepi: Is it me?

Luke: ...turn your volume down.

Joe Sepi: Got it.

Luke: I'm not sure. I was also going to mention, I think it was Brad Topol, on a past episode, mentioned when the folks who developed Eclipse found out it was being open sourced, it was a bit of a paradigm shift because-

Joe Sepi: Oh.

Luke: ... they're like, "Oh, boy. We spent all this time. We thought this is a product. And what? Are you giving this away?" But obviously, like you mentioned, it has implications, and it grows bigger than it could ever be, standing on its own.

Chris Ferris: Right. That's exactly right. And it's still, to this day, it's still we're encountering situations where I'm making a recommendation that we open source something, and they're like, "What? We spent all this resource in developing it. And it's proprietary. And it's earning us money." I'm going, "You don't need to have proprietary software to make money. Ask the guys that we just bought for $34 billion. Everything they do is open source, and they're still making a ton of money."

Luke: And it's interesting. You had mentioned that other operating system from the past that was apprehensive against Linux. And I believe, on the last version of it, they even started to incorporate the Linux kernel into it and then made a PowerShell for Linux.

Chris Ferris: That's right.

Luke: So it's interesting how the paradigm shifts change over the decades.

Chris Ferris: Totally. And then VS Code is one of the most pop IDEs out there, but almost everybody does it to develop on Linux. That's the reality.

Luke: I think we all had a feeling and got a focused sense of this is how open source works. There is a value. And it's right, but there's some confirmation on this now. There was a recent study, The Value of Open Source in the Cloud Era.

Chris Ferris: That's right. Yeah. It was actually interesting. I'd been reading an article that was suggesting that if you're a software developer in the cloud, that you need to know these 10 APIs from... And I won't mention the cloud provider. And I said to myself, "That's just not right." I said, "Because everything that's behind each one of those APIs is open source." And I said, "I think it's actually the case that developers, I think their preference would be to have skills in the underlying open source capabilities rather than the proprietary vendors' set of APIs." And I got with the IBM marketing team and said, "Can we do a serious study about just what is the developer sentiment around whether it's for cloud and for various other data and AI capabilities, what's their preference in terms of what APIs and what technologies are they interested in, to advance their careers?" It was interesting because my sense was, no, it's the open source that they care about. It's not necessarily the proprietary APIs. That comes secondary. But if you're doing container orchestration, you're using Kubernetes. Whether it says so or not, that's under the covers there, and that's the skillset that developers are looking to acquire. That's the one that I think that actually hiring managers are looking to find for their teams because it's easy enough to learn the skin that various vendors put on top of that. But so that we did a study with Riley, and they surveyed about 3,400 plus, and probably evenly split between hiring manager types and developer types, across the spectrum of enterprise sizes and so forth. And the study came back and reinforced my sense that actually two-thirds of developers felt that it was the underlying open source APIs and skillsets that helped to advance their career. 
And the other interesting sort of tidbit from that was that over 50% felt that their contributions to open source actually helped advance their careers and essentially netted them more money in the jobs that they did land. So that was, I think, a very positive thing. There were a number of different findings. And I think, yeah, there's the link to the report, a huge amount of information in there. But it all reinforced my sense that the things that matter are the skills in the underlying open source, not so much the proprietary API.

Luke: It is good to get that confirmation because I feel like, especially on this show and just in general, that has been, I think, the message that I've been purporting to folks, is, "Hey, get involved in open source. It's a way for you to not only differentiate yourself at your company, but then also get to know that greater ecosystem." And if you want to make a move, or if you want to negotiate for that higher salary, you might be awesome, but if you're locked away and no one knows what you're doing, being able to work out in the open is a great way of just personal development.

Chris Ferris: Totally. It's a double-edged sword for hiring managers because having people that are out networking in these communities and building their own personal eminence in open source communities can essentially make them very good targets for the competition to pick them up, and that can advance your career. But I think most developers, that's a nice thing if they get into a bind, but I think people like to work for a company that allows them to work in open source. I know a lot of the people on our team feel that way, very strong. And there's an awful lot of people that are on the product teams that really want to be on our team because they love to be working out in open source. So we're trying to turn the tide and dial it up a notch to get more and more of the IBM developers that are working on proprietary products to work out in open source as well.

Joe Sepi: Yeah. I'm good?

Luke: Yeah. I can hear you great, Joe.

Chris Ferris: Yeah.

Joe Sepi: Good. Yeah, I feel like there's so many benefits to being in open source. I think one thing, and forgive me if you guys already touched on this, but learning to work with other people in open source, in a collaborative way, where no manager is telling you whatever, but you have to figure it out with other people out in the open and make it work, is a really important skill as well.

Chris Ferris: That's right. It's what they call a soft skill, that you learn from working out, collaboratively, in the open. You're learning to essentially be able to assert yourself in a positive way, to get your point across and so forth. And that helps. And then, of course, there's the practices that we have, out in the open source communities, tend to be a little bit more mature, especially from more advanced CI/CD, Agile development practices and so forth. And bringing that back into the enterprise is an important part of the overall, I think, attraction. Now the other thing that I didn't mention about the study was, so yeah, it's two-thirds of developers, and more than 50% of developers about thinking that it advanced their careers. The interesting thing that I found, though, was that when you look at who's responding, the hiring managers actually felt more strongly about both points, by about 5%. Hey, I thought it was fascinating to see that the hiring managers starting to recognize that this is important. And increasingly, we're getting... A lot of our clients are asking us, "Boy, we're getting an awful lot of... Our developers are asking us, 'Can we work out in open source?' And we don't know how to do that." So a lot of what I do is help some of our customers to work on how to incorporate open source into their thinking, into the practices.

Joe Sepi: Yeah, that's a really good segue because I wanted to talk to you more, I guess briefly, because this could be a whole episode, how we do that, internally. And then how do we share that knowledge and what we're doing with our clients? Something I've bumped into, as well.

Chris Ferris: Yeah, we actually publish the framework, if you will, that we use, to encourage more and more open source. We have annual training to start with. Just what is open source? And why should you care? And you have to be careful. You don't want to just pick up anything off the ground and use it. You want to make sure that you're using something that has a community behind it that's working to keep it current, to fix bugs and vulnerabilities as they arise. And we teach them about all the different licenses and so forth. And then we also have some internal training. We call it the Dojo. It's basically an opportunity for people such as yourself, Joe, and others, to basically help mentor new developers that want to get involved in open source, help them through that process, first of giving them the basic training, if you will, of working out in GitHub and how to land a pull request and how not to be a jerk in the chat forums and stuff like that. But then, also, when they get stuck and they're trying to get something in, we actually have a lot of people in a lot of the communities that can actually help get somebody up to speed and onboard and feeling part of the community. We have all of that. And then we have the recognition program every year. We go around, and people that are actually leading in the various communities, we can recognize that value. We got badges. Everybody's got badges now, but we've got badges. And the other piece of it is that we're actually trying to, again, as I mentioned, we're trying to grow the upstream participation from the product teams. Way back in the day, I remember there was a, "Oh, my god. You can't be contaminated by open source. Ooh."

Joe Sepi: Unsafe.

Chris Ferris: He's got inaudible or something. I don't know. I always felt that was funny because if you look inside, and peel the onion skin back a little bit, our flagship web application developer, WebSphere, web application development platform, was 70% open source. Okay, so you can't touch open source. Tell me again, how does that work? Right?

Joe Sepi: Yeah.

Chris Ferris: That isn't the only one, and certainly all of the new stuff that we're doing now, all the cloud AI and data, all of that is based on open... even Quantum because you've got Qiskit and QASM out there, and very much out in the open. It purveys every single industry, and we're now starting to see more and more application-level stuff is turning open source. I was just working with a colleague who's in the oil and gas industry. They've done this amazing work around open sourcing, if you will, a data analytics platform for oil and gas discovery. It's some cool stuff. It's some cool stuff.

Joe Sepi: Yeah. Yeah, I remember being at a conference, and somebody coming up and talking to me about open source. They're trying to get their employer. They worked in the auto industry, and they're very protective and afraid of any security-related stuff. But I remember talking to them about keep the stuff that... The business differentiators, those you can keep to yourself. But all the foundational stuff, build it out in the open with your competitors and help crowdsource the work part of it, and also help work on security stuff together and work it all out in the open.

Luke: Every time I hear... Chris had said, "In the open," earlier. I was like, "Oh, he said, 'In the open.'" Also in the open source, coming from IBM and oil and gas industry, the MQTT standard from Andy Stanford-Clark over there in Hursley, is also another great example.

Chris Ferris: Yeah. It's also a good example of the pairing, if you will, of open source and open standards because MQTT actually started as an open standard. And then there's a number of different implementations that have mostly been written in open source, so it's been a good partnership, really.

Joe Sepi: Yeah, that's interesting. We talked a little bit about the Linux Foundation earlier, and I think it's really interesting that the Linux Foundation has become something of an umbrella foundation for all these other foundations. I'm a part of the OpenJS Foundation, and that was born out of merging the JS Foundation and the Node.js Foundation together, which all of them are Linux Foundation projects. I know a fairly recent one is the Open Source Security Foundation.

Chris Ferris: Yeah.

Luke: Yeah.

Joe Sepi: And you do some work in that space as well, Chris?

Chris Ferris: I do. Yeah, back in right before the pandemic, about I want to say in the fourth quarter of 2019, IBM and Google and Microsoft and GitHub and Red Hat started to talk about the need to... And this predates the whole SolarWinds thing. But we recognized that, "Look, open source is increasingly becoming de facto in every industry. And whether it's governments or whether it's enterprise, it's pervading absolutely everything. We need to make sure that we aren't going to be in the situation, because we're taking dependencies of some obscure library someplace that nobody's paying attention to, that we end up with some serious vulnerability that causes the world economies to collapse," and stuff like that. So we had some conversations around, "So how would we deal with this?" The thinking ranging from, "Let's fund open source projects that are needing people to come and contribute to them," but then there's also, "Yeah, but how can we help projects, that have diverse communities, but how can we help them improve the practices around secure engineering and developing an effective CI/CD system that isn't going to get compromised? And how do we ensure that they have the wherewithal to be able to deal with vulnerabilities in a progressive disclosure of a way, where you're not just blurting out, 'Hey, I got that zero day in this cool library.'" So there's a number of different aspects of this. Some of it is just, again, badging, but we have the Core Infrastructure Initiative had a badging initiative, that you could assess your open source project against a set of best practices in the industry to ensure. And then you get a little badge that you could put on your README that said, "Hey, I've got a CII badge." Now we have different levels of passing. Silver and gold, I think, are the different levels. But they're progressively more and more focused on ensuring that you're able to deal with security vulnerabilities in a reasonable and responsible way. 
So yeah, I helped to actually work with Microsoft and Google in helping to set up the OpenSSF, and I serve on the board right now. Now, again, because we stood it up during the middle of the pandemic when everybody was a little bit concerned about whether we were going to be in business the next week or not, we ended up saying, "Let's not go and Dialing for Dollars for millions of dollars of funding right away. Let's get something going and then we'll figure out how to fund it later." So we're actually in the process now of trying to figure out how to turn it into, just as with the JS Foundation and so forth, how do we actually get it up and running with staff, with marketing dollars behind it, with full support for any of the operational aspects of things we want to do, to make sure we have somebody out there essentially raising awareness of what we're trying to accomplish. With SolarWinds and with some of the recent sort of ransomware hacks that have occurred, and what was it, Colonial Pipeline and others, and with the executive order, most recently, from the White House, everybody's hair is on fire now about the supply chain for open source security. So we're getting a lot of attention. I think that's a positive thing, but I like the fact that we were ahead of the curve and trying to get something rolling before everything hit the fan, so to speak.

Luke: So interesting. Two thoughts I wanted to mention here. On a past episode of the IBM Developer podcast, we had the NSA community team come on. They mentioned using Eclipse and using a lot of open source tools. Obviously, there's a lot of strict controls when you get into these government agencies, but that they had work groups to be able to work on that stuff together. And then, most recently, I just saw a post they made, especially because of these nation-state threats and infrastructure threats, they've actually created almost similar to what our IBM garage is, to work with industry partners to be able to work together in this coworking, half inside, half outside environment, to address some of these threats.

Chris Ferris: Yeah. Actually, that was one of the things that we were trying to set up. Of course, we need some funding for that, but we wanted to actually set up an enclave where we could collaborate together on resolving some critical vulnerabilities, whether it's in the kernel or elsewhere, in an environment where we had full build capabilities and everything. But nobody could see it, except the people that had been granted access, but that would allow us... Because right now, everybody's doing it on their own, pretty much. We had the situation with Heartbleed and so forth. Everybody had to go and deal with how to resolve that vulnerability on their own, and it wasn't pretty. Everybody was doing the same piece of work, essentially. But because we didn't have that ability to collaborate out in the open on that kind of... We were talking about it, but we weren't able to actually collaborate on the actual fix, in the open. So yeah.

Luke: Sorry to cut you off, Joe, but if I don't-

Chris Ferris: No.

Luke: ...cut you off, you're going to cut me off. It's what we do. This is the New York way. One thing I was just going to mention, one of my favorite podcasts I listen to is called Darknet Diaries. It talks about a lot of these cases, and it's exactly one of the things you mentioned. It's what if a security firm finds that zero day? Now, of course, they want to tell their clients first, but they want to tell everybody else. Maybe someone else is discovering it at the same time. And then, if you do, most of those systems are going to take a while to get updated and patch. So sometimes even doing the right thing and letting the community know about this vulnerability, those bad actors will, within a day or two, whip up something to exploit that and cause a huge problem in a very short period of time. It's a tough situation.

Chris Ferris: It really is. That's actually one of the things was getting into a best practice for how to set up a responsible disclosure process for reporting vulnerabilities that you uncover. And most, the vast majority of open source projects don't have that level of maturity of having an inner sanctum, if you will, of security engineers who can deal with that sort of thing. But where you don't just blurt it out to the mailing list, but you instead send it to a mail address that's going only to the select individuals that have the ability to address the problem.

Joe Sepi: Yeah. That's one of the benefits of being in a foundation, right, is they-

Chris Ferris: Totally.

Joe Sepi: ...help you to try to sort those things out and everything.

Chris Ferris: Totally. Yeah, and I say most of open. But again, I like to say most of open source is random.

Joe Sepi: Yeah. Yeah. Yeah.

Chris Ferris: It's the projects that are housed in the likes of the LF, or Apache, or Eclipse that I think are the ones that have the most maturity. They also have the most prospects for sustained success. There's actually been studies done that projects under open governance tend to do better, by and large, than their non-openly-governed counterparts. But you can have projects that are controlled by a single vendor that are done very effectively, but Google's not... You shouldn't shake your head at projects like Istio and Knative. They're very well run. Would we like them to be under open governance? Yes, absolutely. And we're working towards that, but that's not necessarily the inaudible. I mean, there's a lot of open source that just some guy or gal came up with a really good idea, wrote some software, and then they got busy with their day job, or they went back to school, or whatever it was, and there it is. It's like, "Hey, it's open source, so you can have it."

Joe Sepi: Billions of projects?

Chris Ferris: That's the same thing like furniture left by the side of the road. You can have the couch. You can put it in your living room, but you get all the quarters, and you get all the bugs. inaudible.

Joe Sepi: Yeah, there's an XKCD comic where it's the Jenga Lego thing styled up. And there's a little one down here.

Chris Ferris: It's like just a little thing. I mean...

Joe Sepi: Yeah. Yeah.

Chris Ferris: That's right.

Joe Sepi: That's so true.

Chris Ferris: Yeah. Actually, that was on the OpenSSF. That was one of the things we had in our announcement. We did a little XKCD thing. Yeah.

Joe Sepi: It's perfect. We can move on in a second. I just wanted to share, and we can talk about this actually offline. But I have an old friend at the Ford Foundation who I know from punk rock days. She spoke at an OpenJS World recently. Anyway, we're talking about trying to get a grant from them and work with them at the LF, and I think security would be a really interesting thing to explore, so let's maybe talk about that more offline. Yeah, I'm curious. What are some of the things that you're excited about right now in the work that you're doing, or research, or-

Chris Ferris: Very recently, one of my colleagues, who was managing... We have an open tech group. The open tech group is split down the middle where half of the team is working on cloud and cloud native kind of things, and the other half is working on data and AI. So my colleague is retiring, after a long career. So I took over the data and AI side of things, saying, "Okay, I can. I've never been a manager, but let's give this a try." But over the course of, I would say, the past year, I've started shifting a lot of my focus. I had been working on blockchain for a while, and so I started shifting a lot of my focus to data and AI. I think it's fascinating. I taught myself Python and learned a lot about the different frameworks and so forth. That's the world that I'm in most now, if you will. Still keep a sharp eye on some of the other things. And the other part of my job is, as an IBM Fellow, I have to have more of a global influence and so forth. And I've been, as I mentioned, I'm trying to get the IBM company to be thinking about open source first. So I actually have this initiative that we call the Open Source First initiative, where I'm trying to get people to say, rather than the first instinct to be, "Let's develop something proprietary when we need some new capability," let's look at open source first. If there's something there, then let's see if that makes sense for us, and let's turn that equation on its head. So I'm also working to try and get more and more things to be either put out as open source, because I don't see a reason why we have to keep things proprietary, as well as getting them to start looking, first, at what's already existent in open source. One of the teams that I've been working with is in research. They recently published something that's actually not open source, but open data. It's actually also an open source project, called CodeNet.
Basically what they have is they have a curated data set of software that was entered into various contests, so it's been vetted. It's been reviewed thoroughly. They know that the software is doing what it's supposed to do, and so they've been doing machine learning on that foundation, that data set of vetted software. And they're hoping that they can leverage that to actually, whether it's to make recommendations as to, "Oh, I see you're trying to write a loop. Maybe you should do it this way as opposed to what you're doing," that kind of thing. To give recommendations in an IDE, for instance, as to how better to write something. To spot potential vulnerabilities before they actually reach the merge state. So when you're doing development, they can actually say, "You're going to create a vulnerability here." So they put this out. It's gotten an awful lot of attention, but the other thing that it's done is it's really helped to see the value of taking something that we've done that's really cool and putting it out there. Because, now, we're getting a whole lot of credit in the machine learning space, that, "Hey, that's really cool stuff." So even some of our competitors are taking advantage of that data set, and people are starting to write models around it. We'll be doing some and publishing those as well. But it really has helped the executives in research, and elsewhere in IBM, recognize the value of doing that. We had a similar success with blockchain when we open sourced the IBM blockchain. We called it IBM Open Blockchain. We contributed that to Hyperledger, which I actually created as well, and created the Hyperledger Fabric project out of that. But it was a huge success, from an open source perspective, and it led to hundreds of millions of dollars of revenue for IBM, in building services around that foundation. But it wouldn't have happened if we had been proprietary about it. It just couldn't happen.

Luke: That is fascinating. Actually, I didn't realize you had worked on the Hyperledger and the blockchain stuff.

Chris Ferris: Yep.

Luke: I have some questions offline to ask you. I've been-

Chris Ferris: Okay.

Luke: ...thinking about stuff, so I'm going to make a note to myself to come back to that.

Chris Ferris: inaudible.

Luke: But yeah, and I could see how you were mentioning vulnerabilities. This could be really useful to tie into the last topic we were talking about, things that would be, I'm imagining a lot of these things, indiscernible for a human, or takes a lot of time for a human to discern it, but if you're able to maybe look at past exploits, past vulnerabilities, and then use AI to inform automation on looking for new ones, right?

Chris Ferris: Right now, everything is basically pattern matching. We're looking for exact matches, the signature, if you will, of a particular vulnerability. This is actually looking at where does something have that potential? Because a lot of vulnerabilities actually happen, not because there's a piece of code that's flawed, but it's because then you lay it on top of a piece of hardware, and then it, boom. So there's an awful lot of things that don't necessarily get caught right away, just from the scanning that we have today.

Luke: I was reading a little bit about the CodeNet. One of the things that I got excited about was, and you were saying it, or the documentation said it, part of it is because it has such good commenting and metadata around the code base so that now it becomes... Beyond that simple pattern matching, it's almost getting into a semantic ontology of how the code works.

Chris Ferris: If you just did machine learning on all of GitHub, which I guess maybe somebody could do, how much of that code is really good versus GitHub? It's you don't want to have the bias of really bad software practices to creep into your AI that's going to help make recommendations as to how you should write something. So this is actually, like I said, it's been vetted code. It was code that was contributed into competitions. It's well-documented. It's well-inaudible, well-written, and because of all of that. That's what makes it different than just random code. One of the things that we do is we keep an eye on what's going on out in the open source world, if you will. There's a project that's caught a lot of people's attention, project Ray, and that's being developed by some of the same people that developed Spark. And we've been taking a very close look at it. It does some very interesting things. Python is not by... Trying to do multi-threaded Python is difficult. So anytime you want to do some machine learning, and in this particular case, it's reinforcement learning that Ray was built for, you want to run a whole bunch of things in parallel. Otherwise, it's just going to take you forever to train a model. So they've written capabilities that allow you, essentially, to annotate your Python and/or Java and have it run off and do things in parallel in separate containers and stuff. So this is interesting for a variety of reasons, but basically it can help accelerate the process of training models and so forth. That's interesting enough, and that got the attention of a lot of the data scientists, and so forth, that are working on things like Cloud Pak for Data, and people that are working in research, and so forth. But it also caught the attention of the people that are doing serverless work. We have a project called Code Engine, which does serverless.
So somebody had the brilliant idea of what if we layered Ray on top of Code Engine so that we could actually fire off different threads, in a serverless kind of a manner, that would also then be parallelized. So you could actually get even better, we call them pipelines. So we actually presented something at the Ray Summit this past week. I was actually hoping it would be announced yesterday, but I guess the actual announcement is going to be maybe after the fourth weekend. But watch the space, as they say.

Joe Sepi: Yeah, exactly.

Chris Ferris: It has some interesting capabilities, published as open source again. And it's the accelerating trend here from IBM, especially because we want to be able to collaborate with our colleagues over at Red Hat, and everything they do is upstream. That's the pattern that we're starting to see more and more of. I couldn't be happier. It took me 20 years to get here, but it's a good thing.

Joe Sepi: Yeah, that's really cool. I will encourage folks to follow you on Twitter, to hear more about that in the upcoming weeks.

Chris Ferris: Oh, yeah. Yeah, we'll be talking about that probably in another week or so.

Joe Sepi: Yeah, exciting.

Luke: And we'll definitely mention it in an upcoming episode, in our introduction, and we'll add it to the show notes of this episode.

Chris Ferris: Yeah, and then I would actually encourage... I'll connect with you guys afterwards, but it'd be good probably to have a chat with some of the guys that are working on this. I think it would be a good inaudible.

Joe Sepi: We'd love to. Yeah, that would be great, really great. Very cool. I know we had a bunch of other things.

Luke: How about the new data license agreement?

Chris Ferris: Oh, yeah. I meant to mention that with CodeNet. We'd actually been collaborating with Microsoft and the Linux Foundation and a few others on... We needed to have an ability to license data. It's not open source, so there's different things to be concerned about. And you want to be able to license data for particular uses and so forth. So we came up with something we call the Community Data License Agreement, or the CDLA. It had a sharing mode and it had a permissive. And the permissive mode was considered to be a little bit cumbersome, let's say, of a license. So colleagues of mine from Microsoft and Linux Foundation, again, got together and said, "We need to solve that problem." Because we really want to be able to publish data sets for machine learning, and so forth, that are fully permissive, so we wanted to have something the equivalent of like the MIT license for data. That's essentially what we were looking for. So we actually came up with, and just announced it this, I guess it was about a week ago, the CDLA Permissive, Version 2, which does exactly that. It gets us to a much cleaner and less cumbersome permissive license for the CDLA. So actually one of the first things that we've published under the CDLA Permissive, V2 is the CodeNet data set.

Luke: Cool.

Chris Ferris: And there will be more coming. We actually have something called Data Asset eXchange. So we're in the process now of working with research and legal to get all of those that are written under the old CDLA 1, Permissive, to adopt the CDLA 2, Permissive.

Joe Sepi: Yeah, this is amazing and fascinating to me. This is what I love about open source. It's like, "We have this problem. You have this problem. Let's get together, talk about it, solve it together-

Chris Ferris: Totally.

Joe Sepi: ...and everybody benefits." I think it's... I don't want to get-

Chris Ferris: We're competing in the AI space, right? Obviously-

Joe Sepi: Yeah.

Chris Ferris: ...and Microsoft. But we're trying to get to a point where... At the end of the day, there's so much that's really just table stakes. There's so much software that's basically just commodity capability, doesn't really differentiate. And I think most software vendors are now realizing that there's really no value in trying to come up with a better version than somebody else because the community is just going to out-innovate you, eventually. You may have a brief advantage for a time, but then the community will come along and do it for you anyway.

Joe Sepi: Yeah, that's so true.

Luke: Yes.

Joe Sepi: I don't know if this is a good segue, but another thing we had talked about, in the prep show, was the LinuxONE build platform for open source project stuff.

Chris Ferris: Oh. Yeah. That's actually another cool thing. And just so very briefly, a lot of projects, the Linux team... the LinuxONE team, I should say, the Z Linux team. But they're trying to make open source more compatible with the mainframe platform. But a lot of people think, "Oh, the mainframe, that's like 1980s technology."

Joe Sepi: Yeah.

Chris Ferris: I got news for you. We got some capabilities in a mainframe that will blow your mind. And we've got the full Linux capabilities on the mainframe as well, but again, we have to do some... There's always some porting that's involved. It used to be the case, and it still is the case to a certain degree, that when we have customers that say, "I want to run Cassandra on a Z Linux," we have to do a little bit of porting, and we have to do some maintenance to keep it patched, and so forth. And the preference would really be, well, why aren't we just making the LinuxONE capabilities available in the cloud for people that are working in open source to use as a resource? The same way that, for instance, Intel did, back in the day, with CNCF, and said, "Here's a thousand boxes that you can use to scale and performance test Kubernetes and so forth." So we're in the process of making a build platform available for open source, trying to publicize it and get other projects to recognize it. You can just extend your Travis, if you're using Travis, for instance, to do your CI/CD. You can just extend it into this and have a build pop out the other end, to make sure that it's going to run on Z Linux. And then they'll help obviously with remediation of any issues that you might run into, but the first step is really just making that build platform available to people to use. Yeah, that's another, I think a positive step that we've taken.

Joe Sepi: Yeah. That's great, but I got to make sure... I assume my colleagues in the Node.js space are fully aware of this, but I'm going to touch base with them after this call. Awesome stuff.

Luke: Yeah. Thank you-

Chris Ferris: Yeah.

Luke: ...so much, Chris, for taking the time to chat with us today.

Chris Ferris: My pleasure. My pleasure. This was fun. This was good.

Luke: And as Joe mentioned, the hour just flies by. But again, if anybody has any questions that... There was some chat coming through. I didn't pass anything through, but if you're catching this on podcast, please feel free to check the show notes and private messages.

Chris Ferris: Tweet at us, or yeah, or DM us, or whatever. Yeah, exactly.

Luke: Yeah.

Chris Ferris: We're always happy to answer questions.

Joe Sepi: Yeah. Great. Thanks, Chris, really appreciate it.

Chris Ferris: Thanks, Joe. Thanks, Luke. Appreciate the time. This was good.

Joe Sepi: Yeah, definitely.

Chris Ferris: Lot of fun. inaudible weekend.

Joe Sepi: inaudible. Yeah, you too.

Luke: You too.

Joe Sepi: Cheers.

Luke: inaudible.

DESCRIPTION

In this episode, we are pleased to bring you a conversation with the Open Technology CTO and IBM Fellow Chris Ferris.

Today's Guests

Chris Ferris

IBM Fellow & CTO Open Source Technology, IBM