Search Results
OpenJDK Governance
On Friday, Mark Reinhold, mentioned that I have recently spent some time helping to help flesh out a draft governance model for the OpenJDK community. As John Duimovich described it, our goal is for OpenJDK to be “…an open, transparent, and meritocratic project that can be run in a lightweight and efficient manner”. I think we’ve largely succeeded in getting there. But it is important to recognize that when the document is (soon!) made public that it is a draft. I expect that many people will have comments and feedback, and I look forward to hearing them.
I do not have a prior history of involvement with the OpenJDK community, so being asked to contribute to this process was both an honour and a pleasant surprise. But given that Eclipse is also a community which involves participants ranging from individuals to some of the world’s largest corporations I believe we have some experiences which are helpful and relevant to the governance of OpenJDK. I hope that I’ve made some useful contributions which help the OpenJDK community off to a great (re)start.
Cyber Resilience Act: Good Intentions and Unintended Consequences
In my previous blog post on the European Cyber Resilience Act (“CRA”), I touched on a topic which I feel warrants additional discussion. Specifically:
Fundamentally, the core of the proposed legislation is to extend the CE Mark regime to all products with digital elements sold in Europe. Our assumption based on the current text is that this process will be applied to open source software made available under open source licenses and provided free of charge, ostensibly under licenses which disclaim any liability or warranty. We are deeply concerned that the CRA could fundamentally alter the social contract which underpins the entire open source ecosystem: open source software provided for free, for any purpose, which can be modified and further distributed for free, but without warranty or liability to the authors, contributors, or open source distributors. Legally altering this arrangement through legislation can reasonably be expected to cause unintended consequences to the innovation economy in Europe.
First, a mea culpa. In the quote above I stated that “…the proposed legislation is to extend the CE Mark regime to all products with digital elements sold in Europe.” That statement is inaccurate. It should have said “the proposed legislation is to extend the CE Mark regime to all products with digital elements made available in Europe.” That is a critical distinction, as it makes the CRA broadly extra-territorial. In today’s world where most software is downloaded over the internet, “made available” means that the documentation, certification, and liability requirements of the CRA are expected to apply to all software worldwide.
I honestly believe that CRA was developed with the best of intentions. Software has become critically important to our economies and societies, and to date has been a completely unregulated industry. Recent events such as the SolarWinds and Apache Log4j vulnerabilities have shown that there can be very large economic impacts when something goes wrong. The Log4j event showed that open source software components can have a very large impact due to wide usage. Given that, it is a reasonable position that the time has come to implement regulations upon the software industry, and to ensure that open source software is included within the scope of those regulations. I want to stress that I believe that the open source community very much wants to be part of the solution to the industry problems that we all face with respect to supply chain security. The open source community provides extremely high quality software and takes great pride in the value that it provides to society.
However, the CRA legislation (along with the companion revisions to the Product Liability Directive) in its current form will have enormous negative effects on both the open source community and the European economy.
For the purposes of this blog post I am going to ignore for the moment the impact of applying the CE Mark regime to all software all at once, as that would be a long post in its own right. This post will focus on the unintended consequences of applying legal product liability obligations to the open source community and ecosystem. But before doing so, I want to spend a few moments describing what open source software is, and why it is important. If you have a good understanding of that topic, feel free to skip that section.
The Economics of Open Source
Today’s software systems are mind-bogglingly complex. And for most systems, a very large percentage of the overall code base provides zero product differentiating features. For example, any modern system will require code which allows it to connect to the internet to acquire and share data. Open source at its core is a simple licensing model which allows individuals, researchers, academics, and companies to come together to develop and maintain software which can be freely studied, used, modified, and redistributed. The breadth of software which has been developed under this model encompasses every field of human endeavor. But arguably the most common use case is to share the cost of developing and maintaining software which implement non-differentiating technologies used across a broad spectrum of products and applications. To be clear, “non-differentiating technologies” means implementations in software of the types of technologies that many similar applications must implement. Examples include network access, database access, user authentication, and the like. It is impossible to overstate the economic benefits of being able to reuse software in this way. Reuse decreases lifecycle costs, reduces time to market, and mitigates development risk across every type of system which contains software. Which is to say, every single aspect of social and economic activity. That is why it is estimated that most modern software and cyber-physical products contain 80 to 90 percent open source. It is simply not economically viable to write all software yourself while your competitors are building theirs using open source.
But the economic benefits of open source only start there. In fact, there is arguably even greater value in the pace of innovation which is made possible by open source. All developers today start their development off by selecting and assembling open source components to form the basis for their product or application. And they are able to do so without asking permission from any of the providers. This ‘permissionless innovation’ has vastly accelerated the pace at which new products in all fields can be developed and brought to market. When open source was first introduced, it was primarily used to commoditize technologies which were already well understood. Today, open source is used to introduce new technologies, in sectors such as Big Data, Cloud, Edge, AI and software defined vehicle, in order to accelerate adoption and create new market segments.
It is important to remember that open source software is provided at zero cost to the consumer. This completely decouples its value from its sale price. And there are many examples of open source software which are almost immeasurably valuable: Linux, Kubernetes, Apache, and OpenJDK are just a few examples of open source which support multi-billion euro ecosystems.
It is also important to recognize that open source software is a non-rivalrous good. In fact, it is an anti-rivalrous good in that the more a software component is used, the more valuable it becomes. This is incredibly important to understand: the value of a piece of open source software is not determined when it is made available. It becomes valuable (and potentially critical) when it is used. And the more it is used, the more valuable and critical it becomes. As a logging framework, Log4j was not a piece of software which at face value would be expected to be security critical; it became so because it was so broadly used and adopted.
Finally, there is no open source business model. Open source licensing has enabled an incredibly successful collaborative production model for the development of software, but that is decoupled from the commercialization of that software. Obviously, given the massive investments in open source someone must be making money somewhere. And they are. Open source technologies are used in virtually every cyber-physical, software, SaaS, and cloud product on the planet. It is also very widely used in the internal bespoke software applications that run our governments, enterprises, and industrials. When we talk of the open source supply chain, it is important to recognize that what we are discussing is the use by governments and commercial organizations of freely provided software. Unlike any other market that I am aware of, the financial resources available to manage and secure the open source software supply chains are solely available to the consumers, rather than the producers. For this reason, it is important that any compliance burden be placed on the downstream commercial adopters and consumers, rather than the producers of open source.
Unintended Consequences
Which brings me to the risks to Europe’s economy that I see from the CRA. The preamble to the legislation states: “For the whole EU, it is estimated that the initiative could lead to a costs reduction from incidents affecting companies by roughly EUR 180 to 290 billion annually.” On the cost side it states: “For software developers and hardware manufacturers, it will add direct compliance costs for new security requirements, conformity assessment, documentation and reporting obligations, leading to aggregated compliance costs amounting to up to roughly EUR 29 billion.” In other words, spend 29 billion to save 290 billion. The impact assessment further describes that an analysis was done which spurred the decision to extend to legislation to cover all tangible and non-tangible products:
This option would ensure the setting out of specific horizontal cybersecurity requirements for all products with digital elements being placed or made available on the internal market, and would be the only option covering the entire digital supply chain.
As discussed in my previous blog post, the CRA as currently drafted will be extended to cover virtually all open source software. This will legally obligate producers of open source software to the documentation, certification, and liability provisions of the CRA. Let us focus here solely on the liability topic.
The fundamental social contract that underpins open source is that its producers freely provide the software, but accept no liability for your use, and provide no warranties. Every open source license contains “as is”, no liability, and no warranty clauses. I’ve always assumed that this is simple common sense: if I provide you with a working program that you can study, use, modify, and further distribute freely for any purpose, why should I accept any liability for your (mis)use of that program? It is the companies which commercialize the technology and make a business from it who need to accept liability and provide warranties to their paying customers, not the open source projects which they have freely consumed. The CRA fundamentally breaks this understanding by legislating non-avoidable liability obligations to producers of free software.
What might be the consequences of forcing the producers of free and open source software made available in Europe to accept statutory liability for code that they provide? Remembering, of course, that all open source software is both developed and distributed over the internet so “made available in Europe” can arguably apply to it all. And also remembering that enormous amounts of open source software are produced worldwide by projects, communities, and nonprofit foundations which make no money off of their software, and who have always operated under the assumption that their liability obligations were extremely low. Thirdly, it is important to remember that open source software is provided for free. The producers of open source do not receive any revenue from users and adopters in Europe, so the usual market incentives to accept additional regulations to retain access to the European single market do not apply.
So with the caveat that these are all hypothetical scenarios, let’s look at some potential unintended consequences of the CRA’s liability obligations. (Some of these points are also made in Brian Fox’s excellent blog post.)
- A reasonable and rational response would be for non-European producers of open source code to state that its use is not permitted in Europe. If you are not willing to accept statutory liability obligations for something you make available for free, a notice file stating the above would be an obvious reaction. What would this mean to the European companies that build products on platforms such as Linux, Kubernetes, Apache, and OpenJDK? I would assume that the vast majority of their procurement and compliance organizations would conclude that they can no longer use those technologies in their product development. Cutting Europe off from these platforms would have catastrophic consequences.
- European producers of open source will be at a significant disadvantage relative to their international peers. Since they cannot avoid the liability obligations, they will be forced to accept them as part of their operations. For a small project hosted at (say) Github, it would probably be simpler to just terminate the project and pull its source code off of the internet. For a foundation such as the Eclipse Foundation, amongst other things I would expect that we would be forced to procure a very large liability insurance policy to mitigate the exposure of the organization and its directors and officers to potential liabilities. The result would threaten the €65 billion to €95 billion that open source software development contributes to EU GDP, as per the Commission’s own study.
- The CRA extends the liability obligations to distributors of software. In the open source context, some of the most important distributors include the language and platform-specific package distribution sites such as npm, Maven Central, PyPi and the like. None of those sites are in a position to accept liability for the packages they make available. As Brian Fox of Sonatype stated “…the consequence of this would be [Maven] Central, npm, PyPi and countless other repositories being suddenly inaccessible to the European Union.” As Brian is the leader of Maven Central, I am confident he understands what he’s talking about. I cannot stress enough how disruptive it would be to Europe’s business if that should occur.
- The CRA liability obligations could also force European business to stop contributing to open source projects. At the moment, it is generally understood that the risk that contributions to open source may incur a liability to the company is low. The CRA changes that equation and as a result European companies may curtail their open source collaborations. This would be extremely damaging to the innovation economy in Europe, for the reasons described in the economics section above. It also runs counter to a number of European wide strategies such as digital sovereignty which explicitly have major open source components. Initiatives such as GAIX-X, Catena-X, Dataspaces, Digital Twins, and Industrie 4.0 all explicitly rely upon open source collaboration which could be at risk under the CRA.
Europe’s Cyber Resilience Act was developed with the best of intentions. And it is certainly the right time to look at what regulations are appropriate for software generally, and given its importance open source software likely needs to be included in some manner. But the liability obligations imposed by the CRA upon projects, communities, and nonprofit foundations will have negative unintended consequences on Europe’s innovation economy and digital sovereignty initiatives.
AQAvit Brings Quality Assurance to Adoptium Marketplace and Java Ecosystem
The launch of the Adoptium Marketplace on May 26 is exciting news for the millions of developers, researchers, and organizations who rely on TCK-tested compatible Java runtimes. As noted in the announcement, by providing a vendor neutral home for the OpenJDK ecosystem, the marketplace makes it easier than ever to access Java SE-conformant binaries necessary for cloud native and enterprise deployments.
But there’s more to the story. For a long time, compatibility has been the name of the game when it came to Java implementations. The Adoptium Marketplace has been set up to take the Java ecosystem to the next stage of its development.
That’s where Eclipse AQAvit comes in. It brings quality assurance metrics into the marketplace, so that the Java community can begin to select binaries not just based on compatibility but on quality.
Eclipse AQAvit Brings Quality Assurance to Java
Everything in the marketplace will be compatible with the relevant version of the Java SE Technology Compatibility Kit (TCK).
But TCK compatibility doesn’t tell you anything about the quality of the implementation. In recent years, the number of OpenJDK-based runtime distributions has absolutely exploded. And although many vendors maintain their own release quality tests, OpenJDK distros have historically not been built to any consistent quality standard. It has become increasingly clear that the Java ecosystem needs a consistent, multi-vendor definition of quality.
Ensuring high-quality binaries are ready for production deployment is crucial for the Adoptium Marketplace. The AQAvit project team compiled tens of thousands of tests and built a few of their own to produce a comprehensive, systematic way of ensuring the quality of runtimes available. The AQAvit Quality Verification Suite covers a broad set of requirements, ensuring binaries provide superior:
- Performance
- Security
- Resilience
- Endurance
They also ensure that the binaries can pass a wide variety of application test suites and can verify new functionality during runtime development. That’s what’s unique about the Adoptium Marketplace: it provides peace of mind knowing that the binaries are not only compatible but will actually meet the demanding requirements of your enterprise applications.
Contributing Helps Ensure AQAvit Meets Your Needs
And in the spirit of open source, you give a little to get a lot.
Many of the founding members of the Adoptium Working Group are Java developers and vendors, including Alibaba Cloud, Azul, Huawei, IBM, iJUG, Karakun AG, Microsoft, New Relic, and Red Hat. The marketplace enables working group members to promote their Java SE compatible releases verified to Eclipse AQAvit’s quality criteria. Their membership helps support the cloud-based infrastructure that drives Adoptium’s efficiency as a shared community project. In other words, the working group collaborates to create and provide access to high-performance, enterprise-caliber, cross-platform, open source-licensed, and Java-compatible binaries of OpenJDK builds, through the marketplace.
Contributing to the AQAvit project is one of the best ways to ensure access to runtimes that meet specific needs. We encourage Java community members to get involved and contribute additional tests to cover the use cases their applications require. They’ll be incorporated in the AQAvit test suite, so every binary going forward will have to meet that standard. This way enterprises and developers can be confident any AQAvit-verified binaries they use will function as needed.
Security Updates for Java
Quality assurance is a big part of what makes the Adoptium Marketplace unique, but it’s not the whole picture. Security fixes are also an important focus.
Once upon a time, you could count on getting security fixes for old versions of Java for a long time. After all, if you’ve deployed a set of applications on a version, you’re probably going to want to use it for a long time.
That’s no longer the case elsewhere. But all the distributions in the Adoptium Marketplace will be kept up to date with the latest security patches or those patches will be backported to older LTS versions. This way you can be sure that your applications are secure, no matter which version of Java you’re running them on. Of course, this goes for new versions of Java too.
Everything Users Need in One Place
The Adoptium Marketplace brings together all these elements — quality assurance, adaptability to community needs, security updates for every version, sustainability — into a one-stop shop for binaries. Ultimately, this delivers five key assurances to end users:
- The binary has been tested and is compatible with the relevant version of the Java SE TCK
- The binary was built in accordance with open source principles
- The binary has been fully verified using the AQAvit quality verification criteria, having passed through multiple tests to ensure it meets industry quality standards
- The binary is as secure as possible, with the latest security updates included
- The binary is brought to you by a vendor committed to supporting and participating in a multi-vendor, vendor-neutral collaboration
If your organization is considering participating in the Adoptium Working Group, have a look at the Charter and Participation Agreement. Or if you have questions, email us at membership@eclipse.org.
Meet Adoptium: Open Source Java Runtimes for Enterprises
Today we announced the creation of the Adoptium Working Group, whose mission is to bring high-quality, open source Java runtimes to millions of developers building the next generation of enterprise applications.
Adoptium was created in collaboration with the AdoptOpenJDK Technical Steering Committee, and supports the Eclipse Adoptium top-level project. The working group provides the vendor-neutral governance, infrastructure, marketing, community building, and developer advocacy work needed to ensure timely releases of Java runtimes and strengthen the project’s community.
The Adoptium project continues the work initiated by the AdoptOpenJDK community. The project gives developers a trusted location where they can download fully compatible, high-quality distributions of Java runtimes based on OpenJDK source code. In a few short years AdoptOpenJDK became the leading provider of OpenJDK-based binaries used to power production workloads in embedded systems, desktops, traditional servers, modern cloud platforms, and mainframes. Adoptium will continue that mission as a vendor-neutral, multi-vendor initiative hosted at the Eclipse Foundation. We appreciate the trust that the AdoptOpenJDK TSC has placed in us as we become the new stewards of this amazing community.
The founding members of the working group include numerous Java developers, as well as vendors such as Alibaba Cloud, Huawei, IBM, iJUG, Karakun AG, Microsoft, New Relic, and Red Hat. This strong participation clearly shows the value the industry sees in transitioning the widely adopted AdoptOpenJDK technologies and community to the Eclipse ecosystem. I would also like to recognize the efforts of Oracle in negotiating a TCK license agreement with us in support of this initiative.
Benefits for the Global Java Ecosystem
Developers and enterprises need a dependable source of open source, compatible Java runtimes that are fully supported with timely patches and updates. AdoptOpenJDK was created in 2017 to provide a community-based solution to this requirement, delivering open build and test systems for OpenJDK across multiple platforms, and delivering high quality binaries for use. Developers responded enthusiastically, downloading more than 240 million Java binaries from AdoptOpenJDK.
Moving the AdoptOpenJDK technologies and community to the Eclipse Foundation benefits the AdoptOpenJDK community and the many members of the global Java ecosystem:
- The AdoptOpenJDK community can leverage our governance framework and intellectual property services, as well as our developer advocacy, marketing, legal, and hosting capabilities, to help ensure the AdoptOpenJDK initiative and community continue to flourish. The community can strengthen its vendor independence, while maintaining a strong relationship with existing sponsors and the Java community as a whole.
- Developers and enterprises in the Java ecosystem have reliable access to fully compatible Java runtimes for hybrid cloud and multi-cloud enterprise development.
Adoptium complements the other Java-based projects already hosted at the Eclipse Foundation, including the Jakarta EE and MicroProfile specification communities, and open source projects such as Eclipse GlassFish, Eclipse Jetty, and Eclipse Vert.x.
I want to thank everyone who was involved in establishing the Adoptium Working Group. I also want to welcome everyone from the AdoptOpenJDK community to the Eclipse Foundation, and encourage you to continue building on the character and spirit of your great community.
Get Involved in Adoptium
There are a few different ways to get involved in the Adoptium community at the Eclipse Foundation:
- Join the Adoptium Working Group. For details about working group governance and membership, read the Adoptium Working Group Charter and Participation Agreement.
- Explore the Eclipse Adoptium top-level project, and its sub-projects, Eclipse AQAvit and Eclipse Temurin.
- Join the Eclipse Adoptium project mailing list.
What’s ahead for Open Source in 2021 and beyond
For some reason, the tradition amongst most technology pundits is to spend the waning weeks and days of the past year making prognostications about what’s to come. I’m all for introspection, but making guesses right before the holidays usually means I’m going to forget what I said (wrote?) after my holiday break. Besides, I’d much rather focus on beginnings than endings. That’s why I’m opening the new year here at the Eclipse Foundation with some thoughts on what’s to come for open source software in general, but also specific insights into the technology segments the Eclipse community is focused on: enterprise Java, the IoT and Edge computing, developer tooling, and automotive design.
Let’s start with a very general prediction, but a critically important one: the open source model for collaborative innovations will continue its growth, particularly with enterprises and industrials. Open source is already the dominant model for collaboration amongst companies in the IT and software technology sectors. But it is quickly becoming mainstream among every company working on a digitalization strategy. The pace of innovation and level of collaboration enabled by the open source model simply cannot be matched.
Many European companies have largely missed out on this value to date. In order to create the new platforms necessary for future prosperity, both governments and industry need to become software-centric and master the process of innovating and contributing via the open source model. You’re going to see a lot of that in 2021, particularly as we shift our own legal headquarters to Brussels early this year.
Now, let’s get a little bit more specific …
Cloud Native Java Predictions
The Java EE ecosystem will switch to Jakarta EE
With the release of Jakarta EE 9 on December 8 of last year, the enterprise Java ecosystem will move to the new jakarta.* namespace. It will be gradual at first, but much of the industry will come around surprisingly quickly. We are already seeing rapid adoption of the new jakarta namespace by the vast ecosystem of open source projects built on Jakarta EE specifications.
Now the focus is on innovation, and the pace of development for Jakarta EE will speed up with the community focusing on delivering both Jakarta EE 9.1 and 10 releases. In addition, the successful transition to the jakarta.* namespace cracks open the door on further integrating Jakarta EE with the world of microservices and containers. The community is already working on increasing the alignment of MicroProfile and Jakarta EE to meet this challenge.
The inexorable rise of community-supported Java binaries will continue
With the move of AdoptOpenJDK to the Eclipse Foundation and its birth as Eclipse Adoptium, the industry will have a single, vendor-neutral source of high-quality open source Java runtimes. Expect to see adoption accelerate as developers use the project’s high quality binaries and technologies across the Java ecosystem.
2021 will serve as the “tipping point” for cloud-based development tools
A wholesale move to the cloud driven by the era of COVID-19 and remote work, combined with the release of new cloud-based tools like Eclipse Theia, Eclipse Che, and Github Codespaces, accelerates the trend towards cloud-based development tools Traditional desktop tools will have a long tail, but the proverbial tipping point has been reached.
IoT and Edge Computing Predictions
As Edge Computing architectures and the Internet of Things (IoT) continue to proliferate throughout multiple vertical markets, one trend that enterprises have made abundantly clear is that, in 2021, they expect many edge computing solutions and IoT technologies to leverage open source. This was confirmed in the most recent Eclipse IoT Commercial Adoption survey published in March 2020, which found that 60% of the organizations surveyed are factoring open source into their deployment plans.
One guiding factor to these trends is that businesses want to tailor information technology (IT) and operational technology (OT) builds to meet their specific requirements while avoiding vendor lock-in. This is best accomplished with solutions based on an open source model. In other words: while businesses certainly appreciate the cost and time savings open source offers, what they truly need is the control and flexibility it affords.
Open source will help solve SCADA software interoperability
This prediction is a bit specific to the Industrial IoT (IIoT), but given the size of this market, everyone from Chevron to Intel are carefully building solutions based on open source to address this issue. While SCADA providers have fully embraced IoT as a concept, sector growth has been limited by lack of interoperability between proprietary systems. Open source IoT solutions, such as Sparkplug, will enable new innovations that finally allow for true widespread interoperability.
2021 will mark the rise of the Hybrid Edge
Hybrid cloud was definitely one of the biggest buzzwords of 2020, but in 2021, we believe this concept will be applied to edge computing architectures. Just as hybrid cloud requires orchestration between public, private, and distributed compute architectures, so too will enterprises that may be deploying their own edge networks, using edge compute offerings from a cloud provider, and operating separate edge networks for different use cases (AI vs. IoT for example). What is needed to fulfill this vision is an open source platform for Edge computing that the industry can rally around.
Cloud providers will embrace open source edge computing
Late 2020 saw all three major cloud providers – AWS, Azure, and GCP – deliver their own edge offerings. We believe 2021 will not only see a continuation of this trend, but also see providers embrace open source edge solutions as a means of differentiation and to speed innovation within their own development efforts.
For organizations looking to leverage both edge computing and IoT, they need to carefully evaluate their strategies and the open source alternatives that will enable their software-defined initiatives to thrive. By doing so, they will enable not just near-term efficiency, but lay a foundation upon which future innovations can be built for years to come.
Automotive Software Predictions
Of all the market segments I’ve written about today, none have been as slow to adopt the open source model as the automotive industry. Open source is potentially a life saver for this industry given its many challenges.
Automakers will respond to the impact of the pandemic by accelerating their digital transformation.
By and large, OEMs in the global auto sector have recognized a deep need to move on from development models of a bygone era. The global economic impact of the pandemic is forcing their hand to quickly pivot to meet the needs of a new economy. They know this. What will change in 2021 is the realization that mastering the art of open source is a necessary step in their digital transformation.
OSS will serve as the primary catalyst in most automakers digital transformation.
We’re already seeing this shift begin in 2020. The traditional automakers are embracing open source to establish industry-scale collaboration on core frameworks, toolchains, and systems for interoperability, simulation, testing, validation, and certification. We expect to see accelerating OSS innovation in areas like AI for autonomous driving, with some companies contributing AI elements to the open ecosystem.
In 2021, the challenges of autonomous vehicle design will force the industry to turn to community-based collaboration in order to reach its full potential.
Currently, the majority of firms choose to perform their development completely in-house. 2021 will see some of these organizations become aware that they cannot do everything alone. We predict more partnerships and potentially some consolidation in the market as well. Firms will shift to a more collaborative approach that leverages the entire industry, with the OSS model serving as a mechanism to enable this transition.
And let’s not forget the best part about open source; you can participate in the process and help guide the outcome. The Eclipse Foundation is just one means to this end, but you want to find out more, visit here – https://www.eclipse.org/membership/#tab-membership
In the meantime, I’m looking forward to engaging with many of you as we all work to build more positive outcomes for 2021. Happy New Year everyone!
Life at Eclipse 