FLOSS Weekly 702, Transcript

Please be advised this transcript is AI-generated and may not be word for word.
Time codes refer to the approximate times in the ad-supported version of the show.


Doc Searles (00:00:00):
This is FLOSS Weekly. I'm Doc Searles. Jonathan Bennett and I talk this week with John Mertic, who's the director of program management at the Linux Foundation. Big focus for him is mainframes, open source and mainframes. Whole big topic there. Much bigger than you would think cuz there's some things only mainframes can do. And open source is kind of new to them. So that's a big topic and that is coming up next.

VO (00:00:28):
Podcasts you love from people you trust. This is TWiT.

Doc Searles (00:00:35):
This is FLOSS Weekly, episode 702. Recorded Wednesday, October 12th, 2022. Open source and mainframes. This episode of FLOSS Weekly is brought to you by IT Pro TV. IT Pro TV's training solutions provide professionals and enterprise organizations the education needed to kickstart or advance IT careers and upskill through engaging training and virtual labs. Get 30% off when you sign up at IT and use code TWI 30 at checkout and by Compiler. An original podcast from Red Hat devoted to simplifying tech topics and providing insight for a new generation of IT professionals. Listen to Compiler in your favorite podcast player. Hello again. Everybody, Everywhere in the world. I am Doc Searles and this is FLOSS Weekly. I'm joined this week by Jonathan Bennett, Alpha cohost. There he is. <laugh>. Hey Doc, you don't move around. You just like may. Maybe change a chair every once in a while.

Jonathan Bennett (00:01:45):
A little bit. Have changed chair in a long time either. Yeah, I've invested quite a bit of sweat equity into getting the home office here set up, so I'm gonna take advantage of

Doc Searles (00:01:54):
It. <laugh>, they're gonna say put a lot of sweat equity into stain the leather in this chair. <laugh>. Well

Jonathan Bennett (00:01:59):
That's true too. <laugh>.

Doc Searles (00:02:02):
So I am in an unusual place. I am over. I would turn the computer to show you, but I'm afraid to disconnect something. But I'm overlooking Lake Coeur d'Alene in Idaho and about 150 feet above the lake, which stretches out in all directions what looked like a bald eagle. Went by yesterday when I was talking to aunt about this. I, This is at a borrowed house. I hardly ever been here. I've been here once before. It was to test this out. I'll never be here again. <laugh>. But I'm probably, But anyway, I'm talking to you through tethered through a phone because there is actual cellular connection here. It's a satellite connection for internet and is not Starlink. It's the older pre-Starlink where the latency is years <laugh>. So I'm looking Okay. Otherwise I'm surprised is working.

Jonathan Bennett (00:02:54):
But yeah Doc, you move around enough, you oughta just get one of those Starlink RV connections and just throw out your backpack and go with

Doc Searles (00:03:02):
That. It has occurred to me that if a Starlink gets portable enough where it's like a small case, I could, a briefcase, I can unfold and a whole thing pops up. It's a possibility. <laugh> really a possibility. Not that I'm the camping type, but I carry, this mic goes with me to all places and this is a laptop and all this. So I'm ready to travel in that sense. So our guest this morning is John Mertic, I think has been on at least twice before. He'll correct us in a minute probably if I'm wrong about that.

Jonathan Bennett (00:03:37):
You, Yeah, I did a little research before we started and it's like, oh wow. He was on back when Randall was here and I searched for his name in my mail threads and it's like, oh well here's where I almost got to co-host with him last time. Yeah, I

Doc Searles (00:03:53):
Thought you did. I were the co-host last time. I

Jonathan Bennett (00:03:55):
May have been one of the times. And then the other time I wasn't did not do a whole lot of research at Time <laugh>. But of course he's tied in, he's part of the Linux Foundation. He's working with Open Mainframe, which will be fun to talk about. Look forward to really picking his brain about those things.

Doc Searles (00:04:12):
Oh, we'll get on that today. So let's get right into the show and welcome John Mertic. He's the director of program management at the Linux Foundation. There he is in his la So where are you on the planet John?

John Mertic (00:04:28):
I am at a little town called Doylestown, Ohio, which is just outside of Akron. And if you don't know where Akron is, it's just outside of Cleveland. And if you don't know where Cleveland is, it's somewhere between New York and Los Angeles is the best way to describe where we're at <laugh>. But yeah, in my home office here,

Doc Searles (00:04:46):
Well normally I'm one state away from you. I'm in Bloomington, Indiana, but nor normally in a sense that I've been there for a year. <laugh> <laugh>. But I also live in California and I go to things and so we get around. So well t tell us first how if and how program management at the LF has changed or since we last talked or we're just going what we do.

John Mertic (00:05:14):
Yeah, I mean I think a little bit. We've definitely grown. If you keep up with the news, you'll see that the Linux Foundation, we're always bringing new foundations and new focuses and new efforts within. So I think we've seen a large area of growth and with our team has definitely grown. But I think also the one thing that we do is we just learn from a lot of the experiences that we have. I so much of the Linux Foundation's culture and how we approach open source comes from the Linux kernel community. And we've built upon that by working with additional communities, working with the Kubernetes community and the Node.js community. And then as we've expanded, we've started working with a lot of different verticals such as the motion picture industry, the automotive industry, the energy industry, and a bunch of others. And so I think while there's definitely new people and new things, I think the biggest thing is just we just learn so much from the groups that we work with.

And not only just the amazing people, but the uniquenesses of how that collaboration happens. It's the one thing that I, I've always preached about at Open Source is I've been an open source for over 20 years now and every project is a little bit different and there's always just such uniquenesses not just from the personalities but just the cultures of the group that you really have to embrace and understand it and really appreciate and you learn from those things and you say, Wow, this might plug in to be useful here. This might be a useful tactic here or this is something I should never do ever again. Cause it was a really bad idea. <laugh>, which you get those occasionally, but I think that's the biggest thing that I've seen.

Doc Searles (00:06:58):
One of the things the Linux Foundation does is spawn other foundations. And so we had Brian Behlendorf on recently and he was with the Hyperledger Foundation and now he's with <affirmative> security in some way. How does the foundation make a foundation? Is that or is it just called that? I'm not even sure what the legal or the regulatory structure of that is.

John Mertic (00:07:26):
Yeah, it gets a little bit nuanced in there. I think what we, as a Linux Foundation there's well over a thousand open source projects and efforts that we're hosting here presently. And depending upon just the size and scope of what's being worked on, some of these groups are coming together and are trying to do very large scale things. So Hyperledger for example, was really trying to pull together a lot of the blockchain technologies that were out there so that it could have multiple different applications in different areas and not just Bitcoin and cryptocurrencies but in more broader areas like insurance and finance and government and things of that nature. The one Brian's working right now with is the Open Source Security Foundation or for short OpenSSF, which is really trying to build a center of gravity around the best practices of security in open source.

But we also see a lot of those also just leakage out in just a technology in general with things like software supply chain and other best practices that you see. So what we see is we see parties that come to us and say we need a place that we can collaborate. We could go individually and do this in different places. We could create just a partnership or things like that. But what moves a lot of these technologies forward is a neutral location that this can happen. So it's not any one company that's owning it, not any one company that's controlling it, but you have a multitude of different companies that have a piece of it and everything down to the code. I mean if you're familiar with Linux kernel, one of the interesting things is there's no one person that owns the copyright to all that code.

It's every single person that's made a contribution owns it. So you have this interesting sort of a lawyer might call it a weave mess, I would call it a cool commons that comes together where to really make decisions on licensing and different changes, you have to have everyone as a part of that. And that's the fabric of every single project we host here as well is those pieces. And for these companies, they see a huge advantage not only for them but also just for the ecosystem that they're working with as a whole. Cuz they can bring their competitors in, they can bring partners in, they can bring all sorts of other individuals in to collaborate on amazing technologies that really help move their groups forward. One of the ones here that I'm working with, which is also Endurance, the t-shirt that I have is the Open Mainframe project which came together because there was a great need to have a neutral home for the open source that was being driven in this industry cuz many of these players were doing open source but they said it works better if we have everybody on board, everyone contributing cuz then we can build things on top of this.

We can drive a lot of the investment this way we can leverage the collective expertises of all of our different engineering teams and just strategy and all that. And we just see that pattern just repeated over and over everyone who's coming to us. That's like sometimes there's a little different nuanced reasons or industry reasons or things like that. But the core is exactly that piece. We wanna come together, we wanna collaborate on something that we recognize is bigger than any one of us. And how we see this as successful is having it a neutral entity where we all have an equal stake in it and not somebody has a greater stake than one another. And those are also projects that are sustainable in the long term because they can weather the storm of different players, different people getting involved over time and they can evolve throughout time. So it, it's really a cool thing that we start to see.

Jonathan Bennett (00:11:18):
Hey John, so I wanna jump in and I'm curious about the good that the Linux Foundation can do for a bunch of different projects, maybe even projects that aren't directly under its wings. And of course me being me, security is one of the things I'm going to think about. And there's a story that's still kind of hot in Python the TAR implementation in Python. I think Python tar is what they call the module has this 15 year old bug in it where you can have an archive, a tar archive that contains links and files that are do when you archive, it will go up directories and then over and then archive something in a different place. And so the real problem there being that someone can without knowing it override something important to like slash etc slash password. And one of the things that I've seen that in some of the Linux Foundation media information, some of the things that y'all's put out is that you guys are trying to work on this security and security for all projects and trying to eliminate some of these kind of shall we say, institutionalized problems maybe that are in different places.

I'm just curious if there's any kind of services or even guidance that LF gives generally speaking and do you work with little projects on some of the security problems?

John Mertic (00:12:55):
So we are seeing security things coming up hugely across a lot of our projects. And I've been a software engineer in the past and I think how we've all been trained to think about security is more of an intrusion penetration aspect. How is somebody getting into our app and logging in? But I talk with industries that say, hey, this code is being used behind a firewall, it's not connected to the internet so it should be fine. Why do we need to care about security? And the thing that I would go tell them is, okay, well where are you getting the software that is coming to your system? And they might say, Well it's from such and such some open source project. I'm like, well how do you know the lineage and the provenance of that because you could go install this package and then all of a sudden somebody had embedded some sort of nastiness and I don't know if nastiness is a word, but we'll go with it <laugh> that all of a sudden you have a ransomware attack on your infrastructure and imagine if you're trying to run a hospital and that happens, it would imagine if you're trying to build a motion picture and all of a sudden you're locked out of all of your assets, these things get real.

And I think that's an aspect that we've begun to start to see over the last couple years. This isn't my best area of expertise. I mean I think when you talk with Brian, he probably was able to add a lot more color, but that's been an area that's been hugely growing. I mean I think Sonatype did some surveys and it is like 650% increased in the last couple years. So it's a huge, huge area. I think the recognition you have to have about security is that it's not a one time thing, it's an ongoing process and one part of it is there's an ounce of prevention in there which comes to having the infrastructure to be doing some of this testing, whether that would be fuzz testing, intrusion testing things of that nature. Another piece of it comes in is just practices. So do you have a practice to, if somebody sees a security issue of how to even report it, I mean there's a ton of open source projects that don't.

Do you have expertise within your project that could identify that and know how to address it in a secure manner? And then outside of that is how can you make sure that you sort have that sustainable aspect to continue those investments with time? And I think that's one of the fabulous things that the Open Source Security Foundation has been really focused on is helping projects give a sense of guidance of what a good project looks like that can respond to security and address security in a proactive and then reactively in a timely way. And if you look at the what was the CII, Core Infrastructure Initiative, Best Practices badge, which is being rebranded as the OpenSSF Best Practices badge. That's one of the big aspects of what it's about is these are the best practices that you do within an open source project. If you're doing those pretty good chance that you are gonna be able to respond to security issues in a very timely manner and be ahead of them.

And there's other initiatives that they're stand, they're standing up they've built a scorecard mechanism as well that's able to look into your repositories and say, Hey, this is a grading of how things are going based upon the code and how you have it structured. And less of code quality because I think that gets very subjective, but more of the objective things of do you have the right pieces in place? Do you have the right structure and governance to go about it? And then we're even seeing broader efforts like Project Alpha-Omega, which is actually looking to invest funding directly in that, especially in projects that don't have that funding available. Cuz some of these we've have really become ones that in our creative, our collective conscious just kind of flowed in the back. You don't think about but they power so much of internet. The Log4j, which was a big thing a couple of months ago, a very similar sort scenario there of just low investment, the high criticality and trying to make sure that there's a balance to address those.

I think in addition to that, one of the things that we have seen our project communities start to do, and we have great partnerships here with our training arm, is building training out for communities on how to do open source well and ica, everything with that is there is a lot of different ways to do open source and things work in one community that don't work in another. And I'm completely cognizant of that, but there's a lot of just great base knowledge to have to really be effective in that realm. And we have a ton of open source 101 training available. We have a lot of open source security training available and we have ones in different specific areas like Kubernetes or blockchains and things like that. Most of this is available for free because we really think it's so crucial to have this knowledge out there.

And some of it, there's different certifications you can do depending upon where your professional direction is going. But I would say the one thing that we see valuable out there is to make sure that there is great knowledge of how to do open source well from the individual level to the company level with things like the TODO Group from the measurement level with things like the CHAOSS project, which is really focused on how to drive great metrics in there. And then I think more broadly is just seeing how our industry is evolving and recognizing that diversity inclusion are major parts of that. And having that is also something that we see as a part of Linux Foundation whole, but also a lot of our individual projects as well because they're seeing that as an area that as they begin to grow, making sure that it can be an area that brings in diverse groups is really, really critically important. So there's just a lot of different areas that we see gaps. We try to go out there and provide either a way to address it or bring together the smart people that know how to do it and give them a forum to do it, which oftentimes we kind of like to see more because we want those smart people out there that know how to solve these problems and really help pull things together.

Jonathan Bennett (00:19:21):
Excellent. An excellent answer. I'm gonna follow that up. I know you said that security is not your thing, but this is kind of more of a philosophical question I'll get you to ruminate with me. When I think about security and open source, one of the things that we've seen reasonably recently, and a lot of this actually as a result of the war in Ukraine is protestware. And that's the idea of particularly when it's open source a developer, it's the feeling passionate about what's going on. And in some cases it will be as simple as he'll put a log message in every time his application runs or his library gets called, it'll spit a log message out that says something about what's going on in some place. One of the notable examples of this was node-ipc. The developer of that included a new library linked to called Peace not War I believe was the name of it.

And it did the same thing. It spat out a message of support for Ukraine and all of that except if it detected that you were an IP address coming from Russia, it would attempt to wipe your machine <laugh>. So oh dear. That one was not quite as peace, love, and rainbows as it claimed so much to be not. I'm curious though, what if and what the conclusion is that you and or the Linux Foundation have come to about what is acceptable when it comes to protestware? Like are we even okay with our machines when we call a library, it has a off topic message it wants to tell us. I mean that's almost like at app advertising in a way and it's just a weird place that we've come to. And it seems to me, I wrote about this on Hackaday too. In fact I'm pretty sure I coined the term protestware, but that's not the point. But it seems like we almost need to come together and figure out a guideline what is acceptable here and what are we gonna consider malicious. It's some of it's obvious wiping a machine is malicious <affirmative> pretty obvious, but at what point is log spam malicious, that eventually becomes a problem too.

John Mertic (00:21:30):
Yes. And I wanna copy at the early, it's not that security isn't my thing, there's just a lot better people than I am at it. So I'm a big fan of security here but there's gonna be a lot smarter people that if you really wanted to dig into that, they would be the better people to talk to than me. But I mean guess on the topic, it's really interesting in open source communities because sometimes I get a lot of questions when companies are looking to open source something that there's kind of like a fear of loss of control. And I've learned this from a lot of my colleagues that I've talked to this talked them about, and when you look at open source governance, there's this concept of legislative versus effective governance and legislative is the laws you brought down the outshot do a release, this is how your voting works, yada yada.

But then there's this concept of effective governance and what we see in open source communities that are successful is that they generally drive by consensus even if that means it's a lot of work to get to that consensus and <affirmative>, even if sometimes I can count probably on one hand the number of times that I've been involved in working with an election or a vote with a particular community where there wasn't a consensus vote. And these are ones that have industry competitors all at the table. So it's not like there wasn't tensions that were there, but there was a greater look from those communities of we know in the end of the day working together is better for all of us. Forking is, it happens, but it can sometimes cause a lot of fissures and frictions within communities. So I think, and so when we look at the concept of effective governance, when I talk to these companies, I'll be like, yes, you're going to get other people in the project that are maintainers and committers and gonna, they're might have differences, opinions and things like that, but in the end of the day they're gonna look at you as the people that brought this here and have a high degree of respect and look at you for advice because they knew you've put the hard work into getting it to this point and they're gonna look to you to, they're not gonna wanna turn something that's directly against you.

They're gonna wanna work with you and know that you're a partner at the table. So I know that kind of probably on the surface seems like entirely dodging the question. I think when we're thinking about though this concept here, I feel like there'll be probably a social aspect that comes into play that helps drive a little of this forward. I could imagine, and again I'm not as directly familiar with the library in there, but I can imagine that even for people that may not have been directly affected by the machine wiping out, they probably weren't all that thrilled about it. And I'm sure, and I don't know where this resolved, but I would assume that maybe that functionality went away or was sidelined. I don't know for sure but it would stand a reason that that would be the case. I think the developer got blacklisted from every website that hosts code and one of his code maintainers took over the project and everything got cleaned up if I remember correctly.

Well that's solve the problem. So that's good <laugh>. So I see that a lot as communities have this great ability to self correct because generally they want to be forces for good. And you could argue that a lot of what may be some early intenses, there tends to be forces for good. Sometimes it runs off the rails. And I see this also a lot in a lot of the work that I see in diversity and especially I know there's been a lot of work in inclusive naming and things like that. And as you look back through history well you can always find bad actors in anything. I often believe that there's a lot of great intentions where a lot of these things were happened and maybe these folks just didn't realize the after effects of what all that means. I would call that if there's a group that really wants to get together and say, Hey, we should set some best practices and guidelines I'd be up for that being a Linux Foundation project.

If somebody really be interested in it, I think that would be a really cool idea. I wouldn't, and I wouldn't ever position that as the Linux Foundation says X cause I think that's not where we look to be. But what I would rather think is we have a group of really smart people that care about this quite a bit, that are coming together and collectively saying, Hey, this is where we think is right. And if you look at the heart of every project we host here, that's what it's all about. We don't write any of this code especially me cause you don't see my code. It's awful anymore. <laugh> the smart people write all the code and that's what we look to empower and give them the space so that they can focus on that. But that probably didn't directly answer the question you're after, but hopefully that gave you at least a way to think about it.

Doc Searles (00:26:30):
Well that's a great answer and I have kind of a follow to this that goes in another direction. But first I have to let everybody know that this episode of FLOSS Weekly is brought to you by IT Pro TV. Whether you're looking to start your career in IT, master the profession or develop your own team. IT Pro TV offers virtual learning solutions for everyone. IT Pro TV has more than 5,800 hours of IT training with current content added daily. So courses are always up to date. You learn by doing. IT Pro TV sets itself apart with hands on learning via their hosted virtual labs. Join an online community of IT learners. There are over 220,000 of them share in forums and engage with instructors directly with courses you can binge in 20 to 30 minute episodes. You'll also have access to IT Pro TV's searchable transcripts to let you zero in on exactly the information you need.

Learn when and where you want on a desktop, Apple TV say or Roku or hit the road with your tablet or a mobile device. Each month IT Pro TV offers free webinars. You can watch catch the live broadcast or watch on demand at your convenience. October is cybersecurity awareness month. Catch the following IT Pro TV webinar coming up for the month of October. On Thursday, October 20th at 2:00 PM Eastern Time All things cybersecurity will run with Tim Medin, CEO of Red Siege Information Security. Also be sure to check out their cybersecurity free weekend on October 15th and 16th. Tim Broom, co-founder of IT Pro TV, says it best himself. We want to make life easier for people who want an IT career. It's as simple as that. Get 30% off when you sign up at IT and use code TWI 30 that's 30% off when you sign up at IT and use code TWIT 30. IT Pro TV, build or expand your IT career and enjoy the journey.

Okay, so John, I'm wondering about how open source and your organization or your many organizations' involvement with IT are changing corporate culture. I bring this up because right now we're sort of as in between economic time when some things are growing, some things are shrinking, some categories can't hire people like fast food or trying to hire all over the place, can't do it. And yet I know from people I know in the staffing and recruitment world, nothing is more valued than programmers. Nothing is more value than people who are technically adept getting top dollar. They're doing well and I would imagine they have influence inside the company. Yet at the same time I've been hearing over and over again this is going on. I mean I was at Linux Journal for 25 years almost that companies can't tell their open source developers what to do cuz they have to work in these communities that you've done so well describing, especially with effective governance. I really like effective governance, but I'm wondering how this percolates back into a company that's busy. In many cases Intel just laid off a bunch of people. I guarantee they're not shrinking out their programmers for the most part. But what is this doing inside the change corporate culture itself, both functionally and in welcoming open source in getting leadership as it were from open source and even cooperating within a category rather than competing at the cost of everybody.

John Mertic (00:30:21):
It, it's really interesting because I think we often see in tech that the value moves its way up the stack over time. So I mean if you would go back a couple decades, there was a lot of competition that was happening at the operating system layer, different variances of Unixes and things like that at play. And as Linux really came on the scene there and to degree also some of the BSDs as well, we saw that become less of an area of competition and then we started see things move up the stack. With the advent of cloud services, we've seen so much of the services that were offered at a lower level, all of a sudden the value moves higher up the stack and where we see that happen is where it creates efficiencies in our cultures and things like that. Now if you look at that from a company standpoint, if you're looking at an average application today, roughly 80 to 90% of it is comprised of open source which most people don't really even realize.

And this is if you'd go the entire layer down from frameworks to support libraries to things like that, I mean almost all the way down to BOS layer, that's a very common theme that you see start to emerge. So I think as companies that I've talked to have begun to look at the technology they're developing within, there's a couple questions they begin to ask themselves. One is what's our specialty? What are we known for? What is the unique thing that we're bringing to the table? And not to be facetious here, but is it a database interface library or is it a really cool end user application? And sometimes that's actually not a prestigious discussion but you that I'm trying to help draw a point here that some of these common layers that are at the very bottom companies quickly realize it's like we don't need to invest developer man hours to a high degree on that.

That is something we can leverage an open source project for or we can help contribute to if it doesn't fit directly. And we're seeing a lot of companies continue to move that up the stack so that they can focus their investment at the things that are unique. Now that doesn't necessarily mean that you all the talent at the bottom splurges itself out. What we see is a lot of those are collaborating in these different open source communities because in some of these areas there's just only limited amount of expertise that's out there and it's really hard to cultivate over time. And these companies see that these underlying parts are really, really valuable. But we know we can't develop these out completely on our own. I mean this is something I think the mainframe community especially not to come back to them I think have really started to see is that there's a lot of very core skills and core abilities to be a mainframe administrator or programmer that are kind of hard ones to replicate in some areas.

And being, if the idea is to really mass grow an industry and help bring a whole new group in making it so that the mass part of that it's easier for them to leverage the technology makes it much more sustainable. It doesn't get away from the need for the people that understand the lower levels of it, but what it does do is it gives those people the ability to collaborate on it and come together on it. Think about it as something as silly as maybe the iCal standard for calendaring. If you've ever tried to implement that as developer, it's really, really hard. And then you also have calendaring clients that do kind of wonky things with it that you have to pay attention to. If a company is building a product or an application and a customer requirement comes in as I need to be able to subscribe the things out of here into an iCal calendar, maybe it's like tasks or deadlines or things like that.

A developer could go write a full iCal implementation but then they're gonna struggle with every single bit of the weird peculiarities that happen when Outlook integrates with it or Google Calendar or something like that versus there's a library out there, they can use that and when they run into those peculiarities they can contribute back to it. And now you have the collective knowledge of moving that forward is with this group here, but it's for the benefit of all overall. So I think we are starting to see a lot of that mindset with companies as well where they're saying, Hey, we're doing some cool things and we think other companies could benefit from it too. And it's not necessarily a special thing to us. There could be other companies that are into as well. I mean we've seen Netflix has been a huge pioneer in this area with a number of tools that they've released out there.

And they're not the only, I mean there's tons of companies big and small that have done the same thing. I think the other angle that we see is that companies, while they find they have a level of expertise around surrounded technology, they recognize to grow it to the point where it's changing an industry is bigger than them. I think Google probably realized that a lot with Kubernetes many years ago. And the mainframe space, we have a project that's called Zowe, which has really been focused on how can we create modern interfaces to a z/OS mainframe. And there was a number of companies that came together there, IBM, Broadcom, which was then CA Technologies, and Rocket Software and we've seen other companies come to the table too like BMC Software and Vicom Infinity and a number of others that have had that same recognition as well. It's like hey, we could build this, we have the expertise here but this could go so much farther if we had this whole industry wrapped around it and everybody contributing and everybody building from this.

And it's an efficiency for all of us. And I think we're starting to see a lot of the company cultures being able to change in there of thinking less of the secret sauce and the proprietary as sort of a differentiator, but maybe starting to see open sourcing as a faster path to market and a faster way to evolve an industry in some cases actually being a way to set them ahead so they're seeing this concept of open source is not something, hey we're giving something away for free but we're putting ourselves outta the market as the leader in this area. Which is really a fabulous way to do. I think another thing is we've also seen is it's changed how collaboration happens and we've seen companies sort of take the concept of open source and bringing into their companies with InnerSource which in many cases has helped with large companies that might have many lines of business with independent developer teams being able to converge and work together on tools that are very applicable across the business.

So it, it's changed a lot of the culture in there and I think in the companies where we've seen this successful and those tend to be the ones that are adopting opensource program offices, they're also recognizing of it. It's not that we're maybe scared of these open source developers can't make a matter or anything, but I see actually more in companies where these open source developers are underappreciated for the work they do and it's hard for them to tie back to the bottom line of the company and those offices are coming in there and saying, Hey, let's recognize the work you're doing out there because you're doing great things for us. Not only just from a technology standpoint but also being able to showcase us as a leader because more and more people that are looking for development jobs, they're going to companies and seeing what are you doing in open source? Cause that's a key part of their ethos and culture of what they want to be as a software developer.

Jonathan Bennett (00:38:04):
Hey, so I wanna jump back in and I dunno that we've talked about it a whole lot, but Open Mainframe is one of the things that you're really, really involved in and I know we've talked about this in the past and I can't remember, is this mostly the IBM mainframe, the thing that still exists that you don't see very often that has its roots back in System 360 and the old heavy iron stuff from the seventies. Is that what Open Mainframe is still about?

John Mertic (00:38:34):
It is, and that stuff goes even back farther from the seventies even into the fifties. It's really interesting if you trace the lineage of open source, it goes all the way back into the fifties with the mainframe community at events like SHARE where these early mainframe programmers coming together they were encountered with a new IBM mainframe and they're like, we gotta work together to figure out how to use this really well. And they began to collaborate by sharing code back and forth. That's the name of the organization being SHARE and everything in technology. If you talk with somebody who's been in mainframe a long time and you talk about any modern technology trend, they tend to kind of smirk at you a little bit and say, Oh geez, we did that in mainframe X number of years ago <laugh>. And in many cases they're not wrong.

But I would also say in open source we have so much to learn from there as well. One of the, I think earliest open source projects, even before the concept of open source or free software was a thing, was a project called CBT Tape named after Connecticut Bank and Trust, which is a bank that's been defunct for decades now, but it was a systems programmer there named Arnie Casinghino that came and said, Wow, we're passing all of this great code back and forth, but it gets lost really quickly if you don't know this guy wrote this or this person wrote this, it's hard to find it. And he said, I'm just gonna get this all together and put it on a tape. And since 1970, that project has been distributing a couple of tapes a year of this. In the early days you had to send a couple bucks in the mail with a nice letter and Arnie would catch it up and actually send you a physical tape.

You can still get a physical tape today if you really send him a couple bucks in the mail. But if you talk to anybody that's been in the industry so familiar with it, it's a tool that's just kind of bailed them out and we're actually seeing a resurgence of that project here in the Open Mainframe Project. But yeah, I mean a lot of what this work is around the software and applications around the IBM mainframe whether that would be Linux which is a huge growing operating system on the mainframe that's been a part of the mainframe since 1999 with work at Marist and early vendors such as SUSE Linux, which were really behind it but also z/OS, which is kind of the predominant operating system and kind of traces itself back to System 360 and similar technologies, kind of the open source communities and work that's done around that.

Jonathan Bennett (00:41:07):
One of my favorite bits of history about mainframes and how they actually impact us is the first micro, well the first microprocessor was designed of course by Intel, but it was designed with, I believe Datapoint was the name of the company and they were making a terminal for talking to mainframes and they put all these components together to make a smart terminal. And then a fellow came along and I cannot recall his name but he came along and said, Hey, that chip that you're putting in that would be great for us, a little standalone computer. And some of this history is still being uncovered actually, but apparently he built something called the Q1, which was a teletype machine with a microcomputer, a microprocessor in it. He actually used the 8008 and then Intel said, Well that's interesting. And then they developed the 8080 and the rest of course is history with Altair and Altair BASIC and a company called Microsoft making software for micros. There is a lot that actually we owe to the world of mainframes. And I find that stuff fascinating. And the craziest thing about it is these things are still at work and yet most of us, even people in the industry, I have been to data centers, I have done data center installs and you still hardly ever see mainframes in the kind of data centers that I walk into. So odd to me that these things are so important and they're so hard to get to.

John Mertic (00:42:43):
Yeah, well and the interesting thing is in many cases a single mainframe could take the place of an entire data center. I mean that's the amount of computing power that these things have. And you actually see a lot of cases where people are looking at Linux data centers and as a cost reduction and also just for the environmental benefit, they'll be like, we could reduce down a hundred Linux x86 servers into a single mainframe and still have capacity to grow. So I mean these things, you're right, I mean they're sort of a cornerstone. They're in the background a lot of times but they run continue on. I mean they're one of the few platforms that I really know of that are built with design principles in mind of security, performance, scalability and stability. And all of those pieces come together when they're designing these boxes.

Now they're not a box that everyone needs by any means, but if you have the case where all of those points you need and not to go all Spinal Tap on everyone, you need turned up to an 11, this is it. This is the only box that can do this. So if you're a financial services company and you're needing to process millions of transactions a second, this is the only box that can do it. The cloud can't do it for you, sorry, Google and all those. But this is the infrastructure that can do it. If you need a machine that literally you can swap all the parts out of while it's still running and it doesn't shut down, you don't have to reboot or anything. This is it. I mean, you can Google and find pictures of mainframes tipped over and rubble after earthquakes that are still running and still processing at load with no problem whatsoever. So I mean these are machines that are built for the long haul, they're built for sustainability and they're built to be really able to handle pretty much anything thrown at them, whether technology wise or societal wise as well.

Jonathan Bennett (00:44:56):
Exactly. Where does Open Mainframe itself sit in this? I know there is at least one or two projects that allow you to emulate mainframes on x86 hardware, which is fun because mainframes do a lot of emulation of x86 hardware these days. Where is Open Mainframe that project? Or is it a sort of body that helps different companies with their mainframe projects? What exactly is the kind of problem space that the Open Mainframe bit of the Linux Foundation solves?

John Mertic (00:45:38):
So the problem that it's after is how can we ensure that mainframes are well connected with where modern enterprises are going? And we live in such a great era where there are multitudes of computing choices that you can pick from and they all have different strengths and weaknesses depending upon where you're after. We have edge computing, we have distributed, we have cloud, and we have mainframe and all sorts of other even options even in between that. And a modern organization in a future forward looking organization rather starts to change the view of what their computing infrastructure is. It doesn't look at it as sort of the cost of doing business. We've gotta have 20 cloud servers to do this or we need to install these edge nodes. It's something we have to do. But they transform their thinking to this is an opportunity for us to be different.

This is an opportunity for us to uniquely engage our customer. This is a new opportunity for how we operate as a business. Cuz they realize it's like if we just go buy the same thing everyone else did, we're just gonna be just as good as all of them. So that's sort of the mindset of these enterprises. And the challenge where mainframe has always fit in is it's just different in a lot of ways both from an integration standpoint, z/OS is definitely a lot of a different animal of an operating system in many regards. And we've often seen in many of these enterprises that use mainframes is there's almost a little bit of a drift that happens between the group that manages the mainframes and the rest of it. And what we really try to do is say what, there's unifying technologies that help this mainframe be better used across the organization.

And that's the open source that we really focus on. So an example project is Zowe. Zowe is a project which came together of saying, let's create modern interfaces, REST interfaces, command line tooling that you could just run on any sort of laptop, web, desktop environments such that it's really easy for somebody to integrate with a mainframe. But more importantly, I can tie that into the rest of the things I'm doing. So if you have a command line access to a mainframe that looks like any sort of other command line on Linux or whatever, you can do some Ansible scripting against it, you could build out deployment jobs with it, you can do some interesting things that way. If you have REST APIs to your mainframe, you can use those to integrate the data and applications there and pull them into other line of business services that can benefit from the work that's being done there.

And what it's really started to do is make it so that these mainframes, the footprint of those actually we start to see in organizations is starting to even grow a little bit because they're realizing is like, Oh wow, now that I can tie this mainframe into other areas, I also see an opportunity where maybe there's areas where this mainframe can be useful for me on applications I have in different parts of my business. So it's almost in a way bringing it all together, but where we fill the gap is the technologies that make the connection between the mainframe as it is to the rest of where a modern business and IT services are.

Jonathan Bennett (00:49:00):
So I have to get this in because it's hilarious. Phoenix Warp from the chat as you were talking, he was asking kind of the same question you were answering about whether the mainframe model is gonna be obsolete. And then he says, Isn't this Blockbuster trying to find a way to stay relevant with Netflix around <laugh>? I think that's hilarious.

John Mertic (00:49:22):
Yeah, I mean I think the little bit of the difference here is the how ingrained mainframe is into our culture. And not to say that Blockbuster was not a cultural phenomenon for the time that it was there, but I think the reality is, is that mainframes do things that no other platform can do and no other platform is really optimized to do. And what they do, they do really well. There's been countless times that you see out there of people, we're gonna get off our mainframes, we're gonna move away from this. And a lot of those projects fail. Some of them is just because the level and depth of the complexity of the applications on there, but more often is that they run into the things that they're trying to accomplish from a technological and performance and security and a scalability standpoint. They can't find another platform that does it well.

And so they end up having to make all sorts of compromises over there. And when they start making those compromises, they realize they're actually setting their business back and they're setting their users back and that's just not a solution for them. So I think it's just a lot of what this platform brings to the table that's so unique. It's that security, stability, scalability, and performance that just, again, if you need all of those, this is it. There's no other choices out there, period. End of sentence. And I think that hopefully makes it a little bit different than the Blockbuster analogy, although I applaud your person to the audience. It's a cute one too. <laugh>.

Doc Searles (00:50:57):
So one more thing we wanna get into on mainframes, but first have to let everybody know that this episode of Floss Weekly is brought to you by Compiler, an original podcast from Red Hat devoted to simplifying tech topics and providing insight for a new generation of IT professionals. It's hosted by Angela Andrews and Brent Simoneaux and Compiler closes the gap between those who are new to technology and those behind the inventions and services shaping our world. Compiler brings together stories and perspectives from the industry and simplifies its language, culture and movements in a way that's fun, informative and guilt free. Do you want to stay on top of tech without the time spend? An original podcast from Red Hat, Compiler presents perspectives, topics and insights from the tech industry free from jargon and judgment. They want to discover where technology is headed beyond the headlines and create a place for new IT professionals to learn, grow, and thrive.

Compiler helps people break through barriers and challenges turning code into community at all levels of the enterprise. In one episode, they cover the great stack debate. The software stack is like an onion or a sheet cake or a lasagna or is it? It's often described as having layers that sit on top of each other. The reality is much more complicated and learning about it can help any tech career. The Great Stack Debate is the first episode in Compiler's series on the software stack. They call it Stack/Unstuck. They explore each layer of the stack, what it's like to work on them and how they come together into a whole application. Another episode covers are we as productive as we think. The pressure to balance productivity with passion projects, personal responsibilities are just with a need to rest, is challenging. Their team spoke to tech minded creators in the productivity space on how to achieve full focus and how to make time for work, relaxation and creativity. And listen to that one. And it's really important for now because <laugh> productivity is, we haven't talked about it on this show, is going in all kinds of new directions as open source filters its way into the way companies themselves work. Learn more about slash twi. Listen to Compiler on your favorite podcast player. We'll also include a link in the show notes. My thanks to Compiler for their support.

So John, we understand you have some news about a mainframe that may actually be in your possession. Is that right?

John Mertic (00:53:29):
Well, not in my physical possession because I feel like my family would be a little bit unhappy that we would have to relocate things in our house here, <laugh>. But they might find it cool too. I don't know. But we have been fortunate that Broadcom mainframe software has donated an IBM z15 and disk storage and tape storage to the project for the intention for us to make this as a resource available to any open source project that would be looking to support mainframe, whether that would be Linux on the s390 architecture or z/OS. Both of those are instances we're able to provide. And the hardware is hosted at Marist College, which is another great partner. And we have another great partner, Vicom Infinity, that's helping us on the back end of the administration, but also just kind of getting through of how to get hardware like this established and another bunch of other companies that are donating software.

But the intention is that any project that has ever said, I wanted to support a mainframe, but I don't have a hardware to do it, this is it. And I've been involved in the Open Mainframe project for seven years now and this is the number one question I've always got is Great hardware, seems really cool, how could I use it? And it's hard to get access to these machines. And so we're fortunate that in 2023 we're gonna be able to bring this machine up. We're still working on some funding aspects, but we're really excited that this is really, I think for one of the first times, I mean there's been some little efforts over the years probably remember the open source development labs a few decades ago there was a little bit of mainframe infrastructure available for some projects, but at this scale and this breadth, it's never been done before. And we're super excited for this community that we're able to offer that.

Jonathan Bennett (00:55:29):
So awesome. One of the interesting things about that, I covered a story not too long ago about a security company that set up their own little mainframe workshops that they could do security research on them and they did an audit on the customer and that they found some problems. But all of the problems that they found were configuration errors. The, let's see, the old mainframes supported keyboards that had extra keys on them and IT infrastructure didn't necessarily take that into account when they were designing the menus and such. So they figured out this way to become administrator on the system, but none of it was actual problems in the mainframe or the mainframe software. It was all configuration stuff. And you don't ever hear about CVEs in mainframes or mainframe software. It's been forever since we've had one of those. <affirmative> wondering, and I'm gonna get your thoughts on this too, cause I'm real curious what you think, is that because these things are actually built like tanks and the software is built extremely defensively and they actually don't have flaws? Or is it because they're so obscure and it's so hard for people to get to work on one? And then with you guys maybe offering some time on a mainframe, do you see maybe a future where security researchers can get some time on it and try to poke at the software and hardware and find problems?

John Mertic (00:57:06):
Well, I mean, I would hope that would be one of the outcomes is that we'll see much more of this getting poked at. The mainframe community's really prided itself in its security aspect for decades. I mean, this is one of the things they really hallmark back to in and even mainframe administrators put a high degree of rigor on software that just even hits these machines for valid reason. Because it powers parts of our society and one of these things has a vulnerability and goes down, we got problems. So there are a lot of pieces with the hardware itself that has a security aspect in mind, everything from encryption, from memory all the way down to the disk. A lot of specialty chips and controllers in there that deal with encryption and pieces of that nature. So there's a lot of pieces in there that are part of it.

I think there's a lot of, part of just the culture of this group, of the rigor they put through with applications on it. But I, I think the reality is no piece of software is a hundred percent secure. I mean, it's basically just waiting for security vulnerability to be found in there somewhere. It just hasn't been tracked down. I mean that's just a reality, right? I, it sounds a little bit flippant, but it's true. And what I would hope out of this, and we've had a lot of conversations even with the open source Security foundation that sees a high importance of many of these open source projects out there, being able to have a stronger security culture and pedigree about them. And part of the way to achieve that is to have access to machines on different architectures that have some uniquenesses that are able to push your software in different ways.

And some of the examples you stated there with those researchers are spot on, I mean the mainframes have some interesting things. They use EBCDIC versus ASCII for example. Big endian versus little endian. There are technological differences under the hood that depending upon what the level of the application, the language it's building in, there are things you just have to consider. And like you said, there's also just things of how the hardware works that there are things that a project could take advantage of that may not be things on different architectures that are considered. So to answer your first question, I mean is the pendulum all on one side? No. Is it all on the other side? No, I think, I don't wanna say it's straight in the middle because that's probably also live. I think this group has such a high culture of how they think about security that I do think these machines are secure. But I would also say that with any other piece of software out there, it's the same story that the security vulnerabilities are yet to be found. And what we find in open source is having the right culture around it helps sort of move that forward and frankly also just helps address these issues faster.

Jonathan Bennett (01:00:20):
So back years ago, Eric Raymond described the two different approaches to software development and particularly open source, the Cathedral versus the Bazaar. And I think probably Linux is one of the great examples of bazaar development. Not bizarre as in strange, but bazaar as in the open-air market where everyone could come and sell and add and do their thing. And maybe mainframes are the ultimate example of the cathedral where you have the monks slowly, meticulously working away, they want to get their creation absolutely perfect and then they push it out into production. I think it's fascinating to see those two approaches.

John Mertic (01:00:58):
It is, and the interesting thing is, I think both approaches have stuff to learn from one another. The truth is the success with everything in life ends up being somewhere in the middle and actually interesting in life. I think we're seeing a lot more of the bazaar, or I think what we call today is more agile approach to development, really taking on in the mainframe world because these companies realize they have to move faster. And I think the degree of security concerns and patches and things that are needed are so much faster than they were even a couple of decades ago. I mean, you can look at my collection of old iMacs back there and you know, remember Mac OS classic operating system releases were once or twice a year and between then you didn't get anything, right? And now I've got a man Linux box over here that if I don't do the updates on it a couple of times a week, it starts screaming at me. So I just think the pace of things have really just started to change and the rigor and I think and one half it could be, I guess, frustrating the other half. I think it's kind of a good, because we've advanced ourselves of how we think about it and how we approach it and the culture that we have around it.

Doc Searles (01:02:24):
I was on mute, sorry about that. So we're getting down to the end of the show here and I just wonder if you can answer quickly is there one question we haven't asked that you could answer in a short time? It's been a really interesting show so it may not be possible. I don't know. No,

John Mertic (01:02:42):
I mean I think you answered all the questions. The only thing that I would just slightly plug is that I am working on a book on open source. I'm working with Packt Publishing on a book called The Art of Open Source. I'm about a third of the way through writing it. It should be out mid 2023. And the goal is to take a lot of the things that I have learned in working with these communities and helping provide a little bit of a guidebook with some examples and some insights from the communities I've worked with that can help project maintainers or people just new to the space of thinking about how you would approach working in open source. Everything from the starting up to the shutting down, which is an inevitability in life. So I guess I would insert my shameless plug, but other than that, you asked all great questions.

Doc Searles (01:03:27):
Good. We like our plugs. We're gonna get to a phone in a minute. Final two ones I'm sure you've answered before, be interesting if they're changed. What's your favorite text editor and scripting language?

John Mertic (01:03:40):
I am a big Vi user. Presently I'm using, I use it. I for, I mean, I don't do a lot of writing code anymore. I do some, like I said, it's pretty horrible, but I'm actually writing this book in Neovim here which is kind of a lot of fun writing it, using that in Markdown and everything. So that's been a big one for me there. And I think in the scripting language it could be a bit all over the place. I do a lot of work in Python traditionally. I first really got started in software development. I did a ton in PHP, but that's when I was doing a lot more web focused stuff. I don't do as much PHP really anymore. I think I've been doing just a lot more Python these days. But like I said, my Python code's pretty horrible so I wouldn't harken for anybody to look me up on GitHub and see the stuff I've created

Doc Searles (01:04:32):
<laugh>. Well you've just prompted a bunch of people to do that. <laugh> probably there

John Mertic (01:04:38):
For all my repositories and instead of sending all of these pull requests, what the hell were you thinking, John? Now patches are welcome. The answer patches are welcome, right,

Doc Searles (01:04:49):
<laugh>. Great. Well John, it's been awesome having you on the show. It's been a great show. I think we learned a lot and the back channel seems happy too. So thanks so much for being on here and

John Mertic (01:05:01):
Thank you for inviting me. This has been fun chatting with, I love coming on this show. You're a great steward to open source both of you, and I really appreciate the hard work you put into this.

Doc Searles (01:05:14):
And you too, man. Take it easy. Thanks.

Jonathan Bennett (01:05:18):
Thank you.

Doc Searles (01:05:20):
So John, that was good.

Jonathan Bennett (01:05:22):
Oh yeah, a lot. We took the shotgun approach for sure. Yeah, I talked about a lot of different things. Always fascinating to hear about the Linux Foundation and all the things that they're doing. And I know I, there's some subset of developers that maybe look at them a little skeptically but there's good folks there and they're trying to be helpful. Mainframes, mainframes are so fascinating to me. <laugh>, Steven Levy talks about them in his book and he describes the mainframe guys as being essentially the priests. They would take your, back in the old days, you know, would write code and it would come out on either on tape or on punch paper. You would take it to the priest and then the priest would go and put it into the machine and then take the result back and give it to you. We've come a long way since then, but it's still, it's something I need to come up with a good excuse to get some run time on their mainframe when it comes up. Figure out which one of my projects that I have a finger in would be like, Oh yeah, we could come up with a way for that to be useful on mainframes. Maybe ZoneMinder, we can handle a million cameras on one mainframe using ZoneMinder or something. It'd be fun.

Doc Searles (01:06:35):
Well, I like recognizing that there are some things that only mainframes could do and that you really can't take a thousand or a zillion micros and make a mainframe out of it. A mainframe has a bunch of callings that are not what you find on your desktop. It's not a desktop thing, it's a it's, it is made for big things and banking and space and I suppose a lot of other stuff. We didn't go into exactly where all these things are going, but it's kept IBM in business even as they got out the micro business. They've always been about that. And it's true for some other big companies. It's an important topic and we need to hit on it every once in a while.

Jonathan Bennett (01:07:28):
Yeah, we could spend another couple of hours I think talking with John and maybe another mainframe guy about all of the different places that it's in, the differences between mainframes and microcomputers, whether minicomputers exist anymore, how supercomputers fit in there. Throw back to the Beowulf cluster, there is so much space to cover in this and it would,

Doc Searles (01:07:48):
Right, we do bring up Beowulf, right? <laugh>?

Jonathan Bennett (01:07:51):
Yeah, <laugh>.

Doc Searles (01:07:52):
I thought about that. <laugh> stuff. So what have you got to plug, dude?

Jonathan Bennett (01:07:59):
Okay, so the two things I've got, first off, as you can see right here somewhere. There it is. Got the plug going on the show. Keep up with a security column. It goes live every Friday morning. Need to get to work on that later today. Cover all kinds of fun stuff. We'll probably have another mainframe story this Friday because I went to look up a source and discovered a part two of a blog article about mainframe. So we'll cover that again. But all kinds of good security stuff. It's the things that I find interesting in that you need to know about. And then the other big thing to mention is the Untitled Linux Show. That is a Club TWiT exclusive. We tape it on the Discord and there is a Club TWiT exclusive feed for it. And we have a blast just covering Linux news and tips and all the stuff you need to know about Linux.

Doc Searles (01:08:49):
So I wanna plug next week, which is gonna be Marcus Sailor Jr. This is one we've had planned for some time. I know it's gonna be a good show. So that is coming up then. So thanks everybody for being with us another week. And I am Doc Searles. This is Floss Weekly, and we'll see you then.

Speaker 5 (01:09:08):
Hey folks, I'm Ant Pruitt. I have a question for you. How do you thank your hard-working team? With the Club TWiT corporate subscription plan, of course. Show your appreciation and reward your tech team with the subscription to Club TWiT. Keep everyone informed and entertained with podcasts covering the latest in tech. With the Club TWiT subscription, they get access to all of our podcasts ad free and they also get access to our members-only Discord, access to exclusive outtakes and behind-the-scenes footage, and special content like the fireside chats that I enjoy hosting. Plus they also get shows like Hands on Mac, Hands on Windows, and the Untitled Linux Show. So go to twit and look for corporate plans for complete details.
