developerWorks Interviews: Dan Frye, vice president of IBM Open Systems Development

Open and secure: Linux today and tomorrow

Level: Introductory

Scott Laningham (scottla@us.ibm.com), Podcast Editor, IBM developerWorks

13 Mar 2007

Dan Frye, vice president of IBM® Open Systems Development, discusses Linux® today and tomorrow -- open and secure.

developerWorks: You're listening to developerWorks interviews, where we feature conversations with technical luminaries and thought leaders from a variety of disciplines on topics of interest to technology professionals. I'm your host, Scott Laningham. Our guest today is Dan Frye, vice president of IBM Open Systems Development. He runs the Linux and AIX development teams. He joins us to talk about the subject of a talk he's giving at the SELinux, which is Security Enhanced Linux, symposium this month. It's called Open and Secure Linux Today and Tomorrow. Dan, thanks for your time today.

Frye: Good morning. I appreciate having the opportunity to talk.

developerWorks: Now, there's so much we could talk about, and we might even want to think about having you on again soon, so we don't wear you out today. But I'd like to ask some things up front about Linux and SELinux, and then maybe broaden the discussion a bit into open source, if that's OK with you.

Frye: Great -- there's lots to talk about.

developerWorks: Well, you know, first of all, I wonder, in looking at some of the materials that you all had sent me ahead of time about the IBM Linux Technology Center (LTC), I wonder if you might want to just give a brief explanation of what that is for those who might not be familiar with it.

Frye: Sure. When we, IBM®, started working on Linux really at the corporate level in 1988, immediately we saw the need to participate in the community to become part of the community that produces Linux. And so we formed, in 1999, the Linux Technology Center. And the IBM Linux Technology Center has three basic missions: one, help make Linux better -- just work side by side in the worldwide open source community to add security, scalability, performance, file system work, etc., all the attributes of an enterprise UNIX that our customers need. We have been doing that in the community since 1999.

The second mission is to help make IBM successful. So we worked to deploy Linux on our Intel® servers, our POWER servers, our mainframes. We work with Software Group to make sure that WebSphere® and Domino® and Tivoli® work well on Linux. We work with services as well. So all the IBM brands that have embraced Linux, we work to make them successful and make sure the IBM products work well with Linux.

And the third mission is to expand the reach of Linux -- to make Linux work in workloads and in areas it hasn't worked before: carrier grade, real time. And so those three basic missions have been at the core of the LTC mission since 1999. We have about 600 people worldwide. On any given day, half of those people, 300, are in the community working in a variety of different Linux open source projects, helping make Linux better, helping make IBM products succeed with Linux.

Guest: Dan Frye

Daniel D. Frye, vice president -- IBM Open Systems Development, is the head of IBM’s UNIX development team, principally responsible for Linux and AIX development, and oversees IBM’s Linux technical strategy and IBM’s participation in the open source Linux development community. Prior to his current responsibilities, Frye was a member of IBM’s Emerging Technologies and Business Opportunities team where he worked on company-wide technical strategies that predicted future trends and transitions in the IT industry. At the time, he co-authored the original IBM corporate strategies for Linux and open source. Frye sits on the board of the Open Source Development Laboratory (OSDL) and participates in a variety of other Linux and open source industry groups. He has a master's degree in physics from The Johns Hopkins University and a bachelor's degree in physics from the University of Idaho. He also received his doctorate in theoretical atomic physics from The Johns Hopkins University.

developerWorks: So it sounds like the LTC really is ... or is the core of IBM's focus and efforts on Linux as well, really, isn't it?

Frye: We are the operating system development team for IBM. Now, every brand, you know, DB2®, for example, does the work to port their product on to Linux, etc., but when they have a problem in Linux -- when they need a feature, they need something improved -- they come to us and we work inside the community to help make Linux better.

developerWorks: Let me ask you a question that came from Tom Young, who is the editor of the Linux zone on developerWorks. He's wondering: Do you feel Linux is a more secure operating environment than some of its competitors, such as Windows®? And if so, why?

Frye: Security is many things to many people. And there is no such thing as perfect security. But it's pretty clear the open source development process around Linux has made Linux a secure operating system and has enabled the community and the industry to respond quickly and efficiently when there are problems. What open source forces you to do is it forces you to rely on the right algorithms. You can't do security incompletely and rely on the fact that nobody can see the source code to hide an inefficiency or problem. You'd have to do it right from the beginning. And the old adage about open source, where there are thousands of eyeballs looking at the code, is at one level [true]. When there is a security defect, there are people from lots of different backgrounds, lots of different companies, communities, looking for the problem. And the community has a fantastic record of closing security holes very quickly -- more rapidly than most of the competitive operating systems. So it's not perfect, there's still work to do. But it's a secure operating system and the open source development process really works well.

developerWorks: Now, as you're saying this, there's obviously strength in numbers with all those contributing and that really adds to the speed of response, doesn't it?

Frye: It really does. You're not dependent on a single team, in a single time zone. You've got a worldwide team. And the fact that the people looking at it come from many different cultures, many different technical backgrounds. Eric Raymond has an adage that, every defect is shallow to someone. And it really does make a difference having people from wildly different technical backgrounds looking for the same problem. It tends to get fixed faster.

developerWorks: Pretty impossible to imagine trying to assemble a team like that on a payroll, too, wouldn't it be?

Frye: Right. Right. So we have one of the, if not the largest, Linux development team in the industry, and we are probably less than 10 percent of that overall community.

developerWorks: Most people already think of Linux as being fairly secure. Why is SELinux needed? What's the thought there?

Frye: Well, so SELinux exists in Linux today. It was really started at the request and initiative of the U.S. Federal government agencies, including the National Security Agency back in 2001, where in fact, Linux was fairly secure, but it did not have a security architecture that allowed for administrators and users to set policy differently. And so a collaborative effort between the open source community, between industry, between the Linux distributors and between large users like the NSA, we really worked to put a formal security architecture called Linux Security Module inside of Linux. And then we worked to create a set of policies that users can use on top of that.

So SELinux really is a success in helping improve the security of Linux. And what it does, it allows each user to pick a different level of security. And that granularity really helps in allowing Linux to be used in a variety of different industries because you do need different levels of security for different types of use.

developerWorks: You know, as Linux continues to gain a foothold, what do you think is the future of UNIX or other OSes that are already here but are obviously going to face a challenge there?

Frye: Well, so if you look at AIX. AIX, IBM's UNIX, is the industry's leading UNIX operating system. It continues to grow. We're number one in the industry and gaining share. And really there isn't competition in the marketplace between Linux and AIX. They work in different markets, they serve different customers, a simple choice for customers. So we think AIX, you know, is, for the foreseeable future, is a growth platform for IBM on the POWER platform.

Now, Linux is different. Linux runs everywhere -- runs on our Intel platforms, our POWER platforms, our mainframes -- and brings an entirely different set of workloads to IBM platforms and to provide customer value. So we see them as complementary, as opposed to in competition.

developerWorks: Tell me about this talk that you're giving, and you may have given it by the time this podcast airs or possibly the same week. What other big points are you making that we're not even getting to here in this discussion yet in that talk in regard to Linux and security?

Frye: One of the things I'm talking about is the history of security certification around Linux. So there's two elements to security when it comes to government programs. One is functional security: Does the software, the operating system have the right function that you can set the right security policies. And is it assured? There's a formal program called the Common Criteria Certification Program, which actually has an independent agency come in and evaluate the design, evaluate the process, etc., so that you get stamped with a level of certification. Yes, the design works; yes the process works.

So we started the certification program around Linux in 2002, and at the time, there was doubt. In fact, there were people in the industry spreading fear, uncertainty, and doubt stating that Linux and open source could never be certified; that it was a chaotic process that could never undergo the rigors that this international agency process requires. And we proved that to be wrong very quickly. It turns out that it was easier and quicker to do certification around open source because it was open. The design was open and available. The documentation was open and available. And we were able to go from low levels of assurance to very competitive levels today -- much faster than any operating system in the past. So I'm going to talk about that history to the SELinux audience, which has a great number of participants from government programs that rely on security certification.

developerWorks: So is there an element in putting people at ease sort of with the message that you're giving to really highlight the progress that's been made in that area?

Frye: There is an element to that, but most of the heavy lifting around making people at ease for Linux security and certification really happened 12-24, 36 months ago; that early in the decade, there was quite a bit of question about the ... you know, separating fact from fiction around security and certification on Linux. But by and large, the question of whether Linux is secure, the question of whether Linux can be certified has gone. And so this is more of a retrospective in terms of that history. But then, I'm talking about the additional work that still needs to be done to make security around Linux easy to use, deployable in small businesses, etc. But I don't get the question very often anymore about -- can Linux really be certified? Can it be secured?

developerWorks: What about with SELinux and the IBM Linux Technology Center? What's the role there with the LTC?

Frye: So the LTC has had two roles. One: We've had a security team working inside the community, alongside the community, working to make Linux security better since 2001. Also since 2002, we've done a number of security certifications with both of our [distribution] partners, Red Hat and Novell. We've had our first certification, I believe, in 2003.

We've got additional certifications coming out this year. We certify across all of our hardware, our Intel-based servers, our POWER servers, our mainframes. So both those missions help make Linux better in terms of security architecture and also have led the industry in security certifications. And both of those have come from the LTC.

developerWorks: You know, perhaps you might give us some sense of how IBM came to embrace open source. I know Michael O'Connell, our editor in chief, was wondering about that -- how this strategy has worked from a business perspective, technical and otherwise, but just how that came about in a nutshell.

Frye: So in 1998, I was actually working in the Emerging Technologies Group in corporate, and we were debating new things IBM should worry about and the conversation of Linux came up. So we started exploring. And it turned out, even in 1998, that IBM customers were beginning to demand IBM solutions around Linux. They were asking, "When would our servers support it? When would our software support it? When would we be able to provide service and support?" So really from day one, it was not IBM looking into a crystal ball and deciding that open source was the wave of the future, it really was the marketplace knocking on the door and saying we're beginning to deploy Linux, we're beginning to deploy open source solutions, we want IBM products to work with it.

So we did a short series of strategy. We looked closely at Linux; we looked closely at open source. And it was almost immediate that ... you know, a realization at the highest levels of the corporation was, this was good for us. This was good for our customers to provide choice. This was good for the market. And so we adopted a strategy within, really within the first three months after we started looking at Linux and open source that, yes, IBM would help make Linux better and IBM had nothing to fear from open source. In fact, open source provided another way -- not the only way, but another way -- to provide innovation -- another way to set open standards. And we've had a happy marriage ever since.

developerWorks: And what do you say, or how do you respond to people who say, is open source competing with and even cannibalizing sales of IBM products? How do you deal with that question?

Frye: Well, that question doesn't come up so much anymore, either, although it used to be quite popular. And if you talk to Software Group in particular, Software Group leverages and works closely with open source.

The best example is the relationship between Apache and WebSphere®. You know, 10 years ago IBM had its own proprietary HTTP server functionality, and it had a very low market share. And what Software Group decided in the first major move IBM did around open source was they got rid of our proprietary server. They adopted Apache, which was becoming the industry standard. They incorporated that into WebSphere. And all of a sudden it was one of the elements that made WebSphere take off and become today the leading application server software. And part of that was writing, making sure it worked on the industry leading open source HTTP server. It gave them enormous flexibility in where they deployed. It got rid of expense in an area where the innovation didn't matter. And they built an extremely successful strategy that leveraged and incorporated what was going on in the marketplace. At the same time they joined the Apache community and helped make Apache better in ways that were important for their customers.

developerWorks: Quick question for developers coming from Denise Ruterbories, who is an editor with our open source zone. She asks, "What role will open source software play in the typical developer's toolbox and how can developing with open source tools help businesses grow revenue?" And that's really two questions, but the first one especially.

Frye: Well, a) I don't think there's a typical developer. So there are developers out there who will use 100-percent open source. They will use Eclipse and there is .... Anything a developer wants to do, there is a good, you know, robust, mature open source solution for it.

There are other developers out there, application developers, who won't use open source at all, not because ... in some cases because they don't like it; in some cases because they just simply prefer other solutions. But maybe they're completely happy in the .NET environment. And more typically these days, developers use a combination, kind of like our customers, the world is becoming increasingly heterogeneous, and they pick and choose tools and pick and choose environments that in some cases might be proprietary; some cases might be open source.

So I don't know how to answer the question about a typical developer other than for the ones who do want to use open source, they do it fine. Everything they need is there.

developerWorks: Mark Cappel is Denise's co-editor of the open source zone, and he's wondering: "Where do you think open source is falling short? Where does it need to strengthen?"

Frye: Let me answer that specifically around Linux, where the industry has, is now focusing around Linux and where we have work to do is around making Linux easy to use for the typical ... for the small business customers, for the less-technical customers.

We've been very good -- and open source communities are very good -- at doing base technology. The development process works very well to produce high-quality, secure-performing code, etc. What they don't do as well is make that easy to use, to make it ... to make things easy to install, easy to configure, etc. And so that is where the industry is focused now, is making open source solutions easier to deploy, easier to use, easier to upgrade and maintain. And we're making good progress and have actually made ... things have improved considerably in the last couple of years.

But that really is an area where the community process can on occasion break down -- that people tend to focus on function and tend to focus a little less than they might on the larger issues of consumability. And that's where industry helps. And that's where we can apply the resources in the areas where the community might not do everything they need to do.

developerWorks: How confident are you that that's going to be worked out?

Frye: Very confident. So we have tens of thousands of Linux customers, and they're pretty ... they're using Linux successfully in virtually every industry, geography, and workload. But they let us know when things fall short. Linux isn't perfect yet. And it's an area where they've pointed out that they want Linux easier to consume. And we have responded. It's not just IBM but the other players, whether it's Intel or HP or Oracle, and are working on these things and delivering improvements to the market.

developerWorks: This is a lot of great stuff today, Dan. And I hope we can have you back on sometime because I'm sure there's plenty more we could talk about.

Frye: I would be delighted. Be happy to do this whenever you need.

developerWorks: Our guest again was Dan Frye, vice president of IBM Open Systems Development, where he runs the Linux and AIX development teams. Find out more about Linux and open source at ibm.com/developerworks. And check out our other podcasts at ibm.com/developerworks/podcasts or through many of the popular podcast portals. I'm Scott Laningham. Talk to you next time.



About the author

Scott Laningham

Scott Laningham, host of developerWorks podcasts, was previously editor of developerWorks newsletters. Prior to IBM, he was an award-winning reporter and director for news programming featured on Public Radio International, a freelance writer for the American Communications Foundation and CBS Radio, and a songwriter/musician.



