Matt Asay, a former COO of Canonical now working at AWS, argues that the question of open source sustainability "is really a people problem."

But to make the case, he cites comments by Tobie Langel, formerly W3C's testing lead (and a former member of Facebook's Open Source and Web Standards Team) who's now founded an open-source strategies consulting firm whose clients include Mozilla, Intell, Google, and Microsoft. Much of the "open source sustainability" discussion has focused on the one thing that really needs no help being sustained: software. As Tobie Langel rightly points out, "Open source code isn't a scarce resource. It's the exact opposite, actually: It's infinitely reproducible at zero cost to the user and to the ecosystem." Nor is sustainability really a matter of funding, though this gets closer to the truth.

No, open source sustainability is really a people problem. Or, as Langel highlights, "In open source, the maintainers working on the source code are the scarce resource that needs to be protected and nurtured."

Over the past several weeks, I've interviewed a number of maintainers for popular open source projects. In every case, they talked about how they contribute because it's fun, but also acknowledged that some aspects of open source development can make it decidedly "un-fun" (e.g., demanding users who complain about missing features or existing bugs but don't contribute code or fixes). Most have found ways to turn their passion into financial independence, but Langel stresses that cash is critical to keeping open source humming along... "Without revenue, there is no maintenance, and without maintenance, the commons becomes toxic very quickly... As new security issues are discovered, open source code that isn't updated becomes a security risk..."

Langel is absolutely correct to argue, "In an ecosystem with infinite resources, the attention needs to be on the people taking care of and maintaining that resource, because that's where the bottleneck is." Again, that's partly a question of money, but it's even more a question of treating people with dignity and respect, while making open source communities a fun, welcoming place.

Slashdot reader #16,185 wrote regularly for the newsletter of a small-town computer users group. Now they've written an article for Ars Technica reminding readers that "The Homebrew Computer Club where the Apple I got its start is deservedly famous — but it's far from tech history's only community gathering centered on CPUs." Throughout the 70s and into the 90s, groups around the world helped hapless users figure out their computer systems, learn about technology trends, and discover the latest whiz-bang applications. And these groups didn't stick to Slacks, email threads, or forums; the meetings often happened in real life. But to my dismay, many young technically-inclined whippersnappers are completely unaware of computer user groups' existence and their importance in the personal computer's development. That's a damned shame... Computer groups celebrated the industry's fundamental values: a delight in technology's capabilities, a willingness to share knowledge, and a tacit understanding that we're all here to help one another...

Two things primarily made user groups disappear: first was the Internet — and the BBSes that preceded them. If you could articulate a question, you could find a website with the answer. But computers also became easier to use. Once personal computers went mainstream, troubleshooting them stopped being an esoteric endeavor.

The typical computer user group is gone now. For the exceptions, you can find an incomplete and mostly out-of-date list via the Association of PC User Groups, though online exploration may lead you to more options. For example, the Toronto PET Users Group (TPUG) is the longest continually operating Commodore user group. Washington Apple Pi is still going strong, as is the Triangle Linux Users Group. IBM's user group, SHARE, began in the 1950s and continues to support enterprise users, though it's primarily a conference these days...

Hopefully tech will continue to inspire ways to get together with other people who share your enthusiasm, whether it's Raspberry Pi meetups, Maker days, or open source conferences such as Drupalcon or PyCon. You also continue the computer user group ethos by finding ways to help other tech enthusiasts locally. For example, Hack Club aims to teach skills to high school students. Hack Clubs are already in two percent of US high schools across 35 states and 17 countries, with about 10,000 students attending clubs and hackathons each year.

So even if computer user groups largely are a thing of the past, their benefits live on. User groups were the precursor to the open source community, based on the values of sharing knowledge and helping one another. And who knows, without user groups promoting a cooperative viewpoint, the open source community might never have taken off like it did.
The article includes photographs of the OS/2 community's magazine Extended Attributes, the M.A.C.E. Journal (for Atari users), the Commodore Eight Bit Boosters newsletter, and the 1979 publication Prog/80 ("dedicated to the serious programmer.")

And it also includes video of a 1981 visit to the Boston Computer Society by a 25-year-old Bill Gates.

Though Mozilla laid off 250 people last week, the Rust Core Team wrote a blog post Tuesday reminding the world that "the Rust project as a whole is very resilient to such events..." it is a common misconception that all of the Mozilla employees who participated in Rust leadership did so as a part of their employment. In fact, many Mozilla employees in Rust leadership contributed to Rust in their personal time, not as a part of their job. Finally, we would like to emphasize that membership in Rust teams is given to individuals and is not connected to one's employer. Mozilla employees who are also members of the Rust teams continue to be members today, even if they were affected by the layoffs...
But they've still got some news: We've developed legal and financial needs that our current organization lacks the capacity to fulfill. While we were able to be successful with Mozilla's assistance for quite a while, we've reached a point where it's difficult to operate without a legal name, address, and bank account. "How does the Rust project sign a contract?" has become a question we can no longer put off....

The Rust Core Team and Mozilla are happy to announce plans to create a Rust foundation. The Rust Core Team's goal is to have the first iteration of the foundation up and running by the end of the year... The various trademarks and domain names associated with Rust, Cargo, and crates.io will move into the foundation, which will also take financial responsibility for the costs they incur.... As an immediate step the Core Team has selected members to form a project group driving the efforts to form the foundation. Expect to see follow-up blog posts from the group with more details about the process and opportunities to give feedback...

We're excited to start the next chapter of the project by forming a foundation. We would like to thank everyone we shared this journey with so far: Mozilla for incubating the project and for their support in creating a foundation, our team of leaders and contributors for constantly improving the community and the language, and everyone using Rust for creating the powerful ecosystem that drives so many people to the project. We can't wait to see what our vibrant community does next.

InfoQ reports on a new security group that launched last week: Supported by The Linux Foundation, the Open Source Security Foundation (OpenSSF) aims to create a cross-industry forum for a collaborative effort to improve open source software security. The list of initial members includes Google, Microsoft, GitHub, IBM, Red Hat, and more.

"As open source has become more pervasive, its security has become a key consideration for building and maintaining critical infrastructure that supports mission-critical systems throughout our society. It is more important than ever that we bring the industry together in a collaborative and focused effort to advance the state of open source security. The world's technology infrastructure depends on it."

Microsoft CTO for Azure Mark Russinovich explained clearly why open source security must be a community effort:

"Open-source software is inherently community-driven and as such, there is no central authority responsible for quality and maintenance. [...] Open-source software is also vulnerable to attacks against the very nature of the community, such as attackers becoming maintainers of projects and introducing malware. Given the complexity and communal nature of open source software, building better security must also be a community-driven process."
Also joining the group are Intel, IBM, Uber, and VMWare, according to Foundation's inaugural announcement, which promises its governance and decisions "will be transparent, and any specifications and projects developed will be vendor agnostic."

Microsoft just launched a new website "to showcase how it's embracing open source to 'bring choice, technology and community to our customers,'" reports ZDNet: Microsoft, under CEO Satya Nadella, has said and done a lot to shed its image as a pariah of Linux and open-source software communities. With a Linux kernel for Windows 10, GitHub, a new Android Surface Duo, and the commercial cloud as its main source of revenue, Microsoft is a very different company than it was 30 years ago when it was afraid open-source software would gobble up its intellectual property and revenues.

Nowadays, it's got a growing number of open-source projects, including its hugely popular cross-platform code editor Visual Studio Code (VS Code), .NET Core, the hit JavaScript-based programming language TypeScript, and new open-source Windows developer tools like PowerToys and Windows Terminal... According to the company, over 35,000 engineers at the company are using GitHub Enterprise Cloud to host and release official Microsoft open-source projects, samples, and documentation....

Jeff Wilcox, a software engineer with the Microsoft Open Source Programs Office, announced the new site Thursday. He notes that it is "built by the Ruby open-source project Jekyll (that also powers GitHub Pages)".

Ton Roosendaal, Chairman of Blender Foundation (which accepts donations to support activities to provide free and open accessible services for all Blender contributors), writes: Microsoft makes use of Blender to generate synthetic 3D models and images of humans that can be used to train AI models. For researchers, having access to high quality free/opensource 3D software has proven to be of great benefit for scientific projects. You can check some of their work here. To express their support, Microsoft is joining the Blender Foundation's Development Fund as a Corporate Gold member per July 1st, 2020. We at Blender are very proud of this support statement, it's another important signal that the industry migrates to open source and finds ways to contribute to it.

emil (Slashdot reader #695) writes: The advent of quantum computing poses a well-recognized threat to RSA and other well-known asymmetric cryptosystems. It has been four years since NIST opened the post-quantum cryptography competition, and we are seeing extensive delays compared to AES.

A new and (hopefully) quantum-secure SSH key exchange, based on NTRU Prime, has been present in OpenSSH since January 2019, first implemented in TinySSH shortly before. This key exchange is marked by OpenSSH as experimental, and not enabled by default.

For those ready to evaluate NTRU Prime, or otherwise seeking an SSH server with "state-of-the-art crypto" (as described by TinySSH author Jan Mojí), a complete procedure for a Musl build and Busybox container deployment is presented, with additional focus on supplemental servers and key conversion.

SUSE has released the next versions of its flagship operating system, SUSE Linux Enterprise (SLE) 15 Service Pack 2 and its latest infrastructure management program, SUSE Manager 4.1. ZDNet reports: SLE 15 SP2 is available on the x86-64, Arm, IBM POWER, IBM Z, and LinuxONE hardware architectures. This new Linux server edition is based on the Linux 5.3 kernel. This new kernel release includes upstream features such as utilization clamping support in the task scheduler, and power-efficient userspace waiting. Other new and noteworthy features include:

- Support for migration from openSUSE Leap to SUSE Linux Enterprise Server (SLES). With this, you can try the free, community openSUSE Linux distro, and then, if you find it's a good choice for your business, upgrade to SLES.
- Extended Package Search. By using the new Zypper, SUSE's command line package manager, command option -- zypper search-packages -- sysadmins can now search across all SUSE repositories, even unenabled ones. This makes it easier for administrators to find required software packages.
- SLE Software Development Kit (SDK) is now integrated into SLE. Development packages are packaged alongside regular packages. - Python 3: SLE 15 offers full support for Python 3 development. SLE still supports Python 2 for the time being.
- 389 Directory Server replaces OpenLDAP as the LDAP directory service.
- Repository Mirroring Tool (RMT) replaces Subscription Management Tool (SMT). RMT allows mirroring SUSE repositories and custom repositories. You can then register systems directly with RMT. In environments with tightened security, RMT can also proxy other RMT servers.
- Better business continuity with improved SLE Live Patching. SUSE claims Live Patching increases system uptime by up to 12 months. SLE Live Patching is also now available for IBM Z and LinuxONE mainframe architectures.

As for SUSE Manager 4.1, this is an improved open-source infrastructure management and automation solution that lowers costs, identifies risk, enhances availability, and reduces complexity in edge, cloud, and data center environments. With SUSE Manager you can keep servers, VMs, containers, and clusters secure, healthy, compliant, and low maintenance whether in private, public, or hybrid cloud. That's especially important these days thanks to coronavirus pandemic IT staff disruptions. SUSE Manager 4.1 can also be used with the Salt DevOps program. Its vertical-market brother, SUSE Manager for Retail 4.1, is optimized and tailored specifically for retail. This release comes with enhancements for small store operations, enhanced offline capabilities and image management over Wi-Fi, and enhanced virtual machine management and monitoring capabilities. Simultaneously it can scale retail environments to tens of thousands of end-point devices and help modernize point-of-service rollouts.

The Linux Foundation Public Health initiative has chosen the Covid Tracker Ireland app as one of its first two open-source Covid-19 projects. From a report: Since its launch, more than 1.3m people have downloaded the Covid Tracker Ireland app, which was developed to help track the future spread of the coronavirus. Now, the app has been chosen as one of the first two open-source contact-tracing projects by the newly established Linux Foundation Public Health (LFPH) initiative. Nearform, the Waterford-based company that developed the app with the HSE, has been made one of the initiative's seven premium members, along with Cisco, Doc.ai, Geometer, IBM, Tencent and VMware. Under the project name 'Covid Green', the source code of the Irish app is being made available for other public health authorities and their developers across the world to use and customise. As part of the agreement, Nearform will manage the source code repository on GitHub. In its announcement, the LFPH pointed to the "extraordinarily high" adoption rate of the Covid Tracker Ireland app.

Microsoft-owned GitHub has finally moved its snapshot of all active public repositories on the site to a vault in Norway. ZDNet reports: GiHub announced the archiving plan last November and on February 20 followed through with the 21 terabyte snapshot written to 186 reels of film. GitHub cancelled plans for a team to "personally escort the world's open-source code to the Arctic" due to the coronavirus pandemic, leaving the job to local partners who received the boxed films and deposited them in an old coal mine on July 8. The archive is being stored in Svalbard, Norway, a group of islands that's also home to the global seed bank.

"The code landed in Longyearbyen, a town of a few thousand people on Svalbard, where our boxes were met by a local logistics company and taken into intermediate secure storage overnight," said Julia Metcalf, director of strategic programs at GitHub. "The next morning, it traveled to the decommissioned coal mine set in the mountain, and then to a chamber deep inside hundreds of meters of permafrost, where the code now resides fulfilling their mission of preserving the world's open-source code for over 1,000 years." The repository includes public code repositories and significant dormant repos. The snapshot consists of the HEAD of the default branch of each repository, minus any binaries larger than 100kB in size. Each repository is then packaged as a single TAR file, and for efficiency's sake, most of the data will be stored as QR codes. A human-readable index and guide will itemize the location of each repository and explain how to recover the data.

An anonymous reader quotes a report from ZDNet: Google has announced it is launching a new organization, Open Usage Commons (OUC), to host the trademarks for three of its most important new open-source projects. These are Angular, a web application framework for mobile and desktop; Gerrit, a web-based team code-collaboration tool; and Istio, a popular open mesh platform to connect, manage, and secure microservices. While it only covers three Google projects, for now, OUC is meant to give open-source projects a neutral, independent home for their project trademarks. The organization will also assist with conformance testing, establishing mark usage guidelines, and handling trademark usage issues. The organization will not provide services that are outside the realm of usage, such as technical mentorship, community management, project events, or project marketing. "Having an entity like this does make some sense for a certain number of use cases," says Andrew "Andy" Updegrove, open-source standards and patent expert and founding partner of top-technology law firm Gesmer Updegrove. "The most obvious one is an unincorporated OSS project. An amorphous group of individuals can't own a trademark efficiently, so there's no way to protect the project name unless they agree on a singular owner. There are many cases where an individual member has owned a project mark, and that has often led to downstream problems. So simply having a neutral owner is a community good without going any farther than that."

Updegrove also said noted trademarks have usually been achieved by a project "approaching a host, like The Apache Foundation or Linux Foundation and asking them to take over as host. But that usually requires taking the project under the umbrella, and subject to the rules, of that foundation."

Updegrove wonders if there's "more to the story than meets the eye." He notes there is one important difference by only handing over the trademarks: "A project that is primarily important to a single vendor and primarily staffed and controlled by developers employed by that employer can continue to exercise effective control while avoiding the market suspicion that might arise if the vendor owned the mark." He suspects Google is doing this "to up the credibility of some of its projects [to the open-source community] while not taking the more extreme step of turning the project over to a foundation in connection with which a new and more independent governance structure is put in place."

Nokia has become the first major telecom equipment maker to commit to adding open interfaces in its products that will allow mobile operators to build networks that are not tied to a vendor. Reuters reports: The new technology, dubbed Open Radio Access Network (Open RAN), aims to reduce reliance on any one vendor by making every part of a telecom network interoperable and allowing operators to choose different suppliers for different components. Currently, Nokia along with Ericsson and Huawei supplies most of the equipment for building telecom networks and mobile operators can only pick one for each part of their network.

As part of the implementation plan, Nokia plans to deploy Open RAN interfaces in its baseband and radio units, a spokesman said. An initial set of Open RAN functionalities will become available this year, while the full suite of interfaces is expected to be available in 2021, the company said. Nokia, unlike other vendors, had been promising to participate in the development of open RAN technology and have joined several industry alliances.

Long-time Slashdot reader PCM2 shares a report from CBS News: Gov. Gavin Newsom on Thursday announced a new COVID-19 modeling website as well as new open-source tools designed to help California residents understand the data informing local health departments and empower what he called "citizen scientists." The governor introduced the new coronavirus modeling website [...] as a way for residents to see the raw data that is driving the decisions of state and county officials with full transparency.

The new website features three sections: a "Nowcast" section that provides the most current information on how fast COVID-19 is spreading in the state and by county; a "Forecasts" section that provides short-term COVID-19 forecasts in the state and by county; and a "Scenarios" section that projects the possible long-term impacts under different scenarios and responses to COVID-19, again for the whole state and by county. "We want to open up our site to 'netizen-tists' ... of citizen-scientists, people that are out there doing coding every single day," said Newsom. "We want to give them access through an open-source platform to all of the available data that we have, that I have, that our health professionals have, in a way that we don't believe has been done before anywhere in the United States. This is a deep dive for transparency and openness. This is a new resource that we are making available today."

Volkswagen wants to use an open-source approach to refine elements of a software-based car operating system being developed by the carmaker, Christian Senger, its board member responsible for digital services and software, said. From a report: With the advent of autonomous driving, carmakers have been forced to link up radar, camera and ultrasonic sensors and connect them to braking and steering components, something which requires thousands of lines of software code. "There is a race to create automotive operating systems. We are seeing that many non-automotive players are building up competence in this area," Senger told Reuters. By 2025, VW wants to increase its own share of software development on its cars to 60%, from 10% at present, and to design the electronics and vehicle architecture as well.

Volkswagen board member Thomas Ulbrich said in March that U.S. electric car manufacturer Tesla has a 10-year start on rivals when it comes to building electric cars and software. "In future there will likely be fewer automotive operating systems than carmakers," Senger explained. Volkswagen will define the core operating system but may seek an open source approach to enhance elements of it. "The operating system is not something that we will control on our own. We will define its core and then quickly include open-source components, to create standards. This will create opportunities for partnerships," Senger said.

The head of the Open Technology Fund (OTF) Corporation, which funds internet freedom projects and technologies, resigned Wednesday because she said she became aware of a lobbying effort that would push the group's funds toward closed-source tools rather than the open-source ones it has traditionally championed. From a report: In a resignation email sent to an OTF mailing list, Libby Liu, the inaugural OTF CEO, mentioned that the Trump administration had recently sworn in Michael Peck as the new head of the U.S. Agency for Global Media (USAGM), which is the OTF's grantor. She said that she learned of lobbying efforts to push money to closed-source tools. "As you all know, OTF's flexible, transparent, and competitive funding model has been essential to our success in supporting the most secure and effective internet freedom technologies and innovative projects available," she wrote. "I have become aware of lobbying efforts to convince the new USAGM [U.S. Agency for Global Media] CEO to interfere with the current FY2020 OTF funding stream and redirect some of our resources to a few closed-source circumvention tools."

This week long-time open source advocate Matt Asay warned employers that the best way to keep their developers happy was to let them contribute to open source projects: SlashData recently surveyed over 16,000 developers to see what makes them tick... what they care about. The data is collected in SlashData's State of the Developer Nation, though let me give you the tl;dr: 59% of developers contribute to open source software today. Why do they contribute? The top two reasons are: To improve coding skills and because they believe in open source.

Want to keep those developers happy and employed with you? Let them contribute...

[Y]our employees want to contribute both code and knowledge — they want to be part of something. Talking to Bert Hubert, founder of PowerDNS, a supplier of open source DNS software, services, and support, he stressed that an open source project must be "a fun place where people feel that they are learning things, that they're contributing things, that they're being valued." Perhaps not surprisingly, these are the same elements developers expect from their employers. By making open source a valued part of workplace expectations, employers tick both boxes.

Is it an absolute requirement that you encourage your developers to contribute to open source projects? No. But many of your best developers will chafe at keeping their talents locked up behind the firewall, and other developers simply won't apply if you have a reputation for being an open source scrooge.
The article was written by Matt Asay, a former COO of Canonical now working at AWS. (Right before becoming Canonical's COO, Matt answered questions from Slashdot readers).

The survey he cites also found that out of 17,000 developers they talked to, just 3% said they were paid to contribute to open source.

The other 97% contributed for free.

watha2020 writes: Spot, the four-legged robot made famous by its YouTube dance video, is being tested as a remote triage system at Boston's Brigham Women's Hospital. A Spot robot carrying an iPad allows doctors to interview possibly infected patients at a safe distance. [Spot is also carrying a pouch near the robot's "tail," which allows it to deliver small items such as bottled water to infected patients, without the need to send in a nurse. The report adds that an upgraded model will add cameras that can measure a patient's respiration rate and body temperature, with no need to make physical contact.] An anonymous Slashdot reader also shares news that Boston Dynamics today open-sourced its health care robotics toolkit on GitHub. "The company hopes that existing Boston Dynamics customers and other mobile robot providers can use the toolkit, which includes documentation and CAD files of enclosures and mounts, to help health care workers and essential personnel and ultimately save lives," reports VentureBeat. "The mobile robot provider outlined four use cases for its toolkit: telemedicine (which it has already deployed), remote vitals inspection, disinfection, and delivery."

Motherboard reports on a new open source program "that superimposes someone else's face onto yours in real-time, during video meetings." Programmer Ali Aliev used the open-source code from the "First Order Motion Model for Image Animation," published on the arxiv preprint server earlier this year [and developed by researchers at the University of Trento in Italy as well as Snap]... With other face-swap technologies, like deepfakes, the algorithm is trained on the face you want to swap, usually requiring several images of the person's face you're trying to animate. This model can do it in real-time, by training the algorithm on similar categories of the target (like faces)...

Aliev made a video of himself as Elon Musk, pretending to join the wrong meeting, to demonstrate the tech. It's pretty clear that it's a fake, but the eyes and head move around well enough that it'd be a neat trick for a few seconds, before the rest of the call looks any closer.
He's released his program on GitHub, naming it "Avatarify". But Motherboard warns it requires "a bit of programming knowledge" plus a powerful gaming PC.

"You have to run Zoom or Skype, as well as streaming software and Avatarify at the same time, which takes a decent amount of computing power."

The editor of TFIR posed an interesting question to Rob Hirschfeld, the Founder/CEO of RackN (which automates and integrates bare-metal infrastructure). Will the financial impact of the COVID-19 pandemic affect the sustainability of open source software?

Hirschfeld responded: "The idea that big companies are maintaining open-source projects for the community good is going to get tested, as companies look for places where they can conserve revenue. I think that's a really critical thing."

"The same is going to be true with open-source startups that are hoping to monetize support or consulting but have no real gate across the front of their infrastructure... Companies might decide they can use the open-source project and not pay the sustaining engineers that are working in that project.

"These are really serious concerns about the whole open-source model, which relies on goodwill and free money."

"Sales of Raspberry Pi's single-board computers hit 640,000 in March, the second-biggest month for sales since they started selling," reports TechRepublic, "as consumers flocked to inexpensive ways to work and learn from home." But that's not all, Eben Upton tells them: With the pandemic having highlighted shortages in personal protective equipment (PPE), 3D-printing manufacturers and hobbyists have been building face shields printed on plastic acetate that can be quickly assembled and delivered to hospitals, for free. "A lot of that is Pi-driven," Upton explained, noting that OctoPrint, which is the most popular platform for managing 3D printers, runs on Raspberry Pi... "[M]aking face shields seems to be a community effort. You have people with a home printer, printing these things once a week and then going to a post office and sending them," he said.

"Then you'll have some people sat in a hack space receiving the parcels, cutting the acetate and the elastic, assembling them into face shields then sending them to the hospital. It's amazing." Upton suggested this effort could eventually be ramped up to a "massively distributed scale", with the benefit of open source being that, once you have a good design that works, it can be rapidly iterated. In the long term, this could even include the ventilators themselves, he said.

"One thing we're seeing with this is people finding a niche within which open hardware really works," he said.