Does the crisis of open source security lie in trusting GitHub too much? An exclusive interview with Brian Behlendorf, the father of Apache and general manager of the OpenSSF Foundation


[CSDN Editor's Note] The Apache Software Foundation and the Linux Foundation, the flag-bearers of global open source, have deeply influenced billions of developers around the world since their establishment more than 20 years ago. As the penetration of open source keeps rising year by year, high-impact security issues such as the open source supply chain are also posing challenges to open source practitioners. This article follows the perspective of Brian Behlendorf, one of the founders of Apache and general manager of the OpenSSF Foundation, and presents this open source founder's in-depth thoughts on the open source ecosystem and its security.

Author | Wang Qilong    Editor-in-charge | He Miao

Produced | "New Programmer" editorial department

In the minds of open source developers, the significance of Apache and Linux is self-evident. The development of open source today is inseparable from the help of many non-profit open source software organizations, and these two are the best among them. To this day, the Apache HTTP Server, created in the early years by a group of programmers led by Brian Behlendorf who rewrote the open source program NCSA HTTPd, is still the number one web server in the world. Originally jokingly nicknamed the "patch server", it became the legend of the web server and earned Brian Behlendorf the honorary title of "Father of Apache".

At the same time, Apache ShardingSphere, Apache SkyWalking, Apache Doris and others that are familiar to domestic developers are also top open source projects incubated by Apache. Apache's open source culture deeply affects developers around the world. The "Apache Way" points technical people toward answers to "how do you do open source? How do you do open source well?" The principle that "what didn't happen on the mailing list didn't happen" was inherited from an accidental move by Brian Behlendorf: in his early years, in order to communicate better, he set up a mailing list to bring everyone together so they could work together more effectively.

Today's open source has entered a new stage. The pioneers have returned from pioneering and have begun to study the more practical problem of open source security. Brian Behlendorf, one of the founders of Apache, has also joined the OpenSSF Open Source Security Foundation as general manager, committed to building security into the global open source ecosystem.


Brian Behlendorf, co-founder of Apache and general manager of the OpenSSF Foundation

This issue of "New Programmer 005" was fortunate to invite this open source master for an exclusive interview. He not only shared with us many practical experiences and valuable thoughts on building open source security, but also revealed his most sincere and lofty open source ideals.

The following is a transcript of the interview with Brian Behlendorf:


The growth path of "the father of Apache"

"New Programmer": It is understood that your parents work in the technology field, but you did not major in computer science in college. What were you more interested in at that time? What later sparked your interest in computer programming?

Brian: I graduated high school in 1991, the same year that Tim Berners-Lee launched the world's first web browser and web server, but not many people knew about it at the time. When I was in high school, my parents met and worked at IBM, so we had a personal computer at home. But my father was a COBOL programmer, and the COBOL language was boring to me, so I didn't plan to write software as my future job.

While in college at UC Berkeley, I started out as a physics major, but slowly became more interested in computer science as I set up my first email account in college and was exposed to the Internet. It was also from that time that I started running some independent programming projects, and thus got a lab job helping to manage Unix machines, and gained a certain understanding of the work and operations of the computer programming industry. Later, I became very interested in electronic music, so I established a website about electronic music in 1992 and started to build a community there. This also resulted in me not having time to complete my undergraduate degree.

"New Programmer": So what did you think of the Unix operating system when you first heard about it?

Brian: My first impression of Unix was that it was command-line driven, which I was ecstatic about. For me, typing the command line is like talking to the computer. I can give the computer very precise and specific requests through the command line. The command line is even easier to use than the GUI because I don't have to open folder after folder and try to find the right button or input. From this perspective, the birth of Unix was inspiring.

Looking back now at around 1991 to 1993, the Internet atmosphere and even the social culture at that time greatly encouraged mutual help. It was an era when everything seemed perfect. You would be excited about receiving emails from strangers. You would imagine that everyone you came into contact with on the Internet was friendly and interesting. You would want to bring more people onto the Internet. This culture predates even open source software, but I think it's still carried forward today, and many open source communities are now productive and creative.

"New Programmer": Do you still remember the first interesting program you wrote? Has your early programming style carried over into your current work?

Brian: When I was about eight years old, I read a book on how to program a TRS-80 computer in BASIC, and I used that book to write some simple games and programs. As for the first real program I wrote, it goes back to when I was in fourth grade. At that time, I needed to arrange a random seating chart for my class every two weeks, so I wrote a program that could randomly assign seats and print out the results. The funny thing is, if I was randomly assigned to sit next to someone I didn't like, I'd let it run again and just "randomly" sit next to the cool kids in the class - so this seating chart wasn't exactly "random". The teacher didn't understand how it worked, so he didn't notice my little tricks.

But after that, I stopped programming regularly for most of my career. I still remember that I wrote a lot of programs in the early days of building the Apache Web server, and I also wrote a lot when Apache's first sponsored website was launched. I still maintain my own mail server, but I never consider myself a great software developer. I'm not great.

"New Programmer": After leaving campus in 1993, you founded Organic, Inc. with your partners, but the web server software at that time could not handle the company's needs, so you tried to tinker with open source code. Was that your first exposure to open source? How did you become involved with open source?

Brian: No, not then. The first time I came into contact with open source was when I first went to Berkeley in 1991. I began to explore what the early Internet was like. I saw that there was a lot of software available for download on the Internet, and I could easily download each program and run it on my own computer. Since then I have had an idea: software should not be something that one or two people write and sell for more than $30 a copy; instead, software should be something that hundreds of people write in small pieces and then bring together. That may be the prototype of my open source thinking. This experience happened in 1991, and it was the first time I used what you would today consider "open source software," but it wasn't called open source until 1998, when the term open source was invented.


Secure open source development requires a public “ingredient list”

"New Programmer": Since the "shocking" vulnerability in Log4j2 was exposed in December last year, it has drawn the attention and reflection of many governments and technology giants around the world. At the same time, discussions on the security of open source software have also become more and more urgent. For you, what are the big changes that have occurred in the open source security space over the past few years?

Brian: Open source security is something that governments and businesses need to work together on. I remember they released quite a few reports after the Log4j incident, but in one report released about 3 weeks ago they said: there were a lot of different situations that led to this crisis, so hopefully open source security foundations like OpenSSF will do more and more. OpenSSF was cited 29 times in that government report. It seems to me that, at least for the past few years, the National Security Council has stopped giving us a say in fixing vulnerabilities, so for the foundation to get to where it is today is not only very satisfying, but also very daunting. Open source security is a daunting task before us, and society depends on it to function just as much as we depend on bridges, highways, power grids, or other parts of society; we cannot live without it.

"New Programmer": In October 2021, the Linux Foundation announced a new investment of US$10 million to expand and support the Open Source Security Foundation (OpenSSF) and protect the open source supply chain. Why is an open source supply chain so important? What place does it occupy in the development of open source?

Brian: The supply chain represents everything. It can be said that the world we live in is made up of supply chains. There is a mouse next to my computer now because of the existence of a supply chain. Software is no exception. It is rare that software is written by one person and then sent directly to end users, because open source software is inseparable from the existence of a supply chain.

Because of this, supply chains are now also a major target of attack. Ten years ago, we would never have imagined that someone might secretly insert a bad package into our package database, let alone that the author of a JavaScript module might sell his account to a hacker, and that the hacker might use it to set backdoors on our website... Our business was built in an era of high trust in each other, when we didn't have to worry about these types of attacks. Now we have realized that we need to help open source developers make more secure decisions.

"New Programmer": What do you think is the biggest challenge currently facing the security of open source software?

Brian: Today’s developers often overlook an issue, and that is platform selection. For example, when I need to add a function, I usually build it based on the existing library. During the construction process, I need the help of the platform, but we always default to a platform and rely on it, without thinking deeply about it. Security issues. You can think this is because most programmers are "efficient", but in fact it is also a kind of "lazy". Everyone gives a lot of trust to central organizations like GitHub during the development process and never even questions them.

Of course, I hope GitHub will never be hacked. Once GitHub is hacked, many people will suffer. GitHub has done a great job so far, but should we really put all our trust in one organization?

I don't know the answer to this question either. We have a project in OpenSSF called Sigstore that uses a very lightweight, Let's Encrypt-style way of signing artifacts in the development process with keys, embedding it in the tools everyone uses to build and publish. It's like the ingredient lists we see everywhere in our lives: if you pick up a bottle of ketchup, the manufacturer must tell you what's in the bottle, lest someone have an allergy. In short, developers now need better software tools to promote open source security.

Open source development also requires such an "ingredient list" and a transparent and open collaboration process. Many businesses often don't know what software they are running, and Log4j has problems because of this. When deploying software, developers need to understand the construction of the target object and the running process of the entire set of work. We try to avoid software that only one developer has seen, software from untrustworthy sources, or software where you can't guarantee whether the build server has been compromised.


Overcoming language barriers, OpenSSF boosts China’s open source security construction

"New Programmer": Many problems may look different in China, giving rise to new problems. What are your views on the current state of open source in China?

Brian: Open source security is a problem in every country. At this point, everyone's interests are actually the same. After all, the Log4j vulnerability was discovered by researchers from Alibaba (Alibaba Cloud). We need to work together, and that's one of the reasons why I'm participating in this interview, I really want to see the Chinese community, businesses, developers, and even policymakers really unified on this.

Of course, I am also very aware of some of the problems that Chinese developers are facing now, and the most important one is definitely the language issue. If your native language is not English, working with developers outside of China can be a challenge, hindering collaboration and development by not knowing how to ask the right questions. Linux is working with OpenSSF, and we are trying to create a Chinese sub-community that focuses on serving and helping Chinese developers adopt these advanced technologies, while also letting Chinese developers help us improve the technology, and eventually open the Sigstore project I mentioned earlier in China. These should be localized to China so that the Chinese community can learn and use them more widely.

"New Programmer": To reduce the security risks of open source software, security awareness is also very important. How does OpenSSF help open source users effectively improve their security awareness?

Brian: We publish quite a bit of content on OpenSSF to not only help developers learn how to use the tools, but also to help them write more secure code. In fact, we have published a course on basic Linux security training on the training website, and are now translating it into Chinese; it is called the basic course on secure software development. The course is about 20 hours long, which isn't very long, but it teaches you how to avoid problems like parsing untrusted user input and mishandling input format strings - the problem that caused Log4j's bug. We believe that if more developers took this course and became certified, the risks associated with code entering the software supply chain would be greatly reduced.

All in all, I encourage developers to go take this course on the OpenSSF website, especially after we localize it into Chinese. We've also published a guide that outlines a list of things open source projects can do to improve security. OpenSSF opens up many resources to help developers, not just to make their code more secure, but more importantly to cultivate a different way of thinking and a different way of doing things.

"New Programmer": Most Chinese developers are relatively pragmatic, and they are very concerned about the commercialization and openness of open source software. What are your thoughts on this?

Brian: If everyone chose to sell their code, it would be impossible for companies like Google, Amazon, or even Baidu and Tencent to grow. We should really think specifically about how to commercialize open source code, but certainly not by selling the open source code itself, but by doing other things around it; for example, we can use open source code to build a great website, a mobile application, mobile app backends, launch some compelling new services, and more. Don't always think about how to sell open source code. You should think about how you can use this open source code to create more value in the world, and people will naturally pay you.

"New Programmer": You once mentioned the concept of sustainable open source software. How can Chinese developers benefit from this concept?

Brian: The concept of sustainable open source is not necessarily related to software. First of all, you have to realize that most people do not write open source code out of charity. They choose open source not out of altruism, but to write code for free. For example, if you are working on a project to build a web service or a payment platform, then every time you fix a bug, add a feature, or write something new during the process, it needs to be paid for. Therefore, a well-run and long-lasting open source project is the main driver of people's activities, and I think this is a key issue for enterprises to consider.

For Chinese developers, I also want to say that we are here, we want you to be stronger, and we also want you to help each other to achieve global collaboration. I think there are a lot of developers that have put a lot of effort into solving this problem. "Communication" is a very important thing. The development of human beings originated from communication. We will provide tools for all Chinese companies—even global industries—to share the results of this open source undertaking.


The Apache Way is a safer way to collaborate

"New Programmer": As a founding member of the Apache Software Foundation, what is your understanding of the famous "Apache Way"? How does this open source operation ensure the security of open source software?

Brian: In fact, there has never been a clear definition of the Apache Way. It has two core points: email and digital communication. The Apache Way is a fully inclusive, open, transparent, and consensus-based way of working. Let us make an analogy: if a project or something does not happen on our public mailing list, then you can do it privately first, but you have to bring it back to the public and have a group conversation before you can move forward with the project. The theme of the Apache Way is transparency and collaboration. We try to avoid the situation of "one person is responsible for the entire software", because if the only person in charge of a project leaves the project one day, no one will know how to continue maintenance.

As I said before, you want to make sure that in an open source project there are always many people responsible for each line of code, or even for the entire project. This is the Apache Way, and I think it is actually a rule of life. This way we work together, using simple tools to coordinate our activities and sharing expectations for how things should be written, so that we can be productive and write the best software possible, building public trust in our code.

"New Programmer": Do you have any interesting stories to share about the "Apache Way" and your working methods?

Brian: I really like using email for work communication. I like the feeling of online collaboration in an asynchronous way. Email also tolerates our time differences, cultural differences, language differences, etc. As for interesting facts, our Apache Web server project is actually an example. There is a person named Alexico in our project. He has provided us with a lot of practical help for most of the three years since the server project was established. Not only did he help write some code, he also helped other people in the project write code, assisted in reviewing other people's code, and even helped us answer user questions. I have to say that he is really an excellent community builder.

But video conferencing wasn't popular at that time, and we didn't have many face-to-face opportunities, so I never met him in person; the only thing I knew was Alexico's email address. Until one day, he sent a message to the Apache Web server developer mailing list and said: "Hey guys, I have some news for you. I may not be able to contribute as much to the project in the future, nor be online as much; I'm going to college this fall."

He had been working on this open source project as a high school student, interacting with all the other professional software developers! At that time, everyone in our project was shocked by his diligence, intelligence, and pure open source spirit, which we later saw among people in many different countries. So I think the Apache Way can help people whose first language is not English communicate using email much better than using video or phone calls or other methods, because using email ensures that the message is conveyed more accurately.


Open source is born free, global collaboration is the ultimate ideal

"New Programmer": In the field of open source, the value of freedom of Richard Stallman (the spiritual leader of the free software movement) is a major idea that can never be avoided. What do you think is the difference between "free software" and "open source software" today compared to the past?

Brian: I respect Richard M. Stallman very much. There is a popular saying in our community: If Richard M. Stallman did not exist, we must create a Richard M. Stallman. Because it's very useful to have him represent a variety of viewpoints. Others in the community look like moderates by comparison. I'm very aware of the practical benefits of sharing source code, and I think this right is very important, and Richard M. Stallman even considers it a human right. I believe we have been able to convert many people in the industry to open source software careers. You know, 90% of the software used on mobile phones, cars or websites in the world today is open source software.

Of course, I am not emphasizing that software should be open source from a moral or human rights perspective. It is precisely because open source projects work together as a team to build better software more efficiently that I think free software and agile development can coexist with open source software; I don't think they are antithetical or inconsistent. The open source software movement has always been about "how can we help developers?" and "how can we help businesses write better code?" I think the debate on these issues is long over; open source has largely won. Now that we have won, we should think about how to use open source to develop the society and future we want. My ideal is global collaboration.

"New Programmer": Finally, what words do you want to send to Chinese developers? How do you assess the development prospects of open source globally and in China?

Brian: I'm an idealist. I want a future where we can collaborate globally on common projects, where we can find a way to work together regardless of barriers like languages, time zones, politics, etc., but I'm concerned that this will happen. In fact, I don't think enough people are writing open source code today to meet the needs of the market. I want the future to be like the early days of Apache, where everyone can work together, regardless of each other's origins, ages, or backgrounds. This is the future of open source code I want. I also hope that governments will recognize more of the critical role that open source software plays in building the society we want, and that open source will build a very digital society. All businesses (mainly large ones, of course) and individuals need to recognize and invest in open source code, and realize the positive consequences that open source code can bring to society. These are my hopes. My fear is that we will never get close to that goal; I fear that we will go in the opposite direction, but I cannot predict whether we will go in a more optimistic direction in the future, so all I can do is talk about the current direction of optimism.


Origin blog.csdn.net/CrisAppleYan/article/details/127681392