The winner of the 100-model war will eventually be the open source model | Near Craftsman


Author | Wang Qilong

Editor | He Miao

Produced | "New Programmer" Editorial Department


"The future I hope for is one in which we can cooperate globally on common projects, and find a way to collaborate that is not affected by language, time zone, political and other barriers." When CSDN's "New Programmer" interviewed Brian Behlendorf, the father of Apache and general manager of the OpenSSF Foundation, in 2022, these were the sincere and lofty open source ideals he confided at the end of the conversation.

Time has passed, and Brian is now the chief technology officer of the OpenSSF Foundation. He has led the foundation to become a large organization that connects one hundred companies, spreading security protection across the open source field to prevent the next "Log4j2 crisis" from breaking out. On the platform he has built, OpenSSF working groups distributed around the world each perform their duties. People from different countries, time zones, and companies have reached consensus and put the open source spirit into practice to achieve global security governance.

Time has also changed the world's hottest topics. The advent of ChatGPT has swept AI across all major fields, attracting the attention of technology giants, business leaders and entrepreneurs alike. While Musk and Jen-Hsun Huang stole the show in the news about artificial intelligence, Brian, who is deeply involved in open source, also set his sights on the hot large models. In his opinion, the final "big winner" among AI models will be the open source model: the popular ChatGPT is like the arrogant Windows 98 of its day, yet in the end almost all electronic devices around the world chose Linux, the open source operating system of our era.

In this issue of "Near Craftsman", Brian Behlendorf came to China for a face-to-face conversation with CSDN & "New Programmer" chief content consultant Zou Xin. He not only talks about OpenSSF's experience during the pandemic, but also brings his own unique views on artificial intelligence, as well as valuable advice for students, programmers, and developers in general.


ChatGPT is like Win 98 back then, but Linux has become a mainstay in many fields

Zou Xin: The popularity of ChatGPT in the past six months has attracted much attention to the success of OpenAI. What do you think of this? 

Brian: I don't know how open OpenAI is now, but it undoubtedly uses all the existing open source tools to train on large amounts of data, and has iterated from GPT-1 to GPT-4. In some respects, the success of OpenAI is somewhat similar to Microsoft's launch of Windows 98, which summed up Microsoft's achievements of a certain period. ChatGPT plays the role of a platform, provides opportunities for startups, and is also an important node in a changing era. As we look at this turning point, it's worth remembering that when Windows 98 was released, Linux was still unknown. Linux has now become the mainstay of many fields, and most electronic devices run on it. Linux, which was originally regarded as charity or even academic research, has developed into the core supporting 70% to 90% of technology brands.

The power of open source cannot be ignored. After witnessing the emergence of ChatGPT and other large language models, we have also witnessed the vigorous development of open source large language models. Some companies, such as HuggingFace, are making continued progress in this area. The influence of open source models is gradually increasing, and the gap with ChatGPT is also rapidly narrowing. These open source models will be trained more efficiently and incorporate more patterns. I firmly believe that by the end of this year, open source models will be on par with closed source models. Windows 98 and ChatGPT are dominated by a single company and a single product. Although this model is efficient and focused and can create many amazing results, I think developers are generally eager for the future software model to be more decentralized, and eager to build a more open source and open development environment in a mode of multi-person participation.

The Linux Foundation has long had tools and strategies for collecting big data, and established the LF AI & Data Foundation, which is crucial for building large models. The addition of Huawei, ZTE, Alibaba, and CSDN makes these models more reliable. In addition, LF AI & Data recently established a Generative AI working group dedicated to open source large model projects, which is expected to be released in Shenzhen in September. 

Zou Xin: The IT field has historically proven that development by multiple people often leads to better results. We look forward to better open source large models in the future, so that different companies can use them to freely explore different application models. In addition, in June this year, OpenAI CEO Sam Altman called for global security cooperation in a speech. In your opinion, what is the biggest obstacle to global collaboration? 

Brian: Linux is actually not more secure than Windows, but people's trust in Linux stems from its open source nature. Being able to find potential security holes yourself and fix them makes Linux more transparent and easier to scrutinize. Precisely because open source software can be reviewed, improved, and shared by many people, more secure code can be created.

Similar to open source software, AI models may benefit from more collaboration, improvement, and sharing. People’s concerns and doubts about artificial intelligence may be answered with more people’s participation and direct cooperation. By working with, recombining, improving, and integrating models, AI may also become more transparent and trustworthy, addressing concerns about its direction.


Global collaboration that eliminates time zone and cultural differences may rely on AI

Zou Xin: This is your first visit to China after the epidemic. What kind of organization is OpenSSF? What changes has it undergone in the past three years? 

Brian: At the end of last year, the Linux Foundation internally tailored a series of different strategies for OpenSSF, with the goal of improving the original security posture of open source software and addressing some deficiencies in the software supply chain. These projects quickly became community-led, with me as the lead at the time.

Prior to this, I had served as the executive director of the Linux Foundation's open source project Hyperledger for 5 years, and later moved from Hyperledger to a larger-scale foundation career. OpenSSF was established due to widespread attention caused by famous security incidents such as Log4j2 and SolarWinds. Today I am the CTO of OpenSSF. 

It took me three years to make OpenSSF an organization that connects 100 companies, including many large companies such as Huawei, Tencent, Alibaba and many other Chinese companies. In order to identify the security vulnerabilities of open source software and its code, we launched a series of projects to measure the risks of open source software, to make software more secure by training developers to write more secure code, and to look at supply-chain-specific tools (for example, a framework that describes the security level of software through signatures on the software engineering process), and so on. Our mission is to seal these vulnerabilities.

Zou Xin: The open source supply chain is an important part of the open source ecosystem. You have emphasized this point in many speeches. What is an open source supply chain? Why is it so important? 

Brian: Open source software and the Internet are inseparable. In the early days of the Internet, we could easily send emails to anyone, and even send presidential letters in the name of the White House to play pranks and deceive people. Before TLS became popular, everyone had a high level of trust in content on the Internet. But as people go deeper into the field of open source software, they gradually learn to pay attention to the chain of custody when a project releases its build package on its website, to understand the entire process from the GitHub repository to the package release website to the personal device, and to understand which links may be subject to improper interference. In complex enterprise environments, supply chains are becoming increasingly complex.

Therefore, OpenSSF introduced two technologies to prevent the next Log4j2 or SolarWinds disaster. The first is Sigstore, a signing platform similar to Let's Encrypt (a well-known TLS certificate authority). Sigstore allows developers to easily sign releases and build tarballs. This allows the identity of the developer to be verified at the repository as the code passes through the system, thereby enhancing supply chain integrity.

The second is SLSA, which stands for "Supply-chain Levels for Software Artifacts". SLSA provides a standard or specification for the conditions under which software artifacts flowing through the supply chain are produced. This covers the use of trusted hardware, whether multiple people sign off when a source code archive is released, and so on. It is a self-verifying approach based on technology developed internally at Google that has become an open source project and is used to manage risks in the software supply chain.

Zou Xin: The OpenSSF Foundation has six designated security-related working groups. Why six? How do they collaborate? 

Brian: We're actually going to increase the number of working groups to nine.

Since the early days of OpenSSF, various ideas and projects have emerged within the community. The organization began to group projects by topic, and eventually OpenSSF activities were classified into different working groups. There are people who focus on the supply chain, developing tools to measure software risk, and there are people who write coding best practices and provide tools, documentation, and guidance. We recently formed a new working group to help users integrate tools from the perspective of banks and healthcare companies.

The establishment of the working group is an expanded approach. We are currently launching a working group focused on artificial intelligence and machine learning, trying to explore how to use artificial intelligence to improve the security of software, and pay attention to the security issues of artificial intelligence itself, and Find ways to coordinate different activities so that they actually create value. 

Zou Xin: The members of the working group are distributed all over the world. How does OpenSSF allow people from different countries, different time zones, and different companies to reach consensus and implement an effective working model? 

Brian: This is really a long-standing challenge of open source projects. I took inspiration from the Greek diarchy, which allowed people with different motivations, priorities, and skills to work together. 

In an open source project team, everyone has their own priorities, and having a good idea doesn’t mean others will follow it. So the key is how to build a framework where people not only have good ideas, but are willing to act on them and submit pull requests or provide documentation. That said, we need to create a culture within the work group. In open source projects, people need to communicate frequently, stay open, and avoid infighting. That's the art of building community, and I've learned how to do it, and do it brilliantly, from the case of the Linux Foundation. 

Time zone issues are my biggest concern when thinking about building a global team. When I was involved in developing Apache, everything was email-based, and the basic principle was: if something didn't happen on the email list, it didn't happen. Because email has no time zone restrictions, in this work environment, it doesn't matter if you reply to the email every few hours. However, collaboration can become difficult during live calls on Zoom or Slack. Many open source projects now focus heavily on real-time chat and video conferencing. This is indeed a good thing. It will become easier for people to ask for help and cooperation will become smoother when people communicate face to face. But these tools do make collaboration between participants in different time zones difficult, and this cannot be ignored. 

Therefore, we have been considering whether to schedule some meetings during business hours in the Asia Pacific region. In the Hyperledger project in China, we created a local Chinese community focused on supporting local developers and provided translation and other support. When someone wants to contribute, we become a bridge to the global community. OpenSSF is also promoting similar work and has translated many OpenSSF websites and documents into Chinese and shared them through WeChat channels. However, it still faces the challenge of how to introduce more Chinese people into the project. 

Zou Xin: I discovered your trick, which is to solve local problems first. 

Brian: Yes. Developers face a learning curve when getting involved in any open source project. Sometimes documentation can be lacking and we have to help developers understand how the project works. If your developers don't understand English, this will undoubtedly present some challenges. Even the best machine translation today cannot completely solve this problem. I think the worst-case scenario in the future is that every problem is solved in two different open source projects, let's say one in China and another in the United States. I really hope that common technical solutions can be built together, and maybe future AI translators can solve this problem. 

We have to create ways to cope with time zone differences and cultural differences. That's why I traveled to China, and the Linux Foundation also holds events in China. Even during the most difficult times in the past, we continued to work closely with open source developers around the world.


Security issues should not be patched up afterwards, but nipped in the bud.

Zou Xin: In the software development process, security is often ignored by people. Usually people come up with ideas first and then start thinking about security later in development. But I think developers around the world have made some progress now, especially in the open source field. For some small companies or projects, they may worry that they do not have the ability to consider such important security issues. What suggestions do you have for this? 

Brian: There is a skill to learning how to refactor other people's code, and it's a skill that open source developers need to learn. A project that has been around for a while and has many contributors is often more secure than a young project with just one person. 

Ideally, the more people checking, the fewer errors there will be. OpenSSF runs a project called the Security Scorecard, which covers over a hundred different heuristics to assess risk for projects in open source software repositories such as GitHub or others by automating inspections of software performance. More than 1 million GitHub code repositories have been evaluated and a credit score of open source code has been generated. Think of it as a credit report for open source code, assessing the code's reliability and potential vulnerability risks. I hope to integrate this into developer tools. In this way, when developers need a certain feature, they can quickly check the scores of different options and decide whether to choose the option with the least risk from a risk perspective. You'll even see insurance companies use this score to assess the risk of data sources when auditing a business, thereby deciding whether to charge higher cybersecurity insurance premiums. Risk assessment is crucial. 

Additionally, improving software security is not expensive. We developed a course in OpenSSF's best practices working group called "Writing Secure Software." The course contains about 16 hours of content and brings together some common bad programming cases to help new developers avoid the most common vulnerabilities. Even Log4j developers can take this course and become aware of the risks in their code, as one of the important pieces of advice is not to trust user input and parse formatted strings, which is exactly what Log4j does. I hope that software developers - even those using tools like ChatGPT or Copilot - will benefit from this course. You can get certified through the Linux Foundation, and the course is free.

Zou Xin: Is this course suitable for college students? 

Brian: This is not a very technical course. It is best to have learned at least one programming language before taking this course. It can be Python or Go, of course it can also be C. 

This course will help students gain a solid foundation in better understanding and applying the fundamental principles of software security throughout their careers. It can also help people realize that security problems are not something that can be solved immediately, but can be prevented before they happen . If the security issue is left to the end, it may never be addressed. By learning these techniques, developers will take steps to improve code security during the process of writing code, rather than waiting until the end.


If you don’t understand open source, don’t expect to learn computer science well.

Zou Xin: Today, many young people in China begin to study IT-related majors in college or even high school, and open source may not be one of their biggest concerns. Do you think it’s appropriate for high school students to join open source projects? 

Brian: This may be my bias, but I think that in today's computer science education, even high school students should have priority in exposure to open source software. In the United States, there is a very popular programming language called Scratch, which teaches simple programming concepts. It is suitable for different age groups, especially beginners. Through visualization, users can create interactive projects, share code, and learn how to read and improve other people's code. 

On the Scratch platform, I can see people making their own drone software and young kids participating in the development of robot software, and these projects are open source from the beginning. When I was in college, the chip architecture courses taught closed source architectures. Nowadays, more and more people are starting to learn the RISC-V architecture. In addition, when people learn operating systems, they will not learn the closed-source macOS kernel. Instead, they will learn the Linux kernel or other open source kernels from the beginning.

Therefore, it is impossible for today's students to learn computer science well if they do not understand open source knowledge. 

Many young people have long felt that open source is a natural part of computer science. This is like if you explain to fish how important water is, the fish may not understand why you emphasize the importance of water, because to them, the existence of water (open source) is taken for granted. 

Zou Xin: There are still differences in the understanding of open source among users in the open source community. Some simply enjoy free source code; some actively participate in contributions; others want to contribute but don’t know how to start; and some students who have not joined the game think Open source means free, and there is no way to make money from it, thus questioning its meaning. Can you solve this mystery for us? 

Brian: People who don't know how to start often just don't see the problem in the code. When software developers encounter a problem, do they understand whether the problem is a bug or a missing functionality in the code itself? How do you find the right person to ask this question? How to ask smart questions in open source projects? These techniques are rarely pointed out. Therefore, a new course should be established in computer science education in the future: how to interact with open source projects. Allow software developers to identify the nature of a problem and then provide fixes or even create new features. I hope every college student majoring in computer science can understand how to participate in projects, how to communicate with people, and ultimately benefit from it.


If AI can help everyone become a 10x developer, then let’s do it!

Zou Xin: Artificial intelligence has recently made amazing progress in writing code, and college students majoring in information technology have begun to worry that artificial intelligence will replace their jobs. What advice do you have for them? 

Brian: Every technology wave will disrupt something, and there is no reason to be afraid of these technologies. Ultimately, these technologies have become tools for empowerment. Let's look at cars. The automatic transmission was also considered "magic" when it came out, but instead of suddenly making people unemployed, it made driving easier. Instead of losing their jobs, people will change their roles . I think students should now focus on learning how to use these tools and think about how to use them to solve real problems, rather than just using AI to complete assignments, so that they will be more competitive in future jobs. 

Zou Xin: For example, use AI to write a sorting function. 

Brian: It's ridiculous to expect developers to write sorting functions over and over again. It's fun to understand how functions work, but no one actually writes sorting functions over and over again. AI tools will help developers improve efficiency and accelerate work processes. Most developers feel like they don’t have enough time to handle all their tasks. If AI can really help everyone become a 10x developer, then so be it! To be honest, there is no reason why people studying software development should not use these tools. 

Zou Xin: Kent Beck, an advocate of agile software development, once wrote on Twitter: “I reluctantly tried to write code with AI, and then discovered that it can replace 90% of my skills. And amplify the remaining 10% of my skills a thousand times.” 

Brian: Yes, those parts that have been replaced, we will find new ways to fill them, and there is no doubt that AI will help us do that. 

Zou Xin: In the AI ​​era, what are the most critical core skills for students and professionals, especially those in the software field? If artificial intelligence can automatically complete "CRUD", that is, create, retrieve, update, delete these tasks, what else can we do? 

Brian: In my opinion, one of the key qualities of great developers is the ability to draw inferences from one example to another. When someone proposes that software needs to implement some new features, a good developer will first think: Does this software really need new features? Perhaps the software has other potential capabilities or can provide value to the innovation process, such as considering user interface and user experience. Developers will focus more on product design and correctly guide product development, rather than being too entangled in building algorithms or debugging low-level application programming interfaces. This will help reduce errors, improve work efficiency, and bring more fun.


"I want to create a better world for my daughter"

Zou Xin: What are your expectations for the next two to three years? Is it optimistic that there will be more cooperation between different organizations and countries? Or pessimistic about the different geopolitical conflicts in the world? How can developers make software and ecosystems more secure? 

Brian: I’m an optimist by nature! Although the current geopolitical situation seems complicated, it will eventually develop in a good direction. I am over fifty years old, and I have experienced the tense relations between the United States and Russia in the last century, good times and bad, and I understand the reason why things in the world are constantly changing. I hope to create a better world in this unstable situation, and I firmly believe that humanity will eventually be able to overcome our differences and work together to solve systemic problems - such as climate change, poverty and the Sustainable Development Goals. I have a seven-year-old daughter and I hope to leave her a better world. 

As the world pays more attention to security issues, and regions such as the United States and Europe begin to introduce new regulations aimed at improving software security, my biggest concern is that political factors may lead to certain countries being warned not to use software developed in China. I will try to resist this trend and emphasize that it doesn't matter where the software comes from; what really matters is educating people on how to write secure code.

Artificial intelligence will develop in a direction that is more beneficial to humans and safer, and will have a positive impact on ensuring the security of code. I am also looking forward to the future, and now is an exciting turning point .
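The chain-of-custody and SLSA provenance checks Brian describes earlier in the interview, as an added example that is not part of the interview and not code from the Sigstore or SLSA projects: a small Python policy check over a constructed SLSA v1 provenance statement in the in-toto Statement v1 layout. The artifact bytes, the builder ID (https://example.invalid/builders/hosted-ci@v1), the build type and the source repository URI are all hypothetical placeholders. The example assumes the signed DSSE envelope around the statement has already been verified (for instance with Sigstore's cosign); it checks only that the downloaded artifact's SHA-256 is listed as a subject, that the builder is on an allow-list, and that the build ran from the expected source repository at a specific ref.

```python
import hashlib
import json

IN_TOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"

# Constructed stand-in for a release tarball (example data, not a real release).
ARTIFACT = b"contents of example-project-1.2.3.tar.gz"

# Local policy: which builders we trust and which source repository a release must come from.
# Both values are hypothetical placeholders for this example.
TRUSTED_BUILDERS = {"https://example.invalid/builders/hosted-ci@v1"}
EXPECTED_SOURCE = "git+https://github.com/example/project"


def make_provenance(artifact: bytes, builder_id: str, source_ref: str) -> bytes:
    """Produce a constructed SLSA v1 provenance statement as JSON bytes.

    In a real pipeline the build system emits this and wraps it in a signed DSSE
    envelope; here it is generated locally only so the verifier below has input.
    """
    statement = {
        "_type": IN_TOTO_STATEMENT_V1,
        "subject": [
            {"name": "example-project-1.2.3.tar.gz",
             "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}
        ],
        "predicateType": SLSA_PROVENANCE_V1,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://example.invalid/build-types/container@v1",  # hypothetical
                "externalParameters": {"source": {"uri": source_ref}},
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }
    return json.dumps(statement).encode()


def verify_provenance(artifact: bytes, statement_json: bytes,
                      trusted_builders: set, expected_source: str) -> list:
    """Return a list of policy failures; an empty list means the artifact passes.

    Assumes the DSSE envelope signature has already been verified (e.g. with cosign);
    this only checks the statement's contents against local policy.
    """
    failures = []
    try:
        stmt = json.loads(statement_json)
    except ValueError:
        return ["provenance is not valid JSON"]
    if not isinstance(stmt, dict):
        return ["provenance is not a JSON object"]

    if stmt.get("_type") != IN_TOTO_STATEMENT_V1:
        failures.append("not an in-toto Statement v1")
    if stmt.get("predicateType") != SLSA_PROVENANCE_V1:
        failures.append("predicate is not SLSA provenance v1")

    # Chain of custody: the bytes we downloaded must be exactly what the builder attested to.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = stmt.get("subject") or []
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        failures.append("artifact sha256 is not among the attested subjects")

    predicate = stmt.get("predicate") or {}
    builder_id = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder_id not in trusted_builders:
        failures.append(f"untrusted builder: {builder_id!r}")

    # The build must have run from the repository we expect, at an explicit ref ("@...").
    source = (predicate.get("buildDefinition", {})
              .get("externalParameters", {}).get("source", {}).get("uri", ""))
    if not source.startswith(expected_source + "@"):
        failures.append(f"unexpected source: {source!r}")
    return failures


if __name__ == "__main__":
    tag = EXPECTED_SOURCE + "@refs/tags/v1.2.3"
    good = make_provenance(ARTIFACT, "https://example.invalid/builders/hosted-ci@v1", tag)
    print("genuine release:", verify_provenance(ARTIFACT, good, TRUSTED_BUILDERS, EXPECTED_SOURCE))
    print("tampered tarball:", verify_provenance(ARTIFACT + b"\x00", good, TRUSTED_BUILDERS, EXPECTED_SOURCE))
    rogue = make_provenance(ARTIFACT, "https://example.invalid/builders/laptop", tag)
    print("rogue builder:", verify_provenance(ARTIFACT, rogue, TRUSTED_BUILDERS, EXPECTED_SOURCE))
```

The digest check is what ties the downloaded bytes to the attestation, so a tarball swapped on the release website fails even if the provenance file itself is untouched; the builder allow-list is where an organisation encodes which build systems it considers trustworthy enough for its chosen SLSA level. In practice the statement bytes come out of a verified DSSE envelope, which is the step Sigstore tooling performs before any of these content checks are meaningful.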



Reprinted from: blog.csdn.net/fogdragon/article/details/132769743