OpenSSF Day at Open Source Summit North America - Fireside Chat with Brian Behlendorf, OSSF & Jamie Thomas, IBM
Brian: Okay, well, welcome back everybody! Hopefully you all are refreshed and snacked and ready for the final push. I'm Brian Behlendorf, I'll be your MC for this kind of closing session. We'll have some closing comments from Probe later. All right, we're gonna do this in two parts: the first is I'm going to have a fireside chat with Jamie Thomas here from IBM, and then after that we'll have a panel with a set of really great guests. But I certainly encourage all of you who are sitting out in the bleachers and the far-off kind of corners, feel free to come in closer. We don't bite, and being closer in... We don't have stuff to present or anything like that, so feel free to come in and make it feel like we're talking to a nice full room. Thank you all for sticking it out.

So it is my pleasure to introduce to you Jamie Thomas. Jamie is the chair of the OpenSSF governing board. She also oversees all of enterprise security for IBM, and she has been a part of this project since we pressed the reboot button in October or September. Sorry. And I got things underway, and I thought it'd be really fun to help the audience get to know more both about you and kind of your work at IBM, and kind of the interest that led you to this point, and frankly what, you know, the corporate world, so to speak, thinks about what we're doing and what we should be doing as we go through this. So thank you for being here.
Jamie: Sure, and one of my favorite topics, of course, is women in STEM, which we all know there's not enough of, so thanks to all of you that are here. But I try to encourage ladies that there's a lot of opportunity in this field and it's really fascinating. I joined as a computer science programmer in IBM before we had a... really, we were just starting our software business. It ended up being a 20 billion dollar business in the end, you know, so it grew a little bit. And along the way I worked on application development projects, was part of the Eclipse decision to donate the original software to the Eclipse Foundation and start the Eclipse Foundation, did a lot of work with our support of Linux in the early days when we decided fundamentally that we would embrace Linux, that we would support Linux as a key operating system, and obviously those were the days where we were also embracing Java quite a bit. So Java is a key middleware component.

Of course, you know, hardware does not run without software, last time we checked, and we were working on OpenStack technologies, Linux again, a lot of the software-defined technologies, and through that path I ended up owning, which is what I own today, in addition to enterprise security, all the IBM processor development and the systems development that support our high-end systems: Z, Power and quantum computing systems. In addition to my night job as enterprise security, if things were not exciting enough. But those topics all kind of fit together, if you think about it.
Brian: Yeah, no, I mean certainly quantum and AI and even processors, like, there are security ramifications throughout all of that. What would you say, though, is kind of different about cybersecurity in 2022 compared to five years ago, 10 years ago, and especially kind of in the domain that we're focused on?
Jamie: Well, I would say, first of all, my journey to get into enterprise security was really through the lens of product security, whether that was software product security or hardware product security. If any of you are here from a hardware background, Spectre and Meltdown was pretty exciting, and that was also the precursor to, you know, the software supply chain attacks like SolarWinds and things like that. And I think what's different now is that you do have to have, for an enterprise like IBM, an effective melding of cyber operations with product security. I mean, they go hand in hand, given the role that we play; they're both very important. And the level of sophistication of these software supply chain attacks, I think, was eye-opening. I'm sure that many of you all here... and first of all, thanks for being here and devoting yourselves to software security, because without you we're not going to make a difference. But SolarWinds was fairly interesting from a number of dimensions, right. We've studied it. You know, we took it apart. We've got a PhD in SolarWinds, and I would say that we took away a lot of learnings from that that we started to implement even before Log4j hit. And Log4j was just more prevalent, right, because it was a very prevalently used component and therefore it affected... Not only was it a cyber attack, right, because for any of those of you that do cyber operations, you can see at some point early on. We had instrumented, like day one, our tools to detect Log4j attacks, and we could see exactly how many we were getting every day and from where they were coming, literally, you know, which country of origin, that kind of thing. But these were very different attacks, and of course Log4j was very prevalent in the software stack, and so patching that much software in a reasonable amount of time and meeting the expectations of all the customers was fairly challenging.

So I think that then became a catalyst for all of us in the industry to say, how do we be more proactive about this? How do we help open source prevent these kinds of things in the future, but, more importantly, be prepared should they happen again in the future, right? Because Log4j, I don't know about you all, but it took up a little bit of our holiday season, as did SolarWinds the previous year. So, yeah.
Brian: And what about the degree of interest that we're seeing from government in cybersecurity topics these days, and open source cybersecurity? Is this new and different, or...?
Jamie: Thanks for bringing that up. Of course it is new. I mean, the government's always been interested, but I would say the level of interest, of course, was heightened because, as I think, it really started to heighten with SolarWinds, and then Log4j was like the icing on the cake, right. And what it said is that we, as an industry, need to cooperate more fully to conquer this challenge. Without that cross-industry collaboration we weren't going to make as much progress, and that included cooperation with the government as well. And so I think that's been the beauty of OpenSSF: we now have this industry collaborative for technology organizations as well as commercial organizations. We have a lot of financial firms that are also involved in the community, and I think that's going to allow us to work with the government. And of course we had the two meetings that you highlighted earlier in the presentation; we've come out of those meetings, I think, with some very concrete actions that we can take. We also can see that other countries around the world will also want to do similar things, and we at IBM are being asked to participate on other government boards of a similar nature in other countries. Yeah.
Brian: No, I mean, so in 2009, when I worked at the White House in the Office of Science and Technology Policy, I don't think there was anybody else in the executive branch, either appointee or career, who had been a developer or who had, you know, engaged with the open source community previously. And to them, software was like something other people did, right, something that the private sector did. One of many people that I've met in the last year who kind of demonstrate the difference in this: just before our meeting as well, on the 12th, on the 11th, I testified to this House panel, the House Committee on Science and Technology, who are also looking into this. It's not just the White House and executive branch, and I find that there were Congresspeople who were themselves programmers or recent... It was, although one was still surprised when I mentioned I'd rather use open source code that had had bugs discovered in it and fixed, of course, right. Because I think it was Congressman Perlmutter who said, you'd rather use software that had bugs in it? And I was like, bugs that had been found and fixed; that means people cared about it.
Jamie: I think it's right that there's been this dialogue, right, and understanding, and a lot of really solid collaboration from the National Security Council, CISA, the NIST folks that have been in the meetings. I think that as a community we all have our different points of view. IBM's a little bit unique in that we have lived for 111 years in the technology industry, which is hard to do, and so we have a lot of legacy out there which others may not have.
Brian: Well, I think also we've progressed from open source being seen as, like, the thing to build websites with, and do this kind of almost, I don't want to say frivolous, but something that was optional, perhaps, until recently, right. And now it's really about critical infrastructure, if it's about the software running in grids and power stations and the like. Absolutely. Given how critical it is now, and given David's presentation on cybersecurity education, I mean, this is something that you see as a very, very serious thing worthy of investment. Do you mind talking some more about that?
Jamie: Well, absolutely. So we believe... and just this morning I got a report. Every day I get a multi-page cybersecurity report in terms of just what happened in the last week, and that's along with regular cyber reports of the day and, of course, sadly, the Russia report that I get. But, you know, 750,000 open cyber jobs in the United States, cybersecurity jobs. So how are we ever going to start to meet the need of that if we don't really expand the aperture of education? So IBM has done a number of things to reach out to different communities, right. That includes the historically black colleges and universities. We've selected 20, and we've announced six so far, that we're creating specialized portals for cyber education, and we'd really like to partner with the Linux Foundation for some of the education that David spoke about, right. It's really exciting. How do we get that into that community, into that university and college sector? So the one that I like the most, of course, because I'm from North Carolina, is North Carolina A&T, but there's also Southern University, Xavier out of Louisiana, Morgan State, Clark Atlanta University, a number of others that are participating. I think this is important.

We also have a program to reach veterans; there's 250,000 individuals that, you know, come out of the Armed Forces. So how do we work with Veterans Affairs to reach that community? And then how do we reach those with neurodiversity? All of us have relatives or friends that have neurodiversity challenges: dyslexia, perhaps autism, and other things. Very important to expand, and I've got members on my team that are neurodiverse folks that are executives and have done amazing things. So I really feel excited about that, and so I think we have to expand the reach. I have so many organizations that come to IBM. They say, we can't hire a single person. We cannot afford to hire anyone with security skills, so we don't even know where to go. We don't even know where to start. There's an opportunity for all of us to create those skills and to leverage the education you all are doing. In fact, we saw your announcement already today. We want to leverage that education for IBM internal, to complement our cyber training. So we track cyber training to the death. We are trying to make sure that people don't do those silly things that David talked about. That's why you have automated tools, cyber tools that detect the crazy behavior that does happen every day, because you can't train everybody, but you try to, right. But along with that, this developer training, I think, is going to be really important going forward.

The other thing we really feel is that contribution to open source is something we have to do. We have over 5,000 contributors between what IBM has and what Red Hat has, because Red Hat is an IBM company, albeit they're separate. And we also believe that, with Log4j, we went back and we looked at our most utilized open source projects, and we did an assessment of contributors on those projects, and we realized we had to contribute to the most utilized projects as well as to the cool projects.
Brian: That's great, that's great! So you're chair of the OpenSSF governing board, and for those of you who don't know how the kind of typical Linux Foundation governance model works: obviously, all the actual substance of what we do is built in the public, built voluntarily. Sometimes we're able to provide some seed funding for things here to help get them started, but really we want the application of things happening publicly and being driven bottoms-up, organically, based on, you know, the phrase from The West Wing television show, "history is made by those who show up," which has always been like one of my guiding lights. But what the governing board does is oversee a budget, right. We're able to raise some funds; we're now at enough membership to be able to afford some staff, be able to make some investments in things, and it's through that kind of oversight on the budget and us as staff (you know, you could tell us we're not doing a good job and swap us out) that you, you know, have some influence over the strategy and direction for the overall community. But it's really to help support the community, and we have on our governing board... I don't want to say, well, it's not every large company, but it's a lot of the large companies that matter in the software and the developer tools space, increasingly financial services firms and the like. As your servant, I work for you, right. I have opinions that I might hold to myself, but it sometimes feels like helping that group come to an agreement can be a challenge, right, or look at kind of a common direction. So as chair, what are some thoughts that you have on bringing that community around a common vision and working together towards supporting the community?
Jamie: Well, I think whenever you have a group of stakeholders like that, it will be impossible to agree on everything, right. But what I have seen is relative agreement on these top priority items. I thought the meeting that we had in DC helped me understand why some of them were more important to others than they were to me. So I took away that level of understanding. We probably were, you know, we were perhaps not at the table as much as we needed to be. We also, of course, collaborate with Red Hat, who are very involved in Sigstore and things like that, to make sure we're dividing and conquering as it makes sense, right. But I think that's the value that we can get together as this community.

You've talked in this meeting about a lot of the important actions, right, which is the automation of best practices for the open source projects to make sure the developers can take advantage and be responsible for security, but also have productivity, because we can recognize the productivity that open source has brought to the world. But how do we do that and still have security? The only good thing that came out of Log4j is an enormous amount of awareness of how important security is to everybody. My team that does cybersecurity, they believe that, fundamentally, until there's a big incident, you just don't get enough attention, so they believe that Log4j was the calling card, right. That said, we have to do something dramatically different as a community, and I think it's been a catalyst, perhaps an unfortunate catalyst, but a catalyst, and I think we can go from there and take advantage of that situation and improve things going forward. It's going to be so important to us, because the world runs on software. It's sometimes obscure what software you're running underneath the hood. I agree that the end client should not have to worry about that. Those of us that provide the software to them and support it, you know, it's our obligation to take the burden of security and making sure that the software is designed with security in mind, and you can do different things; you can implement the things we've talked about.
Brian: In OpenSSF, not just showing up and joining as a member, but also making code contributions and participating strategically; we'll talk a little bit about this on the next panel. But what are some other industries? This is kind of a wild card, sorry, I didn't like prep you on this. What are some other industries, and I'll give you the two on my mind after I hear yours, but are there other industries that you think might be next in line, as kind of end-user industries, as folks who should be paying attention to these issues, potentially having their staffs get involved and following what we're doing, and perhaps even contribute?
Jamie: Well, clearly I'm really glad that the financial services teams are engaged, because during Log4j I think I spent five hours a day talking with financial services organizations, right, literally. It was because regulated industries are typically the most concerned about these things, but that's a statement in and of itself. Why do you have to be regulated to necessarily be worried about this? But next I would say on the list was health care. Okay, so healthcare organizations, through my lens, the most affected organizations around the world typically are hospitals, for ransomware, and you saw this a lot during COVID-19, where a lot of healthcare organizations were being attacked, right. So health care, insurers of health care, another big important area for us. And then the area that is most of a target that needs to step up to the plate... And when you have a case like that, when it's inside this 200,000, whatever it is, right, you have to take different steps and protocols to make sure you protect yourself until that is upgraded, right; you're not going to just throw out equipment of that value tomorrow. But it is really critical, I think, that those organizations step up to the plate.
Brian: Right, yeah, consumer electronics, embedded industrial, all those make a ton of sense. The only other industry in my mind was the insurance industry, because all those companies that write cybersecurity breach insurance policies, you know, getting them to nudge their clients to use more secure alternatives and the like could be a way to help encourage investment in the right kind.
Jamie: Well, certainly they started to increase the premiums, right, because I think it was the pipeline, with the Colonial Pipeline situation. And I'm in North Carolina, and all I can say is my cyber team sent me a note that day: pipelines have been attacked. We all went out and got gasoline. Now people say, well, you're part of the problem; you went and got gas when you didn't need it. I said, well, I was here for the last hurricane that shut down that pipeline and I sat in line for seven hours. I don't have the time to do that right now, so this pipeline is going to be down for seven days, and I've got my gas and I made my choice. But that's how long it was down, right, because that's the average length of time that those typically take. That's an example of, you know, one of those situations, right, that was very critical.
Brian: My last question would be: what do you think is the most important thing for us as a community to figure out how to do by the end of this year, just to get accomplished, even if it's something we haven't yet talked about, even if it's kind of a wild card? Just, like, one important thing for us to get out there and succeed at doing.
Jamie: Well, I don't know if we could say that one thing is going to make or break the year, but certainly making a lot of headway in the education aspect, because we're not going to do this without thousands of developers who feel that they're being recognized, and that security is important, and that it's fun to be a part of security, right. I actually, in a strange way, have a lot of fun with cyber attacks. I mean, that probably has said something, you know, odd, but you learn a lot from these things, right. And I think that's really imperative, that we marshal the army of thousands of contributors that can make a difference, and then that army will help us do many of the other things that we've been speaking about today.
Brian: Well, my dad was a COBOL programmer at IBM when I was growing up, and he would take me into the computer lab in the basement of the Glendale office, and he would give me a green screen, a terminal to it. I don't know what he was thinking, because I knew how to write BASIC, and there's this one address I could poke and cause them to have to come out of his office and press reboot buttons on the mainframe. So I understand that... Mainframe? No, no, they're not. So I understand why this kind of vulnerability thing and cyber attacking could be a little bit interesting; it certainly was to eight-year-old me. So thank you very much, Jamie. This was a really enlightening talk.