EXCLUSIVE INTERVIEW

Keeping the Desktop Dream Alive: Q&A With Linux Foundation’s Jim Zemlin, Part 1

In 2007, Linux was heralded as the desktop of the future. However, the history of Linux on the desktop has been a story of strong support from a relatively small group of diehards but little real impact on the market as a whole. And by last year, there was even talk that the dream of the Linux desktop had been shattered.

What happened, and where is Linux going? LinuxInsider sat down with Linux Foundation Executive Director Jim Zemlin for an exclusive interview to get to the bottom of things.

LinuxInsider: Why is Linux not doing so well on front-end desktops and on laptops? Lack of content? Fragmentation of the Linux platform? The poor quality of drivers?

Or could it be the lack of a hub of some sort to coordinate Linux content development — perhaps a large company such as Microsoft or Apple, or an organization such as the Linux Foundation?

Jim Zemlin:

Let’s look at what we think of as the traditional desktop PC. Clearly Windows has a momentum that’s powerful, and platform confusion tends to happen in slow-moving albeit very powerful waves, but tsunamis are rare, although they do occur. So that momentum that Microsoft has had for years on the desktop continues to benefit them.

Having said that, what’s not benefiting Microsoft … is that desktop computing is starting to become less relevant, and the definition of such is changing more towards what’s probably better characterized or called “client computing.”

The thing people used to care about, and the reason they chose Windows, was because there was a huge number of applications available for the platform, so they had the inertia of having lots of installed users and that led to lots of applications users could use.

What users care about now from the applications perspective is the Internet. Their data, applications and services are meant to be utilized online, and that’s changed the nature of what we think of as desktop computing.

I suspect there’s an entire generation that will accept their smartphone, car, tablet, maybe a traditional PC that looks at all of these devices collectively as client computing because all of those modalities get them to what they truly care about, which is the data they have online, the information they may want to share with others, the music they want to stream.

That was most recently validated by Apple’s iCloud product and companies like Google, which has a search product and online mail and other services.

We’ve moved towards a services industry where the client that’s used to access services can be any one of a number of things.

Linux has become used in automobiles, smart connections, and has become the underpinning of a new form of computing. But clearly in the desktop space, Microsoft has hung on to its inertia, albeit that has been significantly encroached upon by Apple. In some sectors of technology, and in business computing where thin clients or specific desktops are needed, Linux has made its mark.

LIN: But the consumer is the key, and in that respect, Microsoft has the ground troops.

Zemlin:

Microsoft has made its money in two products, Windows and Microsoft Office. In terms of future operating systems, people aren’t betting on Windows. In fact, Microsoft stock hasn’t moved in over a decade, whereas competitors to Microsoft are moving up. I won’t dispute that Microsoft will continue making a massive amount of money off Windows and Office, but will it grow? The global community obviously doesn’t think so.

LIN: You can say that Microsoft has X share of the market and Apple has Y share, but when you say Linux has Z share of the market, you can’t point to any one company because there are so many. Linux is the underpinning of many desktop operating systems, and then there’s Android, but the market is very fragmented.

Zemlin:

That, I think, is an argument that perhaps Microsoft would have made a decade ago to criticize Linux in their traditional desktop market, but the reality is that today, computing is leaning towards a services model. We see that [fragmentation of the Linux market] as a strength — that Linux has multiple contenders.

The first thing you should know about Linux is that, at the kernel level, the component that manages the interfaces on the upper level software and the hardware in the operating system is not fragmented.

All operating systems based on Linux pull their primary code from the project hosted at the kernel.org website. This is where Linus Torvalds maintains and develops collectively the Linux kernel.

What you call fragmentation is that core kernel, which is a multibillion-dollar investment, and what people are doing is taking that and building products in the marketplace based on it, whether it’s Google Search, Android, Samsung TV, Facebook, a music service or the New York Stock Exchange.

You could characterize all these things as fragmentation, but I’d characterize that as an efficient market — in other words, the market is solving the problems today.

What’s important is that Linux as an underpinning can help all these different computing efforts get to market faster and cheaper and, most importantly, allow firms creating these products and services to own their own destiny because no one else controls that destiny.

Also, the price of building a phone is significantly dependent on software development, which is very expensive; and the timeline is short, so Linux is a great way to save money and to make money, because if you own your own platform, you can create your own services and charge for those services and not be dependent on a third party.

LIN: Are there any attempts to move Linux forward?

Zemlin:

I’d like to consider a more subtle argument than “Linux is fragmented, Microsoft is not.” The reality is that most applications people care about are accessed today through Web browsers and/or are native apps that access service on the Internet, whether that’s streaming music or any other variety of service, so that makes the operating system less important.

As the operating system becomes less important, being the free alternative, in other words, the place where people can collectively develop to reduce cost and bring innovation to the market, is a much better place to be because people will launch their services on top of Linux, as it’s the quickest and most effective means to bring products to market.

Keeping the Desktop Dream Alive: Q&A With Linux Foundation’s Jim Zemlin, Part 2

OSS NEWS

Google Debugs, JFrog Jumps Code, Confidential Kubernetes, Meta-PyTorch

As the open-source model continues to prove its sustainability in the enterprise, the software community is ramping up its security mindedness. That concern was evident in recent weeks as leading Linux groups led the way for better code security.

Google announced a new initiative to zero in on software vulnerabilities. Already a generous provider of patching incentives, the software developer upped the ante to encourage more researchers to submit troublesome code for cash.

Edgeless Systems made a striking open-source contribution, JFrog offered advancements in support of a more polished Rust Foundation, and Facebook, too, pushed the limits for Meta AI.

Google Offers Bug Bounty for Infected Open-Source Code

Google launched its Open Source Software Vulnerability Rewards Program (OSS VRP) at summer’s end to reward discoveries of vulnerabilities in Google’s open-source projects such as Golang, Angular, and Fuchsia. The program joins the bounty campaign Google started some 12 years ago.

Over time, the campaign expanded to include programs focused on Chrome, Android, and other areas. Collectively, these programs have rewarded more than 13,000 submissions, totaling over $38 million paid.

The addition of this new program addresses the ever more prevalent reality of rising supply chain compromises. Last year saw a 650% year-over-year increase in attacks targeting the open-source supply chain, including headliner incidents like Codecov and the Log4j vulnerability that showed the destructive potential of a single open-source vulnerability.

Google’s OSS VRP is part of a $10 billion commitment to improving cybersecurity, including securing the supply chain against these types of attacks for both Google’s users and open-source consumers worldwide.

“Securing open-source software and the broader software supply chain remains a top concern for security organizations globally. By leveraging the human intelligence of the researcher community, Google is showing that they are committed to ensuring its open-source projects are secure.

“This represents a great step being taken by a leader in OSS to ensure they are providing secure OSS components,” said Dave Gerry, chief operating officer at crowdsourced cybersecurity firm Bugcrowd.

How It Works

The top awards will go to vulnerabilities found in the most sensitive projects: Bazel, Angular, Golang, Protocol buffers, and Fuchsia. After the initial rollout, Google plans to expand this list.

Researchers must focus on discoveries that have the greatest impact on the supply chain. Targets include vulnerabilities leading to supply chain compromise, design issues causing product vulnerabilities, and other security issues such as sensitive or leaked credentials, weak passwords, or insecure installations.

Depending on the severity of the vulnerability and the project’s importance, rewards will range from $100 to $31,337. The larger amounts will also go to unusual or particularly interesting vulnerabilities, so creativity is encouraged.

See the program rules for more information. If a submission better suits another Google code-hunting campaign, Google will submit it to that VRP for you.

Also check the Patch Rewards program, which rewards security improvements to Google’s open-source projects, such as up to $20,000 for fuzzing integrations in OSS-Fuzz.

“OSS projects already have the advantage of having more eyes on the code, which leads to vulnerabilities often being found and fixed quickly. A bug bounty program like this will incentivize people to take a deeper look.

“Ideally, a program like this could expand outside of ‘sponsored’ projects with ties to large tech companies to help other vital, but not so well funded, OSS projects too,” said Mike Parkin, senior technical engineer at Vulcan Cyber, a SaaS provider for enterprise cyber risk remediation.

Industry Gets First Runtime-Encrypted Kubernetes as Open Source

Edgeless Systems on Sept. 13 released the first Confidential Kubernetes based on Confidential Computing. It is available for all users on GitHub.

The Constellation open-source project keeps Kubernetes clusters verifiably shielded from the underlying cloud infrastructure and encrypted end-to-end. Confidential Computing is a hardware-based technology that shields computer workloads from their environments and keeps data encrypted even during processing.

This development helps to meet a massive safety requirement as computing spans increasingly diverse environments. It helps enterprises and developers manage increasing security and compliance concerns. With Constellation being open-sourced, more Kubernetes users can secure all their data at rest, in transit, and now in use.

JFrog Adds to Rust’s Efforts To Root Out OSS Vulnerabilities

The open-source community is gaining traction in raising the security of code that runs in the vast majority of the world’s software, including proprietary programs.

JFrog, the Liquid Software company and creators of the JFrog DevOps Platform, on Sept. 13 announced a new initiative with the Rust Foundation, an independent non-profit organization that stewards the Rust programming language. The partnership focuses on identifying and eliminating threats to the Rust platform and ecosystem.

Starting immediately, the JFrog Security Research team will provide access to all information on known software vulnerabilities, ongoing threat research, and developer resources to proactively amend discovered platform issues and prevent emerging security vulnerabilities from having future impacts.

“Securing the software supply chain cannot be achieved with a one-time effort. It requires ongoing commitment, plus a multi-layered approach. We believe memory-safe languages play a big role in that plan,” said Stephen Chin, vice president of developer relations at JFrog.

“By working hand-in-hand with the Rust Foundation, we can ensure this cornerstone programming language remains a recommended best practice in the development of modern, secure software,” he added.

A study by Google indicated memory safety issues have represented almost the same proportion of security vulnerabilities designated as Common Vulnerabilities and Exposures (CVEs) for more than a decade. The Rust programming language, reportedly used by 2.2 million developers over the past two years, was designed from the ground up to be both memory-safe and high-performance.

This means the language does not allow code to access memory it is not permitted to access. This, in turn, significantly reduces developers’ ability to unknowingly introduce memory flaws that could make software written in the language insecure.

Thus, Rust has been identified as a “critical open-source software project” by the Open Source Security Foundation (OpenSSF) and granted support under the OpenSSF’s Alpha-Omega Project to help identify new and as-yet-undiscovered vulnerabilities to improve Rust’s security posture.

The inherent stability and performance of Rust, coupled with JFrog’s advanced security tools, research, and expertise, will help ensure the safety of the Rust language over time.

“I believe this investment will keep Rust safe, secure, and sustainable, enabling new use cases and wider industry adoption,” said Bec Rumbul, Executive Director, Rust Foundation.

PyTorch and Deep Learning Initiatives

Meta on Sept. 12 announced the PyTorch Foundation: A new era for the cutting-edge AI framework.

The pre-existing PyTorch organization is now the independent PyTorch Foundation under The Linux Foundation (LF) umbrella. The project joins LF with a diverse governing board comprised of representatives from AMD, Amazon Web Services, Google Cloud, Meta, Microsoft Azure, and Nvidia, with the intention to expand over time.

PyTorch Foundation will act as a steward for the technology and support PyTorch through conferences, training courses, and other initiatives. The goal is to drive the adoption of AI tooling by fostering and sustaining an ecosystem of open source, vendor-neutral projects with PyTorch. It will democratize state-of-the-art tools, libraries, and other components to make these innovations accessible to everyone.

In conjunction with this arrangement, LF the same day announced its Training & Certification community is introducing a new course, PyTorch and Deep Learning for Decision Makers (LFS116x). The content targets technical and non-technical individuals interested in understanding how deep learning and PyTorch can be used to create business value through the development and deployment of AI applications.

Visit The Linux Foundation for enrollment details.

Jack M. Germain

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics.
