Application Platform Strategies Blog

Blogger: Joe Niski

I’ve spent the last couple of days at the Open Source Business Conference, now in its seventh (or eighth) year. As far as I cold tell, the roughly 800 attendees were about evenly split between open source projects seeking funding, venture capitalists, and lawyers - but organizer Matt Asay said this year was notable for about 40% of attendees representing enterprise IT. This would indicate that enterprises are starting to get serious about understanding the implications of using free open source software (FOSS), and proactively managing it.

As a developer who’s used FOSS for over a decade and worked hard to get executive buy-in, I find this a very welcome indicator. As an industry analyst with a report on FOSS detection and governance tools due to publish in late April, I’m running to stand still regarding the evolution of FOSS business models and governance tools.

I learned of two governance resources that might not make it into my my upcoming report, both with heavy involvement from HP. The first is FOSSBazaar, an open community for sharing governance best practices. HP is a founding partner, along with Coverity, DLA Piper, Google, the Linux Foundation, Novell, Olliance Group, OpenLogic and SourceForge. HP has also released its internally-developed FOSSology detection and governance framework under the GPL (v2). Although there's something poetic about a FOSS solution for FOSS governance, as with all new projects, we'll need to wait and see how a community develops before forming an opinion on what FOSSology means for commercial vendors already in this solution space.

I also heard a few interesting data points. According to a survey of conference attendees conducted by North Bridge Venture Partners, there’s a strong belief that the current economic downturn will be good for FOSS in general – to quote a panelist, “the absence of money is good for innovation.” If anything, there’s some concern that a flood of poorly placed investments in FOSS-based startups could have a negative effect. I think this is good news for developers, users and enterprise IT.

Blogger: Anne Thomas Manes

Following closely on the heels of WSO2, MuleSource (the commercial entity behind Mule, the popular open source ESB) has released another RESTful open source registry/repository. This new product, called Galaxy, is a bit more feature complete and mature that the WSO2 repository.

Like the WSO2 repository, Galaxy treats each piece of information captured in the repository as an identified resource--i.e., a resource with a URI--which can be accessed and manipulated using the traditional HTTP verbs. The repository also supports remote access and notifications using the Atom Syndication Format (Atom) and the Atom Publishing Protocol (AtomPub).

Also like the WSO2 repository, Galaxy does not conform to the prevailing registry standard, UDDI, and therefore presents a bit of a challenge to organizations looking to use a registry to enable information exchange among heterogeneous SOA infrastructure components. Galaxy provides deep runtime integration with Mule and with the Apache CXF service platform, but connecting it with other ESBs and platforms (e.g., WebSphere, AquaLogic, Microsoft WCF) and with other management and mediation systems (e.g., XML gateways and SOA management systems) is left as an exercise for the implementor. REST makes that exercise relatively straight forward, but work is required.

At this point, three vendors provide fully RESTful repositories: MuleSource, WSO2, and HP Systinet. The IBM WSRR product also supports RESTful access to some of the entities in its repository. HP and IBM both support automatic synchronization between their repositories and a UDDI registry. The folks at MuleSource tell me that a similar synchronization feature is potentially on their roadmap, depending on customer demand.

Unfortunately, all four RESTful repositories use proprietary data models. It would be very helpful if these vendors got together to try and bang out some standards.

Blogger: Joe Niski

A big theme for my 2008 coverage of "all things SDLC" is what we measure, why we measure it, and how we measure. We all have hunches about where our development process does well, and what we could do better. Can we back up our hunches with hard data? Can we do it without a lot of manual data-capture overhead, i.e., without interfering with the process itself? To a large extent (the Heisenberg uncertainty principle aside), i'm convinced we can.

i won't go so far to repeat the old saw, "You can't manage what you can't measure." Rather, i prefer to rephrase it as "You can't improve what you don't measure." How do you measure project performance? Software quality? Developer productivity? What exactly do you mean by the things you measure?

Meanwhile, the fine folks at OpenLogic had a nice holiday gift for us quantitative wonks - the Open Source Census, a voluntary effort to catalog the use of open source "in the wild." If enough people behind the enterprise firewall participate, the whole industry could benefit from a reasonably valid snapshot of  open source utilization. Please consider participating - consider it a gift to the broad development community.

Blogger: Joe Niski

Now that I've had a few days to rest up and catch up after attending OSCON 2007 (my first), I can digest the experience and test whether I'm still as inspired as I was last week.

One could describe OSCON as a really good developers' conference, with plenty of technical breadth and depth. But it definitely had a sense of espirit de corps that I haven't encountered elsewhere. For all the talk of the free/open source movement "growing up" (it has in a number of ways), and for the increasing involvement (some would say "encroachment") of enterprise ISVs in open source projects, there's still a healthy amount of honest idealistic motivation in the FOSS world. The idealism may be a bit tempered by experience, and it may have reached a pragmatic coexistence with the realities of doing business, but it's still palpable and still has a valuable influence on the state of software, the development profession, and the expanding use of computing by humanity.

Eben Moglen (founder of the Software Freedom Law Center and counsel to the Free Software Foundation in drafting the just-released GPL v.3) was more articulate than anyone else I've encountered in expressing the complex and dynamic tensions between freedom and commerce; between the rights of software developers, publishers and users; and between individualism and community.

Much was blogged last week about Moglen's spirited conversation with Tim O'Reilly during an all-day "executive briefing" session (here, here, and here, among other places). But Moglen's most insightful remarks were presented in a talk titled "More Than Licenses: The Legal Policy of the Free World in the Age of Web 2.0." Despite a healthy dose of what some might describe as "freedom-fighter rhetoric," Moglen's talk was a balanced assessment of the legal and political landscape, both inside and outside FOSS communities. He also waxed poetic about the larger accomplishments of the FOSS movement while exhorting the audience to continue maturing. What I appreciated most was his ability to place the FOSS movement and the development profession in a much larger context.

The text of his talk isn't available on the OSCON site, but I gleaned a few points and a couple of quotes. Here are minimally-edited excerpts from my notes (I typed furiously throughout the talk, and take responsibility for any inaccuracies):

The effects of community the and "network effect" in creating the Web 2.0 phenomenon were presaged beginning over 20 years ago by open source software projects. Today the FOSS community is stronger than ever; the FOSS development, distribution, and licensing model is well-enough established to be under no substantial legal or commercial threats. But it's not completely out of the woods - "..our problem is not with some failing monopolist; our problem is with the uncertain state of patent reform in this country (the USA)."

"We (FOSS communities) spend little money and earn little money - though we earn money for the companies around us - and we spend no money on lawsuits... The communities are working with an absence of friction that should be the envy of the industrialized world... our efforts are being used to benefit just about everyone around the world... we are the best example the world has to show of how the reduction of barbed wire can benefit business and society."

"...and yet many still characterize us/you as geeks who don't understand politics! ...we have to be aware that this is a political achievement... we should understand that we have built a republic, and what it means to keep it."

FOSS communities are examples of Emersonian meritocracy - rooted in the larger (Western) values of individual achievement, freedom to reinvent ourselves, and so forth - one's status depends on the answer to "what have you done?" This inevitably leans toward libertarianism, and emphasis on individual rights, which has an odd tension with the idea of community.

"Institutions of equalization" are essential as more capital/wealth moves into the FOSS republic - the most important of these is accessibility to each other, as exemplified by email (despite all its problems). For such a "peaceable republic", the OSS communities are notoriously undemocratic - no elections! The leadership of meritocracy needs to evolve to an elected leadership model. "...attach the people's power, collectively, to the people who lead them. ...to legitimize the leadership over time."

blogger: Joe Niski

Living in Portland, Oregon, I often see news regarding commercial involvement in open source software, Linux, Linus Torvalds (currently a Portland resident), and the Open Source Development Labs (OSDL) in the business section of the local paper before I see it online. Such was the case with former OSDL CEO Stuart Cohen's announcement of first-round funding for the Collaborative Software Initiative earlier this week. By late Thursday, online reports had no more depth than the Tuesday Oregonian’s business section.

Briefly, CSI intends to build software for vertical markets using an open source development model, possibly releasing it under a to-be-determined open source license. The idea is to provide functionality that's necessary (e.g., to meet regulatory requirements or industry standards) but likely won’t provide competitive advantage to any company using it. CSI defines collaborative software as “software developed or acquired by a variety of like-minded companies at a fraction of internal development or outsourcing costs.”

Having recently spent several years as a software architect for a large bank, and seeing the enterprise fire drills surrounding Sarbanes-Oxley and the Payment Card Industry Data Security Standards, I find CSI's concept really compelling.

From the perspective of software architecture, Burton Group considers “infrastructure” as “everything but business logic.” The easily understood examples are common functions such as authentication and authorization. Extracting infrastructure logic from applications and making it available via common APIs, frameworks, or services can save money, improve consistency, and allow application developers to focus on business functionality rather than “plumbing.”

Compliance functions fit this definition of infrastructure - the key difference is that they're not as universal as auth & auth, but are industry-specific. They have little business value in terms of differentiating a company's products and services - they're a cost of doing business. In banking (in which operating margins can be tight as for retail groceries), the costs of compliance are significant. Individual companies have much to gain by lowering the cost and assuring the quality of reusable software that helps them meet government and industry standards. CSI seems to be proposing a hybrid of collaborative open source development and outsourcing. Ideally, participating companies could have the visibility and input of an open source project, without taking on the overhead of managing it completely, and without the risk of vendor lock-in.

I’d love to see CSI succeed for a number of reasons, but primarily because they’re exploring a different business model for software development. It’s a way of responding to real business needs. It brings the open source development model up the software stack, from the operating system and generic application framework into the lower reaches of the business layer. It points toward a way of making a business of open source development, as opposed to selling support.

And it’s a welcome contrast to big vendors throwing their resources behind open-source projects to influence the competitive landscape, or open-sourcing their existing products and technologies to gain or retain developer mindshare. It has potential to get competitors within a vertical market to cooperate in their own interest.

CSI's announcement also serves as a reminder that many of us in the IT biz assume “open source” includes “free” - we shouldn't assume anything.