opensource.google.com

Menu

Posts from November 2019

Google and Pixar add Draco Compression to Universal Scene Description (USD) Format

Monday, November 25, 2019

Google and Pixar have collaborated to add Draco compression to USD files to enable significantly smaller meshes for transmission, and real-time asset delivery on the web or in mobile applications.

Draco is an open source compression library to improve the storage and transmission of 3D assets—including compressing points, connectivity information, texture coordinates, color information, normals and any other attributes associated with geometry.

With Draco, applications can present complex 3D assets to the user much more quickly without compromising visual fidelity. For users this means apps can now be downloaded faster, 3D graphics can load quicker, and transmitted over any type of network, regardless of bandwidth.

USD addresses the need to robustly and scalably interchange and augment arbitrary 3D scenes that may be composed from many models and animations. USD also enables assembly and organization of any number of assets into virtual sets, scenes, and shots, transmit them from application to application, and non-destructively edit them (as overrides), with a single, consistent API, in a single scenegraph. USD provides a rich toolset for reading, writing, editing, and rapidly previewing 3D geometry and shading.

We tested Draco compression performance on a representative set of of USD objects and found that Draco on average compressed objects by more than 15X. On a typical 4G network, these assets would load 2.5X faster, all while using less of your users’ data plan.

Public Domain model Kore dressed in chiton and cape from SMK National Gallery of Denmark compressed 15X with Draco. 

Compressing USD objects with Draco enables a wide range of use cases moving forward, especially when delivering run-time assets to consumer devices. Anything from 3D commerce to complex AR scenes can benefit from reduced data requirements and quicker time to launch.

We look forward to seeing what people do with this combination of Draco compression and USD format. Check out the code on GitHub and let us know what you think and how you plan to use it!

By F. Sebastian Grassia, Pixar and Jamieson Brettle, Chrome Media

Why Google’s Celebrating at KubeCon

Monday, November 18, 2019



It's hard to believe it was just five years ago Googlers decided to open up Kubernetes to the world, partnering with Red Hat, and eventually many others, to build a community that would reshape the world of infrastructure. Kubernetes' impact has been accelerated by an incredible 35,000 contributors, who give their time to make the project a cornerstone of cloud native computing, and the center of three huge events a year around the world.

No surprise then that we're excited to be at KubeCon + CloudNativeCon North America 2019 in San Diego: to celebrate Kubernetes, plus a constellation of other open source projects. You can meet leaders from these projects at the Google Cloud Community Lounge, part of Google's numerous activities at KubeCon + CloudNativeCon.

Happy Birthday, Go!

First of all, let's take a moment to celebrate the project that started it all, and wish the Go programming language a happy 10th birthday! As Kubernetes co-founder Joe Beda pointed out in 2014, Go is "Goldilocks for system software", and has been foundational to Kubernetes' success.
Since Kubernetes' adoption of Go, it has become known as the language of the cloud. Most of the projects you'll see this year at KubeCon are built with, or are compatible with, Go. And the Go community is a vibrant ecosystem in its own right: over the last ten years it has grown to see over 20 conferences a year, as well as 2,100 contributors. Read more about the history and evolution of Go in these 10th birthday blog posts from Russ Cox and Steve Francia.

Come join us in celebrating Go's birthday during the booth crawl, from 6.40pm to close on Tuesday November 19! Sweet treats will be served, meet with some of the Go team and other enthusiasts.

Google Open Source At KubeCon



KubeCon is a great chance to learn about the many open source projects that Google has founded or contributes to, and meet face-to-face with our engineers and community leaders. We want to hear about your use cases, meet with contributors (aspiring or experienced!), and connect with the whole community. Google's participation in the conference is not limited to technical talks. In fact, we sponsor and participate in many important community gatherings like the Diversity Lunch+Hack, and project governance like the Steering Committee and Technical Oversight Committee. We recognize and care about fostering a healthy, inclusive environment that extends far beyond just technology concerns.

Of course, Kubernetes is at the center of the conference. And, Google is deeply committed to the Kubernetes ecosystem, including creating and contributing to sub-projects such as kubebuilder, kustomize, KIND, and krew, as well as building testing infrastructure and fostering a community that inspires the whole world of open source. We're still here and still trailblazing. Come and talk with us at the community lounge, attend our talks and tutorials throughout the week, and drop in on hallway discussions galore!

gRPC, developed at Google and donated to CNCF, is a modern, open source, high-performance RPC framework that can run in any environment. Use gRPC to efficiently connect services in and across data centers with pluggable support for load balancing, tracing, health checking and authentication. Meet some of the gRPC maintainers, connect with the community, and pick up the latest limited edition PanCakes sticker at the Community Lounge on Wednesday!

Knative is an open source serverless platform hosted on Kubernetes. It abstracts away much of the complexity, allowing developers to focus on their code and build highly scalable, secure stateless applications. Knative codifies the best practices shared by successful real-world implementations, and solves the "boring but difficult" parts of deploying and managing cloud native services on Kubernetes.

Knative recently cut their 10th release of the project, providing a stable v1 API for the serving project, and additional work to enable production-readiness. Meet some of the maintainers and learn more about Knative in a hands-on workshop on the Monday November 18.

Istio is an open source service mesh, providing observability, control and security over communication in a distributed application -- running on Kubernetes or on VMs. Started in 2017 by Google and IBM, and reaching 1.0 in 2018, Istio has developed a vibrant community. Over the last 12 months, more than 600 developers from across 125+ companies have committed PRs! GitHub acknowledged this recently, reporting that Istio is in the top 4 of all projects across GitHub for contributor growth for committed PRs! The most recent quarterly release was Istio 1.4, which featured scalability and performance improvements as well as greatly improved experience for getting started.

Kubeflow is dedicated to making deployments of machine learning (ML) workflows on Kubernetes simple, portable and scalable. The community is building a powerful development experience for data scientists to build, train and deploy from notebooks, as well as the enterprise capabilities ML operations teams rely on to deploy and scale advanced workflows in a variety of infrastructures. The Kubeflow project is supported by 180+ contributors from 25+ organizations.

Kubeflow just released v0.7, featuring beta functionality for the Kubeflow 1.0 release, expected in early 2020. Learn how Kubeflow is being used and built in the 17+ talks featuring the project in the Machine Learning + Data track. If you're getting started, attend our Kubeflow OSS Hands-On Workshop on November 18, 1-3pm. Connect with the Kubeflow maintainers attending KubeCon by following @kubeflow.

Agones is an open source, multiplayer-dedicated, game server scaling and orchestration platform built for Kubernetes. Google founded the project in early 2018, along with Ubisoft, and recently Agones reached its 1.0 release milestone. It is being used in production for several games, with more to come!

If you're a game developer or just interested in non-traditional Kubernetes workloads, please join us for a workshop on Monday November 18, where we'll combine forces with our sibling project Open Match to turn a Kubernetes cluster into a game services backend. We're very excited about the future of open source and game development, and invite you to join us Tuesday morning in the Google Cloud Community Lounge for an open source in gaming meetup!

Krew makes it easy to discover and install kubectl plugins. Initially developed at Google, and now a Kubernetes subproject, over 60 open source kubectl plugins are distributed through Krew, and can be installed with a single command. Learn more in our breakout session, and come and talk about Krew in a Community Lounge Q&A session.

KIND makes it easy and cheap to test Kubernetes locally with Docker container "nodes". Started in the Kubernetes SIG-Testing group, this project has flourished and is now used for testing Kubernetes Pull Requests and many subprojects in the ecosystem including kubeadm, CSI, Istio, and Cluster API. KIND v0.6.0 will release before KubeCon, and the team will be presenting a deep dive and running a workshop on contributing to Kubernetes using KIND.

Envoy is a fundamental building block of service mesh architectures, providing a programmable data plane for services. Service mesh helps deploy multi-cloud applications and microservices at scale, by decoupling applications from networking, and service development from operations. Google is a lead contributor to the Envoy project, a critical part of Google Cloud's enterprise-grade service mesh products such as Anthos Service Mesh, Traffic Director and L7 ILB. We are excited to be a sponsor for EnvoyCon on Monday November 18, and would love for you to join us for an intro to Envoy on Thursday November 21.

OpenTelemetry provides the best way to capture metrics and distributed traces from your applications. Google is one of the founders of OpenTelemetry, and the community has grown to include most major monitoring, APM, and cloud vendors. OpenTelemetry is fully supported by the Google Cloud Platform and Stackdriver. Hear more about OpenTelemetry in the KubeCon keynotes, and go deeper in the overview and advanced breakout sessions.

Tekton defines reusable building blocks on Kubernetes for Cloud Native CI/CD. In March Tekton was donated to the CDF (the Continuous Delivery Foundation), and is being developed in collaboration with companies such as Red Hat, IBM, Cloudbees and other friends.

With the first release of Tekton Triggers and Tekton Pipelines, it's now possible to create an entire bespoke CI/CD system from scratch! Hear more about Tekton at the Continuous Delivery Summit on Monday, and catch the breakout sessions Mario's Adventures in Tekton Land and Russian Doll: Extending Containers with Nested Processes. Meet the Tekton maintainers at the Google Cloud Community Lounge on Thursday November 21 from 12.30-2.25pm, and follow @tektoncd for updates during the conference!

gVisor is a container-native sandbox for defense-in-depth anywhere. It provides a per-sandbox user-space kernel to improve isolation and mitigate privilege escalation vulnerabilities. gVisor integrates with Kubernetes and other container orchestration systems, while preserving the portability and resource efficiency of containers. Connect with the gVisor team in the Google Cloud Community Lounge during the Cloud Native Security meetup from 3.55-4.25pm on Thursday November 21.

Skaffold is a tool from Google that speeds up the feedback loop (build, tag, push, deploy) when developing applications on Kubernetes. Using Skaffold, you create a configuration for your project, and on every source code change Skaffold builds the images, deploys the app, abd starts tailing logs from pods and forwarding ports. For continuous delivery pipelines Skaffold provides a one-off deployment, with the ability to wait for health-checks. Skaffold is now GA, and Patrick Flynn and Balint Pato are available to chat about Skaffold and the Kubernetes Developer Experience from 4-5pm on Tuesday November 19, at the Google Cloud Community Lounge.

Additionally, join us for a breakout session on Binary Authorization in Kubernetes, which brings together Grafeas, an artifact metadata API for software supply chains, and Kritis, a deploy-time policy enforcer for Kubernetes applications.

We're excited to meet with so many users, friends, and fellow contributors at KubeCon, and hope you can join us in our talks and the Google Cloud Community Lounge.

Still can't get enough?

If you're interested in keeping up with the Kubernetes ecosystem, including all the news from KubeCon, subscribe to the Kubernetes Podcast from Google. Every week we release an episode covering news from the community, and in-depth interviews with leaders from the Kubernetes and cloud native ecosystem. Subscribe via your favorite podcast platform.

Knative governance update from the steering committee

Thursday, November 14, 2019

Open source collaboration exemplifies the best aspects of contributors and companies uniting to solve difficult technical problems. And, at Google, we support thousands of projects, each with their own unique communities and challenges. Recently, the Knative Steering Committee came together to write a letter that distills this ethos, and we wanted to share it with you here.

***

Dear Knative Community,

Since the previous announcement on Knative ownership and stewardship, we’ve heard a lot of feedback from you, and the ecosystem at large. As a Steering Committee, our primary job is guiding the long-term success of the project, and this really means your success building great things with Knative. 

In order to accomplish that important goal, it requires everyone involved to be aligned on our values, what it means to be an active contributor, how you build progressive trust and responsibility, and fundamentally how we work together to build that success. The Kubernetes project explicitly defined these, and for us as a governing body, they strongly resonate. We will work to construct similar values and vet them across our community.

Trust is the heart of open source. And, clear governance is a means of building and maintaining that trust. It also provides clear signal to future contributors that joining the community is a good bet, and that everyone is visibly working toward the same goals. While there are always differences in approaches and ideas, the power of the community is its ability to collectively reconcile for the benefit of our user community first and foremost. This project is bigger than any one company or individual.

These aspirations are not enough. They will require rethinking how we structure project governance. The overarching goals of the project's governance will be:
    • Create a clear and documented contributor ladder that recognizes both code and non-code contributions as valuable, and provides a means to obtain membership in governance bodies like the Technical Oversight Committee and Steering Committee based on those contributions.
    • Allow the Steering Committee to oversee the usage and implementation of the Knative trademark, with the intent of limiting confusion for adopters, and providing assurances of implementation consistency. Google will provide the Steering Committee with a legal escalation path for enforcement when needed.
    • Widen the contributor community to include additional vendors, end-users, and ecosystem stakeholders such that fair, representational governance organically prevents any one vendor from having a majority in any part of the project. To be clear, no one company should aspire to control outcomes, as that is inherently in conflict with the goal of community stewardship. Committee representation must be a reflection of the diversity of contributors, and also allocated fairly based on the people doing the work. This is of course a delicate balance, but one we intend to solve with community input.
    • Develop the governance documents, community feedback, required tooling for metrics collection, and whatever else is necessary to enact these changes. Because the community we have now is ideally a small subset of the community we aspire to see in a year, we will target a one-year transition period to the new governance we define, similar to how the Kubernetes project moved from a bootstrap committee and charter to the new community-driven model. Building consensus is a painstaking process, so it is important to allocate enough time for all voices to be heard.
The most important takeaway here is that we are working together on this, and will do so with community input, in an inclusive way. This is the beginning of the process, and we want to go back to our roots and focus on the problems we are trying to solve for adopters of our work. Let's take this moment and rejoin our efforts to do great things together.

Respectfully yours,

Michael Behrendt (IBM), Brenda Chan (Pivotal), Paul Morie (Red Hat), Jaice Singer DuMars (Google), Ryan Gregg (Google), Donna Malayeri (Google), Tomas Isdal (Google)

Members, Knative Steering Committee


Improving Developer Experience for Writing Structured Data

Though we’re still waiting on the full materialization of the promise of the Semantic Web, search engines—including Google—are heavy consumers of structured data on the web through Schema.org. In 2015, pages with Schema.org markup accounted for 31.3% of the web. Among SEO communities, interest in Schema.org and structured data has been on the rise in recent years.

Yet, as the use of structured data continues to grow, the developer experience in authoring pieces of structured data remains spotty. I ran into this as I was trying to write my own snippets of JSON-LD. It turns out, the state-of-the-art way of writing JSON-LD is to: read the Schema.org reference; try writing a JSON literal on your own; when you think you’re done, paste the JSON into a validator (like Google’s structured data testing tool); see what’s wrong, fix; and repeat, as needed.

If it’s your first time writing JSON-LD, you might spend a few minutes figuring out how to represent an enum or boolean, looking for examples as needed.

Enter schema-dts

My experience left me with a feeling that things could be improved; writing JSON-LD should be no harder than any JSON that is constrained by a certain schema. This led me to create schema-dts (npm, github) a TypeScript-based library (and an optional codegen tool) with type definitions of the latest Schema.org JSON-LD spec.

The thinking was this: Just as IDEs (and, later, language server protocols for lightweight code editors) supercharge our developer experience with as-you-type error highlighting and code completions, we can supercharge the experience of writing those JSON-LD literals.

With IDEs and language server protocols, the write-test-debug loop was made much tighter. Developers get immediate feedback on the basic correctness of the code they write, rather than having to save sporadically and feed their code to a compiler for that feedback. With schema-dts, we try to take validators like the structured data testing tool out of the critical path of write-test-debug. Instead, you can use a library to type-check your JSON, reporting errors as you type, and offering completions for `@type`s, property names, and their values.


Thanks to TypeScript’s structural typing and discriminated unions, the general shape of Schema.org’s JSON-LD can be well-represented in TypeScript typings. I have previously described the type theory behind creating a TypeScript structure that expresses the Schema.org class structure, enumerations, `DataType`s, and properties.

Schema-dts includes two related pieces: the ‘default’ schema-dts NPM package which includes the latest Schema.org definitions, and the schema-dts-gen CLI which allows you to create your own typing definitions from Schema.org-like .nt N-Triple files. The CLI also has flags to control whether deprecated classes, properties, and enums should be included, what `@context` should be assumed by objects you write, etc.

Goals and Non-Goals

The goal of schema-dts isn’t to make type definitions that accept all legal Schema.org JSON literals. Rather, it is to make sure we provide typings that always (or almost always) result in legal Schema.org JSON-LD literals that search engines would accept. In the process, we’d like to make sure it’s as general as possible, without sacrificing type checking and useful completions.

For instance, RDF’s perspective is that structured data is property-centric, and the Schema.org reference of the domains and ranges of properties is only a suggestion for what values are inferred as. RDF actually permits values of any type to be assigned to a property. Instead, schema-dts will actually constrain you by the Schema.org values.

***

If you’re passionate about structured data, try schema-dts and join the conversation on GitHub!

By: Eyas Sharaiha, Geo Engineering & Open Source scheme-dts Project

Hey! Ho! Ten Years of Go!

Wednesday, November 13, 2019



Ten years ago, we announced the Go release here on this blog. This weekend we marked Go's 10th birthday as an open-source programming language and ecosystem for building modern networked software.

Go's original target was networked system infrastructure, anticipating what we now call the cloud. Go has become the language of the cloud, but more than that, Go has become the language of the open-source cloud, including Containerd, CoreDNS, Docker, Envoy, Etcd, Istio, Kubernetes, Prometheus, Terraform, and Vitess.

From our earliest days working on Go, we planned for Go to be open source. We knew that bootstrapping a new language and ecosystem was too large a project for one team or even one company to do alone. Go needed a thriving open-source community to curate and grow the ecosystem, to write books and tutorials, to teach courses to developers of all skill levels, and of course to find bugs and work on code improvements and new features. And of course we also wanted to share what we had created with everyone.

Open source at its best is about people working together to accomplish far more than any of them could have done alone. We are incredibly grateful to the thousands of people who have built up Go, its ecosystem, and its community with us over the past decade.

There are over a million Go developers worldwide, and companies all over the globe are looking to hire more. In fact, people often tell us that learning Go helped them get their first jobs in the tech industry. In the end, what we're most proud of about Go is not a well-designed feature or a clever bit of code but the positive impact Go has had in so many people's lives. We aimed to create a language that would help us be better developers, and we are thrilled that Go has helped so many others. Today we launched go.dev to be a hub for all Go developers to learn more and find ways to connect with each other.

As a thank you from us on the Go team at Google to Go contributors and developers worldwide for joining us on Go's journey, we are distributing a commemorative 10th anniversary pin at this month's Go Developer Network meetups. Renee French, who created the Go gopher for the release back in 2009, designed this special pin and also painted the mission control gopher scene at the top of this post. We thank Renee for giving Go so much of her time and a mascot that continues to delight and inspire a decade on.

As #GoTurns10, we hope everyone will take a moment to celebrate the Go community and all we have achieved together. On behalf of the entire Go team at Google, thank you to everyone who has joined us over the past decade. Let's make the next one even more incredible!



By Russ Cox, for the Go team

Building Skills, Building Community

Tuesday, November 12, 2019

Year after year, we hear from conference attendees that it's not just the content they came for, it's the connections. Meeting new people, getting new perspectives, making new friends (and sometimes hiring them!) is a big part of KubeCon Life. We want to make sure that the Kubecon community is welcoming to people from diverse backgrounds but just being welcoming is not enough: we have to actually do the work to help people get through the door.

The easiest way to help people get through the door is through diversity scholarships. One of the biggest blockers to full participation in our community is just having the resources to get to the room where it happens, and a diversity scholarship—not just a ticket, but travel assistance too—helps increase participation.

1: Going Swagless

This Kubecon we want you to take away the really important things from the conference: new knowledge and new connections... not just another pen or plastic doodad. (Although to be fair, we will also have plenty of stickers... stickers aren't swag, they're an essential part of Kubecon!)

Google prides itself on being a data-driven company, so when we need to decide where we can spend our dollars to make the most impact and do the most good for the Kubecon community, we turn to the data. We know there is an issue from the CNCF KubeCon report in Seattle 2018 reporting in 11% women (and that’s not even a complete diversity metric). Now looking at the things conference attendees have told us they value about Kubecon, we put together this handy chart to help us guide our decision-making:
Travel + Conf Ticket ScholarshipBranded Pen
Face to face learning
Career development
OSS community building
Writing tools

We also need to consider externalities when we make our decisions—and going #swagless and dedicating those resources to improving the conversation and community at Kubecon has some positive externalities: less plastic (and lighter luggage going home) is better for the planet, too!

If our work to support diversity and inclusion at Kubecon has inspired you and you want to know what your org can do to participate, there is plenty of room in the #swagless tent for everyone—redirect your swag budget to D&I efforts. Shoutouts to conference organizers like SpringOne that went totally swagless this year!

2: Diversity Lunch + Hack

Our commitment to a welcoming environment and a diverse community doesn't stop at getting people in the door: we also need to work on inclusion. Our diversity lunch and hack is a place where people can:
  • Build their skills through pair programming
  • Get installation help
  • Do deep-dives on k8s topics
  • Connect with others in the community
Our diversity lunch isn't just talking about diversity: it's about working towards diversity through skill-building and creating stronger community bonds. Register here!

We welcomed 220 friends and allies in Barcelona and expect to continue the sold-out streak in San Diego (get your ticket now)!

3: Redirecting Even More

But wait, there's more! We're not just going #swagless, we're also redirecting all the hands-on workshop registration fees ($50) from Anthos Day, Anthos&GKE Lab, OSS: Agones, Knative, and Kubeflow to the diversity scholarship fund. You can build a stronger, more diverse community while you build your skills—a total twofer. (And our workshops are also walking the walk of inclusion by being accessible themselves: if you need support to attend a workshop, whether financial or physical, send us a note.

4: Hiring

Also, one of the best things any company can do to drive D&I is to hire people who will help your company become more diverse, whether as a consultant to help you build your program, or as a team member who will help you bring a wider perspective to your product! Come meet a Googler at any of the activities we are doing during the week to discuss jobs at Google Cloud: g.co/Kubecon.

By: Paris Pittman, Google Open Source

Paving the way for a more diverse open source landscape: The First OSS Contributor Summit in Mexico

Wednesday, November 6, 2019

“I was able to make my first contribution yesterday, and today it was merged. I'm so excited about my first steps in open source", a participant said about the First Summit for Open Source Contributors, which took place this September in Guadalajara, México.
How do you involve others in open source? How can we make this space more inclusive for groups with low representation in the field?

With these questions in mind and the call to contribute to software that is powering the world's favorite products, Google partnered with Software Guru magazine, Wizeline Academy, OSOM (a consortium started by Googler, Griselda Cuevas, to engage more Mexican developers in open source), IBM, Intel, Salesforce and Indeed to organize the First Summit for Open Source Contributors in Mexico. The Apache Software Foundation and the CNCF were some of the organizations that sponsored the conference. The event consisted of two days of training and presentations on a selection of open source projects, including Apache Beam, Gnome, Node JS, Istio, Kubernetes, Firefox, Drupal, and others. Through 19 workshops, participants were able to learn about the state of open source in Latin America, and also get dedicated coaching and hands-on practice to become active contributors in OSS. While unpaid, these collaborations represent the most popular way of learning to code and building a portfolio for young professionals, or people looking to do a career shift towards tech.


As reported by many advocacy groups in the past few years, diversity remains a big debt in the tech industry. Only an average of 8.4% of employees in ten of the leading tech companies are Latinx(1). The gap is even bigger in open source software, where only 2.6% of committers to Apache projects are Latinx(2). Diversity in tech is not just the right thing to do, it is also good business: bringing more diverse participation in software development will result in more inclusive and successful products, that serve a more comprehensive set of use cases and needs in any given population.


While representation numbers in the creation of software are still looking grim, the use of OSS is growing fast: It is estimated that Cloud and big-data OSS technologies will grow five times by 2025 in Latin America. The main barrier for contributing? Language. 

The First Summit for Open Source Contributors set out to close this fundamental gap between tech users and its makers. To tackle this problem, we created, in partnership with other companies, 135 hours of content in Spanish for 481 participants, which produced over 200 new contributors across 19 open source projects. When asked why contributions from the region are so low, 41% of participants said it was due to lack of awareness, and 34% said they thought their contributions were not valuable. After the event, 47% of participants reported that the workshops and presentations provided them with information or guidance on how to contribute to specific projects, and 39% said the event helped them to lose fear and contribute. Almost 100% of participants stated that they plan to continue contributing to Open Source in the near future… and if they do, they would raise representation of Latinx in Open Source to 10%.
Organizing Team
This event left us with a lot of hope for the future of diversity and inclusion in open source. Going forward, we hope to continue supporting this summit in Latin America, and look for ways of reproducing this model in other regions of the world, as well as designing proactive outreach campaigns in other formats.

View more pictures of the event here.
View some of the recorded presentations here.


By: María Cruz for Google Open Source

(1) Aggregate data from Tech Crunch: https://techcrunch.com/2019/06/17/the-future-of-diversity-and-inclusion-in-tech/
(2) Data from the last Apache Software Foundation Committer Survey, applied in 2016, 765 respondents (13% of committers)

OpenTitan – Open sourcing transparent, trustworthy, and secure silicon

Tuesday, November 5, 2019

Security begins with secure infrastructure. To have higher confidence in the security and integrity of the infrastructure, we need to anchor our trust at the foundation—in a special-purpose chip.

Today, along with our partners, we are excited to announce OpenTitan—the first open source silicon root of trust (RoT) project. OpenTitan will deliver a high-quality RoT design and integration guidelines for use in data center servers, storage, peripherals, and more. Open sourcing the silicon design makes it more transparent, trustworthy, and ultimately, secure.
The OpenTitan logo

Anchoring trust in silicon

Silicon RoT can help ensure that the hardware infrastructure and the software that runs on it remain in their intended, trustworthy state by verifying that the critical system components boot securely using authorized and verifiable code. Silicon RoT can provide many security benefits by helping to:
  • Ensure that a server or a device boots with the correct firmware and hasn't been infected by a low-level malware.
  • Provide a cryptographically unique machine identity, so an operator can verify that a server or a device is legitimate.
  • Protect secrets like encryption keys in a tamper-resistant way even for people with physical access (e.g., while a server or a device is being shipped).
  • Provide authoritative, tamper-evident audit records and other runtime security services.
The silicon RoT technology can be used in server motherboards, network cards, client devices (e.g., laptops, phones), consumer routers, IoT devices, and more. For example, Google has relied on a custom-made RoT chip, Titan, to help ensure that machines in Google’s data centers boot from a known trustworthy state with verified code; it is our system root of trust. Recognizing the importance of anchoring the trust in silicon, together with our partners we want to spread the benefits of reliable silicon RoT chips to our customers and the rest of the industry. We believe that the best way to accomplish that is through open source silicon.

Raising the transparency and security bar

Similar to open source software, open source silicon can:
  1. Enhance trust and security through design and implementation transparency. Issues can be discovered early, and the need for blind trust is reduced.
  2. Enable and encourage innovation through contributions to the open source design.
  3. Provide implementation choice and preserve a set of common interfaces and software compatibility guarantees through a common, open reference design.
The OpenTitan project is managed by the lowRISC CIC, an independent not-for-profit company with a full-stack engineering team based in Cambridge, UK, and is supported by a coalition of like-minded partners, including ETH Zurich, G+D Mobile Security, Google, Nuvoton Technology, and Western Digital.

The founding partners of the OpenTitan project

OpenTitan is an active engineering project staffed by a team of engineers representing a coalition of partners who bring ideas and expertise from many perspectives. We are transparently building the logical design of a silicon RoT, including an open source microprocessor (the lowRISC Ibex, a RISC-V-based design), cryptographic coprocessors, a hardware random number generator, a sophisticated key hierarchy, memory hierarchies for volatile and non-volatile storage, defensive mechanisms, IO peripherals, secure boot, and more. With OpenTitan, a coalition of partners have come together to deliver a more open, transparent, and high-quality RoT.
A comparison of the major design components of a traditional RoT and an OpenTitan RoT
The OpenTitan project is rooted in three key principles:
  • Transparency – anyone can inspect, evaluate, and contribute to OpenTitan’s design and documentation to help build more transparent, trustworthy silicon RoT for all.
  • High quality – we are building a high-quality logically-secure silicon design, including reference firmware, verification collateral, and technical documentation.
  • Flexibility – adopters can reduce costs and reach more customers by using a vendor- and platform-agnostic silicon RoT design that can be integrated into data center servers, storage, peripheral and other devices.

Participating in the OpenTitan project

OpenTitan will be helpful for chip manufacturers, platform providers, and security-conscious enterprise organizations that want to enhance their infrastructure with silicon-based security. Visit our GitHub repository today.

If you are interested in actively collaborating on OpenTitan to help make secure open source silicon a reality, we encourage you to contact the OpenTitan team. If you would like your product to be considered for a pilot OpenTitan RoT integration, the team would be excited to hear from you.

By Royal Hansen‎, Vice President, Google and Dominic Rizzo, OpenTitan Lead, Google Cloud

From "let's try" to "woah, this is awesome!": Three years of GSoC for InterMine

Friday, November 1, 2019

GSoC Experience Series

InterMine is an open source data warehouse for biological data. In 2017, we decided at short-ish notice to participate in a call from Open Genome Informatics for Google Summer of Code (GSoC) mentoring organisations. InterMine had never participated in a program like this before, and we weren’t entirely sure if the time investment was actually going to be worth it. We nervously said “no more than two projects”, but we had so many great applications, we ended up taking on five brilliant students.
Fast forward to 2019, GSoC is firmly embedded in our organisation it’s hard to imagine that this is only our third time participating. The benefits to us (and hopefully the students as well!) were immeasurable, allowing us to explore open-ended projects we thought might be fun and implement concrete ideas that we’ve been wanting to do for years, all while interacting with a really smart bunch of talented students. 

From the 2017 cohort of students, we ended up with one of our students, Konstantinos Krytsis, authoring a scientific paper about the work they did: InterMineR: an R package for InterMine databases. Another student, Nadia Yudina, returned to our org as a mentor the next year.
In 2018, student engagement got even better: of six students, Adrián Rodríguez-Bazaga applied for an internal vacancy and joined us full time, Nupur Gunwant spent her next summer break working on an internship in our office, and two students returned as mentors the next year (Aman Dwivedi and Arunan Sugunakumar).

By this point, any questions we might have had about whether or not GSoC was “worth it” were firmly answered: GSoC had become an integral part of our team’s operations. There were still things we needed to improve, though—we ran a student debrief after GSoC 2018, and one student expressed that despite having worked with our API and data for three months, they still didn’t have a firm idea of why or how someone might wish to use InterMine. 😱 whoops! This definitely had never been our intent, and I felt mortified that we’d overlooked something so basic.

In 2019, we set out to provide our students with a firm grounding by running cohort calls. All students were invited, giving them the chance to meet one another and interact—not quite face to face, but video calls still give a great sense of “group” compared to just text chat. We structured the calls to run over several months, liberally borrowing from the Mozilla Open Leaders curriculum to teach students about open source good practices, presentation skills, code review, providing effective and kind feedback (an essential part of code review), and of course—talking about what InterMine is, how it was founded, and what type of people might use it. We made heavy use of Zoom’s breakout room feature, to allow small sub-groups of students and mentors to have private discussions about topics, before re-convening to report their experiences to the group.

Feedback from students was very positive about the calls, so we expect to continue this in later years. I think my favourite comment after our very first call was “Are there going to be more of these group calls? This was awesome!” We also repeatedly had the group calls mentioned positively in free-text feedback from student evaluations.

With this in mind, we’d like to share our call agenda templates with other organisations so others can run the same student cohort calls if they wish,and remix/modify, etc. as needed. As part of our GSoC site repo, all content including our call templates, GSoC grading criteria and advice, etc. is Apache licensed and open for reuse. You can see all of our call templates on our GSoC repo site, or fork our GSoC GitHub repo;and I’m happy to discuss ideas (email: yo@intermine.org, twitter: @yoyehudi or @intermineorg) or help others get similar group call programs off the ground if you’d like advice.
.