TechRadar Pro: The Heartbleed bug showed that there can be serious consequences when bugs in open source software are exploited. Did that event change how OpenStack developers approach security?
JB: Sure. Heartbleed was a very big vulnerability. The team that's responsible for OpenSSL has really smart guys, but they didn't have a huge support network around them, the type that allows you to dedicate the resources you need.
On the other hand, OpenStack has a massive community and a dedicated security team, along with companies that spend millions of dollars to test and develop on it. From the foundation's perspective, we make sure that we help to put the frameworks and systems in place to keep those groups operating, functioning and sharing information.
TRP: Does that involve things like cross-checking code?
JB: When a contribution comes into OpenStack, it's a really cool process. Following automated tests, two core reviewers have to approve the contribution (or patch), which then re-enters a testing environment to check that nothing has changed in the time that it has been reviewed. If that all works then it finally enters the source tree. It's a very robust system. During the six-month release cycle for Juno, that testing system ran 2 million jobs in that release process.
TRP: Something that has been raised frequently at the summit is the lack of staff training and people skilled in OpenStack. What is the OpenStack Foundation doing to improve education around the platform?
JB: I think that's just a sign of a rapidly-growing market; that's how it is in new markets at the beginning. Given time it'll all balance out, but we want to get there sooner. We launched a training market last year that aggregates training courses from companies all over the world. Hundreds of those courses have been delivered in a year in something like 60 cities in 20 or 30 different countries.
We're doing more to promote those kinds of training opportunities. In addition, we have something like 70 user groups around the world that do hackathons and community training, getting people together to learn OpenStack.
TRP: Another issue raised is the downtime users are facing when upgrading OpenStack. Mirantis has claimed it is going to fix the problem. What do you think to that?
JB: Mirantis is a company that does pretty much everything upstream and pushes their stuff into the community. We love it when companies function like that because everybody is able to benefit from it.
TRP: Intel is now a platinum partner of the OpenStack Foundation - how does that change its standing in the OpenStack community?
JB: It's more the other way around - they were elected there because of their standing. This is the first time that we've had an opening for a Platinum position, and the board has to elect a company to that spot. It's all about their standing in the OpenStack community and how much they're contributing to help both drive the code but also organise their related efforts, drive it back into the development process and make the software more useful. Those are some of the big things that were key in them being elected.
TRP: Why might an organisation move from a commercial solution to OpenStack?
JB: There are a number of companies who have moved some of the proprietary systems in their environment to OpenStack. It's interesting because OpenStack has the broadest support for the most technologies in the data centre.
We've heard that a really valuable piece of the OpenStack equation for a lot of companies is that they have a load of applications that run really well on VMware, so they don't want to get rid of that, but at the same time they want to have the option of using [open source hypervisor] KVM for new workloads, or workloads that don't require all of the functionality of VMware.
I think that sometimes it is about cost, and they want to cut licensing fees, but other times it's about flexibility and having the opportunity to choose and not being stuck on a single vendor's product cycle forever.