Malicious Open Source Contributions

Yesterday, an interesting thing happened within the Eclipse Foundation community where someone sent a malicious code review.

We generally don’t see this type of thing in open source communities (mostly just contributions without tests), but I believe malicious contributions will continue and become more frequent. The opportunity is just there for bad actors and open source code is embedded all over the place, from your desktop, to your mobile devices to vehicles.

Looking back, there have been some notable opportunities for bad actors to inject malicious code. One example I recall in particular is RubyGems and SSL and another more prominent example was when the Kernel.org servers were hacked:

Good times, stay diligent.

Apache (and other foundations) considered useful

I couldn’t resist writing a blog about this topic given the chance to use a witty blog title. A few years ago, I blogged about a post that Mike Rogers (@mikeal) wrote about “Apache considered harmful” in the GitHub era.

I agreed with Mike to an extent, but mostly around my frustration in how slow the ASF was in adopting newer tools (like Git) and how the organization was structured with volunteers responsible for critical infrastructure. However, we can save that frustration for another post (note: this has improved as of late).

The interesting part was that Mike recently has had some interesting thoughts about the role of companies in open source due to the NodeJS / io.js forking debacle:

In particular, his opinion is that no company alone can be trusted with the ownership of a community driven open source project. I generally agree with his thoughts; however, there are solutions to his problem involving open source foundations. Open source foundations like the ASF, Eclipse Foundation and Linux Foundation (and more) are actually really useful:

The foundations I mentioned above have over a decade of experience being built for the sole purpose of allowing independent open source communities to flourish with fair governance models built on meritocratic behaviors (just take a peek at some of the Apache documentation or Eclipse development process). This is important because the incentives between individuals, small companies, large companies, heavily funded companies and even academics are different and need to be accounted for in a fair open source governance structure. Some of these foundations like the Eclipse Foundation started out as the “Eclipse Consortium” and learned some of these lessons the hard way.

In particular, I would like to call out the Eclipse Foundation Working Groups and Linux Foundation Collaborative Projects concepts as some of the best ways to collaborate in the open for maturing open source projects.

On a funny note, as I was trying to get this post out last week, hilariously the container community was going through a fork of Docker with Rocket from CoreOS (in particular, this Hacker News thread was just cheeky):

What happened with Docker/Rocket was almost predictable given the way the Docker project was structured and how late to the game they were in establishing some level of governance and independence as more large companies were getting involved. At least the competition should help container technology improve at a quicker pace.

In the end, I have to agree with this tweet from Jim Jagielski (@jimjag) about the role of open source foundations:

I hope that in the future as new open source projects become successful, they take a serious look at open source foundations (especially the ones I mentioned) as a proper place to grow and provide structure to their community. Their communities deserve it.

#DeckerChallenge 2014 Half Marathon

I had a great time running the challenging Decker Half Marathon today:

I’m trying to get back into running shape where I can consistently do a half marathon under 1:30 but I’m not back there yet. I definitely made the mistake of going out of the gate a bit too fast today so there was no negative split for me when finishing the race. On the plus side, according to Strava, I ran an average pace of 7:16 and burned 2000+ calories.

In the end, looking forward to increasing the track workouts to get my speed up a bit in the future, especially since the New York Times is saying that we need to “Run to Stay Young” (or just stay in shape).

Naming Mars+1 (2016 @EclipseFdn Release)

It’s that time of year that members of the Eclipse Foundation Planning Council help spearhead the community-based naming process of the next Eclipse release (slated for 2016).

The rules are contained in this bug where you can submit names for consideration. Here are the guidelines for names:

The rules and procedure for naming Mars+1 will be similar to what has happened in the past. The name should be alphabetically greater than “M”.

Preference will be given to “N” names, but no strict rule that others would not be considered. Preference given to names that fit the “moon”, “heavenly body gods”, or “scientists” themes we’ve had in the past.

I’ve suggested Nova or Neutrino to start, but have taken a liking to Neptune as a potential option:

Have a better suggestion for a name? Well, put it in the bug before we call for an official vote in the coming weeks.

Thank you!

Open Sourcing the Twitter Emoji

Usually I’m buried in the realm of just code, but yesterday I had the fun job of open sourcing the beautifully designed Emoji set we use at Twitter:

Why does this make me happy? First off, emojis are fun, hugely popular and standardized by the Unicode Consortium. One of the interesting sites I came across was EmojiTracker which shows real time emoji usage across Twitter.

Finally and more importantly, emoji have been historically plagued by licensing issues. Due to some of these concerns, WordPress reached out to us to see if we were interested in collaborating and opening up our emoji set. We thought this was a great idea, so here we are today.

In the end, my hope is that us sharing our emoji with a permissive license will help alleviate some of the IP issues and help open up the web a little bit more for everyone.

@Flight Conference 2014

I had a great time at @Flight, our first mobile developer conference at Twitter where we announced Fabric. As part of the conference, I helped organize a small run in the morning to start things off; it was nice to see about 20 people show up to run a 5K (ok, it was really more like an 8K with hills).

At the conference, I had the opportunity to talk briefly in the Lightning Theater about some of the open source technology behind tweets, in the context of what happens behind the scenes of a typical API call.

I hope the audience left with some new knowledge and appreciation of what helps power those tweets they see every day. I posted the slides on Slideshare if anyone is interested. I look forward to us doing this next year; it’s about time that we do more developer focused events at Twitter.

#ZilkerRelays and the Car2go Marathon Relay

Over the past couple of weeks, I had the opportunity to run in the Zilker Relays and the Car2go Marathon Relays. For the Zilker Relays, I ran a pretty solid pace of 6:20 min/mile over 2.5 miles:

Although during the first mile, I ran a sub 6 and that was obviously a terrible idea that didn’t contribute to me finishing with a negative split.

For my car2go marathon relay leg, I ran a 6:55 min/mile over 4.3 miles:

Looking forward to the next relay race, they are always a fun way to push yourself with a group of people.

One Week until #MesosCon 2014 (and LinuxCon)

Over the last couple of years I’ve been heavily involved in open source infrastructure technology by way of the Mesos project, which my team and Twitter have helped grow outside its humble beginnings as an academic project. As a result, I’m really looking forward to the first #MesosCon next week (co-located with LinuxCon) which my team at Twitter helped put together in collaboration with the awesome Mesos community and the great folks at the Linux Foundation. It was interesting as we put together the conference in a fairly transparent fashion, but that’s a topic for another blog post.

The schedule looks great and covers a wide variety of infrastructure usage:

The final day we also have a Hackathon where committers and Mesos community members will be available to drive the project forward based on community interest (basically who shows up).

Also, right before #MesosCon there will be a Docker Meetup in Chicago which will have a talk about running Docker containers on Mesos.

Look forward to seeing everyone in Chicago, feel free to reach out to me if you would like to meet up and chat open source over a frosty beverage.

Interview with @OpensourceWay

I’m a bit behind on blogging but last week I gave an interview with opensource.com about how we scale our infrastructure at Twitter using Mesos, check it out:

Hope you learned something new!

#oscon 5K 2014

I’m getting in the habit of posting more of my race results so it guilts me into running faster in the future. Last week I had the opportunity to be at OSCON for work and ran in the wonderful 5K they put on:

I finished third in my age group and 6th overall with a 6:35/mi clip!