The changing face of open source distribution

In the past, open source Java projects were largely independently distributed, often with nothing more than a SourceForge site. In the past few years, branded collections of projects have emerged. The best known is the Jakarta collection at Apache. Some others are http://opensymphony.com, http://codehaus.org, and http://opensource.thoughtworks.com. The new thing emerging is commercial support and packaging of the most popular projects into distribution “stacks”.

JBoss, SourceLabs, Spikesource, Gluecode (now IBM) and others are making money out of supporting Java open source. What you see in each case is that they only support a narrow selection of open source projects that make it into their distributions. That the distributions are “stacks” further clarifies that there is a narrow selection at each level – often only one. They tend to go with the sweet spot: a configuration where most of the users are. The effect of this selection in turn reinforces the popularity of the selected projects.

Most users of Linux distributions or JBoss distributions stick to the projects included, because the work is done and it is easy. In the old days people would put their own together. I think we are seeing a similar change occurring in Java tools and libraries. An example of this in the Java space is http://jpackage.org/. I had an email just this weekend from someone asking about updating the ehcache packages there, because his company only used libraries that were in jpackage. I cooperated with him. As the method of distributing open source Java changes, individual projects need to support the new distribution approaches or suffer a decline in use.

A lesson in what can happen once you get dropped by a distribution is the XFree86 project. It was the standard Linux X server, a windowing system, used on millions of machines worldwide. There was a disagreement over licensing last year. Within a few months Red Hat had dropped them in favour of the X.org project. I do not know of anyone who has bothered downloading and installing XFree86 who is using an X.org system.

For those of us that write open source software, the main satisfaction is in having others use your code. The more people that use your code the greater the satisfaction. As a non-aligned open source contributor, I think there is a need to be aware of these changes in distribution to remain widely used.

Have you swikked yet?

For the past 5 months I have been talking to SourceLabs about open source. They are a promising startup offering support for commonly used open source. The research I have read consistently shows lack of support as the largest inhibitor of open source adoption.

To make themselves known to the open source community, SourceLabs decided to give something back. That something is swik. Swik is a little hard to describe, thus the title of this post – have you swikked yet? It is a combination of del.icio.us, freshmeat, and an open source themed wikipedia. Its aim is to be a repository of knowledge about open source projects. Like wikipedia, anyone can edit anything. Like freshmeat, it has information on open source projects. Like del.icio.us it is a social network. The hope is it will provide some much needed meta information about projects, and be more than freshmeat and do more than sourceforge search.

A lot of thought has been put into swik. Search for a project. If it does not exist, swik’s robots will go out to the usual places and discover information about it. On its own this makes using swik useful. But if others come along and add extra information then it becomes quite valuable. I encourage you to get behind swik and make it work.

Digital Signing and Encryption of email on Linux and Mac OS X

Years ago I played with PGP – pretty good privacy, an open source crypto package from Phil Zimmermann. At the time, Phil copped a lot of heat from the NSA and others, concerned with the nefarious applications of crypto. I played around with signing my email and so on, but I upgraded my computer and my attention drifted.

My family do all of our banking online. As a result I am a little paranoid about security. We never do banking unless on one of our own Mac or Linux machines. (Our Macs have just become plural – we added an iMac for my 4 year old son Curtis). What really worries me is phishing. As a result I have my spam filters turned way up, to the point where I sometimes miss non-spam. (Apologies to any open source patch submitters I have been slow to respond to). Occasionally I have to look closely at a phishing email. Looking at the actual URL and viewing the raw source of the email headers always reveals the scam. What worries me is a couple of things:

  1. knowledge of SMTP and HTTP seems to be required to ascertain a scam, and
  2. how do people know my messages are really from me?

I have always thought that digital signing à la PGP was a solution waiting for its time. I thought that once authentication and privacy became a big deal, naturally all this stuff would get used. Today I decided to take the trip. From now on, all emails from me will be digitally signed with my own Thawte Certificate.

Having done this I can sign my emails and encrypt them. The thing I have not worked out is how to share my public key. This is the missing piece.