Donald Fischer, Tidelift | AWS Startup Showcase S2 E1 | Open Cloud Innovations
>> Welcome everyone to theCUBE's presentation of the AWS Startup Showcase: Open Cloud Innovations. This is season two, episode one of the ongoing series, and we're covering exciting and innovative startups from the AWS ecosystem. Today we're going to focus on the open source community. I'm your host, Dave Vellante. And right now we're going to talk about open source security and mitigating risk in light of a recent discovery of a zero-day flaw in Log4j, a Java logging utility, and a related White House executive order that points to the FTC pursuing companies that don't properly secure consumer data as a result of this vulnerability. And with me to discuss this critical issue, and how to more broadly address software supply chain risk, is Donald Fischer, who's the CEO of Tidelift. Thank you for coming on the program, Donald.

>> Thanks for having me. Excited to be here.

>> Yeah, pleasure. So look, there's a lot of buzz. You open the news, you go to your favorite news site and you see this, you know, Log4j. This is a project otherwise known as Log4Shell. It's this logging tool. My understanding is it's both ubiquitous and very easy to exploit. Maybe you could explain that in a little bit more detail. And how do you think this vulnerability is going to affect things this year?

>> Yeah, happy to dig in a little bit and orient around this. So, you know, just a little definitions to start with. So Log4j is a very widely used core component that's been around for quite a while. It's actually an amazing piece of technology. Log4j is used in practically every serious enterprise Java application over the last 10, going on 20, years. So Log4j itself is fantastic. The challenge that organizations have been facing relates to a specific security vulnerability that was discovered in Log4j, and that has been given this sort of brand name, as it happens these days. Folks may remember Heartbleed, around the OpenSSL vulnerability some years back. This one has been dubbed Log4Shell. And the reason why it was given that name is that this is a form of security vulnerability that actually allows attackers, you know, if a system is found that hasn't been patched to remediate it, it allows hackers to get full control of a system, of a server that has the software running on it, or includes this Log4j component. And that means that they can do anything. They can access, you know, private customer data on that system, or really do anything, in so-called shell-level access. So that's the sort of definition of what it is. But the reason why it's important is, in the small, you know, this is an open door, right? If organizations haven't patched this, they need to respond to it. But one of the things that's kind of, I think, important to recognize here is that Log4j is just one of literally thousands of independently created open source components that flow into the applications that almost every organization builds, and all software is going to have security vulnerabilities. And so I think that Log4j has been a catalyst for organizations to say, okay, we've got to solve this specific problem, but we also have to think ahead about how is this all gonna work. If our software supply chain originates with independent creators across thousands of projects across the internet, how are we going to put a better plan in place to think ahead to the next Log4j, Log4Shell-style incident? And for sure there will be more.

>> Okay. So you see this incident as a catalyst to maybe more broadly thinking about how to secure the digital supply chain.

>> Absolutely. Yeah, this is proving a point that, you know, a variety of folks have been making for a number of years. Hey, we depend... I mean, honestly, these days more than 70% of most applications, most custom applications, are comprised of this third-party open source code, projects very similar in origin and governance to Log4j. That's just reality. It's actually great. That's an amazing thing that the humans collaborating on the internet have caused to be possible, that we have this rich commons of open source software to build with. But we also have to be practical about it and say, hey, how are we going to work together to make sure that that software, as much as possible, is vetted to ensure that it meets commercial standards, enterprise standards, ahead of time? And then when the inevitable issues arise, like this incident around the Log4j library, that we have a great plan in place to respond to it and to, you know, close the door on vulnerabilities when they show up.

>> I mean, you know, when you listen to the high-level narrative, it's easy to point fingers at organizations: hey, you're not doing enough. Now, of course, the U.S. government has definitely made attempts to emphasize this and to push people to shore up the software supply chain. They released an executive order last May. But specifically, I mean, it's just a complicated situation. So what steps should organizations really take to make sure that they don't fall prey to these future supply chain attacks, which, as you pointed out, are inevitable?

>> Yeah. I mean, it's a great point that you make that the U.S. federal government has taken proactive steps, starting last year, 2021, in the fallout of the SolarWinds breach, you know, about 12 months ago from the time that we're talking here. The U.S. government actually was a bit ahead of the game, both in flagging the severity of this area of concern and also directing organizations on how to respond to it.
So in May 2021, the White House issued an executive order on cybersecurity, and it directed federal agencies to undertake a whole bunch of new measures to ensure the security of different aspects of their technology and software supply chain. It specifically called out open source software as an area where they put, you know, hard requirements around federal agencies when they're acquiring technology. And one of the things that the White House cybersecurity executive order directed was that organizations need to start with creating a list of the third-party open source that's flowing into their applications, just to even have a table of contents or an index to start working with. And that's called a software bill of materials, or "S-bomb" is how some people pronounce that acronym. So the federal government basically requires federal agencies to now create an SBOM for their applications, to demand a software bill of materials from vendors that are doing business with the government, and the strategy there has been to expressly use the purchasing power of the U.S. government to level up industry as a whole and create the necessary incentives for organizations to take this seriously.

>> You know, I feel like the SolarWinds hack that you mentioned, of course it widely affected the government, so it kind of woke them up. But I feel like it was almost like a Stuxnet moment, Donald. It was very sophisticated. I mean, for the first time, patches that were supposed to be helping us protect, now we have to be careful with them. And you mentioned the software bill of materials. We have to really inspect that. And so let's get to what you guys do. How do you help organizations deal with this problem and secure their open source software supply chain?

>> Yeah, absolutely happy to tell you about Tidelift and how we're looking to help. So, you know, I co-founded the company with a couple of colleagues, all of whom are long-term open source folks. I've been working in and around commercializing open source for the last 20 years at companies like Red Hat and a number of others, as have my co-founders. The opportunity that we saw is that, while there have been vendors for some of the traditional systems-level open source components and stacks like Linux, you know, of course there's Red Hat and other vendors for Linux, or for Kubernetes, or for some of the databases, there are standalone companies for these. For these Log4Shell-style projects, there just hasn't been a vendor for them. And part of it is there's a challenge to cover a really vast territory. A typical enterprise that we inspect has, you know, upwards of 10,000 Log4j-like components flowing into their applications. So how do they get their hands around that challenge of managing that and ensuring it meets, you know, reasonable commercial standards? That's what Tidelift sets out to do. And we do it through a combination of two elements, both of which are fairly unique in the market. The first of those is a purpose-built software solution that we've created that keeps track of the third-party open source flowing into your applications. It inserts itself into your DevSecOps toolchain, your developer tooling, your application development process. And you can kind of think of it as, next to the point in your release process where you run your unit tests to ensure the business logic in the code that your team is writing is accurate and passes tests, we do an inspection to look at the state of the third-party open source packages, like Apache Log4j, that are flowing into your application. So there's a software element to it. That's a multi-tenant SaaS service. We're excited to be partnered with AWS, and one of the reasons why we're here in this venue is talking about how we are making that available jointly with AWS to customers deploying on AWS platforms. Now, the other piece of our solution is really, really unique, and that's the set of relationships that Tidelift has built directly with these independent open source maintainers, the folks behind these open source packages that organizations rely on. And, you know, this is where we sort of have this idea: somebody is making that software in the first place, right? And so would those folks be interested? Could we create a set of aligned incentives to encourage them to make sure that that software meets a bunch of enterprise standards in areas around security, like, you know, relating to the Log4j vulnerability, but also other complicated parts of open source consumption, like licensing, open source license accuracy and compatibility, and also maintenance, like, is somebody looking after the software going forward? So just trying to basically invite open source creators to partner with us to level up their packages. Through those relationships, we get really clean, clear first-party data from the folks who create and maintain the software. And we can flow that through the tools that I described so that end organizations can know that they're building with open source components that have been vetted to meet these standards. By the way, there's a really cool side effect of this business model, which is that we pay these open source maintainers to do this work with us. And so now we're creating a new income stream around what previously had been primarily a volunteer activity done for impact in this universe of open source software. We're helping these open source maintainers kind of go pro on an aspect of what they do around open source. And that means they can spend more time applying more process and tools and methodology to making that open source software even better.
And that's good for our customers. And it's good for everyone who relies on open source software, which is really everyone in society these days.

>> That's interesting. I was going to ask you what's their incentive other than doing the right thing. Can you give us an example of maybe an open source maintainer that you're working with?

>> Yeah. I mean, we're working with hundreds of open source maintainers and a few of the key open source foundations in different areas across JavaScript, Java, PHP, Ruby, Python, .NET. And, you know, examples of categories of projects that we're working with, just to be clear, are things like web frameworks or parser libraries or logging libraries, like Log4j and all the other languages, right? Or time and date manipulation libraries. I mean, these are sort of the core building blocks of applications, and individually they may seem like maybe a minor thing, but when you multiply them across how many applications these get used in, and Log4j is a really clarifying case for folks to understand this, what can seemingly be a small part of your overall application estate can have disproportionate impact on your operations. As we saw with many organizations that spent a weekend or a week, or a large part of the holidays, scrambling to patch and remediate this, a single vulnerability in one of those thousands of packages, in that case Log4j.

>> Okay, got it. So you have this two-headed, two vectors I'm going to call it: your ecosystem, your relationship with these open source maintainers, that just didn't happen overnight, it took time to develop those relationships. And now you get first-party data. You monetize that with a software service that is purpose-built as the monitor, or the probe, that actually tracks that third-party activity.

>> Exactly right.

>> Got it. Okay. So a lot of companies, Donald, I mean, this is, like I said before, a complicated situation. You know, a lot of people don't have the skill sets to deal with this. And so many companies just kind of stick their head in the sand and hope for the best, but that's not a great strategy. What are the implications for organizations if they don't really put the tools and processes into place to manage their open source digital supply chain?

>> Yeah. Ignoring the problem is not a viable strategy anymore, and it's just become increasingly clear as these big headline incidents have happened, like Heartbleed and SolarWinds, and now this Log4Shell vulnerability. So you can bet on that continuing into the future, and organizations, I think, are realizing, the ones that haven't gotten ahead of this problem are realizing, this is a critical issue that they need to address. But they have help, right. You know, the federal government, another action beyond that cybersecurity executive order that was directed at federal agencies early last year: just in the last week or so, the FTC, the U.S. Federal Trade Commission, has made a much more direct warning to private companies and industry, saying that issues like this Log4j vulnerability risk exposing private consumer data. That is one of the express mandates of the FTC, to avoid that. The FTC has said that this bears on both the Federal Trade Commission Act as well as the Gramm-Leach-Bliley Act, which relates to consumer data privacy. And the FTC just came right out and said it. They cited the $700 million settlement that Equifax was subject to for their data breach, that also related to an open source component, by the way, that had not been patched by Equifax. And they said the FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j or similar known vulnerabilities in the future. So the FTC is saying this is a critical issue for consumer privacy and consumer data; we are going to enforce against companies that do not take reasonable precautions. What are reasonable precautions? I think it's kind of a mosaic of solutions, but I'm glad to say Tidelift is contributing a really different and novel solution to the mix that we hope will help organizations contend with this and avoid that kind of enforcement action from the FTC or other regulators.

>> Well, and the good news is that you can tap tooling like Tidelift in the cloud as a service, and it's much easier today than it was 10 or 15 years ago to resolve, or at least begin to demonstrate that you're taking action against this problem.

>> Absolutely. There's new challenges now, moving into a world where we build on a foundation of independently created open source. We need new solutions and new ideas, and that's part of what we're showing up with from the Tidelift angle, but there's many other elements that are going to be necessary to provide the full solution around securing the open source supply chain going forward.

>> Well, Donald Fischer of Tidelift, thanks so much for coming to theCUBE, and best of luck to your organization. Thanks for the good work that you guys do.

>> Thanks, Dave. Really appreciate your partnership on this, getting the word out, and yeah, thanks so much for today.

>> Very welcome. And you are watching the AWS Startup Showcase: Open Cloud Innovations. Keep it right there for more action on theCUBE, your leader in enterprise tech coverage.
Wim Coekaerts, Oracle | CUBE Conversation, May 2020
>> From theCUBE studios in Palo Alto and Boston, connecting with thought leaders all around the world, this is a Cube Conversation.

>> Hi everybody, this is Dave Vellante. Welcome to this Cube Conversation. We're really excited to have Wim Coekaerts in; he is the senior vice president of software development at Oracle. Wim, it's great to have you on, and, you know, I often say I wish we were face-to-face, but if we were you'd have to cut off my tie, 'cause developers and ties just don't go together.

>> No, I know, and this is my normal outfit, so this is me wherever I go. Hi again, good to see you.

>> Yeah, great to see you. So, of course, you know a lot of people are confused about Oracle and open source. They say, "Oracle? Open source? What is that all about?" But I think you're misunderstood. People don't, first of all, realize, you as the leader of the software development community inside of Oracle, I mean, you've been involved in Linux since the early 90s. But you guys have a lot of committers, you do a lot. I want to talk about that. What is up with Oracle and open source?

>> Ah, well, it's a broad question. So, you know, a couple of things. One is, we have many different areas within the company that are dealing with open source. So we have the cloud team doing a lot of stuff around cloud SDKs and support for different languages like Python and Go, and of course Java and so forth, so they do a lot around ensuring that the Oracle ecosystem is integrated in the open source tools that customers use, or developers use, Terraform companies and so forth. And then you have the Java team, and so forth. Java is open source, and then the Graal project, GraalVM, which is a polyglot compiler that can run Java, and Python, and JavaScript and so forth together in one VM, do really cool optimizations; that's an open source project, also on GitHub. There's of course MySQL, which is, along with Java, probably the two most popular and widely used open source projects out there. There's VirtualBox, which is of course also a very popular project that's open source. There's all the work we do around Linux. And I think one of the things is that, when you have so many different areas doing things that are for that area, then as a developer or as a customer, you typically just deal with that group. And what you see is, oh, you're talking to the Java developers, so you know what's going on around Java. The Java developers might not necessarily say, "Oh well, we also do MySQL, and we do Linux and VirtualBox and so forth," and so you get a rather myopic, narrow view of the larger company. When you add all these things up, and there will be one big slide that says "This is Oracle, these are all these open source projects," there's multiple ways. One is, we have projects that we've open-sourced, and all the code came from us and we made it publicly available; we're the main contributor and we get contributions back. There are other projects where we contribute to third parties in terms of enhancing things, like I said with the cloud team. And then in general, something like Linux, where we're part of an external project and we participate in development of that project at large. And so there's these three different ways. When you count up all the developers that we have that deal with open source on a daily basis, in terms of contributions, in terms of bug fixes, testing, and so forth, it's thousands, literally, of full-time paid developers. And of course, all the projects are all either on GitHub or similar sites that are very popular. So yeah, I think the misunderstanding is probably a lack of knowledge of the breadth of what we do. And, you know, our primary goal is to provide services and products to customers, and so the open source part is sort of embedded in a development methodology. But that's not something we sell or market separately; we just work with customers on products and services, and so in some cases it's not well understood.

>> Yeah. Well, we're talking, of course, about the state of the penguin. I think it's important for people to understand Oracle got into the Linux game in the 90s, maybe the latter part of the 90s, and Oracle, of course, wants to make Linux... wants to make Oracle, its applications and database, run better on Linux. But as you're pointing out, your Linux distro, full support, end-to-end, thousands of people in your open source community, and the contributions that you make to Linux, many if not most, they go upstream, everybody can benefit from those. But of course you want an Oracle distro that is going to make Oracle stuff run better; that's always kind of been the Oracle way.

>> Well, so, yes, two things though. One is, so everything we do is upstream. So we have no Linux patches that are not contributed upstream; there's no proprietary code in Oracle Linux at all. It's all completely open, publicly available: the source code, the change log, all the commits. It's fully open and public, which sometimes is not well understood, but it's completely open. And everything we do in terms of feature development or functionality or bug fixes goes upstream to the Linux kernel mailing list. It's actually the only way to be able to manage a Linux distribution and be a Linux vendor: to live in that ecosystem. Otherwise, the cost of maintaining your own fork, so to speak, is very high, and it doesn't really solve the problem. Now, the functionality we work on obviously is focused on making Oracle products run better, making Oracle Cloud run better, and so forth. However, again, what's important to understand, though, is an Oracle database is a program running on an operating system. It does I/O, it does networking, it deals with memory management, lots of processing. So, for the most part, the things that we work on to improve that help everyone out, right? It helps every other database run better, or helps every other language run better. So none of these changes are specific to Oracle; they're just things that we found doing performance benchmarks and testing and so forth, where we say, "Hey, if Linux did the following, it would make boot-up faster." Now, boot-up has nothing to do with the database. But our customers run on 1-terabyte, 4-terabyte, 8-terabyte systems, and so booting up, and Linux starting up and cleaning up memory, takes a long time. So we want to reduce that from an availability point of view. So here, we're now talking about just enterprise for you. So there's this broad set of things we work on that definitely help us, but they're actually really completely generic and help everyone out.

>> Yeah, that's great. So I wanted to kind of get that out of the way and help our audience understand that. So let's get into it a little bit. What are you seeing, what's going on in IT? Pick your observation space and your vision of what you see happening out there.

>> Well, you know, it's very interesting. There's sort of two worlds, right: there's the cloud world and the move to cloud, and there's the on-premises world, where people run their systems on their own. And one of the things that we've learned is, when you talk about machine learning, obviously, it's something that's very popular these days, and automation. And so in order to rely on machine learning well, and have algorithms that are very effective, you need lots of data. And so being a cloud vendor, and having Linux in our cloud on tens of thousands, or hundreds of thousands of servers, or more, allows us to have a view of how an operating system works across an incredibly large scale. So we get lots of data.
And so for us to figure out which algorithms work well, in terms of how can we do network optimizations, how can we discover anomalies on the storage side and deal with it and so forth, we can do that at scale. And what's interesting is, how do we then bring that on-prem? Well, if we can get the data and the learning done, the training done, in our cloud directly, then when we provide that service also for people running Oracle Linux on premises, then that will work. The alternative is to have point solutions where you provide something to a customer, and he needs to learn something from small amounts of data. That doesn't work so well. So I think having both worlds, on-prem and cloud directly, allows us to kind of benefit from that. And I think that's important, because lots of customers are interested in going to cloud. Many of the enterprises have not yet. You know, they're starting, but there's still a huge on-premises space that's important. And so by being able to get them familiar with how these things work at scale, autonomy is again important, right, Autonomous Database is incredibly popular and so forth, that allows us to then say, "Here, try these things out here, it's a service. We can show you the benefits right away," and then as that improves we bring that, to a certain extent, on-premises as well. And then they can have it in both places. And that, I think, is something, again, that's relatively unique but also very important: that we want to provide services and products that act similarly on-premises as well as in cloud, because at some point when people move, we want to make that transition seamless. And what you have today, for the most part, is one world that's on-prem, and then the cloud world is completely different. And that is a big barrier to moving, and so we want to reduce that. We can run the same operating system locally as well as in cloud, you get the same functionality, and then that helps transition people over much more easily.

>> Yeah, well, Oracle actually was one of the... I think Oracle was the first company to actually market same-same; you actually used that term. Others put forth that concept, but Oracle was the first to announce products like Cloud at Customer that were same-same. Now, it took some time to actually get it perfected and get it to market, but the point is, and we've written about this, Oracle, because of the ascendancy of cloud, flipped and has a cloud-first mentality, and you just kind of referenced that. You just said, "And you can bring that to on-prem." So I wonder if you could talk about that cloud-first mentality and the impact on hybrid.

>> So yeah, I think the cloud-first part is, of course, in cloud we work on services more so than products that we deliver. And there's a number of things that are happening. So one is that we obviously continue to provide products to customers: you can download Oracle Linux, you can download the database and whatnot, you can install it on your own, you can do the traditional way of working. Then in the cloud world, what typically happens is, "Oh, I use a database service. I'm not installing anything, I push a button and I get an IP address and a SQL that connects extremely quickly to the database." And we take care of everything underneath that database. Now, in order to do that, you need a whole infrastructure in place: you need logging agents, you need a back end that captures all that stuff, you need monitoring tools, you need all the automation scripts for bringing the service up and monitoring it. And so that takes a lot of time to do right, and we learn a lot by doing this. And so the cloud-first part of these services means that we get to experience this ourselves with direct access to everything. Now, taking that service with all of the additional features, like autonomy, and bringing that to an on-premises world, we have to make sure we can package that so that all these pieces around it go along with it. And that takes a little bit more time, so we can do everything at the same time. And so what we've done with Autonomous Database is we created everything in Oracle Cloud, we have the whole system running really well, and then we've been able to sort of package that and shrink it into something that can be installed on-premises, but then connected into Oracle Cloud again. And so that way we can get all the telemetry over the metrics, and that allows us to scale. Because part of providing a cloud service that runs on-prem in the customer environment is that we need to be able to remotely manage that, similar to how that runs in our own cloud. Right, otherwise it doesn't scale. And so that takes a little bit of time, but we've done all that work, and now with Cloud at Customer Database that's really in place.

>> Yeah, you really want to have that same cloud experience, whether on-prem, in the public cloud, hybrid, et cetera. So, I want to explore a little bit more who is using Oracle Linux, and what's the driver for using it. Can you describe maybe some of the types of customers and why they buy?

>> Sure, so we started this fourteen years ago, in 2006, October 25th, 2006. I remember that day very well: penguins on stage and a big launch for Oracle Linux in San Francisco Moscone Center. So, look, the initial driver for Oracle Linux was to ensure that Oracle database customers, or Oracle product customers, had a good operating system experience, and the ability to be able to handle critical issues when they occur, because typically a database runs the company's critical data; the most essential stuff that a company has is typically in a database, an Oracle database. And so when that thing has issues with the operating system, you don't want to just talk to multiple vendors and have finger-pointing, and have to explain to an operating system vendor how the database works. In the Unix world, we had a good relationship with the OS vendors, and the hardware vendors; they were the same. And they knew our products really well, and in the Linux world, that was very different. The OS vendor basically did not want to understand or learn anything about the products living on top. And so while to a certain extent that makes sense, it's an enterprise world where time is of the essence, and downtime needs to be limited absolutely. We can't have these arguments and such. And that was the driver, initially, for doing Oracle Linux. It was to ensure there was a Linux distribution really backed by us, that we could fix, that we could fully support. That was completely the original intent. And so the early customer base was database customers. Database and middleware. Mostly database. But that has then evolved quickly, and so what happened was, people say, "Look, I have a thousand servers, a hundred run Oracle, so we'll run Oracle Linux on those hundred, and we'll run something else on those other nine hundred." Now, after a year or so, they realize that our support is really good; we fix all these issues, and so then they're like, "Why are we having two Linux distributions? This thing works really well, it runs any application, it's fully compatible, so we'll do a thousand with Oracle Linux." And so the early days, the first few years, was definitely Oracle Database as the core driver, and then it sort of expanded to the rest of the estate. And over the years, we've added lots of features and functionality, like Ksplice, and so forth. We have an attractive pricing model for running on servers, and so now lots of our customers have a very small Oracle percentage running and many other things running. So it's really become an all-or-nothing play in the Linux space, and we're well known now, so it's actually very good.

>> You just mentioned Ksplice. We've been talking about cloud, and on-prem, and hybrid.
Let's talk about security, because security really is a differentiator, particularly if you're going to start to put stuff in the cloud. Talk about Ksplice specifically, but generally security and your policy there. >> So, "Security first" is sort of what you hear us say and do, in everything we do. The database obviously security, on the Linux site security matters. Ksplice as a technology is there to do critical bug-fixing and make sure that we can apply security vulnerability fixes without affecting the customer, and not have downtime. And if you look at most of the cases or many of the cases where you have security vulnerabilities and exploits, it tends to be because systems were not patched. Why were they not patched? Well not that our customer doesn't understand that it's important, but it's a whole train of events that needs to happen. You have to, you get notified that there's a security issue in your operating system or application. Then, well, an application typically means it's a multi-layered setup. So if you have to bring your database server down, then you first have to coordinate with the application users to bring the app server down, cause that talks to the database. So to patch one system, you basically have to bring down the whole application stack. You have to negotiate with the DBAs, you have to negotiate with the app admins, you have to negotiate with the user. It takes weeks to do that and find time. Well during that time, you're vulnerable. So the only way, really, to address security in a scalable and reducing that window of time is to do it without affecting the customer. And so Casewise is something that, it's a company we acquired in 2009, and have since evolved in terms of capabilities, and so it allows us to patch the Linux terminal without downtime. We lock the kernel for 8 microseconds. It's literally no downtime. You don't have to bring down applications, the user doesn't see it, there's no hang, there's no delay. 
And so by doing that, you can run a Linux operating system, or gLinux, and you can be fully patched on a system that hasn't rebooted for 3 years. You don't even know it. And so by doing that type of stuff, it makes customers more secure, and it avoids them-- It saves them a lot of money in terms of dealing with project management and so forth, but it really keeps them secure. And so we do that for the Linux kernel, we do that for some of the libraries on top that are critical like OpenSSL and 2 LVC, and, you know one example-- I can give you two examples. So one example is, Heartbleed was this bug in OpenSSL a number of years ago. And so everyone had to patch their SSH server. And that meant, basically, systems around the world had to reboot. Like a whole IT reboot across the world. With Ksplice today, if Heartbleed were to happen tomorrow, we would be able to patch this online for all the Oracle Linux customers without any downtime. No reboots, no restarting of applications, everything keeps running. The amount of money saved would be massive, and also, of course, the headache. Another example is, and this was in Oracle Cloud, when some of these CPU bugs that happened a few years ago that were rather damaging on the cloud side, where you could basically see memory potentially of other CPUs running, the cloud is incredibly critical. We were basically able to basically patch our entire cloud in four hours. And the customer didn't know, right, a hundred and twenty million patches, or something, that we applied within four hours, all online, without any downtime. And so that technology has been really helpful, both for us to run our cloud, but the exact same patches and same fixes go to customers on-premises as well. But this comes back to the whole, what we do in cloud we also do for customer. And I think that's a unique thing that we have at Oracle which is quite fascinating. 
The operating system we run for our customers, the operating system that's the host part of VMs, is the exact same binary and source code that we make available, just to be clear, the exact same binaries are the ones that you run as a customer on-premises. So if you run Oracle Linux with KVM, you run VMs, you're actually running the exact same stuff as we run underneath our customer's stuff. Nobody else does that, everyone else has a black box. So I think that helps a little bit with transparency as well. >> Yeah, and that homogeneity just creates an environment, you're talking about that sort of security mindset, it's critical, you're not just bolting it on, it's part of the culture. But you started your career, and then of course you were a Linux person when you came to Oracle, but then I think you spent some time in database, back in the day when there were serious database wars going on, before Oracle became the king of database. So now you've got, obviously, this great portfolio, and a lot of really sharp software developers; What should we expect going forward, from Oracle? What should we look for? >> You know, I was talking to some, I was welcoming some interns to the company, for their summer internship yesterday, and one of the things I mentioned to them was that -- so cloud obviously gives us a lot of opportunities, but there's a number of things. One is, we have such a breadth of applications and software and hardware together. We have the servers, we have the storage, we have the operating systems, we have the database layer and so forth, and we have the cloud side, and one of the great opportunities, and I think we've shown a lot of this happening with the ability to create something like Autonomous Database, is to combine all these things. Right, we have such a broad portfolio of really cool technology that by itself is okay, but if you combine the things it really becomes awesome. 
You cannot create autonomous database without having autonomous learning. You cannot create those two and make them really safe without also controlling the firmware on the hardware and so forth. So by being able to combine all these layers, and by having a really great relationship across the teams within the company, that opens up a lot of opportunities to do stuff really quickly. And having the scale for that. I think that has been, for the last few years, a really great thing, but I can see that being one of the advantages that we have going forward. We have Oracle Fusion Applications, which is incredibly popular, and has great growth, and then we have that running on Oracle Cloud, that talks to Oracle Autonomous Database, so we bring all these pieces together. And no other SaaS vendor can do that, because they don't have these other pieces. They have one area, we have all of them. And so that's the exciting part for me, it's not so much about making my own world better, and having Linux be better, and Casewise and so forth, which is important, but that becoming part of the bigger picture. And that's the exciting part. >> Well, Oracle's always invested in RND, we've made that point many, many times. Whether it's database, you know Fusion was a painful but worthy effort, the whole public cloud piece, obviously many acquisitions, but the investments that you've made in open-source as well, Wim, you're a great spokesperson, and a great representative of the open-source community generally, and then Oracle specifically, so thanks very much for coming on theCUBE and sharing with us the state of the penguin, and best of luck. >> You're welcome. Thank you, thanks for having me. >> Alright, and thank you for watching, everybody. This is Dave Vellante for theCUBE. We'll see you next time. (cheerful music).
Wim Coekaerts, Oracle
>> From theCUBE studios in Palo Alto and Boston, connecting with thought-leaders all around the world, this is a Cube Conversation. >> Hi everybody, this is Dave Vellante. Welcome to this Cube Conversation. We're really excited to have Wim Coekaerts in, he is the senior vice-president of software development at Oracle. Wim, it's great to have you on, and, you know I often say I wish we were face-to-face but if we were you'd have to cut off my tie, cause developers and ties just don't go together. >> No, I know, and this is my normal outfit, so this is me wherever I go. Hi again, good to see you. >> Yeah, great to see you. So, of course, you know a lot of people are confused about Oracle, and open-source, they say "Oracle? Open-source? What is that all about?" But I think you're misunderstood. People don't, first of all, realize you as the leader of the software-development community inside of Oracle, I mean, you've been involved in Linux since the early 90s. But you guys have a lot of committers, you do a lot. I want to talk about that. What is up with Oracle, and open-source? >> Ah, well, it's a broad question. So, you know, a couple of things. One is, we have many different areas within the company that are dealing with open-source. So we have the cloud team doing a lot of stuff around cloud SDKs and support for different languages like Python and Go, and of course Java and so forth, so they do a lot around ensuring that the Oracle ecosystem is integrated in the open-source tools that customers use, or developers use, Terraform companies and so forth. And then you have the Java team, and so forth. Java is open-source and then the Graal project, GraalVM which is a polyglot compiler that can run Java, and Python, and Javascript and so forth together in one VM, do really cool optimizations, that's an open-source project, also on GitHub. 
There's of course MySQL, which is along with Java, they're probably the two most popular and widely used open-source projects out there. There's VirtualBox which is of course also a very popular project that's open-source. There's all the work we do around Linux. And I think one of the things is that, when you have so many different areas, doing things that are for that area, then as a developer or as a customer, you typically just deal with that group. And what you see is, oh you're talking to the Java developers, so you know what's going on around Java. The Java developers might not necessarily say, "Oh well we also do MySQL, and we do Linux and VirtualBox and so forth," and so you get a rather myopic, narrow view of the larger company. When you add all these things up, and there will be one big slide that says "This is Oracle, these are all these open source projects," and there's multiple ways. One is, we have projects that we've open-sourced and all the code came from us and we made it publicly available, we're the main contributor and we get contributions back. There are other projects where we contribute to third-party in terms of enhancing things, like I said with the Cloud Team, and then in general something like Linux where we're part of an external project and we participate in development of that project at large. And so there's these three different ways, when you count up all the developers that we have that deal with open-source on a daily basis. And in terms of contributions, in terms of bug fixes, testing, and so forth, it's thousands, literally, full-time paid developers. And of course, all the projects are all either on GitHub or similar sites that are very popular. So yeah, I think the misunderstood is probably a lack of knowledge of the breadth of what we do. And, you know, our primary goal is to provide services and products to customers, and so the open-source part is sort of embedded in a development methodology. 
But that's not something we sell or market separately, we just work with customers and products and services, and so in some cases it's not well-understood. >> Yeah. Well, we're talking of course, we're talking about the state of the penguin, I think it's important for people to understand, Oracle got into the Linux game in the 90s, maybe the latter part of the 90s and Oracle, of course, wants to make Linux-- wants to make Oracle, its applications and database run better on Linux, but as you're pointing out, your Linux distro, full support, end-to-end, thousands of people in your open-source community, and the contributions that you make to Linux, many if not most, they go upstream, everybody can benefit from those, but of course you want an Oracle distro that is going to make Oracle stuff run better, that's always kind of been the Oracle way. >> Well, so, yes, two things though. One is, so everything we do is upstream. So we have no Linux patches that are not contributed upstream; There's no proprietary code in Oracle Linux at all, it's all completely open, publicly available: the source code, the change log, all the commits, it's fully open and public, which sometimes is not well-understood, but it's completely open. And, everything we do in terms of feature development or functionality or bug fixes goes upstream to the Linux kernel mailing list. It's actually, it's the only way to be able to manage a Linux distribution and be a Linux vendor is to live in that eco-system. Otherwise, the cost of maintaining your own fork, so to speak, is very high and it doesn't really solve the problem. Now, the functionality we work on obviously is focused on making Oracle products run better, making Oracle Cloud run better, and so forth. However, again, what's important to understand, though, is an Oracle database is a program running on an operating system. It does IO, it does networking, it deals with memory management, lots of processing. 
So, for the most part, the things that we work on to improve that helps everyone out, right? It helps every other database run better, or helps every other language run better. So none of these changes are specific to Oracle, they're just things that we found doing performance benchmarks and testing and so forth, where we say "Hey, if Linux did the following, it would make boot-up faster. Now boot-up has nothing to do with the database. But our customers run on 1-terabyte, 4-terabyte, 8-terabyte systems, and so booting up, and Linux starting up, and cleaning up memory takes a long time. So we want to reduce that from an availability point of view. So here, we're now talking about just enterprise for you. So there's this broad set of things we work on that definitely help us, but they're actually really completely generic and help everyone out. >> Yeah, that's great. So I wanted to kind of get that out of the way and help our audience understand that. So let's get into it a little bit; What are you seeing, what's going on in IT, pick your observation space and your vision of what you see happening out there. >> Well, you know, it's very interesting, it's sort of, there's two... there's sort of two worlds, right, there's the cloud world and the move to cloud, and there's the on-premises world, where people run their systems on their own. And, one of the things that we've learned is, when you talk about machine-learning, obviously, is something that's very popular these days, and automation. And so in order to rely on machine-learning well, and have algorithms that are very effective, you need lots of data. And so being a cloud vendor, and having Linux in our cloud on tens of thousands, or hundreds of thousands of servers, or more, allows us to have a view of how an operating system works across an incredibly large scale. So we get lots of data. 
And so for us to figure out which algorithms work well in terms of how can we do network optimizations, how can we discover anomalies on the storage side, and deal with it and so forth, we can do that at scale. And what's interesting is, how do we then bring that on-prem? Well, if we can get the data and the learning done, the training done, in our cloud directly, then when we provide that service also for people running Oracle Linux on premises then that will work. The alternative is to have point solutions where you provide something to a customer, and he needs to learn something from small amounts of data. That doesn't work so well. So I think having both worlds, on-prem and cloud directly, allows us to kind of benefit from that. And I think that's important, because lots of customers are interested in going to cloud. Many of the enterprises have not yet. You know, they're starting, but there's still a huge on-premises space that's important. And so by being able to get them familiar with how these things work at scale, autonomy is again important, right, Autonomous Database is incredibly popular and so forth, that allows us to then say, "Here, try these things out here, it's a service. We can show you the benefits right away," and then as that improves we bring that, to a certain extent, on-premises as well. And then they can have it in both places. And that, I think, is something, again, that's relatively unique but also very important, is that we want to provide services and products that act similarly on-premises as well as in cloud, because at some point when people move we want to make that transition seamless. And what you have today for the most part is one world that's on-prem, and then the cloud world is completely different. And that is a big barrier of moving, and so we want to reduce that, we can run the same operating system local as well as cloud, you get the same functionality, and then that helps transition people over much easier. 
>> Yeah, well Oracle actually was one of the -- I think Oracle was the first company to actually market same-same, you actually used that term. Others put forth that concept, but Oracle was the first to announce products like Cloud at Customer, that were same-same, now it took some time to actually get it perfected, and get it to market, but the point is, and we've written about this, is Oracle, because of the ascendancy of cloud, flipped and has a cloud-first mentality, and you just kind of referenced that, you just said, "And you can bring that to on-prem." So I wonder if you could talk about that cloud-first mentality, and the impact on hybrid. >> So yeah, I think the cloud-first part is of course in cloud we work on services more so than products that we deliver. And there's a number of things that are happening. So one is that we obviously continue to provide products to customers, you can download Oracle Linux, you can download the database and whatnot, you can install it on your own, you can do the traditional way of working. Then in the cloud-world, what typically happens is "Oh, I use a database service. I'm not installing anything, I push a button and I get an IP address and a SQL that connects extremely quickly to the database." And we take care of everything underneath that is on this database. Now, in order to do that, you need a whole infrastructure in place, you need logging agents, you need a back-end that captures all that stuff, you need monitoring tools, you need all the automation scripts for bringing the service up and monitor it. And so, that takes a lot of time to do right, and we learn a lot by doing this. And so the cloud-first part of these services means that we get to experience this ourselves with direct access to everything. Now taking that service with all of the additional features like autonomy, and bringing that to an on-premises world, we have to make sure we can package that so that all these pieces around it go along with it. 
And that takes a little bit more time, so we can do everything at the same time. And so what we've done with Autonomous Database is we created everything in Oracle Cloud, we have the whole system running really well, and then we've been able to sort of package that and shrink it into something that can be installed on-premises, but then connected into Oracle Cloud again. And so that way we can get all the telemetry over the metric, and that allows us to scale. Because part of providing a cloud service that runs on-prem in the customer environment is that we need to be able to remotely manage that similar to how that runs in our own cloud. Right, otherwise it doesn't scale. And so that takes a little bit of time, but we've done all that work, and now with Cloud at Customer Database that's really in place. >> Yeah, you really want to have that same cloud experience, whether with on-prem, in the public cloud, hybrid, et cetera. So, I want to explore a little bit more who is using Oracle Linux, and what's the driver for using it. Can you describe maybe some of the types of customers and why they buy? >> Sure, so we started this fourteen years ago, in 2006, October 25th, 2006. I remember that day very well; Penguins on stage and a big launch for Oracle Linux in San Francisco Moscone Center. So, look, the initial driver for Oracle Linux was to ensure that Oracle database customers or Oracle product customers had a good operating system experience, and the ability to be able to handle critical issues when that occurs, because typically a database runs the company's critical data: the most essential stuff that a company has is typically in a database, an Oracle database. And so when that thing has issues with the operating system, you don't want just to talk to multiple vendors and have finger-pointing, and having to explain to an operating system vendor how the database works. 
In the Unix world, we had a good relationship with the OS vendors, and the hardware vendors, they were the same. And they knew our products really well, and in the Linux world, that was very different. The OS vendor basically did not want to understand or learn anything about the products living on top. And so while to a certain extent that makes sense, it's an enterprise world where time is of the essence, and downtime needs to be limited absolutely. We can't have these arguments and such. And that was the driver, initially, for doing Oracle Linux. It was to ensure there was a Linux distribution really backed by us, that we could fix, that we could fully support. That was completely the original intent. And so the early customer base was database customers. Database and middleware. Mostly database. But that has then evolved quickly, and so what happened was, people say "Look, I have a thousand servers, a hundred run Oracle, so we'll run Oracle Linux on those hundred, and we'll run something else on those other nine-hundred." Now after a year or so, they realize that our support is really good; We fix all these issues, and so then they're like "Why are we having two Linux distributions? This thing works really well, it runs any application, it's fully compatible, so we'll do a thousand with Oracle Linux." And so the early days, the first few years, was definitely Oracle Database as the core driver, and then it sort of expanded to the rest of the estate. And over the years, we've added lots of features and functionality, like Ksplice, and so forth. We have an attractive pricing model for running on servers, and so now lots of our customers have a very small Oracle percentage running and many other things running. So it's really become an all-or-nothing play in the Linux space, and we're well-known now, so it's actually very good. >> You just mentioned Ksplice. We've been talking about cloud, and on-prem, and hybrid. 
Let's talk about security, because security really is a differentiator, particularly if you're going to start to put stuff in the cloud. Talk about Ksplice specifically, but generally security and your policy there. >> So, "Security first" is sort of what you hear us say and do, in everything we do. The database obviously security, on the Linux side security matters. Ksplice as a technology is there to do critical bug-fixing and make sure that we can apply security vulnerability fixes without affecting the customer, and not have downtime. And if you look at most of the cases or many of the cases where you have security vulnerabilities and exploits, it tends to be because systems were not patched. Why were they not patched? Well not that our customer doesn't understand that it's important, but it's a whole train of events that needs to happen. You have to, you get notified that there's a security issue in your operating system or application. Then, well, an application typically means it's a multi-layered setup. So if you have to bring your database server down, then you first have to coordinate with the application users to bring the app server down, cause that talks to the database. So to patch one system, you basically have to bring down the whole application stack. You have to negotiate with the DBAs, you have to negotiate with the app admins, you have to negotiate with the user. It takes weeks to do that and find time. Well during that time, you're vulnerable. So the only way, really, to address security in a scalable and reducing that window of time is to do it without affecting the customer. And so Ksplice is something that, it's a company we acquired in 2009, and have since evolved in terms of capabilities, and so it allows us to patch the Linux kernel without downtime. We lock the kernel for 8 microseconds. It's literally no downtime. You don't have to bring down applications, the user doesn't see it, there's no hang, there's no delay. 
And so by doing that, you can run a Linux operating system, or gLinux, and you can be fully patched on a system that hasn't rebooted for 3 years. You don't even know it. And so by doing that type of stuff, it makes customers more secure, and it avoids them-- It saves them a lot of money in terms of dealing with project management and so forth, but it really keeps them secure. And so we do that for the Linux kernel, we do that for some of the libraries on top that are critical like OpenSSL and glibc, and, you know one example-- I can give you two examples. So one example is, Heartbleed was this bug in OpenSSL a number of years ago. And so everyone had to patch their SSH server. And that meant, basically, systems around the world had to reboot. Like a whole IT reboot across the world. With Ksplice today, if Heartbleed were to happen tomorrow, we would be able to patch this online for all the Oracle Linux customers without any downtime. No reboots, no restarting of applications, everything keeps running. The amount of money saved would be massive, and also, of course, the headache. Another example is, and this was in Oracle Cloud, when some of these CPU bugs that happened a few years ago that were rather damaging on the cloud side, where you could basically see memory potentially of other CPUs running, the cloud is incredibly critical. We were basically able to basically patch our entire cloud in four hours. And the customer didn't know, right, a hundred and twenty million patches, or something, that we applied within four hours, all online, without any downtime. And so that technology has been really helpful, both for us to run our cloud, but the exact same patches and same fixes go to customers on-premises as well. But this comes back to the whole, what we do in cloud we also do for customer. And I think that's a unique thing that we have at Oracle which is quite fascinating. 
The operating system we run for our customers, the operating system that's the host part of VMs, is the exact same binary and source code that we make available, just to be clear, the exact same binaries are the ones that you run as a customer on-premises. So if you run Oracle Linux with KVM, you run VMs, you're actually running the exact same stuff as we run underneath our customer's stuff. Nobody else does that, everyone else has a black box. So I think that helps a little bit with transparency as well. >> Yeah, and that homogeneity just creates an environment, you're talking about that sort of security mindset, it's critical, you're not just bolting it on, it's part of the culture. But you started your career, and then of course you were a Linux person when you came to Oracle, but then I think you spent some time in database, back in the day when there were serious database wars going on, before Oracle became the king of database. So now you've got, obviously, this great portfolio, and a lot of really sharp software developers; What should we expect going forward, from Oracle? What should we look for? >> You know, I was talking to some, I was welcoming some interns to the company, for their summer internship yesterday, and one of the things I mentioned to them was that -- so cloud obviously gives us a lot of opportunities, but there's a number of things. One is, we have such a breadth of applications and software and hardware together. We have the servers, we have the storage, we have the operating systems, we have the database layer and so forth, and we have the cloud side, and one of the great opportunities, and I think we've shown a lot of this happening with the ability to create something like Autonomous Database, is to combine all these things. Right, we have such a broad portfolio of really cool technology that by itself is okay, but if you combine the things it really becomes awesome. 
You cannot create autonomous database without having autonomous learning. You cannot create those two and make them really safe without also controlling the firmware on the hardware and so forth. So by being able to combine all these layers, and by having a really great relationship across the teams within the company, that opens up a lot of opportunities to do stuff really quickly. And having the scale for that. I think that has been, for the last few years, a really great thing, but I can see that being one of the advantages that we have going forward. We have Oracle Fusion Applications, which is incredibly popular, and has great girth, and then we have that running on Oracle Cloud, that talks to Oracle Autonomous Database, so we bring all these pieces together. And no other SaaS vendor can do that, because they don't have these other pieces. They have one area, we have all of them. And so that's the exciting part for me, it's not so much about making my own world better, and having Linux be better, and Casewise and so forth, which is important, but that becoming part of the bigger picture. And that's the exciting part. >> Well, Oracle's always invested in RND, we've made that point many, many times. Whether it's database, you know Fusion was a painful but worthy effort, the whole public cloud piece, obviously many acquisitions, but the investments that you've made in open-source as well, Wim, you're a great spokesperson, and a great representative of the open-source community generally, and then Oracle specifically, so thanks very much for coming on theCUBE and sharing with us the state of the penguin, and best of luck. >> You're welcome. Thank you, thanks for having me. >> Alright, and thank you for watching, everybody. This is Dave Vellante for theCUBE. We'll see you next time. (cheerful music).
SUMMARY :
the world, this is a Cube Conversation. Wim, it's great to have you on, is my normal outfit, so So, of course, you know a lot of people and so the open-source part is sort of and the contributions the things that we work on to improve that get that out of the way and the move to cloud, and get it to market, but the point is, And so that way we can in the public cloud, hybrid, et cetera. And so the early customer to put stuff in the cloud. and also, of course, the headache. back in the day when there We have the servers, we have the storage, acquisitions, but the investments Alright, and thank you
SENTIMENT ANALYSIS :
ENTITIES
Entity | Category | Confidence |
---|---|---|
Dave Vellante | PERSON | 0.99+ |
Oracle | ORGANIZATION | 0.99+ |
2009 | DATE | 0.99+ |
2006 | DATE | 0.99+ |
3 years | QUANTITY | 0.99+ |
Boston | LOCATION | 0.99+ |
two examples | QUANTITY | 0.99+ |
1-terabyte | QUANTITY | 0.99+ |
8 microseconds | QUANTITY | 0.99+ |
Palo Alto | LOCATION | 0.99+ |
two | QUANTITY | 0.99+ |
one example | QUANTITY | 0.99+ |
8-terabyte | QUANTITY | 0.99+ |
Wim Coekaerts | PERSON | 0.99+ |
Java | TITLE | 0.99+ |
Javascript | TITLE | 0.99+ |
4-terabyte | QUANTITY | 0.99+ |
tens of thousands | QUANTITY | 0.99+ |
Python | TITLE | 0.99+ |
Linux | TITLE | 0.99+ |
San Francisco Moscone Center | LOCATION | 0.99+ |
October 25th, 2006 | DATE | 0.99+ |
MySQL | TITLE | 0.99+ |
thousands | QUANTITY | 0.99+ |
four hours | QUANTITY | 0.99+ |
OpenSSL | TITLE | 0.99+ |
first | QUANTITY | 0.99+ |
yesterday | DATE | 0.99+ |
One | QUANTITY | 0.99+ |
Heartbleed | TITLE | 0.99+ |
one | QUANTITY | 0.98+ |
two things | QUANTITY | 0.98+ |
hundreds of thousands | QUANTITY | 0.98+ |
nine-hundred | QUANTITY | 0.98+ |
tomorrow | DATE | 0.98+ |
both | QUANTITY | 0.98+ |
gLinux | TITLE | 0.98+ |
today | DATE | 0.98+ |
GitHub | ORGANIZATION | 0.98+ |
fourteen years ago | DATE | 0.98+ |
Oracle Cloud | TITLE | 0.97+ |
Wim Coekaerts, Oracle | CUBE Conversation, May 2020
>> Announcer: From theCUBE Studios in Palo Alto and Boston, connecting with thought leaders all around the world. This is a Cube Conversation. >> Hi everybody, this is Dave Vellante and welcome to this Cube Conversation. Really excited to have Wim Coekaerts and he is the senior vice president of software development at Oracle. Wim, it's great to have you on. And you know what I often say I wish we were face to face but if we were you'd have to cut off my tie 'cause developers and ties just don't go together. >> No, I know, and this is my normal outfit so this is me, wherever I go. Hi again, good to see you. >> Yeah, great to see you. So of course, you know a lot of people are confused about Oracle and open source. They say, Oracle, open source? What is that all about? But I think you misunderstood. People don't first of all realize you as the leader of the software development community inside of Oracle, I mean, you've been involved in Linux since the early '90s but you guys have a lot of committers. You do a lot, I want to talk about that. What is up with Oracle and open source? >> Well, it's a broad question. So you know, a couple of things. One is we have many different areas within the company that are dealing with open source, right? So we have the cloud team doing a lot of stuff around the cloud SDKs and support for different languages like Python and go and of course Java and so forth. So they do a lot around ensuring that the Oracle ecosystem is integrated in the open source tools that customers use, or developers use Terraform, so on and so forth. And then you have the Java team, and so of course Java is open source. And then, the Graal project, GraalVM, which is a polyglot compiler that run Java and Python and JavaScript and so forth together in one VM, do really cool optimizations, that's an open source project. 
Also on GitHub, there's of course MySQL which is along with Java, they're probably the two most popular and widely used open source projects out there. There's VirtualBox which is of course also a very popular project that's open source. And then there's all the work we do around Linux. And I think one of the things is that when you have so many different areas doing things that are for that area, then as a developer or as a customer, you typically just deal with that group and what you see is, oh, you're talking to the Java developers so you know what's going on around Java. The Java developers might not necessarily say, oh, and we also do MySQL and we do Linux and VirtualBox and so forth. And so you get sort of a rather myopic narrow view of the larger company. When you add all these things up and there would be one big slide that says, "This is Oracle, these are all these open source projects there". And there's multiple ways, right? One is we have projects that we've opened sourced and all the code came from us and we made it publicly available. We are the main distributor and we get contributions back. There are other projects where we contribute to third party in terms of enhancing things, like a separate the cloud team. And then in general, something like Linux where, you know, we're part of an external project and we participate in the development of that project at large. And so there's these three different ways when you count up all the developers that we have that deal with open source on a daily basis and in terms of contributions, in terms of both fixes, testing and so forth, it's thousands, literally, full time developers. And of course all the projects is on GitHub or similar sites that are very popular. So yeah, I think the misunderstanding is probably a lack of knowledge of the breadth of what we do. And our primary goal is to provide services and products to customers. 
And so the open source part is sort of embedded in the development methodology, but that's not something we sell or market separately. We just work with customers and products and services. And so in some cases it's not well understood. >> Yeah, well, we're talking, of course we're talking about the state of the Penguin. I think it's part of what people understand. I mean, Oracle got into the Linux game, in the '90s, maybe the latter part of the '90s and Oracle of course wants to make Linux, wants to make Oracle its applications and database run better on Linux. But as you're pointing out you're Linux distro, full support, end-to-end, thousands of people in your open source community and the contributions that you make to Linux, many if not most, they go upstream, everybody can benefit from those. But of course you want an Oracle distro that is going to make Oracle stuff run better. That's always kind of been the Oracle way. >> Well, so yes, two things. The one is that, so everything we do is upstream. So we have no Linux patches that are not contributed upstream. There's no proprietary code in Oracle Linux at all. It's all completely open, publicly available. The source code, the change log, all the commits, everything. It's fully open and public, which sometimes is not well understood, but it's completely open. And everything we do in terms of feature development or functionality or bug fixes goes upstream to the Linux kernel mailing lists. It's actually, it's the only way to be able to manage a Linux distribution and be a Linux vendor is to live in that ecosystem. Otherwise, the cost of maintaining your own forks so to speak is very high and it doesn't really solve problems. Now the functionality we worked on obviously is focused on making Oracle products run better, making Oracle cloud run better and so forth. 
However, again, what's important to understand though is an Oracle database is a program running on an operating system that does IO, it does networking, it does memory, it deals with memory management, lots of processes. So for the most part, the things we work on to improve that, helps everyone out, right? It helps every other database run better or it helps every other language run better. So none of these changes are specific to Oracle. They're just things that we found doing performance benchmarks and testing and so forth. But we say, "Hey, if Linux did the following, it would make boot up fast." Now boot up has nothing to do with the database. But if our customers run on one terabyte, four terabyte, eight terabyte systems, and so booting up and Linux starting up and cleaning up memory takes a long time. So we want to reduce that from an availability point of view. So here we're now talking about just enterprise, right? And so there's this broad set of things we work on that definitely help us, but they're actually really completely generic and help every customer. >> Yeah, that's great, good. So I wanted to kind of get that out of the way and help our audience understand it. So let's get into it a little bit. What are you seeing, what's going on in IT? Pick your observation space and your vision of what you see happening out there? >> Well it's very interesting. There's sort of two worlds, right? There's the cloud world and move to cloud and there's the on-premise world where people run their systems on their own. And one of the things that we've learned is, when you talk about machine learning obviously is something that's very popular these days and automation. And so in order to rely on machine learning well and have algorithms that are very effective, you need lots of data. 
And so being a cloud vendor and having Linux in our cloud on tens of thousands or hundreds of thousands of servers or more allows us to have a view of how an operating system works across incredibly large scale. So we get lots of data and so for us to figure out which algorithms work well in terms of, how can we do network customizations, how can we discover anomalies on the storage side and deal with it and so forth, we can do that at scale. And what's interesting is how do we then bring that to on-prem? Well, if we can get the data and the learning done the training done in our cloud directly, then when we provide that service also to people running Oracle Linux on-premises, then that will work. The alternative is to have point solutions where you provide something to a customer and he needs to learn something from small amounts of data. That doesn't work so well. So I think having both worlds on-prem and cloud directly allows us to kind of benefit from that. And I think that's important because lots of customers are interested in going to cloud. Many of the enterprises have not yet, you know, they're starting, but there's still a huge on-premises space that's important. And so by being able to get them familiar with how these things work at scale, autonomy is again important, right? Autonomous database is incredibly popular and so forth. That allows us to then say, "Here, try these things out here. "It's a service, we can show you the benefits right away". And then as that improves, we bring that on to a certain extent on-premise as well and then they can have it in both places. And that I think is something, again, that's relatively unique but also very important is that we want to create an... we want to provide services and products that act similarly on-premises as well as the cloud. Because at some point when people move, we want to make that transition seamless. 
And what you have today for the most part is one world that's on-prem and then the cloud world is completely different and that is a big barrier of moving. And so we want to reduce that. You can run the same operating system local as well as cloud, you can get the same functionality and then that helps transition people over much easier. >> Yeah, well, Oracle actually was one of the... I think but Oracle was the first company to actually market same-same, you actually use that term. Others put forth that concept, but Oracle was the first to announce products like Cloud at Customer that was same-same now it took some time to actually get it perfected and get it to market. But the point is, and we've written about this is that Oracle, because of the ascendancy of cloud flipped and has a cloud first mentality and you just kind of referenced that you just said, "And you can bring that to on-prem". So I wonder if you could talk about that cloud first mentality and the impact on hype? >> So yeah, I think the clouds first part is of course in cloud we work on services more so than products that we deliver and there's a number of things that are happening. So one is we obviously continue to provide products across you can download Oracle Linux, you can download the database, WebLogic, you can install it on your own, right? You can do to the traditional way of working. Then in a cloud world, what typically happens is, oh, I use a database service. I'm not installing anything. I push a button and I get an IP address and a SQL, and a connect string and connect to a database. And we take care of everything underneath the database. Now, in order to do that, you need to hold infrastructure in place, right? You need logging agents, you need a backend that captures all that stuff, you need monitoring tools, you need all the automation scripts for bringing this service up and monitor it. And so that takes a lot of time to do, right? And we learned a lot by doing this. 
And so the cloud first part of the services means that we get to experience this ourselves with direct access to everything. Now taking that service with all of the additional features like autonomy and bringing that to an on-premises world, we have to make sure we can package that so that all these pieces around it go along with it. And that takes a little bit more time, so we can't do everything at the same time. And so what we've done with autonomous database is we created everything in Oracle cloud, you have the whole system running really well. And then we've been able to sort of package that and shrink it into something that can be installed on-premises but then connected into Oracle cloud again. And so that way we can get all the telemetry, all the metrics, and that allows us to scale because part of providing a cloud service that runs on-prem in the customer environment is that we need to be able to remotely manage that, similar to how we manage something that runs in their own cloud, right? Otherwise it doesn't scale. And so that takes a little bit of time, but we've done all that work and now we've got our customer database that that's really in place. >> Yeah, you really want to have that same cloud experience, whether it's on-prem, in the public cloud, hybrid, et cetera. So I want to explore a little bit more. Who is using Oracle Linux and what's the driver for using it? Can you describe maybe some of the types of customers and why they buy? >> Sure, so we started 14 years ago, right? 2006, October 25th, 2006 (giggles). I remember that day very well. Penguin's on stage and a big launch for Linux in San Francisco Moscone Center. So look, the initial driver for Oracle Linux was to ensure that Oracle database customers or Oracle product customers had a good operating system experience, right? And the ability to be able to handle critical issues when that occurs because typically a database runs the company's critical data. 
The most essential stuff that a company has is typically in a database, in Oracle database. And so when that thing has issues with the operating system, you don't want just to talk to multiple vendors and have finger pointing and having to explain to an operating system vendor how the database works. In the Unix world, we had a glitch relationship with the OS vendors and the hardware vendors. They were the same. And they knew our products really well, and in the Linux world that was very different. The OS vendor basically did not want to understand or learn anything about products living on top. And so, while, to a certain extent, that makes sense. It's an enterprise world where time is of the essence and downtime needs to be limited absolutely. We can't have these arguments and such. And so that was the driver initially for doing Oracle. So it was to ensure there was a Linux distribution really backed by us that we could fix and we could fully support, right? That was completely the original intent. And so the early customer base was database customers. Database and middleware, mostly database. So but that has then evolved quickly, and so, (clears throat) sorry. What happened was, people would say, "Look, have a thousand servers, a hundred run Oracle, "so we'll run Oracle Linux on those hundred "and we run, something else on those other 900." Now after a year or so, they realized that our support was really good. We fixed all these issues and so then they're like, "Why are we having two Linux distributions? "This thing works really well. "It's runs any application, it's fully compatible. "So we'll just go a thousand with Oracle Linux". And so the early days, the first few years was definitely Oracle database as the core driver and then it sort of expanded to the rest of the estate. And over the years (clears throat), we've added lots of features and functionality, like Ksplice and so forth. We have an attractive pricing model for running on servers. 
And so now lots of our customers have a very small Oracle percentage running and many other things running. So it's really become a all or nothing play in the Linux space and we're well known now, so it's been actually very good. >> You just mentioned Ksplice. I mean, we've been talking about cloud and on-prem and hybrid and let's talk about security because security really is a differentiator but particularly if you're going to start to put stuff into the cloud. Talk about Ksplice specifically, but generally security and your policy there. >> So security first is sort of what you hear us say and do in everything we do, right? The database obviously security on the Linux side, security matters, Ksplice as the technology is there to do critical bug fixing and make sure that we can apply security vulnerability fixes without affecting the customer and not have downtime, right? And if you look at, most of the cases or many of the cases where you have security vulnerabilities and exploits, it tends to be because systems were not patched. Why were they not patched? Well, not that a customer doesn't understand that it's important, but it's a whole train of events that needed to happen. You have to get notified that there's a security issue in your operating system or application. Then, well, an application typically means it's a multi-tiered set up. So if you have to bring your database server down, then you first have to coordinate with the application users to bring the app server down because that talks to the database. So to patch one system, you basically have to bring down all application stacks. You have to negotiate with the DBAs, you have to negotiate with the app admins, you have to negotiate with the user. It takes weeks to do that and find time. Well, during that time you're vulnerable. So the only way really to address security in a scalable way and reducing that window of time is to do it without affecting the customer, right? 
And so Ksplice is something that... It's a company we acquired in 2009 and have since evolved in terms of capabilities. And so it allows us to patch the Linux kernel without downtime, right? We lock the kernel for a microsecond, so it's literally no downtime. You don't have to bring down applications. The user doesn't see it. There's no hang, there's no delay. And so by doing that, you can run the Linux operating system, Oracle Linux, and you can be fully patched on a system that hasn't rebooted for three years and you don't even know it. And so by doing that type of stuff, it makes customers more secure and it avoids them... It saves them a lot of money in terms of dealing with project management and so forth, but it really keeps them secure. And so we do that for the Linux kernel. We do that for some of the libraries on up that are critical, like OpenSSL and glibc and one example, I can give you two examples. So one example is Heartbleed was this bug in OpenSSL a number of years ago and so everyone had to patch their SSH server. And that meant basically, systems around the world had to reboot, like a whole active reboot across the world. With the Ksplice today if Heartbleed were to happen tomorrow, we would be able to patch this online for all the Oracle Linux customers without any downtime. No reboots, no restarting of applications, everything keeps running. The amount of money saved would be massive, right? And also of course, the headache. Another example is, (clears throat) and this was an Oracle cloud when some of these CPU bugs that happened a few years ago that were rather damaging on the cloud side, right? Where you could basically see memory of potentially of other machines running that the cloud it's incredibly critical. We were basically able to patch our entire cloud in four hours and the customer didn't know, right? 120 million patches or something that we applied within four hours all online without any down time. 
And so that technology has been really helpful both for us to run our cloud, but the exact same patches and same fixes go to customers on-premises as well. But this comes back to the whole what we do in cloud, we also do for customer, and I think that's a unique thing that we have at Oracle, which is quite fascinating, right? The operating system we run for our customers, the operating system that's the host for the VM is the exact same binary and source code that we make available, just to be clear. The exact same binaries are the ones that you run as a customer on premises. So you run Oracle Linux with KVM, you run VMs, you're actually running the same stuff as we do for our... That we run underneath our customer stuff. Nobody else does that. Everyone else has a black box. So I think that helps a little bit with transparency as well. >> Yeah, and that homogeneity just creates an environment you're talking about sort of the security mindset is critical. You're not just bolting it on, it's part of the culture. Look, you were, you know, started your career, and then of course you were a Linux person when you came to Oracle, but then I think you've spent some time in the database back in the day when there were some serious database wars going on before Oracle, became the king of database. So now you've got obviously this great portfolio and a lot of really sharp software developers. What should we expect going forward from Oracle? What should we look for? >> I was welcoming some interns to the company, (clears throat) for their summer internship yesterday. And one of the things that I, (clears throat) I'm sorry. One of the things I mentioned to them, was that one of the... So cloud obviously gives us a lot of opportunities, but there's a number of things. One is we have such a breadth of applications and software and hardware together, right? 
We have the servers, we have the storage, we have the operating systems, we have the database layer and so forth, and we have the cloud side. And one of the great opportunities and I think we've shown a lot of this happening with the ability to create something like autonomous database is to combine all these things, right? We have such a broad portfolio of really cool technology that by itself is okay, but if you combine the things, it really becomes awesome, right? You cannot create autonomous database without having autonomous Linux, right? You cannot create those two and make them really safe without also controlling the firmware on the hardware and so forth. So by being able to combine all these layers and by having a really great relationship across the teams within the company, that opens up a lot of opportunities to do stuff really quickly and having the scale for that. I think that has been for the last few years a really great thing but I can see that being one of the advantages that we have going forward, right? We have Oracle Fusion Applications, which is incredibly popular and has great growth. And then we have that running on Oracle cloud that talks to our autonomous database. So we bring all these pieces together and no other SaaS vendor can do that because they don't have these other pieces. They have one area, we have all of them. And so that's the exciting part for me is basic... It's not so much about making my own world better and having Linux be better and Ksplice and so forth, which is important, but that becoming part of the bigger picture. And that's the exciting part. >> Well, Oracle has always invested in R&D. We've made that point many many times, whether it's database, fusion was a painful but worthy (giggles) effort. The whole public cloud piece, obviously many acquisitions but the investments that you've made in open source as well. 
Wim, you're a great spokesperson and a great representative of the open source community generally, and an Oracle specifically. So thanks very much for coming on theCUBE and sharing with us the state of the Penguin. The best of luck. >> You're welcome. Thank you, thanks for having me. >> All right, and thank you for watching everybody. This is Dave Vellante for theCUBE. We'll see you next time. (soft music)
Jim Zemlin, Linux Foundation | Open Source Summit 2017
>> Announcer: Live from Los Angeles it's The Cube covering Open Source Summit North America 2017. Brought to you by the Linux Foundation and Red Hat. >> Hey, welcome back everyone. We're here live in L.A. for the Linux Foundation Open Source Summit North America. I'm John Furrier, your host, with Stu Miniman, my co-host. Our next guest Jim Zemlin, Executive Director of the Linux Foundation, runs the whole show. Welcome back to The Cube, great to see you. >> Thank you, thank you. Runs the whole show is a little bit of an overstatement. >> Well, certainly great keynote up there, I mean, a lot of things coming together. Just some structural things. Let's get the update on what's going on structurally with the Linux Foundation, one, and then two, the keynote today, this morning, really kind of laid out the state of the union, if you will, and all cylinders are pumping, no doubt, on open source. So give the quick update on kind of what's going on with the Linux Foundation and then let's get in some of the trends inside the open source movement. >> Yeah, I mean, our organization has grown quite a bit in the last few years as evident by all the people who are here at this event. But our focus is really on the projects that are important to, you know, the stability, security, and growth of the global internet and of large-scale systems. And when you look at Linux or Node.js or things like our networking projects which are powering the production networks for 3 1/2 billion people, what we're really focused on is making sure those projects are healthy, making sure that they have great developers who write incredible code, that it's used to power things like China Mobile's network or AT&T's production network. And then, those firms are employing the developers who then write more code, you get more solutions, products, services based on Linux or whatever. More reinvestment, lather, rinse, repeat. It's that cycle we're trying to promote. 
>> So before we get into some of the stats, structurally, I know this show, we've Cube comments out there, clarify the structure. How the shows are rolling out, how are you guys putting together the big-tent events, and how developers can get involved in the specific events across, but now there's a ton of projects. But just at a high level, what's the structure? >> Yeah, so, you know, and I'll throw out a few stats. We have about 25,000 developers that attend all of our events which are all over the world. But we have our Open Source Summit which is really sort of a summit to come together and talk about these big-picture issues around sustainability to allow for cross-project collaboration. We have project-specific events so the CloudNativeCon, KubeCon event which is coming up in Austin which is going to be blow-out, you know, I'm expecting thousands of people. I think probably three, 4,000 people. >> And even more platinum sponsors than I've ever seen on any project before so huge demand. >> It's crazy, yeah. Yeah, you know, get it while it's good, right? All these things kind of go up and down but they're on the upswing. So we have project-specific and then in the networking sector, we have the Open Networking Summit which is sort of similar to the Open Source Summit but much more focused on networking technology, SDN, and NFD, and that is going to be in L.A. next year and we'll have a U.S. event and then a European and an Asian. >> And this show's purpose is what? How would you position the Open Source Summit? >> The Open Source Summit is where all the projects come together and do cross-pollination. I mean, the idea here is that if you're just always in your silo, you can't actually appreciate what someone else is doing that may improve your project. >> And Jim, there's a couple of events that came together to make this 'cause it was LinuxCon, ContainerCon, and MesosCon is also co-resident so. 
>> Exactly, so we just decided after a while that all these events could come together and again, this cross-pollination of ideas. >> And they kind of did, they're just different hotels in Seattle last time. >> Yeah, exactly. That's enough, it's just going to be Open Source-- >> It's a big-tent event. >> It's a big-tent event and it really reflects how open source has gone mainstream in a way that I don't think any of us would've predicted even maybe five, six years ago. >> It's pretty massive. Just to quote some stats. 23 million plus open source developers, what you shared onstage there, want to get to your keynote. 41 billion lines of code. 1,000 plus new projects a day. 10,000 new versions pushed per day. 64 million repos on GitHub. Just amazing growth so this kind of points to obviously the rising tide is floating all boats. I made a comment, I tweeted, in the spirit of the joke of standing on the shoulders of giants before you, it's like, what shoulders are we standing on now? Because there's so many projects. Is there going to be like a legacy like the dual-star, badge values, been around for a while? You mentioned old news and you bring up Linus onstage. I mean, some projects are older, more mature, Bruce Wayne, Tier One, meat and potatoes, some got a little bit more flair and fashion to it, if you will. So you got new dynamics going on. Share your thoughts on this. >> Yeah, I mean, it's like the shoulders you're standing on are almost like stage-diving, right? Where it's just lots of people's shoulders that you're really bouncing around on. But the idea here, and what we really focus on, is what are the most important projects in the world and how do we make sure we sustain those projects. So those are the ones that you're going to generally see focused on here. Like, you know, if you've got two people contributing to one small repo for a very small project, that's probably not something that's going to be super high-profile here. 
But what we're trying to do is bring together sort of the big projects and also the key contributors. You know, if you look at the distribution of contribution, and this is the thing, I think, if you're a developer listening to something like this, someone who gives just one commit to a project to solve some kind of problem they might have, that's the vast majority of people. Somebody who does maybe five to 10 commits, you know, a little bit less, quite a bit less. The vast majority of code, people who give 25 or more commits to a project, small group of folks, they're here. >> I know Stu wants to ask a question, one final question on the growth 'cause this kind of reminds me of sports as we're like the ESPN of tech here for the community. If you look at the growth, you put a slide in there by SourceClear that shows the projection, by 2026, at 400 million libraries, putting it today around, I think, 64 million. This is going to be like an owners meeting. It's kind of like they get together, this event because you are going to have so many projects 'cause this is kind of the vibe you got going on in here. The scale is massive, this is going to be almost like the owners meeting, the teams. Expansion's going to be coming, you have to deal with that, that's challenging. >> We're ready to grow, I mean, we've been working on systems and staffing and processes to help scale with that. You know, we take seriously that that code runs modern society. It keeps us private or doesn't as we saw with the Equifax hack which was a CVE in an open source project and we want to be ready to up our game. Let's say we could have secure coding class at this very event for the greatest developers who are working on our most important projects in the world. Would that make all of our lives better? Yes, absolutely. >> Yes, absolutely would. Yeah and you want to enable that, that's where you're going. >> That's exactly where we're going. 
>> Jim, the quote that jumped out at me that you gave in the keynote was, projects with sustainable ecosystems are the ones that matter. How do we balance all this? I heard in, you know, Linus's Q and A it was, look, individual's important but companies are important. You put up a slide and said, there's thousands and thousands of projects, sometimes we're going to get some really awesome stuff from three people contributing code versus the massive ecosystem with all the platinum providers so, it's always in technology, it's an and and it's very nuanced but how do we get our arms around this? How do we know where to focus? >> It's worth going back in time to understand where the future is going and study innovation theory, you know, Eric von Hippel at MIT, or Karim Lakhani at Harvard Business School. And you look at the framework, which is, you have corporations who underwrite a lot of development by hiring developers who have an equal importance in this and then users of that software. So those are your main constituents and sometimes they're the same people, right, or the same things. They're not mutually exclusive, they're actually self-reinforcing if you get the formula right and you make sure that the project is in good shape so that it gives confidence to industry or society that, hey, we can count on that. I think Heartbleed and OpenSSL maybe rattled people's cages like, hey, can we count on, not just this project, but can we count on open source period? So we spent a ton of time working with that project to provide them millions in resources, audited their code, expanded their testing, and we learned a hell of a lot about how to support these communities in the most important developer projects in the world and create that positive feedback loop, that's what we're doing. >> Yeah and Jim, it's, as an analyst, one of the things we're always asked is, right, how do I choose the right technology? 
Whereas companies now are contributing here so it's not just I'm putting dollars in, I'm putting manpower into this. And the foundations sometimes get a lot of lung from people, saying it's like, oh well, people throw money and what do they get out of it? I liked what I heard today, you talking about this cycle, and maybe talk to our audience a little bit about CHAOSS which I thought was a nice, tongue-in-cheek acronym to say how you're actually going to bring order to the chaos that we see in the open source world. >> I'm going to come to this but I want to answer one quick question about the roles of organizations like ours. We are the roadies, the supporting cast, and the plumbers and the janitors of the system that keep things going but the real rock stars are the developers. If you think about it, Linux is worth $10 billion. An average kernel developer makes probably, let's say $150,000 a year, by the way, they make more than your average developer because they're in such high demand. The role of organizations like ours is such a tiny fraction financially of what is really fueling this model but it's an important one. What we ask ourselves all the time is, why do you need us? Who cares, right? Like, throw your code up on GitHub, you don't need the Linux Foundation, right? Why do we even exist? And the answer is to do things like this Community Health Analytics for Open Source Software, to provide the infrastructure for sustainability. Sustainability is something that we need to measure, right? How many developers are contributing to a project? Are they from a diverse community so that if one group goes away, there'll be somebody else there to do that work? How much test coverage do they have? Are there code quality metrics that we could look at? Do they have security practices like a responsible disclosure policy, a security mailing list? Have they recently fuzzed their code? Are they a community that's welcoming for people of different backgrounds? 
And so on and so forth. If you don't have a healthy project, you kind of don't want to bet your company on this project by using it in a production system, right? But here's the interesting thing, how many people are using that code in production also is a metric for health, right? Because that's where the reinvestment is going to come in the form of developers who are working on it. >> There's a difference between being proactive and jamming something down someone's throat. So you're taking an approach, if I get this right, to be kind of the same open source ethos, use some KPIs, key performance indicators, to give them a sense of success. But it's not an edict saying-- >> No, no, it can't be an edict. What you want to do is preserve the organic innovation that goes on in open source and get projects to go, and you'll notice that curve of sort of value to volume goes up and to the left, we could've written it to the right but, you know, the whole copyleft thing we love. How do you get that organic innovation to kind of go from this small project up and to the left? How do you capture that? Well, give tools to everyone so that they can better self-analyze. >> John: You get exponential growth with that. >> Exactly. >> If you try to control, it's linear but you bring it to the community, you get exponential growth. >> Exactly, so we studied a ton of innovation theory, we looked at how we could build frameworks to facilitate this kind of form of mass innovation and so that's where tools like CHAOSS which is being worked on by Red Hat and a lot of companies who want to figure out which project should I work on? How can I spot that one earlier? And we're excited about it. >> You know, I always joke, being the old guy that I am, in the late '80s, early '90s, '80s particularly when I was coding. We did everything, we wrote all the code. 
You bring up an interesting stat and you put the finger on, at least for me, and I think this is where a lot of us old timers who had to do all the libraries from scratch. You mentioned the code sandwich, the code club, the club sandwich, how code's being made and the interesting thing, as you point out, 90% of most great software is done with open source where the 10% innovation is done with original code or original content, if you will, and that that is the norm. So open source is now called the code sandwich because you can put your differentiation and that's a good use of time. >> That's the meat, right. >> That's the meat, it's not a wish sandwich to use the old Blues Brothers example but I mean look, the thing is that that dynamic is real, the code is leverageable, and that this is the dynamic so where'd the number come from? Because that seems really high to me but I love it. >> So that number came from a combination of Sonatype, SourceClear, and other organizations that monitor commercial reuse of software on a global basis. So these are the folks who are actually working with commercial industry to look at the makeup of their code, basically. You don't have to go far to look at a Node.js developer, they're using Node.js, they're taking packages out of NPM, and they're writing, they're cut and paste masters, but they write this critical component that's the meat of their application, it's what they do. >> But that's the innovation fabric that's happening. >> It also is a requirement because let's look at a modern, luxury vehicle today. It has 100 million lines of code in it. That's more than an F-35, like, fighter jet. That's an unbelievable amount of code. Toyota, who we work with, and you know, our AGL, our Automotive Grade Linux, is in their Camry. They couldn't write that code on their own. It's just too much. And this is how we get to autonomous vehicle control and things like that. 
>> I know you got a tight schedule, I want to make one more comment, get your reaction to it. I made a tweet and said, it's open bar in open source and with a reference to all the goodness being donated by companies, Google TensorFlow, there's a lot of other things coming in, these libraries. A lot of people are bringing really, really big IP to the table, IoT, and I kind of made an open remark 'cause a lot of the young kids, they think this is normal, like, well it's going to get better. Keep on drinking that open source. Is this normal? Is it going to be more like this in the future? Because you have essentially real intellectual property, like say from Google, being given to the open source communities as a gift for innovation. I mean, that is just unprecedented greatness. >> The reason for that is they're not doing it necessarily altruistically although I think you can take it that way, they're doing it in a way that betters themselves and others at the same time. I mean, it is a form of collective capitalism where they've realized, my value's over here, it is better for me to collaborate on underlying infrastructure software that my customers don't care about that's not critical to my system but I absolutely have to have and I'm going to focus on data or I'm going to focus on much higher-level innovation. And what that's doing is creating this hockey stick of innovation where, as we share more and more and more infrastructure software, and as that keeps moving up and up the stack, we all benefit. >> So in the theory of the management, bring up management theory, their theory, I'd love to get your thoughts on, is that they're betting on scale rather than trying to go for profits in the short-term, they'd much rather share intellectual property on the back-end value of scale and scale's the new competitive advantage. >> Exactly, take Kubernetes as an example. 
The fact that, today, and just even a couple years ago this wasn't known, we didn't quite know where this was going to be, but today you can take Node.js, build a container, you know, take an application, throw it into a container, and use Kubernetes to run it on Azure, Amazon, Google, or in a private cloud. That definition, the ability to do that, unlocks this massive developer productivity which creates more value which is more business opportunity for all these guys. You know, they're not doing it 'cause they're nice people, they're doing it 'cause they're unlocking market potential. >> And they're the real rock stars. Jim you're doing a great job. Congratulations on your success. You got a lot of growth in front of you, a lot of challenges and opportunities certainly with that and of course, the tech athletes out there doing the coding, they're the real rock stars, they're the real athletes. Of course, we get more on The Cube, thanks for your support with The Cube as well, appreciate that. >> Jim: Thank you, thanks for everything. >> Alright, this is live coverage from Open Source Summit North America in Los Angeles, California. I'm John Furrier, Stu Miniman, we'll be back with more live coverage after this short break.