Danese Cooper (of Sun) Finally Answers
Sun Microsystems Posted by Roblimo on Thursday May 09, @02:00PM
from the hurry-up-and-wait-for-approval-from-lawyers-and-PR-people dept.
We put up the original Talk to Sun's 'Open Source Diva' call for questions on January 10, 2002, which makes this the longest lag we've ever had between a set of Slashdot questions and their answers, a record previously held by the late Douglas Adams, whose question post went up on May 2, 2000, but who didn't get his answers to us until June 21, 2000.

Danese:
First of all, I have to tell you that everywhere I go, people ask me when my Slashdot answers will be coming out! The Slashdot effect doesn't only impact websites ;-). As a loyal daily Slashdot reader I'm thrilled to have the opportunity to answer your questions and I want to thank Slashdot for their patience in waiting for them. It wasn't for lack of trying but since I first penned my answers there has been a steady string of announcements that we'd been working on a long time and I didn't want to tell you all one thing and have the answer change just a couple of weeks later. I was very impressed with the questions, which showed a lot of understanding of Sun and interest in where we're headed with respect to Open Source. As a result of so many people asking me about the answers, I've had some great conversations about working on Open Source in a big traditional company and of course the inevitable "What's it like to be a woman in technology?" (questions you folks didn't ask). I plan to stick around today to participate in the threads resulting from these answers, and after that I'll retire to the discussion forum at http://www.sunsource.net which is a site I moderate. I'm always available there for more discussion.

Danese Cooper
Open Source Diva
Manager, Sun Open Source Programs Office

1) OpenOffice
by kvandivo

Is Sun moving to put more resources into the OpenOffice initiative?

Danese:
There are already several hundred Sun employees currently working off the OpenOffice.org codebase to produce StarOffice. The StarOffice product is Sun's branded and supported version of OpenOffice.org. This is a recurring pattern for Sun's engagement on the Open Source communities which we sponsor: we work the codebase in the clear but we're working towards producing a Sun-branded binary. We encourage other developers to work on the codebase as well and the licensing allows anyone to benefit from the work they donate by freely using the code. More on this in the answer to question number 7.

BTW, you may have noticed that this month OpenOffice.org just announced their 1.0 version as well as a first Developer Release of the MacOSX port.

2) Money From Open Source/Free Software
by Hasie

A large number of open source/free software companies have ceased to exist in the last while because they couldn't make money from a free product.

In light of this do you believe that it is possible to make money from open source/free software alone or does a company need a hardware arm like Sun?

Danese:
It seems to me to be a question of scale. There have been a few Open Source companies who've managed to make a go of it and return decent salaries and some security to their employees using some combination of the models discussed in Eric Raymond's papers. But Sun was already a publicly held company with previously established earning patterns when these Open Source business models began to be discussed, and because of our obligations to shareholders it wouldn't have been appropriate for us to try to transition for example to making all our software revenue off of support because the returns just wouldn't have been satisfactory to the shareholders. So, I guess I'm saying that if your business plan is to make all your revenue in open source ways, then you need to be organized that way from the start or else privately owned or not trying to convert from a more traditional publicly traded, higher margin model with all the obligations that implies.

About hardware. I've noticed that having hardware as a revenue generator definitely can make a software business more "fault tolerant" (less subject to strain from the occasional bad quarter), but it's not the *only* effective hedge. Building real professional services, enterprise support services, and other sorts of product offerings can work to increase economic fault-tolerance. Some companies use Open Source to gain an influx of innovation which feeds their complex business models in ways that are difficult to quantify.

What we're going through now in the Industry is more extensive than just a bad quarter and all companies are feeling it, regardless of product mix or orientation (open or closed). At the start of the current downturn, many of the Open Source companies were still in their infancy and were therefore more vulnerable to downturn. That doesn't necessarily mean their business plans wouldn't have had some success if the economy had been more sheltering. Many of the stronger ones are now morphing to business models similar to the one Sun most often employs for its pure Open Source projects, use Open Source base technology to gain ubiquity and make money on the value-adds.

One last thing. I was talking to someone the other night who said he thought that Open Source is suffering because people don't understand it yet. I still get the question all the time whether applying Free & Open Source methodologies to a project will reduce engineering costs. This belies a huge misunderstanding. For traditional companies with existing closed source development models, going to Open Source costs more, not less. Of course in "total cost" terms the equations equal out. Open Source developers aren't going to code your product for you, but their feedback can dramatically reduce the time it takes to get the product where it needs to be to truly satisfy customer needs and can also have a huge positive impact on total quality of the product. In proprietary efforts, the activities designed to determine customer needs and Total Quality usually live in Marketing, not Engineering. At the end of the day Market and Customer Requirements analysis may be the problem Open Source solves for traditional product teams.

3) Open source for everything?
by mfarah

While it's true that a lot of "attractive/sexy" work can be done via open source methods, there's still some areas that traditional programming models (i.e., closed source) still function better (even though ESR says otherwise in The Cathedral & the Bazaar [oreilly.com]). What, in your opinion, is the proper balance between open source and closed source methods Sun should strive for?

Danese:
First let me say that I really appreciate the thought and writing that ESR has done. His writings are so well known and contributed hugely to proprietary companies' inquiries into Free and Open Source, but there are of course many metaphors in addition to his which try to describe the differences between proprietary and open source methods.

In my opinion, the secret sauce of Open Source is Transparency. Transparency teaches formerly proprietary engineering groups to trust the customer and vet plans before committing expensive resources to implementation. It generally uplevels coding quality as the potential for public embarrassment increases with increased scrutiny (the famous "massive peer review"). It often enhances job satisfaction since well-written or cleverly implemented code is publicly praised and hard work recognized. Reputations are built based on contribution and willingness to engage in constructive dialog. Trust is built in to Transparency as well, since the choice whether to trust organizations saying "We know better than you" or those saying "Here's how we work. We have nothing to hide" is easy. Not coincidentally the Open Source methodology companies like CollabNet and SourceForge are starting to sell Transparency methodology to proprietary companies for use internally.

But as mentioned above, it's not appropriate for a successfully proprietary company to open source *every* scrap of code. At Sun we've tended to follow a pattern with our Open Source projects. We open source a base architecture and make money on value adds. The base technology becomes ubiquitous and that creates demand for the value added products we sell. They also tend to support our standards efforts or to be in themselves a de facto standard.

The best example of this is the relationship between NetBeans and Forte for Java. NetBeans is an integrated development environment (IDE) for Java, publicly launched as a fully transparent Open Source project 18 months ago. Forte for Java is a Sun-branded product line built on the NetBeans code base with feature enhancements developed at Sun. We sell Forte for Java, Enterprise Edition and also sell support contracts, professional services and related products.

As noted earlier, companies with a mix of hardware and software revenues like Sun can afford to liberate a larger percentage of their software in programs that support or in some conceivable way entice customers to buy the hardware. In the case of Forte for Java, providing good cross-platform developer tools is key to provisioning the platform.

4) Open Source Solaris?
by Sobrique

Since Solaris X86 is not going to be supported any more, is there any chance of getting that 'donated' to the user community? I appreciate that there's a fair chunk of intellectual property in there (and probably a fair amount of overlap with Sparc), but it'd be nice to see.

Danese:
First of all, Solaris continues to be a supported product on x86. In fact an update was just shipped in March. What we announced was that due to resource constraints we are deferring (not cancelling) the productization of x86 for Solaris 9. Solaris is already the most open of the traditional Unix distros, and we continue to look at ways to make it more open within the constraints of resource and user demand. We are actively working with the Solaris on Intel community to find ways to make that happen.

Generally however we've found that the cost of open sourcing code for a proprietary product is non-trivial. I know it seems counter-intuitive but consider this: the reality is you can't just toss code over the fence. You have to first scrub it to make sure you have the rights to release it (your question acknowledges this difficulty). You also have to provide resources to answer questions and generally support those who are trying to pick up the code. Typically you have to develop additional documentation as well. Lastly there's the issue of ongoing liability. Large companies have deep pockets. When a company releases a product it at times comes with a warranty which the company is willing to offer because the risk is offset by revenue. There has to be some significant value to the licensor to justify the risk. Make no mistake, whenever a large company converts a product to Open Source it's because that strategy has in some way been positively tied to the bottom line.

RMS and the Free Software Foundation have a vision of liberated software that takes care of all of these problems by socializing code. Personally I love that vision but it doesn't explain who funds initial R&D if the profit motive diminishes (now that even universities have recognized the potential for profit in research). Discussions on the "Free Software Business" mail list run by Russ Nelson have occasionally come to the conclusion that the US Federal Government will have to step up to fund research (as they did when the Internet was ARPANet). But of course any government will tend to support research that matches its goals, for instance better defense, and often social benefits are unintentional or at best ancillary.

In my opinion the best we can do as people who want to see infrastructure code socialized is work together to make Transparency and code liberty more attractive to organizations engaging in R&D so more code will be developed in the clear *from the outset*. Once code is liberated it can't be taken back, and the community can seamlessly take up support for code if the original licensor changes priorities.

5) Fitting Open Source in a Corporate Environment
by Marx_Mrvelous

I work for a very large company (Fortune 100), and we are, very slowly, moving towards using open-source programs like Linux, Apache, etc. The IT department likes and supports these applications, but it's very difficult to convince management that these applications have the same stability and reliability that commercial applications do. What is the best way to approach management to help evaluate open source solutions to the problems we face?

Danese:
Companies like to know that somebody is responsible for supporting the products they select. For instance, they want enterprise level support. They want a warranty and someone standing behind it. It's easy to understand they want some security for their investments. The shift to pervasively liberated infrastructure code will be regulated by the trustworthiness of the code (since tying trust to shared risk doesn't work if the licensor has nothing to lose). Some members of both the Free and Open Source movements are personally committed to non-conformity at the expense of credibility with typically conservative IT decision makers. This further hampers deep and wide adoption.

Luckily, the other key factors in IT decision making are cost and control. In a real sense the current world economic situation is hugely helpful to the Open Source cause because cost becomes a more significant factor. Companies like RedHat are working to address the total cost equation to make it easier to choose open source. Notice that the "pattern" Sun uses is similar to RedHat's. They essentially brand and support open source base technologies (GNU/Linux) and increasingly provide proprietary value-adds.

If I were trying to convince my IT boss to adopt an Open Source technology I would be looking at the total cost to use it (i.e. Is it easier to use, learn or manage? Is the cost differential big enough to justify whatever risk? Is real support available?) in addition to evaluations based on feature set. In the area of control I would focus on the flexibility that comes from having Open Source rights to the code. No longer are you at the mercy of vendors who may or may not class your issues as high priority. I would point out the national governments and NGOs who are choosing to mandate use of Free and Open software as evidence that Open Source has entered the governmental mainstream. However, it's important to recognize that the mass migration to liberated infrastructure software will be evolutionary because a revolution would be too disruptive to Business.

6) Why isn't JBoss certified?
by revscat

There has been some speculation that Sun is uncomfortable with certifying JBoss [jboss.org] as a J2EE-compliant container. Mark Fleury, president of the JBoss team, has said "Sun quoted a price for that certification suite that is beyond the current financial resources of the JBoss team." Is there any possibility that Sun will relax these certification fee requirements for open-source initiatives such as JBoss, especially when they meet the technical requirements as specified by Sun?

Danese:
I've had several conversations with the team that authors Java Technology about this one. They point out that the J2EE Specification License is really clear on how the specification can be used. It requires new implementations to be licensed and to pass the compatibility tests because compatibility and the portability it enables are the fundamental value proposition of Java Technology for the millions of developers actually using it. The certification test suite and the basic licensing of the Reference Implementation are the key mechanisms that protect that value proposition. The best example of this was the Sun vs. Microsoft lawsuit, which forced Microsoft to stop shipping their incompatible Java implementation.

Historically the problem with JBoss was not so much whether or not they could afford to access the certification test suite, as whether it or any Open Source project was potentially a weakening of the value proposition. JBoss is an open source project. According to the Open Source Definition, JBoss can't pass on compatibility requirements to subsequent code licensees. Open Source advocates have repeatedly assured us that the social contract (which is the primary method of enforcement in the Open Source world) is strong enough to protect the value proposition if branding was optional, but readily admit they can offer no guaranty. Java-related open source activities such as TomCat have been very popular, but uptake for the associated compatibility suite has been limited.

This is a really hard problem. Sun strongly believes in Open Source for infrastructure software, but also believes in protecting the value proposition of Java Technology. There has been at least one famous attack on that value proposition, but even among the members of the Java Community Process there is a dynamic tension between maintaining compatibility and allowing individual implementations enough room to distinguish themselves in the marketplace. Multiple software companies have bet their entire business on Java compatibility and are counting on the JCP to maintain an economically, as well as a technologically, level playing field.

After extensive work with the Apache Software Foundation Sun announced at JavaOne this year that it is working to change the JSPA (the legal agreement for participation in the Java Community Process or JCP) so that the JCP projects (JSRs) can be run as Open Source projects at the specification lead's discretion. Sun also announced that as future Sun-led specifications are finalized it will allow compatible alternate implementations (including J2SE, J2EE and J2ME) under Open Source licenses. Additionally, Sun announced that it will make compatibility test kits available at zero cost to non-profit Open Source and Educational organizations and individuals, and will establish a $3 million dollar fund to provide support to qualified entities' use of the compatibility test kits. Sun's intention in making these changes is to enable compatible non-profit Open Source and Educational efforts to flourish.

It is my hope that this new willingness to allow compatible Open Source implementations will prompt Sun to also allow JBoss, which although licensed under the GPL is decidedly a *for profit* effort, to submit to the compatibility test suites so the world of Java can go forward compatibly. JBoss arguably has the largest market share of application servers claiming to be J2EE compliant, garnering awards and much attention, and it would be good form IMHO if Sun helped them to achieve true compatibility. I attended part of their "JBossOne" alternative conference and they told me they've secured funding to buy a support agreement for the J2EE 1.3 CTK like any other for profit implementor.

7) OpenOffice and Sun perceptions
by ACK!!

I was wondering what contributions of the OpenOffice group actually made it into StarOffice 6.0 beta? Did only contributions make it in or is 6.0 based off of OpenOffice code?

Danese:
OpenOffice.org is the code repository for the StarOffice 6.0 product, so the short answer is that StarOffice 6.0 is based off OpenOffice.org. As mentioned above, the common pattern of engagement for Sun with Open Source is to periodically roll a Sun-branded version which then becomes a fully supported part of the Sun product line. In this we are acting similarly to RedHat and the other Linux distros. Of course we contribute all bug fixes made during the productization process back to OpenOffice.org.

However, to answer the question of what types of contributions have been accepted you have to look at the types of contributions we've received. We conducted a survey on OpenOffice.org last summer which told us that the majority of the large community we've attracted are end-users. They contribute by reporting bugs and enhancement requests and recently have organized to provide marketing support but they rarely contribute code fixes. I went to GUADEC this last month to try to get more developers interested in contributing to OpenOffice.org, and we *are* getting more interest due to the recent announcements of version 1.0 and the First Developer Release of the MacOSX port.

So far, the developers who have attached themselves to the project have mostly contributed ports to alternative platforms and small-audience localizations which are not supported in StarOffice. StarOffice 5.x also included some proprietary components which had been licensed for use by StarDivision before the Sun acquisition. There has been some excellent work on OpenOffice.org to replace some of those with open source alternatives. Lastly there has been lots of activity in the area of enhancing distribution. The community has set up several mirrors and has even produced a CD delivery service.

8) "Linux" package management / GNU utils
by Erich

Solaris has had packages for a long time, but nothing compares to Debian or RedHat as far as package management goes. With Solaris I can download patch clusters and run them all in a script, but it's not nearly as easy as "apt-get update; apt-get upgrade". Similarly, hunting down some package and all the utilities it requires and compiling them all is much more tedious than "apt-get install that_package".

Do you see Solaris incorporating some of the package management features found in Linux systems?

Also, Unix vendors many times have very feature-incomplete versions of utilities compared to their respective GNU versions. For instance, GNU tar (while lacking some of the Solaris tar options) has many features that are extremely handy. Do you see Unix vendors in the future incorporating more free tools over the proprietary ones they have, and if so what do you think the time frame is? Do you think that Unix vendors that move towards GNU tools and make their installations more "Linux"-like will have an edge, or will moving to unfamiliar tools be a hindrance?

Danese:
Since Solaris 8, Sun has shipped a "Companion CD" with many of the most popular utilities and programs in use by the free Linux and BSD distros because we recognize that some customers prefer to use those tools (and they run great on Solaris). Solaris 9 includes tighter integration of many of the most popular free tools (including GNU tar) within Solaris itself. We also added support in our C/C++ compilers for GNU compatibility. One of the core things we are doing with Solaris 9 is ensuring even tighter Linux compatibility.

BTW, the currently available Companion CD already includes the RedHat package manager (RPM), but for the time being we'll continue to support the System 5 pkgadd format because it is the consistent choice for our customer base and they tell us it still provides several advantages. We'll continue to consider other formats for future inclusion in response to a changing marketplace. We tend to think that what's good for Unix is good for Sun, because Solaris is simply the premier version of Unix.

9) Big Iron, Little Iron
by bfree

Do you foresee Sun having their own OS in 10 years time or do you foresee Sun selling hardware with their own optimised version of another OS? If Yes, are we likely to see such an evolution climbing up your chain from the small workstations up to the big iron OR will we see a new OS for all boxes at once? Will Sun ever make an offer like IBM's offer for AIX with Solaris i.e. "You can have anything you want from our OS"?

Danese:
Sun's position on Linux has long been friendly, since we see it as a commodity unix variant which has been very successful at growing the community of Unix users. Many of our customers continue to say that Solaris is their operating system of choice but other customers have been calling for "Edge of the Network" Linux alternatives. Our February announcement to expand the Cobalt product line to include new general purpose Linux systems was a surprise to some but I think it makes sense for us to be responding to customers and leveraging a great market opportunity.

As it said in the announcement, Sun sees a time in the future when it won't matter which operating system you're running and many consumers won't even know which one they have. Part of that future as Sun sees it will be accomplished by pervasive Java platforms, but we also support efforts to make unix available as broadly as possible because it is a well-documented and industry tested open standard. Sun's Founding Principle, "Cooperate on Standards, Compete on Implementation" means that we'll continue to offer what we believe to be best of breed, standards compatible implementations for the markets we choose to enter.

So, in 10 years will we still maintain our own kernel? Will it look more or less like Linux? Will it look more or less like BSD? 10 years is a LONG time in this industry. In my opinion efforts by the community to enhance the Linux kernel to the level of "carrier-grade, high-availability" will have happened way before then. Vendors with Linux offerings will hopefully have learned how to provide fantastic Enterprise-Level Support and Professional Services for Linux way before then. The San Francisco Chronicle may be running a regular comic strip about the adventures of a cute and politically liberal penguin by then! Whatever happens, Sun will continue to listen to its customers and offer best of breed solutions.

10) The future of Liberty Alliance
by mydigitalself

I've been following Microsoft's .NET strategy for quite some time and have been quite interested in the Passport vs Liberty Alliance scenario.

Firstly, what exactly is happening with Liberty Alliance at the moment? I got the impression that the initiative was started as a marketing opposition against Passport as there doesn't appear to be any visibility of the implementation on the web site [projectliberty.org].

Secondly, there is also an open source source initially from .GNU for this central authentication service [dotgnu.org]. Essentially both Liberty Alliance and .GNU are trying to provide an opposition framework to Passport - and yet the nature of the concept and the existence of the two projects seem to be self deprecating. If everyone and their dog develop a centralised authentication service that spans services across networks - people would probably use Passport purely because of its market share.

Would it not be a good idea to somehow merge the work done to offer a unified opposition to Passport?

Danese:
I'm really glad you asked about the Liberty Alliance because I recently attended a Web Services conference in San Francisco and got really riled up about the problem that the Liberty Alliance is trying to address. The organizations in the Liberty Alliance and the folks working on DotGNU have all recognized the danger of allowing identity profiles to be controlled or even exclusively architected by a single company. As my friend Tim O'Reilly first said about Identity last year, "There are some things nobody should own". Sun took on the initial work to launch the Liberty Alliance, but now that it exists Sun is taking a peer role.

Passport by design is a potential chokepoint for Internet commerce. What's really concerning is that Passport has already been deployed and is collecting membership from every user of Windows XP, Hotmail and the rest of the WinTel stack! Lately Microsoft has gotten pretty quiet about Passport, but that doesn't mean they aren't continuing to execute a strategy to dominate Internet commerce. As a technologist my tendency is to want to hurry up and impulsively code an alternative, but I recognize that it will be difficult at best for even superior technology to win in a horserace to achieve compelling membership.

That's why the Liberty Alliance is so important. As you notice there has been precious little technical information released about any actual Liberty implementation. If you look at the makeup of the Liberty Alliance founding group they are overwhelmingly organizations with large existing membership databases. The first problem is to assemble enough membership to actually challenge the "sole architect" position of the dominant player. In my mind this strategy is the only way to effectively mandate a truly open and decentralized architecture. Last month it was announced that AOL has joined the Liberty Alliance and at this conference I mentioned above a Liberty Alliance member confirmed that Microsoft has been invited to join.

I was very happy to see Apache in the list of charter organizations endorsing the concept of the Liberty Alliance because it effectively ensured that the Liberty Alliance would have to accept non-profit membership and indeed they have defined a no-cost Affiliate membership level. This opens up the possibility for efforts like DotGNU to join and bring their perspectives (or their technology) to the table. Since DotGNU is a Free Software project the traditional challenges of working in concert with profit-motivated organizations will definitely arise but as your question points out the alternative is diminished impact.