AWS Executive: Our understanding of open source is changing.

Mondo Technology Updated on 2024-01-28

Judging from the recent re:Invent conference, cloud giant AWS remains cautious about vendor-driven open source projects and advocates business health checks for all open source dependencies. This is understandable: after the discontinuation of the highly influential CentOS, AWS's plans for Amazon Linux were unexpectedly disrupted.

David Nalley is Director of Open Source Strategy and Marketing at AWS and President of the Apache Software Foundation. "My responsibilities cover almost all open source projects at AWS."

What are the advantages of Amazon Linux over the other distributions available for EC2 (Elastic Compute Cloud) virtual machines? "Ubuntu has long been the major distribution of choice. We also work with many different distros to make sure they work well."

FreeBSD is also an option. "I spoke directly with the FreeBSD release manager about developing an AMI (Amazon Machine Image) for FreeBSD. I have a gut feeling that Amazon Linux should be better supported; after all, its development team consists of Amazon employees."

One of the major hurdles for Amazon Linux 2023 (which was eventually released outside of AWS as well) was that it did not support EPEL (Extra Packages for Enterprise Linux), whereas its predecessor, Amazon Linux 2, did. Given the importance of EPEL packages, why the change?

"The difference is that Amazon Linux was previously based on CentOS. CentOS has a vibrant community, and contributors package a lot of software. But in the latest version of Amazon Linux, we've made Fedora the new foundation through refactoring."

The reason is simple: CentOS has stopped development. "It's embarrassing. Packaging itself isn't difficult, and most contributors can easily build a package for other distributions as long as they have access to the source RPM. I used to help Fedora with the packaging work myself." While there are occasional issues, "for the vast majority of packages, it's enough to make sure the source RPM is still updating."

Another obstacle is that whenever security patches need to be installed, the entire process must be repeated, and the distributor often does not explain why the package needs to be updated. "That's right, the maintenance burden has to be borne downstream."

Why can't Amazon Linux be upgraded in place from one release to the next? "We've always been committed to building a stable platform, and in-place upgrades aren't inherently stable," said Nalley. "It is very difficult to upgrade the underlying version of glibc or LLVM while maintaining stability and security between versions."

However, this problem mainly affects small-volume customers. "Well-architected customers are already using infrastructure as code to define what these instances look like, so it's easy to spin up new instances, move over the software that was deployed on the old instances, check that it works, and finally migrate the actual workloads. It's as simple as that."

So why did Amazon Linux 2023 take so long to be released? After all, Amazon Linux 2 is quite old and seriously outdated, and for a long time no successor had appeared. "There's a reason for that, of course," said Nalley.

"We don't want to release something that isn't ready yet. We are in the process of a radical realignment of the underlying distribution. Amazon Linux 2 maintains good security patches and support, which is a challenge for older products. And due to architectural issues, the release of Amazon Linux 2023 was later than expected, and we announced the postponement several times."

But Fedora is notoriously a fast-moving distribution, while Amazon Linux has a reputation for robustness. Will this create a conflict between the two? "It's definitely going to have an impact, unlike what we're used to with CentOS," said Nalley.

"But one of the things we love about Fedora is that it's always pushing innovation at breakneck speed. We feel that Fedora provides us with a better platform, and we will extend the support cycle to a level far beyond Fedora's official support. Fedora is really fast, and the new CentOS releases can't keep up with it."

Considering episodes like Elastic, which gave birth to OpenSearch, where is the relationship between AWS and the open source community heading?

According to Nalley, "Every company that uses open source software gets far more out of it than the resources it can put in. This is already a universal truth."

Every company that uses open source software reaps far more than they spend.

"I do think AWS's understanding of open source and the bilateral relationship is changing, and some of that change stems from our deep understanding of how open source has evolved. Historically, most open source projects have been entirely community-led, including the Apache web server and the Linux kernel, with people coming together around a common sense of mission. But many of today's innovative products are gradually shifting toward vendor-controlled open source projects. Of course, we cannot look at these two forms in the same way, nor can we expect similar results from both."

"Our understanding of open source has begun to shift, and we realize that every dependency must be matched with appropriate risk measurement and assessment. How can we ensure that the open source projects we rely on continue to exist and thrive in the long term? The Apache Web Server or Apache Tomcat is certainly worth trusting, but other vendor-led packages may call for different considerations. The essence of the problem lies in the diversity and health of communities. We are actively working on this issue in the hope of establishing more stable and reliable dependencies."

AWS itself has a number of open source projects, such as its SDKs, that are driven by in-house engineers rather than by a community. "When we release software, AWS uses open source for a number of reasons."

"One of them is that open source licenses are really easier to understand from an intellectual property (IP) perspective. If work under the Apache or MIT licenses is adopted, the company's lawyers find it easier to control and can pre-approve the introduction of these licenses. We've released a lot of projects under open source licenses, and we don't expect to build a community around them."

There are some exceptions, such as the AWS Karpenter project, which has now been contributed to the Cloud Native Computing Foundation (CNCF). "Microsoft has said they like Karpenter."

"But the premise for Microsoft liking Karpenter is that the project is not controlled by Amazon. So we had an internal conversation about how we could donate Karpenter to the CNCF. Now it's an incubating project and is nurturing its own community."

David Nalley, Director of Open Source Strategy at AWS and Chairman of the Apache Software Foundation.

According to Nalley, another AWS open source project that has been embraced in an "unexpected but satisfying way" is Bottlerocket, a lightweight container Linux distribution. "We developed this project to build Lambda on top of it. But there are also customers who are using it to try some great ideas that we never thought of."

Given the weak business models of many open source projects, is AWS worried? Nalley sighed and emphasized, "Every service team thinks about this when they look at their dependencies."

"Within AWS, we have established a clear concept of strategic open source projects. We require department heads within the service teams to report on the health of these projects on a quarterly basis. This is, of course, to ensure that the project owners remain focused on their own results. We don't want to see some particularly important technology being maintained by someone who lives in a basement and receives a subsistence allowance; that is not in the best interest of our customers."

How does AWS prevent tampering risks when consuming public open source projects? "Our Creator Experience team maintains an internal package repo," says Nalley, and it also reviews things like software** and licenses.

"This allows us to respond quickly to security issues and keep track of all the scenarios in which the software is used."
