Josh welcomes Mo Duffy from Red Hat to chat about project Lightwell. The idea is to leverage the resources and understanding Red Hat has built up over the years to help deal with the deluge of vulnerability reports that are overwhelming open source projects. Mo does a really good job of explaining why this is fundamentally a people problem, not a technology problem. But it’s a people problem we can probably use technology to help. It will be interesting to see where Lightwell goes in the next few years.
Episode Links
This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.
Episode Transcript
Josh Bressers (00:00) Today, open source security welcomes Mo Duffy, distinguished engineer at Red Hat, and a person I’ve been lucky to call a friend for many, many years now. It’s been a it’s been a minute. So Mo welcome to the show.
Máirín “Mo” Duffy (00:12) Yep.
Happy to be here. Thanks for having me.
Josh Bressers (00:16) No, I’m I’m really excited. So I I Mo is here because Red Hat announced something called Project Lightwell. I don’t know how long ago it’s been. It’s been a couple weeks at least. And I remember I saw this and I thought, I want to talk to someone about this because first of all, I think it’s really cool. I like Red Hat. I used to everyone anyone who listens knows I worked at Red Hat for a long time and and it was like a an awesome place to be. And additionally, I think there’s an important thing about this this topic is first of all.
Red Hat has a proven track record in this space of working with upstreams and f fixing vulnerabilities and bugs and all kinds of things. But then also since I since you and I scheduled this, there have been like ten other projects that have come out of the wood work to do this. So I’m like, this is bizarre to say the least. So anyway, I will let you give an intro. I’ll let you explain Lightwell a little bit and we’ll take it from there because this this is gonna be great.
Máirín “Mo” Duffy (01:07) too.
So, yes, I’m Mo Duffy the software engineer at Red Hat. I’ve been at Red Hat for, at this point, over 22 years. if you count my internship, long time, very passionate about open source software. I’ve done a whole bunch of stuff at Red Hat. I’ve worked mostly in Linux, but it was also worked on AI products. I do have in recent years, AI background. And recently I have been working with the intersection between AI and cybersecurity for open source software.
So that’s exactly where we’re going with Project Lightwell. Lightwell is something that Red Hat is looking to do to kind of combine our kind of AI prowess and our understanding of like agent software development life cycles for remediating issues in code and combining that with our upstream capability in order to work with upstreams for projects that may need a little help
Just basically, the end goal is you’re running open source software somewhere in your enterprise and now you’re worried about these new classes of AI models that are finding vulnerabilities that traditional like SAST scanners and DAST scanner have not found. You want to be protected, you want to be safe, you want to make sure your customers are safe. And because we have that upstream open source collaboration know how we can work to help
secure those libraries for you. So that’s sort of the program goal.
Josh Bressers (02:43) Okay, that’s a lot to unpack, I think. And I’m gonna pull us back a bit because you said a whole bunch of things that you and I understand. Probably all the Red Hat folks understand, but a lot of other people don’t necessarily understand. So let’s just talk about what the Red Hat development model kind of looks like in the context of we say words like upstream and downstream and customers, and I don’t think this is always clear. And I think the way Red Hat has existed for a long time is quite clever in the context of open source. And so just give us like the the nickel tour of
what that all looks like, kind of some of the relationships and how the development works.
Máirín “Mo” Duffy (03:16) Sure, so the way I like to explain it is it’s almost like the academic community. So if you understand the way the academic community works, you’re always building on the shoulders of those who came before you, right? Like, we don’t have people reinventing the basics of physics or reinventing calculus. Like, Newton invented calculus back in the day, and we’ve built a lot of stuff on top of that. Well, yeah, that’s just all of these things. There’s always questions historically of like, who really invented the thing? And that’s fair. But the one thing that does hold is that was invented sometime.
Josh Bressers (03:27) Yes.
Well, it depends who you ask. I’ve
Máirín “Mo” Duffy (03:47) and since then we’ve made a lot of progress and developments on top of that, right? So that’s how like humanity as a species, we have developed far beyond any one human lifetime because we’ve been sharing our discoveries and building on top of them. And part of the academic model is when you join the academic community, you’re working on novel research, you’re building on the work of others, and you’re contributing to that body of work of human knowledge so that others who come after you can build on top of what you created. So if you think about that, the notion of upstream
I am to put it back in the academic pool of knowledge for others to build upon. When I take my research and I submit it, often this is a conference presentation or a journal submission or something like that, I am putting it into the academic upstream, let’s say. And so if you are downstream
stream of this academic model, you are learning that information, you are applying that information to whatever you’re trying to do. So that’s sort of taking an academic analogy. So then if we go into the world of software, open source software, very similar to like academic journals, anybody can access them. Well, okay, there are some issues with that. But, you know, in terms of like costs and access and things like that, but generally knowledge should be free, right? And so with open source, we believe that the
The code should be free. You should be able to access and examine and be able to modify the code that runs the technology that you rely on. So you have agency over that technology. If it’s a black box, that technology has an impact on your life, on your business, on society. And if those impacted by the technology have no way to influence or even examine that technology, that’s a real problem. So open source kind of…
The idea is we share our discoveries, we just share our learnings. If we invent some new piece of software that helps people, we share it freely for others to build upon. That’s how you get frameworks and new ways of doing things that many pieces of software can benefit from because they’re shared out. Now, when we talk about like say downstream versus upstream in the open source community, basically let’s just say I grab something from
the open source universe. grab some Python library and it’s handy and I use it as a basis of creating some new tool and then I will release that tool upstream into the open source community that makes it publicly available, that enables other people to contribute to it, that enables other people to work with me and collaborate rather than holding it to myself and keeping it myself. So think of it as I’m almost like submitting it to a
public academic journal or I’m submitting it to a public conference so other people can know about it. Then downstream is I will take that code that I submitted upstream and I might package it up. I might make it really easy to use. I might deploy it on a piece of hardware, but I’m basically productizing it or I’m using it in some other way downstream. So that’s sort of like, you know, upstream, you’re not going to get a warranty upstream. There’s not really money exchanging hands. It’s
just an open collaborative community project. Downstream is where you see commercialization of the software, you see productization of the software, and that’s where mere mortals who may not understand how to code can take advantage of the technology because somebody has put in that work downstream to make it consumable, to provide you support, to provide you training, those sorts of things. And that’s how you make money in the open source world is sort of productizing that code.
Josh Bressers (07:40) Yeah, for sure. And I also want to stress Red Hat has historically done, I think, a very good job of kind of bridging the gap between upstream and downstream, where they’ve contributed back, they’ve hired a lot of engineers. It’s definitely, I think, one of the better ways to handle a lot of this. Whereas I think we hear of a lot of organizations, you know, strip mining open source or it feels like they’re taking advantage of open source. And I don’t think I’m sure this is a contentious opinion, but in my
biased opinion and what I’ve observed. I do think Red Hat gets a lot more right than they get wrong in this space.
Máirín “Mo” Duffy (08:15) Yeah, feel Red Hat’s philosophy. So there’s an economist who had been part of Bill Clinton’s cabinet. His name is Robert Reich, if anybody’s read his books or his writings. Yeah, he is.
Josh Bressers (08:24) His he’s like prolific on social media and he’s awesome. Yes.
Máirín “Mo” Duffy (08:28) Yeah, and I won’t get political, but I’ll just say he has a very specific, he calls it the, I think it’s the circle of, virtuous circle of economics or something like that, where it’s basically like you have to put money into the economy and to give a little bit for it to grow. And so like the idea is with Red Hat.
We don’t just say, look, this free code out there, let’s just make products and make money off of it. Right. Like we invest in it. And when we productize an upstream open source project, and by the way, there are many projects that originated at Red Hat or originated by Red Hat engineers, but we also work with projects we didn’t originate as well. And we’ll help support them. If we decide strategically, that’s what we want to do. Then that’s something our customers have an interest in having productized, but we will go into these projects. We will downstream productize them.
We will make money and then we will reinvest that money in the project and then investment may look like for example like sponsoring the open source foundations that back those projects it may look like Hiring engineers to work on them full-time it may involve You know just simple thing like sponsoring their conferences or whatnot or you know Just just committing to build out a roadmap and to assist that project to work and I have to say like it’s a really interesting
model because when you reinvest in these things, if you’re reinvesting in the upstream, if you think of a stream of like, this is a water flow, right? So like here up in the mountains, that’s where the stream originates, right? And my city is downstream of that. If I take care of that mountain, when I’m drinking my drinking water, it’s going to be cleaner, it’s going to be healthy, it’s not going to be polluted, right? If I neglect this and I’m just taking the water that comes down and I’m not protecting it, then, you know, I might have pollution seep into my water issues like that.
Josh Bressers (09:57) Yes.
Máirín “Mo” Duffy (10:17) So that’s that part of that virtuous cycle that Robert Reich talks about when you reinvest and you make it strength. It kind of grows the pot, if that makes sense. And it’s also a really interesting, as an intern at Red Hat, this is back in 2004.
I worked on the GNOME project. It was really interesting for me, like fresh out of college, I’m interacting with folks who are Red Hat peers, who worked at the time Novell, who worked at Intel, and we’re all just like engineer to engineer figuring out problems, and it’s like across company lines. That’s a really cool thing, and that’s where I think it relates to the academic model lot too, because you’ll see researchers working on a problem from different universities, right? Really, the core focus is we want to solve this problem the best possible way.
That’s part of that when you have more people collaborating, more perspectives, I feel the technology is going to be better. You’re going to have stronger outputs of the process versus it just being one siloed company with the source code not examinable by anybody outside of that, if that makes sense.
Josh Bressers (11:25) Yes,
a hundred percent. So now, what is Project Lightwell? And how does that fit into this whole thing?
Máirín “Mo” Duffy (11:31) Sure. So I would say the way that I would position it is we have since, I would say the announcement of mythos and when we started seeing, sort of of that, that model grade findings for AI. Well, let me backtrack a little bit. let’s just say, I’ll make a general statement. AI has impacted open source development in many ways, right?
We have AI slop hitting projects now. A lot of weird factors around that.
from code to bugs to PRs being filed that are all AI generated, not necessarily following project guidelines. And it’s a lot of output hitting projects and projects don’t necessarily, because many projects are volunteer coordinated, not all, but many. And even for like corporate backed projects, they don’t necessarily budget out time to review say 100 PRs in a week, which is honestly with AI, you could do 100 PRs in a couple hours.
to be less. And it’s the it used to be patches accepted, right? So like if you would go into an open source project and complain like, well, why doesn’t it do this? well, patches gratefully accepted because that takes you to put some skin in the game to actually enact the thing. Now with AI, you have some wild idea. The AI will just generate a patch, whether or not it’s of great quality. And it is a labor. It is a lot of work to review that, especially when the AIs aren’t following best
Josh Bressers (12:48) Yeah, yeah.
Máirín “Mo” Duffy (13:10) Practices
in terms of like atomic commits have your commit messages make sense. Don’t give me a PR That’s like a million lines of code. So there’s that there’s the AI Bug filing and I think my measure and Josh I’m interested in your take on this my measure of how this stuff goes is I follow follow Daniel Stenberg from the curl project where he’s talking Yeah, he talks about he’s almost like the barometer of like, okay We’re getting flooded with AI bug reports and they’re all garbage
Josh Bressers (13:32) He’s really good.
Máirín “Mo” Duffy (13:41) we’re getting flooded with AI reports and they’re actually good.
Josh Bressers (13:44) Okay, so I mean, that’s an important
data point though, because if you look at what Daniel’s talked about is maybe a year plus ago now, he was complaining about a lot of AI slop, especially security reports. But that is kind of done a one eighty and i the the AI tooling has started creating much better security reports. And this is something I mean I’m seeing personally at work and I know a lot of other open source projects are seeing as well, and especially curl. In fact, what is we are recording this on July first.
And this is Daniel started his month of bliss, where he’s taking zero security reports and he’s not doing any security work on curl for a month because they’re quite frankly just burnt out, which I think is amazing. And I’m I’m really excited for when this is done because I really want to talk to him and be like, So how’d it go? What happened? But but I think this is I mean, this is the reason I was so interested when you announced Lightwell is the ability for
Máirín “Mo” Duffy (14:30) Right.
Josh Bressers (14:38) The AI tooling to find security vulnerabilities has increased dramatically in the last couple of months. And like mythos or not, the tooling is getting better. And this is like it doesn’t matter whether you love AI or hate AI. Like this is a real thing and it is a real problem, especially in the world of open source. And so I’m very keen to understand like what are we going to do? Because right now, if nothing changes, the outcome is we burn out all of the open source maintainers and they quit. Which is
Literally the worst possible outcome.
Máirín “Mo” Duffy (15:10) We can’t have that. just can’t. Open source is too critical for…
Josh Bressers (15:12) Yeah, yeah.
Máirín “Mo” Duffy (15:17) so much of our economy, of society, like we have to protect it. I would say, by the way, yes, those past two months or so, maybe a little bit longer, where things, the reports have gotten better, there’s a number of factors with that. And part of it is the grade of model, sure. Part of it is people getting more sophisticated about the harnesses with which they’re running the models. I think harness development is honestly sometimes more of a factor than the actual model you’re using.
Josh Bressers (15:39) Yes.
Máirín “Mo” Duffy (15:47) Right. even if you can do a multi-model system, because the different models have different like personalities in terms of like what types of vulnerabilities they’re best at doing and like they have strengths and weaknesses. And so if you can kind of treat them like a team in the same way that people will launch different agents with different personalities, the different models had different personalities too. So if you can route to the correct model for the type of thing you’re trying to research through your harness, you can get better results. The other thing is context. Right. So one of the things, for example, like
Josh Bressers (15:47) Yes.
Máirín “Mo” Duffy (16:16) Does your project have a security.md? Does your project have documented trust boundaries? Does your project have any sort of extra context and metadata about like, how is this deployed typically that you wouldn’t get from just reading the source that like a human understanding, how is this code actually used in the real world? What are the trust boundaries? How do we organize things? What is the bar for like, what counts as a security issue? The glibc project has a very nice security MD by the way. And I point a lot of projects at that one is like a good standard to follow.
Josh Bressers (16:31) Yes.
Máirín “Mo” Duffy (16:47) So that kind of context being developed around open source projects, I think will help them because when the agent scans their repos, and by the way, like they’re all out there, they’re all accessible. There is, and I’m sure you’re well familiar with this Josh, is sort of some of the perverse incentives around CVEs and finding vulnerabilities. Like I’m sure there are people that are like, Ooh, look, I got my new AI agent. Let me go find some stuff and become famous. Like I do think that’s a motivator.
for some. And so the easy target is kind of famous critical open source projects and the code is out there for them to scan. I think the more context that those projects can make available within the source tree that these agents would scan, the less false positives and the more useful results you’ll get. And I think some projects are doing that and that may be why the results and like the reports are getting are better is because they’ve put that context in the view of agents that are getting points.
Josh Bressers (17:40) Yes.
Máirín “Mo” Duffy (17:46) at their projects. there’s a lot of like it’s the context, the models, the harnesses, all of these are factors and like sort of some of the shifts we’ve seen in recent months. Now for Lightwell, what we’re looking to do is there are some projects that are, you know, Linux kernel, curl, glibc, like those are ones where they would be an easy target, people are pointing their scanners at. There are other projects that maybe let’s say are less
exciting that enterprises rely on that maybe aren’t getting that attention, that need help. We need to figure out, so we’ve discovered this vulnerability, an AI agent found it, no tools that are currently in the ecosystem right now have found it. What can we do to help shore up those libraries to help generate fixes for these findings and get them in a way that’s safe?
government has done an executive order about these clearing houses around AI cybersecurity. Is that something you’re familiar with? Okay, there was an executive order establishing this idea of having clearing houses for critical infrastructure.
Josh Bressers (18:55) I have no idea you’re talking about actually.
Máirín “Mo” Duffy (19:06) who may be using open source libraries that may be vulnerable in ways that are exposed by these AI agentic systems. And the idea is could these critical infrastructure organizations somehow collaborate? Because here’s the idea, right?
When anybody has access and this is why you’ve seen probably news items about like the US government limiting access to fable And then but you know with mythos before it Yeah, hey, all right, so Okay But I think some of that was saying well listen like there’s critical infrastructure that could be impacted by these super powerful models that are out there
Josh Bressers (19:37) Which which ironically it’s back today, I’m told, so
That’s what I heard. I’ve not checked yet, but supposedly it’s back on.
Máirín “Mo” Duffy (19:56) Maybe we should think before we open, like let the genie out of the bottle on this, because if the bad guys have the same tools, you know, if you can scan using one of these models and harnesses to find a vulnerability, they can also generate exploits. And then if you have exploits in the wild, like pre-zero day, that’s a little bit scary, right? So there’s…
There’s a lot tied up in this stuff. And like I said earlier, there’s a lot of society and economy and countries relying on open source. So like we can’t have it fail. So part of Project Lightwell is to provide organizations relying on these libraries that need fixes for these things. In some cases, there are older versions of libraries too. Like maybe they’re not the most recent version. Let’s get them patches so that the people who rely on that critical infrastructure are safe.
So that’s the thought about it. And using Red Hat’s community and upstream collaboration know-how so that the broader open source ecosystem is also protected. Because it’s one thing to say, okay, well, I will patch this stuff for you. Let’s exchange money. Here’s your patches. Have a good day. And not share it generally with the ecosystem because then you’re going to have problems, right?
one, it’s like, well, okay, so I got patches for this vulnerability that I found an open source library, some vendor gave me the patch for it. But let’s say upstream patches it a different way. They decided to go a different way. Now you’re carrying a fork that has its own risks, right? Like you would prefer, and this is part of Red Hat’s SDLC with working with upstream communities, upstream leads the way, right? Like we’re not, we try to minimize to as little as possible any sort of
forks or patches we carry on top of Upstream. It’s much better to contribute upstream, just like I said with the academic model, right? Like you don’t want to hide some discovery that doesn’t help us all progress forward. And it’s also easier maintenance if Upstream can carry a thing and you can have a shared responsibility within the community to maintain it. You don’t want to be carrying something on your own. You want to share the resources available around that project. I think a critical part of securing open source is making sure that
the security patches are also upstreamed and we have that capability.
Josh Bressers (22:26) Yes. And
one of my favorite examples of this actually is so this is one of the things I used to do when I was at Red Hat, way back in the days. This was like two thousand four, two thousand five timeline. Is the we called it the secure not it wasn’t called product security back then. I think we called ourselves a security response team. But we would go to upstreams and say, like, here’s the vulnerability, and we would try to make patches. And it was always hilarious to me that
The patch I thought was the correct fix. The upstreams would be like, Nope, that’s not the right way to fix this. We actually need to do this other thing instead. And so I think this is one of the things when I see all these, you know, organizations saying, we’re gonna use AI to patch vulnerabilities and and we’re gonna fork it and do our thing. It’s like, Are you though? Like
Máirín “Mo” Duffy (23:10) Yeah.
And it takes that human relationship with the upstream to understand, because honestly it’s open source is not kind of a standardized set of regimented what like each project has its own personality. Each project has its own set of standards. One project may like atomic commits. One project may have its own idea. One project may follow some formatting, know, linting process, and another one might reject or commit if you use that.
So you have to have the human relationships or be able to have the skill set to generate those human relationships, to be able to have that collaborative exchange and make sure that you are solving these issues in a way. Because at the end of the day, like I said, like you have downstream and that’s the product ties and that’s like the commercial end of open source. But then you have the upstream community and it’s the upstream community that’s the ultimate sort of like owner or maybe the better term would be caretaker of the.
software. And so you don’t want to build something that upstream can’t maintain. And so that’s where they get to dictate like, know, Hey, Josh, that patch was very interesting, but that’s not the way we do it, buddy. We’re going to do it this way. They’re ultimately responsible for caretaking that code. So it has to be done their way. And you need those human relationships at scale, the scale we’re talking about in terms of like all of open source, having issues, especially the enterprise focused libraries.
Josh Bressers (24:12) Yeah, yeah.
Máirín “Mo” Duffy (24:41) That takes a scale that’s kind of hard to beat in terms of what Red Hat has built over multiple decades in many, many parts of the open source ecosystem. yeah, mean, agents aren’t going to solve that. And if you think about it on the upstream receiving side, if I get some message from some agent, hey, you have the security issue. Here’s the, like, I’m going to be like, some projects will just auto close it if they can determine it wasn’t filed by a human. Right.
Josh Bressers (25:04) Yes.
I don’t blame
Máirín “Mo” Duffy (25:11) you
Josh Bressers (25:12) them for that because I will also say one of my complaints is I’ve gotten an enormous number of clearly AI written vulnerability reports over the last couple of months. And they are they’re they’re almost infuriating to me because it they’re very long and it’s like, I feel like you’re wasting my time. Why am I reading something you didn’t write? You know what I mean? And it just kind of
By the time I get to the end, I’m like, I am grumpy. I’m going to go do something else before I reply to this email because nice things will not be in this reply if I do it right now.
Máirín “Mo” Duffy (25:45) It’s like a chef taking random stuff from the fridge, throwing it in a blender, and then serving it to you without even like taste testing it, nevermind curating the ingredients, right? It’s like, that is the labor, that is the work. That curation, the quality checking, the standards, the looping back and iterating, that’s the work. Like pressing a button and having the blender spew stuff together is not the hard part.
Josh Bressers (25:53) Yes.
Yeah, yeah.
This is a marvelous
analogy and I’m totally stealing it ‘cause it’s so good and it’s disgusting.
Máirín “Mo” Duffy (26:15) feel free. It’s disgusting.
And by the way, that’s what my kids do and they serve it to me.
Josh Bressers (26:20) I I yeah, yeah.
I mean as as a parent you have to eat the terrible things your children make you and then t tell them it’s good.
Máirín “Mo” Duffy (26:26) with a smile.
honey, beets and bananas and peanut butter.
Josh Bressers (26:35) Yeah, they’ll they do reach an age where you can
be like, This sucks, I’m not eating it. Like, but anyway, okay. So now here’s my here’s so here’s my question about all this, right? And I think this is maybe the the million dollar question for Red Hat is we’re talking about a lot of volume. like what what what is the vision? Are are you thinking the reports will come to Red Hat to deal with this? Is Red Hat doing the work to look for these things? You know, and and if they’re like how are you gonna s cope with scale? Like how do you expect ‘cause like
Máirín “Mo” Duffy (26:39) Yeah.
Josh Bressers (27:02) One of the challenges I think Red Hat has always had with open source is it it scales kind of linearly because of that human aspect of this, right? And this is a problem that is not scaling linearly at the moment.
Máirín “Mo” Duffy (27:09) Right.
So I would say here’s how I would position it, right? And I think a lot of the vendors in this space right now are using agentic AI. We’re no different. We have that prowess in-house. What we add to it is the human element. What we add to it is the ability to train and curate the agents in a way that is more, I would say, friendly to upstreams. I’d also say we have a lot of expertise. Like right now, we’re working in the Java and Python ecosystems.
We have that expertise. You probably remember when we acquired JBoss back in like 2006 or something. Those folks are in-house. We’re working with them. We have a lot of Pythonistas in-house. And so part of it is building the agent system to automate the remediations, to automate the triage remediations. Because there’s also stuff too, you’ll have, we’re working with a bunch of customers who are design partners in this endeavor. And honestly, like there is no shortage
Josh Bressers (27:48) I do remember that. Yes.
Máirín “Mo” Duffy (28:13) of vulnerability findings. So right now we’re not, I mean, for our own products, we have a robust AI vulnerability scanning program. But for these, these are libraries that are outside of our portfolio for the most part. Our design partners are coming to us with vulnerabilities they have found. We are examining those. We are working through an agent system that we have built to remediate them. And that’s kind of a lot of the context and
Josh Bressers (28:16) Yeah.
Máirín “Mo” Duffy (28:43) know how that we have as practitioners in the open source space for decades now is things that we are building into that pipeline. As we’ve progressed and developed it and it’s matured, we’re looking at the outputs, we’re providing context and feedback. It’s sort of an iterative loop that we do, sort of a broader outer loop that we do to improve the results so that I would say there’s a lot of menial tasks as part of like backporting fixes, as part of
generating
new fixes and triaging things that we’re looking to automate based on know-how. And then for the bits that are tricky, those get escalated to human subject matter experts to make sure that they’re implemented. I mean, that’s just the general. any building, any agentic system, these are the things you have to do. You just start your rough process. Yeah. Well, I don’t know how do you do it without doing these things. I guess you’re just, you know.
Josh Bressers (29:34) These are the things you should do. Like
All right, Mo, I think it’s time to to land this plane. So I’ll give you the floor. Tell us anything you want us to know, anything you think we might have left out. Just kind of what’s going on with with Lightwell and Red Hat and and it’s it’s a cool project. I’m excited to see where it goes. So the floor is yours. Take us home.
Máirín “Mo” Duffy (29:56) Sure.
So I would say, and you can read this at redhat.com, we have a Project Lightwell landing page there. It’s redhat.com slash lightwell. There’s some information about what we’re doing. The initial investment between Red Hat and IBM is 20,000 engineers dedicated to the effort. We have a sign up system on that page. So if you wanna sign up for more information as we have more announcements that come out, it’s a good place to sign up and get more information.
And of course being Red Hat, are, upstream communities and foundations are very important to us. you know, recent things like Project Akrites that was announced by the Linux Foundation, we are involved there. And I’m sure that that’ll play a role in this entire effort of securing open source. And I want to say that like generally, the end goal here is to keep people safe, right? It’s to protect people. It’s to make sure that open source is really the most secure technology solution.
for people around the world. And I would say due to its open nature, like with all these scanners able to point at these code bases, to access the source, to be able to do these assessments, it’s gonna be a bit of like waves of like, you know, as new capabilities come out, as new developments and models come out, there’ll be sort of waves of like reports. We’ll deal with them. We’ll get better over time. And there’s also this fight fire with fire element where if it’s AI agents generating these
findings we’re going to need at this scale, at this velocity, we’re going to need to be able to use AI agents to sort of push back and handle it at that scale. And I think as time goes on, we will develop that because we have collaborators across vendors, across organizations, across open source communities. I think we’ll get there. I think in the end, open source software is probably going to be the most secure software out there because, you know, the old saying was
open source software is, many eyes make bugs shallow. now some of those eyes are agents and those agents are getting more powerful over time, but that’s what’s examining open source software. If your software is closed, you’re not getting the benefit of that. And I know that at this point with all the stress of this stuff, some people might question if that’s a benefit, but I think in the end, open source is going to win here. It is going to be more secure. It’s going to be the best technology choice just for everyone downstream of the technology to be safe.
be able to get their jobs done.
Josh Bressers (32:28) Look, I’m
gonna end it with it already won, it’s already more secure, and it’s already the default technology source. There you go. There you go. I like it. Now with thirty percent more security. Mo, it has been a treat. It has been awesome to catch up. Thank you so much. I’m very excited to see where this goes. We’ll have to have you back maybe in a couple months or a year and and see if it I I g I guess hopefully it’s a raging success, right? ‘Cause I feel like we can’t afford to screw this one up. So yeah.
Máirín “Mo” Duffy (32:32) True, true. It’s gonna be even more, now with more.
We can’t.
Open source is too important.
Josh Bressers (33:00) For sure, for sure. Awesome. Thank you so much.
Máirín “Mo” Duffy (33:03) pleasure. Thanks, Josh