The New Stack Podcast

How Boeing Uses Cloud Native

Episode Summary

In this latest podcast from The New Stack, we spoke with Ricardo Torres, who is the chief engineer of open source and cloud native for aerospace giant Boeing. Torres also joined the Cloud Native Computing Foundation in May to serve as a board member. In this interview, recorded at KubeCon+CloudNativeCon last month, Torres speaks about Boeing's use of open source software, as well as its adoption of cloud native technologies.

Episode Notes

While we may think of Boeing as an airplane manufacturer, it would be more accurate to think of the company as a large-scale system integrator, one that uses a lot of software. So, like other large-scale companies, Boeing sees a distinct advantage in maintaining good relations with the open source community.

 

"Being able to leverage the best technologists out there in the rest of the world is of great value to us strategically," Torres said. This strategy allows Boeing to "differentiate on what we do as our core business rather than having to reinvent the wheel all the time on all of the technology."

 

Like many other large companies, Boeing has created an open source office to better work with the open source community. Although Boeing is primarily a consumer of open source software, it still wants to work with the community. "We want to make sure that we have a strategy around how we contribute back to the open source community, and then leverage those learnings for inner sourcing," he said.

 

Boeing also manages how it uses open source internally, keeping tight controls on the supply chain of open source software it uses. "As part of the software engineering organization, we partner with our internal IT organization, to look at our internet traffic and assure nobody's going out and downloading directly from an untrusted repository or registry. And then we host instead, we have approved sources internally."

 

It's not surprising that Boeing, which deals with a lot of government agencies, embraces the practice of using software bills of material (SBOMs), which provide a full listing of what components are being used in a software system. In fact, the company has been working to extend the comprehensiveness of SBOMs, according to Torres.

 

"I think one of the interesting things now is the automation," he said of SBOMs. "And so we're always looking to beef up the heuristics because a lot of the tools are relatively naïve, and that they trust that the dependencies that are specified are actually representative of everything that's delivered. And that's not good enough for a company like Boeing. We have to be absolutely certain that what's there is exactly what we expected to be there."
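
The gap Torres describes, an SBOM that lists the declared dependencies while the delivered artifact contains something else, can be checked by hashing what actually ships and comparing it with the SBOM. The sketch below is an added example, not Boeing's tooling or code from the podcast; it assumes a simplified CycloneDX-style JSON with `file` components that carry SHA-256 hashes, and all file names and contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_delivery(sbom: dict, root: Path) -> dict:
    """Compare the files actually present under root with what the SBOM declares."""
    # Declared view: relative path -> SHA-256, or None when the SBOM records no hash.
    declared = {}
    for comp in sbom.get("components", []):
        digest = next((h["content"].lower() for h in comp.get("hashes", [])
                       if h.get("alg") == "SHA-256"), None)
        declared[comp["name"]] = digest
    # Delivered view: hash every regular file that really ships.
    delivered = {p.relative_to(root).as_posix(): sha256_hex(p.read_bytes())
                 for p in root.rglob("*") if p.is_file()}
    shared = declared.keys() & delivered.keys()
    return {
        "undeclared": sorted(delivered.keys() - declared.keys()),
        "missing": sorted(declared.keys() - delivered.keys()),
        "modified": sorted(n for n in shared if declared[n] not in (None, delivered[n])),
        "unverifiable": sorted(n for n in shared if declared[n] is None),
    }


def demo() -> dict:
    """Audit a constructed delivery against a constructed SBOM (assumed layout)."""
    def comp(name, data=None):  # data=None: component declared without a hash
        hashes = [{"alg": "SHA-256", "content": sha256_hex(data)}] if data else []
        return {"type": "file", "name": name, "hashes": hashes}
    files = {  # constructed sample delivery
        "vendor/libfoo.so": b"libfoo 1.2.0",
        "vendor/libbar.so": b"libbar 2.0.1 (rebuilt)",   # content differs from SBOM
        "vendor/helper.so": b"bundled, never declared",  # shipped but not in SBOM
        "LICENSE": b"license text",
    }
    sbom = {"bomFormat": "CycloneDX", "components": [
        comp("vendor/libfoo.so", files["vendor/libfoo.so"]),
        comp("vendor/libbar.so", b"libbar 2.0.1"),
        comp("vendor/libbaz.so", b"libbaz 0.9"),  # declared but not shipped
        comp("LICENSE"),
    ]}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in files.items():
            Path(tmp, name).parent.mkdir(parents=True, exist_ok=True)
            Path(tmp, name).write_bytes(data)
        return audit_delivery(sbom, Path(tmp))


if __name__ == "__main__":
    print(demo())
```

The `undeclared` and `modified` findings are the ones a dependency-manifest-only SBOM tool would never surface, because it never looks at the delivered bytes.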

Cloud Native Computing

While Boeing builds many systems that reside in private data centers, the company is also increasingly relying on the cloud. Earlier this year, Boeing signed agreements with the three largest cloud service providers (CSPs): Amazon Web Services, Microsoft Azure and the Google Cloud Platform.

 

"A lot of our cloud presence is about our development environments. And so, you know, we have cloud-based software factories that are using a number of CNCF and CNCF-adjacent technologies to enable our developers to move fast," Torres said.

Episode Transcription

Colleen Coll  0:08  

Welcome to this special edition of The New Stack Makers: On the Road. We're here at KubeCon North America, and discussions from the show floor with technologists giving you their expertise and insights to help you with your everyday work. KubeCon and CloudNativeCon conferences gather adopters and technologists to further the education and advancement of cloud native computing. The vendor-neutral events feature domain experts and key maintainers behind popular projects like Kubernetes, Prometheus, Envoy, CoreDNS, containerd, and more.

 

Joab Jackson  0:46  

Hello, and welcome to the latest edition of The New Stack Makers podcast. This week we are in Detroit at KubeCon. And we have joining us Ricardo Torres, who is the chief engineer of open source and cloud native for Boeing. Hello, thank you. Thank you for taking time to talk to us about open source cloud native and how it's used by Boeing. First of all, everybody knows the name Boeing, and I think Boeing airplanes. But what does Boeing do?

 

Ricardo Torres  1:18  

Yeah, you know, we like to say that we protect and defend what's important from seabed to space, you know, so we frame ourselves as an aerospace company, first and foremost. But beyond the aircraft, we also have a large amount of software. And so that's where I am as part of the organization as part of our software engineering organization.

 

Joab Jackson  1:34  

Nice. Nice. And I know, as the government contractors, military contractor, initially, a lot of companies were kind of wary of open source, but now there seems to be an acceptance. So let's delve into that. First of all, now, how did you yourself get involved in open source?

 

Ricardo Torres  1:51  

Yeah, so same story, right? So defense is very wary of it. And so like most software developers, though, I started as a consumer, or you start bringing in third-party dependencies to get the job done. And so then it just becomes a question of involvement, right? Is it sooner or later, even if you're just a software developer, you're going to want to patch something, right, there's gonna be a bug that you're gonna have to fix. And that's how it started with me. So you know, at the time, we were using a plugin for Jenkins, and I needed to go ahead and just submit a fix. It wasn't being maintained. And so I had to get maintainer privileges on that particular repo. And, you know, and it was great. It was a good opportunity for me to get involved, huh, nice.

 

Joab Jackson  2:27  

Nice. So, at the time, what was Boeing sort of involved with open source? And how has that evolved over time?

 

Ricardo Torres  2:35  

Yes. So Boeing actually has a long history with open source, just maybe not a big history so far, right. And so that's one of the things that we're looking to change. We actually have a project under the Eclipse Foundation already that we actively support, and we employ the maintainers of. So it's called OSEE. It's basically a tool for model-based engineering around the Eclipse platform. And so, you know, it's just a question now of us evolving, and we're looking to be part of the emerging technologies or things that are a strategic value to the company.

 

Joab Jackson  3:03  

What is the value of open source for Boeing? You guys got plenty of money?

 

Ricardo Torres  3:08  

Yeah, you know, I think Kelsey Hightower has said something to the effect of "different companies, same team." And so us being able to leverage the best technologists out there in the rest of the world is of great value to us strategically. And then we get to differentiate on what we do as our core business, rather than having to reinvent the wheel all the time on all of the technology.

 

Joab Jackson  3:25  

All right, nice, nice. And Boeing joined the Cloud Native Computing Foundation. Last May, I believe it was earlier this year in May. What were the reasons behind that?

 

Ricardo Torres  3:36  

Yeah, so like I said, it's strategic alignment, right. And so us, like most every other company that has large amounts of data, or is in computing, has moved a lot to the cloud. And so for us, cloud native still represents a significant on-prem presence, but also in April, we announced major partnerships with all three of the largest CSPs. And you know, so we have a footprint there as well. CSPs, I'm sorry, CSPs are cloud service providers. We announced major contract agreements with AWS, Microsoft Azure and GCP as well.

 

Joab Jackson  4:04  

Okay. Generally speaking, what do you use the cloud providers for? Is it for runtime stuff with the equipment? Or is it for development? Or?

 

Ricardo Torres  4:13  

Yeah, so traditionally, Boeing software is kind of procured as a byproduct of procuring Boeing hardware. So for the most part, definitely not exclusively, but a lot of our cloud presence is about our development environments. And so you know, we have cloud-based software factories that are using a number of CNCF and CNCF-adjacent technologies to help enable our developers to move fast.

 

Joab Jackson  4:35  

So you could say Boeing is cloud native,

 

Ricardo Torres  4:38  

huh? That's right. Building for the clouds, building for the clouds.

 

Joab Jackson  4:41  

Terrific. Now, so you guys opened an open source office? That's correct. So why do that? Why would a company open an open source office?

 

Ricardo Torres  4:51  

Yeah. So you know, I think the TODO Group has a lot to say about this. I think for us, it's about formalizing how we're going to interact with the open source community. You know, for us, we will always be primarily a consumer. I would argue that most companies will always be primarily consumers. So that's one of the core tenets, is how we manage that. But additionally, we want to make sure that we have a strategy around how we contribute back to the open source community, and then leverage those learnings for inner sourcing.

 

Joab Jackson  5:14  

So what are the benefits of contributing

 

Ricardo Torres  5:16  

back? Yeah, so it's really about mindshare, demonstrating to our customers also that, you know, we are in these spaces, we're talking the talk, we walk the walk, you can see it in an open community, open forum. But additionally, of course, we're competing for all the same talent that everybody else is. And so it's a great recruitment and retention tool.

 

Joab Jackson  5:34  

Oh, nice. Nice. Terrific. Now, I would imagine that Boeing has a lot of different divisions, departments, and there might be open source projects or open source usage across them. How does an open source office for a large company, find and coordinate all these efforts?

 

Ricardo Torres  5:50  

Yeah, so yeah, we do have lots of different organizations. So internally, as part of the software engineering organization, we partner with our internal IT organization, we work together to first look at our internet traffic and assure nobody's going out and downloading directly from an untrusted repository or registry. And then we host instead, we have approved sources internally. And we work through that.

 

Joab Jackson  6:14  

So how does that which office does that? How does that work?

 

Ricardo Torres  6:17  

Well, so the OSPO is working together with IT. So we are working to automate a lot. And so traditionally, a lot of it has been a manual process. And so that can be error prone, it can be really long lead times. And so right now, we are actively working to automate all

 

Joab Jackson  6:30  

of that. So the team will identify here, the open source projects you had mentioned, Jenkins, I believe, and you have like a gold distribution that you have certified through?

 

Ricardo Torres  6:39  

Oh, you know, actually, so that was a long time ago, with my own personal involvement with Jenkins. Right? Now, we use any number of open source projects. And so it's usually not a separate distribution, it's so much more than it is actually scanned or compliance and security scans to be brought into the perimeter. And then internal developers can actually pull from an approved source. We just host internally.

 

Joab Jackson  6:59  

Nice, nice. Yeah. So I would imagine that you have a lot of governance, both internal and cover mandates and commercial mandates. How does that interact with the open source world?

 

Ricardo Torres  7:10  

Yeah, I mean, so it's directly relevant. So first, to our benefit, the US government in particular is becoming a lot more forward leaning with regards to their embracing of open source. Okay, so that's something that makes it easier for us. However, obviously, security remains a challenge. And so that's why I remain really focused on securing our software supply chain. But so in terms of how it works, we have multiple scans that we do both for security and for licensing. And so once we bring something in the perimeter, that's the first thing that we do. Once it clears those scans, we will go ahead and host it internally for internal use. And then we'll continue to monitor its use so that if something like, say, a Log4Shell event happens, we can know who's consuming that internally, make them aware and help provide them a path for patching it does.

 

Joab Jackson  7:51  

I know you guys can endorse particular open source projects. But are there tools that will help you build out the supply chain,

 

Ricardo Torres  7:58  

So the Open Source Security Foundation is adjacent to the CNCF. It's one that, you know, we're actively monitoring. They have a great project in Sigstore. I think that the way that it handles attestation is very important to the supply chain story. And so that's one that we're tracking as well. You know, that space is still really developing rapidly. And so I don't know that anybody has an end-to-end solution at this point.

 

Joab Jackson  8:22  

Yeah, I'm very interested in this, because the software bill of materials is kind of a recent thing for a lot of companies. And I would imagine you guys would be way ahead of the curve on that front.

 

Ricardo Torres  8:33  

You know, and there are still things for us to learn there as well, you know, we've definitely used a bill of materials, software bill of materials we've definitely delivered as well. But I think one of the interesting things now is the automation. And so we're always looking to beef up the heuristics because a lot of the tools are relatively naive, and that they trust that the dependencies that are specified are actually representative of everything that's delivered. And that's not good enough for a company like Boeing, we have to be absolutely certain that what's there is exactly what we expect to be there.

 

Joab Jackson  8:58  

Have there been software projects that you're, you're not really sure the origin of and so you may be wary of using?

 

Ricardo Torres  9:07  

Yeah, and so that would depend on the specific customer. But there've definitely been cases where, whether it's an unfriendly government, or we think that the supply chain might have been tampered with by just an unfriendly individual actor. Those are kinds of things that get raised from time to time, and then maybe wouldn't clear a certain process to go into a specific product.

 

Joab Jackson  9:23  

Interesting. Interesting. So Boeing is both enterprise itself, but it's also a large scale integration company, and a lot of open source projects. They scratch an itch, and they're like, Well, this is good, we need this. But could you offer some advice for the smaller but useful open source projects? What do they need to keep in mind when dealing with integrators and deal with the enterprise?

 

Ricardo Torres  9:48  

Yeah, I think it's really important, just anyone that's dealing with software, to focus on solving the problem. And unfortunately, there are a lot of tools out there that can overcomplicate that, and so sometimes you're gonna find something that is much more than what you really need to scratch the itch, and it may not be worth the cost of adoption then, and not necessarily dollars, because we're talking about open source. Right. Right. But in terms of time and effort, so keep it simple. Absolutely.

 

Joab Jackson  10:10  

All right. Excellent. Excellent. Terrific. Try to think of any other questions that I have. Are there any other aspects you think that that are interesting, from your perspective, deal with both open source and the airline industry and the government?

 

Ricardo Torres  10:24  

Yeah. So I actually often liken us to the financial services industry, another heavily regulated industry that has been slow to embrace open source. And so I think that we have a lot to learn from those folks. Oh, interesting. And so I'm looking forward to others joining us and being a little bit more open about the things that we can talk about, and all the things that we can do. Our engineers make incredible products, we have some of the smartest people on the planet, doing things that are really hard and taking us off the planet. So, you know, I think, if we embrace that, we can actually, we have a lot to share with the open source community.

 

Joab Jackson  10:55  

Do you guys have like a GitHub repo or we

 

Ricardo Torres  10:59  

we do have a Boeing organization under GitHub. We're still looking to grow that presence.

 

Joab Jackson  11:04  

All right, fantastic. Oh, Ricardo, thank you so much for taking time to talk with us. And thank you listeners and viewers for tuning in and we'll talk with you soon.

 

Colleen Coll  11:14  

KubeCon and CloudNativeCon conferences gather adopters and technologists to further the education and advancement of cloud native computing. The vendor-neutral events feature domain experts and key maintainers behind popular projects like Kubernetes, Prometheus, Envoy, CoreDNS, containerd, and more.

 

Alex Williams  11:33  

Thanks for listening. If you liked the show, please rate and review us on Apple Podcasts, Spotify, or wherever you get your podcasts. That's one of the best ways you can help us grow this community and we really appreciate your feedback. You can find the full video version of this episode on YouTube. Search for The New Stack and don't forget to subscribe so you never miss any new videos. Thanks for joining us and see you soon.

 

Transcribed by https://otter.ai