Friday, October 25, 2019

ATO 2019 - Inclusion event (a report)

This was the second year that ATO hosted a pre-conference track on diversity and inclusion. It was a sold out event with a free but separate registration (for booking, budgets, and accounting). I attended last year as well.

As I began writing up this report, I noticed the title of the event does not include the word diversity. According to the wayback machine, the main title was the same last year but it felt like the word diversity was included in most of the promotion of the event. Last year did have "A Conversation" as part of the title and incorporated much discussion on the definitions and differences in diversity, inclusion, and equity. This year the title was simply Inclusion in Open Source & Technology [1] and the presentations had a lot more actionable examples of how a project, organization, team, or individual can be more inclusive.

I really like the format of this event. They have a series of short talks which this year were basically people's stories of how they felt included or actions they thought there should be more of so others feel more included. Later there is a Q&A session for everyone to further explore these topics and suggestions.

This year also included a screening of the second episode of the Chasing Grace Project and a Q&A with the producer. I cannot seem to remember which event I was at when I had the opportunity to screen the first episode. I am looking forward to the complete series being available to a wider audience.

Last year I remember feeling a mix of depression and optimism. There were a lot of examples showing how those paying attention have expanded the types of diversity beyond gender and race and how many opportunities do exist. There were also a lot of stats showing how slow the progress is happening and where it is even going backwards. In many ways I felt like I was hearing the same things I've heard all my life and that is a tiring thought.

This year was, at least for me, a lot more positive. I think mostly because the discussions were not so much around statistics and abstract items which still need to be done, but rather a lot of examples of activities that have helped and could help:

  • The young high school student asked for more everyday role models like parents and teachers sponsoring club activities. Representation at the C-level is important but not as important as having someone in the room learning technology alongside the students.
  • The older but not ready to retire gentleman reminding people that having had to change technologies so many times, older people bring a lot of experience and can still learn new things - sometimes even learning faster. Most of us also accept (even enjoy) being managed by more youthful enthusiasm as long as we are not just dismissed as a dinosaur.
  • The consultants that help D&I committees proactively create company communities and both networking and educational opportunities.
  • The examples of how to reach out of your comfort bubble, grow your own network, and be an ally.

I came away reminded that I am where I am and still an Open Source consultant and educator because of the welcoming and supportive people I have gotten to work with. People who treat other people as people. People who can work as part of a team. People who want to do the right thing and give the right people the credit they deserve. These people were rarely official mentors and many have never thought of themselves as an ally but by being good humans, they were an ally to me.

The little things matter. They matter when they produce the thousand paper cuts that drive people away. They matter when they appear from an ally and encourage inclusion.

-SML


[1] Note: at the time of writing the URL for this event was for the current year. At some time in the future it may be replaced with the next year details. I do not know if it will be archived. I was able to submit the page to the wayback machine.

Thursday, October 24, 2019

ATO 2019 - an event report

ATO 2019 was a good year.

For a number of years now, each October, thousands of technical folks converge in Raleigh for All Things Open. The "all things" includes a lot of developers talking about opensource platforms, tools, stacks, and applications but it also includes topics on open hardware, open government, open education, and building communities in addition to projects and products.

For a couple of years, I felt there was too much of a programmer focus for me and I wasn't finding new things in the community tracks. It is local though and so with expectations set, I continue to support a great conference and enjoy the hallway track with a number of people I "see" mostly online even though I was not previously finding a lot of talks for my sysadmin or infosec interests.

I know several local people that have not attended the past couple of years because of this trend and I bring it up because this year was a bit different. While I attended expecting to once again find content either repetitive (of other years and other conferences) or too dev focused, I was pleasantly surprised. There were full tracks both days for Security and Linux/Infrastructure. [1]

I attended a few of the security sessions; two that stood out were:

Prepping for the Zero Day Attack 
Eric Starr discussed a CI/CD pipeline that includes checking for vulnerabilities with both source code analysis and container scanning. He shared experiences where unit tests were disabled "to speed up the deployments" which later turned into disasters. He was practical in his approach where some of the scans take hours to run. If the deployment or test cycle is shorter than a day, maybe those scans get run daily instead of with each change but do NOT eliminate them just because they take too long! He mentioned tools that work for his project but regularly pointed out what type of tool it was and that the specific tool used is not important. I would add that the best or right tool is any one you will use though you may be limited by what will work in your environment.

Insecurities and Vulnerabilities: How to Keep the National Vulnerability Database Current
I really enjoyed this one! Rob Tompkins shared his experience reporting CVE as part of an opensource project security team. When I teach about tools such as openscap and Red Hat Insights which include information from the NVD and then suggest remediations, it is helpful to understand how the information gets into this database. This example along with a talk from OSCON years ago about reporting embargoed security issues helps me also explain how an administrator should go about reporting a suspected vulnerability with correct documentation. This is a topic I am now adding to my "write an article on this" list.

Next door, at the Linux/Infrastructure room, by title, I would be interested in Getting Started with Flatpak and possibly Platform Agnostic and Self Organizing Software Packages. Also the What You Most Likely Did Not Know About Sudo… and maybe the Terminal Velocity: Work faster in your shell talks.

With these tracks, I would encourage a few of my more "Ops" friends to rethink attending this conference, especially if they are local to the area. I also have some new ideas for articles to write and possible presentations at future events.

Oh, they also have great book signings scattered across both days!

-SML

[1] Note: at the time of writing the URLs for the tracks were for the current year. At some time in the future these will be replaced with the next year tracks. I do not know if they will be archived. I was able to submit the parent tracks page for the wayback machine.

Wednesday, October 23, 2019

Writing Summary - late summer 2019

I've done some (ok, very little) writing for opensource.com in the past and I still have some notes for more articles that keep getting pushed aside. This site is almost 10 years old, community driven (with Red Hat Sponsorship), and tries to cover a variety of open topics, products, projects, and distributions.

This summer, some of the staff from that project switched over to help Red Hat start a new blog for system administrators called Enable Sysadmin. As the name implies it is focused on system administration topics and as a corporate blog it can also be a bit more Red Hat product specific. In addition to a small staff, a few part time contractors, and a number of Red Hat employee contributors, they do accept and encourage community contributions.

I have enjoyed being one of the early authors. Of course, like all my writing projects, I have plenty more ideas in my head and not enough focus to get them organized in a timely manner.

So far I have written two articles about using SSH keypairs, two articles about SELinux, and a short article about cybersecurity awareness month.

How to manage multiple SSH key pairs

Passwordless SSH using public-private key pairs

Accessing SELinux policy documentation

Four semanage commands to keep SELinux in enforcing mode

Security advice for sysadmins: Own IT, Secure IT, Protect IT

-SML