Google Open Source Program Manager Chris DiBona: Best of Both Worlds
"You are not going to get malware on a Chrome OS. You are not going to get security problems on a Chrome OS that has the developer's switch," said Google's Chris DiBona. "But at the same time, if you are a developer, that sort of locking down stops you from innovating. It stops you from developing very quickly. So we wanted to make it possible to have the best of both worlds there."
In 1996, two Stanford University students, Larry Page and Sergey Brin, created a unique search engine called "BackRub" that ran on the school's server. After one year, BackRub's bandwidth outgrew the university's needs. Its creators rebranded BackRub into Google, a respelled reference to "googol." It is a mathematical term for the number represented by the numeral 1 followed by 100 zeros.
Google began as a business after its founders accepted a US$100,000 funding grant from Sun Microsystems cofounder Andy Bechtolsheim in August 1998. Page and Brin embedded their mission statement in their corporate name. They would organize a limitless amount of information on the World Wide Web.
Several years later, Google's founders devised a list of 10 things they knew to be true about running their business. Item No. 2 was "it's best to do one thing really, really well." Google is now much more than a unique search engine. And Google does much more than catalog a world of information on its massive servers. Google does many things. But perhaps all of what it does still meets that key founding principle of organizing vast volumes of data on the Web.
In this interview, LinuxInsider discusses with Christopher DiBona, Google's open source program manager, how Linux, Chrome, Android and a host of Google-created proprietary code all mesh with open source software to maintain Google's massive information infrastructure.
LinuxInsider: Given all of the software platform options, what drew you into working with Linux and open source software?
Chris DiBona: Back in the mid '90s, I was working on a science assignment at the time. I had a choice of working in the Sun workstation lab at the school. That was crowded and hot. Or I could dial Linux on a 386 or a 486 (CPU). At the time, I was working in a computer book shop. So I accumulated all these computer books and textbooks. I traded my books for a friend's real Unix machine, an AT&T 381. It was not fully featured. Finally I got involved with a Linux machine. Later when I moved to California, I got involved with running a Linux User's Group. Now here I am 20 years later.
LI: How much is Google driven by open source?
DiBona: When you personally go and use Google, like Gmail or our online stuff, on top of that you have software that we've written. We combine our software with what you typically would expect from a server and a desktop. We pull in a standard amount of open source libraries and standard libraries. Some of these are released [as open source] and some of them are not. All of these things come together to make Google -- well, Google.
Some of what we have added is completely state of the art, such as the Android stack. We've released something like 3,000 projects of various size and quality and development models. So any kind of project you want, we've done that model for our company.
LI: How hard is it to tie all of that together for users who are on a Windows box or an Apple product? How do you make it almost platform-agnostic?
DiBona: Take our Chrome platform. Most of the people who use it have no idea that there is this open source Chromium thing inside it. That shows where open source is and where it is going. You have to come to the realization that open source technical people understand and appreciate these things. But most consumers not only don't care, they have literally no interest in it. All they want to know is that their software is good, that their software does what they want, and that it works well. That you got to it by way of open source or that we open sourced it -- they don't care.
LI: Do you find that consumer response disheartening?
DiBona: There is satisfaction to be found in that because -- in the case of Chromium -- we know that we are doing that in a way that is very exciting from an engineering perspective with the release of technology. And we are really moving all browsers forward in the way that we work with Chrome. That's pretty cool. There are a great number of people out there using Chrome and Chromium and have no clue that it is open source. It is one of those things that we are very satisfied in doing the correct amount of work there. We know that the consumers just love the product, and we do what we can to make that persist within the rubric of open source.
LI: What differences are there between Chrome and Chromium? Does Chromium really drive Chrome, or are they two separate things?
DiBona: Well, they are not separate by any measure. I would say that Chrome is complementary with Chromium. When you look at what Chrome does, we are very holistically minded about what surfing means online. For instance, if you are going to be running Flash and you have the standard plug-in architecture that a browser has ... Flash sort of exists outside the sandbox. So if Flash breaks down in one tab, it will break down across all tabs. That is not what you want.
That should really be a red flag. So we do a lot of proprietary things in Chrome with things like Flash and PDF that we couldn't really do in Chromium because those proprietary offerings are really not available in open source. To really have a plug-in system that works in the sandbox model, you kind of have to have a closed source element. So Chrome is really the closed source stuff merged with the open source stuff called "Chromium."
Remember that Chromium is all the HTML rendering and all of the browser stuff and all the data-compression stuff. It's pretty amazing. So Chrome exists to have the things that can really not be open sourced. This makes it well secured and well managed by the software, so that people have what we consider to be a very good quality Web surfing. There are some really interesting Chromium offshoots out there. It's neat to see what people do with Chromium.
LI: How does the Chrome OS fit into this security scenario?
DiBona: In many ways, the Chrome OS is very much in the spirit of Chromium. What's really remarkable about the Chrome OS is the developer's switch under the battery. Say you leave your Chrome notebook under the seat on a bus and lose it. You can go buy another Chrome notebook and sign into your account and have all of your data restored. It is incredibly secure.
LI: How does that feature work?
DiBona: There is lots to why that works. It comes down to that developer's switch under the battery. We have a cryptographically assured chain of custody, if you will, from the chip on the motherboard all the way to the communications for the device. So that's pretty amazing. But the problem with that is people use that same mechanism to make it impossible to update the operating system and do interesting things with Linux, say on the laptop or their tablets.
What we did instead is said with the flip of a switch, you basically can do whatever you want with this hardware. You can install an operating system without bootloaders or whatever. That makes it possible for the Ubuntus of the world and the Debians of the world to install on a Chrome OS laptop. So when you switch it back, it will say where is the signed binary. It will give you, again, that chain of custody that you want. That's the secured computing environment.
Chrome is pretty amazing at this. You are not going to get malware on a Chrome OS. You are not going to get security problems on a Chrome OS that has the developer's switch. But at the same time, if you are a developer, that sort of locking down stops you from innovating. It stops you from developing very quickly. So we wanted to make it possible to have the best of both worlds there. So a responsible developer who understands the risks of surfing the Web is going to be able to do that.
LI: Based on what you just said, let's talk about the Android OS. It seems to be the direct opposite in terms of security.
DiBona: Oh, I fundamentally disagree. The Nexus devices are extremely open. Take Ubuntu, for instance. Whenever they demo Ubuntu, it is done on a Nexus device. When we, Google, sell a device, it is very specifically unlocked. Or it is unlockable in a very clear manner.
Things are different with carriers. Things work a little differently in the U.S. People walk into a cellphone store and want a free cellphone. The telephone company or AT&T store or a T-Mobile store or whoever pays for that. They say in return for you getting a $500 device for free, you're committing to this two-year plan. And part of that structure allows them to lock down the phone so you can't change the operating system on it.
LI: How do you avoid that?
DiBona: I don't know if the people really pay attention to the terms of those deals -- but I know that developers who are savvy to these restrictions should just go buy a Nexus device or another unlocked device. Or work with a carrier who cooperates.
For instance, if you have T-Mobile, after the first three or six months into the contract, they will unlock your phone for you. Of course, this only works for certain kinds of phones. There are a lot of things out there that if the developers were just a little conscientious, these things wouldn't have to plague them.
LI: It almost seems -- and I don't mean this negatively -- that Google is almost shooting itself in both feet at the same time. It has the Chrome OS, and it has the Android OS. It almost seems they are competing against themselves.
DiBona: I would not characterize Google as shooting itself in both feet. Google actually develops a number of OSes. There is the Nexus Q; there is Google TV; there is Chrome OS; there is the Android. We are actually in this operating system-rich environment.
Google is not a small company any more. Just on the Google side alone, we have over 30,000 employees. Then there are the Motorola employees. Chrome OS and Android have different philosophies on what they are presenting to the users. I think that Google as a company is big enough both as a company and personnel-wise that that is OK.
Some customers respond extremely well to the Chrome OS model, especially those that use Google services like docs and spreadsheets. That's also true of the Android. But it is really a different way of approaching the user. Now they both have Chrome in common. You can have the Chrome browser in Android, and that is obviously fundamental with the Chrome OS.
LI: Don't those conflicting choices make for a confusing marketing strategy?
DiBona: It may seem odd that people are consuming both of them. We are very happy with the outcome. It is sort of like when you have two children who are kind of competitive with each other. You wouldn't get rid of one of your kids. They are both great kids. You just have to make sure that their competitiveness does not hurt each other.
LI: What do you see as your biggest obstacles as a manager indealing with all of this?
DiBona: You shouldn't over expand on what my job actually is. The primary focus of my job -- and it is very cutting-edge, actually, and is very exciting -- is open source compliance; making sure that we don't screw up with other persons' licenses. It involves making sure that when we choose a license for a project that we release, that it is consistent with our values and our philosophies for that project.
Chrome is a great example of that. We used BSD because we wanted the code to get back into the webkit and be used by other browser vendors. BSD was the most common denominator in Firefox and the webkit. And even Microsoft could use it.
We wanted to get the technology in the hands of everybody -- not just our browser, but everybody's browser. In a lot of these projects now, we have to provide infrastructure for development in the form of Git and Gerrit. Gerrit is a code review front end for Git (a distributed revision control and source code management system). That means that whenever we buy a company, we have to make sure that they are in compliance. I hate to say it, but I am a very high-functioning bureaucrat who looks after licenses.