Red Hat's Project Lightwell. Interview with Mo Duffy

LaSombra1 pts0 comments

Red Hat's Project Lightwell with Mo Duffy | Open Source Security

Josh welcomes Mo Duffy from Red Hat to chat about project Lightwell. The idea is to leverage the resources and understanding Red Hat has built up over the years to help deal with the deluge of vulnerability reports that are overwhelming open source projects. Mo does a really good job of explaining why this is fundamentally a people problem, not a technology problem. But it’s a people problem we can probably use technology to help. It will be interesting to see where Lightwell goes in the next few years.

Episode Links#

Mo’s Linkedin

Project Lightwell

Project Akrites

This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.

Episode Transcript#

Josh Bressers (00:00)<br>Today, open source security welcomes Mo Duffy, distinguished engineer at Red Hat, and a person I&rsquo;ve been lucky to call a friend for many, many years now. It&rsquo;s been a it&rsquo;s been a minute. So Mo welcome to the show.

Máirín &ldquo;Mo&rdquo; Duffy (00:12)<br>Yep.

Happy to be here. Thanks for having me.

Josh Bressers (00:16)<br>No, I&rsquo;m I&rsquo;m really excited. So I I Mo is here because Red Hat announced something called Project Lightwell. I don&rsquo;t know how long ago it&rsquo;s been. It&rsquo;s been a couple weeks at least. And I remember I saw this and I thought, I want to talk to someone about this because first of all, I think it&rsquo;s really cool. I like Red Hat. I used to everyone anyone who listens knows I worked at Red Hat for a long time and and it was like a an awesome place to be. And additionally, I think there&rsquo;s an important thing about this this topic is first of all.

Red Hat has a proven track record in this space of working with upstreams and f fixing vulnerabilities and bugs and all kinds of things. But then also since I since you and I scheduled this, there have been like ten other projects that have come out of the wood work to do this. So I&rsquo;m like, this is bizarre to say the least. So anyway, I will let you give an intro. I&rsquo;ll let you explain Lightwell a little bit and we&rsquo;ll take it from there because this this is gonna be great.

Máirín &ldquo;Mo&rdquo; Duffy (01:07)<br>too.

So, yes, I&rsquo;m Mo Duffy the software engineer at Red Hat. I&rsquo;ve been at Red Hat for, at this point, over 22 years. if you count my internship, long time, very passionate about open source software. I&rsquo;ve done a whole bunch of stuff at Red Hat. I&rsquo;ve worked mostly in Linux, but it was also worked on AI products. I do have in recent years, AI background. And recently I have been working with the intersection between AI and cybersecurity for open source software.

So that&rsquo;s exactly where we&rsquo;re going with Project Lightwell. Lightwell is something that Red Hat is looking to do to kind of combine our kind of AI prowess and our understanding of like agent software development life cycles for remediating issues in code and combining that with our upstream capability in order to work with upstreams for projects that may need a little help

Just basically, the end goal is you&rsquo;re running open source software somewhere in your enterprise and now you&rsquo;re worried about these new classes of AI models that are finding vulnerabilities that traditional like SAST scanners and DAST scanner have not found. You want to be protected, you want to be safe, you want to make sure your customers are safe. And because we have that upstream open source collaboration know how we can work to help

secure those libraries for you. So that&rsquo;s sort of the program goal.

Josh Bressers (02:43)<br>Okay, that&rsquo;s a lot to unpack, I think. And I&rsquo;m gonna pull us back a bit because you said a whole bunch of things that you and I understand. Probably all the Red Hat folks understand, but a lot of other people don&rsquo;t necessarily understand. So let&rsquo;s just talk about what the Red Hat development model kind of looks like in the context of we say words like upstream and downstream and customers, and I don&rsquo;t think this is always clear. And I think the way Red Hat has existed for a long time is quite clever in the context of open source. And so just give us like the the nickel tour of

what that all looks like, kind of some of the relationships and how the development works.

Máirín &ldquo;Mo&rdquo; Duffy (03:16)<br>Sure, so the way I like to explain it is it&rsquo;s almost like the academic community. So if you understand the way the academic community works, you&rsquo;re always building on the shoulders of those who came before you, right? Like, we don&rsquo;t have people reinventing the basics of physics or reinventing calculus. Like, Newton invented calculus back in the day, and we&rsquo;ve built a lot of stuff on top of that. Well, yeah, that&rsquo;s just all of these things. There&rsquo;s always questions historically of like, who really...

rsquo like lightwell open source duffy

Related Articles