Tom Marble's Blog

Testing 1 2 3

Does anyone use RSS anymore?

This is just a test post to make sure all the machinery is still working!


M41LZ in Tails

Here is the background on my workshop presentation M41LZ in Tails: securing e-mail at Code Freeze 2015. Currently the slides are under heavy development -- stay tuned as they are updated in anticipation of v1.0.0 on January 14, 2015. Of course the slides alone don't provide the extra commentary and personal experiences -- you'll have to come to Code Freeze for that!

Code Freeze 2015


Tom Marble is best known for being the first "OpenJDK Ambassador" on the Sun Microsystems core team that open sourced the Java programming language. Tom has a Master's degree in Electrical Engineering from the University of Minnesota where he worked under Otto H. Schmitt. He has combined his EE and community experiences in open source hardware projects such as USB TRNG and his software and intellectual property experiences by organizing a legal and policy issues track at Europe's largest open source conference, FOSDEM. Tom's passion for Free Software is demonstrated by frequent speaking at conferences such as O'Reilly's Open Source Convention, JavaOne, the Debian conference, Software Passion (Sweden), Fórum Internacional do Software Livre (Brazil) and Linux Conf Australia.

Mr. Marble is committed to increasing diversity in technology (especially in open source) by volunteering as an organizer for ClojureBridge Minneapolis -- a weekend workshop for women to learn the Clojure programming language -- as well as the GNOME Outreach Program for Women on behalf of the Debian project.

Tom is the founder of Informatique, Inc.: a consultancy which leverages his hardware, software and legal engineering background for client projects as diverse as telematics for electric vehicles, probabilistic model checking, autonomous cyber defense, and multiplayer online gaming.


We are stuck between knowing that our Internet communications are vulnerable and using overly complex crypto tools. This workshop will explain, step by step, how to use open source encryption available in a live USB drive based system to secure e-mail. Along the way you will learn about threats to anonymity on the web and how to harness the Web of Trust. We'll then explore the next steps to making secure e-mail more practical for everyday use.


The presentation can be viewed live at

The source for the presentation is at


Please let me know how I can improve this presentation!



Today I've made some modest changes to my CV, LinkedIn and various online profiles. The theme has been "less is more" and I want to highlight my interest in consulting in Clojure, security and embedded hardware.

Why corp-to-corp consulting? I regularly get asked this question by companies that want to fill permanent, full-time positions. Having worked for big companies, small companies and even having founded a Silicon Valley startup from Minnesota (just think of the miles!) I've come to realize that consulting is a great fit for me. I can carefully choose client projects that have really interesting problems and at the same time invest continually in personal development (e.g. conference organizing, working to increase the participation of women in open source software). One of the nice fringe benefits for clients is I can share best practices that I've learned in my travels with each engagement.

Let me know if your project could use some extra hands!



Yesterday I had a blast presenting my talk Security not by chance: the AltusMetrum hardware true random number generator at DebConf14.

DebConf 14

USB TRNG is a collaborative effort with AltusMetrum to create a completely open hardware and Free software true random number generator.

In my talk I mention the rationale for gathering more entropy: The Linux urandom boot-time entropy hole as described in the paper Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices.

I also mention some of the difficulty in assessing RNG quality for security applications as highlighted by Matthew Green in his blog post How do you know if an RNG is working?

I've been lucky to work on this design with Bdale Garbee and Keith Packard.

If you'd like to learn more you can...

  • Download the presentation (see below)
  • Check out the web page for USB TRNG
  • Join us on IRC OFTC #altusmetrum
  • Join the trng mailing list

Let me know if you'd like to get involved!


10,000 Processes in Om

I have just published om-processes which is a port of David Nolen's 10,000 Processes in Clojurescript to Om.

Clojurescript is a port of Clojure to JavaScript which is especially well suited for running in a browser. Just as Clojure offers a pleasant LISP on the JVM, Clojurescript offers (nearly the same) LISP in the browser. The performance of Clojurescript is outstanding due to the massive optimizations available from the Google Closure compiler.

JavaScript, however, has some fundamental flaws... Top among these is that it is single threaded, which leads to an asynchronous callback style of "event programming". Clojure's core.async offers a solution in the form of CSP style programming. Using core.async one can think about coding in a more intuitive way.

In 10,000 Processes Nolen demonstrates using core.async to simulate independent "threads" despite the fact that the underlying platform has no native support for threads.

In Om Nolen leverages Facebook's React to create a high performance, immutable model for client programming.

The technical study om-processes is simply the fusion of all these ideas into one demonstration. Who knew web development could be so much fun!

Is this thing still on?

This is just a test of posting to my blog.. it's been too long...

And, since I upgraded my VPS I realize the dates/ordering of posts was lost :(

I'll try to remedy this!

Legal Issues at FOSDEM 2014

I'm very pleased to announce the Call For Participation for the FOSDEM 2014 Legal Issues DevRoom.

This is the third year that I've been lucky enough to collaborate with some leading practitioners of Free Software and Open Source licensing and community leadership to organize this intense event on the topic of what makes FLOSS possible and what are the key issues facing FLOSS today. I'm joined by my friends Karen Sandler, Bradley Kuhn, and Richard Fontana.

I have been fascinated by the intersection of law and technology because it is the clever use of copyright that makes Free, Libre and Open Source Software possible. We hope to stimulate discussion on topics such as:

  • Copyleft vs. permissive licensing: What is a policy case for copyleft? If so what form should it take?
  • How is software freedom important in ensuring privacy and security?
  • What defines a Free Software and/or Open Source project?
  • Do traditional Free Software values face some level of cooption from for-profit corporate interest? If so, how?
  • Copyleft licensing models and how they relate to business models. Are there some business models that are license-permissible but bad for community building? On the other side, does your license choice limit or expand your community?
  • Eroding software freedom in the proliferation of closed computing devices such as mobile phones and tablets
  • Copyleft enforcement and compliance planning from a developer perspective. What is the future of GPL enforcement? Is it working?
  • What is its impact on adoption of copyleft?
  • How does the 'so-called' software patent war impact Free Software and Open Source?
  • Copyleft license compatibility. What are the challenges of code base merges when various licenses are in use? How does a compatibility analysis between licenses work?

Please submit your talk idea before December 1st and plan to join us in Brussels on February 1st and 2nd!


ClojureBridge Minnesota

Of course the weather being what it is -- winter came in with a bang -- our turnout last night at was light....


But we had a small, enthusiastic group that discussed the recent Clojure Conj by editorializing the fine blog post by Logan Linn.

We also introduced the ClojureBridge effort to the group and everyone sees nice synergy between this and our recent success in November with "beginner's night" (which we plan to repeat every other meeting).

As a software development consultant I often co-work at CoCoMSP -- a melting pot of entrepreneurial energy. I have introduced the idea of hosting ClojureBridge at CoCoMSP with the founders and they are considering it (fingers crossed)!

Now we need to recruit more volunteers to help organize our local ClojureBridge Minnesota workshop next spring!

Ask me how you can help!


2011 and not J1

Calendar.getInstance().get(Calendar.YEAR) == 2011 && ! J1

Here we are in the middle of yet another J1 and, alas, I won't be joining folks in the City of Oracle World. Of course I'm skeptical of the "new" hotel based format (from last year)... But the reason I would want to go is, of course, the "hallway track": to see friends and colleagues like: @robilad, @alexismp, @mreinhold, @fabianenardon, @virtualsteve, @delabassee, @brjavaman, @karianna, @romainguy, @headius, @AzulSystemsPM, @jddarcy, @jfarcand, @tom_enebo, @asz and @terrencebarr.

I'm not even sure if Oracle is aware of the hallway track?

The big news recently for FLOSS enthusiasts was the sunsetting of the DLJ. When we released a redistributable version of Java under the DLJ in 2006 we heard a lot of criticism about this new, less restrictive license. The Free Java world saw it as simply "not enough". As it turns out on the same day Rich Green promised the open sourcing of Java and with this news the roar of applause was amazing. However it would take a full year before the complete publication of OpenJDK source code. And, even then, the community was frustrated by the lack of support for the Java plugin.

During this initial period we heard from people such as the Brazilians at FISL that the Java plugin -- now well integrated with GNU/Linux under the DLJ -- made it possible to do banking and file tax returns on their favorite platform. Meanwhile an open source plugin effort was underway. Largely through the efforts of Red Hat OpenJDK gained a truly open source implementation of the plugin. However due to the lack of a public spec (and source code) it continues to be very difficult to get the exact same Java plugin behavior with the IcedTea plugin.

Before the acquisition of Sun many of us had hoped that the code for the new Java plugin would be contributed to OpenJDK. Even though Larry has a beard he clearly doesn't drink the open source Kool-Aid and thus Oracle has decided to continue the closed plugin status. Since UI developers gave up on applets long ago maybe this is just an annoyance... At the very least it's a shame that we now have a completely fractured Java plugin landscape and GNU/Linux users that need applets will have to struggle (as in the bad old days) to configure their browsers correctly.

Despite this setback it does seem that Java technology is enjoying a renaissance in the form of dynamic languages built on top of the JVM. I'm hoping to help with the modularization of OpenJDK and encourage community based performance analysis tools that extend the platform.

Send me a tweet and let me know how the hallway track is going!

A Hug is Symmetric

An embrace is warm when two are pulled together. A one arm hug is a patronizing squeeze that makes for a (bad) photo op.

This little blog post is my > 140 response to my new friend @dberkholz's post The Story Of Data: Whither the GPL? Why we don’t need it anymore. I met Donnie at FOSDEM this year just after he joined RedMonk -- the analyst firm that is essential for anyone in software development to follow. (Full Disclosure: RedMonk and Informatique, Inc. do not have any business affiliation).

While I acknowledge that permissive licensing has become fashionable I think it is a grave disservice to suggest that restrictive licensing in FLOSS is withering, unneeded or for the uneducated.

This recent dust up is a result of an ongoing meme of "the Decline of the GPL" started last year by Matt Aslett. To which fuel was added by a recent BlackDuck analysis also asserting the decline of the GPL. In precious few seconds of research I was unable to find the BlackDuck report itself, but only mention of it. Ultimately the approach of the BlackDuck study is one of the problems. The data and methodology have not been made available for peer review -- the basis of the scientific method which defines progress in every academic discipline.

During our first Legal Issues DevRoom at FOSDEM we had several talks touching on the impact of software (and other artifact) licensing on FLOSS. Of special note: John Sullivan, Executive Director of the Free Software Foundation gave a talk "Is copyleft being framed?" and Richard Fontana, Red Hat's Open Source Licensing and Patent Counsel gave a talk, "The (possible) decline of the GPL, and what to do about it". Slides for these and other talks are available here. Sullivan's data and methodology are available for review and suggest that the use of GPL is vibrant.

I do hope that my friend and former Sun colleague Rich Sands -- who is now at BlackDuck -- can help shed some light on their analysis.

But I'm not here to quibble about the data. I want to talk directly to the assertions made from the data.

1. Compliance is complicated

In this era of continuous development and continuous deployment powered by tools like the uber awesome Jenkins you can't really say with a straight face that making a tarball and publishing it somewhere is hard. Even in the embedded space there are tools like Yocto that make delivering "Complete and Corresponding Source" just one of the build products.

For the massive, commercial enterprise which is Java™ Oracle manages to publish the source code for OpenJDK. Under the GPL. And Oracle publishes it from a tightly intermingled source base comprising open as well as closed, proprietary components.

2. The collaborative development model is really all you need

Bruce Perens was right: collaboration is better. Yet collaboration is necessary, but not sufficient to build a community. As we have become more familiar with FLOSS models it has become increasingly clear that copyright assignment or licensing agreements that put a corporation in asymmetric control of a codebase do not foster the healthiest communities.

When inbound == outbound licensing and everyone is on symmetric footing collaboration and contribution thrive.

Simon Phipps, also a friend and former Sun colleague, has written about the health of projects such as Libre Office and assessing the health of FLOSS governance.

3. Commercial products == proprietary products

"Not to mention that copyleft licenses make it much harder to build proprietary products". Well maybe we should start with understanding there might be a difference between building products and making a biz model around them vs. the licensing of said products.

With Red Hat hitting the milestone of $1 billion in revenue I think we can put to rest the question, "can you make money with open source?" Certainly Red Hat has some proprietary licensed products, but the crux of their business model is based on restrictively licensed, copyleft software. Red Hat invests an enormous amount of developer time to give back to the community... And apparently they are not suffering for it. Apparently this isn't too complicated for them. And apparently the bottom line is doing just fine, thank you.

4. Restrictive licensing doesn't matter in Cloud

If anything the rise of "Cloud Computing" drives the need for an updated approach to restrictive licensing. This was the real motivation behind creating the AGPL. Why is this? It's because traditionally restrictive licensing kicks in when the software is delivered. In web services you get data, but not software (in any form).

A great deal has been written about copyleft in the cloud era... Since Donnie's post included "Data" I think it's worth mentioning the Freedom to Leave and the Franklin Street Statement.

(Secret: data is more valuable than code :) )

5. You can't build a business on restrictive software

Jeremy Allison has clearly articulated why the GPLv3 is essential for the commercial Samba marketplace to thrive. He talks about symmetry providing a necessary level playing field (and he spoke about this recently).

Evan Prodromou has built the StatusNet business on AGPL'd software and is selling the Decentralized Social Web into Enterprises.

And NoSQL all star, MongoDB, is licensed under the AGPL and the company behind it, 10gen, seems to be doing just fine.

Work with Me

So whether or not the GPL is in decline (or not) only scratches the surface of how the FLOSS revolution has transformed information technology in the past 20 years. I bet that the Story of Data in the next 20 years will tell us that symmetric collaboration is the big win.

Ultimately the key thing is to remember that permissively licensed software is also Free Software.

