Interview with David Blevins



We are very lucky that this May there will be a JCP Committee meeting here in Sofia and right after it jPrime will take place! And for both of these events our great friend David Blevins will be here! Just a few days before them we have this amazing chance to do an interview with him! Enjoy!

Hey David! Thank you for deciding to give a talk at jPrime! Would you please introduce yourself?
Let me try a non title-driven answer to that question. I'm someone who has been passionate about Open Source and Java EE since 1999 and for some reason has never given up, quit, taken a break or slowed. I believe fundamentally in the value of collaboration not just in open source, but in standards as well, and know that any successes we're currently achieving in those two areas are small compared to our true potential. Both open source and standards have a way of uniting diversity for incredible industry gain, but suffer in sustainability when taken for granted. We all have a role to play. My own journey in that quest has led me to co-found a few open source projects, OpenEJB, Geronimo, TomEE, become involved in the Java Community Process (JCP), found a company, Tomitribe, help launch the Eclipse MicroProfile and play a role in open sourcing Java EE as Jakarta EE. Aside from being CEO of Tomitribe, I serve on the Java Community Process Executive Committee (JCP EC), Eclipse Board of Directors and Jakarta EE Steering Committee.

You describe yourself as an open source veteran and at the same time you run a business around open source products. Would you share with us your view on evolving open source and at the same time paying your bills?
The long and short of it is our discussions around open source need to go beyond the technical and its creators. There are several blindingly obvious business opportunities there we are all persistently failing to see.

Let's use Apache Struts as an example. Looking at job posts on indeed, there are 1721 open positions for a developer with Struts experience. At say $80k/year that's $137 million dollars that will be spent in some way this year by companies using Struts. The Struts project itself has 10 people active in the last year, roughly 2 appear to be full-time, and 8 people who would love a Struts related job.

The first observation is all 1721 recruiters missed the 8 people on Struts who clearly would love a Struts job. They are not looking at the open source projects listed in their own job postings. The second observation is businesses plan to spend $137 million implementing Struts, but less than $500k developing Struts itself (2 FTEs and 8 misc contributions). Do we honestly think only 0.3% invested in reuse is the cheapest way to develop software? Last year Equifax had a major Struts related security vulnerability and as a result lost $4 billion dollars on their stock price in one week. They could have avoided it in many ways, but not the least would be by employing someone on the project who could have told them in advance about the issue. They'd have reduced their hiring costs, reduced their development costs and avoided a major breach. Lastly there were 12,893 computer science degrees issued last year. That's 12,893 people who missed the obvious fact that contributing to Struts itself is the best way to both get experience and compete for those 1721 open Struts jobs.

The question is not how do we pay our bills, but how can we avoid losing millions or billions of dollars. Open source developers paying their bills should be the least of our concern. It only shows how very primitive we still are in an open source economy. We have open source developers, we need open source executives.

Your talk is about REST security. Why do you think security is so underestimated in most projects and what can we do about fixing that?
The way we've done security in the last decade or two largely reflects the stateful and monolithic world we've come from. There was one team that only did security, just like there was one operations team. The trick is they are not the same people who go to conferences and get excited about microservices and stateless architectures. Just like we've had to invent "DevOps" to unite two split worlds, we have the same challenge with security. That means educating developers in security like we've had to educate them in ops. It also means educating the security team on the kind of architecture we're aiming for and why.

In the talk we stay architecturally focused so both groups can benefit. It's not down into lines of code. We walk our architecture from a one-hop monolith to a four-hop microservice and see how, by shifting from something like basic auth to OAuth and JWTs, we can go from the security layer being hit with 55% of traffic to more like 0.55% of traffic and actually achieve more security. Just like Bitcoin shows us you can have distributed money with no "central" bank, you can have distributed security. It's not that hard, you just need to understand a couple of concepts and then it's obvious.

Old concepts applied in a clever way, and painfully simple when you get right down to it. It really boils down to education.
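To make the "distributed security" idea in the answer above concrete, here is an added example that is not part of the interview or of any Tomitribe project. It implements a minimal HS256 JWT mint/verify on the Python standard library and then counts how often a stand-in identity store is consulted when credentials are forwarded hop-to-hop (basic auth) versus when a signed token is issued once and each hop verifies it locally. The shared secret, the user "alice", the `IdentityStore` class and the four-hop chain are all constructed assumptions for the demo; in production an asymmetric algorithm (RS256/ES256) would let hops hold only the issuer's public key.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret shared by the token issuer and every hop (assumption).
SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, secret: bytes) -> str:
    """Issue a compact HS256 JWT: b64url(header).b64url(claims).b64url(signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = "{}.{}".format(
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(claims, separators=(",", ":")).encode()),
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Verify a token locally; returns the claims or None. Never calls the identity store."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: the token must not tell the verifier how to verify it.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims


class IdentityStore:
    """Stand-in for the central security layer (user database, LDAP, auth server)."""

    def __init__(self) -> None:
        self.lookups = 0
        self._users = {"alice": "correct horse battery staple"}  # constructed sample user

    def check_password(self, user: str, password: str) -> bool:
        self.lookups += 1  # every call here is "traffic hitting the security layer"
        return hmac.compare_digest(self._users.get(user, ""), password)

    def issue_token(self, user: str, password: str, ttl: int = 3600) -> Optional[str]:
        if not self.check_password(user, password):
            return None
        return mint_jwt({"sub": user, "exp": time.time() + ttl}, SECRET)


def basic_auth_lookups(store: IdentityStore, hops: int, requests: int) -> int:
    """Basic auth forwarded along the chain: every hop re-checks the credential centrally."""
    for _ in range(requests):
        for _ in range(hops):
            if not store.check_password("alice", "correct horse battery staple"):
                raise PermissionError("rejected")
    return store.lookups


def jwt_lookups(store: IdentityStore, hops: int, requests: int) -> int:
    """Token issued once up front; each hop then verifies the signature and expiry itself."""
    token = store.issue_token("alice", "correct horse battery staple")
    if token is None:
        raise PermissionError("rejected")
    for _ in range(requests):
        for _ in range(hops):
            if verify_jwt(token, SECRET) is None:
                raise PermissionError("rejected")
    return store.lookups


if __name__ == "__main__":
    print("basic auth, 4 hops x 100 requests:", basic_auth_lookups(IdentityStore(), 4, 100), "identity-store lookups")
    print("JWT,        4 hops x 100 requests:", jwt_lookups(IdentityStore(), 4, 100), "identity-store lookup(s)")
```

The point the counts make is the one in the answer: the central layer's load goes from once per hop per request to once per token lifetime, and each hop still enforces the signature and expiry, so nothing is trusted that the issuer did not sign. The algorithm pin and the constant-time comparison are the two checks that keep "verify locally" from silently becoming "accept anything".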

What do you like to do in your spare time (whenever you manage to find some)?
I love to play guitar. But since I don't really have time to practice or learn full songs, my favourite thing is to challenge my ear and play to the radio, Pandora or whatever people in the room like. I love when someone plays "DJ" and puts on songs or music styles they love, but I've never heard. Songs that change key are quite hard, but if they stay put and aren't too fast I can usually get there. A life goal for me would be Jazz. If I could get good enough to be a retired 70-year-old Jazz musician with mean chops, that'd be bliss.

You are coming to Sofia for the second time. What are your expectations from both events that you are attending: the JCP EC meeting and jPrime?
On the side of the JCP there are of course major changes happening with both Java EE/Jakarta EE and the shift to six-month releases of Java itself. Java EE moving out of the JCP reduces the scope quite a bit. The six-month releases challenge the typical JSR format as it often isn't known what will make the release till the end. JSRs were designed for a feature that's "done when it's done" and that isn't what we're doing anymore. So naturally we have a lot of talks about refocusing and adapting. These don't happen the same way over conference calls. I'm sure Sofia will be a very notable JCP EC event.

With jPrime, I'm of course looking forward to seeing the many amazing Bulgarian friends from our visit three years ago. I'd run out of fingers trying to count them. Bulgaria impresses me with the number of women that attend technical conferences -- usually triple that of other countries I visit -- and the incredible passion of the tech community in general. There is no sense of entitlement, people work hard, they want to learn. They are also incredibly warm, generous and full of fun. If you've never attended incredible tech talks during the day and then danced in a big circle of 30 people at night, you're missing out.

Thank you very much, David! We are looking forward to meeting you in Sofia so soon!