How We've Adapted Ubuntu's Time-based Release Cycles to Fintech and Software-as-a-Service

The Spring launch of the Apex 20a platform on March 26, 2020, marks the beginning of an exciting, new era of product development at Apex Clearing.  We have adopted a number of product management best practices from the software industry and adapted them to address some of the unique challenges within financial services and software-as-a-service.  In the interest of transparency, I’m pleased to share our new processes, what we’ve learned along the way, and where we’re headed next. 

Elsewhere in the Software Industry 

I joined Apex Clearing last year, having spent the previous 20 years as a software engineer, product manager, and executive, mostly around open source software, including Ubuntu, OpenStack, and Kubernetes.  Albeit IBM, Canonical and Google differ from fintech on many levels, these operating systems and cloud infrastructure technology platforms share a number of similarities with Apex's software-as-a-service platform.  Moreover, there also exists some literal overlap: we’re heavy users of both Ubuntu and Kubernetes here at Apex. 

Ubuntu, OpenStack, and Kubernetes all share similar, predictable, time-based release cycles.  Ubuntu has released every April and October, since October of 2004 – that's 32 major software platform releases, on time, every time, over 16 years.  Ubuntu has set the bar for velocity, quality, and predictability in the open source world.  OpenStack’s development processes have largely mirrored Ubuntu’s, with many of the early project leaders having been ex-Ubuntu engineers and managers.  OpenStack, too, has utilized a 6-month development cycle, since 2010, now on its 20th release.  Kubernetes came along in 2014, and sought to increase the pace a bit, with quarterly release cycles.  Kubernetes is a little bit looser with dates than Ubuntu or OpenStack, but has generally cranked out 4 quality releases per year, over the last 6 years.  I’ve been involved in each of these projects at some level, and I’ve thoroughly enjoyed coaching a number of early stage start-ups on how to apply these principles to their product development methodologies. 

Across the board, users, and especially enterprise customers, appreciate the predictability of these release cycles.  Corporate IT managers are better able to plan, test, and roll out technology changes to their environments, with less risk and disruption.  From a commercial perspective, these methodologies drove many wins against legacy, less predictable platforms.  

The Key Principles of Coordinated Cycles 

As a product development team, you have: 

1. Time 
2. Work to complete 
3. Resources to perform work 

To succeed, you must ensure that two of these three are fixed; and only one may vary.  In the Ubuntu methodology – time and resources are assumed to be fixed.  Time is fixed, in that the product will release, on time.  Resources are fixed, in that it takes many months to recruit and hire and on-board new resources.  We hire new people, of course, but we’ll assume those resources will be productive in a subsequent cycle.  Hence, it’s the amount of work that we will complete, which varies.  We will drop or defer commitments, but we won’t change the release dates, and we won't assume additional resources will have meaningful impact within a cycle. 

Within Ubuntu, OpenStack, and Kubernetes, each cycle would “kick-off” with a summit or conference, that brought together hundreds of developers and leaders from around the industry, to discuss and debate designs for the release.  Anyone who’s participated in an Ubuntu Developer Summit, an OpenStack Design Summit, or a KubeCon Design Summit can tell you how essential these gatherings are, to the success of the project.  Within Canonical, we also held a “Mid-Cycle Summit”, exactly at the half-way point of the cycle.  We used this checkpoint, as product and engineering teams, to right-size the scope, and ensure that we hit our release dates, and with the highest quality standards.  Inevitably, new requirements and priorities would emerge, or some committed work proved more complicated than anticipated.  This checkpoint was critical to the success of each launch, as we adjusted the targeted scope for the remainder of the release.

Adapting these Processes to Apex 

When I arrived at Apex in September 2019 to lead the product organization, I inherited an excellent team of product and project managers, peered with high-quality engineering teams.  Products and projects, however, were managed pretty asynchronously, hence release timelines and new feature commitments were unpredictable.  Of course, I had seen this before at a number of the start-ups that I’ve advised, so the model was quite familiar. 

Launch Cycles 

When adapting the coordinated, time-based release cycle to a given organization, the first thing to consider is the time frame.  After talking to all of our stakeholders, 6-month releases, like Ubuntu or OpenStack felt a little too long, a little too slow, for Apex and our customers.  Most of the engineering teams were already quite agile and utilizing 2-week sprints, so getting product requirements for 26-weeks (13 sprints) seemed a little unwieldy.  Quarterly cycles, however, can be pretty tough to see through, for anything but the smallest individual projects (frankly, Kubernetes struggles with the pace at times).  Moreover, all of the projects I’ve been involved in, have struggled with the end of year holidays, in November, December, and January.  Thus, we actually settled on a 16-week cycle, which amounts to roughly 4-month cycles.  That translates to 3 full cycles per year, with 48 weeks of development, while still allowing for 4 weeks of holidays. 

Our cycles are named for the year in which it will complete (launch), and with a letter as an iterator.  In 2020, we launch Apex 20a (March), Apex 20b (July), and Apex 20c (November), and looking forward to 2021, we should see Apex 21a (March), Apex 21b (July), and Apex 21c (November).  The “c” cycles are a few extra weeks, to account for the holidays near the end of the year.  These aren’t really “versions”, as Apex is more like “software as a service”, rather than “delivered software”, like Ubuntu, OpenStack, and Kubernetes.  Also, conversationally, we're referring to the cycles with the season -- so Apex 20a is our "Spring" launch, 20b will be our "Summer" launch, and 20c will be our "Autumn" launch.

Summits 

Each cycle involves 3 key summits.  As much as possible, these summits are in-person meetings (at least until our travel paused along with the rest of the world).  At this point, we’re proceeding quite seamlessly with virtual summits, instead.  Our summits are recorded in Zoom, and we always take extraordinarily detailed notes in internally shared documents. 

1. Prioritization Summit 
2. Planning Summit 
3. Mid-cycle Summit 

Prioritization 

The Prioritization Summit brings together our product managers with all of our key stakeholders – sales executives working with new business prospects, our client relationship managers working with existing customers, as well as our own IT, operations, and site reliability engineers tasked with keeping Apex running on a day to day basis.  Each product manager works with their stakeholders to gather CUJs (critical user journeys) and map those into patterns of similar, weighted product requests. Product Managers generally spend about 2 weeks on that work, which culminates in a session where the Product Manager presents the consensus priorities for their product area for review by the broader product team.  Based on this work, each product manager then starts working on their PRDs (product requirements documents), for the next 3-4 weeks.  Our Prioritization Summit is about a dozen, hour-long sessions, spread over three days in the same week.  We exit the Prioritization Summit with clear stakeholder consensus on stack-ranked priorities for each product family. 

Planning  

The Planning Summit signals the end of the PRD-writing period, during which product managers worked closely with their engineering counterparts, digesting all of those product requests and priorities, and turn those into product requirements written in RFC2119-style language (must, should, may, etc.).  At the end of that process, each Product Manager and their technical counterpart lead an hour-long session with their plan for the next cycle, including fairly detailed commitments as to the major changes we should expect to be delivered.  Our Planning Summit is about a dozen, hour long sessions, spread over three days in the same week.  We exit the Planning Summit with clear product and engineering consensus on work commitments across the product portfolio, for the upcoming cycle.  This marks the beginning of the development portion of the cycle. 

For the next few weeks, product managers spend the majority of their time with Apex customers and prospects.  Each of us on the product team carry specific OKRs (objectives and key results), to spend meaningful time with our existing correspondents and prospects, communicating our product roadmaps and gathering feedback on their experiences.  We take detailed notes, and all of this data filters directly into our future Prioritization Summits. 

Mid-cycle 

At the middle of our release cycle (week 8 of 16), we bring together the same Product Managers and technical leads to report on status of the first 8 weeks (4 sprints), and recalibrate the remaining work for the cycle.  Without exception, there are always new, late-breaking product requests or requirements that emerge, after the prioritization and planning summits.  Some of these are urgent, and we must accommodate, which usually means something else gets deferred to the next cycle.  Sometimes, we were a little too optimistic with our work estimates, and again we need to adjust.  Occasionally, we’re ahead of schedule and we can cherry-pick some other bite-sized items to bring into scope.  In any case, we will exit the Mid-cycle Summit with a very clear line-of-sight on our deliverables by the end of the cycle. 

With any scope adjustments well understood, the product team shifts into “go-to-market" mode.  Over these next 3 weeks, Product Managers are working with our Marketing counterparts, writing release notes, creating marketing content, educating our sales teams, and working through signoffs on our launch checklists. 

At this point, the cycle repeats itself.  Once our go-to-market activities are complete, Product Managers shift back into prioritization mode, working with our stakeholders, while the engineering team completes their work and the marketing team publishes the launch. 

Speaking of...let’s talk about the Apex 20a Release. 

The Apex 20a and 20b Releases 

Apex 20a launched on March 31, 2020, as our first release using the methodologies described above.  Apex clients can find detailed release notes in the Apex Developer Portal.  This cycle began with a Prioritization Summit in October 2019, a Planning Summit in November 2019, and a Mid-cycle Summit in January 2020.   This cycle involved 17-weeks of development. 

Our work on Apex 20b is already well underway, having held our Prioritization Summit in February 2020, and we’re holding our Planning Summit this week (March 2020).  Our Mid-cycle Summit will be held in May 2020, and we will launch Apex 20b in July 2020. 

It’s important to note that although we do have a very specific “launch date”, which signals the end of the development cycle, each of our engineering teams have developed, tested, and deployed to production hundreds of changesets during the cycle.  Thus, we maintain our agile CI/CD (continuous integration / continuous deployment) systems within every product and engineering team.  To be clear, we don’t “hold” anything specifically until launch date.  This is a very specific differentiation from Ubuntu, OpenStack, and Kubernetes, which are “shipped software”, as opposed to Apex technologies, which amount to “software as a service”.  For these reasons, we try to use the term “launch”, rather than “release”, when we talk about the “launch date” at the end of the cycle.  All, that said, we have found the processes described here very useful in our planning and communications about Apex technology to our customers. 

In Conclusion 

Apex 20a is the first of many coordinated product launch cycles our customers will experience.  We’ve adapted many of the best practices utilized by the open source software industry as well as Silicon Valley, and those practices are helping us work more effectively with our tech-savvy client base.  Apex will have 3 launches in 2020 (20a, 20b, 20c), and at least 3 launches in 2021.  By openly sharing our product stages and delivering a consistent, predictable, and reliable schedule, there are now ample opportunities for both customer input and detailed review and oversight by our leaders, which culminates in secure and stable products for our industry.  We’re delighted at the engagement thus far, and really look forward to more collaboration in the future. 

On behalf of the Apex product team,

:-Dustin

I'm Joining the Google Cloud Team!

A couple of months ago, I reflected on "10 Amazing Years of Ubuntu and Canonical".  Indeed, it has been one hell of a ride, and that post is merely the tip of the proverbial iceberg...

The people I've met, the things I've learned, the places I've been, the users I've helped, the partners I've enabled, the customers I've served -- these are undoubtedly the most amazing and cherished experiences of my professional career to date.

And for the first time in my life, I can fully and completely grok the Ubuntu philosophy:

I am who I am, because of who we all are

With all my heart, I love what we've created in Ubuntu, I love the products that we've built at Canonical, I love each and every person involved.

So, it is with mixed emotion that the Canonical chapter of my life comes to a close and a new one begins...

Next week, I have the honor and privilege to join the Google Cloud product management team, and work beside so, so, so, so many people who continue to inspire me.

Words fail to express how excited I am about this opportunity!  In this new role, I will be working closely with Aparna Sinha, Michael Rubin, and Tim Hockin, and I hope to see many of you at KubeCon Europe in Copenhagen later this month.

My friends and family will be happy to know that we're staying here in Austin, and I'll be working from the Google Austin office with my new team, largely based in Sunnyvale, California.

The Ubuntu community can expect to see me remaining active in the Ubuntu developer community as a Core Dev and a MOTU, and I will continue to maintain many of the dozens of open source projects and packages that so many of you have come to rely upon.  Perhaps I'll even become more active upstream in Debian, if the Debian community will have me there too :-)

Finally, an enormous THANK YOU to everyone who has made this journey through Ubuntu and Canonical such a warm, rewarding, emotional, exceptional experience!

Cheers,
@DustinKirkland

RFC: The New Ubuntu 18.04 LTS Server Installer

One of the many excellent suggestions from last year's HackerNews thread, Ask HN: What do you want to see in Ubuntu 17.10?, was to refresh the Ubuntu server's command line installer:

We're pleased to introduce this new installer, which will be the default Server installer for 18.04 LTS, and solicit your feedback.

Follow the instructions below, to download the current daily image, and install it into a KVM.  Alternatively, you could write it to a flash drive and install a physical machine, or try it in your virtual machine of your choice (VMware, VirtualBox, etc.).

$ wget http://cdimage.ubuntu.com/ubuntu-server/daily-live/current/bionic-live-server-amd64.iso
$ qemu-img create -f raw target.img 10G
$ kvm -m 1024 -boot d -cdrom bionic-live-server-amd64.iso -hda target.img
...
$ kvm -m 1024 target.img

For those too busy to try it themselves at the moment, I've taken a series of screenshots below, for your review.

Finally, you can provide feedback, bugs, patches, and feature requests against the Subiquity project in Launchpad:

• https://bugs.launchpad.net/subiquity

Cheers,
Dustin

10 Amazing Years of Ubuntu and Canonical

February 2008, Canonical's office in Lexington, MA

10 years ago today, I joined Canonical, on the very earliest version of the Ubuntu Server Team!

And in the decade since, I've had the tremendous privilege to work with so many amazing people, and the opportunity to contribute so much open source software to the Ubuntu ecosystem.

Marking the occasion, I've reflected about much of my work over that time period and thought I'd put down in writing a few of the things I'm most proud of (in chronological order)...  Maybe one day, my daughters will read this and think their daddy was a real geek :-)

1. update-motd / motd.ubuntu.com (September 2008)

• http://blog.dustinkirkland.com/2008/09/update-motd-in-ubuntu-intrepid.html

Throughout the history of UNIX, the "message of the day" was always manually edited and updated by the local system administrator.  Until Ubuntu's message-of-the-day.  In fact, I received an email from Dennis Ritchie and Jon "maddog" Hall, confirming this, in April 2010.  This started as a feature request for the Landscape team, but has turned out to be tremendously useful and informative to all Ubuntu users.  Just last year, we launched motd.ubuntu.com, which provides even more dynamic information about important security vulnerabilities and general news from the Ubuntu ecosystem.  Mathias Gug help me with the design and publication.

2. manpages.ubuntu.com (September 2008)

• http://blog.dustinkirkland.com/2008/09/announcing-ubuntu-manpage-repository.html

This was the first public open source project I worked on, in my spare time at Canonical.  I had a local copy of the Ubuntu archive and I was thinking about what sorts of automated jobs I could run on it.  So I wrote some scripts that extracted the manpages out of each one, formatted them as HTML, and published into a structured set of web directories.  10 years later, it's still up and running, serving thousands of hits per day.  In fact, this was one of the ways we were able to shrink the Ubuntu minimal image, but removing the manpages, since they're readable online.  Colin Watson and Kees Cook helped me with the initial implementation, and Matthew Nuzum helped with the CSS and Ubuntu theme in the HTML.

3. Byobu (December 2008)

If you know me at all, you know my passion for the command line UI/UX that is "Byobu".  Byobu was born as the "screen-profiles" project, over lunch at Google in Mountain View, in December of 2008, at the Ubuntu Developer Summit.  Around the lunch table, several of us (including Nick Barcet, Dave Walker, Michael Halcrow, and others), shared our tips and tricks from our own ~/.screenrc configuration files.  In Cape Town, February 2010, at the suggestion of Gustavo Niemeyer, I ported Byobu from Screen to Tmux.  Since Ubuntu Servers don't generally have GUIs, Byobu is designed to be a really nice interface to the Ubuntu command line environment.

4. eCryptfs / Ubuntu Encrypted Home Directories (October 2009)

• http://www.linux-mag.com/id/7568/

I was familiar with eCryptfs from its inception in 2005, in the IBM Linux Technology Center's Security Team, sitting next to Michael Halcrow who was the original author.  When I moved to Canonical, I helped Michael maintain the userspace portion of eCryptfs (ecryptfs-utils) and I shepherded into Ubuntu.  eCryptfs was super powerful, with hundreds of options and supported configurations, but all of that proved far to difficult for users at large.  So I set out to simplify it drastically, with an opinionated set of basic defaults.  I started with a simple command to mount a "Private" directory inside of your home directory, where you could stash your secrets.  A few months later, on a long flight to Paris, I managed to hack a new PAM module, pam_ecryptfs.c, that actually encrypted your entire home directory!  This was pretty revolutionary at the time -- predating Apple's FileVault or Microsoft's Bitlocker, even.  Today, tens of millions of Ubuntu users have used eCryptfs to secure their personal data.  I worked closely with Tyler Hicks, Kees Cook, Jamie Strandboge, Michael Halcrow, Colin Watson, and Martin Pitt on this project over the years.

5. ssh-import-id (March 2010)

• http://blog.dustinkirkland.com/2010/03/introducing-ssh-import-lp-id.html

With the explosion of virtual machines and cloud instances in 2009 / 2010, I found myself constantly copying public SSH keys around.  Moreover, given Canonical's globally distributed nature, I also regularly found myself asking someone for their public SSH keys, so that I could give them access to an instance, perhaps for some pair programming or assistance debugging.  As it turns out, everyone I worked with, had a Launchpad.net account, and had their public SSH keys available there.  So I created (at first) a simple shell script to securely fetch and install those keys.  Scott Moser helped clean up that earliest implementation.  Eventually, I met Casey Marshall, who helped rewrite it entirely in Python.  Moreover, we contacted the maintainers of Github, and asked them to expose user public SSH keys by the API -- which they did!  Now, ssh-import-id is integrated directly into Ubuntu's new subiquity installer and used by many other tools, such as cloud-init and MAAS.

6. Orchestra / MAAS (August 2011)

• http://blog.dustinkirkland.com/2011/08/formal-introduction-to-ubuntu-orchestra.html

In 2009, Canonical purchased 5 Dell laptops, which was the Ubuntu Server team's first "cloud".  These laptops were our very first lab for deploying and testing Eucalyptus clouds.  I was responsible for those machines at my house for a while, and I automated their installation with PXE, TFTP, DHCP, DNS, and a ton of nasty debian-installer preseed data.  That said -- it worked!  As it turned out, Scott Moser and Mathias Gug had both created similar setups at their houses for the same reason.  I was mentoring a new hire at Canonical, named Andres Rodriquez at the time, and he took over our part-time hacks and we worked together to create the Orchestra project.  Orchestra, itself was short lived.  It was severely limited by Cobbler as a foundation technology.  So the Orchestra project was killed by Canonical.  But, six months later, a new project was created, based on the same general concept -- physical machine provisioning at scale -- with an entire squad of engineers led by...Andres Rodriguez :-)  MAAS today is easily one of the most important projects the Ubuntu ecosystem and one of the most successful products in Canonical's portfolio.

7. pollinate / pollen / entropy.ubuntu.com (February 2014)

• http://blog.dustinkirkland.com/2014/02/random-seeds-in-ubuntu-1404-lts-cloud.html

In 2013, I set out to secure Ubuntu at large from a set of attacks ranging from insufficient entropy at first boot.  This was especially problematic in virtual machine instances, in public clouds, where every instance is, by design, exactly identical to many others.  Moreover, the first thing that instance does, is usually ... generate SSH keys.  This isn't hypothetical -- it's quite real.  Raspberry Pi's running Debian were deemed susceptible to this exact problem in November 2015.  So designed and implemented a client (shell script that runs at boot, and fetches some entropy from one to many sources), as well as a high-performance server (golang).  The client is the 'pollinate' script, which runs on the first boot of every Ubuntu server, and the server is the cluster of physical machines processing hundreds of requests per minute at entropy.ubuntu.com.  Many people helped review the design and implementation, including Kees Cook, Jamie Strandboge, Seth Arnold, Tyler Hicks, James Troup, Scott Moser, Steve Langasek, Gustavo Niemeyer, and others.

8. The Orange Box (May 2014)

• http://blog.dustinkirkland.com/2014/05/the-orange-box-cloud-for-free-man.html

In December of 2011, in my regular 1:1 with my manager, Mark Shuttleworth, I told him about these new "Intel NUCs", which I had bought and placed them around my house.  I had 3, each of which was running Ubuntu, and attached to a TV around the house, as a media player (music, videos, pictures, etc).  In their spare time, though, they were OpenStack Nova nodes, capable of running a couple of virtual machines.  Mark immediately asked, "How many of those could you fit into a suitcase?"  Within 24 hours, Mark had reached out to the good folks at TranquilPC and introduced me to my new mission -- designing the Orange Box.  I worked with the Tranquil folks through Christmas, and we took our first delivery of 5 of these boxes in January of 2014.  Each chassis held 10 little Intel NUC servers, and a switch, as well as a few peripherals.  Effectively, it's a small data center that travels.  We spend the next 4 months working on the hardware under wraps and then unveiled them at the OpenStack Summit in Atlanta in May 2014.  We've gone through a couple of iterations on the hardware and software over the last 4 years, and these machines continue to deliver tremendous value, from live demos on the booth, to customer workshops on premises, or simply accelerating our own developer productivity by "shipping them a lab in a suitcase".  I worked extensively with Dan Poler on this project, over the course of a couple of years.

9. Hollywood (December 2014)

• http://blog.dustinkirkland.com/2014/12/hollywood-technodrama.html

Perhaps the highlight of my professional career came in October of 2016.  Watching Saturday Night Live with my wife Kim, we were laughing at a skit that poked fun at another of my favorite shows, Mr. Robot.  On the computer screen behind the main character, I clearly spotted Hollywood!  Hollywood is just a silly, fun little project I created on a plane one day, mostly to amuse Kim.  But now, it's been used in Saturday Night Live, NBC Dateline News, and an Experian TV commercials!  Even Jess Frazelle created a Docker container. 

10. petname / golang-petname / python-petname (January 2015)

• http://blog.dustinkirkland.com/2015/01/introducing-petname-libraries-for.html

From "warty warthog" to "bionic beaver", we've always had a focus on fun, and user experience here in Ubuntu.  How hard is it to talk to your colleague about your Amazon EC2 instance, "i-83ab39f93e"?  Or your container "adfxkenw"?  We set out to make something a little more user-friendly with our "petnames".  Petnames are randomly generated "adjective-animal" names, which are easy to pronounce, spell, and remember.  I curated and created libraries that are easily usable in Shell, Golang, and Python.  With the help of colleagues like Stephane Graber and Andres Rodriguez, we now use these in many places in the Ubuntu ecosystem, such as LXD and MAAS.

If you've read this post, thank you for indulging me in a nostalgic little trip down memory lane!  I've had an amazing time designing, implementing, creating, and innovating with some of the most amazing people in the entire technology industry.  And here's to a productive, fun future!

Cheers,

:-Dustin