Liquid Software

By Moshe Yalo

January 17, 2017 by Fred Simon, JFrog Co-founder and Chief Architect, Co-author of Liquid Software: How to Achieve Trusted Continuous Updates in the DevOps World (2018).

Modern industry has evolved to the point where a company’s survival depends, amongst other things, on how quickly it can release software. This is true not only of technology companies, but also most companies- they all develop software to maintain their products, websites, eCommerce sites, reservation systems, mobile apps and more. Maintaining a competitive edge by continuously developing new capabilities, quickly fixing bugs and issues so as not to lose traffic, and rapidly resolving any security vulnerabilities to keep their systems safe are just a few of the reasons.

In the old days of monolithic, bi-annual software deliveries, a release was ceremoniously tagged with a version number, however that concept is melting away due to three factors. First, as companies use automation to reduce release cycles, customers are less and less concerned about the particular version they are running – they just want to be on the latest version. Second, as software becomes more and more distributed, software systems comprised of microservices don’t have a coherent overall version. Each microservice is updated independently, so the “macro version is constantly changing. Third is the explosion of connected devices making up the Internet of Things (IoT). As more and more devices get on the grid, managing the update of their software can only be handled through automatic updates, and devices don’t really care what version they’re running.

Extrapolating these trends into the not-so-distant future, we are moving towards a world where release cycles get so short, and microservices become so small that at any one time, it’s likely that something is being updated. In effect, software will become “liquid” in that we will be connected to “software pipes” that stream updates into our systems and devices; liquid software continuously updating our systems.

This mode of operation is already visible to some extent in our everyday lives. One example is Cloud services over which we have no control. The vendor updates the service and we just accept it transparently. Another example is the cellphone firmware and mobile app updates that most of us just accept, or configure our devices to let them happen automatically in the background, but for this to be widespread amongst enterprises there are still some challenges to overcome.

Trust and security:  Mechanisms must be in place to authenticate the many software providers that an enterprise uses, and to verify that the software flowing into their systems has not been tampered with.

Software quality: Since updates are automatic, software vendors must release software with a very high level of confidence.

Versionless software: Since software is becoming versionless, there must be some other way to identify exactly what a customer is running. For example, if a bug is found in production software, a vendor needs to identify which customer has received it. On the flip-side, if a customer reports a bug or an issue, the help-desk staff must be able to identify the software displaying it.

Transparency and coordination: With versionless software, there must be a different way to coordinate what is currently running with the software updating it to determine if the update is compatible and desired.

Decreasing release cycles: Companies are still struggling to reduce release cycles for several reasons: availability of tools, resistance to adoption of DevOps practices, the challenges of increasing automation and more. Nevertheless, there are companies that have reduced release cycles to a matter of seconds showing that it is indeed possible.

As software gets more and more distributed, and release cycles get shorter and shorter, eventually they will decrease to zero. At that point, software will be liquid, flowing continuously from development environments, through distribution platforms to automatically update systems and devices. The security risks inherent in automated systems with no human intervention will have to be mitigated by industry standard tools, and the whole process will have to be mediated through exhaustive metadata to provide transparency on the consumer side. As security and transparency progress, the emergence of automatic and continuous update of liquid software is only a matter of time.