Forem: Amy Hays

Upstream is June 7: Hear from maintainers of log4j and other top projects

Amy Hays — Wed, 31 May 2023 16:18:00 +0000

Upstream is one week away! Join us on June 7, and follow the trails blazed by open source maintainers of projects like log4j, Mongoose, urllib3, CherryPy—or walk the route of those using their creations at huge organizations like Fannie Mae, Amazon, Cisco, and more. RSVP now.

There's no other event quite like it—fully virtual, free, and multi-perspective, the goal of Upstream is to hear from everyone in open source—including maintainers and users alike.

Let's take a look at one hour-long block on the agenda. You can choose any of these paths:

1: Join us for the state of the open source maintainer panel featuring Jason Coombs of Setuptools and Cherrypy, Gary Gregory of the Apache Software Foundation, and Ceki Gülcü, creator of log4j version 1. Ever wondered what it was like to be on the maintenance team for a wildly popular project like log4j during one of the most notorious zero-day vulnerability fire drills? Here's your chance.

2: Tidelift co-founder Luis Villa sits down with Ben Adida, executive director of VotingWorks, to hear about the only open-source voting system used in United States elections.

3: Matthew Yonkovit of Scarf will share his tips, tricks, and best practices for open source adoption.

Throughout the day, we will hear directly from both the maintainers behind open source and the users who depend on their work. We expect some fascinating discussions, and can't wait to hang out with you for the day day.

BONUS: If you register and attend the event, we'll send you a free t-shirt and you'll be entered to win a $100 gift card. (Only those in the U.S. are eligible for the free shirt, sadly.)

The Upstream agenda is out, and it's 🔥

Amy Hays — Tue, 16 May 2023 16:28:01 +0000

It's happening! 🎉 The first pass at the Upstream agenda is out, and we hope you're ready for an action-packed day. If you haven't already marked June 7, 2023 on your calendars, you should do it now. RSVP here. ✅ (The first 500 U.S.-based registrants get a free shirt 👉...don't wait.)

This year’s theme is the accidental supply chain, and we can't wait to hear what the speakers have in store for you regarding this topic and others important to open source.

Here’s a preview of the day:

Luis Villa, Tidelift co-founder, will kick off the day by introducing the accidental supply chain theme—and give us some ideas for how the open source community can make it a little less...well... accidental.
Nithya Ruff, head of the open source program office at AWS, will discuss how we live in this world of unintended relationships between supplier and consumer, and who is responsible for making it work for both.
Allan Friedman, senior advisor and strategist at the U.S. Cybersecurity and Infrastructure Security Agency, will share a unique perspective as someone within the agency responsible for strengthening cybersecurity and infrastructure protection.
Julia Ferraioli, co-founder of Open Source Stories, will discuss how the sustainability and supply chain conversations oftentimes leave out a critical factor in the equation: the people and social systems without which there would be no open source.
Mike Milinkovich, executive director of the Eclipse Foundation, will discuss how well-meaning attempts to regulate the global open source phenomenon run the risk of killing the very thing that made it successful in the first place.
Taylor Fairbank, Director of Growth at Distributive Aid, will tell the tale of his accidental supply chain, describing how he went from OSS maintainer to humanitarian aid worker.
Jose Palafox, Strategic Application Security Executive at GitHub, will share ways to secure your open source project on Github.com.
And tons more talks from experts throughout the open source community.

Throughout the day, we will hear directly from both the maintainers of the accidental supply chain and the consumers who depend on them. We expect some fascinating discussion, and can't wait to hang out with you all day.

Have you registered? The first 500 U.S.-based registrants will get a free t-shirt. 👕 Inventory is very limited so register quickly!

Upstream is June 7. Will you be there?

Amy Hays — Thu, 20 Apr 2023 21:01:14 +0000

We’re busy finalizing the agenda for Upstream, which takes place virtually June 7. And wow, do we have some great talks in the lineup. We’ll be sharing the full agenda soon, but let’s dig into the theme and keynote speakers a little bit first.

This year’s theme is the accidental supply chain, which is a topic we’ve been thinking about a lot here at Tidelift, especially amid all the recent attention on improving cybersecurity from government and industry around the world. Most open source maintainers did not sign up to be a part of a global software supply chain; instead, they started working on open source to fulfill a need, or to learn new skills, or for a myriad of other reasons.

But as more organizations are focused on the security of open source, and governments around the world increase their focus on cybersecurity, open source maintainers are being asked to do more and more.

The good news: this increased attention on open source software security will hopefully produce more resilient software. The bad news: Who exactly do we expect to do that work? The unpaid volunteer maintainer who finds themselves a part of an accidental supply chain?

That’s the theme we’re exploring this year at Upstream, and we have an excellent group of keynote speakers who will guide us through the day.

Luis Villa, Tidelift co-founder, will kick off the day by introducing the accidental supply chain theme—and give us some ideas for how the open source community can make it a little less...well... accidental.
Nithya Ruff, head of the open source program office at Amazon, asks the question: How do we live in this world of unintended relationships between supplier and consumer, and who is responsible for making it work for both?
Allan Friedman, senior advisor and strategist at the U.S. Cybersecurity and Infrastructure Security Agency, will share a unique perspective as someone within the agency responsible for strengthening cybersecurity and infrastructure protection.
Julia Ferraioli, co-founder of Open Source Stories, will discuss how the sustainability and supply chain conversations oftentimes leave out a critical factor in the equation: the people and social systems without which there would be no open source.
Mike Milinkovich, executive director of the Eclipse Foundation, will discuss how well-meaning attempts to regulate the global open source phenomenon run the risk of killing the very thing that made it successful in the first place.

Interwoven between these keynotes, we’ll share talks from maintainers and enterprise technologists alike. We are still finetuning the agenda, but, spoiler alert: it’s shaping into an epic day you won’t want to miss.

The first 500 U.S.-based registrants are eligible for a free t-shirt. Stock is running low, so don’t hesitate. RSVP now!

Upstream is on June 7: keynote speakers and call for presentations

Amy Hays — Tue, 14 Mar 2023 16:36:25 +0000

Today, we’re delighted to announce our phenomenal keynote speakers for Upstream, which takes place virtually on June 7, 2023. As we’ve blogged about previously, this year’s theme is the accidental supply chain, and we can't wait to hear what these speakers have in store for you regarding this topic and others important to open source.

RSVP

Here’s who we have lined up:

Luis Villa, Tidelift co-founder, will kick off the day by introducing the accidental supply chain theme—and give us some ideas for how the open source community can make it a little less...well... accidental.
Nithya Ruff, head of the open source program office at Amazon, is an expert in the field, with decades of experience driving open source culture and coordination inside of organizations and engagement with external communities.
Allan Friedman, senior advisor and strategist at the U.S. Cybersecurity and Infrastructure Security Agency, will share a unique perspective as someone within the agency responsible for strengthening cybersecurity and infrastructure protection.
Julia Ferraioli, co-founder of Open Source Stories, will discuss how the sustainability and supply chain conversations oftentimes leave out a critical factor in the equation: the people and social systems without which there would be no open source.
Mike Milinkovich, executive director of the Eclipse Foundation, will discuss how well-meaning attempts to regulate the global open source phenomenon run the risk of killing the very thing that made it successful in the first place.

We are also hard at work finalizing the rest of the agenda. Have an idea for a presentation that fits into our theme or a related subject? Submit a presentation idea for consideration. Our call for presentations is open till April 7.

And don’t forget to register for the event if you haven’t already! The first 500 U.S.-based registrants will get a free t-shirt. If you get 5 more people from your organization to register, we’ll also send you a viewing party kit.

Save the date: Upstream 2023 is June 7

Amy Hays — Tue, 31 Jan 2023 19:25:00 +0000

Today we’re excited to announce the date for Upstream 2023, which will take place this year on June 7. Upstream is an entirely virtual one-day celebration of open source, the developers who use it, and the maintainers who make it.

Want to reserve your spot? The first 500 registrants are eligible for a free shirt (U.S.-based only, sorry). Register now.

We’ve also opened the call for presentations (deadline is April 7!), and are actively looking for speakers to help us explore this year’s theme: the accidental supply chain.

Our Upstream theme: the accidental supply chain

Picture this: you keep running into bugs in the JavaScript application you're building for work. All the debuggers you find online are old, unmaintained, and not very good, so you fork one, fix it, and then put it back online and share it under an open source license, so others can use this new debugger for their own projects. Suddenly, lots of others are using it, and you're stuck with a choice:

Do you:

continue maintaining this debugger so others, including you, can use it or;
let it fall into disrepair so someone else has to come along and make a new debugger or fix yours?

And that, folks, is just one way to become part of an accidental supply chain, the theme of Upstream 2023.

In the wake of an increasing number of cybersecurity threats, government and industry alike are developing new standards, requirements, and guidelines that they expect open source software to meet.

This dilemma is something Tidelift co-founder and Upstream co-chair Luis Villa has likened to unfunded mandates. In U.S. politics, an “unfunded mandate” occurs when a government requires someone else (usually, a lower-level government organization) to do new work, while not allocating funding for this work.

In the debugger example, this is like asking the unpaid maintainer to maintain this debugger to a new heightened industry security and maintenance standard so you can continue using it in your organization’s applications—but not paying them to do it.

We think the concept of an accidental supply chain is ripe for conversation this year, especially in light of increasing demands on open source maintainers. Obviously at Tidelift we think part of the solution is paying maintainers to do this important work, but there are plenty of other ways we can make the accidental open source software supply chain, well, a little less accidental.

We’ve opened our call for presentations, and want to hear from you! We’re accepting presentations until April 7, 2023, but don’t wait too long. Last year slots filled up very quickly. Submit your talk here!

And don’t forget to RSVP for the event. The first 500 registrants are eligible for a free shirt (U.S.-based only, sorry). Register now.

Choose your own adventure: Upstream is Tuesday! ⛰️

Amy Hays — Fri, 03 Jun 2022 15:41:03 +0000

Wow: Upstream is less than a week away! Are you joining us Tuesday, June 7? We’ll kick off the day at 9:45 a.m. ET to greet you (we call this the hallway track), then sessions officially begin at 10 a.m. and run till 6:30 p.m. ET.

We've been working hard to carve out the perfect agenda, and it’s almost complete. The day will be action-packed, so we wanted to give you a sneak peek at the first two hours.

Josh Simmons, senior ecosystem strategy lead at Tidelift, and Donald Fischer, Tidelift CEO and co-founder, will kick off the day, followed by Deborah Bryant of Red Hat, who will discuss zen and the art of contributor maintenance: what have you done for them lately?

Then it's time to choose your own adventure:

Trail 1: Join Josh Simmons as he hosts a panel discussion on what it means to be a good open source citizen, featuring Al Gillen of IDC, Alyssa Wright of Bloomberg, Duane O’Brien of Indeed, and Rob Underwood of Goldman Sachs.
Trail 2: Join Tidelift co-founder Luis Villa as he discusses the 'we' behind open source projects with Python maintainer Seth Michael Larson.
Trail 3: Nancy Gariché, a senior developer advocate for the GitHub Security Lab, will discuss a maintainer-first approach to open source security.

And that's just the first two hours! Having a hard time figuring out which trail you'd rather explore? Good news: everything will be recorded, so you can explore other talks whenever you'd like.

And our team will be live all day in the hallway, offering trivia, giveaways, and fun conversations, and we can help guide you to choose the right path for you. It’s going to be awesome.

Will we see you there? Register here.

You're invited: What's on the maintainer wishlist for Hacktoberfest?

Amy Hays — Mon, 18 Oct 2021 19:26:15 +0000

Hacktoberfest, a month-long celebration of open source software that encourages OSS enthusiasts and beginners alike to contribute to projects, seems like the perfect opportunity for first time contributors to start participating in open source... but what are some ways you can add to a project while you’re still learning?

Join us Thursday, October 21 at 1 p.m. ET / 10 a.m. PT as Tidelift ecosystem strategy lead Josh Simmons and maintainer Isabel Costa sit down to discuss this topic. Josh will share some stats from a recent maintainer-only survey about the areas where maintainers need help most. Spoiler alert: it involves documentation and testing. Isabel will share what sorts of pull requests she’s most likely to merge. Josh and Isabel will also discuss ways maintainers might be able to make Hacktoberfest a success for their projects.

This will be a fun, casual discussion in which Josh and Isabel will explore:

Why do people contribute to open source?
What is the definition of a meaningful contribution?
What are some good first steps someone can contribute?
What areas do maintainers most need help with?

Bonus: RSVP and attend, and we’ll send U.S.-based attendees our newest Pay the Maintainers t-shirt!

Maintainer interview: Maintainer Andrew Kamal thrives on innovation

Amy Hays — Thu, 08 Apr 2021 15:17:54 +0000

Meet Andrew Kamal, maintainer of decentralized-internet, an open source library he maintains across languages from JavaScript to Ruby. Andrew has been a software developer for 14 years, since back before git, when developers had to use other methods of source control. Right now, Andrew is focused on blockchain, crypto, and theoretical tech.

Andrew was drawn to open source originally because he loves connecting to lots of other people. He can build a piece of code, share it, and people are able to fork it really quickly.

“I want lots of people to connect to my network,” Andrew said. “If it was under a paywall, it wouldn’t have a lot of users.”

That’s Andrew’s favorite part of being a maintainer—knowing that his projects can be used to help people in unintended ways, like protein synthesis, COVID tracking (related to genomics, variants and synthesis), or analyzing underwater algae blooms. This specific project, the analysis of algae blooms, used an underwater wireless networking project that introduced Andrew’s software development kit (SDK) through a defined network.

“I was able to utilize sonar as well in order to transcribe wireless signals underwater and get data in real time from the underwater sensors,” Andrew said.

This use case represents why Andrew originally created decentralized-internet—he wanted to create an SDK for people to build out large-scale distributed computing projects and applications.

“The main motivation was truly decentralizing tech in the hands of the people,” Andrew said. “I also wanted to create a tool that is censorship-resistant and privacy-focused.”

Being a maintainer isn’t always sunshine and algae blooms, though. Maintenance includes lots of debugging, which can be frustrating to most maintainers. Andrew said it’s his least favorite part.

But there’s a lot of cool innovative tech happening these days to keep Andrew excited, tech like Berkeley Open Infrastructure for Network Computing (BOINC). BOINC allows anybody to create a volunteer or grid computing networking, and Andrew has used it for computational pipelines before. BOINC led to the inception of many cool projects, like a linguistics tool that used grid computing to translate ancient texts like the Dead Sea Scrolls and Coptic and Aramaic texts, plus other amazing projects that mine cancer, work to discover aliens, and study climate change.

One day, Andrew hopes to build something that aids in curing a disease like cancer. He’s also interested in building aerospace technologies.

“I’m passionate about building stuff,” Andrew said. Some people get into tech for the money, but Andrew thrives on the innovation. That’s how he finds time to work on open source even when he’s really busy. It’s his passion, he says, so he will carve out time for it.
--

Andrew Kamal partners with Tidelift to provide commercial backing for decentralized-internet as part of the Tidelift Subscription. If you’re interested in reading more interviews with maintainers, you can read them here.

Introducing Free as in Friday, a casual conversation about open source and more

Amy Hays — Thu, 04 Mar 2021 16:41:06 +0000

Last week, I asked Tidelift co-founder and resident licensing guru Luis Villa when we can schedule his next webinar. He said, and I quote: “I had a thought last week that I can’t shake. SpeakeasyJS is a lifter’s Friday-afternoon chat series. And I’m sort of wondering if we should do that, as a lower-pressure, more conversational alternative to webcasts and podcasts.”

I said: “I love it.”

So Luis and Josh Simmons, Tidelift ecosystem strategy lead and current president of the Open Source Initiative (OSI), just went ahead and hosted their very first Free as in Friday. This first episode focused largely on the Open Source Initiative's upcoming board elections, so they invited special guest Deb Nicholson, General Manager at the OSI, and spent a casual hour discussing all things OSI and what exactly “open source” means today.

Here are a few highlights:

“In a world where millions of people use open source, they have a lot of different definitions of ‘open source.’ How do you deal with that?”

“OSI recently published a new mission statement. How does that impact strategy?”

If you missed it, don’t worry! You can watch the full episode below. Join us live for another episode tomorrow, March 5 at 4 p.m. ET (1 p.m. PT) on our Twitch channel.

We have a great lineup over the next few weeks, too:

March 12: Luis and Josh will be joined by Ashley Williams of the Rust Foundation

And if you love traditional webinars as much as I do, don’t worry: Luis and Josh are hosting another AMA on March 31. You can register for that here.

How urllib3 maintainer Seth Larson streamlined the release process

Amy Hays — Tue, 18 Aug 2020 16:19:24 +0000

Seth Larson has a history of adopting unmaintained open source libraries. It’s not that he seeks out orphaned packages--it’s usually because an abandoned library touches a project he’s working on, and the package owner is happy to hand off maintenance to him.

There are security concerns with just handing off a package to a stranger, of course, but because Seth is the lead maintainer of much-depended-upon Python project urllib3, an HTTP client for Python, it’s easy to verify he isn’t a security threat.

Seth has been working on urllib3 since 2016 when the previous lead maintainer Cory Benfield noticed Seth’s work on a smaller project and suggested Seth contribute to the Python Hyper project. This led him to urllib3, of which he became lead maintainer in 2019.

Streamlining the release process

Seth has worked hard since he became lead maintainer to organize releases in a way that won’t break anything for the millions of projects depending on urllib3. The release process used to be all manual, and even Seth, probably the most qualified person to update a new release, was super anxious about breaking something.

It’s no longer manual now—they decided the solution was to limit human intervention as much as possible in the release process. This means anyone, even someone who isn’t a contributor, can start a release candidate. Once there’s a candidate, integration tests are executed from their CI before publishing the package to PyPI. It’s all automatically driven and takes minutes now, rather than hours of anxiety.

There's always a flip side, though. The ease of release makes urllib3 a high-value target for malicious actors, which is why Seth uses a hardware key or two-factor authentication to protect his Google, GitHub, and PyPI accounts and requires approval from either himself or urllib3’s author, Andrey, on files that control releases via GitHub Code Owners.

Finding work-life balance

Seth officially maintains 60 projects in the Python index, many of which are small projects where he fixed one or two things. Luckily, urllib3 is very stable due to its widespread adoption and many past contributions. Even better, the company he works for as his day job, Elastic, allows him to contribute improvements to projects like urllib3 that are related to his daily work.

Working full-time in addition to maintaining many open source projects can lead to a blurred work-life balance, something he struggled with in 2019.

“I honestly have a hard time figuring out life-work boundaries,” Seth said. “Like, I sign off work and spend a few more hours looking at GitHub.”

Being able to help people through his work on open source makes the extra effort worth it for Seth, though. As of this writing, urllib3 is just shy of 2 billion downloads, the 6th most downloaded project on PyPI.

“Any day, I just look at the number of downloads, it blows my mind how many people this is helping every time there’s a new release,” Seth said. “I see this number and I think that millions of people’s lives have been improved and all I did was click a button.”

Seth Larson maintains urllib3 through the Tidelift Subscription, providing commercial support and maintenance for the hugely popular Python project.

Wanna read more interviews with maintainers? Check out Tidelift's series of maintainer interviews here.

How Jordan Harband maintains hundreds of npm packages

Amy Hays — Thu, 25 Jun 2020 14:07:45 +0000

Meet Jordan Harband: he currently maintains more than 200 npm packages.

Jordan’s foray into the world of open source began serendipitously. His first job was as a social worker in a group home, but he soon realized it wasn’t possible to raise a family in the Bay Area on a social worker’s salary.

So he switched gears and focused on his other passion, which was programming, and used those skills to help start a company called MixMatchMusic in 2006 out of the CEO’s family garage. It was originally a music collaboration and remixing community, then morphed into a phone app.

How to become a maintainer

Though MixMatchMusic was moderately successful, it never totally took off, so he started working as an engineer at a company called BrightKite in 2010. That’s when he submitted his first pull request to fix a bug in a jQuery plugin, and his work as a maintainer began.

“Over time I would fix bugs and things,” Jordan said, “and a lot of maintainers will be like, ‘Here, you do it,’ and I’d take over a project, because the maintainer wanted help.”

His maintainer portfolio grew slowly over time. One of the more popular packages he maintains is called es5-shim, which offers ECMAScript 5 compatibility polyfills for legacy JavaScript engines, like Internet Explorer 9. Jordan’s work as a maintainer cinched him an invitation to ECMA International's TC39, which is a group of experts who collaborate with the community to maintain and evolve the definition of JavaScript. He’s now a member of the group and an editor of the specification.

Maintaining polyfills

Many of Jordan’s packages are JavaScript polyfills, which are pieces of code used to provide modern functionality on older browsers that do not natively support it.

“Once a polyfill is fixed and working you don’t have to touch it much,” Jordan said. “With polyfills, I don’t need to entertain feature requests.”

A systematic approach to maintenance

For the projects he maintains that aren’t polyfills, like a query string parser called qs, he fields many feature requests because everyone has a certain format that they would like to work. In cases like these, Jordan has a systematic approach to maintenance, which helps him keep his code healthy.

“There’s an art to envisioning in advance which abstractions are going to scale to more use cases and require less breaking changes,” Jordan said.

Besides filtering feature requests, Jordan tries to support a wide range of compatibility. This means for something like his qs project, he applies any new changes to almost every older release stream.

“My philosophy is to make it as easy as possible to upgrade to the newest versions of their dependencies,” Jordan said. “I don’t want my stuff to ever be the reason something is harder for people to upgrade. The slightly increased maintenance cost on small packages is really worth the objectively larger amount of pain that will be caused to other people if I don’t do that.”

The more dependencies the better

He’s also a firm believer in small, single-purpose modules, which is sometimes a controversial viewpoint.

“I think strong, separate modules, with more dependencies are better,” Jordan said. “It’s not overkill to make a separate one- or two-liner.”

Jordan cites the left-pad debacle as an example. Quick refresher: in 2016, a maintainer unpublished all of his 200-plus modules from npm, which resulted in millions of broken builds and failed installations.

A lot of people thought it was overkill to make a separate package for a functionality left-pad provided. However, because of Jordan’s work on the padStart proposal for TC39, he had found bugs in every potential left-pad replacement he’d found online.

“But if you write an independent module, and you do it well,” Jordan said, “you’re gonna test all possible inputs to your function and therefore if someone uses it in a way you don’t intend, you cover it. You can’t misuse it.”

Jordan’s process for writing quality code includes writing thorough tests, having lots of people review it, and getting lots of people using it. These processes make it possible for Jordan to maintain as many packages as he does, and feel confident that most of his modules will remain bug-free.

And if there’s a bug, he said, he’ll fix it. But he’s confident there won’t be many bugs.

--

Jordan Harband maintains his many JavaScript packages through the Tidelift Subscription, providing commercial support and maintenance for es5-shim, eslint-plugin-react, object-keys, qs, resolve, is-callable, define-properties, and more. If you’re interested in learning more about the benefits of managed open source, check out the 451 Research Pathfinder Report: Managed open source.

Image courtesy of Edgar Chaparro on Unsplash