<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: Cait Bixby</title>
    <description>The latest articles on Forem by Cait Bixby (@caitbixby).</description>
    <link>https://forem.com/caitbixby</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F956225%2Fd5248fa8-3dce-495f-b394-692976fa296a.png</url>
      <title>Forem: Cait Bixby</title>
      <link>https://forem.com/caitbixby</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/caitbixby"/>
    <language>en</language>
    <item>
      <title>Upstream preview: Welcome to Upstream 2024</title>
      <dc:creator>Cait Bixby</dc:creator>
      <pubDate>Tue, 04 Jun 2024 19:00:13 +0000</pubDate>
      <link>https://forem.com/tidelift/upstream-preview-welcome-to-upstream-2024-2p06</link>
      <guid>https://forem.com/tidelift/upstream-preview-welcome-to-upstream-2024-2p06</guid>
      <description>&lt;p&gt;&lt;em&gt;Upstream is this week on Wednesday (June 5!), and wow, our schedule is shaping up brilliantly. For the rest of this week, we’ll be giving you a sneak preview into some of the talks and the speakers giving them via posts like these. &lt;/em&gt;&lt;a href="https://upstream.live/"&gt;RSVP now&lt;/a&gt;!&lt;/p&gt;

&lt;p&gt;&lt;a href="https://explore.tidelift.com/upstream/main-2023/upstream-23-session-luis-villa-keynote?__hstc=151926246.97feb0f0180d1c08e142395baed37855.1710361664533.1717177892477.1717183981584.37&amp;amp;__hssc=151926246.1.1717183981584&amp;amp;__hsfp=3019692598"&gt;&lt;span&gt;Last year at Upstream&lt;/span&gt;&lt;/a&gt;&lt;span&gt;, we talked about the accident&lt;/span&gt;al “open source software supply chain,” a term coined to help others understand the breadth of open source, but with it came a problematic one-to-one comparison of open source and other supply chains.&lt;/p&gt;

&lt;p&gt;And clearly, open source maintainers weren't given the memo that they are part of this "supply chain." One poignant example:  the viral blog post “&lt;a href="https://www.softwaremaxims.com/blog/not-a-supplier"&gt;&lt;span&gt;I am not a supplier&lt;/span&gt;&lt;/a&gt;” by Thomas Depierre.&lt;/p&gt;

&lt;p&gt;What our discussions last year showed was that open source isn’t one-size-fits-all, and it’s not meant to be compartmentalized in a phrase—it’s vast, it’s complex, and with that comes problems, some of which have existed from the start. &lt;/p&gt;

&lt;p&gt;At this year’s Upstream, Tidelift co-founder and Upstream host, &lt;a href="https://upstream.live/speaker-2024/luis-villa"&gt;&lt;span&gt;Luis Villa&lt;/span&gt;&lt;/a&gt;, will be welcoming attendees with an introduction to the &lt;a href="https://upstream.live/"&gt;&lt;span&gt;Upstream 2024&lt;/span&gt;&lt;/a&gt; theme: unusual ideas to solve the usual problems. These are problems such as the rising consumption of open source, which puts stress on an already fatigued system—a system that sees big enterprise users relying heavily on open source projects created and maintained by unpaid volunteers. &lt;/p&gt;

&lt;p&gt;Open source’s popularity has made it an even more tempting target for those who seek to exploit it, and highly visible vulnerability incidents like the recent &lt;a href="https://tidelift.com/resources/xz-backdoor-hack" rel="noopener"&gt;xz utils backdoor hack&lt;/a&gt; have only added to the pressure. In the Upstream welcome, Luis will preview the day’s talks, including ones that illuminate these usual problems, like the panel “&lt;a href="https://blog.tidelift.com/upstream-session-spotlight-life-after-the-xz-utils-backdoor-hack" rel="noopener"&gt;life after the xz utils backdoor hack&lt;/a&gt;,” where we’ll hear maintainer and industry perspectives on the xz utils incident and what it means for the future of open source.&lt;/p&gt;

&lt;p&gt;However, it’s important to note that &lt;em&gt;solutions&lt;/em&gt; play a big role in this day, too. When faced with a massively complex issue with its history of failing solutions, it’s hard not to tap out and turn to cynicism. In spite of this, in his opening talk, Luis provides an optimistic take that aims to circumvent the cynics and highlights how we’re already tackling the heavily nested problems of open source with innovative and thoughtful solutions. This year’s Upstream is exciting because it’s asking its speakers and attendees to embrace the challenge of finding different solutions to everyday problems, and we hope to see you there.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://upstream.live/"&gt;&lt;span&gt;Register now&lt;/span&gt;&lt;/a&gt; for our one-day, free virtual event, Upstream, on Wednesday, June 5th. &lt;/p&gt;

</description>
      <category>upstream</category>
      <category>opensource</category>
      <category>cybersecurity</category>
      <category>maintenance</category>
    </item>
    <item>
      <title>Upstream preview: The value of open source software</title>
      <dc:creator>Cait Bixby</dc:creator>
      <pubDate>Tue, 04 Jun 2024 16:41:29 +0000</pubDate>
      <link>https://forem.com/tidelift/upstream-preview-the-value-of-open-source-software-2pfm</link>
      <guid>https://forem.com/tidelift/upstream-preview-the-value-of-open-source-software-2pfm</guid>
      <description>&lt;p&gt;&lt;em&gt;Upstream is next week on June 5, and wow, our schedule is shaping up brilliantly. For the rest of this week, we’ll be giving you a sneak preview into some of the talks and the speakers giving them via posts like these. RSVP &lt;/em&gt;&lt;a href="https://upstream.live/register?__hstc=23643813.d1ddc767e9f4955f3bdd2f1c64c72f8c.1654699542897.1716388421586.1716392544277.1287&amp;amp;__hssc=23643813.2.1716392544277&amp;amp;__hsfp=1649118565"&gt;&lt;em&gt;&lt;span&gt;now&lt;/span&gt;&lt;/em&gt;&lt;/a&gt;&lt;em&gt;!&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;When asked about the estimated value of open source software, it’s likely assumed to be a big number—surely in the billions. However, a team at Harvard Business School and the University of Toronto took on the task of &lt;a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4693148" rel="noopener"&gt;&lt;span&gt;investigating the value of open source&lt;/span&gt;&lt;/a&gt; and found it was worth approximately 8.8 &lt;em&gt;trillion&lt;/em&gt; dollars. (&lt;a href="https://blog.tidelift.com/eight-trilion-dollars-the-new-valuation-of-open-source" rel="noopener"&gt;&lt;span&gt;Read Tidelift co-founder and general counsel Luis Villa’s take on the announcement&lt;/span&gt;&lt;/a&gt;, including why he thinks it’s worth &lt;em&gt;even more&lt;/em&gt;.) In comparison, the entire U.S. electrical grid is valued at 1.5 to 2 trillion dollars, and the U.S. interstate highway system is valued at 750 billion dollars. &lt;/p&gt;

&lt;p&gt;Simply put: open source software is an exceptionally valuable resource. &lt;/p&gt;

&lt;p&gt;How did this number come to be? What does it mean for organizations using open source? Or those creating open source, the maintainers? Harvard Business School assistant professor &lt;a href="https://upstream.live/speaker-2024/frank-nagle"&gt;&lt;span&gt;Frank Nagle&lt;/span&gt;&lt;/a&gt; joins &lt;a href="https://upstream.live/speaker-2024/luis-villa"&gt;&lt;span&gt;Luis Villa&lt;/span&gt;&lt;/a&gt; at this year’s Upstream on Wednesday, June 5, to explain how the project came to be, how he and his team landed on the headline-worthy 8.8 trillion dollar number, and why it’s never been a more apt time to discuss the importance of open source in the software supply chain.&lt;/p&gt;

&lt;p&gt;If this number blows your mind (it should!) and you want to learn more, &lt;a href="https://upstream.live/"&gt;&lt;span&gt;register for Upstream&lt;/span&gt;&lt;/a&gt; and power up your calculators on Wednesday, June 5. See you there!&lt;/p&gt;

&lt;h2&gt;About Frank Nagle&lt;/h2&gt;

&lt;p&gt;Frank Nagle is an assistant professor in the Strategy Unit at Harvard Business School. Professor Nagle studies how competitors can collaborate on the creation of core technologies, while still competing on the products and services built on top of them. His research falls into the broader categories of the future of work, the economics of IT, and digital transformation and considers how technology is weakening firm boundaries.&lt;/p&gt;

&lt;h2&gt;About Luis Villa&lt;/h2&gt;

&lt;p&gt;Luis Villa is co-founder and general counsel at Tidelift. Previously he was a top open source lawyer advising clients, from Fortune 50 companies to leading startups, on product development, open source licensing, and other matters. Luis is also an experienced open source community leader with organizations like the Wikimedia Foundation, where he served as deputy general counsel and then led the Foundation’s community engagement team. Before the Wikimedia Foundation, he was with Greenberg Traurig, where he counseled clients such as Google on open source licenses and technology transactions, and Mozilla, where he led the revision of the Mozilla Public License. &lt;/p&gt;

&lt;p&gt;He has served on the boards at the Open Source Initiative and the GNOME Foundation, and been an invited expert on the Patents and Standards Interest Group of the World Wide Web Consortium and the Legal Working Group of OpenStreetMap. Recent speaking engagements include RedMonk’s Monki Gras developer event, FOSDEM, and as a faculty member at the Practicing Law Institute’s Open Source Software programs. Luis holds a JD from Columbia Law School and studied political science and computer science at Duke University.&lt;/p&gt;

</description>
      <category>opensource</category>
      <category>upstream</category>
      <category>cybersecurity</category>
      <category>security</category>
    </item>
    <item>
      <title>Upstream preview: Secure by design with Aeva Black and Jack Cable from CISA</title>
      <dc:creator>Cait Bixby</dc:creator>
      <pubDate>Fri, 31 May 2024 17:54:18 +0000</pubDate>
      <link>https://forem.com/tidelift/upstream-preview-secure-by-design-with-aeva-black-and-jack-cable-from-cisa-182h</link>
      <guid>https://forem.com/tidelift/upstream-preview-secure-by-design-with-aeva-black-and-jack-cable-from-cisa-182h</guid>
      <description>&lt;p&gt;&lt;em&gt;Upstream is next week on June 5, and wow, our schedule is shaping up brilliantly. For the rest of this week, we’ll be giving you a sneak preview into some of the talks and the speakers giving them via posts like these. &lt;/em&gt;&lt;a href="https://upstream.live/register?__hstc=23643813.d1ddc767e9f4955f3bdd2f1c64c72f8c.1654699542897.1716388421586.1716392544277.1287&amp;amp;__hssc=23643813.2.1716392544277&amp;amp;__hsfp=1649118565"&gt;&lt;em&gt;&lt;span&gt;RSVP now!&lt;/span&gt;&lt;/em&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;These days, secure by design is a fundamental concept when it comes to software development and security—it’s crucial in the open source software supply chain. The secure by design model often involves thorough vetting of ingested software, vulnerability prevention, transparency (such as Software Bills of Materials, or SBOMs), and a general responsibility for the security and maintenance of an organization’s software applications. With those components in mind, it’s no wonder that open source software plays a critical role.&lt;/p&gt;

&lt;p&gt;Recently, Tidelift signed the Cybersecurity and Infrastructure Security Agency (&lt;a href="https://www.cisa.gov/resources-tools/resources/secure-by-design"&gt;&lt;span&gt;CISA&lt;/span&gt;&lt;/a&gt;) &lt;a href="https://blog.tidelift.com/tidelift-signs-the-cisa-secure-by-design-pledge"&gt;&lt;span&gt;Secure by Design pledge&lt;/span&gt;&lt;/a&gt;. This Secure by Design pledge event, publicly held at the RSA conference in San Francisco on May 8th of this year, brought together companies and industry leaders to declare their efforts to work towards a more secure software supply chain, all while publicly documenting their progress. &lt;/p&gt;

&lt;p&gt;This industry-wide effort to improve the nation’s cybersecurity is a promising step towards building security into our technology products proactively, rather than bolting it on as an aftermarket capability, and we’re so excited to announce that we’ll be welcoming two of CISA’s leading cybersecurity experts at Upstream this year!&lt;/p&gt;

&lt;p&gt;&lt;a href="https://upstream.live/speaker-2024/aeva-black?hsLang=en"&gt;&lt;span&gt;Aeva Black&lt;/span&gt;&lt;/a&gt;, Section Chief for Open Source Security at CISA, and &lt;a href="https://upstream.live/speaker-2024/jack-cable?hsLang=en"&gt;&lt;span&gt;Jack Cable&lt;/span&gt;&lt;/a&gt;, Senior Technical Advisor at CISA, will be breaking down the details of Secure by Design, how it’s inspired by historical design-first initiatives, and how CISA is working with industry leaders to proactively improve business’ cybersecurity practices while working with and seeking feedback from the open source community. &lt;/p&gt;

&lt;p&gt;Tidelift CEO and co-founder &lt;a href="https://upstream.live/speaker-2024/donald-fischer?hsLang=en"&gt;&lt;span&gt;Donald Fischer&lt;/span&gt;&lt;/a&gt; hosts, and together they will be discussing next steps, desired outcomes, and how organizations can start securing the future of the software supply chain by working side-by-side with open source maintainers. If you’re looking to learn more about how the Secure by Design initiative was shaped and the actions organizations can take to start their journey into open source, you won’t want to miss this talk &lt;a href="https://upstream.live/"&gt;&lt;span&gt;at Upstream&lt;/span&gt;&lt;/a&gt; on Wednesday, June 5. &lt;/p&gt;

&lt;h2&gt;About Aeva Black&lt;/h2&gt;

&lt;p&gt;Aeva Black is the Section Chief for Open Source Security at the U.S. Cybersecurity and Infrastructure Security Agency, and an open source hacker and international public speaker with 25 years of experience building digital infrastructure and leading open source projects. They previously served on the OpenSSF Technical Advisory Committee, OpenStack Technical Committee, Kubernetes Code of Conduct Committee, and led open source security strategy within the Microsoft Azure Office of the CTO. In their spare time, Aeva serves on the Board of the Open Source Initiative and enjoys riding motorcycles and supporting the local LGBTQ+ community.&lt;/p&gt;

&lt;h2&gt;About Jack Cable&lt;/h2&gt;

&lt;p&gt;Jack Cable is a Senior Technical Advisor at CISA, where he helps lead the agency's work on open source software security and Secure by Design. At CISA, Jack authored CISA's Open Source Software Security Roadmap and has co-led community efforts to standardize the security of package repositories. Prior to that, Jack worked as a TechCongress Fellow for the Senate Homeland Security and Governmental Affairs Committee, advising Chairman Gary Peters on cybersecurity policy, including election security and open source software security. There, Jack was the principal author of the Securing Open Source Software Act. He previously worked as a Security Architect at Krebs Stamos Group. Jack also served as an Election Security Technical Advisor at CISA, where he created Crossfeed, a pilot to scan election assets nationwide. Jack is a top bug bounty hacker, having identified over 350 vulnerabilities in hundreds of companies. After placing first in the Hack the Air Force bug bounty challenge, he began working at the Pentagon’s Defense Digital Service. Jack holds a bachelor’s degree in Computer Science from Stanford University and has published academic research on election security, ransomware, and cloud security.&lt;/p&gt;

</description>
      <category>opensource</category>
      <category>upstream</category>
      <category>security</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>Upstream rewind: the 2023 Upstream maintainer panel and the insights that resonate in 2024</title>
      <dc:creator>Cait Bixby</dc:creator>
      <pubDate>Fri, 12 Apr 2024 15:06:04 +0000</pubDate>
      <link>https://forem.com/tidelift/upstream-rewind-the-2023-upstream-maintainer-panel-and-the-insights-that-resonate-in-2024-3cdn</link>
      <guid>https://forem.com/tidelift/upstream-rewind-the-2023-upstream-maintainer-panel-and-the-insights-that-resonate-in-2024-3cdn</guid>
      <description>&lt;p&gt;&lt;em&gt;As we count down to this year’s &lt;a href="https://upstream.live/"&gt;Upstream&lt;/a&gt;, we’ll be looking back at Upstream moments from years past. Discover how topics may have changed and how yesterday’s problems continue into today—and find out how they may lead into an uncommon solution to a common problem.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Last year’s Upstream theme was around the “accidental supply chain,” inspired by the rising determination by the industry to define the concept of an “open source supply chain” and the direct responses from open source maintainers challenging the notion, such as Thomas Depierre’s blog post entitled: &lt;a href="https://www.softwaremaxims.com/blog/not-a-supplier"&gt;I am not a supplier&lt;/a&gt;. In a traditional supply chain, there is a clear agreement between supplier and customer that includes a mutual exchange of value. An open source supply chain, by contrast, lacks this mutual exchange of value and, in its current state, is greatly imbalanced. &lt;/p&gt;

&lt;p&gt;In &lt;a href="https://blog.tidelift.com/2023-maintainer-state-of-the-union-upstream-panel"&gt;the final panel of the day&lt;/a&gt;, we were joined by open source maintainers Jason Coombs, Gary Gregory, and Ceki Gulcu, to discuss open source software standards, the open source software supply chain, and how open source users can give back to those who create the open source software they rely on. As we think about this year’s Upstream theme, “&lt;a href="https://blog.tidelift.com/upstream-is-june-5-2024"&gt;unusual ideas to solve the usual problems&lt;/a&gt;,” the topics of this final panel resonate and will no doubt echo throughout this year’s Upstream event. &lt;/p&gt;

&lt;h2&gt;Log4Shell, xz utils backdoor—what’s next?&lt;/h2&gt;

&lt;p&gt;With &lt;a href="https://tidelift.com/resources/xz-backdoor-hack"&gt;the attempted xz utils backdoor hack&lt;/a&gt; at top of mind, it’s hard to imagine it not appearing in discussions at this year’s Upstream. No doubt, with &lt;a href="https://robmensching.com/blog/posts/2024/03/30/a-microcosm-of-the-interactions-in-open-source-projects/"&gt;the open source community&lt;/a&gt; and &lt;a href="https://www.nytimes.com/2024/04/03/technology/prevent-cyberattack-linux.html"&gt;news outlets&lt;/a&gt; rolling out reactions and with many asking “how could this have been prevented?,” it will find itself at home in the maintainer panel, because who better to ask than the open source maintainers themselves? And for good reason, as &lt;a href="https://blog.tidelift.com/xz-tidelift-and-paying-the-maintainers"&gt;the xz backdoor&lt;/a&gt; highlighted, just as &lt;a href="https://blog.tidelift.com/log4shell-highlights-the-need-to-proactively-cooperate-with-open-source-maintainers-at-scale"&gt;Log4Shell&lt;/a&gt; did, the need to pay open source maintainers to build a stronger foundation for a secure and reliable software supply chain. &lt;/p&gt;

&lt;p&gt;The maintainer of xz who was facing the deliberate attack was, in &lt;a href="https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.html"&gt;his own words &lt;em&gt;at the time the hack began&lt;/em&gt;&lt;/a&gt;, “unpaid.”&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;“I haven’t lost interest but my ability to care has been fairly limited... it’s also good to keep in mind that this is an unpaid hobby project.”&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;The xz hack brings home the reality of life as an open source maintainer today. While paying open source maintainers is not the magic bullet, it should be considered the cornerstone of the efforts we as a community need to employ to improve the security and resilience of open source. &lt;/p&gt;

&lt;p&gt;One of the maintainers on last year’s open source panel, Gary Gregory, reflected on the demand during the Log4Shell incident: &lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;“When Log4Shell came in, the whole team stopped what they were doing and we dealt with that. I [was] on vacation that week. &lt;strong&gt;So vacation ‘bye-bye’&lt;/strong&gt;.”&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;A maintainer cannot drop everything for every urgent case to address the needs of a hobby project. Without compensation and a network of support, there are competing needs that, in some cases, will trump the security and maintenance of an unfunded project—a day job, mental and physical health, and more. In cases like Log4Shell and xz, the demand for fixes comes from all angles, and without support, the result is maintainer burnout. &lt;/p&gt;

&lt;h2&gt;Pay the maintainers! 📣&lt;/h2&gt;

&lt;p&gt;We shouldn’t have to ask maintainers to stop their lives to work hours on an issue without pay while organizations profit off of their efforts. Recently, open source was valued as &lt;a href="https://blog.tidelift.com/eight-trilion-dollars-the-new-valuation-of-open-source"&gt;a trillion-dollar industry&lt;/a&gt;, and open source maintainers are rarely the ones seeing the monetary benefits. &lt;/p&gt;

&lt;p&gt;Open source maintainers are usually unpaid volunteers who are often working as &lt;a href="https://blog.tidelift.com/open-source-maintenance-can-be-stressful-lonely-and-financially-unrewarding"&gt;a one-person team&lt;/a&gt;, many of whom are experiencing maintainer burnout. In our 2023 state of the open source maintainer survey, &lt;a href="https://blog.tidelift.com/maintainer-burnout-is-real"&gt;we found that almost 60%&lt;/a&gt; of maintainers have quit or considered quitting maintaining one of their projects. Here is what the open source maintainers from the panel had to say regarding compensation:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;“There’s a reason why corporations employ people and pay them. Because that’s the best way to get work done. &lt;strong&gt;Getting paid should be considered normal, not out of the ordinary.&lt;/strong&gt;” &lt;br&gt;
Gary Gregory&lt;/p&gt;

&lt;p&gt;“It’s only recently that I'm discovering that you can actually earn a living by doing open source. And I think it's a discovery for me, and &lt;strong&gt;I hope that this will become a possibility for other people as well.&lt;/strong&gt;” &lt;br&gt;
Ceki Gulcu&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Additionally, we’ve found that &lt;a href="https://blog.tidelift.com/the-more-maintainers-get-paid-the-more-they-work-on-open-source"&gt;the more maintainers get paid&lt;/a&gt;, the more they work on maintaining their open source projects and &lt;a href="https://tidelift.com/tidelift-2023-open-source-maintainer-impact-report"&gt;the more time they have to commit to aligning their projects&lt;/a&gt; to government and industry standards. A reliable income means more breathing room, more time to get projects where they want them to be. &lt;/p&gt;

&lt;p&gt;— — — — — —&lt;/p&gt;

&lt;p&gt;At this year’s Upstream, we’re excited to host another maintainer panel and &lt;a href="https://upstream.live/"&gt;we hope to see you there&lt;/a&gt; for the virtual event on June 5th! If you’d like to watch last year’s maintainer state of the union panel, you can &lt;a href="https://blog.tidelift.com/2023-maintainer-state-of-the-union-upstream-panel"&gt;watch it on-demand by following this link&lt;/a&gt;. &lt;/p&gt;

</description>
      <category>upstream</category>
      <category>maintainers</category>
      <category>opensource</category>
      <category>xz</category>
    </item>
    <item>
      <title>Upstream speaker spotlight: Mike Milinkovich, executive director of the Eclipse Foundation</title>
      <dc:creator>Cait Bixby</dc:creator>
      <pubDate>Mon, 05 Jun 2023 14:00:00 +0000</pubDate>
      <link>https://forem.com/tidelift/upstream-speaker-spotlight-mike-milinkovich-executive-director-of-the-eclipse-foundation-1l9a</link>
      <guid>https://forem.com/tidelift/upstream-speaker-spotlight-mike-milinkovich-executive-director-of-the-eclipse-foundation-1l9a</guid>
      <description>&lt;p&gt;Upstream is this week—June 7!—and wow, our schedule is shaping up brilliantly. Over the next few days we’ll share more details about the amazing speaker lineup. &lt;a href="https://upstream.live/"&gt;RSVP now&lt;/a&gt;!&lt;/p&gt;

&lt;p&gt;Next up in our absolutely amazing speaker line up: Mike Milinkovich, executive director of the Eclipse Foundation. A little bit more about Mike:&lt;/p&gt;

&lt;p&gt;Mike Milinkovich is a recognized industry leader and open source community champion. He has been involved in the software industry for over 30 years, doing everything from software engineering, to product management, to IP licensing. He has been the Executive Director of the Eclipse Foundation since 2004. In that role he is responsible for supporting both the Eclipse open source community and its commercial ecosystem. As an industry leader, Mike has sat on the Boards of the Open Source Initiative (OSI) and the OpenJDK community, as well as the Executive Committee of the Java Community Process (JCP).&lt;/p&gt;

&lt;p&gt;Mike’s talk, &lt;a href="https://upstream.live/schedule"&gt;Open source won, now comes the hard part&lt;/a&gt;, is so relevant it hurts. Open source is truly a magnificent feat of human collaboration—and, as Mike says in his abstract, one of the most successful socioeconomic experiments in history.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://blog.tidelift.com/open-source-is-everywhere-survey-results-part-1"&gt;A Tidelift study&lt;/a&gt; we conducted a few years ago showed that over 92% of all software is built upon open source components. This means without open source, the world as we know it wouldn’t exist—think internet, smartphones, and social media, but those are just a few examples. But, Mike notes, with great success comes great responsibility. Responsibility that we have collectively managed to avoid. Until now. And this is the painful part. Around the world, governments are realizing that there is a global community, shaping the future that they don’t even influence, never mind control. And a global supply chain of open source software which is simultaneously unmanaged, unregulated, unsecured and critical to economic success.&lt;/p&gt;

&lt;p&gt;The days of unconstrained open source innovation are coming to an end. The question is, what comes next? Well-meaning attempts to manage, regulate, and secure the global open source phenomenon run the risk of killing the very thing that made it successful in the first place: the ability to study, modify, and freely distribute a program with everyone, for any purpose.&lt;/p&gt;

&lt;p&gt;Mike’s talk is going to discuss how we got here, and examine some policy options for the future that will protect open source from being destroyed by its own success. And we are eager to hear what he has to say, especially coming from his unique perspective as executive director of an open source community. &lt;/p&gt;

</description>
      <category>opensource</category>
      <category>maintainer</category>
      <category>upstream</category>
    </item>
    <item>
      <title>Upstream speaker spotlight: Nithya Ruff, head of the open source program office at Amazon</title>
      <dc:creator>Cait Bixby</dc:creator>
      <pubDate>Thu, 01 Jun 2023 14:00:00 +0000</pubDate>
      <link>https://forem.com/tidelift/upstream-speaker-spotlight-nithya-ruff-head-of-the-open-source-program-office-at-amazon-1jm8</link>
      <guid>https://forem.com/tidelift/upstream-speaker-spotlight-nithya-ruff-head-of-the-open-source-program-office-at-amazon-1jm8</guid>
      <description>&lt;p&gt;Upstream is next week—June 7!—and wow, our schedule is shaping up brilliantly. Over the next week we’ll share more details about the amazing speaker lineup. &lt;a href="https://upstream.live/"&gt;RSVP now&lt;/a&gt;!&lt;/p&gt;

&lt;p&gt;We kicked off these speaker highlights &lt;a href="https://blog.tidelift.com/upstream-speaker-spotlight-julia-ferraioli-co-founder-of-open-source-voices"&gt;with Julia Ferraioli of Open Source Stories&lt;/a&gt;, who closes the day with her talk, How we treat others is a supply chain issue.&lt;/p&gt;

&lt;p&gt;Next up: Nithya Ruff! We are delighted to have Nithya Ruff, head of the open source program office at Amazon, as our opening external speaker at Upstream on June 7, 2023. Nithya will share her perspective on the accidental relationship between open source maintainers and consumers.&lt;/p&gt;

&lt;p&gt;Most independent open source developers never intended to be a supplier to a Fortune 50 critical infrastructure project. Imagine a home cook suddenly having to serve their food intended for daily consumption, in a 2-star Michelin Restaurant. It was just not built or ready for that level of expectation and scrutiny. &lt;/p&gt;

&lt;p&gt;In reality, that is what is happening with the success of open source in the world. Small one or two person projects suddenly come into the spotlight and discover that the world is now depending on them. To be fair, the Michelin restaurant did not know that their component came from a small home cook or a small farmer. It was brought in accidentally by their chefs or purveyors. It was all an accidental relationship that they now need to live with. &lt;/p&gt;

&lt;p&gt;How do we live in this world of unintended relationships between supplier and consumer, and who is responsible for making it work for both?&lt;/p&gt;

&lt;p&gt;More about Nithya: Prior to Amazon, she started and grew Comcast and Western Digital’s Open Source Program Offices. Nithya first glimpsed the power of open source while at SGI in the ‘90s and has been building bridges between companies and the open source community ever since. She’s also held leadership positions at Wind, Synopsys, Avaya, Tripwire and Eastman Kodak.&lt;/p&gt;

&lt;p&gt;She is a passionate advocate and a speaker for opening doors to new and diverse people in technology and can often be seen speaking and writing on this topic. In fact, Nithya joined us for a panel discussion on &lt;a href="https://tidelift.com/webinar/best-practices-for-inclusive-development/on-demand"&gt;best practices for inclusive development&lt;/a&gt; back in October 2022.&lt;/p&gt;

&lt;p&gt;We can’t think of a better person to help us kick off the discussion on the accidental supply chain at Upstream on June 7, 2023. &lt;a href="https://upstream.live/"&gt;RSVP so you don’t miss it&lt;/a&gt;!&lt;/p&gt;

</description>
      <category>opensource</category>
      <category>maintainers</category>
      <category>upstream</category>
    </item>
    <item>
      <title>Upstream speaker spotlight: Julia Ferraioli, co-founder of Open Source Voices</title>
      <dc:creator>Cait Bixby</dc:creator>
      <pubDate>Wed, 31 May 2023 20:17:17 +0000</pubDate>
      <link>https://forem.com/tidelift/upstream-speaker-spotlight-julia-ferraioli-co-founder-of-open-source-voices-4lia</link>
      <guid>https://forem.com/tidelift/upstream-speaker-spotlight-julia-ferraioli-co-founder-of-open-source-voices-4lia</guid>
      <description>&lt;p&gt;&lt;em&gt;Upstream is a week away—June 7!—and wow, our schedule is shaping up brilliantly. Over the next week we’ll share more details about the amazing speaker lineup. &lt;a href="https://upstream.live/"&gt;RSVP now&lt;/a&gt;!&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;This is the second year in a row that Julia Ferraioli is speaking at Upstream, and we are so happy that she agreed to join us again. &lt;/p&gt;

&lt;p&gt;A little about Julia: she is an open source engineer, scientist, and analyst with over a decade of experience in launching, managing, and optimizing open source projects at scale at companies such as Google, Twitter, and Cisco. &lt;/p&gt;

&lt;p&gt;Most recently, she is the co-founder of Open Source Stories, contributor to LeadDev, and sought-after conference speaker. Her background includes research in machine learning, robotics, HCI, and accessibility. Julia finds energy in developing creative demos, creating beautiful documents, and rainbow sprinkles. She’s also a fierce supporter of LaTeX, the Oxford comma, and small pull requests. (We love the Oxford comma over here on the Tidelift events team, too.)&lt;/p&gt;

&lt;p&gt;Julia will be the closing keynote speaker at Upstream this year; her talk, titled &lt;a href="https://upstream.live/speaker-2023/julia-ferraioli"&gt;How we treat others is a supply chain issue&lt;/a&gt;, fits in beautifully with the theme of this year’s event: The accidental supply chain. She will discuss how the sustainability and supply chain conversations often leave out a critical factor in the equation: the people and social systems without which there would be no open source.&lt;/p&gt;

&lt;p&gt;Julia has written about the people and social systems of open source in the past, specifically in this blog post: &lt;a href="https://www.juliaferraioli.com/blog/2022/open-source-social-systems/"&gt;Open source and social systems&lt;/a&gt;; and spoke about this last year at Upstream in her talk: &lt;a href="https://explore.tidelift.com/upstream/main-upstream-2022/session-julia-ferraioli"&gt;A social model of open source: all the dynamics that are fit to print&lt;/a&gt;. We are excited to hear her more directly relate this topic to the open source supply chain, because sometimes people forget about the actual, real people who are creating and maintaining the code.&lt;/p&gt;

&lt;p&gt;We can’t think of a better person to help close a day full of the discussion on the accidental supply chain at Upstream on June 7, 2023. &lt;a href="https://upstream.live/"&gt;RSVP so you don’t miss it&lt;/a&gt;!&lt;/p&gt;

</description>
      <category>opensource</category>
      <category>maintainers</category>
      <category>upstream</category>
      <category>community</category>
    </item>
  </channel>
</rss>
