Forem: Vincent

How to bootstrap your first developer conference

Vincent — Mon, 24 Jan 2022 21:07:24 +0000

We were stoked to pull off the first Ory Summit in October 2021, bringing
together an all-star group of developers who presented on the diverse ways in which they use Ory open source products. We bootstrapped the two-day Ory Summit with a core team of three people, supported by the rest of Ory, plus the presenters, members of our open source community who were generous with their time and energy.

All Ory Summit 2021 presentations can be watched again here.

Normally such events are executed with three times the amount of resources and
time, so we had to find an efficient framework for making our first conference a
success. In retrospect, we learned loads about how to run a live digital event
for developer communities, and that’s what we want to share in this article.

Why we held the Summit

Digital human communities usually center around recurring events that bring them
together in one place to share a communal spirit, exchange ideas, and get to
know each other. The Ory Summit is the first recurring event for the Ory
Developer Community.

Ory services provide free and open identity infrastructure for a lot of different platforms – examples include an Anime media aggregator called Animeshon, or SumUp, a payments company specializing in solutions for small businesses. We thought our developer community would enjoy more opportunities to share the challenges and solutions that arise as they integrate Ory services.

So you want to bootstrap a developer conference?

1. The Basics

Know your audience

It is hard to overstate how important this is. If you know your audience well,
you'll understand what they expect from a community event and how to reach and
engage them best. If you lack a clear picture of who your audience is, you may
cast the net too wide. Ask yourself: Do you want to organize an event for a
wide audience or the members of your community?

Good internet connection

This is self-explanatory. If your internet connection is not tailored to
support high-quality streaming, you'll have a bad time. 4-5mb/s up speed
should be the minimum to stream in decent quality; more is better!

Keep it simple

Don't overcomplicate the event. In practice, this means you have to cut
certain activities/parts of the event. If a half-comatose person can follow
your event proceedings, organization, and planning: you're doing it right. If
people need a half-hour introduction into how everything works and they still
don't get it, you have a problem, officer.

2. The Stack

If you have nothing but the basics mentioned before and some frontend skills, we
recommend the following for your tech stack:

Vercel Event Frontend
Youtube

It's free and easy to stream on Youtube, performance is good, and it's unlikely that your stream goes down. Plus, most people know the platform.

Chat

We use Slack for chats. Discord is also an option, plus a myriad of other chat apps. If you already have a chat platform for your community, just use that!

Authentication

GitHub OAuth. Most developers have a GitHub account. If you want an email/password option and more control, we recommend using Ory Cloud.

3. The Preparation

Prepare talks, workshops and find speakers:

This could be an article by itself so we'll keep it brief. Since you have
clearly defined your goals and audience for the conference, finding suitable
topics, workshops and speakers should come naturally. Keep your eye out for
opportunities; talk to your team, users, top community members, and
grandmother about presenting, organizing a workshop, or managing a Q&A
session. You may also want to publish a "Call For Papers". A CFP describes the
themes, topics, and formalities of the conference and lists important
information such as deadlines or the format of submissions.

Once we had all the speakers, workshops, and sessions lined up, we sent out a
"Speakers Package" to onboard speakers. The package contained a collection of
banners/logos/cards for social media and a step-by-step guide on how to use
the event platform and ensure smooth, stress-free performance on the day of
the event.

Organize backup presentations:

Hope for the best and plan for the worst. As with any live event, it’s
necessary to plan for last-minute cancellations or emergencies. Line up at
least a couple of replacement talks, which can come from your team or anyone
else you feel comfortable asking to be a replacement. You can also use group
discussions or ad-hoc workshops/hacking tutorials as backups, but keep in mind
that those require extra time and effort to plan. If all goes well and no
backups are required on event day, plan for a one-off session or a "surprise"
session near the end of the event to make use of one of them.

Practice with a dry run:

Create an environment that lets you simulate the real event as accurately as
possible. Ask members of your team/friends/relatives to act as fake visitors
or presenters. Don't do too many dry runs to preserve the goodwill of the
lovely people helping you. My specific advice: do one initial dry run followed
by one final "dress rehearsal". Feedback should be shared after the first dry
run and been taken care of when doing the dress rehearsal, which should
resemble a finalized version of the event.

Promote the event:

Our main channels for promoting the Ory Summit are the Ory Community Slack,
our newsletter, word-of-mouth, banners on our website, Twitter, and LinkedIn.
The most effective were our Slack, newsletter, and word of mouth. The optimal
place to market your event depends on where you interact most with your
community. In our context, personal connections and word-of-mouth are more
powerful means than traditional ads. We also promoted the conference on our
GitHub, some developer conference lists, and in team members' personal
networks. There are many ways to promote a conference and it's one of the most
crucial ingredients of a successful event.

4. The Event

Seemingly a million things occur in the days leading up to a conference. Here
are some general tips to ensure success:

Don't panic.
Keep the team and yourself fed, watered, and as well-rested as possible.
Double-check the technical infrastructure before and during the event, including equipment for recording, streaming, audio, and network connectivity.
Have fun.
Celebrate with an after-party 🥳.

5. What else?

Remember to keep it simple: Some things are mandatory, like a proper Code of Conduct (the geekfeminism CoC or the Berlin CoC are good examples), or good audio quality (encourage speakers to use headsets/earpieces with boom microphones instead of AirPods). Other features are optional for your first bootstrapped developer conference.

Here are several topics that we didn't delve into, but should be considered:

Code of Conduct & Inclusivity
Audio & Video Quality Optimization
Visual Branding
Landing Page
Interaction with Audience/Q&A
Interactive Workshops
Merchandise
Sponsors
Tickets (Free/Paid) ...and much more

6. After the event

Publish recorded presentations:

Remember to get permission from the speakers to do this!
Do a retrospective to get feedback:

We sent out an exit survey that 10% of the attendees filled out and asked Ory
team members to share feedback. Here are a few things we want to improve at
the next Ory Summit:

Use a simple event platform.
Publish recordings directly after the sessions.
Plan backups earlier.
More content for non-technical people.
More workshops & beginner sessions.

Analyze the data:

This depends on what you collected. Our main source of data was the exit
interview and some attendance metrics collected on the platform.
Organize the next event:

Take a deep breath, and begin planning your next event.

Ory Summit 2022 ⛰️

In light of how much fun we had at our first event, we are stoked for the Ory Summit 2022. Preparation has already begun and we will soon publish a call for papers and more. If the global health situation permits, there will be an option to attend the Ory Summit in person this year. It will take place in Q2/Q3 – the exact date coming soon.

We have many things planned for this year. While not wanting to spoil the
surprise, I think this is going to be the biggest Ory event ever 😁.

Thanks for reading and participating in the Ory Summit 2021. If you want to participate or help in any way, please reach out [via email(mailto:office@ory.sh) or on our chat.

Sustainable Open Source Software

Vincent — Wed, 15 Dec 2021 13:56:14 +0000

In this article we discuss the log4j incident, why people are worried about the open source software (OSS) supply chain, and how to work towards fixing it.

The spark: Log4Shell

Last week (Dec 9th) a major vulnerability was discovered in an open source logging project for Java called log4j. The vulnerability called Log4Shell would allow anyone to remotely run arbitrary code if they sent a message in the right format to the server. This is one of the worst attacks your system can be susceptible to and if you are interested in the technical details of the problem, here is an overview. The attack surface of Log4Shell is staggering, Amazon, Apple, Google, and the Apache Server are affected; it can almost not get bigger than this. We will see the real fallout of Log4Shell in the next weeks and months as right now servers worldwide are being scanned and prodded for this vulnerability.

Since there have been many supply chain attacks recently,the whole conundrum sparked a debate in the OSS and infosec community: Many believe that the OSS ecosystem is broken, maintainers need to become more professional and make OSS maintainer a real job. Some argued that in this case the problem was not that maintainers were unpaid, burnt out, and taken advantage of, but more how this particular feature was implemented in log4j (Note: Maintainer burnout is still a real and significant problem for security). Others insisted that open source is not broken - society and capitalism are the real culprits and everyone involved in OSS knows what they are getting into.

Open source as a model of distribution, development, or business is not a model of either a dystopian nightmare or an utopian dream. Every project is different and there are no silver bullet solutions to sustainability.

Open source maintainer as a real job

It is a real problem that software engineers maintaining critical software infrastructure used by governments and corporations worth billions are not able to make a living off of it. Maintainers often can only work on OSS in their free time. This is fine for a pet project, but critical infrastructure projects, such as logj4, should be more resilient. People who are well off enough or receive
enough donations to be able to work on their projects full-time are likely a tiny fraction of all open source maintainers.

In a perfect world, everyone who is maintaining such an important piece of code can do it full time and with adequate compensation. But this is not a perfect world. The best we can do is work on securing each link in the chain.

Sponsorships

GitHub sponsorships and
Open Collective are a good start, but not enough to sustain infrastructure development. For example, the Ory ecosystem (most notably Ory Hydra) - used by billion-dollar companies and securing >30 billion requests per month - has received 22k $ on Open Collective over the last six years. That is not a small amount compared to what most other OSS projects receive. Still, if split between the two original core maintainers
(@aeneasr and @zepatrik) it would amount to about 150$/month over the years, which is an absurd amount for a full-time maintainer that requires a deep level of expertise in security, cryptography and web infrastructure - not counting the additional maintainers
that have been added to the project since its inception.

Towards sustainable open source maintainership

Making a living off open source software and being able to work full time on it is a dream for many maintainers. At Ory, we are working hard to make this dream come true. All our open source packages (visit this page for a full overview) are now led by maintainers paid full time for their work.

Here are three practical steps that every OSS maintainer can take if they would want to professionalize their project:

Ask for help

Reach out to your network of contributors, maintainers, and software engineers.
See if anyone using your software at a business can make a sponsorship happen - much is possible when you are asking the right people.

Incorporate

This sounds scary, but it will be much easier (or rather possible at all) to collect funds from BigCorp if you are an LLC.

The trick is that you can easily incorporate a pass-through US LLC and open a business account for it even if you're not a US citizen.
(source)

Professionalize

Create a GitHub/GitLab organization for the project to make it more resilient (multiple code owners). Set up a landing page with clear links to your sponsorship channels and contact information.

This only scratches the surface of what is required to make OSS development sustainable. At Ory, we build a commercial service on top of our OSS work. This creates a positive feedback loop: As everyone is using the same base Ory services, improvements on the commercial Ory Cloud are based on improvements to Ory Open Source, while contributions from the OSS
community benefit users of Ory Cloud in the same way.

What about dependencies?

Dependencies play a major role in the saga of the log4j vulnerability and security complications in general. It is mind-boggling how big dependency trees can get, in many cases, people had no idea they were even running log4j between the thousands of dependencies in their stack.

Ory depends on many software packages (e.g. see the dependency list of Ory Kratos here), so it is also in our and our users best interest to ensure a secure and hardened OSS supply chain. Ory uses automated tooling in the CI pipeline to scan docker images and npm-packages for vulnerabilities as well as carrying out regular independent security audits of our libraries and dependencies. A "Software Bill Of Materials" can help as well, watch out for this topic in an upcoming blog post.

Conclusion

Is the path we chose at Ory the definite and only way to build and sustain open source software?

Probably not. For many projects a professional commercial structure would be overkill and many maintainers - for good reason - don't want to deal with the administrative, legal, and other matters that come with running a professional business. There are options for OSS maintainers to make a living off their craft, many more than there used to be just a few years ago. Big companies often want to support and fund the open source software their business runs on. The structures and frameworks for them to do this efficiently are still emerging, but we are confident that the future of software lies in OSS.

Open source isn’t broken. It’s working exactly as intended, and it’s by far
the most powerful force in the technology world, and it will outlive any of
the corporations so many people bend over backward to please today.
(source)

Fund open source software

How to pay for free software.
Back your stack analyzes the codebase and shows OSS dependencies and where to fund them.
GitHub Sponsors, the same principle as above on GitHub.
How to talk to your company about sponsoring an open source project.

If you want to support Ory Open Source, find us on Open Collective or better yet sign up for Ory Cloud and get immediate value for your support.

Ory Developer Conference

Vincent — Wed, 06 Oct 2021 14:43:13 +0000

Hey 👋

We are excited to invite you to our first developer conference Ory Summit, taking place on October 28th and 29th, 2021.

free , virtual
28.10 + 29.10

Topics range from

how to build your own Google-like IAM from scratch with open source,
modernizing your identity stack,
building robust authorization and authentication to
how to bootstrap a scalable complete SaaS infrastructure.

You will also have the chance to get some crisp and exclusive Ory Summit merch just by attending!

Learn more and Sign up here

First open source implementation of the Google Zanzibar

Vincent — Thu, 08 Apr 2021 15:09:31 +0000

Hey,

I just wanted to show you our open source implementation of the Google Zanzibar paper.
We just released the first working version:

https://github.com/ory/keto/releases/tag/v0.6.0-alpha.1

We spent a lot of time and effort to read, learn, and analyse the paper (https://research.google/pubs/pub48190/) and the release brings that all together.

There are still many things missing, but with a great community we hope to build the “Kubernetes” of permissions and access control!

I quote a bit from the paper to make clear what Ory Keto is:
"Determining whether online users are authorized to access digital objects is central to preserving privacy. [...]. Zanzibar provides a uniform data model and configuration language for expressing a wide range of access control policies from hundreds of client services at Google, including Calendar, Cloud, Drive, Maps, Photos, and YouTube. Its authorization decisions respect causal ordering of user actions and thus provide external consistency amid changes to access control lists and object contents. Zanzibar scales to trillions of access control lists and millions of authorization requests per second to support services used by billions of people. It has maintained 95th-percentile latency of less than 10 milliseconds and availability of greater than 99.999% over 3 years of production use."

If you have any questions, I am happy to answer them.

Ory Hydra 1.9: Open Source OAuth2/OIDC Provider

Vincent — Wed, 13 Jan 2021 11:31:44 +0000

ORY Hydra 1.9 has been released!

ORY Hydra is an OAuth 2.0 and Certified OpenID Connect Provider and implements all the requirements stated by the OpenID Foundation.
It issues OAuth 2.0 Access, Refresh, and ID Tokens that enable third-parties to access your APIs in the name of your users.

The open-source project has been built by the ORY community for about six years and we are proud to have handled more than 10 billion API requests in December 2020 from over 23.0000 different production environments.

ORY Hydra is written completely in GO, security first, high performance and developer friendly.

We value our community greatly and most development is driven by input from the community.

Check if ORY Hydra is the right fit for you!

ORY Hydra 5 Minute Tutorial: Set up and use ORY Hydra using Docker Compose in under 5 Minutes. Good for quickly hacking a Proof of Concept.

Check out our Discussions on Github or our chat if you have any questions or feedback.