Hey everyone, thanks for joining us on our coverage of the Linux Foundation Open Source Summit here in Austin, Texas, right at the JW Marriott Hotel. We'll be streaming live through the day. We have a bunch of different speakers lined up to talk to us. I should mention from the outset, before we introduce our first guest, that today is, what do they call it? It's not zero day, but it's co-located events day. So the main Open Source Summit actually starts tomorrow. Today there are a number of co-located events, though, that have kicked off. The Open Source Security Foundation, I know, is one. FinOps is another one. There's two or three others that I don't recall right now. I don't know, there's others as well. So a lot of people in the hall. It's a little quiet where we are here, which is pretty cool, but there's a lot of people in the various rooms listening to some amazing content.

With that said, though, let me introduce you to our first guest here this week. Their name is Aeva Black. We had a little conversation off-camera. I should have just clued you in, you know, sometimes I still mess up the pronouns, and so Aeva's promised to help me. So if I mess up she'll correct us, and hopefully they'll correct us, excuse me. There we go, first one, and we're doing the best we can with it. Anyway, Aeva, that was a lot of preamble. Tell people a little bit about yourself.

Well, today I work at Microsoft in the Office of the CTO. I've been doing open source contributions and community leadership for about 23 years now. I also sit on a couple of different boards. I got elected to the board of the Open Source Initiative last year, and the OpenSSF TAC, which is part of why I'm here today at the OpenSSF Day, earlier this year. For people who are familiar with "TAC", sorry, Technical Advisory Committee. So we're not the governing board, right?
But the OpenSSF Technical Advisory Committee guides and supports the technical projects in the OpenSSF. So it's not the board of directors, the governing board, that are making, if we want to call them, business decisions. It's really the technical advisory. We're, where would, you know what? It's a much more technical level, I'd say. The two go hand in hand. The board makes the business decisions around finance and events and marketing, and the TAC makes the technical decisions around what projects become part of the OpenSSF, how projects are governed, what the structure is, sort of the templates for what projects should become.

Absolutely, and I want to delve more into the OpenSSF, and especially from a technical point of view, some of the things that they're involved in, some of the other things that you're involved in around that. But before we do that, I wanted to come back to this side and talk about your keynoting tomorrow.

I am.

And not to let, you know, the cat out of the bag, but I wanted to have you talk a little bit about it. And before Aeva does, though, I want to remind you all that in addition to the live, in-person aspect of this event, it is virtual. So if you're watching us on Techstrong TV or Facebook or LinkedIn or DevOps.com or Security Boulevard, whatever, wherever you're watching this, there's still time for you to register and tune in to Aeva's keynote tomorrow, as well as the whole week, where there's a full roster of some great, great sessions you can check out. So check that out at Linux Foundation Open Source Summit. But Aeva, go ahead, without giving too much away.
I'm really excited to give the opening keynote tomorrow on community codes of conduct, inclusivity, how to build sustainable, diverse communities, really. And it's a bit of a short one, it's just gonna be about five or six minutes, kick off the morning with that content. Part of the backstory is that we're in Texas, and Texas has been passing some rather, I'd say, some laws or some things that are not in accordance with our values around diversity. So I'm gonna talk about that and what we can all do to make our communities more inclusive, then a longer discussion I have on Thursday on code of conduct, not as a tool of punishment but as a tool of restoration and support for communities, on Thursday afternoon.

I love it. Look, as someone who lives in Florida, who am I to say anything? I mean, quite frankly, we've got our own issues, but I don't want to get into it. But, you know, let's talk a little bit about the code of conduct. So in my mind here there's two aspects. Number one is, look, we struggle at Techstrong, right? We run DevOps.com, Security Boulevard, Container Journal, Techstrong TV, Digital CxO, so more than several brands, and we are challenged around diversity, right? Finding speakers. You know, we do a lot of webinars, we do a lot of video panels, and if you couldn't tell, I'm a white male, right? So when I host something, we already got one white guy on the table here. We are constantly looking for diversity, and quite frankly, it's a challenge, right? Especially as we go deeper technically. It's like there's an inverse law there, right, where my pool becomes smaller. And so we're always looking, right, always trying to find, yeah, you know, people who will represent a more diverse community when we do these kinds of video events. But I don't think we're alone, right? It's not just Techstrong, it's not just my company.

Yeah, everyone's working on this.
Yeah, and everyone should be working on this. It's not a pipeline problem. There's no shortage of women and non-binary people who want to work in tech. We have to make our communities welcoming for them to stay.

Yeah, I think you hit the nail on the head there. And let me just mention, it's not just non-binary or even women, it's people of color.

Absolutely.

You know, we do something down home in Florida. There's a school that opened near us called Boca Code, where they teach people to be full-stack developers, and we sponsor a scholarship called Engineering the Change. We're actually doing a whole TV, not TV, video series on it. But we've been doing it for two years, and we look for people who, you know, underrepresented communities, right? And even there it's hard. I mean, quite frankly, getting people to apply. And, you know, it's a 12-week intense class. A lot of people don't want to put the, or don't have the privilege, right, to dedicate 12 weeks, the financial investment of that as well as the time.

Yeah, from family or child care, whatever it might be. In the first hand, don't have that.

No, it's a hard push. So, you know, that's one aspect, right? It's just finding the right people. But then there's the second piece of it, and I think you touched on it, which is, how do you keep, how do you nourish them? How do you nurture? How do you build a community, yeah, of practice in open source, because that's what we're here to talk about, is open source. Yep. How do you build that in a way that
such a diverse community feels continually welcome, and when there are crises, when there are incidents, toes get stepped on, accidents happen. My experience working in code of conduct incident response for about seven years now: 95% of the time it's an accident. But you still have to work at it, people still have to recognize the harm they did cause, make amends, learn, do better, and that's how we make communities safer. We also do need to identify the few percent of people that are just being malicious, and it's a real challenge, the few people that are trying to do harm. I don't want to focus on them, because they are a really, really small minority.

Really is, yeah. I think the problem is when that small minority runs into public policy, like are all those people elected officials? Unfortunately, I don't know what I don't know. I don't know. But I mean, for those out there who, you know, maybe deal with this issue, without giving that minority more than they do, do you just ignore them? Do you somehow try to cut them out, like you excise a tumor?

That's an analogy. The one I like to talk about is called the analogy of the broken stair, right? We can't just ignore it when there's someone in a community who's actively harming any minority in that group. What happens when we do ignore that is the folks who are in the community for a long time know, oh yeah, just don't work with that person.
We know that they just, I don't know, always try and get, always trying to do X, or they're always kind of bad, just ignore them. The new people come in, especially from underrepresented backgrounds, and don't know that yet and get caught. They trip on the broken stair. And so for that reason we need groups like a code of conduct committee, which I was on in Kubernetes for a while, to identify these situations, reach out to that person, offer to work with them to address this, not just automatically, you know, excise the tumor, but offer to support them, assuming good intention from the beginning. And if they then demonstrate a lack of good intention, then and only then push them out.

I'm sorry. So I want to talk a little bit about open source, though.

Yeah.

Look, I've been involved in open source software on the security side 20, a long time, 25 years, something like that.

Yeah, '99 for me is when I got in.

Yeah, I, you know, Snort, Nessus and Nmap anyway. But the nice thing about the open source community is I've always felt there was a much more welcoming, big-tent kind of community, as opposed to, you know, maybe some others. So I mean, with all due respect, I think it's almost easier to do these codes of conduct, kind of enforcement, or, you know, enforcement seems like you have a stick, but, you know, stewardship, right? Stewardship, great word. In the Linux Foundation, it's much harder when we go to, like, in security, at the RSA show, or Black Hat, or DEF CON. Well, it's not impossible in those.

No, it's not. I have a lot of friends who are non-binary. We can look at some of the infosec conferences that have done a really good job and some that have tripped multiple times. There's a recent incident with one of the BSides that's all over Twitter. I'm not gonna point attention to it more than that, but we can see examples of good and bad.

That is, and kind of what surprised me with the one you're talking about. Look, I was at the very first BSides Las Vegas, a long time ago.

You beat me there.
Oh, yeah, I was there the first time when they did it. I was at the first BSides San Francisco. I love that event. I was a wrangler one year for BSides Vegas too. Anyway, not a sponsor wrangler, but the whole BSides movement, much like Linux Foundation, was a very inclusive movement.

Yes, from the get-go.

Jack Daniel and team did a great job. It bummed me out a little bit to see that that happened at a BSides.

Yeah, bummed me out a lot, too. I've had a lot of trust for the BSides community, and I know they're sort of syndicated.

Right, and you don't want to make blanket, you know, kinds of things. But as a whole I've always had good experiences at BSides.

Me, too. But this sort of touches on something else, right? Inclusivity feeds into security.

Okay, talk to me.

If someone doesn't feel safe to be themselves in a community, to put on my sort of deeper infosec hat, right, part of, as I understand, going for clearance is making sure there's no compromise, things like that. So people need to feel safe emotionally to contribute, lest someone be able to push them out or apply leverage or scare them in some way. And so from that angle specifically, inclusivity is a security issue. From another one, it's a sustainability issue. You're talking about wanting to have diverse communities, but to do that we have to have people who contribute to open source, pick up the, you know, the axe, the bucket of water, chop wood, carry water, that analogy, and then stay around for a long time and then teach the next generation.

Yeah, that's about sustainability.

Especially in our security projects in open source. We have to encourage that.

Yeah, I mean, yeah, it wasn't that long ago we were reading about, you know, harassment and so forth, worse than harassment, attacks at some infosec shows. So I don't want to give a false impression. We've made progress, but we have more to go. And look back, yeah, just that, yes, there's more to be done.
One other quick point on the diversity thing, and then I want to get a little technical. Look, you are who you are, and you've been doing this a long time. I am who I am, I've been doing this a long time. It's very different when you're 22 years old coming out of school and you're dealing with life in its entirety, and you are either non-binary, or there's something else, you're a person of color, whatever, you're coming into this industry, right? And I mean, people could look at you and say they're a role model.

I did? I could hope. Good job.

No, I mean, but that's the truth, right? But they look at you and say, well, they've been around a long time. They may not know the bumps and bruises along the way to get to where you are today, and they may not understand. Well, hopefully it's easier for that, right, because there've been trailblazers who kind of did this. But talk to people coming into our communities now, whether it be infosec or open source or just technology in general. What advice do you give to non-binary, other underrepresented communities here? You just, damn the torpedoes, full speed ahead? You know, what's the right advice?

I don't know that there is any one right answer, or certainly not a one-size-fits-all answer. But to anyone non-binary, trans, gender non-conforming, other minorities coming into infosec or open source, I'd say find your people, stick together, and find supportive communities, work in them, help grow them, help pass on that knowledge and make safety for others. And communities that become more welcoming will thrive. Those that are not welcoming will not thrive, and that's part of the nature of open source.

I love it. All right. We probably took a lot of time, more than we want to, but we still have more time. Let's talk a bit now. So you're doing another session. I thought you said it was tomorrow afternoon.
Yes, tomorrow afternoon. I'm giving a talk on GitBOM, which is a terrible name. People should never let me name open source projects.

Name this one? Name this one?

I'm one of the two co-founders. We've repurposed part of Git. It's a version control system, but under the hood it's actually a blockchain, believe it or not.

Okay.

It's a Merkle tree. And so we've repurposed part of that to handle software supply chain security in a particular way that others aren't doing yet. This is complementary to an SBOM, software bill of materials, right? It's complementary to software signing projects like Sigstore. It's complementary to build integrity, sort of build observation, like in-toto. It solves a different problem, and that is, how do I know what's in this package? What's in this tin? I like the analogy of a can of soup. You say, oh, it's Campbell's chicken noodle soup. You kind of know what it is, and if you want to buy it, right, if you have allergies, you can look at the back and say, well, does it contain these allergens? But that's not enough information for a recall. If you buy soup and there happens to be a recall, the store could actually call you up and say, hey, that can of soup, does it have this, you know, 10-digit number stamped on the bottom of it? Because they know how to trace back from the factory or the farm that it came from, when there's a salmonella outbreak or something, all the way through the supply chain to the store, to who bought it.

Mm-hmm.

I want to enable that kind of artifact resolution across a supply chain in open source, at zero cost to developers and projects. I want it to be automatic in our build tools for every small project out there that doesn't have a budget to buy or run big infrastructure, so that everyone who's consuming open source software has more ability to trust what's in it.
This doesn't solve security problems, but it helps people discover, later on, after it's been built and downloaded and is being run in production, if there's a known vulnerability somewhere deep in the dependency chain, like Log4j.

Two things, yeah. So first of all, you had a very interesting conversation with my friend Chenxi Wang at RSA a couple weeks ago, around SBOMs specifically, but around this whole idea now, kind of really delving into the ingredients, if you will.

Yeah.

And, you know, Chenxi, Chenxi is a small, small woman. She brought up an interesting point, which is, this isn't soup, this is software. And if I start giving you the recipe for my software, what's to stop you from spinning up your own version of it? And if it's open source, well, that's fine, you're allowed to do that. But if it's not open source, will proprietary software folks be willing to play when they realize that they're giving out their recipes?

So, that's a totally great point, and one we have taken into consideration.

Mm-hmm.

The GitBOM project doesn't give out the recipe. It's just giving out the fingerprint, the little barcode of things, not the details of how you made it or put it together. And for commercial software, because it's a Merkle tree, it's a tree structure, a vendor who's combining open source and proprietary software can choose to selectively truncate the tree, distribute the rest of the tree with a stub there that you can then reattach under NDA if a customer asks.

Got it. I love it. Now, next question on this area that I want to explore is, what's the, is the goal here potentially to get, like you mentioned artifacts, get like maybe JFrog Artifactory to include it with all of their artifacts in their repo? Or maybe in the Nexus, Nexus, or MITRE, or MITRE even, to, sure.

Yeah.

Is that kind of where this is headed? This is where it could go?

Yeah. In the GitBOM project,
it's open source. I'm not focusing on any of the commercialization of this, but I can see ways where companies like those, or Snyk, who just run the project, sure, could totally commercialize on this, or build capabilities into their scanning tools. So that's possible, and I think enabling that isn't our primary goal, but it's certainly secondary, and we're taking it into account. I also just want to be clear that GitBOM is not part of OpenSSF or Linux at this point.

Correct, at this point in time.

But that's also a normal part of the process of the OpenSSF. Projects usually spin up in kind of a neutral, non-affiliated space, and then when they have a community around them, they reach a certain maturity level, then they might apply to join a foundation like the OpenSSF and go through a review process. And so if I speak from my role on the OpenSSF Technical Advisory Committee right now, I'm actually helping to define that process for project intake in a way that supports everybody.

Will there be sort of defined things, sort of like, as in CNCF, with sandbox, incubation, all the way through to graduated?

We are working on that right now. We have a proposal getting ready to share from the TAC to the governing board pretty soon that defines all that. It's analogous to the CNCF, but not exactly the same, because we are a different foundation.

Absolutely. I hear you. All right, last thing, for people who want more information around GitBOM, where can they go?

gitbom.dev.

That's easy. And I assume it's probably on GitHub too.

It's up on GitHub.
We have a GitHub org. I think it's git-bom on GitHub, and just gitbom, g-i-t-b-o-m, dot dev. Or tune into my talk Tuesday afternoon.

And you can do that even if you're not here in Austin. Again, as I said in the beginning, if you missed it, it is available as a virtual event. Well, hey, this was probably the longest 15-minute interview you've ever done, but I want to thank you for, well, we had a lot to cover.

We had a lot to cover.

I want to thank you. Thank you for all you do, not just for being on our show, but for all you're doing for communities around open source and elsewhere, as well as the security work.

Thanks so much for having me, Alan.

My pleasure.