Hey everyone, we're back here live in Austin at the Linux Foundation Open Source Summit. This is day three of our coverage. We've had some really, really great discussions these last couple of days, and especially today I feel like we're really digging into stuff. Our next guest is Naveen Srinivasan. Yes, you're right, Naveen is with Endor Labs, but he's really here to talk to us today about being a contributor to open source and OpenSSF projects. You know, for those of you out there, sometimes we tend to say, oh, open source is great, you've got this army of contributors, there's the countless, untold horde of people who contribute. It's not really the fact. The fact is that most open source projects (the top ones get a lot of publicity, but there are millions and millions of open source projects) really only have a handful of contributors who, let's call them core contributors. And unfortunately, many, many open source projects have one or two maintainers (Mm-hmm) that, if something happened to them, or they get a job or whatever, the future of the project is in... And one of the nice things about what the Linux Foundation does is, when they take these open source projects in as part of their foundations, whether it's OpenSSF or Cloud Native or CDF or what have you, their mission is to ensure that there's a wider base of maintainers, there's a wider base of contributors, and it's sort of a pyramid, and an even wider base of users, so that it's a stable community. It doesn't depend on any one person. Anyway, I got that all out. But Naveen here informs us that he's probably one of the leading contributors across all of OpenSSF.

Yes, I know, I was just mentioning this.
I started contributing to OpenSSF in 2019, early December, especially on OpenSSF. From then up until now I've been contributing to many projects across OpenSSF. One of the critical projects that I contribute to, and I'm also a maintainer of, is a project called Scorecard. So you were mentioning something right now: there are some projects that have only a few maintainers, and if those maintainers go away, then it becomes a problem. To answer those questions is where Scorecard comes in. I want to talk about Scorecard a little bit. Scorecard essentially scans a million open source repositories and tells how the health of the project is. Are there maintainers? They call it a bus factor. So there's only one person, bus factor, if somebody gets hit by a bus. Not that you have to, they can get another job. I mean, at that. Oh. Are there updates happening right now, in these last six months? Are there updates? If not, then it's going to be a red flag. So everybody depends on open source. I don't know if you happen to have seen, there's an xkcd comic with a large infrastructure, with the one stick at the bottom. I'm sure you will have seen that. But somebody from Nebraska is maintaining that, right? The Nebraska bus.

Yeah, yeah, right. We've actually discussed this here in the last couple of days. But it's not just a comic, unfortunately, it's all too true.

Absolutely, absolutely. So that's where I am. That's what I've been doing, and it's been a fun journey. There's been ups and downs with everything, but we in OpenSSF have been able to give this data out to everyone. So it's essentially OpenSSF, as open as it is, helping answer those questions that people don't know: should I trust this?

Right. So if I could put it in my own words, Scorecard is sort of a health check for the vitality of an open source project. Absolutely. Not talking about the code, whether the code is secure or the code is good or not, we're talking more about the community around this project. Is it...

It's both.
Oh, it's both. It's both. It has 18 checks right now, from do they follow good practices, do they not follow bad practices.

Well, what kind of good and bad practices?

So let's take an example. Do they have code reviews? If it's your little comments? Then, what Linus's law says is, with many eyes looking at a code, you're likely to reduce the number of bugs. So, same day, if I have a commit, I'm the one who opens a commit and I'm the one who pushes the commit, then it becomes kind of a red flag. Are people looking at that? That's to make sure that... And bad practices: it's essentially, I am not securing, I'm not abiding my dependencies. I depend on everything else, but I'm not abiding my dependencies. So those are something like, is it fuzzing? At least large, critical projects have to be fuzzing. So those are different things that Scorecard does, just to give you a general overview of it.

Yeah, no, I love it. So I don't want to embarrass you, but how many maintainers are there for Scorecard right now?

There are four. Four.

Yeah, okay. So Scorecard is sort of eating its own dog food in... Absolutely, absolutely. ...being a successful, viable... Yes. ...project. That's excellent. Did you come up with the idea for Scorecard, or no?

No, I didn't come up with the idea. That's a good thought. Scorecard was initially a weekend project, like anything else, by one of the Googlers. He started the project, contributed it to OpenSSF, and there's a blog post. I've always had this edge of, how do I solve this problem? There's a blog post about on my proxy in 2019, late November. I saw that and I'm like, that's what I want.
I've been looking for this, and initially there was one other contributor and a committer, and I paired along with them, went through the journey, and after that people joined and it started becoming one of the most critical projects within OpenSSF.

Excellent. We're going to jump into some of the other projects in OpenSSF, but I want to just tie the bow on Scorecard. Yeah. For people who want to maybe take a look at it, use it, find out more, where can they go?

They can go to the OpenSSF GitHub org and look for Scorecard. It's OpenSSF GitHub org, Scorecard. That's what it is.

So it's OpenSSF dot GitHub... oh, it's github.com/ossf/scorecard. Yes, right there. You have it. All right, but that's not the only project you contribute to. What else are you involved in?

I am involved in another project called SLSA as well. Yeah, how to have your supply chain provenance, how do you do that? And I also contribute to another sister project of OpenSSF called Sigstore. Sigstore is essentially making... ensuring you are signing your stuff. It's like having TLS certificates on your HTTPS, but you're signing your artifacts, and having it without keeping the private keys for yourself, and having an open way to know what is happening on that.

So it's proper authentication and verification for your artifacts. Yes. Got it, that you keep in Artifactory or some repository.

You can keep it anywhere, but how do I... like, the example: you've got an artifact. Let's assume your glass, it was built like this. How do I ensure that's the artifact that I am looking for? Some way to sign that and put it in an open registry, so that people can be like, is that the artifact? Is that the SHA that I can trust? Was it built like that?
So that way it helps everybody trust the artifact. What I'm getting is what it was intended to be; nobody did the man-in-the-middle, changed things and uploaded something there, there being multiple of those, like Codecov and all those things. That's what it does, try to avoid.

I got it. Excellent. So here's another good question that I'm sure our audience is going to be interested in. We have a lot of people out here who love open source, that would love to be more involved in open source. Unfortunately, they have day jobs. Sure. So how do you balance your day job with Endor with all of this open source activity?

Yeah, I'm going to talk a little bit. My wife is not happy about it. (Someone's paying the piper.) Yeah. Yeah, so I've got two kids. So anytime I drive them around, I'm in a gas station with my iPhone hooked up and have my MacBook open and trying to do that. So trying to balance this has been... it's like people love building cars, people love... it's a hobby. Love what you do. So I said last year, can I have a day... can I have... On GitHub you get a green bar for every day you commit. I said I wanted last year not to have a single day without committing, so from 2020 Jan 1 onwards up until now, I've managed to keep that streak up. It's just a hobby, and it's like any other habit in your life: you just pick up a habit and you want to keep doing that. And that's great. And then what happens, then you start having fun. Then you get to come to these conferences and meet human beings, and they're like, oh, I can put the face to the name. Yeah. And I thought they were different, but when I met them in person, I get a lot of surprise.

Yeah, how much more... well, not always, some people are exactly what you thought they are. I've been doing this a long time.
Yeah, you meet people online, and then you get a chance to meet them in person, and sometimes you're surprised and sometimes you're not.

Yes, yes, but it's nice, because I don't get to talk to them, but writing... talking to them, going and getting a coffee, I'm sure I'm going to enjoy this even better as I go about going.

Absolutely. Well, you know, first of all, I want to thank you for what you've been doing, because it really is on your shoulders, people like you and your shoulders, that this whole open source movement is what it is.

Yeah, thank you, dinner people.

So congratulations.

Thank you. Thank you.

And secondly, man, keep up the great work, but you know what, I'm a little older than you and I've raised my kids. They're only this age once. Absolutely, absolutely. Spend some time with them. Absolutely. Keep your wife happy. Yeah. All right. Thank you. Naveen Srinivasan here, largest contributor to OpenSSF, maintainer of Scorecard. Check that out as well.