Yeah, how about that? Do you feel like it? Yeah, then we all get warmer. Yeah, okay. I would say we get started. We are getting towards the end. We still have a few talks to go, and we have a keynote from a mysterious speaker. Beautiful. We have Sustainable Open Source from Floor, who is a community... No, it's not, she's not... Well, yes, community. She's not community. I'm not going to tell you what she does; it's a super long title and I fell asleep midway. So Floor, please join me, give it up for her.

But I appreciate you for trying. Yeah, you just try.

Hi, everyone. Yes, it's nice that you come sit a little bit closer, so I feel a little bit of your warmth, because I've been freezing in this room. I don't know about you.

All right, so: sustainable open source in this modern world. We rely on a lot of components for all of our stuff to work, and for it to continue to work. And I know you know this to be true, but I still want to elaborate a little bit, because I'm up here now and I'm giving a talk. If that was the statement, that would have been a really, really short talk.

There was a 2022 study, the OSSRA report from the Synopsys group, and it came back that 97% of 2,400-plus audited code bases contain open-source software. Maybe you're not surprised. It is a large number, though, and some of the sub-industries that they were investigating sometimes contained up to 99% open source in their commercial code base. So large enterprises and all kinds of companies rely on libraries that are sometimes maintained only by a single individual in their free time, and that creates potentially some attack surface, right?
And sometimes organizations will restrict the way that you can use their software, or end-of-life versions that are actually open source, and that's all kinds of difficult to deal with. So in the next 30-ish minutes (I'll get cues whenever I run over time) I want to talk a little bit about the viability and the sustainability of open-source software, so that we can all continue to enjoy the benefits that it brings.

So who am I? My name is Floor; my full title is on there, so now you know. I do enjoy my chickens a lot, hence this picture, which was taken by this wonderful gentleman here in the front. So if you ever need a new profile picture, you now know who to go to. I'm a Staff Community Program Manager at Aiven. I just switched jobs, actually, last week, so don't ask me what I do, because I don't really know yet. I was at Aiven before, but I just switched teams. Aiven is a database-as-a-service company, so we have a couple of open-source data tools that we manage and that we offer, and we also contribute to those upstream projects, like Postgres and Kafka.

Previously I was at Microsoft and at Grafana Labs. I'm part of the DevOpsDays core team; I co-organize DevOpsDays Amsterdam and DevOpsDays Eindhoven. I'm a Microsoft MVP. I also organize a lot of meetups; Contributing Today is one of them. It started around pandemic time and was basically just conversations with a lot of open-source maintainers and people in the open-source space. I learned a ton from those meetups too, and based on what I learned from them I gave a talk at FOSDEM earlier this year on how you can spot healthy open-source communities. If you want to check that out, definitely go to the FOSDEM website.

All right, what are we going to talk about today?
We're going to talk about some issues that are prevalent in open source these days. One of those is projects relicensing their software in order to avoid free riding by, for instance, cloud providers (more on that later), or to avoid bad people using their software to do more bad, or to alleviate some responsibility. Also, recently, relicensing because they couldn't secure funding, which sort of poses a threat: if you don't give us funding, then we need to relicense in order to make money out of this thing.

I hear a little bit of feedback here. Is that okay? Is that normal? I hope that nobody in the audience hears this.

Another problem is this idea of the project that is maintained by a single individual in Nebraska. I'm sure you've all seen this xkcd comic; it is absolutely wonderful, and you'll see it around a lot. It is more prevalent than you would think, or than you would want it to be. So while curl is successfully maintained by Daniel Stenberg, mostly on his lonesome, for every curl there is a Log4j, right? That is actually not great. And with every npm library you bring in, you bring in a whole host of npm libraries and all their transitive licenses, for instance, that you need to keep track of, because that's creating an attack surface.

And there is a lack of resources that maintainers can tap into in order for them to really spend the time on their project that the users, like big companies or enterprises, really want them to spend on it. And also, maintainers can sometimes make very rash decisions. They're much like you and me in that way, right? Sometimes they will want to protest something, or they will want to have their opinions heard, and sometimes they will use their work in order for people to actually listen to that.

Are these the only issues that are plaguing open source?
Definitely not, but again, I only have 30 minutes, and I would love to talk to you about, you know, diversity, equity and inclusion in open source, or the lack thereof. But let's focus on these two topics, and then maybe in the hallway or at the barbecue we can talk about all the other things.

So in recent years we've seen an increase in kind-of-open-source licenses, and I want to have a look at a couple of them. For instance, the Commons Clause, which aims to restrict commercial free riding on open-source code, especially by cloud service providers who don't give back to open-source projects. The Commons Clause actually conflicts with the FSD, the Free Software Definition, which claims the right to use software for any purpose, and with the Open Source Definition, the OSD, in that the license shall not restrict any party from selling or giving away the software. And there is a bunch of ambiguous wording in that license. I don't want to give you a license lecture, because that's not great, but for instance it says "derived entirely or substantially", but it doesn't really explain what "substantially" even means. So beyond what would that actually come into play? MongoDB used that license for a while, as did Redis Labs. Redis Labs actually combined it with Apache, which is a dual license, and that brings in a whole host of other problems, by the way, because when does what work?

And Mongo then switched to the SSPL, which is kind of like the GPL license but with more restrictions, and it's not approved by the Open Source Initiative. If you're not aware, the Open Source Initiative is the steward of the Open Source Definition, the OSD. So there are a couple of licenses that have become prevalent in recent years that are not actually approved by the OSI, or in line with the Open Source Definition. The Redis Source Available License is a recent license that came into play. Elastic License 2.0 is a license that recently came into play, and I will focus on it a little bit later. A lot of services create their own licenses, which is even more difficult to keep track of. There is an interesting one, the Confluent Community License, for instance, which says that you can use, modify and distribute the software unless that competes with Confluent's business. But of course Confluent's business could change. We don't know; it could be a slippery slope. If they change what their business is, then using their software could suddenly become illegal. So, difficult stuff. This deserves a whole study of its own, and most people that work in open source or work with open source just want to make use of open-source software and not be reading licenses all the time. Also, projects just switch license. So how to deal with that?
What I did at a conference not too long ago is that whenever a speaker takes a sip of water, the people in the audience applaud, because it's actually really difficult to remember. Thank you.

All right, and then besides those kind-of-open-source new licenses, there's also another type of license: for instance, the ethical licenses. I don't know if anyone has heard of ethical source, or the Organization for Ethical Source, but there are a couple of ethical licenses as well, like the Hippocratic License, which prohibits use of the software in violation of internationally recognized human rights, or the ML5, which makes an explicit connection between a license and a project's code of conduct. The ethical source working group says that over the past 20 years open source has of course proliferated; it's everywhere. But the developers in open source don't actually have any course of action to make sure that their work isn't used for bad causes, and they feel like the open source definition should move with the times and figure out a way for open-source developers to keep offering all of their stuff in an open-source manner, but have some sort of recourse whenever a bad actor is using their software. If you're interested in learning more about ethical source in particular, please check out ethicalsource.dev, because I won't go into it much more.

All right, and I know what you're thinking: open source isn't about licenses, right? It's about the community and working together and openness and freedom and all of that beautiful stuff, and licenses should just be an instrument to make sure that people use the software in the right ways. But I do think that this whole discussion around the cloud-restricted licenses was a really interesting and important one to have with the community. It's just not a way to save open source, first because it's mostly not compliant with the open source definition, but also because it takes the code private, and that can really hurt a community, right? Changing your software because you can't use a particular part of code anymore, that's really, really difficult. And I'm not entirely sure, or we're not entirely sure, if that's something that really was necessary for the economic sustainability of some of these projects. Mongo and Elastic were really big companies in their own right, so did they really need this? They felt like yes; they felt used by, for instance, AWS. And even taking enforceability out of the picture, because it's actually really, really hard to sue and win in cases of copyright or patent infringement, changing to a more restrictive license might cause companies and community members to stay away from your projects, and that's actually really detrimental to a community and ecosystem. So they do prevent free riding, yes, but that comes with its own set of problems too.

So let's look at some examples of projects changing their license. Quite recently, Lightbend changed Akka's license from Apache 2.0 to the BSL version 1.1, which is a Business Source License, and that started in October with Akka version 2.7. Side rant: if you change your license, then do it in a major version, because you're actually breaking your API. 2.7 doesn't indicate that something actually really changed, but okay. With any such change there's always talk of a fork, and then people advocate for that fork to take a copyleft, or "infectious", license, to make sure that whatever changes are made to the fork are not something that the original project can just grab and benefit from, because they changed their license, so they shouldn't benefit from any community work anymore. And while it's understandable that that sentiment arises, it is sort of the question of how effective this will be, and if hurting our fellow devs is actually really what we want, because they likely didn't make this decision. So it might be really misdirected anger.

All right, so there was talk of a fork, and then there actually is a fork: Apache Pekko is the fork that is now incubated by the Apache Foundation, and thus with the Apache 2.0 license. Actually, some people at the open source program office at Aiven are very much involved in this project, but shameless plug anyway.

Another project that changed its license is Elastic. I don't know who was affected by this, but this was a blow to the community; this was super hard. And several players eventually also decided to drive a fork forward. If you're familiar, OpenSearch is the open-source alternative to Elasticsearch that, also, disclaimer, Aiven is very much involved in, but so is AWS. So much for cloud providers that don't give back to the community. Yes, it's difficult, because Elastic actually changed because of AWS, but they are also invested in creating an alternative that continues to be open source, and AWS is actually really driving that forward as one of the main players. And that's again something that is really, really difficult. You'll see a lot of open-source projects that almost have a single vendor behind them. For instance, Apache Kafka. Kafka is also in the Aiven portfolio, but the decision of what makes it into the Kafka project is largely in Confluent's hands, and that's that issue of the single vendor.
You'll see it a lot. Databricks has a stronghold on Spark; Google and Beam are a very similar story too. Then Grafana Labs changed licenses to AGPL version 3 for Grafana and Loki and Tempo, and Google warns against using the AGPL, saying that the risks heavily outweigh the benefits. And then the Cloud Native Computing Foundation, of course in response to the license change of third-party dependencies to the AGPL, encourages everyone to either switch to an alternative component, freeze the component to the version prior to the license change, or seek an exception from the governing board. So, needless to say, they're not big fans.

If you install, for instance, Electron, you install 87 packages, and that means 87 license dependencies, and every single package is likely to have its own dependencies as well, and therefore even more licenses that you need to comply with. As you can imagine, license management can get really, really complicated, and when done manually it can absolutely create technical debt. There are about 300-plus different open-source licenses, and that list is ever-growing. However, the good news is that about 20 licenses account for like 80 percent of the open source commonly used in enterprises. So if you create a deny list and an allow list of those types of licenses, together with a scanning tool, that would already provide you with a pretty good starting point in managing your license exposure. And of course there are license auditing tools as well that can send you notifications after projects change their license, but it's very reactive, right? You would rather know in advance whenever a project is in danger of maybe potentially changing their license, or the ways you can use it.

I mentioned before that license litigation is actually really, really hard. True, but it does happen, and you might end up needing to change your software in order to comply with the license of tools that you're using, and that's not great.
That's a lot of work, and also you might actually get a lot of bad press for not being able to comply with a license, and especially in very sensitive industries that's difficult for a company.

Did you already show me some time? Okay, I'm doing great. Okay, reference time: Dotan Horovits, who works for Logz.io, actually gave a really, really interesting talk about when Elastic changed their license and how they dealt with that change, so definitely check out that talk. Making friends here.

Okay, I want to switch gears a little bit and talk about maintainers now. You showed me time, okay. About maintainers and about maintainer resources. There was a Tidelift survey in 2021 that came back that 46% of maintainers are not paid at all. No big surprises there. Only 26% earn more than a thousand per year, which, I don't know what your mortgages look like, but that doesn't get you very far. And almost half of the responders also said that they have either quit or considered quitting, and listed financial compensation as one of the prime motivators for that. So open-source libraries allow all of us to move faster, but if they're poorly maintained, then they're not healthy, and they can become a single point of failure. I feel like I'm preaching to the choir, but who knows.

So I mentioned before that Contributing Today is a meetup that I ran, and one of our guests was Henry Zhu, of course the Babel maintainer, and his story was really, really interesting, because he mentioned at one point that people around him got upset that he would spend a lot of time fundraising for the project, just to make sure to keep it funded, right? So he spends time talking on podcasts to try and get donations, and they were like, "But you should work on the project. Why are you not committing more code? What is this? You're a maintainer!" And he really struggles with this too, because he feels almost guilty whenever he's doing any kind of marketing or promotion for the project.

So we've come to this weird place where we think that whenever we're donating, like, we have a FOSS fund, we donate 10k to a project. Yes, but you know, y'all are software people. What do you earn? You don't need to say it, but really, the 10,000 is nothing, and especially when your project is not necessarily set up to distribute that kind of money to all of your contributors, it only introduces a lot of complexity; it doesn't really help a lot. And I think it's interesting that while a company would love to have some runway in order to do their job, when you have an open-source project that might actually send the wrong signal, because you didn't need the money; you developed this project before without getting money, so now, what do you need this for? And it sort of ties into this whole toxic notion that open source shouldn't be about money, right? Like you shouldn't ever be paid, because only when you are in your mom's basement, deprived of sunlight, are you this true, unspoiled hacker. But it's ridiculous. It really is ridiculous. Anyway, check out this episode, because it was really interesting.

Another reference time: Bartłomiej Płotka did a wonderful talk at State of Open Con earlier this month and talked about lessons learned developing and maintaining the Thanos project, and sort of, as a maintainer, if he could go back to baby Thanos maintainer, what could he tell them. Anyway, it's on YouTube. From State of Open Con you can also check out Dawn's talk about open source strategies; that was a really, really good one too.

All right, so some examples, and I will rush through some of them, of open-source projects that sort of went bad and then got all of us into a kerfuffle. One of them was, for instance, left-pad. Do you all remember what happened to left-pad? Sort of, kind of; so many hands. All right, so left-pad did almost nothing. It padded out the left-hand side of strings with zeros and spaces. But still, thousands of projects relied on it, including also Babel, from Henry. And when the maintainer removed the project from npm out of spite, these applications and widely used bits of open-source infrastructure were unable to obtain the dependency and then fell over. The maintainer was really just disgruntled: some projects from Kik, you know, used the same sort of name, and they wanted to claim that namespace on npm, and so lawyers went after npm's admins claiming brand infringement. And instead of npm standing behind this maintainer, who had, by the way, two hundred other projects hosted on npm, they decided to pull the project, and he was very, very angry. There are many such examples.

Maybe you've heard of Seth Vargo, who, when he discovered that some of the things that he had developed for Chef were then used by ICE, the US Immigration and Customs Enforcement, pulled his code. And when there was a whole upheaval over that, he was like, well, it's actually in my will that if I were to die tomorrow, those libraries would also be pulled from the internet.
So better be ready. colors and faker.js, anyone familiar with what happened with those? Very popular projects, very, very popular. To illustrate: colors has scored more than 3.3 billion downloads throughout its lifetime and has over 19,000 projects that depend on it. And both projects were hijacked by the maintainer, by the way, and later it became clear that it was likely because the developer had already expressed an intention of no longer supporting big companies with his free work, and that businesses should actually either fork the projects or pay him, and I quote, a six-figure salary. Which, fair enough: we all rely on these projects, so why do we think we can get away with it?

Another one is node-ipc. I'm running low on time, so I'm going to quickly go through this, but the node-ipc developer sabotaged some versions of the library in protest of the ongoing war in Ukraine, and so users specifically in Russia and Belarus were affected by this change. Last week, core-js. Yes. I don't know if you've seen this; definitely have a read. Oh my, what a shit show. I didn't swear on stage today, sir. We're in Europe, we can swear on stage, okay.

Generally, open source is part of our infrastructure and our products and our tooling, and for this reason we need to care about it as if it were our own project. No company will leave any of their critical infrastructure or in-house developed tech unmaintained, so why are we willing to do so for the ones that are open source? Log4j: I don't need to tell you about that. So sometimes we think that open source is inherently secure; the code is out in the open, so if anything is broken, people will see it and they will mitigate that, right? But then how do you explain all of these things, and how do you explain Log4j and Heartbleed?
So that many-eyes argument is very, very shaky, because it needs the right people to look in the right places, and I feel like most developers come to open source for solutions and not for more problems. There's a lot of stuff to back that up, but I want to go quickly to some of the things that we can actually do to make sure that open source is sustainable.

You all have a place in making sure that open source is sustainable. One of those things is to invest your time and to invest your money, but only when it's applicable. Sometimes projects have had enough of your pull requests, all right, enough already, but they do need help triaging issues or with code reviews. So spend time where a project might really need your time, and spend money wherever they can accept it, for instance through GitHub Sponsors, but, again, only when it's applicable. Make sure that you yourself are an excellent open-source participant. If you're a company, maybe put some maintainers on the payroll, and make sure that they don't have to comply with, or aren't tracked by, the same OKRs as the rest of your engineering department, because open source moves on a different timeline, so please measure them accordingly as well. Join a foundation, maybe, and join forces with other organizations. There are other organizations that rely on the same libraries as you do, so make sure that you can maintain them together and they're not dependent on just one single vendor. And when you participate in open source, please look at the principles of authentic participation. Don't think that you can just fork a project and maintain a bunch of mirrors of all the projects that you rely on, because, first of all, congratulations, you're now a maintainer of a lot of open-source projects and people will come to you with all of their issues. You don't want that. But also, in open-source projects, vulnerabilities get fixed too, and sometimes vulnerabilities are in the code for a really, really long time: weeks, months, years. And you want to benefit from all of those patches too. Good.

Totally in time, right? You were great, you were great. Thank you, Floor. I'm going to keep the water. You can keep the water. Please give it up for Floor again. And I must say, you were perfectly on time when you mentioned investing in open source, because I saw the guys from Rabobank coming in. Hello. Oh, actually, I gave a very similar talk at Rabobank once, so maybe they all remember me. Fantastic. Do we have time for two questions, if you're okay, Floor? Do we have any questions? Yes, we do.

I am becoming increasingly worried about packages and maintainers' right to die, right, like my right to no longer maintain something. And I reached out to the colors and faker maintainer. Yeah, that's super extreme, but also I was like, hey, thank you so much. Yeah. It's totally illegal for Microsoft to then go and take ownership of that repository, because a license plainly states the roles and responsibilities of the end user, right? Yeah, not appropriate. Right now there's a bunch of maintainers that don't want to be in corporate open source, and those are the ones that are mostly at risk. So can we find alternative models of engaging with open source in the wild that don't require them to work at Google?

Yeah, because they shouldn't need to work at Google if they don't want to work at Google. 100%. I feel like we have way too few avenues for maintainers that don't want to be employed to be able to have a consistent income, and that's absolutely a problem, and that's something that we need to talk about. Whether that's funding through some other way, or helping them to actually be able to get funding, because that's also complicated, right? It's almost like you're running a business. So, yeah, there needs to be more work there, and there is way too little work there. It's pockets of money here and there, and you end up spending too much time, like Henry, just to get those pockets of money consistently to make sure that your project can continue. Yeah, so, 100% agree. Yes?

First of all, I like your shoes. Thank you, I love them too. So my question is: if you look at open-source maintainers or software developers, I think there's also a sort of social issue, because if you have to maintain an open-source project, you also have to sort of lead a community. And from that point of view the best example is Linus Torvalds being unable to communicate with the other kernel developers in a way that people feel appreciated for the work they do. I think that's also one of the things that might help those projects to prosper, if we could invest a bit more in that aspect.

Yeah, for me it would be super interesting to see if we can find some people to get more involved in open source that have some of those skills that come into play whenever you want to start running a community: so more attention for the non-code contributions, maybe for building a community, and doing technical documentation really well, and marketing. There are so many roles to play in open source that go beyond code. 100%, and you can't be everything to everyone as a single maintainer; that's just, it takes a lot of time. That's why companies have all of these different roles, right? Yeah, I wish that would be more appreciated. Yeah, but then you look at GitHub and you only see the green little blocks for code changes, and there should be green blocks for all kinds of things. Yeah, thank you, Floor. Thank you. It was great. Definitely contribute to open source, and I do have a couple of questions about the chickens, but I'll leave that for later. Yes, thank you. I'm just glad there were no chickens killed for the barbecue today. That's good.

No, no, no, no; there were a lot of veggies killed, though. Yeah, okay, that's fine. Okay, guys, we are going to have our next talk in 10 minutes, so some of you may just have come in and you want to stay here; the others, please stay here. So we're going to be together again in 10 minutes.
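The talk's suggestion of an allow list and a deny list of licenses fed to a scanning tool, plus the "we only hear about a relicense after the fact" problem, as an added worked example. This is editor-supplied code, not the speaker's and not any project's tooling. It assumes a dependency inventory that has already been flattened to one SPDX expression per package (the shape an SBOM or a lockfile-to-license tool would give you); the policy sets, the non-SPDX `Commons-Clause` identifier, and every package name, version and license string below are constructed for the example.

```python
# Added example (not from the talk or any project): allow/deny/review license
# screening over a dependency inventory, with detection of licenses that changed
# since the previous scan. All package data and the policy sets are constructed.
from __future__ import annotations

from dataclasses import dataclass
import re

# SPDX identifiers accepted without review (assumed policy; adjust to taste).
ALLOW = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "MPL-2.0", "0BSD"}
# Source-available / non-OSD licenses from the talk. "Commons-Clause" is not an
# SPDX id; it is an assumed tag for "some license with the Commons Clause bolted on".
DENY = {"SSPL-1.0", "BUSL-1.1", "Elastic-2.0", "RSALv2", "Commons-Clause"}
# Strong copyleft: not forbidden, but every use needs a human decision.
REVIEW = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
          "AGPL-3.0-only", "AGPL-3.0-or-later"}

# Higher number = worse verdict; used both for AND/OR folding and for sorting.
VERDICT_ORDER = {"allow": 0, "review": 1, "unknown": 2, "deny": 3}


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    license: str
    verdict: str                     # allow | review | unknown | deny
    changed_from: str | None = None  # previous license if it changed since last scan


def classify_single(license_id: str) -> str:
    """Verdict for one SPDX identifier; anything not in policy is 'unknown'."""
    lic = license_id.strip()
    if lic in DENY:
        return "deny"
    if lic in REVIEW:
        return "review"
    if lic in ALLOW:
        return "allow"
    return "unknown"  # "UNKNOWN", empty, custom license text, or an id not in policy


def classify(expression: str) -> str:
    """Verdict for a flat SPDX expression.

    Dual licensing ("Apache-2.0 OR MIT") lets the consumer pick, so the best OR
    branch wins. A conjunction ("Apache-2.0 AND Commons-Clause") binds the consumer
    to every part, so the worst AND part wins. Parenthesised expressions are not
    parsed here and are reported as 'unknown' rather than guessed.
    """
    expr = expression.strip()
    if not expr or "(" in expr or ")" in expr:
        return "unknown"
    best = "deny"
    for branch in re.split(r"\s+OR\s+", expr, flags=re.IGNORECASE):
        parts = re.split(r"\s+AND\s+", branch, flags=re.IGNORECASE)
        worst = max((classify_single(p) for p in parts), key=VERDICT_ORDER.__getitem__)
        if VERDICT_ORDER[worst] < VERDICT_ORDER[best]:
            best = worst
    return best


def scan(inventory: dict[str, dict[str, str]],
         previous: dict[str, dict[str, str]] | None = None) -> list[Finding]:
    """Findings for every package, worst first; relicensed packages float up.

    `inventory` maps package name -> {"version": ..., "license": SPDX expression}.
    `previous` is the same shape from the last scan. A changed license is flagged
    even when the new one is still allowed, because a relicense is the event you
    want to notice early rather than after a lawyer does.
    """
    previous = previous or {}
    findings: list[Finding] = []
    for name, meta in inventory.items():
        lic = meta.get("license", "")
        old = previous.get(name, {}).get("license")
        changed = old if old is not None and old.strip() != lic.strip() else None
        findings.append(Finding(name, meta.get("version", "?"), lic, classify(lic), changed))
    findings.sort(key=lambda f: (-VERDICT_ORDER[f.verdict], f.changed_from is None, f.package))
    return findings


def blocking(findings: list[Finding]) -> list[Finding]:
    """The subset a CI gate should fail on: denied licenses and any relicense."""
    return [f for f in findings if f.verdict == "deny" or f.changed_from is not None]


# Constructed inventories: the previous scan and the current one.
INVENTORY_BEFORE = {
    "left-pad": {"version": "1.3.0", "license": "MIT"},
    "akka-actor": {"version": "2.6.20", "license": "Apache-2.0"},
    "redis-client": {"version": "1.0.0", "license": "Apache-2.0 OR BSD-3-Clause"},
}
INVENTORY_NOW = {
    "left-pad": {"version": "1.3.0", "license": "MIT"},
    "akka-actor": {"version": "2.7.0", "license": "BUSL-1.1"},  # relicensed in a minor release
    "redis-client": {"version": "1.1.0", "license": "Apache-2.0 AND Commons-Clause"},
    "grafana-sdk": {"version": "9.0.0", "license": "AGPL-3.0-only"},
    "some-util": {"version": "0.0.1", "license": "UNKNOWN"},
}

if __name__ == "__main__":
    for f in scan(INVENTORY_NOW, INVENTORY_BEFORE):
        note = f" (was {f.changed_from})" if f.changed_from else ""
        print(f"{f.verdict:8} {f.package}@{f.version}: {f.license}{note}")
```

Run as a script it prints the findings worst-first; in a pipeline you would persist the current inventory as the next run's `previous` and fail the build on `blocking(...)`. The ordering of the policy sets is deliberate: a deny match beats a review match inside a conjunction, and an unknown license is never silently treated as fine, which is the mistake that lets a custom or vendor-specific license ride into a commercial code base unnoticed.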