Swapnil Bhartia: Hi, this is Swapnil Bhartia. Today we have with us once again Hilary Carter, SVP of Research and Communications at the Linux Foundation. Hilary, it's great to have you back on the show.

Hilary Carter: Thank you. Great to be here.

Swapnil Bhartia: It's my pleasure to host you here again today. As usual, your research team comes up with a lot of reports, and recently you announced one. I won't talk about that report, but I also want to hear from you: it's March. What research reports are you folks working on, or what reports came out in recent months?

Hilary Carter: Well, where do I begin? Let me start with what has already come out this year so far. We've published four reports, and we're not even through the first quarter of 2024. These reports are, first, the generative AI report, which provides insights on the 2023 survey we did on generative AI. We're super excited to have published that report because it has so many amazing insights about the significance of openness in this burgeoning technology domain, and we're really enthusiastic about what it means for open source collaboration in all facets of generative AI and its impact across industries. So that was super exciting to be able to publish.

We published a report with our project community eBPF called, quite simply, the State of eBPF. That was a qualitative study that focuses on the history and the impact of eBPF on application development, running custom programs inside Linux and Windows, and how the project has made execution faster. It was great to work with the many organizations across the eBPF ecosystem. That was a great way to engage folks from that community, so check that report out.

Another report we published was on open source license compliance. This one was authored by Ibrahim Haddad, who leads our LF AI & Data Foundation. It's a thought leadership piece leveraging Ibrahim's many years of experience in open source, running an umbrella project community, working with enterprise, and having come from within enterprise, bringing that perspective. Ibrahim spent many years at Samsung. It covers how to best manage compliance issues for open source projects and how to leverage the existing tools that are available so that you have best practices in licensing, those tools being software composition analysis tools and programs or tools like a software bill of materials. So it reads very much like an ode to tooling and automation as one of the important facets of open source license compliance.

Other than reports, we've launched new surveys, but what we're also very excited about this year is the publication of a report called Maintainer Perspectives on Open Source Software Security.

Swapnil Bhartia: When we look at this Maintainer Perspectives on Open Source Software Security report, what was the idea behind the report? Is it the first time you folks are doing it, or is it something you do on a regular basis? If it is the first time, what led to that? If it is a regular report, we'll also talk about the comparison between the previous report and this report. So let's go deeper into this report.

Hilary Carter: Yeah, wonderful, thank you. So Maintainer Perspectives on Open Source Software Security is a report that was derived from a survey that we ran in the middle of 2022 in partnership with the Open Source Security Foundation, the OpenSSF, as well as Snyk, as it happens an SCA vendor company. We ran a survey that was really focusing on addressing cybersecurity challenges in open source software, and we published an initial report on the survey findings entitled just that, Addressing Cybersecurity Challenges in Open Source Software. It was published at Open Source Summit in Austin in June of 2022, and it told an important story, but it didn't tell the full story, and because of time constraints and resource constraints we decided to focus on only one part of the data.

This report that we published this year in 2024 is a different cut of that survey data, where we had responses from maintainers and contributors. We had 159 respondents out of about 400 overall open source contributors who identified as maintainers and contributors, and from that group there were 79 maintainers and core contributors who answered questions specific to how they address security. Having that insight really aligns with the work that we have done at the Linux Foundation over the course of many years, and I'll go back to the beginning of our work in the space, because the findings from this report that we just recently published reflect the evolution of the mindset of our developer and contributor community as it relates to security and building secure software by default.

One of the first studies that we did probing into this issue of the maintainer and developer mindset was the FOSS Contributor Study, which was published at the end of 2020. It was a collaboration with Harvard's Laboratory for Innovation Science, co-authored by Frank Nagle, David Wheeler of the OpenSSF, and others. Thousands of developers all over the world were surveyed, and what that report revealed was that we had a long way to go as it relates to having developers think about software security by default and understanding developer motivations. What that report revealed was that we had significant gaps: we had gaps in tooling, we had gaps in resourcing, we had gaps in motivation by developers. In fact, some were quoted as having reflected the view that working on fixing bugs was akin to a kind of soul-destroying exercise. That's not verbatim, but that is the essence of some of the commentary that came through the study: it seemed to be a real chore. So that was four years ago.

We have since done numerous studies. We did a follow-up report with Harvard, Census II, on free and open source software application libraries, scanning the data sets contributed by SCA vendor companies to identify the most prolific software application packages in use. By doing so we could then identify which were the most widely used, then do further research to determine who maintains them and ask them what they needed. And so what we found in this research that was published recently, Maintainer Perspectives on Open Source Software Security, is that there has been this evolution in terms of awareness, efficacy, and motivation to secure software. One of the most exciting findings from this report was the perception that by the end of 2022, 62% of the respondents believed that maintainers' and core contributors' software would be more secure, and when they were asked what their view was for software security by the end of 2023, there was a 10% bump, believing that over time, as we implement more tooling, as we implement best practices, as we recalibrate our resources, the trend to creating secure software is materializing. It's not just a wish, and it's more than a chore; it's becoming more real and easier to manifest. So that is one of the most exciting findings that this report reveals, and that's a long way to say we've come a long way. But we've come a long way.

Swapnil Bhartia: I was listening to you when you were talking about some of the gaps in tools and a lot of other things. When we look at these reports and their findings, they also give us a kind of perspective, or insight, into some of the pain points that developers and maintainers face. Can you also talk about some Linux Foundation initiatives that actually help the community, so that whatever we are learning from these reports, we're actually turning it into actions as well?

Hilary Carter: The fact that we have more well-defined best practices, I attribute to the work of the Open Source Security Foundation: the work that they are doing to support secure open source software development and to help software be securely developed, securely maintained, and securely consumed by fostering collaboration, defining best practices, and developing solutions such as Scorecards or the Best Practices badging program. These tools and resources are becoming better known, and we have a dedicated project community that's funded and that is pursuing every avenue to build awareness, create pathways to collaboration, and bring in more organizations to help their efforts, and they're making great strides. So we're excited about the trajectory of the OpenSSF broadly and the best practices and tools that they're developing under that organization.

Combined with the OpenSSF are other communities and projects at the Linux Foundation, examples being our training and certification program. We have half a dozen free training courses in secure software development, starting with Developing Secure Software, the title of the course LFD121; it's like secure software development 101. We have express learning courses that are short, 60 to 90 minute, bite-size, snackable security training, as well as paid certifications. We have event tracks at Open Source Summits, or dedicated events such as the upcoming cloud native security conference in June, and that is rallying the community across different project domains and within industries, such as FINOS's work in the Common Cloud Controls initiative. There is so much going on. We continue to do new security research; we're launching a new survey on cybersecurity education. So one thing that we will be putting together is a home where people can come to learn about all of these different initiatives across the Linux Foundation: what are the projects, and then what are the functional business units, like training and events and research, that support the effort to secure software broadly.

Swapnil Bhartia: You folks also host a lot of events. Next week we are going to KubeCon, then it will be Open Source Summit, and a ton of events. How do you also support these maintainers and developers through events, through funding, through mentorship?

Hilary Carter: One of the research reports that we're doing, which carries on the theme of how we're supporting maintainer and developer communities, is a study about developer relations. We will be launching a survey this year, in the first half of the year. It might not make the end of the first quarter, but it will certainly be fielded in the second quarter, on having a better understanding of which of these programs are valuable to developers: along their journey of being an open source software developer, what are the resources that they find most valuable, and what are the types of programs that they find really important? What's the value of in-person events, for example, to bring open source software developers together to solve challenges? So we are constantly learning about what our community needs, and that's why I'm excited about research, because we're the mechanism to ask these questions and engage this critical stakeholder community to help us help them and give them the resources that they need: the tools, the time, the automation, the support, the events, and the data.

Swapnil Bhartia: Last time, when we were at Open Source Summit, I talked a lot about sustainability. Can you talk about what's new? Just give us an update on the work that is going on in that space.

Hilary Carter: Yeah, great question, as sustainability is a topic near and dear to me. We're excited that in July, on the 9th and 10th, the Linux Foundation will be supporting a UN-hosted event called OSPOs for Good, and we'll be continuing the conversation around how open source technologies are essentially foundational digital public goods that will accelerate the Sustainable Development Goals, that will create impact in climate, impact in reducing poverty and creating financial inclusion, and can be valuable to good health and well-being. So we'll be participating in that event, and we hope to announce more. We also want to do more research in this area. We have launched a new project, Project Tazama, which is an anti-fraud collaboration, a technology donated, contributed, excuse me, to us from the Gates Foundation, and it will accelerate financial inclusion, because by scanning payments, particularly in developing countries, we can better protect people from fraud and bring more people into the financial system securely, even if it's not the traditional financial system. But it does play a role for banks as well. So financial inclusion is a really important topic; we'd like to do more research in this area. We'd like to explore sustainable cities. Municipalities are responsible for generating an enormous amount of carbon, and that's one of the topic areas we are in the cradle stages of exploring now. But you can count on us to do more research in this area, and certainly we'll be having new project announcements that relate to all facets of advancing the Sustainable Development Goals.

Swapnil Bhartia: Hilary, thank you so much for taking time out today and walking us through these reports and the research work that your team is doing. Thanks for the great insights, and as usual, I'd love to chat with you again soon.

Hilary Carter: Thank you. Thank you so much, Swap.