Hi, this is your host, Swapnil Bhartiya. Today, we have with us once again Javier Perez, Chief Evangelist of Open Source and Security at Perforce Software. Javier, it's great to have you on the show.

Hey, great to be here again. Good talking to you. It's been a while.

Today's topic is more or less about the state of open source. If we look at things in general, if we look at our own careers, it was more about telling folks why to use open source, for the benefits. Today, literally everybody is using open source, with or without realizing that they are using it. The problem that comes with it is that if they don't know that they are using open source, they kind of fail to become good open source citizens, because open source does not mean just consume. It also means you should be an active participant. So once again, this topic can go in so many different directions. But if I ask you, you have been in this industry for so long, how do you see open source today in terms of, of course, adoption, but more or less the awareness that, hey, we are using open source?

It keeps growing. It keeps growing. We just recently did a big survey, the 2022 State of Open Source Report. And we were wanting to hear what's the real status, right? Especially focused on organizations, right? I mean, obviously we know that many developers are using, consuming, contributing to open source, but we wanted to see how much open source is being used in organizations. And first of all, it keeps growing. We asked a question: has your organization increased the use of open source over the last 12 months? And guess what? The answer was a resounding yes, right? 77% said yes. 36% of that 77% said significantly, right? They increased the use of open source significantly. So there are many points there that guide us to: yes, there's a lot more use and there are a lot more contributions to open source, the foundations, right?
The Linux Foundation and all the others, the Apache Software Foundation, they all keep growing. They all have more projects that are growing. We have some major areas, right? Around DevOps, around cloud native, around security, growing at a really fast pace. So if you're asking me as an evangelist of open source, I'm really, really excited about how much this is growing. Of course, there's also the fact that companies are at different levels of their maturity in using open source. So that's obviously another area that has some really positive signs as well.

When you say State of Open Source Report, who created that report?

It was a work between Perforce, OpenLogic by Perforce, the brand that takes care of supporting open source packages, open source support. And we did this in collaboration with the Open Source Initiative, OSI. So we're really, really thankful to, I mean, it was great to work with Stefano, who heads the OSI. And that also created more visibility. We had actually more than 2,600 respondents in six weeks, just six weeks, more than 2,600 responses.

Right, and the reason I asked was, I wanted to also discuss a bit about the company as well: what do you folks do? How important is open source to you folks, or how are you associated with open source?

Yeah, look, and I want to try to go quick on this one because I kind of spent an hour talking about it, but Perforce sells commercial software related to DevOps. It has been growing, acquiring organizations. The most recent acquisition is Puppet. It made big news. So Perforce acquired Puppet just recently. And we have a number of products that are based on open source, right? So obviously Puppet, based on open source. We have Zend, which is for PHP, based on open source PHP. We have BlazeMeter, based on open source JMeter. We have JRebel, based on Java.
And we have OpenLogic, which is the brand that I work most closely with, where we offer enterprise-grade technical support for open source software. Now, having said that, as you know, all software is based on open source software, right? So we do build all our other products with open source and support open source, right? So for example, in the case of Perfecto, which is for testing, we support all the open source testing frameworks, and Android, and with API management we support GraphQL, and I can go on and on and on, right? All software, all companies are software companies now, and they all use open source software.

Perfect. Let's go back to the report that you folks did. We touched upon it a bit. I also want to understand, as it's quite clear that open source is literally running the world, what kind of open source technologies are you seeing in the adoption phase? Some are already in the production phase. The Linux kernel, we should not even talk about it, but what do you see there?

An interesting finding on the survey, on the report: everyone talks about, we hear a lot about cloud native, right? The use of containers, containerization, the use of orchestration, or Kubernetes, to orchestrate all those large volumes of containers. And depending on who you talk to, everyone is using it, yes. Well, something that we found is that only about 18% of the responders had Kubernetes in production. And that's a low number, 18%, right? So the reality is that, and we also asked, by the way, towards the end of the survey, what's the most desirable technology, right? Tell me what you want to go and do next. Right, then we asked, we gave options around, obviously, data science and AI, machine learning and serverless and even quantum computing, but the number one most desirable technology was Kubernetes and Kubernetes operators, right, environments there.
So there's still, I think, a long, long, long path to keep growing that, although some people are much more advanced than others, right? And as we know, the future is here and it's just unevenly distributed.

When we talk about Kubernetes, I don't even want to open the can of worms, because it's complicated, and that's the beauty: there's a booming ecosystem around it. If you look at the CNCF landscape, there are so many logos. The point I want to ask is, as the adoption of open source technology is growing, what are some of the pain points that you see are common? Because what happens with, let's say, proprietary commercial software is you have one throat to choke; you get a solution from a specific vendor. With open source, what happens is either you can do it yourself, if you are big enough or you have teams, or you have to go with a vendor. So what kind of pain points do you see people often face when it comes to embracing open source technologies? Did you cover that in the survey?

Absolutely, yeah, absolutely. And we specifically asked, what are your open source support issues, right? Actually, before I answer that, let me tell you first, when we asked what the reasons are for selecting those open source technologies, right? Because there's a correlation, and there were three reasons to select the specific open source technologies. And by the way, we asked this question in every category, right? So from data technologies to DevOps and programming languages, frameworks and so on. And number one was, well, I want something that keeps growing, right? It keeps updating. I have new releases, new versions, that release lifecycle. The other is: I choose this technology because it's robust, because it's stable, right? And they were looking for those open source projects.
And then the third one was interesting, because they said, well, if we already have the expertise, in-house expertise, on some of those technologies, most likely we're gonna continue to use those open source technologies, right? So if I have someone that is already familiar with Apache Kafka, well, most likely I'm gonna continue to use Apache Kafka on my projects. Now, moving from these three top reasons to select open source technology to answer your question around the support challenges, they correlate, actually, in a very interesting way, right? The number one support challenge is keeping up with all those updates and all those patches, right? Now that there's obviously more awareness around open source security, you know, most vulnerabilities already have a fix. You just have to keep up with the patches, right? Updating the patches. So that was a top support issue. The second one was a bit more related to software in general, which is: we need support, we need help with configuration, with scalability, with installations, right? And that's just part of the expertise that you need on the technologies. And then the third one, I was talking about, you know, if you have someone that is already familiar with the technology, most likely you're gonna continue to use that. Well, the top support challenge is the lack of experience and proficiency in those open source technologies, right? People saying, hey, I want to start using Kothman and Kubernetes, but I don't have the expertise, right? Or I'm gonna have to go and hire a lot of people, expensive resources. Or, you know, I want to start doing some AI and machine learning models. I can start, you know, we can do open source free software, but I need the expertise to help me with that. And I mean, there are all the reports; actually, the Linux Foundation just issued the jobs report. And, you know, it's very clear that it's a good time to be an engineer.
It's a good time to know about all these open source technologies because they are in high demand.

Right, so well said. Now, since you are associated with a company which is offering commercial support: what we have seen in open source is that open source solves the day one problem. You can get the code, get it started. Day two challenges are different. Updating the software, patching it, keeping it safe and secure is killing it. And more importantly, the features and functionality that you need: what happens with open source is not everybody in the community needs that, and the community goes with what most people want. So that functionality or feature may not be updated, or it may never go upstream because not everybody wants it. That's where commercial players come into the picture. Also, these commercial players keep open source sustainable; you folks not only contribute code, you also pay a lot of developers who are on your payrolls, and you also support organizations as well. So can you also talk about the commercial aspect of open source, just to reinforce the view that it is like a symbiotic relationship between commercial software and open source, or commercial players who are supporting open source? And also, the reason I'm asking is that, in the survey, when folks use open source, do they also look at the fact that this open source software also has some commercial backing, so that they know that tomorrow, if they need support, they can go and ring the bell of that company?

I wrote a blog post exactly about this, right? And I'll probably send the link, because I talk about these topics, right? The use of open source and then what are the differences with commercial open source software, right?
In the case of commercial open source software, I think it's very clear today that we have basically two models, if people wanna call them models, or two approaches to commercialize open source. One is open core, right? Organizations contributing to open source, supporting open source, growing open source, right? And there are many ways to do that, many of them being part of foundations, the Linux Foundation, the Apache Foundation and all the other foundations, but then building a business with the commercial components, paid components, around that open core. The other successful model is SaaS, software as a service, right? Hosting open source software, taking care of the maintenance, taking care of some of the keeping up with the updates and the patches that we were just talking about. So organizations can select, for some of the technologies, to just stay with open source software, maybe get the support from other places, not just the community, but organizations like the one I represent, OpenLogic by Perforce, or they can go for the commercial version of open source, helping them with the support, helping them with the maintenance, peace of mind to have someone to call when there's an issue. I think we are growing both ways, right? And we see so many startups now where the model is just going with open source software, right? They just go and do open source. I worked for a couple of startups where we were consuming it just because of cost. Everything was based on open source software, right?

And that also brings me to the next question. Since you have such vast experience with open source, and today, most companies that we're discussing, what advice would you give to companies who are relying a lot on open source, who are running their whole business on top of open source: how should they also become active players or contributors?
It's not necessary that they should really invest all the resources; not every company has all the resources to invest. But how should they participate in the whole win-win game of open source so that, once again, they are not a third party who is sitting outside and consuming without having any say in the open source project? So talk about that also.

Yeah, I mean, look, we see more and more companies that are not specifically considered technology companies, but they are across verticals, across industries, obviously the financial services industry, banking, telecom, so many other industries that are heavily involved in open source today. Now, one of the things that we asked on the survey, that we show in the report, is the level of maturity in using open source, right? And I'm going back to your question of how should they start? If they're already using, consuming open source, take the next step to start open sourcing some of your software, or developing in the open in a public repository, or thinking about getting more formalized. There are a couple of things, a couple of trends, actually. One is inner source, which is a way to start, right? Bring some or all of those open source best practices in terms of having everyone working together, collaborating, but inner source is behind closed doors, right? Within the company, you have multiple divisions that might be in different parts of the organization, and make them work together. Inner source is seen as a great best practice and could also be a first step into: once we're done with this project, we can open source that. The second piece, the second potential step, is to formalize, create an office, what is known as an open source program office today, or OSPO. In the report, only about 15% of our respondents have an OSPO, an open source program office.
About 14% have inner source initiatives or projects, but depending on the industry, for example the financial, banking and insurance industries, they do more inner source projects and they also have more open source program offices. Just like you have a CISO, right? You have an office for security. Well, why not have an office for open source that will help you with compliance, licensing, strategically what to work on, what to invest in and what to consume? And by the way, keeping up with the latest versions and addressing security, right? So many, many good functions. We see that, I see that as a trend; recently at the Open Source Summit there were a lot of talks, actually it was a full track around open source program offices.

Excellent. Now that creates a two-way fork in our discussion. Number one, I do want to talk about the Open Source Summit. You were at the event. What kind of discussions did you see there? You did touch on that there were dedicated tracks about open source program offices. But what was the theme this year? Because there was a big gap because of the pandemic; folks are now getting comfortable, they were there. So talk about what your observations were.

Well, first of all, it was well attended, in Austin, Texas. So that was good to see, a lot of people in person. For me, three takeaways. Number one, I would say about half, or maybe roughly around half, of the sessions were talking about security, right? So open source security is top of mind. Sessions that talked about vulnerabilities and finding vulnerabilities and putting together all these different repositories of vulnerabilities, they were well attended. So definitely it's top of mind. Obviously the Open Source Security Foundation is doing a great job. I mean, recently with the executive order, the White House executive order, and then some follow-ups on that. There are 10 streams of work that are actually getting funded. So there's a lot of activity there.
And obviously that was a big topic at the conference. The other takeaway for me is many of the sessions talked about, and keynotes talked about, the skills gap, right? And I mentioned it earlier, the fact that we keep going, there are more technologies and we don't have as many engineers or developers or operations engineers, site operations, security experts on those technologies. So there are a lot of initiatives around training, around certification on the technologies. Obviously there's a lot of stuff online and there are good steps on trying to address that. In fact, that's one of the streams around security and the initiatives with the rest of the industry. And then the third takeaway: I think we hear more, and we're taking actions, around diversity and inclusion. There was a very moving keynote about that. I went to another kind of discussion panel. People are much more aware, much more inviting. You know, contributing to open source has always been diverse, right? And I think that there's more to come, but I'm really happy to see those initiatives and people talking about it.

And the second fork I was going to talk about was security, and you did touch upon that. So security has already been taking center stage in every aspect, because we have seen a lot of vulnerabilities and a lot of exploits, but open source security is becoming more important because, again, everybody's running open source. But it is also very, very challenging if you want to talk about the software supply chain: it's not just one product or service. Depending on, as you said, the SaaS or whatever it is, it is relying on not only so many different open source projects from different organizations, but within those projects there are different libraries.
And then, when you are creating your container images, you are pulling, once again, packages from no one knows what repositories; there may be multiple maintainers of the same project. So from your perspective, did you also ask about the concerns folks may have with security when they are embracing open source, or are they like, hey, because it's open source, it's secure? What insights did you gather in this report?

Yeah, it's interesting, right? So I mentioned that that's one of the major top three challenges, in terms of keeping up with updates and patches. So, yeah, I mean, I completely agree with everything you just mentioned, right? That's the bottom line, that's the issue with security. Now, I don't think it's necessarily just about open source. It's about all software, right? The difference is just that, with proprietary software, you don't have access to the source code, but you don't know how many vulnerabilities are there. It's also based on open source software. And that's why some initiatives around bills of materials, or software bills of materials, are getting traction, right? Because, like, if every product out there has the nutrients that you're gonna consume, the number of calories and ingredients, well, why not do that for software and have a better idea of what's in there? And when there's a Log4j, a critical vulnerability, why not go in and easily find it? The number one challenge, by the way, with Log4j, or for most critical vulnerabilities, is: where in my software, what software am I using that has that library, right? And it could be not just a direct library, but a dependency that is three, four layers down the chain, the software supply chain. So there are multiple initiatives. My advice, and we talked a lot about this at OpenLogic, is: keep up, keep up with the releases and with patches.
And if you have a production mission-critical application out there that you don't wanna touch, right? Well, test it in pre-production environments, make sure that you test your patches, your updates, and go for it, because the risks are higher than doing nothing, right? And the way I convince people is I just tell them, look, you don't want your company name out there in the news, right? As the next breach or the next ransomware. You wanna take care of your security, you wanna take care of your patches.

Javier, thank you so much for taking the time out today to talk about the company, but also, especially, the report, and also to share your insights on what the pain points are when people embrace open source, and how they are contributing or becoming good open source citizens. So thank you for sharing all those insights. And I would love to have you back on the show.

Thank you. Thank you. Great to be here.