All right everyone, we're gonna stay on track for the afternoon. I notice there are fewer people in this room than are out. What's wrong with you people? Get everyone, you know, next time get in here, get in here. The hallway track, I know. Every year we get people saying, you know, the best part about this event is the hallway track. But this afternoon we're really gonna make up for it. We've got some really cool announcements coming this afternoon to follow on the already awesome announcements we had this morning. You know, again, the Continuous Delivery Foundation, the merger of the Node.js Foundation and the JavaScript Foundation, GraphQL, just so many amazing announcements, and we have even more to come.

But I do want to get serious for a minute with everyone here. So, you know, this is an event where leaders from the open source industry and community all get together. That's why we call it the Open Source Leadership Summit. And you know, one of the things that we're always concerned about, as part of open source, is that there's just an anti-establishment sensibility, like, why could you go to that meeting and I didn't get to go to that meeting? This is just one of the few events the Linux Foundation does for our members; the rest of our events are obviously open to everyone. But the conversation I want to have this afternoon is, as leaders in the industry as it relates to open source and the community, as open source maintainers or very prominent developers, we need to sort of think about how we can make something that is so good, that has enriched ourselves and enriched others at the same time, something we all like to talk about, this concept that all of us are smarter than any one of us. How can we make that
even better? Like, you know, remember that IBM ad that I showed this morning where that little kid was, you know, being communicated to and learning from everyone? Well, the other part of open source that is so powerful is its adaptability. And we have some serious challenges, and I want to show another ad from that series about some things that we should think about this afternoon. Let's roll the video.

"It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change."

Change is something that all of us have to think about, more and more these days, as open source becomes part and parcel of your business success, literally the backbone of the internet and of our global economy, something that not only empowers us to do amazing things like the drones you saw this morning or the new 5G solutions that are coming out of AT&T, but is also a double-edged sword: if it isn't sustained properly, if it's not maintained by a massive collective effort, the security and privacy of all of us is also at risk. And that's what I want to talk to you all about this afternoon, and issue some challenges for this group so that we can all collectively lead to better sustain open source.

You know, I started the event this morning by talking about open source sustainability and describing how great projects work, and they all work very, very similarly, Linux being sort of the best example of this, but you know, Kubernetes and others are also in this category. You have this amazing upstream project; you know, Linux changes nine times an hour. It is the fastest growing, most prolific, largest, most successful open source project ever. And it is used not just to make products, but it's used to power almost every global stock exchange.
It's used for the telecommunications systems, all of the internet systems that we rely on every single day. You know, companies use open source; you know, you don't build a GoPro with your own operating system. You take Linux, you implement it, you create a lot of value, and that value does get reinvested. Most Linux kernel developers today are professional developers. Most of them are somewhere around the hallway track here, because they don't ever come to the keynotes, but they're pros. And this works. You know, the idea of a developer who's using Linux to run a multi-hundred-million-subscriber 5G network in China for China Mobile is providing not only labor back into the Linux kernel project, but more importantly, the innovation positive feedback loop of understanding what it's actually like to run an 850 million user global network. That information, that innovation, gets put back into the project in a really interesting, not only positive feedback loop of labor economics, but of innovation economics.

And so the serious conversation we want to have this afternoon is: what happens, what are the implications, when that virtuous cycle does not work? And we've seen some recent and even not so recent examples of what ends up happening. Everybody remembers Heartbleed. How many people here remember Heartbleed in the OpenSSL project? How many people here know that post-Heartbleed we created something called the Core Infrastructure Initiative? We paid the two core maintainers of OpenSSL, Andy Polyakov and Steve Henson, $300,000 per year each to work full-time on OpenSSL for three years. They helped refactor that code base, put down the bug backlog, significantly improved the shape of OpenSSL.
We paid Chet Ramey to work on bash. We worked with Harlan Stenn at the ntpd project to pay him to work full-time on ntpd in order to improve its security. The OpenSSH maintainer, Theo de Raadt, we paid him; this is one of the most important projects out there, and Theo had been kind of going on his own. These were important things.

Three, four years later, the question is: what lessons did we learn about these projects that stand at the intersection of being critical to the privacy and security of all of us and truly troubled in terms of resources, in terms of the state of the project, that exposed us to an Equifax breach or a Heartbleed or worse? And the unfortunate answer was very Tolstoy-esque: we generally found that most healthy open source projects were similar, but that there was just a varying set of circumstances across all of these different projects in terms of why they broke down and how they broke down. It could have been a labor issue, a personality issue, a governance issue; there were just so many different things we learned. But you know, we started to try and figure out patterns. One of the patterns is the world itself isn't getting an early warning signal here in a meaningful and effective way. The other thing that we understand is that a huge amount of the code we depend on is written by a bunch of unsung heroes who maybe don't appear on stage at a Linux Foundation event or in front of 12,000 people at KubeCon. As Dan Kohn incessantly reminds me, they're gonna have 12,000 people at KubeCon, the biggest open source developer event ever. But there's this whole set of other developers, and they number in the thousands, kind of working in the background. And I want to show you what these folks look like. You know, they could be at OpenSSL. You know, Steve Henson and Steve Marquess for so many years maintained OpenSSL and funded it through doing FIPS compliance certification, to help fund that project, for pay. A lot of people were pretty scared to hear that
the internet at one point in time was essentially secured by two guys named Steve. But there's a whole bunch of other Steves out there, and Bobs and Sues and Kristens and Toms, and here's what they look like. Code gets built like this these days: you choose a framework, Node.js, Ruby, Python, you name it. You write your code; you're writing a web app, whatever it is, a mobile app, you name it. And then you use open source libraries to solve problems, right? This is what everybody does. Like, they pull down different npm packages, they write this code, right? And most of this code is open source. And we know at the Linux Foundation that the core Node.js maintainers, which we all work with, these are very special and interesting folks who work on the core framework. We know who they are, they're supported, we have the OpenJS Foundation, we have ways of doing that. But what about these folks, this long tail of developers who work on essentially your dependencies? Right, when you build an application, you create these dependencies on all these other packages out there that a whole bunch of people are writing, in some cases independently, in some cases collectively. This is who we need to think about.

And it's not just code that's being written here. There are things that are needed for healthy open source so that all of our code can be better quality, more robust, more secure, and there are just certain things that, rumor has it, developers do not like to do. I'm trying to think of a few of them, but there's a whole bunch of them, it turns out: testing, QA, documentation, security audits, dependency analysis, and so forth. And you know, as we were trying to figure out how we could improve this, and trying to figure out why this was happening, a very prominent developer tipped me off that there's actually a series of books that explains some of the non-code, or some of the dynamics around, these things not getting done in a lot of open source projects.
I hadn't seen this series before, but I hear it's extremely popular with a lot of developers. I mean, just nobody likes to write tests, you know, nobody likes to do a lot of this stuff. But this all boils down to one thing for those projects that are critical to the security and integrity of the internet: that long tail of developers who work on these dependencies that we all need is that they need more resources. And we hear this all the time. I showed this quote this morning. A developer wrote this, you know, talking about, you know, listen, everyone thinks you have to buy hardware, but you know, who can afford to maintain all the software? It actually is real work. How can somebody do that for free? Does anybody know, like, has anybody met this developer, know who it might be? All right, yeah, you've heard me say this. It was Bill Gates in 1976, in an open letter to hobbyists, describing how, you know, back then, software developers needed to get paid. I hear that Bill did actually end up getting compensated well for work.

But here's another interesting thing. I looked up, you know, we're like, why is this happening? Why is it that software developers aren't getting compensated for a lot of this kind of work? And it turns out developers actually are getting compensated, and it's a pretty good job. Four of the top ten highest paying jobs in America in 2018, based on median salary, are software-related: enterprise architect, software development manager, software and engineering manager, software architect. I mean, I saw this and I'm like, yes, developers are getting paid. In fact, the only question I have about this statistic is why corporate counsel is number five. I just don't get that one. I couldn't help myself. I'm sorry, if ever there's an opportunity for a lawyer joke,
I always take it. They're dolin right there; there's a counsel right in the front here. We also just do surveys every year on open source jobs, right? And in 2018 the demand for open source developers is actually extremely high. Like, everybody wants to hire open source developers. Like, I get more phone calls and emails about, "Jim, do you know someone who, you know, is a kernel developer?" Right? You know, like, it's just a constant stream into my inbox for them. What's also interesting is that we surveyed all of these folks who are open source developers in a professional setting, and the overwhelming response, which I think is somewhat expected to this audience, was they love what they do more than what they get paid. And I think part of that, and there's a whole bunch of academic research out of MIT and Harvard that backs this up, is that the extrinsic value, the money, in open source is one thing, you've got to have it, but the intrinsic motivation of mastering one's craft, solving tough problems, being a part of a community bigger than yourself, this is much more inspiring. What's incredible about it is that somehow we've managed to marry the two, where open source developers are not only, like, 87% of hiring managers want more open source talent and want to pay that talent, but you get the same sense of community and motivation and joint problem-solving at the same time.

Which leads me to this, the paradox, which is even though there are more job opportunities than ever in computer science, in every aspect, some open source maintainers, not all but many, are still not getting the funds they need for their projects to thrive. Why? We've been thinking a lot about this, and there's a whole cottage industry. There are tons of organizations that are trying to help solve this problem: Gitpay, Gratipay. Tidelift is an interesting one. This is a commercial software company, a sort of commercial service company is probably a better description, that sort of targets those
long-tail developers, and you could subscribe to Tidelift and you can get some kind of support or some kind of commitment to maintain that long tail of projects that you particularly depend on as a single enterprise. There's lots of blockchain and cryptocurrency related efforts. Those, maybe, I'm a little more unclear about whether a cryptocurrency related effort is going to be effective. I went back and read Linus's original email from 1991: "Hey Minix folks, my name is Linus Torvalds. I'm building this operating system. It's more of a hobby. We're having an initial coin offering, I've incorporated in the Cayman Islands, and if you get your credit card..." Not sure if that one would have worked, but hey, you know, like, all of these are good. Everyone should be trying to figure out ways to provide that same kind of positive economic feedback loop that makes open source great, and nobody knows the answer to what any of these things will end up doing. Some of them may fail, some of them may succeed. We just don't know.

But I think that the real question here, this is the challenge that I want to ask all of you to think about, is: nobody's questioning whether the developers should get paid or not. Like, they should, and get paid more, and those silent developers that are working on stuff you depend on, we should pay them. You know, if they need help, let's reach out and give it to them. It doesn't have to be throwing money randomly, but reach a helping hand. They're helping you; help them. But I don't think that's the question. We depend on these folks. They should get paid. The real question is: what is our collective responsibility to make sure open source software projects thrive? When is it more than a helping hand? When is it that we all need to work together because something bigger is at stake? And I want to offer today a few theories on when that might be the case. I think we can all agree that this is the first thing that comes to mind.
This is what people tell me more than you can possibly account for: when our collective privacy and security is at risk, when Apache Struts is only patched, whenever there's a vulnerability, by essentially one guy, when OpenSSL is floundering, when OpenSSH, which provides secure communication between servers, is maintained by Theo kind of on his own. We need to think about that. We need to think about what our responsibility is to fix that. And this is actually a tough problem. I know that because we've given out millions and millions of dollars to these projects, and we decided a year ago to take a deeper look. And the idea here was we needed to answer three simple questions so that we could understand when we have a collective responsibility here.

The first question is: what is the most important shared software in the world? And I'm not talking about OpenSSL; every time, right, they're a great example, they're the one everybody talks about. But I want to know what is collectively running across everyone, by vertical industry, by package, by version number, based on some form of criticality. What are you running in production, and is it critical or not? And when I say critical or not: is it network facing, is crypto involved? Give me the list, package, version number, criticality, by industry sector: utilities, retail, aerospace and defense, financial services. That actually is an insanely difficult answer to get. Right? You would have to go in and apply software composition analysis tools to every company you could possibly talk to, to get a statistical sample. You would have to anonymize and correlate that data by package and version number. You would have to then come up with an algorithmic way to come up with a criticality score, and then and only then can you get on to the next question, which is: who wrote this stuff?
Right? Who is writing the most critical software in the world? And I'm not talking just their GitHub handle. Who are these people? Because ultimately it's people who are doing this work. Who are these maintainers? What are their names? Where do they live? What motivates them? What do they think about? You can't fix something unless the people who can actually fix it are on board. What's the health of that community? Do they get along with each other? Are they experiencing financial problems? What is it? If you can't figure out what the most important software in the world is and who wrote it, then you can't get to the third question, which is: how do we help those projects become healthy and more secure? What kind of incentives can we give them? So is it money? Is it seconding engineers from any of your companies, who have some of the best engineers in the world, to go help these people? Can we give them tools? You know, Google has these amazing fuzzing tools that have come out of some of the companies that all of you work for. The application testing tools and so forth are amazing. How can we apply these resources?
These are the questions we need to ask. This is how we can solve the idea of open source sustainability, not just for the big projects, but for all projects, which will help all of us. And these are really tough questions, and we want to answer them. We've engaged in a partnership with Harvard University's Lab for Innovation Science at Harvard Business School to create what we're calling our Census II. So, as part of our Core Infrastructure Initiative several years ago, we did a census of what the most important software in the world is, its criticality score. But we mainly did this based on the Linux platforms out there, and we came up with, you know, gzip and bash and OpenSSL and the usual suspects, but we need to go much bigger than that. We're working with software composition analysis vendors, people who actually have this data in a statistical form, who are working with Harvard to anonymize that, because that information is not something that, you know, people want to share with the rest of the world. But we can anonymize and aggregate in a way that gives us enough of an idea of what these shared software packages are, so that we can get an idea better than shooting in the dark. And then the Linux Foundation is going to work to do the next part: figure out who these folks are. We are actually in a unique position at the Linux Foundation. We have some great people on staff here, Kate Stewart and others, who are working on what I like to call open source archaeology: going back and looking at all these projects and trying to track the provenance to the people who actually wrote this, so we can understand what they think, what they do, whether their communities are healthy or not. So this is something we have underway right now. And that's not even what we're announcing today. What we want to understand is how we can effect change once we get to the end of that third question. It's that third question that I want to talk about today. And this is another one where I can't believe I'm doing this, but
I'm throwing up yet again another letter from Bill Gates. Turns out the guy's super smart. Back in January 2002, he sent a note out to all employees at Microsoft about software security. At the time, Microsoft was having meaningful challenges relative to the software quality and security of its products that were sort of freaking out its customers, if you recall at that time. And you know, Bill Gates said, we're gonna create this thing called the Trustworthy Computing initiative. He worked with a gentleman named Steve Lipner to implement it. Steve has actually been helping us at the Core Infrastructure Initiative. He's a terrific guy; if you ever get to hang out with Steve Lipner, I highly recommend it. But the note, cut to the chase, was: we're gonna take secure coding classes, we're gonna test our code, we're gonna read all the code, we're gonna audit the code, we're gonna create this entirely new process for application security, or in his words, trustworthy computing. And it worked. Like, Microsoft's code actually got quite a bit better. And the question for all of us is, that worked at Microsoft because Bill Gates had one last line that wasn't explicitly in the letter, and I'm maybe embellishing a little bit here, but the implication, as far as I could understand from the letter, is: if you don't do this, you're going to be fired. We don't have that in open source. No, you can't fire anyone, trust me, I know. What we need to do is change our culture. We need to create a culture of secure coding, and I don't have all the answers today. I'm asking you.
I'm challenging this group to help me with these answers. We've tried in the Core Infrastructure Initiative to come up with some incentive structures. We have a badging program for our Core Infrastructure Initiative, where I think a couple hundred, two hundred and fifty odd, projects have passed and a couple thousand are applying, where people come in and they have to demonstrate that they take secure coding and the maintenance of their projects seriously. It's not security theater. You have to really do this work, and that has initially gotten some positive outcomes. We require this for many of our projects. I think the CNCF requires this for any project in the Cloud Native Computing Foundation in order to graduate to their top level. But 250 projects, a couple thousand there; we need to do more, right?

The other thing that we need to do is not just provide incentives, but we need to continually focus on diversity. Maybe one of the reasons, and I don't know if there's an exact causal effect here, that this stuff is happening is because we're too myopic. We come out here, we're all in the hallway track, you never come to hear me speak, it's really annoying, you're talking to each other all the time. But we need diversity from different cultures, and we need diversity from underrepresented communities. I showed this this morning; I'm showing it again. This is not a good statistic. And there is no doubt that diverse communities create better outcomes, that when we get more people's perspectives we are going to be stronger, and we need to work on this. That is what we've been thinking about at the Linux Foundation a lot. How can we promote better application security, create a culture of secure coding? How can we provide more resources? How can you all provide more resources to these projects? And how can we get more diversity into our communities,
all at once? And so what we've done is built a software platform called CommunityBridge. CommunityBridge is a tool that we're offering to open source communities, these communities who need help, to provide them with resources and help solve their key challenges. How can we help provide funding to these projects? How can they make requests to everyone to help them? How can we give them security visibility into their dependencies? How can we provide secure, enterprise-grade security tools to these open source developers? And finally, how can we match people with funding requests to improve security in a way that promotes diversity? So how could we, for example, fund a mentorship program where mentees come into the Linux kernel project and work on the huge bug backlog? Some are security vulnerabilities, some are just outright bugs that Google is publishing every single day. It's a really impressive list. Greg complains about it all the time. How could we provide funding so that those mentees were from diverse backgrounds, pair them with mentors in an automated way, and then have you all, companies that depend on open source, offer job interviews to those mentees at the end of their program so that they could find jobs with good pay and health care benefits and labor rights? Fund open source projects, find security problems, fix bugs, underwrite diversity. More diversity, better security, more resources, all at once. That's what we built. It's targeted for use by Linux Foundation projects, but mainly for those critical and emerging under-resourced projects that we all really use and depend on. For the other 78 million projects on GitHub, or for your private repos, you're on your own. We're not saying that we're gonna close the door forever, but like, that's not our focus today. Here's what we're offering. The first module that we're offering in this platform is a funding platform.
This is a crowdfunding platform that will allow maintainers to come in, register on the platform, raise funds for their projects, and set a set of funding goals. The Linux Foundation is going to provide matching grants to underwrite the goals for those projects. We'll have a transparent accounting ledger where projects can be reimbursed through an expense management application. We'll be able to fund these not only through credit cards, right over the internet, but also through purchase orders and recurring commitments from any one of you, because the Linux Foundation has purchasing relationships with over 1,500 technology companies worldwide who are dependent on open source. We're also providing standards and best practices for those projects as they come in and make funding requests. Do you have a CII badge? Do you have a code of conduct policy in place? Do you have a modicum of governance? All of this will be in the funding module.

In addition, we're providing security visibility and enterprise-grade security tools to these projects. We're providing a commercial-grade dependency analysis tool. We'll be doing vulnerability detection for all these projects. There will be a way that you can literally go in, click on vulnerabilities through the dependency analysis, and remediate them through suggested remedies right in the application. We've integrated with bug bounty programs in order to underwrite and provide bug bounty programs for open source projects that wouldn't normally be able to stand up a bug bounty program on their own. We'll provide metrics about the project: metrics of how they're spending their resources, who's participating in it, what their bug backlogs are, diversity statistics, and so forth.
We're even providing static code analysis. Particularly, this is important to the Linux kernel project, so that we can find bugs quicker and fix them faster. Finally, our CommunityBridge People component helps with this diversity issue and brings new blood into open source in an automated way, from any country on earth, from anyone with any background who has the skills to come in and give a helping hand, be paired with a mentor, be given a shot to succeed and have a career through participating in some of the most important open source projects in the world. Projects can go in, set financial goals, maybe do a security scan and say, hey, we've got to fix all this stuff. They can then set up the skills they need to solve those problems. They can invite mentors from their community, who automatically sign up as mentors through a web UI, and publish what they're looking for. Those mentors have a set of guidelines and selection criteria that they can all set up in an automated way. Mentees can create profiles of their skills. They can take tests in order to show and demonstrate those skills. The mentors themselves can set up timelines, whether they want to do a three-month or maybe a six-month program. Then finally, employers can sign up to either underwrite those mentorship programs or, even more importantly, get qualified candidates at the end of those mentorship programs that you can interview for jobs at your firm. You don't have to hire, but if you sign up, we'd like you to give these people a shot at an interview. So your companies and organizations can all participate. You can support your stack. We have an integration with stackshare.io that shows, through a crowdsourced way, which of your companies are using what open source and how you can support it.
You can find new diverse talent, sign up to the mentoring program, monitor progress through the dashboard, and more. The Linux Foundation is also taking the lead on supporting developers, and this is the challenge I want to offer out to all of you today. We are going to be providing matching grants for the first 100 mentees and mentors through this program. We're structuring the mentorship program so that mentees will, for a three-month program, receive a $5,500 stipend plus a $500 travel stipend to participate in a three-month program. For the kernel community, we're not even going to bother with the match. We're just going to outright fund some mentees right off the bat. Second thing we're doing is every dollar goes to the developer for the first ten million bucks, meaning we're going to eat the Stripe fees. We're not going to charge any kind of fee. We're not doing this, you know, there's no IPO at the end of the Linux Foundation rainbow here. We want to fix and help these communities, right? Every dollar goes to the developer. We've hired a new Linux Foundation fellow, our third Linux kernel fellow. Where is Shuah Khan? Is she here? There she is. All right, stay right there. Super happy to have you on board. She will facilitate the kernel fellowships and other fellowships to help us make sure we get this right. I think she's just uniquely suited as a developer in a community that's kind of hardcore. It's a tough community to be in, and she is one of the top people in that community. We already have folks who want to sign up.
We want to spend this week signing you up as well. Come in and participate. If you are dependent on a long tail of projects that aren't represented in the current foundation or wherever you're working, we can provide you a path to provide those grants, because in addition to charging no fees for the first 10 mil, and matching grants for the first hundred mentors and mentees, we are also doing a five hundred thousand dollar matching grant. So if any of you want to set up a grant for projects that need help, let's say you're just really dependent on a certain npm package that's kind of struggling, or you want to help OpenSSL or whatever it is: give us a list, give us an amount of money, and we will match that dollar for dollar up to the first five hundred K. I hope to leave this event this week with at least a million dollars to help out these projects. I'll pay half. Better application security, more resources, and more diversity, all at the same time. That is the goal. That's not the goal for me or for the Linux Foundation; that's the goal for you. Let's do this together. We built the platform to do this together. Now, we didn't build this thing all by ourselves. We've got some folks here today who helped us build it as well. So our launch partners are HackerOne; we've integrated the platform with HackerOne. Mårten Mickos is here today.
We've integrated with Meetup. Let's say you want to fund a meetup. You're a community, and it may be small, and you need just a couple thousand dollars to do a meetup because you have a couple hundred people coming. You can go in, integrate, do expense reimbursement, all through meetup.com and CommunityBridge, to get that done. Snyk, a commercial-grade security and software composition analysis tool, helped us build out the commercial-grade security functionality. source{d} is helping with static code analysis and other security tools, and StackShare is helping us identify, through crowdsourcing, what open source projects people are using.

But before I get to that, I want to show you that this is actually real. This is something that we're opening up to all of you this week. We're gonna do a two-week closed beta, and then it's done; we're gonna open it up to the world. This is something that we've already built. Let's show it. It's gonna be a little bit of a long video, and like, I don't know what happened. Shubhra, where are you, Shubhra? Right over there. Stand up, Shubhra. Shubhra and our development team have done an amazing job building this thing out; give him a hand. Shubhra weirdly waited to the very last minute to create this demo video. I've never heard of that before in a software demo. But we did a quick video of this. Not all the data in this thing is real. We cut it before we're releasing the actual tool. So when you go in and log in after this and you want to check it out, there's gonna be gated access; we'll give you a password. But obviously there'll be a different set of data than what you're gonna see here. But let's check it out.
Let's check out the platform and see how it works.

The world of open source is not just about engineering and technology. It's a complex network of people and organizations driving collective innovation to solve problems and create shared value. CommunityBridge is a collaboration hub with the tools projects and the community at large need to grow and thrive.

Funding. Funding provides a simple and transparent service for individuals and organizations to back open source projects and groups. To get started, maintainers can add their projects by providing some basic information, the contributors they wish to support, and their desired fundraising goals, providing a transparent view of how this project intends to use the funds they are requesting: 20% will be allocated to development, 20% to marketing. Once approved, a project can be funded by individual backers and sponsoring organizations through a recurring commitment or one-time donations. Invoicing support is also available to sponsors all across the world for larger donations. The Linux Foundation has taken an initiative to waive all applicable platform fees and even payment processor fees for the first $10 million raised through the platform. Hence 100% of the funds raised, till we reach the goal, goes directly into the hands of the maintainers. We want to set the precedent and encourage large corporate donors to follow lead for the growth of the community. Beneficiaries are invited to a project-specific expense policy where they can submit receipts for expenses and invoices for development effort. Maintainers are the first-line approvers, validating that the submitted expenses are reasonable and legitimate. Once approved, CommunityBridge administrative staff will verify funds are available and that reports meet regulatory compliance before releasing funds to the beneficiaries. The Linux Foundation will process necessary tax documents for anyone who donates or receives funds. All transactions, donations and expenses alike, are
tracked and are fully visible to all in a transparent ledger. CommunityBridge also supports meetups and even scholarships for attending LF events.

People. Money alone will not solve sustainability. We need to attract the right talent to support and grow the project. CommunityBridge provides a matchmaking service for projects, mentors, mentees and employers to create a sustainable growth model. Like funding, if a project hasn't already been added, a maintainer can simply provide some basic information: specify the skills and interest areas they are looking for, invite the community mentors to teach and advise newcomers, and say how often or how long the mentoring programs would run. Finally, communicate what is expected from prospective candidates and a list of to-do screening tasks before they can be considered. Once approved, the project is available for accepting applications from prospective mentees and funds from sponsors and potential employers. Individuals interested in growing their skills and being mentored can get involved at any time by creating a profile and identifying their skills and interest areas. If interested and applicable, they can also sign up for diversity scholarship opportunities. The Linux Foundation is taking a lead on creating a more open and diverse community and will be providing a dollar-for-dollar match for the first 100 diverse mentees. Once a profile is created, candidates are auto-matched with projects looking for a similar skill set and interests as theirs. They can apply to any project of their liking, though. Applying is a one-click process, but to finalize their application candidates must complete the tasks assigned to them. These are the same screening tasks that the project manager defined and could include writing a cover letter or submitting a pull request for a coding challenge. Not to be left out, a critical piece of the puzzle are the mentors. These are skilled and experienced contributors who will be responsible for advising and guiding the candidates
in the program. Maintainers can invite mentors based on need and availability, and often play the role themselves. Once invited, mentors are asked to build a simple profile to showcase their knowledge and experience to prospective mentees. The goal is to feature these hero developers who educate and inspire our community, whose tireless efforts make this possible. Finally, there are many organizations that not only thrive from open-source technology, but who also foster and participate. We want mentees graduating from the program to have viable career options which allow them to remain active contributors and grow the project. To this end, we encourage organizations of all sizes to get involved, first through funding the mentorships, but not to just end there. Organizations can benefit from CommunityBridge by hiring program graduates and employing them to support the projects they depend on. They can show their interest in the project or specific skill areas they are looking to support, and commit to providing job interview opportunities.

Security. The goal of this service is to provide visibility and actionable data for maintainers and funders so that they can make informed decisions on areas to develop or where to fund. Vulnerability reports are generated by a daily scan of the project repositories and the dependent projects and libraries mapped via project manifests. Supported languages are Node.js, Ruby, Java, Python, Scala, Golang, .NET, PHP and Docker containers. Defects and their severities can be tracked over time when injected. Looking deeper, we discover a host of security defects, some of which are fixable by a simple upgrade to a library or package version, and some of which don't have a simple published fix and need a change to the code base. Maintainers know their code best and should analyze for any false positives. Triaging the defects, we can find associated CVEs (Common Vulnerabilities and Exposures) and CWEs (Common Weakness Enumerations). These vulnerabilities and weaknesses are
directly linked to the research in the National Vulnerability Database. In the CVEs there can be simple fixes identified, for example just the upgrade of the dependent library to a specific version. Real-world evidence of this issue is also published, sourced from hackers or fellow developers. Clicking on the HackerOne report, we can find a bug captured during a bug bounty program. Even steps to reproduce the bug have been provided by the hacker. Similarly, we are able to access the research associated with weaknesses (CWEs) linked to the NVD. The service is also designed to provide early warning of vulnerabilities which have been detected but may not have been logged into the NVD yet. Triaging another issue where there was no easy upgrade-path-based fix, we get to see PRs from fellow developers which you can use as a potential fix. However, our goal is to just provide recommendations on possible remedies to the issues and leave the actual fix to the discretion of the maintainers. We can find all upstream direct and transitive dependencies based on daily scans of the project repos. Each dependent library or package is listed in an app dependency tree. When auditing the app stack, this data is very handy to validate issues around incorrect builds and to map the root cause of the security defects. As a funder or user of this project, you can view all the different licenses in the stack. The most interesting part of this data is that we also determine if a dependent library, package or project is already on board the funding platform. If so, as a funder, you can choose to back the dependent package along with the master project you are currently looking to fund. This creates a network effect of sorts, and sponsors can fund or back an entire stack instead of just a project, to enhance the sustainability of the ecosystem. For select languages like C and C++, and in particular for projects that operate at the root level (for example, the Linux kernel) and don't have dependencies listed in manifests,
we provide static code analysis. This is an early feature, and we plan to expand support beyond C and C++ to all major languages. You can find a detailed list of issues detected by the static code analyzer available for the project maintainers to review. Maintainer review is needed to weed out false positives which may not be applicable or are handled elsewhere in the code base. Exploring a detected issue, you can see the code-level details where the issue is manifested. Static code analysis doesn't just capture security defects, but all potential performance-level (for example memory leaks), security-level and code-level defects (for example null pointers). Projects can allocate funds towards running a bug bounty program, and hackers all around the world can submit real-world reproducible bugs that are validated for authenticity. You can see summary metrics around program details, bounty amounts, bugs detected, hackers paid, etc. Anyone can view publicly disclosed bug overviews for the project, but maintainers have privileged access to the detailed full disclosure information. We provide crowdsourced usage metrics about the project. These metrics include companies and individual apps using the project as part of their stack. This information is gathered from users who have voluntarily produced confirmation around the use within their private enterprise or public community environments. Although there is no concrete guarantee of this data being accurate, due to the voluntary nature of it, it does provide an indication to funders about the adoption of the project and its impact across the industry at large.

All right.
Thank you for bearing with me on that. I wanted to make sure that we showed you that this is real, that you can take advantage of it today. Again, we're going to do a two week closed beta, and then we're going to release this to everyone to participate in. I want to take the next few minutes to thank the folks that we've co-developed this with. One of the things that makes this possible, and one of the best parts about being at the Linux Foundation, is we built this in a modular way that is very API-driven, meaning that we are not an organization that's going to build out a commercial software composition analysis and security vulnerability tool. We're going to partner for that. We're not going to build out a bug bounty program, because that's a lot of work and we don't have the network. We're going to partner with a whole bunch of folks, and I want to bring them up on stage in a couple minutes. But before we do that, I want to bring up our newest Linux kernel fellow, Shuah, to talk about the mentorship program. Shuah, come on up and talk to me about what we're doing with the kernel community. Please welcome our newest fellow. So, tell us about what we're doing. I think you already have posted a blog post about this, probably like we wanted you to wait, but the last few minutes maybe. But tell us about the mentorship program for the kernel community and about how you came to come to the LF.

So I'm really excited to be here. When Jim asked me to come and work on the mentorship program at LF, I'm like, yes, I want to do this, because I've been working in open source and got involved doing my journey doing Android, mainlining the Android code, and then went on to do other broader initiatives, things such as helping Greg Kroah-Hartman with stable release maintenance and then also kselftest maintenance. The broader things, I gravitated towards them partly because it's important to have that foundation piece for a lot of the ecosystem.
It's important to have the foundation strong. So the important piece of that is we have maintainers, we have lots of developers. Maintainers have critical subsystems; they need help. So we want to continue to bring new talent and new developers into the ecosystem. Kernel programming is complex. It is a large subsystem, large subsystems, and it's important for maintainers to be mentors and help the new generation of leaders to grow and continue to sustain the ecosystem. So that's why I'm excited about this, because I want to do this.

And so the first five mentees on the Linux Foundation, so three-month programs, six thousand dollars each: you get a fifty-five hundred dollar payment and a five hundred dollar travel stipend. And you're going to be leading the charge to get these kernel developers to act as mentors and to get these diversity candidates. I should mention we are only going to pay for the first five that are diversity candidates. If any of you want to pay for additional mentees, we would love to work with you; go into CommunityBridge and fund it. But you're gonna be leading that charge.

Yes. Yeah, so today I'm asking mentees to come and join, and mentors to come to guide all these mentees coming in. And this year we are going to be doing two full-time mentorship programs, the upcoming summer and then fall, and one part-time. We do want to include part-time because there are a lot of people that cannot spend full time doing the work, so we would like to include people that can only spend part time. So next year we want to increase that to three full-time programs and two part-time.
Yeah, we really want to move the needle on this. You know, when Shuah and I first started talking, we're like, hey, listen, we can partner with organizations all over the world, bring diverse candidates in, you know, quash that relatively large bug backlog. That's really important.

Yeah. And we want to do that, and we want to improve the kernel quality, also strengthen the diversity and actually add diverse people into the community and strengthen it at the same time. And then also we want to be able to train the kernel candidates and, you know, kernel developers to make them available for the community partners. So that is also very important.

So new job candidates for you. If we can improve the kernel, create more diversity in the community and long-term leaders, and find these folks jobs, that would be a great outcome. Thank you so much.

So we've also been working with some partners to help understand the requirements of open source program offices in terms of what they need to create mentorship programs for projects that they support, and to provide grant writing. And to that end, Remy DeCausemaker from Twitter has been helping us out, and I'd like to invite him up on stage to talk about his perspective on CommunityBridge and what Twitter is going to be doing with it. Remy, come on up.

All right. Hi there, everybody. What's good, Open Source Leadership Summit? My name is Remy DeCausemaker, and I help hackers work together to use their powers for good. I've been doing that for a while now, and most recently I helped to run the open source program office at Twitter. Twitter, maybe you've heard of it, is this social network. It's where people go to find out what's happening in the world. And it turns out that open source is a very important part of our origin story. Open source has been baked into the DNA of Twitter since the beginning, you know, everything from our microservices architecture, our build tools, even our emoji are released open source.
So we have a broad set of concerns, and we are committed at Twitter to improving sustainability and diversity in open source. And the CommunityBridge project, this partnership, it helps to align a lot of different things. It helps to align upstream mentors with downstream participants. It helps to integrate third-party services that a lot of us in OSPOs tend to depend on. It helps to improve the transparency of where projects are spending their time and their resources. It helps to align and provide incentives. And ultimately it builds trust, which is one of the most important things. We have sort of a thesis in the open source program office at Twitter, and by we I mean mostly me, because I brought it to it. The idea is that to grow anything you need three things: heat, light, love. It's a little sappy, but it's true, right? In open source there's no guarantee that any of the seeds that you plant will grow, but you can provide the best environment for those seeds to grow, and that's each of those things: the heat, which is the activity, the resources, the time that you invest directly; the light, which is the visibility that you bring to the projects and the community of people doing the important work; and then the love, which is the support, the culture and a lot of the kinds of things that we're hoping to bring through initiatives like CommunityBridge. So over the next year or so Twitter is going to be experimenting with this platform. We're really excited to work with the partners. We're really excited and thankful for the invitation, Jim, to be a part of this. And you know, we're going to need all the help that we can get. We're going to ease into it. We're going to start small with some of our healthiest communities. We're going to ramp up with some mentors, some folks from the inside that are willing to help, because it goes beyond just throwing money at the problem. We have to grow the community. You know, it's not just a free-riding problem.
It's a community problem, and we need to build the operations and support for those resources to go where they need to go and be transparent and build trust. And CommunityBridge is one of the ways that we can do that, and we're excited to partner. So thank you, Jim.

Thanks a ton. Really appreciate it. Yeah, absolutely. All right, that's not all. So Guy Podjarny from Snyk, we couldn't have done it without you. So you saw a lot of code out there for dependency analysis and security vulnerability detection. Snyk is an enterprise software composition analysis and security company that has helped us build this platform. We really appreciate it. Tell us a little bit about what Snyk does and how you've been helping.

Sure. Okay. Thanks, Jim. So thanks, you know, we're excited to be a part of CommunityBridge and of this initiative. You know, fundamentally, I think the reason I'm excited about this is that open source, you know, is hard. It's amazing. It's hard. It's hard for me. It's hard for consumers, sort of a new model of ownership. It's just complicated, and I do think a lot of the responsibility on us as foundations, as vendors, as tool providers, is to make it easy, to make it easy to do the right thing and simplify it. So at Snyk, you know, if you don't know much about us, our thesis has very much been around making security easy, and specifically making security easy for developers. First we try to make it easy by just finding out about vulnerabilities in these open source components. So we have our own systems to try to sort of track on the web, you know, there's a lot of open source activity that doesn't necessarily make it into a CVE or an organized database, because again practices are not perfect. Let's try to fish those out and make it easy to just find and know about all these vulnerabilities in one place. And then second is around integrating and making the understanding of which components you are using, and whether or not they are
vulnerable, easy as part of your development process. And last but not least, we have very much this mindset of developers, right? When we talk about all these contributors, all these great people that we're pulling into the community, these are generally speaking not security experts. They're not auditors. Most of them are developers. You have to think about what makes sense: what tool, what solution does the developer want? And one key aspect of that, for instance, is a developer's job doesn't end with finding issues. It ends with fixing them. So if we give them a solution that just gives them a very long list of problems, they're not going to be very happy. And so we built a lot of these automated remediation components. I love that all of those are within CommunityBridge, because, you know, that makes it generally easy for people to do the right thing: for the maintainers, for those creating and contributing to the project, to understand which components they're using, find those vulnerabilities, fix them, do the right thing. People want to write high-quality software. And for the consumers to also notice the right thing, understand, you know, which vulnerabilities are in here and make your decision, understand whether that is a crippling element for you, or better yet, if you can chip in and help move those forward.
So really excited to be a part of this project and see you thrive. Thank you.

So we also got some help from someone who has been prominent in the open source community for a long time and is a good friend of mine. The CEO of HackerOne, Mårten Mickos, is here to tell us about how his community, which is sort of aligned with the open source community, is going to help out. You know, Mårten, I've talked to Linus about how, you know, as a developer sometimes it's super hard to understand the mind of a hacker, right? I remember he told me once, he's like, I don't even know what's in those folks' heads. But you're helping us by connecting these two communities together. Tell us about the HackerOne integration and what you're doing at HackerOne.

We could say that with enough hackers every security challenge is shallow. We've heard that before. So some things stay the same and some things change. And this community, and we, are always a place with lots of people who disagree on every single detail but always agree on collaboration. That stays the same. What's changing now is that every piece of software you develop has to be secure. And it wasn't like that, and I know because I was there developing all that insecure software that's now full of vulnerabilities. But now we have assembled at HackerOne, we take as our mission to help you build safe and secure software, and we have an army of 330,000 ethical hackers who've signed up with HackerOne to hack the hell out of your software and tell you what's wrong. Because you will get hacked anyhow, and it's better to be hacked by these kind people here on the posters. Those are some of the best hackers in the world. When they reach a certain level, we make a dedicated poster, so each one of those is one particular human being who's a brilliant, brilliant hacker. But we have over 300,000 of them that will help you. And we're just delighted about CommunityBridge, because now it enables us to bring this to
everybody in this community and allow you to get access to these people, even if you feel like you don't have the funding, you don't have the resources, you don't know how to do it. We can now do it in a way that's easy to get going, and that's what's so exciting with all of this. Thank you.

We hope to find a lot of bugs and fix them. I really appreciate your support, Mårten, and we're happy to have you. Let's give a hand.

Thanks, Jim.

Two more left here. So I called up, what was it, a couple months ago, the CEO of StackShare.io. How many people here have seen StackShare.io? It's awesome. It's this cool tool where you can go on, see what open source projects people are using, compare the projects and so forth. I called up Yonas and said we're doing this thing, we can't figure out what everybody's using, can you help us out? And Yonas was kind enough to help us. Please welcome to the stage Yonas from StackShare. Thank you.

All right. Well, first of all, I'm honored to be here. Thank you very much. I'm going to make this very, very brief, and I've got some very simple slides here. Let's start. Gotta hit it hard. There you go. So for those that aren't familiar, StackShare, our mission is to make developers more productive by helping them learn about technology through the people and companies they trust. So the problem is there's hundreds of thousands of tools out there, right? There's open source, self-hosted, cloud, SaaS, PaaS, the list goes on, right? Very difficult to choose which technologies you should use. We're solving that by allowing developers and companies to publicly share which tools they're using in their tech stack. And as all of us in this room know, the modern tech stack is actually dominated by open source technologies, right?
So more often than not you're using open source whether you know it or not. And so when Jim called me up and said, hey, I've got this thing that I think you guys could help with, I immediately said yes, not only because of, you know, the fact that it's the Linux Foundation and the work they do is important, but because this specific initiative, CommunityBridge, is actually a very holistic approach, and it's not sort of this band-aid one-off solution, right? Being able to sustainably fund security patches while increasing the diversity within the open source world is actually an amazing way to help the entire ecosystem, and StackShare, we're honored actually to be a small part of the solution here. So why are we here? So the purpose of StackShare, you know, the reason we exist, is because when you're going to adopt a tool, particularly open source, one of the main questions you have to ask is, well, who else is using it, right? And right now it's kind of a difficult question to answer. A lot of projects don't tell you who's using the software, right, which companies and who else is using it. Some bigger projects do, that have the resources. So this is where StackShare comes in. We've actually built the world's most comprehensive sort of open source and SaaS usage database that's crowdsourced. Again, this is all public data, and we've brought it all together in one platform. And the reason that this is important is because when you're funding a project, this is actually one of the things you want to know. So what you'll see here, actually starting today, we've released a sort of new aspect of the platform. You can not only see what companies like Uber are using, but you can actually see why they chose specific tools in their stack, particularly open source tools.
So here you'll see Connor, who may be in the audience, from Uber, actually talking about Jaeger and why they decided to build it in open source and under CNCF. And so all this data is now available through a brand new GraphQL API endpoint, a set of endpoints that we opened up specifically for Linux, that gives you access to all this information. And when you're browsing profiles on CommunityBridge you can actually see who's using these projects. And we see this as the beginning of a much deeper integration and larger partnership. But again, we're really happy to be able to help out here, and thanks for the opportunity.

Awesome. Thank you. Thank you. All right, we're almost somewhere in the home stretch. Last but not least, Eiso Kant. He is the CEO of source{d}. When I first got introduced to him, he said, Jim, we have all the code and we've cached it all, and we're taking machine learning tools and we're trying to get insight into patterns of code. There's security implications, all sorts of stuff. I said, can you help our open source projects with those tools? He agreed to do it.
Welcome.

So today I'll be talking a little bit about some of the things today we help enterprises around the world with, and how we can start bringing this to open source projects. One of the main emphases I want to make, though, is already what Jim had been talking about: that today as developers we spend a massive amount of our time, close to about 40% of our time, actually on bad code. We spend hours debugging, refactoring, fixing vulnerabilities. And one of the things that at source{d} we've introduced today, to open source communities, to enterprises, to individual developers running this on their computer, is this notion of engineering observability: the ability that today, when we take an enterprise environment (I'll talk a little bit later about how this reflects in open source communities), at the very top level we set behavior through guidelines. That can be a technology we choose to adopt or a series of best practices we're going for. And then further down in the organization, we want to start enforcing these guidelines. We want to make sure that new code that gets added actually follows these practices, and we can fix things proactively. And at the end of the day, when the actual developers are touching the code, we want to make sure that we can actually prevent and fix, you know, violations. This isn't so different today from governance in an open source project, where at the top level you have the maintainer and then the wide spread of practitioners below. But at the end of the day, when we look at projects and we look at code and engineering, in our opinion it comes down to three parts. It comes down to people, it comes down to the actual behavior, and it comes down to the technology that's there. And what we see in open source reflects very much what we see in enterprises. It's not common for us to work with a bank or a telecommunications company and find that you have over 20,000 projects, repositories, spread out across your organization with dozens of years of
history. And today what we do with source{d} is we can analyze that talent. We can analyze who is actually writing that code, what skills do they have, who is collaborating across projects. We can identify knowledge leaders through pretty interesting machine learning models that are actually analyzing the core of the source code. But we can also take all those guidelines and best practices and turn them into code, code that later you can then see where you violate it, track the impact, measure it, and also prevent violations. And while doing this, and already Jim talked a little bit about that today, both on the upstream and the downstream, understanding what do you actually use, right? What are the languages and frameworks and libraries that you depend on? But not just that: what does your architecture look like? What is the impact of changes in your dependencies? And actually measuring the change from one technology to another, often happening in big projects. So at source{d} we have two main components. We're a fully open core and open source company. What you see here actually is available on GitHub. We run as a fully transparent remote organization.
We are incredibly grateful and depend on, and exist today because of, the open source community. The source{d} engine is what ingests all of the source code, git version control data and other data sources, and actually turns source code into a universal abstract syntax tree, a universal language that allows you to do complex analysis over what's actually in your code base. And on the other hand we have Lookout, which at the code review level helps you to take those codified rules and prevent further actual violations. And a lot of this is powered by machine learning on code. About four years ago, when we started the company, we decided to create a community for researching how machine learning techniques can be applied to source code analysis. At the time we felt quite lonely, us and a handful of academics. Today we're very happy to say that that's a massive community where we see researchers from almost every computer science university around the world, and a lot of the companies here in the room also actually doing interesting work. And so what we're announcing today is: a lot of the things that we've been doing today are on the downstream. We work inside large enterprises to analyze all of the source code that's there. We have a community edition that you can run on your computer and analyze the source code that you locally have. But what we're going to be starting to do at the Linux Foundation is taking all of those upstream projects and providing that same level of analysis with the source{d} engine to those projects. And so we're very honored to be part of this. We hope that we can start making a small contribution to actually supporting open source. So thank you very much, Jim, and looking forward to seeing what the future brings.

Same. Thanks. Nice. All right. That was a marathon. I appreciate you all standing here.
We still have a couple of good speakers, but I wouldn't be a very effective person introducing something new at the Linux Foundation if I didn't just give you a "wait, there's more." So last night, as we were outside having s'mores on the lawn, I got a call from Nat Friedman, the CEO of GitHub, and GitHub at the very last minute has decided to up the matching grant. So instead of $500,000 we now have $600,000 in matches. And so I'm looking at all of you. I'm looking at all of you. We've got two weeks of private beta here. Let's go GA with this thing with a couple million dollars in funds for these projects that need it. Better security, more diversity; we can do this all at the same time, funds for these developers. This is what we want to do. The last thought I'll leave you with, and then I'm going to introduce our next speaker, is this is only the first five percent of the functionality that we're going to be offering on CommunityBridge. We've spent a lot of time thinking about how we can create tools to make open source communities better, to provide easier ways for people to on-ramp to communities, to reduce the mean time to pull request response, and so on and so forth. So throughout the year we're going to be releasing more, and we are always looking for co-development partners to help us make open source better. There's no profit motive here. We're going to try and keep these fees at zero. We want to build out robust functionality to help us all collectively help the open source projects we depend on. So I want to thank you all for spending a ton of time listening to me, and I hope you all participate in CommunityBridge. With that, let's give a round of applause for our partners here.