This is Jerry Bain at the Coalition for Networked Information Spring 2023 meeting, and I'm joined in conversation today with Said Choudhury, Director of the Open Source Programs Office at Carnegie Mellon University. Thanks for being here, Said.

Thank you, Jared. It's a pleasure to be here.

So we're going to talk a little bit about the Open Source Program Office and your new role there. What is the Open Source Program Office and why have you decided to dedicate yourself to this work?

Yeah, so the Open Source Program Office is a fairly new construct within the university setting. It's something that's been in the private sector for a few years, so we're still defining in many ways what an Open Source Program Office is. But I think of it as a convener of the community and a center of competency within a university to help better manage, curate, and share software. So raising awareness, providing capacity, consultation, expertise, bringing people together, acting as sort of a clearinghouse for resources and support. And then once you have better managed software, there are lots of different things that a university or different sets of universities might want to do. And we're exploring a lot of that. There's six so far funded through the Alfred P. Sloan Foundation, there'll be another round coming soon. So we're starting to see a network and a community form around them. And why have I devoted my time to it? Well, I've always been focused on building infrastructure to support Open Scholarship, Open Science. And while in previous worlds I had responsibility for looking across articles, data, and software, this one is much more focused, as the name implies, on the software piece of it. I happen to think that there are some fundamental differences and characteristics around how software is produced and how it's shared and how communities are built.
And also the impact in terms of supporting Open Science, through things like reproducibility or better engagement with communities. So at the previous funder session we heard about being more transparent, more inclusive, more accessible. I think Open Source Software is a great way to make those things happen. So I'm really eager to explore how to make those things work.

And can you describe what your role is at Carnegie Mellon?

Yeah, so I'm the director of the Open Source Programs Office. So I've been hired to basically help build out the office and to build out a set of services around that with some support from, as I mentioned, the Sloan Foundation, but also from CMU. Keith Webster, who is the dean of libraries at CMU, has been thinking about Open Science for a long time and has done some really great work at Carnegie Mellon, even beyond the libraries in terms of building interest and capacity for it. Also how the OSPO fits into that is a key part of my role. Also trying to think about sort of the external impact and potential and partnerships and collaboration for CMU researchers, CMU students, local community, all the way to federal agencies is a key part of it. We've hired recently a community manager who's going to help look at more of the internal facing, you know, community building efforts of faculty and students at CMU.

So what should folks in higher education know or why should they care about what has primarily been a practice in technology companies?

Yeah. So it's an interesting question and I agree with you that the OSPO itself has been primarily something in the tech sector or in the private sector, although I will say at this point companies like Walmart, American Airlines, whatever also have OSPO. So Open Source is everywhere. The estimates are anywhere between, you know, 95 to 98% of all software uses Open Source.

So are you saying that there's a trend towards Open Source that's been happening?

Yeah.
So the interesting thing is while the OSPO has not been a university focus, Open Source has been in universities over the last decades as well. The fact that the private sector has been more intentional and strategic about it says to their credit and they have very clear business reasons for doing this. You know, there's a perception of, oh, they only do it for altruism and, you know, community relations. That's simply not true. I mean, that is a benefit. But there are bottom line decisions these companies have made. Now obviously universities are different in terms of the mission and the way we work and the composition of the roles. But we haven't been intentional strategic about Open Source software. Even though Open Source software started in universities well before the private sector picked up, there are cases of Open Source software coming out of universities like Hadoop that got adopted by the private sector and the Apache Foundation and so on. But universities are a little bit late in my opinion to come to realize that there is Open Source software being produced, there is Open Source software being used and that there's real value in being intentional and strategic and organizing around that. So it's more a matter of it's already been happening and now wouldn't you like this to be a little bit more intentional, particularly given a lot of the emphasis on Open Science?

Right. So I'm just thinking out loud here about the OSPO office, you know, ten years ago you didn't see the CISO role very much.

Exactly.

Is this sort of the same sort of thing like you didn't see this around and it's sort of a new, what could you trace like, you know, roughly how long this has been fomenting?

Yeah. No, it's a really good observation.
So I think, you know, one of the things that Josh Greenberg, the program officer at the Sloan Foundation, who's funding these OSPOs had said to me about previous efforts when they funded Data Science Institutes is new roles were created in universities, right? So fifteen years ago there was no such thing as a data management consultant or a data wrangler or whatever those terms might be. So I think we'll start to see a lot of these new roles evolve in the university context. The advantage we have in some sense given what the private sector has done is they've kind of blazed the trail. They have community managers, they have maintainers, they recognize the value of those roles and I think that'll start to happen in the university context. So, you know, sort of the fomenting of it in some sense is, as I said, you know, open source has been in universities for a long time, but as there's been more of a shift over time through, you know, OSTP memos and public access, the White House declaring 2023 as the open science is we're seeing a shift from articles to data to software. And in many ways the software piece is critical for reproducibility, transparency, things of the nature, but we don't have as much of an understanding what's an appropriate policy structure, what are the appropriate licenses, you know, what should the federal funders expect of universities. So there's a greater recognition that it's a critical piece, but there isn't as much awareness or capacity yet.

You talked about your role. Can you talk about the role of open source at a university? I mean, when I think about it as just a layman, I think, oh, I'm going to get Blender. Great. Maybe I'll help develop Blender. Sure. What do we need you to do? And I don't mean to be insulting. I'm just like, I want to understand what are you tracking? What are you directing? If it's open source and it's just kind of out there, it's free. What needs to be wrangled?

Not insulting at all.
As I said, these are early days. You're not the only one with these questions. Better to get this out now than to keep it hidden. So in essence, the way I've argued about open source software is it is a primary research object. Just like articles, just like data, there's open hardware, there's other kinds of things. But open source software is a primary research object. I think you won't get a lot of disagreement about that. So in a university context, if you ask someone, do you care about open source? You'll get a wide degree of answers. But if you ask, do you care about research outputs? Everyone will say, yes, of course, I care about that. So it has the benefit of activating the whole university support around research, interest and support on research. And when you start to think of, well, yeah, it is a primary research object, therefore, we should know how we're producing it. We should know how we share it and what impact it's having, not only in the academic sense of citation and connections to data and so on, but local communities, other universities, other companies. A really important partnership is with Tech Transfer, which typically looks at commercialization, which is an option around open source software. But ultimately, they are about new forms of impact as well. So trying to measure those, I think, is key. But where are we today? I couldn't tell you all the open source software that's being produced at Carnegie Mellon. And I would submit, no university could tell you that right now. So we have some foundational types of information and pieces of infrastructure to put into place before we can start really addressing those things. But they can happen in parallel, right? We don't have to wait until we have this full inventory to start all those other kinds of useful strategic things.

That makes a lot of sense. Can you talk about the connections between open source and cybersecurity?

Yeah, so I can.
But I will point out a talk that was given recently at Carnegie Mellon by the director of CISA, the Cybersecurity and Infrastructure Security Agency, Jen Easterly. It was called "Unsafe at Any CPU Speed." I would encourage your listeners to look it up and either watch the talk or read the transcript, because she did a great job talking about exactly this question.

I'll be sure to put that in the show notes for this.

That'd be great. So I think the key question is that open source software is a part of critical infrastructure now, digital infrastructure, but it's increasingly connected to physical objects, right? So my television is now an open source software platform. It runs Android OS, and quite frankly, sometimes it's flaky and whatever, right? So it's not to say that there are still a lot of questions to explore around this, but open source software is becoming a key part of everyday life. And therefore, any issues around its security or its vulnerabilities can affect your everyday life. And I think I don't mean to speak for the director of CISA. I do think people should listen to the talk directly. But a fundamental premise was the comparison to the auto industry in the past, right? So decades ago, if people had accidents and they were hurt and they died, there was a sense of, well, you're just a bad driver, right? It's your fault. But over time, we recognized that putting that burden on the user is not appropriate, and that the auto industry has a much more robust capability to make structural changes that cascade throughout the system. And now you have seatbelts and airbags and crumple zones and crash testing and so on. And our premise was the same thing needs to happen with software. And there's an educational aspect to this. There's a regulatory aspect to this, multiple dimensions. But the good thing is open source software is indeed open. So a lot of people talk about the Log4j security instance that happened, and it was a very serious issue.
But it was addressed openly by the community as well. Going back to automobiles, I used to own a Honda. I guess I shouldn't pick on that company. I'm sure this happens to all companies. They sent me this very nice letter saying, we need you to come in to get your airbags replaced. So I'm sitting here thinking, wait, what does that mean? I've been driving this car. I hope I'm OK on the drive over there. Exactly. And I think they gave me a free oil change. We know that's compensation. It ultimately comes down to trust. I'm trusting this auto manufacturer to do the right thing and have done all the things before that recall happened to make sure it shouldn't happen, and then after the recall happens that they'll do the right thing. Well, OK, is that better than putting trust into a community of universities or even companies who are working openly and saying, here are the security issues that are involved, and here's how we're addressing them. And you only hear about the ones that hit the news, right? You don't hear about the hundreds of cases that come up where there are processes in place. There are organizations in place that make sure it never happens. So it's a key part of how we think about security. Cybersecurity particularly gets integrated into things we do every day. But there's nobody, since the Department of Defense you name it, that's saying, don't use open source software. Everybody's saying, we have to continue to get the benefits here. We just need to do it in a safe and secure way.

So can you talk about any suggestions you might have for any institutions that are interested in establishing an OSPO at their university?

Sure. So at a session earlier today, we had a panel, which I would encourage people to look at the recording. The six institutions that have been funded by the Sloan Foundation were represented there.
We also have produced a playbook or a guide about exploring open source software within your university and then if it is desirable how to create an open source programs office. I'd mentioned the Sloan Foundation recent call for OSPO as part of an informational session for that. We recorded a description of that guide and an overview of those questions. But beyond those resources, I think there's a community that's starting to form. Basically around university OSPOs. So you've got these six that are funded now. There'll be a few more. I'm hoping that that group obviously will have its own internal kinds of goals and considerations but can become a place where people start to see common patterns evolve and even differentiating patterns that might resonate with the type of institution that people are working in. But it is early days. I would be remiss if I said, oh, we've got a clear pattern and this is what you do. A lot of this is learning, sharing those learnings and evolving from there. But I think we've gotten enough of a foundation through those resources I mentioned that people would start.

And where might someone find that guide you referenced?

So the guide is available on a website for an organization called OSPO++. I can send you those resources as well. And then the informational session is on the Sloan Foundation site for launching the next set of OSPOs. And I can point you to that as well.

Great. So Said, is there anything about this that we haven't touched on that you'd like to mention?

Yeah. One thing in particular, the role of working with communities. So we've heard this throughout the CNI, which I think is really great, is how do universities better engage with people outside of the walls in the university? Speaking very broadly, whether that's within your city or throughout the world. And I was involved in some work previously when I was at Hopkins and we're starting to explore this at CMU as well.
Where open source, using open source helped build the connection with the local community center in terms of trust, in terms of transparency, in terms of believing that we weren't here to just say, we know what your problems are and we're going to solve them for you. There's a group at Carnegie Mellon called the Center for Shared Prosperity and the director of that group said it very eloquently. He said, our goal is to give people in Pittsburgh the agency to solve their own problems. And one of the ways universities can act as equals or partners, right? Not say we're the experts, you're the victims, is through open source. So anyone can look at the code, anyone can join typically the Slack channels where the development is happening. Anyone can contribute, anyone can say, I don't think this is the way this should be. Anyone can test the user interface, anyone can participate in the design. That's a really powerful way of signaling to the community that we're not here just to tell you what to do or how to do it, we want to work with you. And I think open source software plays a key role in that. There's somebody in Pittsburgh who has many roles, but he's sort of a force of nature in the community. His name is Majestic Lane. And he said this incredible phrase where he said, what we need to do is flatten the landscape. It's not about helping people come up a hill, right? It's about flattening the landscape so they can walk on their own. And I think open source software can play a key role in that.

Great way to end, thanks so much for your time, Jerry. Appreciate it.

Thanks, Jerry. Appreciate it. I appreciate it.