WEBVTT

00:00.000 --> 00:11.520
Good morning everyone, our first speaker today is Margaret Tucker, she's a public policy manager

00:11.520 --> 00:17.760
at GitHub and is passionate about getting developers' opinions on policy making when it comes

00:17.760 --> 00:24.560
to open source software. In her talk today, she'll be discussing with us the challenges

00:24.640 --> 00:30.480
of policy making, copyright issues, etc. when it comes to code collaboration platforms such

00:30.480 --> 00:40.320
as GitHub, please welcome Margaret Tucker. Thank you. All right, well, I will be honest,

00:40.320 --> 00:47.680
I'm a bit of a technical guinea pig when it comes to the AV, so bear with me. Okay, it's great.

00:48.560 --> 00:56.480
All right, so kind of a long title here, but generally this QR code refers to a paper,

00:56.480 --> 01:00.880
I'll talk about the paper at the end. It's relevant, but this is a bit of a different talk.

01:02.160 --> 01:09.520
So hi, my name is Margaret Tucker and I'm a policy manager at GitHub. GitHub has a developer policy

01:09.520 --> 01:14.880
team, which means that we represent the interests of developers to policy makers,

01:15.840 --> 01:23.040
and I will say most of my work is explaining what is a developer, what is code collaboration,

01:23.040 --> 01:28.320
what is open source, and I'm going to assume I don't need to explain any of that to you all.

01:29.520 --> 01:36.400
So instead, I'm going to kind of walk through how code, the developer community, and the norms

01:36.400 --> 01:41.520
and nuances of open source have influenced our approach to content moderation on GitHub.

01:42.240 --> 01:44.240
So yeah, let's get started.

01:49.760 --> 01:54.720
So first, a really important component to note is that code is different from other content.

01:55.280 --> 02:00.160
So typically, when we're interfacing with policy makers who are attempting to legislate,

02:00.160 --> 02:03.840
also, is there any way, is there any way we can turn off the other microphone?

02:06.240 --> 02:08.240
Bit echoey.

02:10.960 --> 02:16.160
Hello? Okay. It's still pretty echoey, I'm sorry, but yeah,

02:16.160 --> 02:22.000
typically when we're talking to policy makers who are attempting to legislate on issues pertaining

02:22.000 --> 02:28.160
to online platforms, what they're thinking about is the big platforms, you know, it's Meta,

02:28.160 --> 02:34.960
it's TikTok, it's all of those. And so when we try to explain what our platform is,

02:34.960 --> 02:41.840
who our users are, everything like that, what's really important is we identify that code,

02:41.840 --> 02:47.120
software code, shared on our platform is distinctly different from other user-generated content.

02:48.160 --> 02:53.120
And its functional purpose creates unique considerations for platform moderation.

02:53.280 --> 02:58.880
I'm going to walk through these and then we'll get into some more information about how the

02:58.880 --> 03:03.920
free and open source developer community have influenced our approach. So first, I'll talk about the

03:03.920 --> 03:10.000
content on the platform and then I'll talk about the community that uses it. So yeah, these three

03:10.960 --> 03:17.680
interesting kind of elements of content are copyright, dual use, and the network effects of

03:17.680 --> 03:26.240
takedowns. So we'll walk through all three of those. All right, so first off, code has different

03:26.240 --> 03:32.320
copyright concerns, especially when it comes to the free and open source community. So first off,

03:32.320 --> 03:37.680
the functional purpose of code is distinctly different from other content. Just as there's,

03:37.680 --> 03:43.040
you know, only so many ways to fry an egg, there's only so many ways to instruct a computer to do

03:43.040 --> 03:49.040
something. And so there's a lot of independent duplication that arises on, you know,

03:49.040 --> 03:55.120
code collaboration platforms and just in open source development. And because of that functional

03:55.120 --> 04:01.040
nature, there's a lot of independent duplication. And that means that the typical approaches

04:01.040 --> 04:07.440
of copyright just don't make sense. And so this is something that we kind of come up against a lot.

04:07.440 --> 04:13.680
One piece is also that, you know, the norms and nuances of the open source

04:13.680 --> 04:19.680
community mean that people share their code under permissive licenses. And that means that,

04:19.680 --> 04:24.880
you know, the kind of "oh, this is mine, you can't use it" norms of copyright do not apply

04:24.880 --> 04:31.360
when it comes to open source. And so this has kind of come to a head in a couple of instances. So

04:31.360 --> 04:36.240
again, when policymakers are thinking about platforms, they're not typically thinking about

04:36.320 --> 04:42.480
code collaboration platforms. And that often comes up in copyright. So for example,

04:42.480 --> 04:49.680
trying to set up upload filtering, these types of practices, has come up quite a bit.

04:50.880 --> 04:55.920
And so one case study is the EU Copyright Directive. Are all of you familiar with this debate?

04:55.920 --> 05:03.760
It was in 2018. I'll give you a quick spiel. So the EU Copyright Directive, when it was initially

05:03.840 --> 05:10.720
proposed, it contained language that was concerning for open source development. The, you know,

05:10.720 --> 05:16.880
potential of requiring upload filtering for code would just be unworkable for so many reasons.

05:16.880 --> 05:21.680
As we talked about independent duplication, you know, the norms of sharing and remixing.

05:22.480 --> 05:26.640
And also there was a bit of a value gap. So, you know, the argument that we need to

05:26.640 --> 05:32.880
introduce upload filtering for copyright violation just didn't make sense on platforms where

05:33.040 --> 05:38.160
there wasn't monetization, where there just, there wasn't any reason for this to happen.

05:38.960 --> 05:47.760
And frankly, you know, I think it wasn't a purposeful exclusion.

05:47.760 --> 05:53.440
And so we were able to work with, you know, other stakeholders, civil society, the open source

05:53.440 --> 05:59.920
community, and activate developers to advocate for an exemption specifically for code collaboration

05:59.920 --> 06:05.520
platforms. So that's, you know, an example of some of the copyright concerns that we experience.

06:07.360 --> 06:14.480
Another big one is dual use. So, as I said, you know, the functional nature of code creates

06:14.480 --> 06:19.600
just a lot of different considerations. And one of those is dual use. So, you know,

06:19.600 --> 06:25.280
basically technologies that could be used for a lot of positive purposes could also have some

06:25.280 --> 06:30.240
negative ones. There's, you know, a certain degree of neutrality when it comes to technology,

06:30.240 --> 06:35.360
a printer could print something really offensive, you know, code could do bad things and good things.

06:36.320 --> 06:43.440
And so, we kind of toe this line quite a bit, and it's something that our content moderation policies

06:43.440 --> 06:50.240
are considering quite a bit. So, a big one, though, is our approach to security research.

06:50.960 --> 06:56.720
So, in 2021, we tried to overhaul our policies related to security research.

06:57.680 --> 07:04.400
And in doing so, we, on GitHub, we will launch a 30-day notice and comment period when we have

07:04.400 --> 07:11.680
substantive changes to our site policies. And in this instance, we opened the notice and comment period

07:11.680 --> 07:18.000
because we were trying to create more clarification that we explicitly allow dual use security

07:18.000 --> 07:23.520
research on the platform. Now, you know, this is, this is malware, this is exploits, this is,

07:23.520 --> 07:31.920
you know, people sharing code that could be used for nefarious purposes, but could also

07:31.920 --> 07:38.720
be used for legitimate research. And so, in doing so, we, we kind of, I would say, it's not completely

07:38.720 --> 07:43.840
oh, all of this is allowed. So, one, you know, anything that is being used in active attacks,

07:44.480 --> 07:52.800
that is not allowed. Also, we encourage security researchers to label their code. So, people don't

07:52.800 --> 07:58.960
accidentally download something that could have negative impacts on their computers.

08:00.240 --> 08:05.840
And another component is that we have a robust appeals and reinstatement process. And so,

08:05.840 --> 08:11.840
we will oftentimes work with maintainers who may have code that seems like it was offending,

08:11.840 --> 08:17.120
we take it down, we work with them to make it clear that it's meant for legitimate research.

08:18.000 --> 08:22.880
So, there's kind of this, this important process because, you know, code is, it's useful. And so,

08:22.880 --> 08:28.000
we don't want to, we want to keep as much up as possible within, you know, the bounds of the law

08:28.000 --> 08:35.040
and what's, you know, safe for other users. One that's, it's pretty recent. We introduced this update

08:35.040 --> 08:44.880
in, I think April of 2024, was our approach to deepfakes. So, we updated our policies on synthetic

08:44.880 --> 08:52.880
media to explicitly disallow the use of deepfake tools for the creation of non-consensual

08:52.880 --> 08:59.200
intimate imagery and disinformation. So, again, it's kind of towing the line because we do want

08:59.200 --> 09:04.720
GitHub to be a place that can share these technologies. It's important for this research to

09:04.720 --> 09:09.680
happen out in the open. So, everyone can see it. So, people can develop detecting tools,

09:09.680 --> 09:14.800
so people can study it. So, all of that legitimate research is really important to our platform.

09:14.800 --> 09:20.160
And so, that's why, again, we had this kind of balance of saying, look, we support legitimate

09:20.160 --> 09:26.640
research. But that said, if your project is fine-tuned, explicitly, you know, encouraging,

09:26.640 --> 09:32.800
using this, you know, tool to create deepfakes, create disinformation, that's disallowed.

09:33.680 --> 09:40.000
And so, again, we had a 30-day notice and comment period. We introduced the policy. We got feedback,

09:40.000 --> 09:46.800
clarifying some things. And so, that's been put into place. And it's been, I would say we were right

09:46.800 --> 09:51.280
along the line with, you know, a lot of policy makers have been expressing concern with this. And

09:51.280 --> 09:57.040
it's important to show that you're taking action while also explaining why it is valuable to have,

09:57.040 --> 10:02.080
you know, research shared on your platform. Even if it could potentially be used for negative

10:02.080 --> 10:09.440
purposes. This one isn't noted, but another big piece is, you know, circumvention tools,

10:09.440 --> 10:15.600
copyright. And a lot of things that could be used to circumvent copyright can also be used for

10:15.600 --> 10:22.960
really beneficial purposes. So, accessibility, archiving, journalistic purposes. So, that's another

10:22.960 --> 10:31.760
really important one. All right. So, next off. So, moderation of

10:32.080 --> 10:39.360
moderating code requires careful deliberation of the context and network effects. So,

10:39.360 --> 10:46.160
code is functional. Code that is shared openly is often widely used downstream, lots of downstream

10:46.160 --> 10:52.480
dependencies. And that means that, you know, when a platform like GitHub takes down code,

10:52.480 --> 10:58.400
we have their expectations. Like, I'm sure all of you have expectations in how our platform

10:58.480 --> 11:05.440
should behave towards developers. And so, we definitely, you know, try to have a careful

11:05.440 --> 11:10.640
deliberation of what taking down code potentially means to the community if it's, you know, something

11:10.640 --> 11:19.040
is widely used. And so, this, this, an interesting example. So, youtube-dl, any of you familiar with

11:19.040 --> 11:25.600
the youtube-dl takedown, kind of a hullabaloo. So, but it was an important hullabaloo. I'll say that.

11:25.600 --> 11:34.240
So, youtube-dl, I believe it was 2021. That might be incorrect. But so, youtube-dl was

11:34.240 --> 11:39.680
a widely used video downloading tool. I think I had used it before I even came to GitHub,

11:39.680 --> 11:47.520
it's really well-known. And so, youtube-dl, basically, we had taken it down in response to a

11:47.520 --> 11:55.200
copyright report from the RIAA, the Recording Industry Association of America, I believe.

11:55.200 --> 12:01.200
And the reason we took it down immediately is because it alleged circumvention. And so, safe harbor

12:01.200 --> 12:09.120
liability protections on platforms do not protect circumvention tools. So, we took that immediately.

12:10.000 --> 12:15.920
But it was a project that was very valuable and widely used. And because of that, there was quite

12:15.920 --> 12:23.680
a bit of community outcry. And so, we were able to work with the Electronic Frontier Foundation

12:24.320 --> 12:30.000
and, you know, some other civil society groups who were able to explain why this tool was not

12:30.000 --> 12:36.640
actually in violation of technological prevention measures. And so, yeah, this is an interesting

12:36.640 --> 12:44.320
one. So, after youtube-dl, we overhauled our review process. We added an engineer to our team.

12:44.320 --> 12:51.520
And so, circumvention claims are subject to both legal and technical review. I will say this

12:51.520 --> 12:57.760
case continues to be active. It's a bit complicated. And so, you know, we hope that things land

12:57.760 --> 13:03.600
in a positive place for developers. It also led to us establishing a developer defense fund to

13:04.800 --> 13:11.200
give money for developers who are dealing with legal cases. But yeah, it's one of those things where,

13:11.200 --> 13:16.960
you know, you want to, you know, have your platform work within the bounds of the law, but that

13:16.960 --> 13:22.880
also means that these, you know, useful items of code can be taken down and have mass and network

13:22.880 --> 13:31.760
effect. So, again, we try to have a balance. All right. So, I'll get into the more

13:31.760 --> 13:40.800
fostered-me pieces of the talk. So, as I might have mentioned before, we, we know that our

13:40.800 --> 13:45.440
community has expectations for us and expectations about how we conduct or govern our platform.

13:46.320 --> 13:54.800
And so, moderating the developer community specifically requires a lot of nuance. So, some elements

13:54.800 --> 14:01.600
of the developer community and open source norms. So, we, you know, both open source our site policies and

14:01.600 --> 14:09.200
have an open 30-day notice and comment period. We, you know, try to keep everything as, as transparent

14:09.200 --> 14:14.880
as possible. We have a transparency center. It's also a repository. We try to give away as much

14:14.880 --> 14:21.440
information as possible. And so, that's a big piece. It's trying to embody the values of the open source

14:21.440 --> 14:27.360
community and the way that we conduct things and be as open and transparent as possible. Another

14:27.360 --> 14:32.800
big component is platform moderation beyond take downs. And I think this is a piece where we really

14:32.800 --> 14:39.360
diverge from other user-generated content platforms. I'll say, you know, I've used platforms like

14:39.360 --> 14:43.920
Instagram and if something's taken down that's usually it, the, you know, appeals and reinstatement

14:43.920 --> 14:52.240
processes are not as robust as ours. But, you know, as mentioned, because code is functional, code

14:52.240 --> 14:59.200
can be widely used across, you know, different downstream dependencies. We've developed a pretty broad

14:59.200 --> 15:07.520
suite of different moderation actions that we can take. So, you know, for something that may be

15:07.520 --> 15:13.840
content that is within our terms of service and acceptable use policies, but may, say, have

15:13.840 --> 15:19.760
adult content or something like that. We encourage people to clearly label it. We can apply

15:19.760 --> 15:26.320
interstitials, which, you know, give sort of a pop-up that gives more information about a project

15:26.320 --> 15:34.480
before people use it. We also can, you know, for projects, we can, we can de-index them. We can,

15:34.560 --> 15:40.080
you know, do things that kind of change the visibility or add friction to access without taking

15:40.080 --> 15:46.800
down code that may be in use. Also, there have been some instances where maintainers or just

15:46.800 --> 15:53.920
users violate our platform's, you know, acceptable use policies, terms of use. And we also have

15:53.920 --> 15:59.840
approaches that can, you know, restrict the maintainer's use of the platform while still keeping code

15:59.920 --> 16:05.440
as widely available as possible. So, there's a lot of different approaches. Something to note

16:05.440 --> 16:10.720
that I'm not sure if people are aware of, but we, we cannot edit lines of code. There's a

16:10.720 --> 16:17.120
wide, you know, it's both technically and I would say ethically infeasible for our platform.

16:17.120 --> 16:21.920
And so that means that, you know, because we can't edit the code itself, we do have to have a

16:21.920 --> 16:28.480
lot of interaction with developers, you know, kind of work through, you know, the appeals process

16:28.480 --> 16:34.320
with maintainers. But yes, so it's, it's an important thing to have that kind of, you know,

16:34.320 --> 16:38.960
I would say robust and, you know, varied approach depending on the offense, to try to keep as much

16:38.960 --> 16:46.160
code up as possible. And yes, so finally, something that is really essential on a platform like

16:46.160 --> 16:51.840
GitHub is community content moderation. Our platform would be nothing without the efforts of volunteer

16:51.840 --> 16:57.600
maintainers working on their projects. And so the element of encouraging community content

16:57.600 --> 17:04.080
moderation is a really important piece. So, we both provide tools for maintainers to, you know,

17:04.800 --> 17:10.240
have, you know, moderate contributions in their projects, set expectations, lots of different things.

17:16.560 --> 17:22.000
Actually, here, let me go back a second. So, on the community content moderation piece,

17:22.080 --> 17:29.760
I will say that GitHub has noticed a pretty massive influx of spam on our platform. And so something

17:29.760 --> 17:36.640
we're kind of working towards is thinking about what maintainer tools we need to build out. So,

17:36.640 --> 17:41.920
once we move into the kind of Q&A portion, I'm open to your thoughts and I'll also provide information on

17:41.920 --> 17:50.160
how you can get into contact with us. All right, next up. So, this is a very recent case study,

17:50.160 --> 17:56.640
the xz backdoor incident. It's a pretty fascinating one. How many of you are familiar with xz?

17:56.640 --> 18:05.200
Okay, everyone, great. So, I'll keep the background brief. But xz is a pretty, I think that I really

18:05.200 --> 18:10.880
hope that we have as much of a reflection on it as we did after SolarWinds, because just because

18:10.880 --> 18:16.080
this was stopped before it happened, it could have been much worse. And frankly, a lot of the issues

18:16.080 --> 18:20.640
that it has raised, I think, are, you know, something that we really need to address within the

18:20.640 --> 18:27.760
community, especially on the side of industry. So, yeah, xz was an interesting case. So, it was a

18:27.760 --> 18:35.840
several-year, sophisticated social engineering approach to installing a backdoor. So, over the

18:35.840 --> 18:41.920
course of, I think, three years, say, both a user and a couple of sock puppet accounts kind of

18:41.920 --> 18:51.200
gained control and became a co-maintainer of a widely used project, xz utils. And the backdoor was

18:51.200 --> 18:57.840
discovered by, I think, an engineer completing, you know, routine maintenance. And it was something

18:57.840 --> 19:03.840
where, you know, typically, GitHub does not try to immediately take down a project. But we weren't

19:03.840 --> 19:08.720
able to get in touch with the maintainers. We didn't know who was involved. And so, this was an

19:08.800 --> 19:13.840
instance where we did use the, I would say, like, last resort approach of taking down a project.

19:14.640 --> 19:19.520
And then, as things became more clear, we were able to get in touch with the, the real maintainer,

19:19.520 --> 19:25.680
not the bad one. And so, we were able to get in touch with them. We gave, you know, them, the

19:25.680 --> 19:32.880
choice and how they wanted to approach bringing it back up. And this one, you know, I think that there's

19:32.960 --> 19:39.920
a lot of things that we need to learn from xz. So one that I think is a topic of conversation

19:39.920 --> 19:44.480
that's gaining a lot more traction is open source sustainability and our dependence on, you know,

19:44.480 --> 19:51.440
volunteer maintainers. This is a project that was so widely used, but yet it was being maintained

19:51.440 --> 19:58.080
by one maintainer. This is, you know, it just happens too often. And so, some things that

19:58.080 --> 20:03.920
GitHub specifically is doing to approach open source sustainability and, and, you know, supporting

20:03.920 --> 20:10.480
maintainers. So we have the GitHub Sponsors program. We recently announced the creation of the

20:10.480 --> 20:19.280
GitHub open source sustainability fund. And then we've also supported the, I think, the Sovereign

20:19.280 --> 20:27.120
Tech Fund through Germany's, like, their creation of funds and within the US, I'm forgetting the

20:27.120 --> 20:31.520
name of the agency, but there's also one within the US. So anyway, we, we were trying to, you know,

20:31.520 --> 20:36.960
I would say be the change and also take responsibility because, you know, the balance of responsibility

20:36.960 --> 20:41.440
when it comes to open source sustainability really should lie on players with the most resources.

20:42.240 --> 20:47.040
And, yeah, so I think, you know, there's, there's a lot of other takeaways from xz,

20:47.520 --> 20:54.320
another piece is, you know, discussing maintainer burnout, being able to offload projects effectively.

20:55.280 --> 20:59.520
And, yeah, so I think it's, it's hopefully something that just because it was averted won't be

20:59.520 --> 21:03.200
forgotten. And then we can really learn from it and move forward positively.

21:06.080 --> 21:11.040
All right, so I'm getting to that end of my talk. I'll be frank, I've, I've gone very quickly,

21:11.040 --> 21:15.840
but I hope that means that we can, you know, have some interesting time for conversation.

21:15.840 --> 21:21.040
But I'll, I'll kind of touch on some new frontiers and new issues that we're facing for content

21:21.040 --> 21:27.040
moderation. So a big one is, you know, AI, I'm sure you guys are all sick of hearing about it,

21:27.040 --> 21:33.360
everything's AI. And I am too, but it is something that is, you know, it's really transforming

21:33.360 --> 21:38.320
what it means to be a software developer. It's transforming, you know, the, the moderation approaches

21:38.320 --> 21:44.000
that we have to take because AI can also be, you know, like a, a means to have, you know, like

21:44.720 --> 21:49.600
mass, like spam campaigns and things like that. And so I think we're, it's definitely something

21:49.600 --> 21:55.600
we're experiencing. And so GitHub is interesting because we are both a provider of AI

21:55.600 --> 22:02.160
developer tools. And we're a platform that can be used to host models. And so the, the

22:02.160 --> 22:06.800
deepfake policy, I would say, is one of our first sort of moderation stances that has been specifically

22:06.800 --> 22:12.480
about AI. But it's definitely something that we're, you know, kind of participating in dialogue

22:12.560 --> 22:20.240
about. We recently participated in a Partnership on AI workshop about the value chain of AI tools,

22:20.240 --> 22:24.160
and, you know, who should take responsibility for what? Because it's, it's a lot of different

22:24.160 --> 22:32.160
players in the supply chain there. But yes, so another big thing, the question of what

22:32.160 --> 22:37.920
does AI mean for software development is kind of existential because arguably, you know, AI is

22:38.000 --> 22:43.760
already making it a lot easier to build software. And that means that there are going to be a

22:43.760 --> 22:47.840
lot more software developers in the future. And so think about a world. GitHub, I think we

22:47.840 --> 22:53.840
have 150 million developers on our platform. We have a stated goal that we want one billion

22:53.840 --> 23:01.680
on GitHub by 2030. So we'll see how that plays out. But I'm very curious to see what the, you know,

23:01.680 --> 23:08.560
the AI revolution means for, you know, developers. And so I think a concern is, you know,

23:08.560 --> 23:14.400
how will we scale moderation as our platform becomes larger, more global. And I think it's just a

23:14.400 --> 23:19.840
broader question for the open source community, you know, right now because, you know, we, we have

23:20.240 --> 23:25.600
volunteer maintainers because we have community content moderation. We've been able to scale,

23:25.600 --> 23:30.720
but it is a challenge. And I think that, you know, while our platform is more resourced, we, we,

23:30.800 --> 23:34.560
we definitely, you know, it's, it's something that will be, you know, broadly a challenge for the open source

23:34.560 --> 23:42.720
community. And so I think it's definitely a dialogue we need to have. All right. So, next up,

23:42.720 --> 23:47.840
I'll say this, there's a lot of ways that you can get in touch with us. And we really

23:47.840 --> 23:53.040
do mean it, we're a developer policy team, our focus is on the interests of developers. And so there's

23:53.040 --> 23:59.600
quite a few ways if you want to, you know, collaborate with us. If you want to share your thoughts,

23:59.680 --> 24:05.120
highlight, you know, important, you know, pieces of legislation that you're noticing and wanting

24:05.120 --> 24:09.040
to know what we're doing about it. There's quite a few different ways you can collaborate.

24:09.040 --> 24:14.960
So, first off on our site policy, so how we govern the platform itself. As I mentioned,

24:14.960 --> 24:20.560
we do have this 30-day notice and comment period for substantive site policy changes.

24:20.560 --> 24:25.680
those changes are announced on our blog posts. And so that is something that you can participate in.

24:26.560 --> 24:31.200
Beyond that, you can always comment on our site policies. And I am one of the maintainers

24:31.200 --> 24:36.240
for our site policy repo. And I do read every issue and pull request that goes into there. And

24:36.240 --> 24:42.080
a lot of people just notice typos and, you know, offer like, you know, opportunities for clarification.

24:42.080 --> 24:46.400
So, there's a lot of different ways to engage. It does, you know, like, I definitely think it's

24:46.400 --> 24:50.640
something if, if you're curious about how we govern our platform. That's an interesting place to go.

24:51.600 --> 24:57.200
We also have a developer policy repo. I would really like to, you know, use that more in our team.

24:57.200 --> 25:01.840
So, encouraging all of you, if you have thoughts, if you have ideas, research to share any

25:01.840 --> 25:07.840
cool projects related to developer policy, you can open an issue in our repo. And finally,

25:07.840 --> 25:15.840
you can email us at policy at github.com. All right. So, man, I've sped through that.

25:16.000 --> 25:21.920
but hopefully, if any of you have questions, then we can get into that. This QR code is for a

25:21.920 --> 25:28.320
paper I co-authored with members of our trust and safety and legal team at GitHub. It's, you know,

25:28.320 --> 25:34.880
more, I would say a more research and policymaker focus, you know, explanation of how we approach

25:34.880 --> 25:40.160
a moderation of a developer platform. So yeah, encourage you to read it if you're interested.

25:40.240 --> 25:45.040
And, yeah, thank you. And I would love to have questions. So, if anyone, you know, has,

25:45.040 --> 25:48.000
has questions, I would appreciate that. So, maybe, thank you.

26:10.160 --> 26:37.200
My question is, one of the big topics at our team, and we are actually curious, what is

26:37.360 --> 26:41.760
your opinion on the lifetime of a, of a branch in Git.

26:47.120 --> 26:52.640
My opinion on the lifetime of a branch in Git, I don't know if I have necessarily a great answer

26:52.640 --> 26:57.360
to that. I'll be frank, I am not a software developer. My background in the open source

26:57.360 --> 27:03.120
community is from GIS. So, I will say, I definitely think that the, the, the question of

27:03.120 --> 27:08.800
open source sustainability, how we maintain things continually and also offload them. Very important,

27:08.800 --> 27:12.400
but yeah, I, I'm sorry. I don't have a really specific answer for that. But thank you.

27:14.560 --> 27:21.680
Is this working? Oh, amazing. Thanks. First, thanks for your talk.

27:21.680 --> 27:29.680
my question's mostly towards automation, within your review or moderation process, especially since

27:29.680 --> 27:37.440
I used to be a security researcher. GitHub was big on providing IOCs, but also finding malicious

27:37.440 --> 27:43.840
packages and everything. So, how much automation do you actually use? Because you mostly talked

27:43.840 --> 27:49.120
about your team adding one engineer that sounds kind of concerning for me if there's one engineer

27:49.120 --> 27:54.320
in this team. How much do you actually invest in automating finding malicious code, finding

27:54.320 --> 28:00.640
code that should just not be on the website and how do you report on it? Then how could we

28:00.640 --> 28:06.000
as researchers find that better? Yeah, that's a great question. So, I'll also, the, the

28:06.000 --> 28:12.720
engineer added to our team was added to our policy team. And so, he was once an engineer,

28:12.720 --> 28:18.960
or once a lawyer, then became an engineer. And so, he's specifically for our, like, technological

28:19.040 --> 28:25.280
circumvention review. So, a little bit separate. I, I believe that we do use a bit of proactive

28:25.280 --> 28:30.160
moderation when it comes to security. And so, we have a pretty advanced security lab that both

28:30.160 --> 28:35.920
looks into vulnerabilities in open source itself and then also on GitHub. So, I do understand

28:35.920 --> 28:44.240
that we use proactive moderation for that. Otherwise, I believe that CSAM and,

28:44.400 --> 28:50.080
like, terrorist content are other things that we do proactive moderation for, but yeah.

28:50.080 --> 28:55.360
So, it's definitely something that we, we resource quite a bit. Our security team is,

28:55.360 --> 29:01.600
I would say, like, pretty, it's a massive focus. Like, both GitHub, Microsoft, like, security

29:01.600 --> 29:03.600
is, I would say, like one of our top priorities.

29:03.680 --> 29:14.400
Um, I would like to thank you for the talk. And for the work you do, as I'm a

29:14.400 --> 29:22.400
maintainer, I sometimes reported spam to the platform. It was really quickly handled. So,

29:22.400 --> 29:28.880
sometimes I find non-sensical commits or comments in discussions. And I find that this account

29:28.960 --> 29:36.080
is active for the past weekend. Post it to 100 triples. So, it's really, uh, easy to see once you see

29:36.080 --> 29:43.680
it once. But my question was, uh, about the point, uh, you wanted a billion developers on GitHub

29:44.480 --> 29:51.280
in a really short time frame. The statistics I saw over the past years say that there is 20 to 30

29:51.360 --> 29:58.480
million developers in the world. So, how do you scale to a billion? Does it include spam and AI

29:58.480 --> 30:06.160
or? You, so we have 20 to 30 million? Yeah. I'm not sure about that. So, we do have 150 million

30:06.160 --> 30:13.760
users in the platform, um, estimated. Um, yeah. So, I, I, I, I, I think that this scaling question is a

30:13.760 --> 30:20.240
lot about, you know, what, you know, AI tools and natural language prompts can do for creating software.

30:20.240 --> 30:23.920
And so, that's, that's, I think that's the, the big thing of the scaling is just making it

30:23.920 --> 30:29.280
so much easier to, um, you know, like, lifting the barriers. Um, though I will say, like, I do,

30:29.280 --> 30:34.160
it was necessarily a question. But as a maintainer, like, I, I just want to say, like, we are

30:34.160 --> 30:39.280
very aware of the spam issue. And it's something that we're working to resolve, or, you know,

30:39.280 --> 30:43.920
not necessarily resolve the deal with. Um, so, again, like, that that asking for feedback,

30:43.920 --> 30:49.200
like, we're really open to ideas, um, on, on that topic specifically, because it's something that

30:49.200 --> 30:53.840
we have noticed a pretty massive influx in and are, are working to resolve. So, anyway, thank

30:53.840 --> 30:54.640
you for your work.

31:10.960 --> 31:13.040
I can hear you. I can repeat your question.

32:19.920 --> 32:26.800
Okay. So, um, there were two questions. The first one was on code as speech and what we do to

32:26.800 --> 32:31.360
reflect human rights principles. So, I'll address that, and then I'll do the AI one. Um, so yeah,

32:31.360 --> 32:38.320
it's a great question. Um, so we both, um, I would say, forgetting the specific principles. But we,

32:38.320 --> 32:42.240
we're in line with both, you know, UN Human Rights principles, so the Santa Clara principles.

32:42.240 --> 32:47.440
And so that is something that informs our approach. Um, code has been defined as speech by legal

32:47.520 --> 32:52.400
precedent. And so that, that is just, you know, a component of it. Though code is speech,

32:52.400 --> 32:56.480
code is also, it's a unique thing. So, I think that is, you know, like a different approach.

32:57.520 --> 33:02.960
And so, yeah, definitely something that, um, you know, we try to take as, you know, I would say,

33:02.960 --> 33:08.240
open, um, of an approach as possible, transparent about our moderation actions. Um,

33:08.240 --> 33:14.240
another big piece of, with GitHub is that we are, what we believe is the largest US platform,

33:14.400 --> 33:18.960
globally available, including in China, which, you know, definitely creates a lot of concerns for,

33:18.960 --> 33:23.920
you know, being able to be as globally available as possible, but also working within different

33:23.920 --> 33:29.840
legal jurisdictions. So, a lot of complicated things there. Um, and then your second question was about AI,

33:29.840 --> 33:39.520
and you know, honestly, I think that's something that we really need to do more on.

33:39.760 --> 33:45.120
And so, we have been looking at how other model marketplaces are approaching AI tools.

33:45.120 --> 33:51.520
So, at the moment, we haven't issued any explicit guidelines, but we did something that we're discussing,

33:51.520 --> 33:56.000
um, not just so you don't to compete with Hugging Face or whatever, but just, you know, be clear on

33:56.000 --> 34:01.920
what's most useful. Um, but that said, I definitely think that open source is, you know, an excellent

34:01.920 --> 34:06.720
approach for being as, you know, transparent as possible. And so, I, I think that just sharing your,

34:06.720 --> 34:09.920
your code on GitHub if it's an AI tool is really helpful.

34:37.680 --> 34:51.740
Um, and

34:59.120 --> 35:03.680
uh, yeah. Thanks for the talk. And, um, took two questions.

35:03.680 --> 35:12.120
One is, what do I do if I recognize that code, which is made by my company

35:12.120 --> 35:18.360
appears in an open source project, another question which is slightly related to this

35:18.360 --> 35:26.640
dimension, this repos, where we can submit issues. So is this the place to do that? Because

35:26.640 --> 35:33.640
these are some kind of, you know, issues, what we don't really want to share, the exact details

35:33.640 --> 35:40.240
about, and these are public repos. So how do we solve this?

35:40.240 --> 35:48.760
Yeah, thank you for your question. So one thing we do encourage is that people reach out

35:48.760 --> 35:53.320
to maintainers directly. A lot of these disputes can be resolved without a platform getting

35:53.320 --> 35:59.120
involved. So I think that's the first point. You know, I don't know this specific case,

35:59.120 --> 36:03.640
what, you know, the licensing, all of that, I don't know this situation, but I would say

36:03.640 --> 36:09.800
in general, you know, interacting with people directly and explaining things is the best approach.

36:09.800 --> 36:22.240
And yeah, I don't know, what was the second part of your question? Oh, how to get in contact

36:22.240 --> 36:29.800
with this? Yeah, so definitely, I would say the developer policy repo is, you know,

36:29.800 --> 36:35.200
if you have an idea about, you know, more of the public policy world. So it can really

36:35.200 --> 36:40.360
be anything, it's not a very active repo, and I'll be honest, I read everything. So if any

36:40.360 --> 36:45.880
of you want to get in touch with our team, like it is very much like we do read it, the policy

36:45.880 --> 36:50.800
I could have email. That is a good thing for a specific questions and queries, though,

36:50.800 --> 36:55.640
if you have a trust and safety concern, I think it's probably best to, you know, do that

36:55.640 --> 37:01.040
through our platform itself. And yeah, in the site policy repo is specifically about governing

37:01.040 --> 37:17.560
our sites or platform policies. Thank you. Any last questions? All right. Well, thank you so

37:17.560 --> 37:23.080
much. You've been a great audience, and I really appreciate your engagement. And yeah,

37:23.080 --> 37:27.880
yeah, keep in touch with us. We're here at Boston because we want to meet developers and

37:27.880 --> 37:31.720
share, you know, how we govern our platform with you. So anyway, thank you.

