WEBVTT

00:00.000 --> 00:13.000
Let's start, okay. Hi everyone. Welcome to a talk you probably have never understood what

00:13.000 --> 00:17.600
it would be like before. We didn't know either. My name is Michael Winser. I run a project

00:17.600 --> 00:25.040
called Alpha-Omega, and this is my friend Mirko. Hello. If you haven't figured out, I'm

00:25.040 --> 00:30.840
the loud and talkative one. Mirko gets things quietly done behind the scenes. So we're

00:30.840 --> 00:34.040
going to start by just talking about our respective projects and how we do things. And so

00:34.040 --> 00:38.040
with that, I'm going to head off to Mirko. I was thinking you did a little bit more of an

00:38.040 --> 00:44.040
intro, but I didn't do that. No, no, I didn't. So yeah, so the idea for this talk was basically

00:44.040 --> 00:50.040
to come together to talk about how to combine the efforts like this life before actually,

00:50.040 --> 00:57.040
and to talk about how, like industry and, you know, private, you know, initiatives can,

00:57.040 --> 01:02.040
you know, combine the effort basically that thing, right? And Michael, me, we have been talking

01:02.040 --> 01:07.040
for some time now, and we thought we do this talk together to actually, you know, also invite

01:07.040 --> 01:13.040
you into our thinking here. And that's really about also the session to be able to do a little bit of

01:13.040 --> 01:17.040
instruction of the organizations and what we thought, but then we'd be really like to make this

01:17.040 --> 01:21.040
a collaborative thing so that you can also share your thoughts around things either from the

01:21.040 --> 01:26.040
private sector or from the public sector or whatever background is or whatever suggestions you

01:26.040 --> 01:32.040
might have. So I start with just quickly saying some sentences about the Sovereign Tech Agency.

01:32.040 --> 01:37.040
So my name is Mirko. I'm the head of the Sovereign Tech Fund, which is now one of the programs

01:37.040 --> 01:43.040
within the Sovereign Tech Agency. Still, yeah, the major thing, the thing that you might also

01:43.040 --> 01:49.040
know, we are taking applications, it's apply.sovereign.tech, sovereign.tech, so we have to

01:49.040 --> 01:56.040
adjust to the new website. And, but we also have other programs like the Sovereign Tech Resilience,

01:56.040 --> 02:02.040
which my colleague Tara is leading, who's also thankfully organizing a lot around this

02:02.040 --> 02:06.040
funding there from here, thanks to that as well. And then also the Sovereign Tech Fellowship,

02:06.040 --> 02:11.040
I talked a little bit briefly about the thing earlier, so that's also a very interesting

02:11.040 --> 02:18.040
program where we invest into open source maintainers directly. So there's like six people right

02:18.040 --> 02:23.040
now, we started right first of January, so I'm very, very happy that we could make this happen.

02:23.040 --> 02:29.040
There's lots of effort as you can imagine, because we have public procurement laws as we

02:29.040 --> 02:34.040
have to stick to them and then I'm very happy that we can make it. So it's like six people

02:34.040 --> 02:39.040
working with us from very different backgrounds from very different technologies and areas

02:39.040 --> 02:46.040
with one person taking care of CycloneDX, also in the room I believe. And then

02:46.040 --> 02:53.040
there's other folks from the Python ecosystem, we have a contributor to curl in there.

02:53.040 --> 02:57.040
We have people working on OpenStreetMap, so there's very different maintainers.

02:57.040 --> 03:02.040
And we want to pilot this only six people right now, but we want to make sure to learn

03:02.040 --> 03:09.040
from this experience now for both of us and for the maintainers, of course. And then to

03:09.040 --> 03:13.040
scale this in the future, also depending a little bit on our own funding

03:13.040 --> 03:19.040
situation, so we are an organization that's what I'm supposed to say, that is funded

03:19.040 --> 03:24.040
or like, you know, financed by the German Ministry of Economic Affairs and Climate

03:24.040 --> 03:32.040
Action, and we are very hopeful that this will also continue after the new, so there

03:32.040 --> 03:38.040
will be elections in Germany soon, and we hope that people also get our budget, you know,

03:38.040 --> 03:43.040
confirmed again. And yeah, on the next slide, I just wanted to do a little bit of, yeah,

03:43.040 --> 03:49.040
that's our mission statement, so we are a maintainers fund, so it's really not about, you

03:49.040 --> 03:54.040
know, innovation or AI or something like that, it's more like really the boring stuff,

03:54.040 --> 04:00.040
like maintenance of digital core infrastructure, like we used to talk about this one, like

04:00.040 --> 04:06.040
think of the log4j days and all that, that is basically only visible when it's getting

04:06.040 --> 04:11.040
to become a problem, right, those kind of things. And on the next slide, I just want to say,

04:11.040 --> 04:16.040
we are growing, we are hiring, we have a jobs page out, so if you want to go there,

04:16.040 --> 04:22.040
you get paid to work on this problem. Yeah, you get up with me, and not all colleagues

04:22.040 --> 04:27.040
of course, and yeah, I just have a look, I just want to say, this is still running until

04:27.040 --> 04:32.040
next Thursday, like on February 6th, we are closing the application for this cycle, so if you

04:32.040 --> 04:37.040
want to have a job and open source, please apply, and then I'm handing over to Michael

04:37.040 --> 04:41.040
for my family. Okay. Excellent.

04:42.040 --> 04:46.040
All right, so I'm Michael Winser. I run this project called Alpha-Omega. I co-founded it

04:46.040 --> 04:52.040
in 2021, 2022, when I worked at Google with a colleague of mine named Michael Scovetta who

04:52.040 --> 04:58.040
is at Microsoft, and if you read their mission, you look at our mission, it's an awful

04:58.040 --> 05:06.040
lot of overlap. We are very focused on security. Security outcomes in open source, and essentially

05:06.040 --> 05:12.040
helping solve the decades-long, like 60 years of technical debt in open source security,

05:12.040 --> 05:16.040
because people have been focused on other things, and now we have to fix all the problems.

05:16.040 --> 05:22.040
And it's a hard problem. The way we think about Alpha-Omega, when we first started, we were thinking

05:22.040 --> 05:27.040
about Alpha representing the top 100 most critical projects, and then Omega was the long

05:27.040 --> 05:33.040
tail. It turns out there is no interesting top 100. There's an awful lot of very important

05:33.040 --> 05:38.040
projects, and Alpha has come to represent points of leverage, where we can go and work on areas.

05:38.040 --> 05:42.040
By the way, don't take pictures. I have a QR code at the end with the entire deck available

05:42.040 --> 05:48.040
for you to save your time. You're running out of pixels, otherwise. Film pixels isn't there?

05:48.040 --> 05:55.040
So we now focus on points of leverage, where we can with relatively tactical, small investments

05:55.040 --> 06:02.040
or not small, cause entire ecosystems to change their priorities, to start doing work, to improve

06:02.040 --> 06:07.040
doing and benefit hundreds or thousands or even millions of developers. There are people in this room

06:07.040 --> 06:12.040
who are doing work at our behest, and by that I mean, be there, do something, and that's

06:12.040 --> 06:17.040
really one of the key things. The scale part is still as hard. We have tried a variety of

06:17.040 --> 06:22.040
efforts on how do we solve improving security on the hundreds of thousands or millions of

06:22.040 --> 06:27.040
projects, some of which are no longer maintained, and yet still actively used.

06:27.040 --> 06:32.040
How do we fix that? And we've tried and learned a lot of things.

06:32.040 --> 06:38.040
We, I should have mentioned before, we are funded today by Microsoft, Amazon and Google.

06:38.040 --> 06:42.040
I know in this climate, this is a different set of audiences like that, but they are very committed

06:42.040 --> 06:47.040
to putting this money into the space. The total funding so far has been eight or nine million

06:47.040 --> 06:53.040
dollars with another few more coming in this year, and we have a four-prong strategy.

06:53.040 --> 06:59.040
So, a significant amount of our investment goes towards making it someone's job to solve

06:59.040 --> 07:05.040
the security problem in a particular ecosystem. Mike, raise your hand. This is Mike.

07:05.040 --> 07:13.040
Mike is working on securing PyPI among other things.

07:13.040 --> 07:18.040
The package managers are the app stores of software development. They represent points of policy,

07:18.040 --> 07:25.040
points of trust, points of choke points where we can introduce new behaviors, and Mike has been

07:25.040 --> 07:29.040
doing outstanding work towards that, and he has a colleague named Seth Larson, who has been operating

07:29.040 --> 07:34.040
across the entire Python ecosystem and influencing beyond that. And so we've already seen

07:34.040 --> 07:37.040
tremendous success with that, and we're going to keep doing that kind of work. It's expensive.

07:37.040 --> 07:41.040
These people want to get paid. They want to have a life. They want to travel to expensive events.

07:41.040 --> 07:47.040
It's crazy. The package repos remain very interesting points of leverage for

07:47.040 --> 07:51.040
us, and so we also invest in direct,

07:51.040 --> 07:56.040
it's contract work or a project to go off and make tactical improvements. One of my favorite examples is a

07:56.040 --> 08:01.040
project called Homebrew. Everybody here uses it. Well, I think it just went live.

08:01.040 --> 08:04.040
It's been in beta for about six months.

08:04.040 --> 08:09.040
Homebrew now has end-to-end attestations with Sigstore, so that the bits coming from the source

08:09.040 --> 08:13.040
repo all the way to the binary on your workstation or more importantly on your GitHub

08:13.040 --> 08:20.040
actions build environment are fully checked and signed the whole way. So no tampering can happen with those bits along the way.

08:20.040 --> 08:24.040
That's huge. It means everybody using Homebrew now has a more secure toolchain,

08:24.040 --> 08:29.040
which means we can start to make assertions about the validity of something coming out of that toolchain.

08:29.040 --> 08:36.040
If you haven't read Ken Thompson's article on trusting trust, please go do so, and then you'll stop sleeping for a long time.

08:37.040 --> 08:40.040
I kind of really see this as actually where we start most of the time.

08:40.040 --> 08:46.040
It is amazing how much everybody learns when you start by doing an audit.

08:46.040 --> 08:50.040
When a group comes to us and says, we need improvements in our security. Give us money.

08:50.040 --> 08:52.040
You'd be like, when was the last time you did an audit?

08:52.040 --> 08:56.040
We don't need an audit. Great. Yes, you do.

08:56.040 --> 09:00.040
And how ready they are to take on an audit is very compelling and interesting.

09:00.040 --> 09:03.040
What happens when they do the audit? How they respond to the audit?

09:03.040 --> 09:07.040
How that problem changes? And do they become more secure focused?

09:07.040 --> 09:11.040
Do they stop having the same problems or in fact, is it just lather, rinse, repeat?

09:11.040 --> 09:14.040
See you in 18 months with a bunch of the same bugs showing up.

09:14.040 --> 09:22.040
Audits are cost effective, have longitudinal effects, and have significant impact on the particular ecosystem that is being audited.

09:22.040 --> 09:27.040
And then finally, because none of us know a damn thing about what we're doing in this space.

09:27.040 --> 09:30.040
It is all new. People are still making things up every day.

09:30.040 --> 09:35.040
A certain chunk of our resources is going towards just things we don't know if they're going to work or not.

09:35.040 --> 09:40.040
Experiments, innovation, just stuff that seems like a worthwhile try.

09:40.040 --> 09:46.040
So with that, we're here today to talk about what we've been doing together.

09:46.040 --> 09:51.040
The lessons and learnings that we have had and the conversations we have and how we're looking at working together.

09:51.040 --> 09:55.040
We come from very different sort of funding entities.

09:55.040 --> 10:03.040
Our operational model is quite different. You know, you're looking now at the entire funding, sort of fund application process for Alpha-Omega.

10:03.040 --> 10:05.040
You talk to me.

10:05.040 --> 10:10.040
I work with you. I collaborate on something. I tell you straight up if it's bullshit or I tell you straight up if I want to make this work.

10:10.040 --> 10:14.040
And sometimes I come talk to you and say, I want to fund your work and they're like, who will help you?

10:14.040 --> 10:16.040
It's different.

10:16.040 --> 10:22.040
But at the end of the day, we talk a lot now about the things that work, the things that don't work, what we want to do or whatever.

10:22.040 --> 10:28.040
And so we thought we'd take some time right now just to share some of the things that have been very interesting to us.

10:28.040 --> 10:30.040
I talked about audits.

10:30.040 --> 10:32.040
That's a big deal.

10:32.040 --> 10:35.040
One of the key things for me and I'll just to kick this off.

10:35.040 --> 10:38.040
There are no small dependencies.

10:38.040 --> 10:41.040
You know, the old joke that there are no small parts in theater, only small actors.

10:41.040 --> 10:43.040
There are no small dependencies.

10:43.040 --> 10:51.040
Every dependency in your entire graph, the full transitive set, has total access to your build environment and total access to your runtime environment.

10:51.040 --> 11:02.040
So the least interesting, least effective, small little string parser thing somewhere down there, right, is now a really juicy point of attack into some application's infrastructure.

11:02.040 --> 11:06.040
And we have a very poor handling of that.

11:06.040 --> 11:09.040
That's sort of one of the lessons from the xz incident.

11:09.040 --> 11:15.040
We did an audit with the Airflow project where we didn't audit their code.

11:15.040 --> 11:19.040
We audited all 719 dependencies.

11:19.040 --> 11:21.040
And we didn't audit their code.

11:21.040 --> 11:23.040
We audited their security posture.

11:23.040 --> 11:25.040
It was awesome.

11:25.040 --> 11:27.040
We learned a lot.

11:27.040 --> 11:29.040
We didn't finish the audit, it was too many.

11:29.040 --> 11:32.040
We're developing tools to get there.

11:32.040 --> 11:35.040
But it's changed our approach to scale.

11:35.040 --> 11:40.040
Our original approach to scale, we were trying to automate techniques, automatically filing bugs and automatically filing remediation.

11:40.040 --> 11:41.040
We've all seen those bots.

11:41.040 --> 11:43.040
It's not a great story.

11:43.040 --> 11:46.040
And then the teams came back, like, we went out and did all this stuff.

11:46.040 --> 11:47.040
Look at what the work we did.

11:47.040 --> 11:55.040
It was like going out to the Pacific garbage patch and coming back with a boat full of plastic saying, look, and nobody gives a shit.

11:55.040 --> 12:01.040
But now we can talk about Airflow as a beach that has been cleaned by its community.

12:01.040 --> 12:06.040
And by virtue of spending a relatively small amount of money, auditing that supply chain,

12:06.040 --> 12:10.040
I've actually caused the entire Airflow engineering culture and community,

12:10.040 --> 12:19.040
60 engineers, probably, to prioritize security work and more importantly, to prioritize the care and feeding of their supply chain.

12:19.040 --> 12:25.040
And so here's the conclusion of that lesson that I'm going to give Mirko a chance to talk.

12:25.040 --> 12:27.040
Open source projects.

12:27.040 --> 12:33.040
love to complain about how the corporations above them are consuming their source code for free and not giving them anything in exchange.

12:33.040 --> 12:34.040
It's true.

12:34.040 --> 12:35.040
A lot of it happens.

12:35.040 --> 12:44.040
Open source projects are just as bad as their corporate complainers in that they consume their upstream supply without even talking to them.

12:44.040 --> 12:51.040
People like WireGuard and OpenSSH are using xz utils and they didn't have a single point of contact.

12:51.040 --> 12:58.040
If you work in a company and you have a vendor and you don't know who the vendor is, it's a bad story and yet we all do the same thing.

12:58.040 --> 13:00.040
And so there's a simple model.

13:00.040 --> 13:07.040
You have to apply one of the three F's to your supply chain. You either fix it, you fork it, or you forget about it.

13:07.040 --> 13:13.040
Thank you.

13:13.040 --> 13:15.040
Thanks, Michael, on point.

13:15.040 --> 13:25.040
I think what we've learned, I talked a little bit about the Fellowship Program last year that was a big learning for me obviously because we had so many like insights with the survey that we did.

13:25.040 --> 13:32.040
And that's really also really helping Adriana, so there should speak louder.

13:32.040 --> 13:41.040
Yeah, that was really a big learning class because that is kind of the window into the community as well when you really start working with Fellowship.

13:41.040 --> 13:54.040
Or like with the community, especially when they started the collaboration for me, I mean it started only like in January, but I have so many insights now from working with those people directly that is really something that I can feel is very

13:54.040 --> 14:07.040
you know beneficial for the whole ecosystem that we really start working with open source maintainers directly, not just funding them, but getting into the collaboration and asking the interesting questions.

14:07.040 --> 14:22.040
Like what is your current, you know, what you're thinking about, what's top of mind for you currently and just get into that conversation and learn about the different needs that people might have and that's really interesting for me because I said it earlier as well.

14:22.040 --> 14:41.040
I think there is no one silver bullet. I think the ecosystem is very diverse and very different, so money might help here and there, and that's also what we are doing and Alpha-Omega is also doing, but there might be also other instruments that we need to take care of, and that's only when you have the conversation with those open source maintainers directly.

14:41.040 --> 14:58.040
So like what we also learn every day, or like every month, is we are financing projects but then in the end we request the final report, and that report for us has like five very easy questions, and it's like something like, yeah, what does it change for you.

14:58.040 --> 15:25.040
But what has changed for you throughout the investment by the agency, for instance, and there's lots of things where people are just sharing their learnings, and that's also learning for us from them, right. So when we have one project sitting here in the room who said like, you know what, if you wouldn't have, you know, invested in us, then we probably would be in a different situation right now, because you were kind of a life saver for us, right, and that's interesting because at some point

15:25.040 --> 15:41.040
you want to improve projects, or when we have projects that are already at a good stage we want to make sure that they really maintain their maturity, but at some point we also want to help people to get out of the trouble that they're currently in, so that's...

15:41.040 --> 15:56.040
So that's a lot of like learnings that we have throughout our work, but then again what's also interesting for me, because I have this industry background as well, so I'm not an open source maintainer, I'm just a consumer.

15:56.040 --> 16:14.040
A consumer all my life, right, and then for the industry I also know that they are also consumers, and I want to get into the conversation to really leverage the potential that we have there in order to get more people into really contributing to the funding of open source, but also developing together new instruments, and that's why we are here, we want to talk about that.

16:14.040 --> 16:35.040
And we're like collaborations and about like what can we do together but not only to just you know at to each other but maybe also use a little bit of a scaling thing there right where we maybe identify things where we can really make a difference together by identifying I don't know gaps that we wouldn't have seen each of each other but maybe also like.

16:36.040 --> 16:42.040
So there were so many things you said they were great one of the which is like asking people to write what they did.

16:42.040 --> 16:51.040
Amazing effect when we ask, like the PSF, anybody who does a grant with us, we ask them to put a monthly report together on GitHub.

16:51.040 --> 16:58.040
We want a blog post at the beginning and a blog post at the end, and then we do an annual report, and there'll be a link to our annual report, and it's amazing reading.

16:59.040 --> 17:09.040
The PSF started doing this monthly report to us and they're like well this is pretty good stuff we're writing down and they started sharing it internally in the Python software foundation organization and then brought it to the Python ecosystem.

17:09.040 --> 17:13.040
And of course it had a great effect, it created this wake that people were following.

17:13.040 --> 17:18.040
And one of the reasons that we are now spending more more time talking is that.

17:18.040 --> 17:27.040
We see these fascinating sort of like I don't know how to describe it knock on effects or cascading effects of our investments and our work together and independently.

17:27.040 --> 17:37.040
So when we fund staffing, we really hope that the organizations that we've funded find a way to make those roles permanent and staffed as part of their budget.

17:37.040 --> 17:39.040
In practice that has been very hard.

17:39.040 --> 17:44.040
But what has happened is a lot of energy has flowed behind those people.

17:44.040 --> 17:50.040
And so as long as that thin edge of the wedge is driving more investment around that it's really powerful.

17:50.040 --> 17:59.040
And you know one of the things that we're going to try to do this year is do some audits or some things put us together and we're going to ask for.

17:59.040 --> 18:05.040
Other organizations corporations to come along even with a little bit of money or a little bit of engineering resources.

18:05.040 --> 18:10.040
And that sort of brings me to like you know people often talk about funding.

18:10.040 --> 18:11.040
All right.

18:11.040 --> 18:20.040
If you look at the most healthy open source projects today, the ones that are just vibrant and growing, they are resourced, not funded.

18:20.040 --> 18:28.040
And the more you can connect your project to an entity that has resources which means they have some path to money or they have some.

18:28.040 --> 18:31.040
Resourcing staffing of some kind.

18:31.040 --> 18:36.040
The more you can connect that work to their needs in their agenda, the easier it is for you to go to market and succeed.

18:36.040 --> 18:43.040
And you know, Airflow is an open source project, widely used but also widely monetized.

18:43.040 --> 18:48.040
And so the engineering companies that are operating as a hosted service have engineers very close to revenue.

18:48.040 --> 18:53.040
It's very easy for those engineers to be put on to Airflow, to accept the governance of the project.

18:53.040 --> 18:54.040
It is a well-governed project.

18:54.040 --> 18:55.040
It's Apache.

18:55.040 --> 18:58.040
No one company has control so it has all the good things.

18:58.040 --> 19:01.040
And it has a lot of engineering resources that are now trickling down.

19:02.040 --> 19:05.040
And that pattern is really interesting to me.

19:05.040 --> 19:10.040
And I think that it sort of reflects, sort of going back to the xz details of this problem.

19:10.040 --> 19:11.040
And I'd love your thoughts here.

19:11.040 --> 19:16.040
There's an inequality of resourcing across our ecosystem.

19:16.040 --> 19:19.040
We have projects that are very well funded.

19:19.040 --> 19:21.040
Corporations that are well funded.

19:21.040 --> 19:26.040
And we have lots of smaller projects that represent tremendous risk that are not well funded.

19:26.040 --> 19:31.040
And we need to find a way to percolate those resources and to reduce that inequality.

19:31.040 --> 19:36.040
I just want to go over to you then again.

19:36.040 --> 19:39.040
But one thing that might be interesting to point out again.

19:39.040 --> 19:42.040
But I just realized today is that also our black booking model,

19:42.040 --> 19:43.040
Michael, it's a little bit different.

19:43.040 --> 19:45.040
You are very hands-on on the things you are doing.

19:45.040 --> 19:46.040
You are there.

19:46.040 --> 19:49.040
You talk about yourself or the better end in the industry.

19:49.040 --> 19:53.040
You have those 40 years of experience and being very technical as well.

19:53.040 --> 19:54.040
Being hands-on on the projects.

19:54.040 --> 19:57.040
Whereas we are a little bit more hands-off than that we got.

19:57.040 --> 20:03.040
We are putting a lot of trust into the communities and technologies we are working with.

20:03.040 --> 20:04.040
So that's a little bit different.

20:04.040 --> 20:06.040
But still there's overlap on the things we are doing.

20:06.040 --> 20:10.040
So one example that we might just briefly talk about is Eclipse where we,

20:10.040 --> 20:15.040
from our perspective, that's just a collaboration by surprise.

20:15.040 --> 20:20.040
It's just like we are doing the same investing in the same organization.

20:20.040 --> 20:23.040
It's a different goal behind it.

20:23.040 --> 20:26.040
But with the same objectives maybe.

20:26.040 --> 20:28.040
I think it's a great example.

20:28.040 --> 20:33.040
The Eclipse Foundation is one of the best run open source governance projects there are.

20:33.040 --> 20:34.040
It's really well run.

20:34.040 --> 20:37.040
It's very professional, very competent.

20:37.040 --> 20:40.040
And it was interesting to us because it is a very diverse set of projects.

20:40.040 --> 20:42.040
It's not a Python ecosystem or a Ruby one.

20:42.040 --> 20:48.040
It is a bunch of projects that have a variety of the same inequalities across those projects

20:48.040 --> 20:49.040
that are there too.

20:49.040 --> 20:56.040
And we are staffing a security team in that organization to drive cross-foundation security infrastructure

20:56.040 --> 20:59.040
and practices, vulnerability management and so forth.

20:59.040 --> 21:03.040
If you haven't seen Marta's talks on vulnerability management, I encourage you to do so.

21:03.040 --> 21:05.040
She's amazing.

21:05.040 --> 21:10.040
And we were very interested in, you know, the work that we did, the funding that we produced

21:10.040 --> 21:15.040
and the team that was in there, ultimately put them in a position to go to the EU

21:15.040 --> 21:21.040
and to put themselves in a sort of leadership position with respect to the CRA and drive significant changes.

21:21.040 --> 21:27.040
We were part of that conversation, and that I think empowered them to go and ask for resources and get them both

21:27.040 --> 21:35.040
from the EU and the STA towards, you know, the ORC and other entities that are trying to

21:35.040 --> 21:43.040
essentially solve this non-trivial problem of how do we do open source in an increasingly sort of regulated context.

21:44.040 --> 21:47.040
And so it all comes back to the end of the day.

21:47.040 --> 21:53.040
If you make it someone's job, humans, if you make it their job to worry about a problem,

21:53.040 --> 21:55.040
good things are going to happen.

21:55.040 --> 21:57.040
So should we start taking some questions?

21:57.040 --> 21:58.040
Okay, we're going to do that.

21:58.040 --> 21:59.040
So we're going to take questions.

21:59.040 --> 22:02.040
This gentleman here has had his hand virtually up since the beginning of the talk,

22:02.040 --> 22:03.040
wanted to say something.

22:03.040 --> 22:04.040
So go for it.

22:04.040 --> 22:05.040
Thank you.

22:05.040 --> 22:09.040
I want to first of all, I want to say thank you for dropping a seat with culture.

22:09.040 --> 22:10.040
Yes.

22:10.040 --> 22:16.040
Culture, especially in regards to audits, and rather removing the fear and embracing it,

22:16.040 --> 22:20.040
it has actually been a wonderful feedback loop, I think that's essential.

22:20.040 --> 22:26.040
So I wanted to ask both of you what element of culture impacts of open source communities,

22:26.040 --> 22:29.040
impacts elements such as maintenance.

22:29.040 --> 22:34.040
So because independent of size of user base of open source projects,

22:34.040 --> 22:39.040
to me, the culture of each project is just so essential to its future,

22:39.040 --> 22:46.040
sustainability, its future use patterns, user types, et cetera.

22:46.040 --> 22:48.040
Could you repeat the question part of that?

22:48.040 --> 22:49.040
Sorry, what?

22:49.040 --> 22:58.040
What is your opinion on the relationship between culture and what it processes that it's

22:59.040 --> 23:01.040
that it's exposed dependent on?

23:01.040 --> 23:02.040
Fair enough.

23:13.040 --> 23:18.040
So repeating the question as concise as I can, what is sort of the relationship between the culture of an organization

23:18.040 --> 23:21.040
and the audits that happen in that organization?

23:21.040 --> 23:23.040
You should start.

23:23.040 --> 23:24.040
I'm going to make up a bit.

23:24.040 --> 23:26.040
Thank you so much, Mark.

23:27.040 --> 23:30.040
No, I think for us, we have a very holistic approach,

23:30.040 --> 23:31.040
as you talk about agencies.

23:31.040 --> 23:35.040
That might be also different because our format is very, very much focused on security.

23:35.040 --> 23:41.040
And that's also for us, a very, very interesting and important objective and outcome.

23:41.040 --> 23:44.040
But we look at the whole thing a little bit more holistically.

23:44.040 --> 23:47.040
And you know, well maintained code, happy maintainers,

23:47.040 --> 23:53.040
from my perspective automatically lead to a better security posture.

23:53.040 --> 23:54.040
That's what we're doing.

23:54.040 --> 23:57.040
And then we're not only investing in audits,

23:57.040 --> 23:59.040
but we're also investing in community management, for instance.

23:59.040 --> 24:03.040
And in things where we pay people to get into, you know,

24:03.040 --> 24:06.040
work with their communities and, you know,

24:06.040 --> 24:11.040
bring new more diverse collaborators on board and all that stuff.

24:11.040 --> 24:13.040
So that's also important for us.

24:13.040 --> 24:16.040
Which gave me time to think of a good answer as well.

24:16.040 --> 24:20.040
No, I think it really depends on that community,

24:20.040 --> 24:22.040
but also the state of the project and where they are.

24:22.040 --> 24:26.040
And one of the hardest problems today is that on the smaller projects,

24:26.040 --> 24:29.040
an audit is an overwhelming thought in the first place.

24:29.040 --> 24:34.040
And the first response is, you do an audit and you're going to find all kinds of problems.

24:34.040 --> 24:36.040
I don't have any time.

24:36.040 --> 24:39.040
And one of the lessons we've learned is that if you've got people who are working,

24:39.040 --> 24:40.040
and you talked about this in another context,

24:40.040 --> 24:43.040
nights and weekends, to do this work,

24:43.040 --> 24:47.040
you can't pay them to have more nights and weekends.

24:48.040 --> 24:52.040
And so even when we've talked about coordinating security workshops,

24:52.040 --> 24:55.040
to help them do basic hygiene of their repo,

24:55.040 --> 24:57.040
and they just see it as more work.

24:57.040 --> 25:01.040
Now the cultural problem there, if I may be a little bit sort of paternalistic,

25:01.040 --> 25:05.040
right, is that they're focused on growth goals

25:05.040 --> 25:07.040
or contain sustainability of their popularity,

25:07.040 --> 25:10.040
their project, everybody's essentially competing for attention

25:10.040 --> 25:12.040
or resources in some way.

25:12.040 --> 25:15.040
It's the world we live in for better and for worse.

25:15.040 --> 25:21.040
And so in that world, security tends to take a second,

25:21.040 --> 25:25.040
sort of footing compared to growth and other success metrics,

25:25.040 --> 25:30.040
things like the CRA are intentionally creating pressure on that dynamic.

25:30.040 --> 25:33.040
And it's not easy and it's going to be messy.

25:33.040 --> 25:38.040
There are projects that probably need to work on an end of life strategy.

25:38.040 --> 25:43.040
And that's, by the way, super hard because it's all very well for someone to say,

25:43.040 --> 25:47.040
I'm done. There's a bunch of downstream consequences of that.

25:47.040 --> 25:49.040
But also if you're looking somewhere up here,

25:49.040 --> 25:52.040
you're like, I want to get rid of this thing here because it's dead,

25:52.040 --> 25:54.040
but it's 16 layers between you and that.

25:54.040 --> 25:57.040
You can't go and get rid of that. You have a long list of problems.

25:57.040 --> 25:59.040
We're being pressed for time and we're spending so much time on questions.

25:59.040 --> 26:02.040
of questions. So that gentleman there is next on my list. Sorry, sir.

26:02.040 --> 26:08.040
It's Christmas. You said talk to me and we'd have a conversation.

26:08.040 --> 26:15.040
I tried and think of a make-up site doesn't.

26:15.040 --> 26:20.040
There's a form. I filled it in, didn't hear anything back.

26:20.040 --> 26:25.040
So maybe I did something wrong. There's no other contact information.

26:25.040 --> 26:28.040
So the question was, how do I apply it out for a make-up?

26:28.040 --> 26:31.040
And there's a form. And you fill it in and maybe you didn't get a response back.

26:31.040 --> 26:36.040
I will admit that since you're talking to the entire operations team of the Alpha-Omega process,

26:36.040 --> 26:40.040
that it's almost certainly my fault. In practice,

26:40.040 --> 26:48.040
we are, we benefit from a very short cycle of attention and focus and decision-making.

26:48.040 --> 26:50.040
And occasionally things fall through the cracks.

26:50.040 --> 26:54.040
And knock again on the door. I'll be outside after this talk.

26:54.040 --> 26:58.040
But we also, we make decisions quickly in terms of not even worth our time.

26:58.040 --> 27:00.040
And I'm not saying that's the case. If you have no idea which one you are,

27:00.040 --> 27:04.040
but we are very clear and crisp and what we're able to do.

27:04.040 --> 27:08.040
Because we are that way we can do things in ways that I think my colleague here

27:08.040 --> 27:11.040
would sometimes envy, but I also envy his process as well.

27:11.040 --> 27:14.040
And I'd love to have a government funding me one day that would be great.

27:14.040 --> 27:19.040
So we're going to take one more question from this gentleman here and then we'll probably run

27:19.040 --> 27:22.040
out of time and kick them out. Oh, he's in charge of the room, so he can take one.

27:22.040 --> 27:26.040
But the other is the solution, the solution about that you talk to each other on a regular basis.

27:26.040 --> 27:30.040
And my question here is, did you identify things where it's okay?

27:30.040 --> 27:40.040
You look like you do that, but it's impossible for both of you, like organizations to actually go in there.

27:40.040 --> 27:44.040
And you know, is there something that would tell you, like, we need to put,

27:44.040 --> 27:50.040
you get these or these partners on the board to do certain other things that you can do now.

27:51.040 --> 27:57.040
So we focus, the question was, is there anything in our, like, things that we discussed,

27:57.040 --> 28:01.040
which could be possible that are not possible right away?

28:01.040 --> 28:05.040
And then we focus very much on the things that might be possible in the future.

28:05.040 --> 28:09.040
One thing that is discussed is security audits, for instance, to, you know,

28:09.040 --> 28:14.040
to some match, jointly fund them matching together and helping, you know,

28:14.040 --> 28:16.040
leveraging the thing.

28:16.040 --> 28:19.040
Positive or other partners as well in that field. That was one thing.

28:19.040 --> 28:23.040
And then on the other hand, like, Alpha-Omega has some experience around, like,

28:23.040 --> 28:27.040
funding folks like Mike over here, or like Cecil Austin, and we are also doing, you know,

28:27.040 --> 28:30.040
this fellowship program, we will also fund folks directly.

28:30.040 --> 28:34.040
And then there was a conversation around how can we combine things to do something together,

28:34.040 --> 28:37.040
and that field as well. So we are more focusing on the things that might be possible,

28:37.040 --> 28:40.040
but still it's in the early stages of this collaboration.

28:40.040 --> 28:43.040
And we're, yeah, just in the beginning.

28:44.040 --> 28:46.040
Should we do one more? Yeah, one more.

28:46.040 --> 28:53.040
So a lot of the success of a project depends on how good their business is.

28:53.040 --> 28:58.040
How much do you spend time with these funded projects in helping improve their business?

28:58.040 --> 29:02.040
So they are, you know, not depending on external funding,

29:02.040 --> 29:05.040
because sometimes you need extra funding to manage a funding.

29:05.040 --> 29:07.040
So.

29:07.040 --> 29:08.040
How do you help?

29:08.040 --> 29:09.040
I love this question.

29:09.040 --> 29:13.040
I can quickly answer because there's one gentleman in the room where we had exactly this conversation,

29:13.040 --> 29:15.040
and we discussed this.

29:15.040 --> 29:21.040
And one thing that we are, that we've done for the first time is kind of a business model workshop kind of thing,

29:21.040 --> 29:26.040
where we try to sit down with the open source project and identify things that might be, you know,

29:26.040 --> 29:30.040
making them possible to monetize the thing in the future,

29:30.040 --> 29:34.040
which is only a tiny little thing to organize such a workshop,

29:34.040 --> 29:37.040
but we are at the start of this one as well.

29:38.040 --> 29:40.040
So I have two answers.

29:40.040 --> 29:42.040
One is when we do work with a project,

29:42.040 --> 29:45.040
especially if it's sort of a build a thing that does a thing.

29:45.040 --> 29:49.040
Like, you know, the Homebrew work, we funded Trail of Bits to do the engineering work,

29:49.040 --> 29:53.040
but the, you know, I was like, well, who's going to own this at the end of the day?

29:53.040 --> 29:57.040
And obviously it was the Homebrew collective that is doing it.

29:57.040 --> 30:01.040
And so although the proposal came from William at Trail of Bits, he's amazing.

30:01.040 --> 30:04.040
I sat down with Mike from Homebrew and said,

30:05.040 --> 30:07.040
I'd rather fund you and then have you own this and he's like,

30:07.040 --> 30:08.040
no, don't fund me.

30:08.040 --> 30:09.040
My collective is a nightmare.

30:09.040 --> 30:10.040
I don't want to deal with that.

30:10.040 --> 30:12.040
I shouldn't have said that.

30:12.040 --> 30:15.040
Yeah, he didn't really say that, but he wanted to go direct to them,

30:15.040 --> 30:17.040
walking it back.

30:17.040 --> 30:19.040
We still recorded.

30:19.040 --> 30:20.040
Oh gosh.

30:23.040 --> 30:24.040
What am I going to do?

30:24.040 --> 30:28.040
So, but I made it very clear to Mike,

30:28.040 --> 30:30.040
you have to own the code afterwards, right?

30:30.040 --> 30:33.040
Because one of the, and we talked about this one of the previous sessions,

30:33.040 --> 30:37.040
one and done funding creates another interesting set of problems, right?

30:37.040 --> 30:41.040
We actually keep funds in reserve for our staffing things,

30:41.040 --> 30:46.040
so that if I don't play the opex politics well with Microsoft, Amazon and Google,

30:46.040 --> 30:49.040
that I have, hopefully, around a year's worth in reserve,

30:49.040 --> 30:53.040
so that I don't pull the rug out because the worst thing you could do is hire somebody to work on security

30:53.040 --> 30:55.040
and then take them away, right?

30:55.040 --> 30:59.040
So, but that sustainability of a project really matters.

30:59.040 --> 31:02.040
And one of the conversations that I was having with Mike earlier today is,

31:02.040 --> 31:07.040
notably, some of our critical open source infrastructure has a revenue stream based on

31:07.040 --> 31:13.040
descending growth, descending donations, and has a transactional operational cost

31:13.040 --> 31:15.040
and security needs that look like this.

31:15.040 --> 31:20.040
And so, rethinking the economics of those systems is part of what I do.

31:20.040 --> 31:25.040
We're being given the times up signal, which seems, you want to add something to this, right?

31:25.040 --> 31:29.040
Yeah, so to the level down, and we have, we're trying to engage with it.

31:29.040 --> 31:34.040
Just on one aspect, because we talked about funding and resources,

31:34.040 --> 31:39.040
and just to make it very clear that with the Sovereign Tech Agency we're trying to

31:39.040 --> 31:44.040
make governments realize that people who work for an open source project,

31:44.040 --> 31:48.040
oftentimes maintain infrastructure that is a public service,

31:48.040 --> 31:51.040
but we're not paying with the public money for it.

31:52.040 --> 31:55.040
So, we don't understand ourselves as, like, funders,

31:55.040 --> 32:00.040
but we want to build a new kind of organization that pays for something that's

32:00.040 --> 32:04.040
required to rely on, as of right?

32:04.040 --> 32:06.040
Because it's not a bit of a roller over it,

32:06.040 --> 32:08.040
and it's not a nice to have this foundation.

32:08.040 --> 32:13.040
So, I think when we talk about funding and flexibility, we need to put that

32:13.040 --> 32:18.040
into the mix, because that's a missing part in it.

32:18.040 --> 32:23.040
Very much agreed.

32:23.040 --> 32:27.040
So, I'll painfully summarize that for the stream.

32:27.040 --> 32:31.040
People maintaining critical open source are public good infrastructure

32:31.040 --> 32:35.040
and need to be supported by public infrastructure resources.

32:35.040 --> 32:39.040
With that, I think, thank you, Mirko, for your time today and here as well as that.

