Zen. Or, the art of open-source maintenance

Today: the debate over compensating open-source maintainers takes on a new challenge thanks to supply chain security regulations, Microsoft promises customers its AI products will be totes legal, and this week in enterprise moves.

Zen. Or, the art of open-source maintenance
Photo by Mufid Majnun / Unsplash

Hello and welcome to Runtime! Today: the debate over compensating open-source maintainers takes on a new challenge thanks to supply chain security regulations, Microsoft promises customers its AI products will be totes legal, and this week in enterprise moves.


Don't give me that do-goody-good bullshit

The open-source software movement unleashed a torrent of innovation and economic activity by creating free, reusable building blocks for the internet infrastructure that runs the world's economy. More than two decades later, the maintenance bill for those projects is coming due.

Maintaining an open-source project is an extremely important and underappreciated job, the kind of work people take for granted until something goes wrong, and there are increasing calls to compensate maintainers directly for their efforts. Countless open-source projects have been used to build software, some of which are maintained by foundations with nine-figure annual budgets and some of which are maintained by one or two people in their spare time.

  • "This is perhaps the most valuable supply chain in the world that's ever been built," said Luis Villa, co-founder and general counsel of Tidelift, during Tidelift’s Upstream conference Wednesday.
  • The problem is open-source developers and maintainers didn't necessarily set out to become "suppliers," which implies an ongoing commitment to those projects that they simply might not have the time or interest in doing.
  • But the idea of paying open-source maintainers does not sit well with everyone, because it can distort the incentives for working on open-source projects and allows big software companies to avoid responsibility for their product decisions.
  • "Supply chain security is a problem that exists mostly because the consumers are doing a poor job of understanding what dependencies they have, and then responding to them and making the updates," said Brian Fox, co-founder and CTO at Sonatype and governing board member of the OpenSSF.

All software — open source or commercially produced — requires maintenance.

  • Running code in different ways over time can produce bugs that would have been nearly impossible to detect during the initial build, and intrepid cybercriminals around the world are constantly poking at software to find holes they can exploit before maintainers can release a patch.
  • The discovery of the SolarWinds hack in late 2020 — followed next year by the race to patch the Log4j vulnerability in late 2021 — led to the development of the Biden administration's push for SBOM requirements and the introduction of the Cyber Resilience Act by the European Commission, both of which require companies to attest to the security of their software.
  • But according to a recent survey conducted by Tidelift, more than half of open-source maintainers were not aware that new security standards had been developed both by industry groups like the OpenSSF and NIST, the federal body overseeing the SBOM rollout.
  • And among the maintainers who were aware of the requirements, nearly 40% said they had no intention of following through and 19% said they weren't sure what to do.

Chad Whitacre is head of open source at Sentry and co-creator of FOSS Funders, a project designed to funnel contributions from individuals and companies using open-source software to those maintainers.

  • "This is in all of our collective self interest to make sure that these things are sustained," Whitacre said.
  • According to Tidelift's survey, 47% of maintainers said they would follow the new security guidelines if they were compensated for the effort to update their projects.
  • But this is uncharted territory for this movement, and there are lots of questions about how effective compensation and regulation will actually be when it comes to improving software security.
  • "The last thing you need is a bunch of mercenaries driving around trying to collect bounties for adding features to a project that they don't know anything about," Fox said.

Still, like all maintenance issues, it's a problem that will only get worse with time.

  • "The effort to improve cybersecurity cannot just stop at defining and publishing new standards," Tidelift wrote in its survey report.
  • "This data revalidates the need for investment, especially from organizations that rely on open-source components, in the open-source maintainer community," the report said, and those organizations certainly include governments.

Read the full story on Runtime.


Come on the amazing journey

Burned in the past by vendors, big enterprise tech organizations tend to move slowly, even when operating within one of the greatest AI hype cycles ever created. Microsoft, the orchestrator of the latest cycle, unveiled plans Thursday to nudge those customers along the "journey" to AI glory.

"...today we are announcing three AI Customer Commitments to assist our customers on their responsible AI journey," Microsoft announced in a blog post explaining its approach to guiding your forced march to AI. It promised to share information about its own experiences deploying AI, help customers comply with "legal and regulatory requirements" that will spring up as regulators learn more about the AI "journey," and help its legions of partners work with customers to tie up all the loose ends.

It's hard to understand why any customer of Microsoft's (or any vendor, really) should feel better about embracing its AI tools now that the company has issued a set of vague promises to follow rules that no one has yet created. The simple truth is that no one — not even the creators of AI technology — has any idea where it's heading, and everyone is proceeding at their own risk.


Enterprise moves

Ian Knight joined Isovalent as chief revenue officer after a long stint at Red Hat.

Susan St. Ledger is now president of worldwide field operations at HashiCorp, after working in similar roles for Okta and Splunk.


The Runtime roundup

HashiCorp beat Wall Street expectations for revenue after a 37% jump, but its stock was pummeled Thursday after announcing plans to lay off 8% of its workforce.

Google Cloud announced new partnerships with Salesforce, Twilio, and Mayo Clinic while also rolling out a new security tool designed for AI workloads.

Google's DeepMind AI unit announced that it had figured out how to sort items in a list 70% faster than existing methods, which sounds trite but has already been adopted by the C++ programming language as a time-saver.

AWS has a new "military grade" rack server for hybrid cloud customers. Really think they should have gone with "tactical" there.

Adobe's Firefly AI image generator is now available for enterprise customers to slap cool images on hastily constructed PowerPoints explaining their AI strategies.


Thanks for reading — see you Saturday!

Great! You’ve successfully signed up.

Welcome back! You've successfully signed in.

You've successfully subscribed to Runtime.

Success! Check your email for magic link to sign-in.

Success! Your billing info has been updated.

Your billing was not updated.