Transcript
Olimpiu Pop: Hello, everybody. I’m Olimpiu Pop, an editor with InfoQ, and tonight, we have Eddie Knight to demystify the European Cyber Resilience Act. I can try to give an introduction, but he’s a proper Knight, and he has so many titles in so many organizations, so I’ll just let Eddie do the intros. Eddie, tell us a bit about what you’re doing these days.
Eddie Knight: So Sonatype is my employer. Within Sonatype, I am the OSPO lead, which means I manage our relationships primarily externally with the Linux Foundation and a few others, such as the Eclipse Foundation and Apache Foundation. But most of my scope is within the Linux Foundation personally, which has me on the Technical Oversight Committee for FINOS, the financial technology arm of the Linux Foundation. And that’s because my background is in finance. I was at Bank of America and then at Morgan Stanley before Sonatype. Because I have a security and compliance background, I am the co-chair for the Security Technical Advisory Group for CNCF. And in the course of those duties, some of the stuff that we’ll talk about here in a bit, a lot of the activities have overlapped with OpenSSF, the Open Source Security Foundation, and so I maintain a few projects over there as well. So yes, you’re right. I am kind of everywhere.
Olimpiu Pop: So just to make it short, you are supported by Sonatype, your employer, to do a lot of good stuff in the open source field.
Eddie Knight: That’s exactly it.
Software supply-chain threats are growing at alarming rates [02:03]
Olimpiu Pop: Thank you for simplifying that for me. First of all, congrats for the keynotes that you just gave at KubeCon. Michael and you did an excellent job. So I will just try to dig deeper on those points because the Cyber Resilience Act in Europe raised a couple of eyebrows through the years. But before we go there, as you said, you’re with Sonatype, and Sonatype has a decade behind it of doing reports on what happens in the open source community in the supply chain. And as we know the software is hitting the world, and obviously now the AI is hitting the world. So let’s look a bit at that. How did the supply chain evolve in this decade? Okay, good. Thank you for that.
Eddie Knight: Yes, so the last decade of the software supply chain. I think one of the biggest wins that we’ve had is there’s fewer and fewer people that are saying, “We don’t use open source”. I should put that in air quotes. Fewer people are saying that, and you’ll find that a lot of people who are saying that are using Java and they’re running Linux machines, and they say, “We don’t use open source”. Like, okay, cool, how are you doing anything? Like Python. “We’re a Python shop that doesn’t use open source”. Exactly, my friend. That is an open-source language. And so we’re seeing fewer and fewer of that. So that’s a big win.
We’re also seeing a massive influx in just discussion around supply chain security. A decade ago, we didn’t have the term supply chain security. I wasn’t working in this space. I wasn’t thinking about this space. I was a culprit in this space of backdooring dependencies into my firms and trying to take shortcuts to increase business value by taking shortcuts. But we see a lot more people just having these discussions now, and that’s a huge, huge benefit because on the flip side, the last three years we’ve seen the number of attacks on the open-source supply chain double every single year, and it’s just a huge space.
Olimpiu Pop: That means if it doubled every year, now after a decade, it’s a lot. You are the quant here.
Eddie Knight: That’s a good number.
Artificial Intelligence is an accelerator; it can be used for defending or on the offensive side [04:12]
Olimpiu Pop: You are the quant here. But for me it seems that that’s a lot. I remember the last time when I checked it, and I think that was last year in October, it was a quarter of a million attacks solely in the supply chain. So that’s a lot, and I’m expecting that things changed also, given that AI is creating a new leverage. Do you have any insights about that? How did the AI change the game?
Eddie Knight: On the defensive side, at least at Sonatype, we’ve always used machine learning for, I think the last… Again, before I joined the firm, maybe six or seven years ago, machine learning was starting to get brought into analyzing, and that’s how, when you crack open our tools, we’re able to tell you, “Hey, your software has copy pasted code from a known vulnerability or known exploitable”. Whether it’s malware or a vulnerability, the way that we’re able to tell you that you copy pasted it over is through machine learning.
So machine learning in that aspect has been around for a while, but the generative AI that we have these days is kind of having the opposite effect. It’s allowing known exploits to be obfuscated, to be done in different ways, to be manipulated, or just to be performed by people who otherwise knew nothing about it. In the early days of ChatGPT, I was able to go in there and describe the types of attacks I wanted to protect against and get ChatGPT to explain exactly how I would build malware to distribute. So that is definitely the reason that, since generative AI has become public, we’ve seen this doubling every single year. It’s downstream from AI becoming a more publicly accessible resource, for the good and the bad.
Olimpiu Pop: Okay, so just to put it that plainly, this new wave of generative AI, it’s a bicycle more or less. It makes you run faster, but if you’re on the wrong side, you just go over the cliffs or somebody will push you over the cliffs and then your fall will be much longer. Okay, thank you for that. And in order to just put, I know that I said a very academic term here, and it’s a lot in terms of the effects hackers have around us. I just read the other day a paper from Harvard that was putting it in context financially, and it was something like, currently the money that is being put into open source is around $4.15 billion, but the impact financially that is going on the other side, it’s around $8.8 trillion. So for each dollar that we invest in open source, we get $2,100 as a return. So that’s a good ROI. I know, and given it’s-
Eddie Knight: I think that would even get past my marketing budget. I think they’d even be happy with that ROI.
Olimpiu Pop: Okay. That’s good. So just to make it even more plain than that, it could be a return of 212X. So that’s a lot. So I think everybody will be very happy with that output. Okay. And let me remember a bit the things that I did while I was doing research on these kinds of things. And looking at what was happening in the supply chain and the hackers, I found a couple of enemies, let’s call them, for the plain developer, and those were malicious actors, obviously the people that just want to put their hand in your pocket, take your money, take private information or anything else that can be sold on the black market. Then a couple of years back, state actors came into play and that was something new for me. It was becoming espionage. So all these kinds of things that are done for. I’ll not name countries or anything else, but mainly state actors that just wanted our skin.
The open-source communities worked with the EU to shape the Cyber Resilience Act into the form that allows it to help developers [08:02]
And last but not least, it was used as a weapon, again, in different parts of the world. But the feeling was that also bureaucracy is an enemy of the plain programmer. And I know that you as a company, Sonatype, especially Brian Fox, were very involved with the Cyber Resilience Act. I know that he was a partisan of making things plain. And me being a European, I was very happy to see that the European Union listened, took in the information that was provided by the companies involved in open source, and something actually came out that everybody was happy with.
I know that last year when the final version was signed or voted, people were very happy and a bunch of companies, the Eclipse Foundation and probably the Linux Foundation as well, they just came together and they said, “Okay, now we’re going to work to see through in terms of implementation”. What’s your insight on that? I mean, you are actually one of the main contributors into making things right. Anything to be added there?
Eddie Knight: Oh, that’s an overloaded question.
Olimpiu Pop: Let’s make it plain. What’s the most important thing that we have to know now as an industry? Just plainly, when should we start worrying about CRA?
Eddie Knight: I would say don’t worry about it. Think about it. Don’t have anxiety about it. There’s so many benefits to the CRA if we all play ball, but that’s not what you were meaning. You’re meaning when do we need to start actioning? And there’s two big numbers to remember. The first is, I believe it’s June 11th, 2026, which is if you have a known exploitable vulnerability in your software, you will have reporting requirements after that date. The second is going to be the… Well, there’s a mid-tier, there’s midline, but the end of 2027, so December 11th, 2027 is going to be the full effect. So all of the rules that are written down that your compliance staff are going to need to understand and metabolize are all going to be in full effect at the end of 2027, which is a pretty good amount of time to train people up, make sure we have the systems in place.
Olimpiu Pop: So we still have two years more or less?
Eddie Knight: Yes.
Olimpiu Pop: So it would be like a soft landing. There are intermediate steps, right?
Eddie Knight: That’s the intent. That’s the intent. Yes. And I’m actually really proud of the folks who made those decisions and those timelines because that middle timeline is actually more for themselves ish in that there’s this middle of 2027, there’s a requirement on themselves to have tooling, resources. They need to be notifying auditors. Those types of activities are all needing to be done something like half a year before the full rollout. And so there’s this staggering to it that’s actually really, really beneficial and makes it just a lot more possible for it to be done well.
Olimpiu Pop: Okay, good. That sounds digestible, but I know that during your keynote, you had the slide with a lot of dots and a lot of lines. I felt that I need a PhD only to comprehend half of it. So let’s look a bit-
Eddie Knight: Yes, the FUKAMI slide.
Olimpiu Pop: Yes.
Eddie Knight: That’s the FUKAMI slide. It’s the scary slide. All you need to know is how these hundred actors connect to each other in the relationships and responsibilities between them, and then you’re done. There’s a lot of different nuanced bits that are in there. Now in the keynote, the intention is like, hey, you don’t need to worry about all of that right now. If you find yourself in this picture, worry about the lines that you connect to. But understanding this entire ecosystem of the auditing, the regulation, the other regulations that are impacted by this regulation, all of those different types of things, don’t worry about understanding absolutely all of it. Action. Take action on finding yourself in this picture, finding the relationships that you have with other people in this picture and what responsibilities you have because of that. There is action that can be taken here, and it doesn’t mean you need to understand the entire giant picture.
How does the CRA help prevent other “Christmas Miracles” like Log4Shell [12:10]
Olimpiu Pop: Okay, great. So let’s see if I got it right. It depends where I’m positioned in that picture. So in my plain understanding, that will be I’m either downstream or upstream. Somebody is using what I’m building or I’m using somebody else’s. Of course, it’s oversimplified because theoretically it should be both ways and I would consume other libraries and other people might use mine. So let’s get back to history. A couple of years back, on a December morning around 4:00 AM, I was just trying to do some proper work, and then I got an email that said that a brown splash hit the fan, and that brown splash was Log4J.
Eddie Knight: Yes. The Christmas Miracle.
Olimpiu Pop: Exactly, the Christmas Miracle. That pretty much started everything. Well, it didn’t start everything, but it created a domino effect in that area because from that point on, a lot of countries started putting cyber legislation in place. I know that the United States started doing something. I don’t know if something out of that is still available or it’s still in use today, but that is what happened. So now I’m just thinking about the guys in Nebraska that were proper heroes for doing that stuff for the Log4J library and making sure that everything is fixed. What would the CRA mean for them today and tomorrow?
Eddie Knight: Yes, I made Log4J. You’re using Log4J. Somebody found an exploit on my software that I wrote, and now you have to clean up and find every single place that it was installed and do an update and make sure that that update’s not breaking things. So in that situation, your question is how does the CRA help you in this story?
Olimpiu Pop: To me as a consumer, and what’s the impact for you as the maintainer of Log4J?
Eddie Knight: So in the past, especially prior to this example of Log4J, it was not a universal standard to have much of anything between the maintainer and the consumer. Now we know that the financial services industry is highly regulated and it’s very standard. It’s an industry standard to have some middle steps in there where there’s an approval process, there’s a scanning process, there’s an artifact storage process in between you and me as the maintainer and the consumer. And when those systems are in place, we saw that the financial services industry, at least the customers of Sonatype who are using those things, where we know that those proper tools are properly in place, had an average of four days to recover all of their Log4J instances for large enterprises.
Comparatively speaking, the universal average of updating all resources from the Log4J incident was four weeks. So not having anything between the maintainer and the consumer is a serious problem because you need that visibility, you need those pre-checks. You need reminders, alerts, tracking, just everything. You need a lot of support there. And when it’s there, life is easy.
The CRA is doing something similar to that, not in a technical sense, but in a kind of a social sense. There’s these rules that are being put in place in between me as the maintainer of this code base and you as the consumer. So that way you know that somebody has come in and looked at this process all along the way before it got to you, and that might mean your bosses had to follow more rules. It might mean that the steward who is hosting and supporting me as a maintainer has more rules that they have to follow, but because of those rules and putting more steps between us, what we’re going to find is that there’s just going to be a lot more of a streamlined relationship so that way there’s less to worry about. And it’s going to be a win. It’s going to shift from compliance being done 100% inside your firm.
When you need to pull something down, you need to have somebody on your team go and research and look at who’s maintaining that. Just all the data that you need to pull in to be able to do a proper analysis of this. Instead of that always being done by you, what we’re going to see is a shifting outward to more shared responsibility, especially for these bigger packages like Log4J. We’re going to see a lot more shared responsibility happening because everybody’s going to be needing to follow the same rules, and it’s just going to be significantly more practical to have the stewards who are supporting those maintainers offset some of those costs and have the audits be done in a public space so that way everybody can share this knowledge and these resources. And when one enterprise is adopting a tool and bringing it up to snuff, everybody in the world is going to benefit from that.
Olimpiu Pop: So, for me, that doesn’t sound that scary. It sounds like we are just putting some steroids in open source, making sure that everybody really benefits from what it’s doing and that it becomes more of a community. Is that correct, more or less?
Eddie Knight: I know not everybody’s looking at it that way. That’s the way I’m looking at it. Absolutely. Yes.
OpenSSF Baseline assists with CRA adoption [17:36]
Olimpiu Pop: Happy to have the same optic. Well, obviously while I was talking about these things, because I did the first share of presentations in this space, I was starting with the line that the European Union doesn’t innovate, but it regulates. We are very good at regulating things. But now looking at that, my feeling is that they are just looking that we do it properly and people are actually safe from that point of view because it has a huge responsibility. And just an example popped in my mind during that period, I was working in a company that was doing only JavaScript and everybody was laid back, okay, it’s good. We are not using Java. Nothing affects us. Two, three hours down the line, everybody was in panic mode because actually we were using a cloud service that under the hood obviously was using Java due to its benefits. And then again, we had to start over again and just work with other stuff. So yes, I understand the benefit for that.
And as you started initially, you are part of a lot of organizations, a lot of work groups in the open source space. What tools can we use? I mean, obviously understanding the legislation is very complex, but I know that OpenSSF has a bunch of tools that are very useful. For instance, I liked a lot the scorecards. What do you have in the back pocket that we can send developers to?
Eddie Knight: Yes, so Scorecard is a really good tool to get a quick pulse. I would say make sure you’re sending developers to Scorecard and not your regulatory compliance folks, because Scorecard, there’s a set of recommendations that are in there that are actually really good recommendations, but they’re not vetted by a large community body. They’re not mapped to guidelines such as frameworks and regulations and things like that yet; conversations are in place about changing that.
But as things currently stand, it’s what a core very good set of engineers has identified as things to improve, to lock down your projects, and a really good tool to be able to point that at a million and a half repos every single week and give every single developer a quick little snippet of code that you can put in your pipeline so you can update your checks whenever you want. You can just run it. And for the general public, there’s this massive database of results. So you can see what the score of any one of a million and a half projects is rating according to these checks.
So it’s really good for a quick view. It’s best for developers because it’s giving you actual practical changes that you can do right now. The other thing inside OpenSSF that contrasts to that. So the downsides that I just mentioned from Scorecard are being addressed in the project called the Baseline, which we’ve just been talking about, which it’s the open source project security baseline. And the purpose of the baseline is to compensate for exactly the things that I just listed off. We are trying to take a set of known cybersecurity best practices and guidance, things like NIST 800-53, things like the CRA, and bring those down and say, how does this apply to open source projects? But how does this apply to every single open source project generically as a literal baseline for open source projects?
In this set of controls there are 40 of them. I think that’s the right number. It’s a round number. So I never trust round numbers. Last I checked, there are 40 and they’re divided into three levels. There’s some topical organization to them, and there are assessment requirements for every single one of them. So you can look at it and you can say… I almost want to recite off some to you, but just as an example, you need to have MFA turned on. And so now I can just stop and think, “Oh yes, for all of my projects MFA’s turned on except for, you know what? I think I didn’t think about it for one of them. Let me go and do that right now”.
And so it’s really good for developers in that aspect to just give this checklist all the way down of, hey, these are the things that are true for every single project. And those 40 are divided up into three levels where the bottom level is 18 or 20 checks that are just like, hey, if you’re a single developer, you could still do this. And the top ones are like, hey, you need to do a security self-assessment. And that’s connecting a lot to the CRA where the CRA is asking open source projects to assess their own security and make attestations and say like, hey, this is where I stand. And that’s the kind of stuff that we would expect from projects with more maintainers, more users, things like that.
But that level one criteria is something that just has never existed for open source projects. So you just have that key central cohesive set of recommendations. And so that’s something coming out of OpenSSF that I’m very proud of. I think it’s just a really good project that everybody can benefit from. And on the horizon from that, the last thing I’ll talk about, because there’s too much, and you’ll never get to talk again if I keep going, but on that topic of the Baseline, we are currently working with the Linux Foundation, the LFX Insights platform, to get a subset of those checks that can be run against public repos, the way that Scorecard is being run against 1.5 million-some-odd repos. We are working with LFX Insights to set up a system where that same kind of scanning can be done, but now the results are actually mapped to regulatory expectations such as the CRA, and that’s something that’s trying to be provided to open source maintainers, which is really, really exciting.
Olimpiu Pop: So let me break down in levels and points what you said. So the scorecard tool, by the way, it has really nice logo. I like the logo, so that’s how I choose the scorecard. Yes, it’s the best logo ever. That’s useful for day-to-day developers to ensure that they, first of all, they can check their open source project or even internally their project. And that was my recommendation usually. So now you can correct me whether it was proper or improper recommendation to be used when we are choosing a library to incorporate, to adopt in our project. At least that was my view. It was good to check and then compare between that.
Eddie Knight: Yes, so I’m a little bit on the fence about that because there’s not a guidance on what is a good threshold, and it’s a score of zero to 10, and the average score is less than 4.5. It’s something like four. So if you want to have just a decent number, five is a decent number, but that’s not considering. You might have done some of this stuff that isn’t actually securing your project. You might’ve set up a fuzzing tool, but for your project, that might not be boosting your security for your particular situation as much as some other elements. So you might be increasing your score without necessarily making a significant impact.
Olimpiu Pop: Improving the security.
Eddie Knight: And then on the other side of the exact same point is five out of 10 sounds horrible. That’s horrible. And so I think a lot of folks just don’t know how to read it. If you see a nine, you see a 10, it’s like, oh, cool, they’re passing. No, no, no. Those projects are doing everything that these engineers that are maintaining Scorecard could think that they could measure. That’s a really, really good score. I looked at one of the OpenTelemetry scores, they have like 70 repos, but one of them was a 9.9, and I was here in the middle of a conversation with them and I’m like, “How did you do that?” He’s like, “Oh, that’s not my repo. But yes, I guess they just did everything wild to see scores that high”. But as a reader, as a consumer, we’re not trained to know, “Hey, dude, above four is a pretty good score”.
How the CRA-related controls can be used to enhance the security of your project [25:32]
Olimpiu Pop: So that means that in life, like in everything else, we just have to make sure that the tool is fit for our purpose and understand exactly what’s there. So actually look beside the number. So we’ll have the number as a guiding principle, but then we should look at the things that are actually of interest to us because as you said, there are some things that are there, okay, we are communicating if we have bugs or not or stuff like that. So we actually have to aim to have the most important things in place. Good.
And then you mentioned about the baseline. And the baseline, it reminded me about during the period when I was doing certification. Not really happy about those times. So I still have some cold sweats during the night about those things, but my feeling is that these things are appropriate and they are level. So theoretically if I’m doing those, I’ll be ticking some boxes that will assure my audience that some particular operations were made and now some sanity mechanisms are in place. One more question on this. How often should it happen? Should it happen every time when we are doing a release or is it on a time-scale?
Eddie Knight: Yes, that’s a really good question. So on one hand, if you have automated checks, you should just run them all the time, put them on a cron, put them on your pull requests, put them on your commits, just run them all the time. Now granted, you’re going to burn a lot of energy doing that, and you might just lose your mind. So I think the thing to consider is, again, which of these values matter to you? With the baseline, what we’ve tried to do is say, hey, every single one of these values always matters. But some of them are like, hey, is this data populated?
The quality of that data might be arbitrary like your security policy. You might have a janky security policy, but you have it. It exists, but it’s maybe not super clear for readers. It doesn’t matter how often you run that check. There’s a degree to which compliance will not always equate to security, and that’s a really important thing that I think we don’t talk about enough.
Olimpiu Pop: So we should talk more about it, right? Okay, so what more… I mean, talking is okay, but more than that, what would be actions that we need to take in that spectrum to be on the safer side? Can you name one, two?
Eddie Knight: As far as what controls can we meet or what can we do as a community? Because I’ve got answers for both.
Olimpiu Pop: Let’s have both because it’s the day when we can be eager to hear more about it.
Eddie Knight: Yes. So there are plenty of controls on multi-factor that I talked about. There are very technical controls. Those should just always be in place and always check those. Always. You should just be scanning for those. If you’re a user and you’re seeing that some of these detailed technical controls are out of place, like status checks aren’t being run on commits, things like that, it’s like, oh, that should raise a red flag. I have a repo right now that I am not running my status checks and not requiring code reviewers on. I hope that you would come to me and tell me, “Hey, we want to use this”, and this is where the community part comes in. I hope you would come to me and say like, “Hey, we want to be using this, but we know that the standard is that you should be doing these certain things”.
And then I would say, “Oh, well, I wasn’t ready for you to be using that in prod”. If your response is, well, we are ready to use it in prod, then you and I should work on implementing those things and making sure that’s in place. And then there’s the other side, which is the clarity of the security documentation. Secure by default is not always possible, so we have to have secure configuration documentation. This is how you turn on Flux, the continuous deployment GitOps platform. You can’t just kick it up and turn it on without there being some security risks that you need to account for in your system, and you need to flip some switches and stuff. I just came out of a meeting with their maintainers. Flux has documentation around what you should do, but every time a new feature is added, there’s a chance that that documentation is going to go stale.
Knowing what it means to do a securely configured deployment of this application is extremely, extremely important. And so as a community, we need to be more ready and willing to raise our hand when we say, “That wasn’t clear. That looks like it was out of date”. Nobody likes hearing make a pull request, but at least file an issue. At minimum say you have some security documentation that you clearly cared about at one point, and I don’t think it’s up-to-date anymore, or I’m not sure it’s up-to-date anymore. Could you just timestamp this and let everybody know that you reviewed it?
Maintainers are almost universally motivated by end user requests. What the user is asking for is what the maintainers are going to build. The exception is when their bosses are a user. That might be the more powerful line of feedback. But if you’re able to come in and just let folks know like, “Hey, I’m using this. I was trying to use that piece of documentation. Your documentation is a feature for me. Your security documentation is a key feature for me”. Help the maintainer prioritize it, even if you can’t help the maintainer improve it.
Olimpiu Pop: Okay, fair enough. So I don’t know why, but in my head, a simple rule came out: apply the Little Girl Scout rule. So either raise a hand, tell somebody that you found a problem, or even better just go on and fix the issues. And that’s it. Okay. One last question. We are obviously in the land of CNCF. Kubernetes is obviously a very big community and looking around here, there are a lot of folks, what’s here to be taken from other people? I mean, not everybody’s on the operations side, but underneath the tool, a lot of things are running on Kubernetes. There are a lot of other tools that are here that are used on a day-to-day basis by all of us, either knowingly or unknowingly. Anything else that we have to take either as a learning from this event or even more, what should the guys on the CNCF learn from the CRA and what do they have to do next?
Eddie Knight: So a lot of what I’ve been doing has been the security slam this week, right? We’ve had four different sessions. OpenTelemetry and Flux are the two graduated projects. The two sandbox projects are Meshery and OSCAL Compass. And so my headspace is very much in lessons learned from this experience, where we have been working with the project maintainers to create a backlog list of security tasks that could be done, security documentation that could be improved. With the Flux guys, it’s been prototyping a new security feature, which has just been absolutely wild, occupying a lot of my headspace clearly.
I think the biggest takeaway that I’ve been hammering on and trying to drill in is that all of this needs to be a community effort. So the Cyber Resilience Act divides us up into manufacturers as well as maintainers, who might be manufacturers and might not be manufacturers. And then we have stewards, and an open source project may fall under a steward or an open source project may not fall under a steward.
So we’ve got maintainers, we’ve got stewards, we’ve got manufacturers, and we’ve got the consumers. And in the middle of all of those are the members. So everybody here is most likely a member of CNCF, and if not, you’re a beneficiary of the members who are paying to keep the lights on here. So the members are at the middle of being maintainers and manufacturers and stewards and consumers of all of this open source tooling. And if we can just together collectively decide that we’re in this together for real, for real this time, we can start sharing so much of this burden of regulatory compliance. And instead of just doing compliance, we can start doing compliance in a way that results in real security outcomes. And that is only going to be coming from actual cross-the-aisle, like JFrog and Sonatype working together sort of thing, right?
Cats and dogs need to be solving problems together. And when we do that and we approach these really difficult, complex topics with an open heart, we are going to be able to upgrade and elevate the community in ways that have just never happened before. And this doubling-every-year attack on the software supply chain is going to keep going. People are going to keep just burning electricity on AI programs, trying to get vulnerabilities in, trying to get exploits, building malware. And what they’re going to be met with is a mountain of community resistance that is growing just as fast.
How the CRA describes the different roles of the individuals and organisations involved in open source [34:32]
Olimpiu Pop: First of all, I think this would be a very good speech for winning the Miss Universe thing. It’s a lot of peace in the world and a lot, but yes, you’re totally right. So I think the message is that we should all work together for a brighter future, meaning that it’s us or them. In my presentation, I used to have a pirate flag that was positioning the dark side of the web, also pretty much the hacking, right under China in terms of GDP. And that’s scary, because both China and the US are in the first and the second position, and we are talking about trillions, and that’s important, that we all work together regardless of the name of the company that we are working under to make the future brighter and safer for all of us. And I know I promised that that would be the last question for you, but you said something that raised a question. You mentioned open source maintainers and then manufacturers. What’s the difference? How should I position myself from that point of view?
Eddie Knight: In our keynote, we’re not allowed to discuss vendors and manufacturers. We can discuss products and maintainers. With you, I can actually just say names to use examples about anything that is an open source piece of technology, and the maintainers are everybody who brings that thing to life. They’re reputationally associated with it. They’re the leaders in producing this thing.
Olimpiu Pop: That’s an individual.
Eddie Knight: An individual, yes.
Olimpiu Pop: Okay, so me, if I’m doing a pull request to Kubernetes, am I becoming a maintainer of Kubernetes, or is it about the company that is powering it and putting money in and burning hours of their employees?
Eddie Knight: No. So you could be a contributor. The contributors aren’t really captured in the CRA as much; just by making a PR, you’re a contributor. The maintainers also kind of aren’t really called out too much in the CRA, right? Because even though the maintainers are part of the governance structure of this project, right? Open source is software, standards and community. And so this open source project is the software that is built by the community. In the case of Kubernetes, you’ve got all three. Those maintainers who are part of the governance structure in this project are not necessarily manufacturers. However, our cloud providers are delivering Kubernetes to us at a price. They are bringing Kubernetes to market. The maintainers are not bringing Kubernetes to market. So Kubernetes, while it is still just in a code base, it is an idea, it’s a concept, it’s fun, but it’s not a product at that point.
Olimpiu Pop: Okay, good. So that means that if I’m manufacturing something, I’m just, I don’t know, writing books and I put them on the shelf, then I’m more or less a maintainer and whatever. But if I transform that into a bookshop, then I’m providing that service. So that’s the point when I should be worried, right?
Eddie Knight: Yes. There’s another spin on this where you have folks such as Control Plane, who are the exclusive support providers for Flux. They pay their maintainers to work on Flux. So those humans are, at once, themselves maintainers and employed by and associated with the manufacturer. So the manufacturer is the corporate entity at this point who is providing support, but the individuals within that corporate entity might also themselves be maintainers.
Olimpiu Pop: You can see that you work in finance. It’s a lot. It’s a mouthful. So yes, I understood it. Thank you. Any close statements, anything that I missed asking you to just wrap up everything?
Eddie Knight: Yes, I appreciate talking about this. I appreciate you creating space for this. Definitely. I appreciate you entertaining my Miss Universe philosophy. I think there’s going to be an increase in money changing hands where you’re going to have third party audits. You’re going to have a rise of manufacturers providing support, where now the consumers of Kubernetes are going to be incentivized to not run vanilla Kubernetes anymore because they don’t want to be the manufacturers. They want to offset some of that risk. And so their choice is going to be either continue paying their compliance and security staff to lock down their vanilla deliveries prior to bringing it to market or work with a support system, somebody that’s providing support, somebody that’s delivering this. And so where the money is being spent might start changing hands a little bit more. But the net value I anticipate is going to be largely beneficial.
I think that it is a zero-sum game in how we’re spending the money. It’s going to be spent somewhere, but what we’re going to see is we’re going to start consolidating who is actually taking on the liability of securing these different products. And in doing so, they’re going to have the capability of doing it at a much higher level than they’ve ever had before. And that is going to be a change. It’s going to be a different way of doing things, but it will be a net improvement for everybody. And that’s why Miss Universe, I’m saying, this is awesome. This is really good for us. We need to pay attention that we are doing this together.
Olimpiu Pop: Yes, I totally agree with that. It feels like the coming of age of the software industry, because up to now it felt like, more or less, people were working in their garages, even if they were working in corporations. And now it’s actually putting some structure into place that would allow us to play ball and just have a united front. Eddie, thank you. Enjoy the rest of the conference.
Eddie Knight: Thank you. It’s always a pleasure.
Olimpiu Pop: Thank you, Eddie.