Cisco has stepped up its contributions to the open source community, and its head of open source warns that urgent problems such as software supply chain security won't be solved until more corporations do the same.
Stephen Augustus also plays several leadership roles in the open source community. He is a Kubernetes project maintainer and member of the Kubernetes steering committee within the Cloud Native Computing Foundation (CNCF), as well as a member of the steering committee for the Linux Foundation's TODO Group.
He is a contributor to projects within the Open Source Security Foundation (OpenSSF) and a Governing Board alternate. He served as KubeCon + CloudNativeCon program chair from 2020 to 2021 and gave a keynote presentation at this week's KubeCon + CloudNativeCon EU 2022.
Augustus met up with SearchITOperations after his keynote to discuss his work in open source communities, and his mission to encourage more open source contributions from corporate enterprises.
In your keynote, you said Cisco has recently changed the way it's interacting with the community. What does that mean?
Stephen Augustus: We want to highlight that over the last few months, Cisco has emerged as one of the top contributors to OpenTelemetry, and we recently announced Telescope, which is a full stack observability product. I'm also one of the maintainers of Scorecard and Allstar, which are some of the projects built by the best practices working group within OpenSSF. We're shifting the way we're showing up in the community. My goal is to make sure that we're targeting critical components that are undeniably and desperately in need these days -- one of the big things is the software supply chain security conversation.
What do Scorecard and Allstar do to address the need for software supply chain security?
Augustus: Scorecard provides visibility into the posture of individual repos, using a variety of modular technologies to tell if a repo is well-maintained: Are there vulnerabilities in the code? Are [maintainers] doing static analysis? Are folks doing code reviews for the repo? Are the contributors that contribute to that repo from a diverse set of companies or affiliations? These are critical for the sustainability of individual open source ecosystems. Scorecard quantifies that and reports on that. It has a scoring system for each of these checks, and it comes back with a report so users can get an understanding of, say, whether a repo is more or less vulnerable, or more or less sustainable than it used to be.
There are some similarities between the information sets used by Scorecard and Allstar, and we see them as a dual community. Allstar will report back to maintainers on certain things that they may or may not be doing. Do you have binary artifacts checked into your repos? Do you have outside collaborators configured on those repos? Right now, it primarily does reporting. It'll open up a GitHub issue and say, 'Hey, here's a thing that you missed in your repo.' But we're going to build functionality to fix some common misconfigurations.
If we look at this from the open source contribution perspective, say you're the head of an OSPO [open source program office], this is a nice tool set to be able to report against. Some of the newer Cisco open source projects are in a separate GitHub org that has Allstar turned on by default, so anyone who's migrating a project into that org automatically gets the benefit of some of that reporting. I use that as an initial benchmark to evaluate against, and it gives me an opportunity to structure a conversation in a way that is built by the external community. But it also helps us provide feedback to the community and act on some of that feedback ourselves as maintainers.
End-user training and education is part of the OpenSSF's mobilization plan. How will the community address training and skills gaps around open source security?
Augustus: It's really a larger conversation around sustainability of the communities. How do we take users and turn them into contributors? How do we take contributors and turn them into maintainers? It's something that needs to be nurtured, and it's something that needs to be actively invested in -- not just by the maintainer communities, but also the companies behind them. When you think about where the education should come from, my first thought is, we need to empower people who are already doing the work. It's not just 'Can we build a new training program or curriculum within academia to do this?' It's, 'Can we train maintainers who are on the ground right now about how to do effective vulnerability management? How do we build a program for that?' Because then you get to multiply who you can train just by teaching the maintainers how run those programs locally.
Is that program up and running yet?
Augustus: One of the many next steps now that we've publicized the mobilization plan is that each of these companies has gone back internally and said, 'What can we put together from a resourcing perspective?' It's important to allow maintainers to identify who else we should be speaking to, whether it's maintainers of programming language communities like Node.js and Golang and so on. As a maintainer myself for Kubernetes and a few other places, I'm not really excited about the idea of random people coming into my project and suggesting that I do something a certain way, so I want to be very careful that we're treading lightly in how we approach these communities. We have to make sure it's a conversation, not something that's mandated by OpenSSF or the government.
OpenSSF is seeking funding for open source security that's many times more than what it's raised so far. Are you optimistic that it will get that funding?
Stephen AugustusHead of open source, Cisco
Augustus: Absolutely. Based on the conversations we've had, it's very clear to folks who are getting involved in this effort that we need to figure out how to be effective and really protect software on the internet. This doesn't really get done as a volunteer [effort]. We've done the volunteer thing. We've spent so much time as a community with volunteers, and when you can't tie your objectives and key results internally to maintaining an open source community, it falls apart. What if your primary maintainer for this critical project is a college student? If you're a large corporation that depends on open source software, you need to get to the table, and you need to back it up with funding. There's no way around it.
How can the CNCF and the OpenSSF get more companies, especially end-user companies, to make open source contributions?
Augustus: With KubeCon, we started involving end users on a [conference] program chair level. You have Jasmine [James], a senior engineering manager for productivity at Twitter, who's now a program chair for KubeCon + CloudNativeCon EU 2022 -- that's an end-user company, right there. Then you look at keynote speakers like Emily Fox, an engineer at Apple, and Ricardo [Rocha], computing engineer at CERN. You see the evolution of some of their stories, like Apple traditionally being a quiet player in the space to being able to talk a little bit more openly about what their infrastructure looks like and how they're contributing back to the community.
The same is true for OpenSSF. [JPMorgan Chase (JPMC)] and Citi were at that meeting in DC [with the Biden administration May 12]. They're leading by example. If you're a financial [services company], you're a lot more likely to come to the table when you see JPMC or Citi also there.
Is there anything that people don't know about open source contributions or open source security that they should know? What's most misunderstood about the projects that you're working on?
Augustus: There are so many ways to be effective in projects that doesn't involve writing, reviewing or approving code. Especially as we look at some of these sustainability efforts where the needs are around technical writing or product management, it's a different beast. Managing open source as a product is something that we don't spend enough time discussing. That expertise is sorely needed.
You mentioned some of those resources in your keynote, the special interest groups (SIGs) that have to do with open source contributions and contribution strategy.
Augustus: On the Kubernetes level, there is SIG Contributor Experience or SIG ContribEx. And then on the CNCF level, it's TAG ContribStrat, the technical advisory group for contribution strategy.
For companies that are interested in getting involved in some of these efforts, TODO Group is a phenomenal resource that not enough people are taking advantage of. It's a forum to have discussions about how the internal operations are going in your company and how to improve. For example, we have some financial OSPOs -- Bloomberg, Goldman -- that are part of TODO Group. It'd be cool to see people from more verticals and more academic OSPOs. It'd be cool to see companies who are considering what their open source strategy should be, or considering starting up an open source program office, coming to have that conversation with us. It doesn't work well when it happens in isolation. We are at our best when we're all together.
Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.