Welcome to Upstream 2024: Unusual ideas to solve the usual problems
A recent Harvard Business Review study found that open source is worth $8.8 trillion. To put that in perspective, the US interstate highway system is valued at only $742 billion and the entire US electrical grid at only $1.5–2 trillion. So, in a world where open source has become one of the most valuable pieces of infrastructure we have, why is open source health and security still not a solved problem? In the wake of the recent xz utils hack, where an unpaid and underappreciated open source maintainer was taken advantage of by an extremely sophisticated attacker, Luis Villa will use this opening talk to make the case that our current way of “fixing” open source health and security is simply not working, and that we need to explore new ideas that match the value of what we’ve created. We’ll surface some of the best ideas we’ve heard through the course of the day.
“How much is open source worth?” is an age-old question. Thanks to new work from professors at Harvard and the University of Toronto, it is also a question with a new, creative, and important answer. In this fireside chat, Luis Villa sits down with Frank Nagle, assistant professor in the Strategy Unit at Harvard Business School, to discuss the recent paper, The Value of Open Source Software, that Frank co-authored. This paper concluded that open source is worth $8.8 trillion.
One of the biggest concerns with modern patch management is that we haven’t truly challenged our thinking around “patching everything” in 40 years. Yet available evidence shows that most vulnerabilities do not and will not ever see exploitation. In this conversation with Tidelift CEO and co-founder Donald Fischer, Red Hat VP of Product Security Vincent Danen will challenge some of the common perceptions about open source software security. By changing how we think about open source security from an exercise in creating “vulnerability-free” software (a compliance-driven exercise) to one where the purpose is minimizing the potential or severity of a breach (a risk-driven exercise), we may actually reduce our security costs and improve our outcomes at the same time.
In late March, we all dealt with yet another attack on a popular open source project; this time, in the Linux-level file compression package xz utils. What was most sinister about this attack, though, was how deeply it impacted trust within the open source community. The attacker spent years engineering multiple sock puppet accounts to gain the trust of the volunteer xz utils maintainer. In this panel moderated by Tidelift VP of product Lauren Hanford, we’ll talk to Josh Bressers of Anchore; Shaun Martin of BlackIce; Jordan Harband, prolific JavaScript maintainer; Rachel Stephens from RedMonk; and Terrence Fischer from Boeing to get a diverse mix of perspectives on how this changes the landscape of open source software supply chain security.
Secure by design: a proactive approach to open source health and security
In this session two of CISA’s leading security experts will share more about the industry-wide effort they are leading to make security a core business requirement in products versus an aftermarket technical feature. They’ll share historical analogies of where this design-first approach has had real impact in other industries, and they’ll cover how they are working directly with industry leaders and the open source community to proactively improve practices in ways that will lead to the security outcomes we need.
Fireside chat: How a large Canadian telecommunications organization built an OSPO
When this Canadian telecommunications company’s corporate security team came up with directives and policies, they realized that many of these security directives were around open source—and there was no shared foundation in IT on how to follow them. There was no support, tooling, or guidance around licensing. This was back in 2019, long before Log4Shell shook the world. This telecommunications company knew that they wanted to leverage the strategic advantages of open source to compete in the telecom market, so they decided to build a process around open source internally, and the OSPO was created. In this fireside chat, Tidelift VP of product Lauren Hanford sits down with Aisha Gautreau, who leads the OSPO at this large Canadian telecommunications company, to hear about the journey of this nascent OSPO and what advantages they have leveraged so far.
Government carrot, government stick: Exploring two contrasting approaches to improving open source security
Governments are starting to believe that their traditional hands-off approach to open source no longer makes sense. But what then? Europe is providing examples of both “carrot” and “stick”: providing incentives to people and organizations to do more security work (the carrot) or penalizing them for not doing the work or after security incidents happen (the stick). In this fireside chat, Tidelift co-founder and general counsel Luis Villa sits down with Fiona Krakenbürger from the Sovereign Tech Fund and Mirko Boehm from the Linux Foundation Europe to discuss the impending CRA legislation in the EU (the biggest government stick to date) and the Sovereign Tech Fund’s “carrot” approach to funding open source security.
In this session I'll give an overview of what the problem is with submitting CVEs to GitHub issues—why it's frustrating for compliance teams and maintainers alike. I'll cover the nature of vulnerability scanners and compliance requirements that make security teams submit numerous unvalidated vulnerabilities upstream. I'll also talk about why these reports drive maintainers crazy and why the current standards are unrealistic. I'll then highlight how the solution to this problem comes from both sides: clearer maintainer security policies and a better understanding of what compliance requirements actually are. I'll talk about why Argo's security policy is a great starting place, and why vulnerability scanners need to focus on upstream direct dependencies instead of the endless transitive dependency pain.
Panel: New approaches to open source security and resilience from the financial services industry
For obvious reasons, the financial services industry has been a leader in embracing new approaches to ensuring the security and resilience of the open source software we all depend on. In this panel we'll learn what a few top experts are doing within their organizations to harden their defenses and invest in the open source they depend on, while sharing advice and strategies that all organizations can take back to inform their own work.
This talk summarizes my 15 years making open source tools. Some of them have become popular (PostCSS, Autoprefixer, and Nano ID have more than 60M downloads per month) but most projects did not (their failures taught me more than the successful projects did). The talk is not about dark patterns, but about the things which many maintainers forget: about the users and the fact that users don’t have enough time:
— Why is the open source dream a lie?
— What are good and bad reasons to create an open source project?
— How to write readable docs (even for users who have had a hard working day)?
— What to do if you are not a native English speaker?
— How to deal with hate?
— A few tricks to reduce burnout a little.
Panel: State of the open source maintainer in 2024
What's it like to be an open source maintainer in 2024? In an annual Upstream tradition, we sit down with a group of maintainers to hear directly from them to find out. This year's panel includes Valeri Karpov from Mongoose, Irina Nazarova of Evil Martians, Tatu Saloranta of jackson-databind, and Wesley Beary, who maintains popular Ruby projects fog and excon. We'll ask them about how the recent xz utils hack made them feel, how community and project health looks from their perspectives, ways enterprise users and organizations can help maintainers, and much more!