There has been an evolutionary explosion in the size, shape and number of open-source projects over the past decade. In 2010, source code host site GitHub had 1 million repositories. By 2018, it had risen to 100 million. Today, the site’s code search shows 278 million repositories, and by the time you read this article, that number could be over 300 million.

The number of developers contributing to and accessing code from open-source projects has grown as well. GitHub alone has over 80 million users, and the wider community is probably a lot larger than that. Major projects, such as OpenStack, receive billions of dollars in support from companies, including Red Hat Inc., IBM Corp. and Hewlett Packard Enterprise Co. But thousands of small projects are unfunded and irregularly maintained, and critical vulnerabilities remain undetected.

“Projects that are used everywhere, by everything, with significant outsized impact on the industry are not getting funded, [because they] aren’t flashy enough, aren’t exciting enough,” said Erica Windisch (pictured, bottom left), architect for developer experience at Twilio Inc. “But a vulnerability in it brings everything and everybody down and has possibly billions of dollars of impact to our industry.”

Windisch spoke with John Furrier, host of theCUBE, SiliconANGLE Media’s livestreaming studio, for an AWS Heroes Panel during the AWS Startup Showcase: Open Cloud Innovations event. Windisch was joined by Liz Rice (top left), chief open source officer of Isovalent Inc.; Brian LeRoux (top right), co-founder and chief technology officer of Beginner Corp.; and Casey Lee (bottom right), chief technology officer at Gaggle.Net Inc. They discussed achieving real business outcomes with open source. (* Disclosure below)

AWS Heroes share knowledge and success stories

Rice, LeRoux, Windisch and Lee are all AWS Heroes, a title given to leaders who share AWS knowledge and facilitate peer-to-peer learning within their communities.

“I’ve been in this game for a while, and I tend to just put my fingers in a lot of little pies,” Windisch said.

Those “little pies” include OpenStack, Docker, and OpenTelemetry. Her focus at Twilio is the developer as a user, and she is an advocate of AWS’ software developer kits.

At Gaggle, SDKs are used by developers, providing “a nice on-ramp for developers to use the tools and languages they’re used to, and then also go deeper as they need,” Lee said.

Lee is the creator of the GitHub tool Act, and like the other panel members, he is very active in the open-source community.

Rice chairs the Technical Oversight Committee at the Cloud Native Computing Foundation, and as an ambassador for OpenUK, she campaigns for use of open tech.

“That means I get to see a lot of what’s going on across a very broad range of cloud-native projects,” she said. She is currently most excited about the potential of eBPF technology.

As for LeRoux, the open-source project Architect, which is built on top of AWS’ Serverless Application Model, is taking up most of his time these days. But he still makes time to “keep a hairy eyeball” on what’s happening in the Apache Foundation, where he is a member.

LeRoux feels honored to be part of the open-source community. “It’s real science,” he said. “We get to verify each other’s work and expand and build on human knowledge.”

As members of both the AWS startup ecosystem and the open-source community, the panel members understand the needs of business and open source. They are all active contributors, project founders and open-source advocates.

Securing the software supply chain

The insecurities in open-source code were publicized in a 2020 study that showed 91% of open source used in commercial applications was from code that had not been recently maintained. And the United States government’s “Executive Order on Improving the Nation’s Cybersecurity” prompted a focus on security and compliance as companies were required to provide a software bill of materials, or SBOM, that detailed where code came from.

Despite this, it took the Log4j vulnerability for businesses to really pay attention to the potential risk of basing their infrastructure and applications on open-source code. Part of the problem is that it is almost impossible for companies to track the provenance of the code embedded in their infrastructure and applications.

“Enumerating your dependencies is not trivial today,” Rice said. Creating a way to track open-source components is an ongoing effort, and the open-source and commercial communities will need to work in tandem to create a solution, she added.

Companies sometimes compromise their security by using code from projects without a code of conduct, according to Windisch. This causes a conundrum where they are using the code, but because the project doesn’t have a code of conduct, their employees are prohibited from maintaining it.

“So you’ve locked yourself into a place where you’re depending on software that your employees are not allowed to contribute to,” Windisch said.

Lee believes that there needs to be a way to make it more clear “how important this software is, how many people depend on it, and how many people are contributing to it.” Projects such as the Open Source Security Foundation have been created to do just this, but they are “just getting off the ground,” Lee added.

Sell services, not code: A new model for open-source funding

Finding a way to fund projects without compromise is an issue the open-source community has struggled with since its inception.

“We know that there’s a commercialization aspect that helps us fund these projects, but how we compose the open versus the commercial sources is still a bit of a tricky question and a tough one for a lot of folks,” LeRoux said.

The open-source project Backstage is a good example of how open source and business can work together for mutual benefit, according to Rice. Sponsored by music streaming platform Spotify Inc., Backstage is currently going through the incubation process at the CNCF, and while the project is 100% open source, startups are emerging that offer a hosted managed version of Backstage, offering services around Backstage, or offering commercial plugins into Backstage, according to Rice.

“I think it’s really fascinating to see those ecosystems building up around a project,” she said. “I’m a big believer that you cannot sell the open-source code, but you can sell other things that create value around open-source projects.”

Being involved in open source benefits business

Companies need to get skin in the game and become involved in open source, according to LeRoux. Donating financially to a sustainable open-source project is a great way to start, and even tweeting about an open-source project is contributing to it. But to be considered an active member of the community, companies need to commit their employees’ time to contributing and maintaining code.

“A lot of these enterprises could benefit a lot from getting more active with the open-source foundations that are out there,” LeRoux said.

The saying “A rising tide lifts all boats” is apt for open source, according to Rice. “We can raise security; we can reduce the amount of dependency on unmaintained projects collectively,” she said.

Enterprise can also look to open source as a way to fill their skills gap by using the community as a hiring channel, LeRoux pointed out.

“There’s a lot of benefit to the larger organizations that can do this,” he said. “They’ll have a huge pipeline of really qualified engineers right out the gate without having to resort to cheesy whiteboard interviews.”

Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of the AWS Startup Showcase: Open Cloud Innovations event. (* Disclosure: AWS sponsored this segment of theCUBE. Neither AWS nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE