The world was ill-prepared for COVID-19 — from the early days in 2020 to the waning days of 2021, there’s plenty of evidence to support that statement. From the direct impact of the virus itself (initial testing and diagnosis) to vaccine development and distribution, to the indirect impacts (primarily the shift to work from home), the world and society were challenged again and again and again. And those challenges continue even today and stretch out before us in 2022.
But how do those challenges intersect with open source?
Open source is renowned for its borderless, badgeless “democratization” of technology development. Tough, interdisciplinary problems get solved at scale sooner with more eyes, more ideas, more use cases brought to bear. Through open, cross-company collaboration, COVID research and vaccine development happened swiftly. With a community-first ethos, public health issues surfaced more quickly — from data collection at scale to testing clinic operations, vaccine appointment apps and crowd-sourced maps highlighting the location of available at-home test kits. And the open source community, long accustomed to remote work, brought sage advice and insights to a workforce forced to remain apart for another year. If there’s anything good to be gained from the pandemic, the open source community can bring at least three lessons:
1) Innovation can happen even if you don’t sit side by side with your colleagues on a daily basis.
2) Collaboration across boundaries and badges can result in creating better solutions faster.
3) A strong community can scale solutions many-fold to benefit an even broader audience – a local neighborhood community, a county, a population.
So, how can we infuse the “rest of the world” with this collaborative spirit? By employing open source ethos, we can create effective, interoperable solutions that can help put an end to such things as a global pandemic. Let’s take a short, and admittedly biased walk through this year’s open source headlines with an eye towards a broader impact.
A Supply Chain Makes Headlines
Supply chains, once the province of logistics companies and sourcing departments, were all the rage this year. But the supply chain we’re talking about here is not the one that impacts delivery of flour, toilet paper or holiday toys. No, this one is the software supply chain – it’s all the components, whether you built them or not, that make up a piece of software. It’s been asserted in a variety of research reports and analyst opinions that a new application is only 20-30% new code. The rest is re-used software components, some of them open source. No modern application today is built without open source — nearly all software is a combination of open source and unique, proprietary code — it’s all part of your software supply chain. And what’s top of mind for everyone is the ability to secure that supply chain, shielding it from bad actors and unwanted intrusions.
That’s the crux of the matter behind this year’s security headlines: the early spring SolarWinds breach captured the attention of many, followed by other transgressions, all leading to a late spring U.S. Executive Order on Improving the Nation’s Cybersecurity requiring a software bill of materials or SBOM.
Because you can’t secure what you don’t know exists, an SBOM is basically a list of everything that your software includes: what each component is (integrity) and where you got it (provenance). The Executive Order specifically includes requirements for “maintaining accurate and up-to-date information on the provenance of software code or components and controls on internal and third-party software components, tools and services present in the software development process.” In short: document your software supply chain. And, while you’re at it, use automated tools and processes to maintain a trusted source code supply chain to ensure code integrity at all times. No small feat.
But the open source community was already head over heels on this topic — and has been for several years. From the ongoing efforts of the Linux Foundation’s Automated Compliance Tooling (ACT) initiative, featuring Tern, to the Cloud Native Computing Foundation’s white paper on Best Practices for Securing Software Supply Chain, the open source community is actively pursuing solutions.
The Linux Foundation’s OpenSSF takes on the mantle of software security by gathering industry leaders under one “foundation” to tackle these ecosystem problems. It’s not one vendor, one type of software or one industry that seeks a solution to software security — it’s all of us. It’s a community problem, ideal for the open source community, and VMware, like its peers, is heavily involved in finding solutions. And with the recent announcement of the Log4j vulnerability, this collaborative work is more important than ever.
Diversity Plus Inclusion Yield Better Answers
The headlines didn’t stray too far from the diversity topic this year compared to last year, but what changed was the inclusion of, well, inclusion. The teams you create must be diverse, but for the benefit to be realized, you need to take the next step: ensuring that everyone is actively included. An apt analogy: get invited to both the dance and the dance floor.
The open source community actively seeks diversity AND inclusion and knows the work is never done. Inclusion can be found not only in the people contributing, but also in the words and actions of that community. And language — or rather, the short-hand cryptic slang that we often lapse into — can be a significant barrier to participation. If you can’t understand what people are saying, if their language is so opaque and riddled with acronyms, it’s nearly impossible to join in. The CNCF continued their hard work in ridding the ecosystem of offensive language, aiming for more inclusive terminology. GitHub’s Demetris Cheatham spoke about their D&I program for maintainers at All Things Open, while Nigel Brown spoke about the language barrier in his presentation LGTM.
And seek diversity and inclusion from more than just the sage “code warriors” — reach out beyond those comfortable confines and open your community to newbies and rookies. The “next generation” open source leaders wait at the edges, looking for a place and a space where they can participate. As VMware’s Bebe Landau remarked in her blog, if you leave the door open just a bit wider, who knows who you might onboard to your project.
The Collaborative Work from Home Approach in Open Source
The world witnessed a historic shift in the 2020 job market and while some companies formerly offered working from home as a perk, in 2021 it’s become the status quo. In fact, some big tech companies (e.g. Twitter, Meta (aka Facebook)) informed workers that they can work from home indefinitely, even after many offices (hopefully) reopen in 2022.
Remote work — works. Not always, not for everyone. But it certainly works better today than it did two years ago. While working from home and being isolated from peers became the status quo for many workers, in open source communities that’s been the norm since the very start. It’s how the open source world “gits work done,” if you’ll pardon the pun. In many instances the hoopla around work from home and the mindset shifts it caused triggered chuckles and shoulder shrugs in the community. For them the reaction was, “What’s the big deal? We’ve been doing this for years.”
Open source community norms — sharing in the open, communicating and collaborating across time zones, using different tools and methods — brought new skills to a workforce uncomfortable with the lack of face-to-face interaction. And while the open source community prides itself on its self-sufficiency, it, too, craves human interaction. A community is based on a shared experience, and deeper bonds can benefit from personal interaction.
And so the brief, but tentative return to in-person conferences this past fall (All Things Open, KubeCon North America, AWS Re:Invent, and the Linux Foundation Member Summit) gave a few adventuresome souls a taste of what we’ve all been missing these past two years. Perhaps 2022 will offer more opportunities in the second half of the year.
Wrapping up 2021
So, let’s close the books on this year and look forward to the next. This year provided many opportunities to collaborate creatively in the open to seek answers to tough problems. We’re not done yet, and 2022 looks to be as “exciting” as 2021 proved to be.
While many organizations, technical and non-technical, reacted to the challenges of 2020 by enlisting staff to build customized technologies and organizational strategies in isolation, there’s another way. As open source advocates know, you can find better, more inclusive answers faster when all the smart minds can participate. We’ve seen that play out in the development and delivery of the COVID-19 vaccines in unprecedented time.
You can make a difference. Join an open source community, contribute your skills, whatever they may be, and be a part of an innovative, shared solution that readies our community for the unexpected and changes the world for good.
It’s a big thought to ponder, one that we leave you with until next year. See you all in 2022.