Good morning, I am Adam. That is my dog Stanley, who listens to me ramble a lot about the sorts of things I'm going to be talking about for the next 25 minutes or so, and he only falls asleep about half of the time. In the past I've been a PHP core contributor; I worked at New Relic for several years on instrumenting various runtime languages; I got a film degree somewhat by accident; and today I work at the Rust Foundation on ecosystem security, with a special focus around supply chains at the moment. I'm also a member of the Rust project's crates.io team, which is the Rust version of PyPI. This talk is sort of related to that work but also sort of not, and I'm pretty much not going to mention Rust again for the entire talk, because it's not really anything language specific.

The title, for those who haven't somehow gotten thoroughly sick of it, refers to this XKCD, and we're just going to basically dig right into that little project, or at least try and find it. So most of you have probably heard this story already. Feel free to look at your phones or your laptops for a couple of minutes while I summarize it if you already know all this, but I'm just going to quickly put us all on the same page.

So supply chain security has obviously been a buzzword for at least a couple of years, maybe a few now, but it really got thrown into sharp focus in February this year as a result of this project, XZ, which, it's really nice to be in Australia and be able to say "zed" instead of North America. It's a compression standard, like gzip, Zstandard, lots of others, that's been in widespread use for several years; quite a few distros use it as their core compression format. The core of it is an open source project called xz-utils that provides a C library to handle compression and decompression and binaries to do it on the command line. Python has wrapped this in the standard library since 3.3, which was quite a while ago, so it's part of Python as well.

So for most of its history XZ has been a single-man project written and maintained by a guy called Lasse Collin, whose name I'm sure I just mangled because he's Danish. Like a lot of open source maintainers, the amount of time that he's been able to devote to his project over the years has varied a lot, right. And so a couple of years ago he got a handful of not very friendly mailing list posts, like this one, on an otherwise very quiet mailing list, basically insinuating that he wasn't doing a good enough job of triaging bugs or responding to feature requests. I'm just going to quote the last couple of sentences of this: "You ignore the many patches bit rotting away on this mailing list. Right now you choke your repo. Why wait until 5.4.0 to change maintainer? Why delay what your repo needs?" This is actually one of the... having been an open source maintainer for many years off and on, this is actually one of the friendlier messages that you sometimes get, but it's still kind of not nice, right; like, you're not going to walk away feeling good about yourself. I also just want to point out that this appears to have been crap, basically; like, as far as I can tell, he wasn't falling behind, there just wasn't a ton to do.

But around the same time a savior appeared, a new contributor called Jia Tan. Jia provided several bug fixes, was apparently very helpful both on and off the mailing list, and, partly most importantly, they weren't a drive-by contributor, right, they stuck around. They were around for a couple of years, and eventually Lasse promoted Jia to co-maintainer status, and Jia released xz-utils 5.6.0 in February this year.

That release included a backdoor. Most of the backdoor was not in the git repository for xz-utils; it was only in the source tarballs. It is depressingly common in the C world for your source tarballs, your releases, to not be easily reproducible from the repository, because they often include pre-compiled artifacts, because autoconf is terrible. Mostly this is to prevent people from having to be exposed to the full horror. Side to the aside: this is obviously not XZ, this is work I did in the Rust ecosystem earlier this year to basically try and look at where the packages match their repositories. Every ecosystem is doing this kind of work; Python definitely is as well. I think probably the next two speakers in this room know of efforts that are going on right now to do this, but this is happening everywhere.

The exact details of the backdoor don't really matter. It was theoretically really bad; it would have allowed essentially arbitrary SSH access to any system that it was targeting. What does matter is that it was implemented just sloppily enough that a guy called Andres Freund, who was doing unrelated testing work for a distro, found it a few weeks later, critically before most distros had shipped xz 5.6. By the way, I use Arch; it had already shipped xz 5.6, but conveniently the backdoor didn't work, so that was good. We got super lucky on this. If this had been more competently implemented, I don't think it would have been. We're just lucky that it was kind of not super well done.

And yet in some respects it was super well done, right; like, somebody put in like two years of effort to be a maintainer on this project, and actual effort, and if you find me when I'm drinking beer later I can tell you about the betting pool that I'm aware of for who was actually responsible for this and who the favorites are. Open source can give many eyes and make bugs shallow, but I don't think this would have been caught quickly in most cases. I think we got, as I said, very lucky, which then scares me, because how many of these exist elsewhere?

So that's the background. There were a couple of things that were interesting which I've already touched on. One of them was it was kind of hidden, because it wasn't in the repo. And the second one is that it wasn't an attack that was being caused by a maintainer; like, security people, language and distro security people, have tended historically to worry more about what happens if a maintainer gets their password compromised or something like that. Like, this is why 2FA is a big thing, why Yubico has a thriving business, etc. This was someone who'd spent multiple years gaining trust to get into a position where they could do this. The call was coming from inside the house.

But the thing that I also keep coming back to on this is, like, it's not the inside baseball security side of this, it's how this happened. If you'd asked me in January what I know about xz, I could have told you it was a compression standard, I could have told you it was a bit better than bzip, not quite as good as Zstandard, something along those lines. I didn't know who maintained it. I'd never heard of Lasse Collin before that; I'd never heard of Jia Tan. It's one of those libraries that gets installed by some package that's part of the base set of packages on most Linux distros and macOS and so on. It's something that's implicitly been part of Python for almost a decade. I'd actually like to think I pay attention to this stuff, but I missed this. I didn't notice this was a one-man project from a guy who was getting heat on a mailing list about how he wasn't doing a good enough job. So it's literal, metaphorical Nebraska.

So, like most of you all, I hope, I would like the things I depend upon to be stable and secure. Some dependencies are stable because they literally never change, but that's actually pretty rare; like, even xz, where the format hasn't changed for over a decade, still had a little bit of development going on, right. People invent new distros and build systems and all sorts of stuff, so there's still going to be releases. So my contention, which I don't think is controversial, is that projects are more likely to be stable and secure if they're properly supported. We're kind of in Maslow territory here, right; like, I don't want an open source maintainer having to worry more about, say, housing or food as their primary concerns, and that's before we even start thinking about parts of the world where those are actually higher up the pyramid because your home is getting blown up.

So that's the rub. How do we find people where they are worried about those low levels of the pyramid and where they could use some help? What is going on in metaphorical, and possibly literal, Nebraska? So how do we find them, how do we find what they need, and how do we maybe help them? I'm going to talk about this, as I said, a little bit from a Python perspective; I only have 25-ish minutes, and also, you know, Python. But nothing I'm talking about is exclusive to one ecosystem. I'm going to guess most of us in this room, even if your job is theoretically just Python, you probably do more than just Python, right; like, when I've had jobs that are Python, you're still writing, in my case it was usually JavaScript, to do front-end stuff. So you've probably got dependencies in multiple ecosystems, multiple languages, and this applies to all of them.

So let's dig a little bit into a specific project. This project is called Zulip. It is best summarized as a fully open-source Slack alternative. The Rust project uses it as its primary method of communication, and conveniently it's written in Python with Django as the framework. So like most Python projects we have a requirements file in the repo; it's not a pyproject.toml, it might be now actually, it was a few months ago that I looked at this, and it's even locked, which is nice. So when I'm working on a project I usually, hopefully, know my direct dependencies, but I definitely don't know the transitive dependencies, right; like, that's not a layer I tend to look at. But conveniently we do have them all laid out, so let's dig into that. I used a tool called Syft to generate an SBOM, a software bill of materials, from the requirements. The reason for doing that: in theory you could go straight from the requirements file and dig through the PyPI API and figure out what repo matches and things like that; it's just a lot easier if you use a tool that already exists for this.

Zulip has 301 unique Python dependencies, which I'd actually say is on the low side, honestly. It's a different language, but crates.io, which I work on, has almost 500 Rust dependencies and exactly 1,999 JavaScript dependencies. I assume a bunch of them are like left-pad and things like that, but sure. So I can use this data to basically get any other metadata I'm interested in, but here's the thing: I don't have the time or the energy to look at 300 projects in depth, right; like, we've got to filter this down somehow. I can look at five GitHub repos, but 300 is kind of pushing it. I assume at some point, if it's a paid thing, my boss would probably like me to do something more productive, and if it's an unpaid thing I'd probably just like to do something more productive.

And as we work through this it's important to remember this is still incomplete, right; like, Syft doesn't jump to the C dependencies or the Rust dependencies, if you're using something like cryptography, that those Python packages have. And that's before we even start thinking about base packages in the container image, your operating system, kernel. There are limits to how deep you want to go, right; like, it's probably impossible to directly help the sustainability of, say, the people in Taiwan working at the chip fab, but you definitely at least want to be conscious of this as you start digging down.

Okay, so how we evaluate this is honestly tricky. So there are scorecards out there, like the OpenSSF Scorecard, that attempt to capture various metrics and quantify them. You can access this information on deps.dev, which Nicky Ringland, who I just met, will be presenting in the very next slot, but these aren't necessarily the right or only tools that are available for the job, although the raw data is itself useful.

So one thing I just kind of want to touch on here is that the current state of security scorecards doesn't necessarily capture all of the risks that you might be interested in. Like, if you think back to the profile of, again, XZ as an example: like I said, I would argue XZ was not a terribly unhealthy project on the face of it; like, maybe there were patches bit-rotting on the mailing list, but I'm not really convinced that there were. So it's important: a lot of these scorecards currently, because they're coming out of a security space, which is also where I work, they're very good at capturing security risks, so, are they published securely, are the artifacts reproducible, do they match their sources, etc. But it's harder to capture some of the more human aspects of this. Now, to give OpenSSF their due, they're actually trying pretty hard. Like, I'll just go back to that for a second; right at the top there's "code reviewed", there's "maintained"; these are things they're trying to capture, these are scores they're trying to capture: do people care, are people able to care about this package? But that's still hard to quantify, and there were two categories there and there are several more that go into this score that are more security focused.

Security is important, I should probably say this because my job title includes the word security, but as I said earlier, my contention is that for security to happen you also need sustainability. I don't think you can have the security without people in good places. So, trust me, when I've maintained open source projects, I already know if I don't have enough hours in the day; I know I don't have enough hours in the day, or reviewers, or testing. So it's crucial to sort of understand where the problem spaces are, because it might be more complicated than just throwing money at the problem, and I'll come back to this in a bit. Although, also, if you have the ability to throw money at the problem, please throw money at the problem; maintainers would appreciate that. But you've also got to do it in the right way, because just throwing angry issues at maintainers saying "you need to do this extra security thing because the scorecard says you need to" is actually not super helpful. The person at the other end probably cares on some level; they might say they don't, because that's a defensive reaction, but they probably also have their own things they need to be focusing on. So again, I'll come back to this a bit at the end, but figuring out how to provide support is important.

So, okay, what health factors can we look at? Well, here are more that we can try and quantify to some extent, and as I said, some of these are on deps.dev and the OpenSSF Scorecard. Issue count, obviously: how many issues are being opened, but the actually important one is how many issues are being closed or assigned or triaged, essentially how much is actually getting dealt with. Pull requests, essentially the same thing: how many things are getting reviewed, how many things are getting closed, how many things are at least getting a comment, something that's not from the latest LLM hype bot that's trying to analyze it. Number of maintainers is a tricky one, because for small projects the healthy number often is actually one, but if you're looking at a bigger project, if there's 100 pull requests being opened a month and there's one maintainer, that's probably an issue; that ratio is probably a problem. Recent activity level, again, this one can be misleading, because if it's a stable project that's doing a stable thing maybe there's not a lot of recent activity because it doesn't need to be, but it's something you have to be conscious of. And this is kind of related: I don't mean diversity in the DEI sense here, I just mean how many commit authors are there. This is related to the maintainer one, but again the ratios can kind of matter here, right; if there's 100 committers and one maintainer, maybe that maintainer needs some help.

And again, just to reiterate the point, there are different shapes of projects; like, what XZ looks like is very different to what Django looks like, which is very different to, pick a project, what Twisted looks like, for example. So it's important to balance that level of scale and the level of recency, right; how active does the project need to be? If every pull request is getting closed but it's getting addressed, then, well, okay, maybe it's just a singular maintainer who has a very strong vision. That may or may not affect your choice of whether you want to continue depending on their project, but it's valid.

So I threw together some basic code to take that SBOM and just throw out the raw numbers. The OpenSSF has tools for this as well; the specifics of this don't really matter. I'm going to zoom in on a couple of these. I've redacted the names, basically because I don't think anybody in this room would do this, this is something I put in more for American audiences, but I don't want anyone going on a crusade, right; like, just because a particular Python project has bad numbers doesn't mean that you need to go be a knight in shining armor immediately. Or, as I've put it another way a couple of times, do not go start Jia Tan-ing these dependencies.

So what did I find? Hello, lights, must be 10 minutes. A mixture of things, which is why the human element is important. So again, I've redacted the names. Here's a package that accepts sponsorship, has a lower commit rate recently, so you can see the percentage of expected commits is sort of lower than the historical average, and they haven't closed an issue in the last month; well, they've closed some issues in the last month. They've also historically had a lot of contributors, but there's not a ton of activity right now. So on the bright side they accept sponsorship, both the repo and the organization that owns this. So this is one where, if I was in a position to offer some support, or ideally convince the people I work for, if it's a work project, to offer some support, then this would probably be a good candidate, right; like, this would be worth digging into further.

Here's another example of a package that is probably fine. They don't take sponsorship, they've got lots of contributors, they're active, they've got a lower open PR and issue rate, they're closing issues, they're efficient, they don't accept sponsorship, and I'm kind of jealous a little bit, to be honest. So they're probably fine. And as a final example, here are a couple of dependencies from the same organization and repo. They're
technically different packages um again 526 00:19:19,360 --> 00:19:22,000 I sort of look at this and I think maybe 527 00:19:20,840 --> 00:19:23,760 they could you know maybe they could use 528 00:19:22,000 --> 00:19:25,280 a little bit of help they do have a good 529 00:19:23,760 --> 00:19:26,679 um they do have a good commit rate 530 00:19:25,280 --> 00:19:28,960 they've got plenty of contributors but 531 00:19:26,679 --> 00:19:31,159 they do accept sponsorship and they're 532 00:19:28,960 --> 00:19:33,919 not closing issues at the rate that you 533 00:19:31,159 --> 00:19:35,559 would probably hope so again since they 534 00:19:33,919 --> 00:19:37,000 they accept sponsorship maybe that's an 535 00:19:35,559 --> 00:19:39,679 option right you know maybe you can kick 536 00:19:37,000 --> 00:19:42,600 them some some some cold hard 537 00:19:39,679 --> 00:19:43,880 cash but again I just want to reiterate 538 00:19:42,600 --> 00:19:46,039 at this stage we're still really just 539 00:19:43,880 --> 00:19:48,000 identifying potential candidates for 540 00:19:46,039 --> 00:19:50,559 support at some 541 00:19:48,000 --> 00:19:53,240 point you kind of have to actually 542 00:19:50,559 --> 00:19:55,760 engage a human element of this or you 543 00:19:53,240 --> 00:19:58,240 know an llm maybe I 544 00:19:55,760 --> 00:19:59,679 guess you know spend half an hour an 545 00:19:58,240 --> 00:20:02,480 hour just looking at the recent issues 546 00:19:59,679 --> 00:20:03,600 in PRS skim the chat backlog and so on 547 00:20:02,480 --> 00:20:05,440 because if you've already narrowed it 548 00:20:03,600 --> 00:20:07,880 down to like you know a few then you've 549 00:20:05,440 --> 00:20:09,600 got the time to go do this because the 550 00:20:07,880 --> 00:20:11,159 need for support doesn't always manifest 551 00:20:09,600 --> 00:20:12,720 as overtly as like somebody putting up 552 00:20:11,159 --> 00:20:15,799 the flag saying they want sponsorship on 553 00:20:12,720 --> 00:20:17,080 
GitHub right um I know of a a rust team 554 00:20:15,799 --> 00:20:19,240 for example right now that's struggling 555 00:20:17,080 --> 00:20:21,440 with lack of uh maintainer time and yes 556 00:20:19,240 --> 00:20:22,520 we're we're doing something about that 557 00:20:21,440 --> 00:20:23,840 but you wouldn't know that if you 558 00:20:22,520 --> 00:20:25,360 weren't actually on their chat Channel 559 00:20:23,840 --> 00:20:27,200 because from the outside most of those 560 00:20:25,360 --> 00:20:31,080 metrics actually look fine it's just 561 00:20:27,200 --> 00:20:34,320 that they're clearly approaching burnout 562 00:20:31,080 --> 00:20:36,280 so you don't know that just based on a 563 00:20:34,320 --> 00:20:38,480 scorecard necessarily it helps you 564 00:20:36,280 --> 00:20:40,480 narrow it down and helps you think about 565 00:20:38,480 --> 00:20:43,600 what's truly fundamental to whatever 566 00:20:40,480 --> 00:20:45,600 you're working on but it doesn't get you 567 00:20:43,600 --> 00:20:47,559 all the way to I should actually support 568 00:20:45,600 --> 00:20:49,919 this or not support 569 00:20:47,559 --> 00:20:50,919 this all right so we've got a we've got 570 00:20:49,919 --> 00:20:53,039 a short 571 00:20:50,919 --> 00:20:56,120 list we found some projects that might 572 00:20:53,039 --> 00:20:58,440 need some help what can we do okay if 573 00:20:56,120 --> 00:21:01,360 you have a budget and you can give money 574 00:20:58,440 --> 00:21:03,600 and and they want money give them money 575 00:21:01,360 --> 00:21:08,320 like this is this is not rocket science 576 00:21:03,600 --> 00:21:12,120 um obviously it's late 2024 um money is 577 00:21:08,320 --> 00:21:14,600 not as abundant as it once was alas um 578 00:21:12,120 --> 00:21:16,919 but you know if you work at a company 579 00:21:14,600 --> 00:21:20,440 that depends on open source software and 580 00:21:16,919 --> 00:21:22,240 you don't have a budget to basically 581 00:21:20,440 --> 00:21:24,039 
support your 582 00:21:22,240 --> 00:21:26,200 dependencies start finding out if you 583 00:21:24,039 --> 00:21:27,880 could add one like ask people I know 584 00:21:26,200 --> 00:21:29,279 multiple people at multiple companies 585 00:21:27,880 --> 00:21:31,440 who basically 586 00:21:29,279 --> 00:21:33,440 got this by just going and asking in 587 00:21:31,440 --> 00:21:35,400 somebody in a position of power just 588 00:21:33,440 --> 00:21:37,000 being like we never thought about this 589 00:21:35,400 --> 00:21:38,320 like this is an existential thing if 590 00:21:37,000 --> 00:21:40,120 you're building on top of an open source 591 00:21:38,320 --> 00:21:42,360 stack and everybody's building on top of 592 00:21:40,120 --> 00:21:45,080 an open source stack there are also 593 00:21:42,360 --> 00:21:47,919 Clearing Houses like um tidelift 594 00:21:45,080 --> 00:21:50,679 ecosystem foundations hi um that may 595 00:21:47,919 --> 00:21:51,919 provide donation opportunities but since 596 00:21:50,679 --> 00:21:53,840 the point of this was to find 597 00:21:51,919 --> 00:21:55,760 underserved dependencies in your 598 00:21:53,840 --> 00:21:56,760 dependency graph chances are they 599 00:21:55,760 --> 00:21:58,279 probably have the same sort of blind 600 00:21:56,760 --> 00:22:01,200 spots you might have because they're 601 00:21:58,279 --> 00:22:03,120 probably using the same scorecard 602 00:22:01,200 --> 00:22:04,559 fundamentally another option I think is 603 00:22:03,120 --> 00:22:07,919 often underused in the corporate world 604 00:22:04,559 --> 00:22:09,799 is in kind donation um donating 5 or 10% 605 00:22:07,919 --> 00:22:12,039 of a of an ic's time to help with 606 00:22:09,799 --> 00:22:14,080 project tasks is actually huge for a lot 607 00:22:12,039 --> 00:22:16,200 of projects and maintainers I know 608 00:22:14,080 --> 00:22:17,640 personally for things I maintain I'm 609 00:22:16,200 --> 00:22:19,720 really time poor so that's actually the 610 00:22:17,640 
--> 00:22:22,000 kind of help I would generally like more 611 00:22:19,720 --> 00:22:23,520 I mean I also like money but you know 612 00:22:22,000 --> 00:22:26,080 practically the time's actually more 613 00:22:23,520 --> 00:22:28,600 effective project tasks here don't mean 614 00:22:26,080 --> 00:22:30,120 necessarily writing code um I have a 615 00:22:28,600 --> 00:22:32,440 sneaking suspicion the most useful thing 616 00:22:30,120 --> 00:22:34,440 I ever did in open source was triaging 617 00:22:32,440 --> 00:22:38,200 the bug fire hose for PHP for a couple 618 00:22:34,440 --> 00:22:41,880 of years um triage documentation 619 00:22:38,200 --> 00:22:44,279 Community Management code reviews design 620 00:22:41,880 --> 00:22:47,200 these are all things that an individual 621 00:22:44,279 --> 00:22:49,320 can help with plus there a huge bonus if 622 00:22:47,200 --> 00:22:52,360 you say have someone go do code 623 00:22:49,320 --> 00:22:53,559 review having someone who knows a bit 624 00:22:52,360 --> 00:22:54,960 about that project even if it's 625 00:22:53,559 --> 00:22:56,600 transitive and five levels down 626 00:22:54,960 --> 00:22:58,520 independency graph might be really 627 00:22:56,600 --> 00:22:59,919 useful if you get a if you get a we 628 00:22:58,520 --> 00:23:02,159 weird bug most of us probably have 629 00:22:59,919 --> 00:23:03,919 stories of like oh that one time that 630 00:23:02,159 --> 00:23:07,600 this bug was caused by Solaris having a 631 00:23:03,919 --> 00:23:08,679 weird get time of day issue um yeah like 632 00:23:07,600 --> 00:23:11,080 these that's the kind of domain 633 00:23:08,679 --> 00:23:13,720 expertise that you can't necessarily buy 634 00:23:11,080 --> 00:23:16,279 but you can definitely invest 635 00:23:13,720 --> 00:23:18,159 in um if you are at a larger Place 636 00:23:16,279 --> 00:23:21,039 sponsoring infrastructure can often be a 637 00:23:18,159 --> 00:23:22,400 useful way of helping projects um open 638 00:23:21,039 --> 
00:23:23,679 source projects of a certain size 639 00:23:22,400 --> 00:23:26,960 usually get pretty good support from 640 00:23:23,679 --> 00:23:28,000 large infrastructure uh providers um 641 00:23:26,960 --> 00:23:29,640 definitely a little more challenging 642 00:23:28,000 --> 00:23:30,919 that used to be again I have stories 643 00:23:29,640 --> 00:23:34,360 probably shouldn't tell them on stage on 644 00:23:30,919 --> 00:23:36,640 video um but smaller projects often 645 00:23:34,360 --> 00:23:38,200 don't get that and it's often not 646 00:23:36,640 --> 00:23:40,039 covering everything so getting credits 647 00:23:38,200 --> 00:23:41,919 or donations to cover infrastructure 648 00:23:40,039 --> 00:23:44,799 Services Etc can really 649 00:23:41,919 --> 00:23:47,520 help but the most important thing to do 650 00:23:44,799 --> 00:23:49,159 is actually just to engage go to the 651 00:23:47,520 --> 00:23:51,320 person who go to the maintainer of the 652 00:23:49,159 --> 00:23:55,760 project ask them what they need um send 653 00:23:51,320 --> 00:23:57,200 them an email I don't think I know too 654 00:23:55,760 --> 00:23:59,120 many maintainers I'm going to guess it's 655 00:23:57,200 --> 00:24:01,279 about 1 or 2% of the population 656 00:23:59,120 --> 00:24:03,600 who would do anything other than be 657 00:24:01,279 --> 00:24:04,720 extremely grateful that you asked you 658 00:24:03,600 --> 00:24:06,520 might not get an answer for a while 659 00:24:04,720 --> 00:24:09,559 they're probably busy but they 660 00:24:06,520 --> 00:24:11,000 definitely want to know but if you're 661 00:24:09,559 --> 00:24:12,919 going to do that you need to be in a 662 00:24:11,000 --> 00:24:14,520 position to follow through empty 663 00:24:12,919 --> 00:24:16,320 promises don't help and they just waste 664 00:24:14,520 --> 00:24:19,480 people's time 665 00:24:16,320 --> 00:24:20,799 so you know provide the help that you 666 00:24:19,480 --> 00:24:23,640 are offering 667 00:24:20,799 
--> 00:24:25,600 basically so the punchline the talk is I 668 00:24:23,640 --> 00:24:27,320 really lied with the title um I was a 669 00:24:25,600 --> 00:24:29,039 liar yesterday when I did my lightning 670 00:24:27,320 --> 00:24:31,399 talk on multiple levels and now I'm a 671 00:24:29,039 --> 00:24:33,080 liar today quantification doesn't 672 00:24:31,399 --> 00:24:35,600 actually get you everything it just gets 673 00:24:33,080 --> 00:24:37,840 you the starting point to make the 674 00:24:35,600 --> 00:24:40,799 judgments that you need to make to judge 675 00:24:37,840 --> 00:24:43,320 what to support and what might need help 676 00:24:40,799 --> 00:24:44,799 um I just want to S you know the point 677 00:24:43,320 --> 00:24:46,880 of talk really is that we can take 678 00:24:44,799 --> 00:24:49,320 things that we already have lock files s 679 00:24:46,880 --> 00:24:51,399 bombs um The Dirty Little Secret of s 680 00:24:49,320 --> 00:24:54,520 bombs is that lock files are s bombs 681 00:24:51,399 --> 00:24:56,120 really but anyway um use them to find 682 00:24:54,520 --> 00:24:59,840 the components that are the Nebraska in 683 00:24:56,120 --> 00:25:01,919 the dependency graph and then go out and 684 00:24:59,840 --> 00:25:03,559 figure out what level of support you can 685 00:25:01,919 --> 00:25:04,720 provide and even as an individual that 686 00:25:03,559 --> 00:25:06,200 might just as I said it might just be 687 00:25:04,720 --> 00:25:08,000 donating some time helping with code 688 00:25:06,200 --> 00:25:10,159 review helping with documentation 689 00:25:08,000 --> 00:25:11,880 something like that because at the end 690 00:25:10,159 --> 00:25:13,799 this is a human problem like almost 691 00:25:11,880 --> 00:25:16,159 every problem in Tech well a bunch of 692 00:25:13,799 --> 00:25:18,240 them in llm problems but most of them 693 00:25:16,159 --> 00:25:19,960 are human problems which you need some 694 00:25:18,240 --> 00:25:22,039 level of intuition and 
experience with 695 00:25:19,960 --> 00:25:24,760 with open source and to do that you have 696 00:25:22,039 --> 00:25:27,640 to show up and 697 00:25:24,760 --> 00:25:29,919 help um thank you I intend to share the 698 00:25:27,640 --> 00:25:31,600 code eventually but dev.d shares most of 699 00:25:29,919 --> 00:25:33,559 this anyway so this is not as important 700 00:25:31,600 --> 00:25:34,720 as it used to be um but if I can SP you 701 00:25:33,559 --> 00:25:37,080 the horrors of figuring how to piece 702 00:25:34,720 --> 00:25:38,399 together the GitHub graph and rest apis 703 00:25:37,080 --> 00:25:40,960 I'm happy to because I had to do it 704 00:25:38,399 --> 00:25:43,480 professionally for a couple of years um 705 00:25:40,960 --> 00:25:44,840 I think we started slightly late I can 706 00:25:43,480 --> 00:25:46,760 probably take one or two questions if 707 00:25:44,840 --> 00:25:48,240 there are any uh but again thank you if 708 00:25:46,760 --> 00:25:51,360 you like the talk I'm Adam and if you 709 00:25:48,240 --> 00:25:51,360 didn't like the talk I'm Tom 710 00:25:54,120 --> 00:25:58,760 Eastman thank you so much um and as the 711 00:25:57,279 --> 00:26:05,399 token for appreciation 712 00:25:58,760 --> 00:26:05,399 this is my awesome thank you thanks