Panelists
Kate Stewart | Sean Goggins | Georg Link
Guest
Frank Nagle (https://podcast.chaoss.community/guests/frank-nagle)
David A. Wheeler (https://podcast.chaoss.community/guests/david-wheeler)
Sponsor
Linode (https://www.linode.com/)
Show Notes
[00:02:40] We start off on the topic of looking at metrics that are useful for identifying what’s going on in a Software Configuration Management system. David tells us what it is and whether there’s a difference between building software and deploying it, and how to figure out which components you’re going to bring into your overall system.
[00:07:55] Kate wants to know how much hidden dependencies play a role in the risk of using Open Source and using projects, and whether we see things people aren’t expecting. Sean asks if there are high-profile cases where folks did not manage those dependencies terribly well and bad things happened.
[00:14:09] Sean wants to know what kind of metric might help to identify that kind of programmer error that results in malicious code being introduced into a project and are there other ways that we could measure the existence of that phenomenon? CII Best Practices Badge is talked about here.
[00:16:38] Kate mentions a survey that came out late last year of the most popular software, in which some top packages were identified through analysis that had come from the scanners and everything else. Of those packages, how many of them have badges? Frank tells us the analysis he did and the results (report linked below).
[00:19:45] Sean talks about things he’s observed when it comes to packages and dependencies and which ones are more popular in the course of the project. He wonders if anyone on the panel has started thinking about how do we assess things that are within a repository and what challenges does that pose from a metrics perspective?
[00:23:34] License Risk on a project is discussed here by Kate and David.
[00:28:09] Sean wants to know if he’s creating an Open Source software project and he Googles “Open Source Software licenses,” is he in a pretty safe space or are there other Open Source licenses that are pretending that they’re Open Source? David tells us where to look to find out.
[00:29:32] Frank tells us what kinds of metrics or pieces of what they’ve talked about as being significant in both economic impacts and the future of work.
[00:33:53] Sean wants to know in regard to Frank’s survey, what kinds of things he is looking to measure that we can’t with trace data from a repo.
[00:36:39] Georg asks Frank if he has some early insights from the survey that might be interesting.
[00:39:02] David and Frank tell us places you can check out to learn more.
Picks
[00:40:28] Kate’s picks are to check out Software Transparency reports and check out Allan Friedman’s session at RSA “Taking Control of Cyber-Supply Chain Security.”
[00:41:26] Georg’s pick is OSI/Brandeis course on Open Source communities.
[00:42:36] Sean’s pick is Covid-19 streaming movie binge called “Hanna” on Amazon Prime.
[00:43:08] David’s picks are his website DWheeler.com and a website that Cloudflare put up called, “isbgpsafeyet.com.”
[00:46:44] Frank’s pick is a working paper that was just released called, “Open Source Software and Global Entrepreneurship.”
Links
Frank Nagle Twitter (https://twitter.com/frank_nagle?lang=en)
Frank Nagle Website (https://www.hbs.edu/faculty/Pages/profile.aspx?facId=566431)
David A. Wheeler Twitter (https://twitter.com/drdavidawheeler?lang=en)
David A. Wheeler Website (https://dwheeler.com/)
CII Best Practices Badge Program (https://bestpractices.coreinfrastructure.org/en)
CII-FOSS Survey (https://hbs.qualtrics.com/jfe/form/SV_enfu6tjRM0QzwQB)
“More Than a Gigabuck: Estimating GNU/Linux’s Size” by David A. Wheeler (https://dwheeler.com/sloc/redhat71-v1/redhat71sloc.html)
Reproducible Builds (https://reproducible-builds.org/)
SPDX License List (https://spdx.org/licenses/)
Core Infrastructure-Preliminary Report and Census II of Open Source Software (https://www.coreinfrastructure.org/wp-content/uploads/sites/6/2020/02/census_ii_vulnerabilities_in_the_core.pdf)
OSI-Brandeis course on Open Source Technology Management (https://www.brandeis.edu/gps/future-students/learn-about-our-programs/open-source-technology-management.html)
Hanna-Amazon Prime (https://www.amazon.com/Hanna-Season-1/dp/B07L5N7P32)
Is BGP safe yet? (https://isbgpsafeyet.com/)
“Open Source Software and Global Entrepreneurship” paper by Frank Nagle, Nataliya Wright, and Shane Greenstein. (https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3636502)
NTIA Software Component Transparency (https://www.ntia.doc.gov/SoftwareTransparency)
Allan Friedman’s session at RSA “Taking Control of Cyber-Supply Chain Security.” (https://vshow.on24.com/vshow/RSAConference2020APJ/#content/2502653)
Credits
Produced by Justin Dorfman at CodeFund (https://codefund.io/)
Edited by Paul M. Bahr at Peachtree Sound (https://www.peachtreesound.com/)
Show notes by DeAnn Bahr at Peachtree Sound (https://www.peachtreesound.com/)
Ad Sales by Eric Berry at CodeFund (https://codefund.io/)
Special Guests: David A. Wheeler and Frank Nagle.