►
From YouTube: SOS Sustainable Open Source by Floor Drees
Description
Free and Open Source Software is eating the world, but is at the same time a victim of its own success. Large enterprises rely on libraries maintained by the proverbial individual in Nebraska. Individuals or organizations may restrict the use of their technology or EOL versions of their software, posing real challenges to organizations depending on that technology. How can we as organizations, and individuals contribute to the viability and sustainability of open source for the generations to come?
B
A
A
B
Good
luck
but
I
appreciate
you
for
trying
yeah,
you
did
try
hi
everyone.
Yes,
it's
nice
that
you
come
sit
a
little
bit
closer,
so
I
feel
a
little
bit
of
your
warmth,
because
I've
been
freezing
in
this
room.
I,
don't
know
about
you
all
right,
so
sustainable
open
source
in
this
modern
world.
We
rely
on
a
lot
of
components
for
all
of
our
stuff
to
work
and
for
it
to
continue
to
work
and
I
know.
B
B
So
there's
been
an
2022
study
by
ausra
together
with
the
synopsis
group,
and
it
came
back
that
97
of
2400
plus
audited
code
bases
contain
open
source
software.
Maybe
you're
not
surprised.
It
is
a
large
number,
though,
and
some
of
the
some
of
the
sort
of
like
subgroups
sub-industries
that
they
were
investigating
even
sometimes
contained
up
to
99
of
Open
Source
in
their
commercial
code
base.
B
So
large,
Enterprises
and
all
kinds
of
companies
rely
on
libraries
that
are
sometimes
maintained
only
by
a
single
individual
in
their
free
time,
and
that
creates
potentially
some
attack.
Surface
right
and
sometimes
organization
will
restrict
their
the
the
way
that
you
can
use
their
software
or
end-of-life
versions
that
are
actually
open
source
and
that's
all
kinds
of
difficult
to
to
do
with,
and
so
in
the
next
30-ish
minutes
I'll
get
cues
whenever
I
run
over
time.
B
I
want
to
talk
a
little
bit
about
the
viability
and
the
sustainability
of
Open
Source
software,
so
that
we
can
all
continue
to
enjoy
the
benefits
that
it
brings.
So
who
am
I?
My
name
is
Flor.
My
full
title
is
on
there.
So
now
you
now,
you
know,
I
do
enjoy
my
chickens
a
lot
so
hence
this
picture
that
was
taken
by
this
wonderful
gentleman
here
in
the
front.
B
So
if
you
ever
need
a
new
profile
picture,
you
know
now
know
how
to
go
to
who
to
go
to
I'm
a
Staff
Community
program
manager
at
Ivan.
I
just
switched
jobs
actually
last
week.
So
don't
ask
me
what
I
do
because
I
don't
really
know
yet.
I
was
at
iPhone
before,
but
I
just
switched.
Teams
Ivan
is
a
database
as
a
service
company.
So
we
have
a
couple
of
Open
Source
data
tools
that
we
manage
and
that
we
offer-
and
we
also
contribute
to
these
Upstream
projects
like
postgres
and
Kafka
as
well.
B
Previously
I
was
at
Microsoft
and
I
was
at
grafana
Labs
I'm
part
of
devops
day's,
core
team
I
organize
devops
day
sort
of
co-organized
devops
days,
Amsterdam
in
devastates,
eindhofer
and
Microsoft
MVP,
also
organize
a
lot
of
meetups
contributing.
Today
is
one
of
them
that
sort
of
started
around
pandemic
time
and
was
basically
just
conversations
with
a
lot
of
open
source
maintainers
and
anyway,
like
people
in
the
open
source
space
learned
a
ton
from
those
meetups
too,
and
what
I've
learned
from
those
meetups
I
gave
a
talk,
I
forced
them
earlier
this
year.
B
B
We're
going
to
talk
about
some
issues
that
are
prevalent
in
open
source
these
days
and
one
of
those
is
a
project
re-licensing
their
their
software,
in
order
for
to
avoid
free
writing
from,
for
instance,
Cloud
providers
more
on
that
later,
or
to
avoid
that
bad
people
use
people's
software
to
do
more
bad
or
to
alleviate
some
responsibility
also
recently
re-licensing,
because
they
couldn't
secure
funding
and
it
was
sort
of
like
posed
as
a
threat.
If
you
don't
give
us
funding,
then
we
need
to
re-license
in
order
to
make
money
out
of
this
thing.
B
B
They're
much
like
you
and
me
in
that
way,
right
like
sometimes
they
will
want
to
protest
something
or
they
will
want
to
have
their
opinions
heard,
and
sometimes
they
will
use
their
work
in
order
for
people
to
actually
listen
to
that
are
these
the
only
issues
that
are
plaguing
open
source?
Definitely
not,
but
again,
I
only
have
30
minutes
and
I
would
love
to
talk
to
you
about.
B
So
in
the
recent
years
we've
seen
an
increase
of
kind
of
Open,
Source
licenses
and
I
want
to
have
a
look
at
a
couple
of
them.
So,
for
instance,
the
comments
closed
that
aims
to
restrict
commercial,
free
writing
on
open
source
code,
especially
cloud
service
providers
who
don't
give
back
to
open
source
projects
and
the
commons
Clause
actually
conflicts
with
the
FSD.
The
free
software
definition,
which
is
which
claims
the
right
to
use
software
for
any
purpose
and
the
open
source
definition.
B
The
OSD
in
that
the
license
shall
not
restrict
any
party
from
selling
or
giving
away
the
software
and
there's
a
bunch
of
sort
of
ambiguous
wording
in
that
license
and
I
don't
want
to
give
you
a
licensed
lecture,
because
that's
not
right,
but
for
instance,
it
says
that
their
value
is
derived
entirely
or
substantially.
But
it
doesn't
really
explain
what
substantially
even
means
so
like
beyond
what
would
with
that
actually
come
into
play
and
mongodb
use
that
license
for
a
while,
as
that
did
redis
labs.
B
Redis
labs
actually
combine
it
with
the
Apache,
which
is
a
dual
license,
and
it
brings
in
a
whole
host
of
other
problems
by
the
way,
because
when,
when
does
what
work
in,
then
you
switch
to
the
sspl,
which
is
kind
of
like
the
GPL
license,
but
with
more
restrictions
and
it's
not
approved
by
the
open
source
initiative.
If
you're
not
aware
open
source
initiatives,
are
the
initiative?
Is
the
stewards
of
the
open
source
definition
so
the
OSD?
B
So
there
is
a
couple
of
licenses
that
you
know
become
prevalent,
sort
of
the
last
recent
years
that
are
not
actually
approved
by
the
or
like
in
line
with
the
open
source.
Definition
read
a
source
available
is
a
is
a
recent
license
that
came
into
play.
Elastic
2.0
is
the
license
that
it
recently
came
into
play
and
I
will
focus
on
a
little
bit
later.
A
lot
of
services
create
their
own
licenses,
which
is
even
more
difficult
to
sort
of
keep
keep
track
of.
B
There's
an
interesting
one
that
is
the
Confluence
Community
license,
for
instance,
which
says
that
you
can
use
modified
distributes
unless
that
that
competes
with
Confluence
business.
But
of
course,
like
Confluence
business
could
change
right.
You
don't
know
it
could
be
like
that
could
be
a
slippery
slope.
So
if
they,
if
they
change
what
their
business
is
like,
then
then
use
using
something
you're
using
their
software
could
then
suddenly
become
illegal,
so
difficult
stuff.
B
This
this
and
yeah
deserves
a
whole
study
of
its
own
and
most
people
that
work
in
open
source
or
work
with
open
source
just
want
to
make
use
of
Open
Source
software
and
not
be
reading
licenses.
All
the
time
also
projects
just
switch
license
so
how
to
deal
with
that,
but
he
did
at
that
conference
not
too
long
ago,
is
that
whenever
a
speaker
takes
a
sip
of
water,
the
people
in
the
audience
applaud,
because
it's
actually
really
difficult
to
remember.
B
All
right
and
then
there's
also
besides
those
kind
of
like
new
new
licenses
or
there's
also
another
type
of
licenses
that
are,
for
instance,
the
ethical
licenses.
So
I
don't
know
if
anyone
has
heard
of
ethical,
Source
or
the
organization
for
an
ethical
Source
but,
for
instance,
there's
a
couple
of
ethical
licenses
as
well
like
the
hypocratic
license.
That
is
a
license
that
prohibits
use
of
software
in
violation
of
internationally
recognized
human
rights
or
the
ml5,
which
makes
an
explicit
connection
between
a
license
and
a
Project's
code
of
conduct.
B
B
It's
just
not
a
way
to
save
open
source
first,
because
it's
not
compliant
mostly
with
the
open
source
definition,
but
also
it
takes
the
code
private
and
that
can
really
hurt
Community
right.
So
changing
changing
your
software
because
you
can't
use
a
particular
part
of
code
anymore.
That's
that's,
really
really
difficult
and
it's
I'm
not
entirely
sure
or
we're
not
entirely
sure.
If
that's
something
that
really
was
necessary
for
the
economic
sustainability
of
some
of
these
projects,
right,
like
and
elastic,
were
really
big
companies
in
their
own
right.
B
So
did
they
really
need
this?
They
felt
like
yes,
they
felt
used
by,
for
instance,
AWS
and
even
taking
enforceability
out
of
the
picture,
because
it's
actually
really
really
hard
to
Sue
and
win
in
cases
of
copyrights
or
patents.
Infringement
changing
to
a
more
restrictive
license
might
cause
companies
and
community
members
to
stay
away
from
your
from
your
projects
and
that's
actually
really
detrimental
to
a
community
and
ecosystem
they.
So
they
do
provide
free
writing.
Yes,
but
that
comes
with
that
comes
with
its
own
set
of
problems
too
right.
B
Quite
recently,
that
was
a
light
bend
that
changed
akas
license
from
Apache
2.0
to
the
BSL
version
1.1,
which
is
a
business
source
license
and
that
started
with
that
would
have
started
with,
or
did
start
in
October
with
akka
version
2.7,
which
I
mean
side
rent.
If
you
change
your
license,
then
do
it
in
a
major
version,
because
you're
actually
breaking
your
API.
So
2.7
doesn't
indicate
like
something
actually
really
really
changed,
but
okay
and
with
any
such
change,
there's
always
talk
of
a
fork
right
and
then
people
that
advocate
for
that
fork.
B
And
while
it's
understandable
that
that
sentiment,
sort
of
like
arises,
it
is
sort
of
the
question
of
how
effective
this
will
be
and
if
hurting
our
fellow
devs
is
actually
really
what
we
want
like
they
didn't
that
they
likely
didn't
make
this
decision.
So
it
might
be
really
misdirected
anger
all
right.
So
there
was
talk
of
a
fork
and
then
there
actually
is
a
fork.
So
Apache
pekko
is
the
fork
that
is
now
incubated
by
the
Apache
foundation
and
thus
with
the
Apache
12
point.
B
B
I,
don't
know
who
was
who
who
was
affected
by
this,
but
this
was
like
this
was
a
blow
to
the
community.
This
was
this
was
super
hard
and
yeah.
So
and-
and
several
players
then
eventually
also
decided
to
drive
a
fork
forward.
So
if
you're
familiar
open
search,
is
the
open
source
alternative
to
elasticsearch
that
also
disclaimer
Ivan
is
very
much
involved
in,
but
so
is
AWS,
so
so
much
for,
like
Cloud
providers
that
don't
give
back
to
the
community.
B
Yes,
it's
difficult
because
elastic
actually
changed
because
of
AWS,
but
they're
also
invested
in
in
creating
an
alternative
that
continues
to
be
open.
Source
and
AWS
is
actually
like
really
driving
that
forward
as
one
of
the
main
players
and
that's
that's
again,
something
that
is
really
really
difficult.
You'll
see
a
lot
of
Open
Source
projects
that
almost
have
a
single
vendor
behind
them.
For
instance,
Apache
Kafka
Kafka
is
also
in
the
Ivan
portfolio,
or
rather
the
decision.
B
What
makes
it
into
the
Kafka
project
is
largely
in
Confluence
hands
and
that
that
that
issue
of
the
single
vendor
you'll
see
a
lot
database
has
a
stronghold
on
Sparks.
Google
on
bean
beam
are
a
very
similar
story
too
then
grafana
lamps
changed
licenses
to
agpl
version
3
for
grafana
and
Loki
and
and
Tempo
and
Google
warns
against
the
this.
Using
the
agpl
saying
that
the
risks
heavily
outweigh
the
benefits
and
then
the
cloud
cloud
native,
Computing
Foundation,
of
course,
in
response
to
the
license.
B
B
If
you
install,
for
instance,
electron
you
install
87
packages,
and
that
means
87
license
dependencies
and
every
single
package
is
likely
to
have
their
own
dependencies
as
well,
and
therefore
even
more
licenses
that
you
need
to
comply
with.
As
you
can
imagine,
license,
management
can
get
really
really
really
complicated
and,
when
done
manually
can
absolutely
create
technical
debt.
So
there
there
are
about
like
300,
plus
different
open
source
licenses,
and
that
list
is
ever
growing.
B
However,
the
good
news
is:
is
that
about
20
licenses
account
for
like
80
percent
of
Open
Source
commonly
used
in
Enterprises.
So
if
you
create
a
denying
an
allow
list
of
those
type
of
licenses
together
with
the
scanning
tool,
that
would
already
provide
you
with
a
pretty
good
starting
point
in
managing
your
license
exposure
and,
of
course
there
is
license
auditing
tools
as
well.
B
B
I
mentioned
before
that
license.
Litigation
is
actually
really
really
hard
true,
but
it
does
happen,
and
you
might
end
up
having
needing
to
change
your
software
in
order
to
comply
with
the
license
of
tools
that
you're
using
and
that's
not
great,
that's
a
lot
of
work
and
also
you
might
actually
get
a
lot
of
bad
press
for
not
being
able
to
comply
with
a
license
and
especially
in
very
sensitive
Industries.
That's
that's
difficult
for
for
a
company.
B
B
B
So
he
spends
time
on
talking
on
podcasts
and
to
try
and
get
donations
and
they
were
like,
but
you
should
work
on
the
project.
Why
are
you
not
committing
more
code
like
what
is
what
is
this
you're
a
maintainer,
and
he
really
struggles
with
this
too,
because
he
feels
almost
like
guilty
whenever
he
is
doing
any
kind
of
like
marketing
or
a
promotion
for
the
project,
and
so
we've
we've
come
to
this
weird
place
where
we
think
that
whenever
we're
donating
like
we
have
a
false
fund,
we
donate
10K
to
a
project.
B
Yes,
but
you
know,
y'all
are
software
people?
What
do
you
earn
annually?
You
don't
need
to
say
this.
You
can
follow
along
later.
You
can
talk
about
later,
but
the
ten
thousands
is
nothing,
and
especially
when
your
project
is
not
necessarily
set
up
to
kind
of
sort
of
distribute
that
kind
of
money
to
all
of
your
contributors
like
it
only
introduces
a
lot
of
complexities.
B
It
doesn't
really
help
a
lot
and
and
I
think
it's
interesting
that,
while
a
company
would
love
to
have
some
runway
in
order
to
do
their
job,
when
you
have
an
open
source
project,
that
might
actually
send
the
wrong
signal
because
you
didn't
need
the
money
you,
you
developed
this
project
before
without
getting
money.
So
now,
what
do
you
need
this
for?
B
And
it
sort
of
ties
into
this
whole
toxic
notion
that
an
open
source,
the
open
source
shouldn't
be
about
money
right,
like
you
shouldn't
you
shouldn't
be
paid
ever
because
only
when
you
are
in
your
mom's
basement
the
price
of
sunlight,
then
you're
like
this
true
unspoiled
hacker,
but
it's
ridiculous.
It
really
is
ridiculous,
anyway,
check
out
this
episode,
because
it
was
really
really
interesting
there.
Another
reference
time.
B
Bartolome
did
a
wonderful
talk
at
state
of
open
con
earlier
this
month
and
talked
about
Lessons
Learned
developing
and
maintaining
the
tunnels
projects
and
sort
of
like
yeah
what
as
a
maintainer,
if,
if
he
could
go
back
to
like
baby
baby
Thanos
maintainer,
what
could
he
could
he
tell
them?
And
if
you're
anyway
there
on
on
the
YouTubes
of
state
of
open
Con,
you
can
also
check
out
Don's
talk
about
open
source
strategies.
It
was
a
really
really
good
one
too
all
right.
B
One
of
them
was,
for
instance,
lastped.
Do
you
all
remember
what
happened
to
laugh
pets,
sort
of
kind
of
so
many
hands
all
right,
so
left
pad
did
almost
nothing.
No,
it
sort
of
like
padded
out
the
left-hand
side
of
strings
with
zeros
and
spaces,
but
still
thousands
of
projects
relied
on
it,
including
also
Babel
from
Henry,
and
when
the
maintainer
removed
the
project
from
npm
out
of
spice
these
applications
and
like
while
widely
used
bits
of
Open
Source
infrastructure
were
unable
to
obtain
the
dependency
and
then
fell
over.
B
Some
projects
from
Kik,
if
you
know,
use
the
same
sort
of
name
and
they
wanted
to
claim
that
namespace
on
npm
and
so
lawyers
went
after
npms
admins
claiming
brand
infringement
and
instead
of
npm
standing
behind
this
maintainer,
who
had
by
the
way
200
other
projects
hosted
on
npm.
They
decided
to
pull
the
project
and
he
was.
He
was
very,
very
angry.
B
There's
many
such
examples,
maybe
you've
heard
of
Seth
Fargo
and
when
he
discovered
that
some
of
the
things
that
he
had
developed
for
a
chef
were
then
used
by
Ice.
The
customs
and
Integrations
in
in
the
US
pulled
pulled
his
code
and
when
there
was
a
whole
upheaval
over
that,
he
was
like
well,
it's
actually
in
my
sort
of
will
that
if
I
were
to
Die
Tomorrow
those
those
libraries
would
also
be
pulled
from
the
internet,
so
better
be
ready,
colors
and
faker.js.
B
By
the
way
and
later
it
became
clear
that
it
was
likely,
because
the
developer
had
expressed
an
intention
already
of
not
or
longer
supporting
big
companies
with
his
free
work
and
that
businesses
should
actually
either
Fork
the
projects
or
pay
him
and
I
quote
a
six-figure
salary
like
we
all
rely
on
these
projects
like
what.
Why
do
we
think
we
can
get
away
with
it?
B
Another
one
is
no
no
RPC
I'm
running
it
low
on
time,
so
I'm
gonna,
I'm
gonna
quickly
go
through
this,
but
node
IPC
a
developer
behind
this
sabotage
some
versions
of
the
library
in
protest.
So
this
protest,
where
for
in
products
of
the
ongoing
war
in
Ukraine,
and
so
definitely
users
in
specifically,
Russia
and
Belarus,
were
effective
affected
by
this
change.
B
Last
week,
courges
I,
don't
know
if
you've
seen
this
definitely
have
a
read.
Oh,
my
God,
what
a
show
I
didn't
want
to
swear
on
stage
did
I
sure
did
we're
in
Europe
the
weekends
we're
almost
there.
Okay
generally
open
source
is
part
of
our
infrastructure,
enough
products
and
our
tooling,
and
for
this
reason
we
need
to
care
about
it.
If,
as
if
they
were
our
own
projects,
no
company
will
leave
any
of
their
critical
infrastructure
or
in-house
developed
text
take
unmaintained.
B
So
why
are
we
willing
to
do
so
for
the
ones
that
are
open
source
lock4j?
Don't
need
to
tell
you
about
that,
so
sometimes
we
think
that
open
source
is
inherently
secure.
The
code
is
out
in
the
open.
So
if
anything,
if
so,
if
anything
is
broken
right,
like
people
will
see
it
and
they
will
mitigate
that
right
like.
B
But
then
how
do
you
explain
all
of
these
things?
And
how
do
you
explain
log
for
J
in
Hartley,
so
that
many
eyes
argument
is
very
very
shaky
because
it
needs
the
right
people
to
look
in
the
right
places
and
I
feel
like
most
developers
come
to
open
source
for
Solutions
and
not
for
more
problems,
a
lot
of
stuff
to
back
that
up.
B
But
I
want
to
go
quickly
to
some
of
the
things
that
we
can
actually
do
to
make
sure
that
open
source
is
sustainable.
So
making
sure
you,
you
all
have
a
place
in
making
sure
that
open
source
is
sustainable.
One
of
those
things
is
to
invest
your
time
and
to
invest
your
money,
but
only
when
it's
applicable.
B
So
please,
like
measure
them
accordingly
as
well.
Join
a
foundation
maybe
and
join
forces
with
other
organizations.
There
are
other
organizations
that
rely
on
the
same
libraries
than
you
do
so
make
sure
that
you
can
maintain
the
together
and
they're
not
dependent
on
just
the
one
that
one
single
vendor
and
when
you
participate
in
open
source.
Please
look
at
the
principles
of
authentic
participation.
B
Don't
think
that
you
can
just
Fork
a
project
and
maintain
a
bunch
of
mirrors
or
all
the
projects
that
you
rely
on,
because
also,
first
of
all,
congratulations.
Congratulations!
You're!
Now
a
maintainer
of
a
lot
of
Open
Source
projects
and
people
will
come
to
you
with
all
of
their
issues.
You
don't
want
that,
but
also
open
source
projects
are,
you
know,
like
vulnerabilities,
get
fixed
too,
and
sometimes
vulnerabilities
are
in
a
code
for
a
really
really
long
time
weeks
months
years
and
you
want
to
benefit
from
all
of
those
patches
too.
C
A
A
D
Recently
worried
about
packages
and
maintainers
right
to
die
right
like
my
right
to
no
longer
maintain
something
and
I.
You
know
I
reached
out
to
the
colors
and
fakers
maintainer
yeah
they're
super
extreme,
but
also
I
was
like
Hey.
Thank
you
so
much.
That
was
the
kind
of
action
that
we
need
to
take
totally
illegal
for
Microsoft
to
then
go
and
take
on
ownership
of
that
repository
because
a
license.
D
Plainly
states
the
rules
and
responsibilities
of
the
end
user
right,
yep,
not
appropriate
right
now,
there's
a
bunch
of
maintainers
that
don't
want
to
be
in
corporate
open
source
and
those
are
the
ones
that
are
mostly
at
risk.
So
can
we
find
alternative
models
to
engaging
with
open
source
in
the
wild
that
doesn't
require
them
to
work
at
Google?
No.
B
Yeah,
because
they
shouldn't
need
to
work
at
Google
if
they
don't
want
to
work
at
Google,
100
I
feel
like
we
have
way
too
little
avenues
for
for
maintainers
that
don't
want
to
be
employed
to
be
able
to
have
a
consistent
income
and
that's
absolutely
a
problem,
and
that's
something
that
we
need
to
talk
about
and
if
that's,
if
that's
funding
through
some
other
way
or
helping
them
to
actually
be
able
to
to
get
funding,
because
that's
also,
this
is
complicated.
Right,
like
it's
almost
like
you're
running
a
business.
B
What
so
yeah
there
needs
to
be
more
work
there
and
there's
way
too
little
work
there.
It's
pockets
of
money
here
and
there
and
you're
spend
you
end
up
spending
too
much
time
like
Henry,
like
just
to
get
those
pockets
of
money
consistently
to
make
sure
that
your
project
can
continue
yeah
so
100
degree.
C
So
my
question
is:
if
you
look
at
open
source,
maintainers
or
software
developers,
I
think
there's
also
a
sort
of
social
issue,
because
if
you
have
to
maintain
an
open
source
project,
you
also
have
to
sort
of
lead.
The
community
and
I
think
in
that
point
of
view,
the
best
example
is
the
historical
is
being
unable
to
communicate
with
the
other
kernel
developers
in
a
way
that
people
feel
appreciated
for
the
work
they
do
and
I
think
that's
also
one
of
the
things
that
might
help
those
projects
to
prosper.