For more Continuous Delivery Foundation content, check out our blog: https://cd.foundation/blog/
Keynote: LF Research: Developer-Centric Insights and Opportunities - Hilary Carter, VP Research, Linux Foundation
A
The other report that we did in 2020 was the FOSS contributor study. This was a project we did in collaboration with Harvard, the Laboratory for Innovation Science, and we learned some really important things in that project. We learned that the top three motivators for developers have nothing to do with money; they're about learning, they're about building features, and so on. We learned that security responsibilities can't fall solely to contributors.
A
There needs to be a balance between project interests and enterprise projects and their needs, and that we really have to enhance the positive trend that employee contributions make to open source projects. It's a very interesting foundation, and from these two 2020 research projects, Linux Foundation said: hey, this is really useful stuff. We need to do more of this. We need to look at open source and the entire paradigm and understand what is going on in open source, broadly, across all different technology projects. And so Linux Foundation Research was born.
A
We launched the program in April of 2021. I came on board to kick off a very dedicated research initiative where we would create a series of deliverables that would describe what's taking place in open source project communities and, in doing so, create a shared utility. A utility that would inform public policy, could inform enterprise strategy.
A
It would and will inform, and does inform, the programming across individual technology projects. It helps us determine, through data and insight: how do we prioritize our efforts? What's working? What's not working so well? So here's how we go about the business of conducting open source research. One of the first ways we look at open source is through industry verticals. We've so far published projects in financial services and film and entertainment, in education and training, and, oh, something I'm missing.
A
Energy. Energy and resources. Really important stories about what is going on in these industry verticals, and what they do is they provide a pathway for other organizations within these industries to say: hey, if this is going on in Europe, or if these companies are collaborating in an open capacity, we can too. We're also looking at what's happening in open source along tech horizontals. So far, we've published projects in AI and data, blockchain storage technologies, soon to be cloud, non-fungible tokens and so on, so lots of good stuff coming at the tech horizontal level.
A
We also look broadly at issues that don't fit neatly into an industry vertical or a tech horizontal, but that impact the whole of the open source ecosystem. Issues like the developer contributor dynamic: what's going on in these communities, how can we serve the needs of developers and community at developers and contributors?
A
What are the issues around diversity, equity, inclusion? How are these facets shaping the success of our project communities, and are they attracting the right kind of talent? What's going on in standards? What's happening in cyber security?
A
So last month, at KubeCon Valencia, we launched World of Open Source, a new framework to explore open source dynamics at a geographic level, whether that's looking at the globe, a continent, a country or regions within countries, things like Silicon Valley as a phenomenon or the city of Toronto and how it's nurtured a very special kind of blockchain ecosystem. Like, what's happening at the geographic level? It's a really interesting way to look at the dynamics and how we can perhaps build bridges across perhaps fragmented geographic regions. We shall see.
A
We publish open data so that, if you want to do your own research with survey data, that is made available to you. We do remove any personally identifiable information, but feel free to use any of the data sets that you'll find specific to our published projects to date. We often also host webinars and panels at events, so stay tuned for all kinds of research deliverables and activities that affect your particular areas of interest.
A
The first thing, which may seem obvious, may not, but open source development is a fun thing. And what's interesting is Linus Torvalds, when he released Linux kernel, said: not doing anything big, just doing something for fun. It's still fun, and this particular stat comes from our industry vertical report in financial services.
A
Open source collaboration is fun, so that's really good, and it's fun for a majority of respondents, and it's a theme that repeats in research over and over again, certainly in conversations. Another truth: developers take personal interest in their work. They love doing this. Very intrinsically motivated group, so good stuff. Developers can contribute after hours. They may contribute to multiple projects.
A
Why? Because it's fun. They're intrinsically motivated to do it. It's a very healthy bit of data. Lots of hearts there. Training is super important and is the need that we are addressing at the Linux Foundation by offering training and certification programming. Two-thirds of developers need more training to do their jobs. Where do they need training? Primarily in cloud, container orchestration, Kubernetes.
A
Secondly, in Linux kernel. Thirdly, in DevOps. Cyber security is running a close fourth. We will release our 10th annual training and jobs report in two weeks' time, right here at Open Source Summit North America, at the Marriott, so hopefully you'll be coming back in two weeks, and you can dig into this year's findings on training and certification dynamics specific to this community. Policy barriers.
A
SBOMs. One of the first cyber security research reports we did was on software bill of materials and their role in cyber security readiness. Are SBOMs a good thing? You bet they are. When we produce SBOMs, the number one development is better understanding of dependencies, and when we know what our dependencies are, we can better find and patch vulnerabilities.
A
So, regardless of the format, SBOMs are a great thing to adopt, and we're seeing an increase in their use, thanks to the executive order passed by the Biden administration last May. Devs are phenomenal, phenomenal stewards and champions of their projects. This particular quote about sense of community and responsibility to shepherd the work comes from Carol Payne, who's part of the Academy Software Foundation, the Linux Foundation project community that is building shared technologies for film, animation and gaming, and this kind of advocacy led to the formation of the Academy Software Foundation.
A
At the Linux Foundation. It was totally developer-led. The developers said: we need to get together. We need to share our intellectual property and work on this common tech together, and then film studios can do what they do best, which is compete on other things. Let's not compete on tech stacks. Let's compete on story, on art, on how we use the technology to deliver a better film. And it was the developers, the engineers, who brought the management teams and the lawyers together.
A
It was really fascinating work and another amazing dev-led story that came out through the research process. Being an open source developer also has its benefits. Maybe some of you are totally focused on building proprietary tech. Open source has its benefits: being able to build on the work of other people and then go about your business of differentiation.
A
Not unlike the past example I just gave in film and entertainment, is a great thing. That's how open can be leveraged. And open source devs, similarly, they mitigate risk through collaboration. The risk path is reduced because you have the benefit, very obviously, of many eyes, multiple viewpoints and cross checks.
A
There's a lot of responsibility on their shoulders. What can we do to ease the burden and reduce risk consequently? And aren't you all glad that demand for your time and talents exceeds supply? Because you're in a really healthy position in terms of career. This is a phenomenon, but it does create strain on the ecosystem at large, because the demand for open source is far exceeding the supply of talented contributors to create the code.
A
Research, as happens sometimes, produces some uncomfortable truths, and when we have asked questions about diversity, about equity, about inclusion, about feeling welcome, sometimes we don't get answers that are super helpful, super cheery, and we have some work to do. We have some issues to address, to help make our environments more inclusive, more welcoming. Not all developer experiences are universally positive. Not everybody feels welcome, and sometimes there's active discrimination.
A
So that is a snapshot of a few of the highlights, what I've learned about the developer community through research projects. I'm going to share now a couple of reports that are coming up that I'd like to make you aware of. Earlier today, you heard Brian Behlendorf talking about the work of the Open Source Security Foundation.
A
We also know that we can't simply throw money at this problem to encourage developers to work on cyber security. So how do we deal with this? What do we need to do now? So my colleague Steve Hendrick and I, at the Open Source Security Foundation governing board meeting in November, hosted a bit of a roundtable and said: what do you need? What is the data that is going to best inform your programming?
A
Is it regulatory issues? Do we need a vulnerabilities reporting system? And then it came out: why don't we just ask the maintainers, committers and developers what it is that will help? And so we did. So in two weeks' time we're publishing a report on open source software security in collaboration with Snyk, and we're looking at the role of tools and best practices from the point of view of maintainers, committers and developers at large, asking them: how do we deal with security if something happens to a maintainer, or if they retire, or something else happens?
A
And the great thing is that Brian and his team at OpenSSF are wholeheartedly committed to implementing these practices and to creating buy-in so that we achieve our ends. We have a lot of support from the community very broadly, but we have to know where to prioritize our efforts. So in terms of priorities, looking at popular projects is really important. So one of the data points that came through is looking at improving dependency management. Dependencies drive our conversations about software supply chains, and only 24 percent of survey.
A
On this note, I will say our Census II report that Brian referenced earlier used data from three software composition analysis firms, Snyk, FOSSA and Synopsys, and it is but a snapshot of the most popular projects. It is by no means comprehensive, and in order to make research better and the data more insightful, we need more data.
A
We need more organizations to come forward and share their data sets, so we have a better picture of what the most popular application libraries are, so we know where to focus our efforts. The example being the Spring Framework library, found in nine percent of all Java projects. Because it was a popular project, it was quickly identified.
A
The remote code execution vulnerability was quickly identified in the spring, lots of eyes on it. So finding out what those priority projects are, those popular projects, super, super important to our work going forward, and you can help. We're also engaging presently in another project, looking at maintainers, and we're looking specifically at the maintainers of the popular application libraries that were identified in our Census II report. Why? Because real people are maintaining code bases. It's not, you know, a fantasy land of things that are created by bots. These are about, this is about human beings.
A
Europe leads in a number of ways. They are huge respondents to our surveys. We have as many respondents to the FOSS contributor survey, and initial LF Research surveys, from Europe as North America. They also lead in academic citations in open source research. What we want to know is: what is the adoption of open source like in Europe? What are the challenges? What is unique? So that we can serve the community and reduce fragmentation, keep those bridges alive and well across all of our regions. So please help us out. Share the survey with other people.
A
The criteria is: you're a resident of Europe, you're at least part-time employed and you're over 18. And please remember, research is a team sport. Can't thank you enough if you've participated in LF Research to date, either by giving an interview, participating in a survey. We'll always protect your personal information. Stay in touch, and if there's anything we can do to help you do your jobs better, let us know. Thank you very much.