Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Continuous Delivery Foundation / cdCon 2022 / 24 Jun 2022
Continuous Delivery Foundation / cdCon 2022 / 24 Jun 2022
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Keynote: LF Research: Developer-Centric Insights and Opportunities - Hilary Carter

Description

For more Continuous Delivery Foundation content, check out our blog: https://cd.foundation/blog/

Keynote: LF Research: Developer-Centric Insights and Opportunities - Hilary Carter, VP Research, Linux Foundation

A

Hi everybody good morning, it's great to be here. So what are we going to talk about today?

A

I'd like to introduce linux foundation, research and tell you how we're building on a foundation of research excellence at the linux foundation, and I want to share some fun facts that we have uncovered about the developer community in our first year of operation.

A

I want to discuss some soon to be published, developer-focused research projects that will very likely be of interest, and I want to tell you more about how you can get involved in the research process and how we can all get value by working together.

A

So, let's dig in so linux foundation has a history of producing some pretty impactful research reports that revolve around developer communities in 2020, two notable projects included the linux kernel history report, which looked at best practices and tooling infrastructure, and how those two elements were really responsible for the ubiquity of the linux operating system, helping it become the universal operating system and and how those elements uh really shape the success of software projects.

A

The other report that we did in 2020 was the foss contributor study. This was a project we did in collaboration with harvard the laboratory for innovation science, and we learned some really important things in that project. We learned that the top three motivators for developers have nothing to do with money, they're about learning, they're, about building features, and so on. We learned that security responsibilities can't fall solely to contributors.

A

There needs to be a balance between project interests and enterprise projects and their needs, and that we really have to enhance the positive trend that employee contributions make to open source projects. It's a very interesting foundation and from these two 2020 research projects, linux foundation, said hey. This is really useful stuff. We need to do more of this. We need to look at open source and the entire paradigm and understand what is going on in open source, broadly across all different technology projects, and so linux foundation, research was born.

A

We launched the program in april of 2021. I came on board to kick off a very dedicated research initiative where we would create a series of deliverables that would describe what's taking place in open source project communities and in doing so, create a shared utility. A utility that would inform public policy could inform enterprise strategy.

A

It would and will inform and does inform the programming across individual technology projects. It helps us determine through data and insight. How do we prioritize our efforts? What's working? What's not working so well. So here's how we go about the business of conducting open source research. One of the first ways we look at open source is through industry, verticals, we've so far published projects in financial services and film and entertainment in education and training, and oh something. I'm missing.

A

Energy energy and resources really important stories about what is going on in these industry verticals and what they do is they provide a pathway for for other organizations within these industries to say hey if if this is going on in europe or if these companies are collaborating in an open capacity, we can too we're also looking at what's happening in open source along tech horizontals. So far, we've published projects in ai and data, blockchain storage technologies, soon to be cloud, non-fungible tokens and so on, so lots of good stuff coming at the tech horizontal level.

A

We also look broadly at at issues that don't fit neatly into an industry vertical or attack horizontal, but that impact the whole of the open source ecosystem issues. Like the developer contributor dynamic, what's going on in these communities, how can we serve the needs of developers and community at developers and contributors?

A

What are the issues around diversity? Equity, inclusion? How are these um facets shaping the success of our project communities and are they attracting the right kind of talent? What's going on in standards what's happening in cyber security?

A

So we do take a very broad look at some ecosystem-wide dynamics. A new framework has been launched this year. We realized that starting with three was a great place to start, but there's really another way to look at open source and that's from a geographical point of view.

A

So last month, at kubecon valencia, we launched world of open source a new framework to explore open source dynamics at a geographic level, whether that's looking at the globe, a continent, a country or regions within countries, things like silicon valley as a phenomenon or the city of toronto and how it's nurtured a very special kind of blockchain ecosystem like what's happening at the geographic level. It's really interesting way to look at the dynamics and how we can perhaps build bridges across, perhaps fragmented geographic regions. We shall see.

A

So what do we produce? The first thing we produce is a written report.

A

We use lots of infographics I'm going to use examples of these infographics in this presentation today and by the way, if you see anything that you, like all of our research infographics, are available at linuxfoundation.org.

A

Slash research feel free to pull in any of the data use them in your presentation. All of our content is creative, commons and open, as is the data from surveys.

A

We publish open data so that, if you want to do your own research with survey data that is made available to you, we do me we do remove any personally identifiable information but feel free to use any of the data sets that you'll find specific to our published projects. To date, we often also host webinars and and panels at events, so stay tuned for all kinds of research, deliverables and activities that affect your particular areas of interest.

A

So now, let's get into some fun facts about the developer community that so far in the 13 research projects we have published found some interesting things about this community.

A

The first thing which may seem obvious, may not but open source development is a fun thing and what's interesting is linus torvalds when he released linux kernel said not doing anything big, just doing something for fun. It's still fun and this particular stat comes from our industry vertical report in financial services.

A

Open source collaboration is fun, so that's really good and it's fun for a majority of respondents and it it's a theme that repeats in research over and over again. Certainly in conversations another truth developers take personal interest in their work. They left doing this very intrinsically motivated group, so good stuff developers can contribute after hours. They may contribute to multiple projects.

A

Why? Because it's fun they're intrinsically motivated to do it. It's a very healthy bit of data lots of hearts there training is super important and is the need that we are addressing at the linux foundation by offering training and certification programming, two-thirds of developers need more training to do their jobs. Where do they need training, primarily in cloud container, orchestration kubernetes?

A

Secondly, in linux kernel. Thirdly, in devops, cyber security is running a close. Fourth, we will release our 10th annual training and jobs report in two weeks time right here at open source summit, north america, at the marriott, so hopefully you'll be coming back in two weeks, and you can dig into this year's findings on training and certification dynamics specific to this community policy barriers.

A

The regulatory environment is significant and it impedes developer contributions in some industries more than others, particularly financial services, but healthcare as well and government, and this kind of information helps us to inform programming, helps us to inform our conversations with regulatory bodies to try to reduce some of these regular regulatory barriers so that we can have more participation.

A

This particular stat that 45 of respondents in our financial services survey have outright prohibition of any kind of open source contribution. So that's not super productive and it even extends to um community rooms. Chat rooms that are specific to projects.

A

Contributors are afraid to comment in these environments for fear that, let's just say, the securities and exchange commission might take an interest in what is being stated.

A

So it's incumbent upon us to work together with regulators to help them better understand. Open source and to think about a way forward to encourage more productive collaboration for everyone's collective benefit.

A

We know that developers are also largely responsible for innovation, that is creating software defined industries, and I don't know this having come from the blockchain space, this is very much a bottom up creation that software is redefining brick and mortar industries.

A

It's also happening in in film and entertainment developers are creating the future. It's very much bottom up, it's not coming from an organization on down, so that has to be incredibly gratifying.

A

S-Bombs one of the first cyber security research reports we did was on software bill of materials and their role in cyber security. Readiness are s-bombs a good thing. You bet they are when we produce s-bombs the number one development is better understanding of dependencies, and when we know what our dependencies are, we can better find and patch vulnerabilities.

A

So, regardless of the format, s-bombs um are a great thing to adopt and we're we're seeing an increase in their use. Thanks to the executive order passed by the biden administration last may, devs are phenomenal phenomenal stewards and champions of their projects. This particular quote about sense of community and responsibility to shepherd. The work comes from carol, payne, who's, part of the academy software foundation, the linux foundation, project community, that is, building shared technologies for film animation and gaming, and this kind of advocacy led to the formation of the academy software foundation.

A

At the linux foundation. It was totally developer led the developer said we need to get together. We need to share our intellectual property and work on this common tech together and then film studios can do what they do best, which is compete on other things. Let's not compete on tech stacks. Let's compete on story on art on how we use the technology to deliver a better film, and it was the developers, the engineers who brought the management teams and the lawyers together.

A

It was really fascinating work and another amazing dev led story that came out through the research process. Being an open source developer also has its benefits. Maybe some of you are totally focused on building proprietary tech. Open source has its benefits being able to build on the work of other people and then go about your business of differentiation.

A

Not unlike the past example. I just gave in film and entertainment is a great thing. That's how open can be leveraged an open source devs. Similarly, they mitigate risk um through collaboration. The risk path is reduced because you have the benefit very obviously, of many eyes, multiple viewpoints and cross checks.

A

I know that in the research process, my research, because it takes place in an open source type of environment and is subject to many more eyes than it was in a previous research program- is way better. It's way better for it. It's a great methodology.

A

We've learned that devs shoulder a ton of responsibility.

A

A recent report published in collaboration with harvard is that the most widely used software is developed only by a handful of contributors, specifically 136 devs were responsible for more than 80 percent of lines of code in one of the top 50 packages, so it becomes incumbent upon all of us to say how can we support this group?

A

There's a lot of responsibility on their shoulders? What can we do to ease the burden and reduce risk? Consequently, and aren't you all glad that demand for your time and talents exceeds supply because you're in a really healthy position in terms of career? This is a this is a phenomenon, but it does create strain on um the ecosystem at large, because the demand for open source is far exceeding the supply of talented contributors to create the code.

A

Research, as happens sometimes produces some uncomfortable truths, and when we have asked questions about diversity, about equity, about inclusion about feeling welcome, sometimes we don't get answers that are super helpful super cheery and we have some some work to do. We have some issues to address, to help make our environments more inclusive, more welcoming, not all developer experiences are universally positive. Not everybody feels welcome and sometimes there's active discrimination.

A

We know that minority groups struggle people who don't feel welcome are from disproportionately underrepresented groups, women, racial groups, lgbt community people with disabilities and so on, and why does this matter? Well, when we have diverse teams, we create better technology.

A

That is a well-researched fact when we have people with various backgrounds, various perspectives, diversity and thought, as well as diversity in physical and geographical profile. We create better tech, plain and simple, so it is something that we need to keep striving for.

A

So that is a snapshot of a few of the highlights. What I've learned about the develop developer community through research projects, I'm going to share now a couple of reports that are coming up that I'd like to make you aware of earlier today, you heard brian bellendorf talking about the work of the open source security foundation.

A

Securing software supply chains is absolutely research priority priority numero uno at the linux foundation. It's why we started off with s-bombs, but we are only getting started.

A

Securing software supply chains is a big topic, it's a grand objective and we need the processes to be informed by data.

A

Our fos contributor survey revealed some pretty ugly truths about cyber security, as well developers report spending only two percent of their time on security issues, but not only that there's this sentiment that working on patches and bug fist fixes is a soul, withering or soul, destroying exercise, it's boring and that's the challenging sentiment, and it came through loud and clear in the contributor report.

A

We also know that we can't simply throw money at this problem to encourage developers to work work on cyber security. So how do we deal with this? What do we need to do now, so my colleague steve hendrick and I um at the open source security foundation governing board meeting in november, hosted a bit of a roundtable and said: what do you need? What is the data that is going to best inform your programming?

A

How do we encourage developers not just to eat their veggies but to be inspired and motivated to work on cyber security like what do we need, and where do you prioritize your effort?

A

So we asked the board. We had a 20-minute discussion. A couple of questions: are you looking for more census data? Are you looking for data around the process model around where in the sales implementation are? Are we getting stuck?

A

Is it regulatory issues? Do we need a vulnerabilities reporting system, and then it came out? Why don't we just ask the maintainers, committers and developers what it is that will help, and so we did so in two week weeks time we're publishing a report on open source software security in collaboration with sneak and we're looking at the role of tools and best practices from the point of view of maintainers, committers and developers at large asking them. How do we deal with security if something happens to a maintainer or if they retire, or something else happens?

A

What do we need to do around policy around open source software development, and how can we improve resourcing and tools and what incentives do you want or need so that we can serve this community through better programming?

A

And the great thing is: is that brian and his team at open ssf are wholeheartedly committed to implementing these practices and to creating buy-in so that we achieve our ends? We have a lot of support from the community very broadly, but we have to know where to prioritize our efforts, so in terms of priorities, looking at popular projects is really important. So one of the data points that came through is looking at improving dependency management dependencies drive our conversations about software supply chains and only 24 percent of survey.

A

Respondents felt that strong dependency management was in place, so dependencies are an issue that we need to deal with. Our developers want the issue to be dealt with and prioritizing popular projects is a really good way to start what is being used.

A

On this note, I will say our census 2 report that brian referenced earlier used data from three software composition, analysis, firms sneak fossa and synopsis, and it is but a snapshot of the most popular projects. It is by no means comprehensive and in order to make research better and the data more insightful, we need more data.

A

We need more organizations to come forward and share their data sets. So we have a better picture of what the most popular application libraries are. So we know where to focus our efforts, the example being the spring framework library found in nine percent of all java projects, because it was a popular project. It was quickly identified.

A

um The remote co execution vulnerability was quickly identified in the spring lots of eyes on it, so finding out what those priority projects are. Those popular projects super super important to our work going forward and you can help we're also engaging presently in another project, looking at maintainers and we're looking specifically at the maintainers of the popular application, libraries that were identified in our census to report. Why? Because real people are maintaining code bases, it's not. You know a fantasy land of things that are created by bots. These are about. This is about human beings.

A

We need to understand what the pressures are on maintainers. How many projects do they work on? Where do they live? Why do they do what they do? What do they need and that's the community we want to serve because so much is so much responsibility rides on their shoulders.

A

So if you are a maintainer, if you know a maintainer of a popular repository widely used open source software, we would love to talk to them. Please connect anybody, who's willing to have a conversation for an hour and tell us what's going on that's how we can help.

A

So here's how you get involved anybody here from europe yay, please scan that qr code and take our survey. It's our first regionally focused study on what's happening in open source in europe.

A

Europe leads in a number of ways. They are huge respondents to our surveys. We have as many respondents to the foss contributor survey, an initial lf research surveys from europe as north america. They also lead in academic citations in open source research. What we want to know is what is the adoption of open source like in europe? What are the challenges? What is unique so that we can serve the community and reduce fragmentation, keep those bridges alive and well across all of our regions. So please help us out share the survey with other people.

A

The criteria is your resident of europe you're at least part-time employed and you're over 18., and please remember, research is a team sport can't thank you enough. If you've participated in lf research to date, either by giving an interview participating in a survey will always protect your personal information stay in touch and if there's anything, we can do to help you do your jobs better. Let us know. Thank you very much.