Good morning everybody, welcome back for the second day of PyCon Australia. I will be your MC for this session. My name is Russell, and it is my distinct pleasure this morning to introduce our first speaker in this block, coming in virtually from over the Internet. Amanda Casari will be speaking to us about our dependencies, or our dependency on open source dependencies. Please make her welcome.

All right. Hello again everyone, it's a delight to see you, or not, because I can't see you, but I trust that there is a lovely audience of people in person, because you have all come as a special guest of our friend Salty the sea otter here and her many friends. So I am excited to be talking today about navigating the murky waters where... hang on, I did that one already, 48 hours ago. So, you know, look: present Amanda, I get it, you're here to talk about our dependency on open source dependencies, I'm super excited for you. You're forgetting one thing, which is this:
This isn't my talk. So it's only the second slide, I haven't even gotten to the title. Here's the shameless self-promotion for the last talk. But I have added in multiple things to this, it will be a roller coaster. We'll have shameless self-promotions, shameless friend promotions, side quests, and it's a solid talk. All the extras exist because, like I said, this is actually not my talk. That's right, this talk was originally written and performed, and I mean presented, by myself and your very own brilliant Nicky Ringland, who I hope made it to the room. It sounds like there might have been a slight emergency beforehand; if not, she'll be showing up and hopefully will throw popcorn and heckle me accordingly, because this is v2.0 of a talk that we created together and gave at the Lesbians Who Tech Summit in June of 2022.
Nicky was kind enough to allow me to shine it up and take it out for another spin with all of you today. For those of you familiar with the Australian program Bluey, it might be that this representation of ourselves as very specific adults on that show is all you need to know who we are. In case you are not one of those lucky folks, some context about myself: I am a pale white woman with light hair and eyes who wears glasses. I am a researcher and engineer at Google, where I'm currently leading a team focused on research and education in our Open Source Programs Office. I am using my nighttime DJ voice tonight because the last time I gave a talk my kids complained that I was talking too loud; hopefully that will not happen tonight. I'd like to let Nicky introduce herself, but since she's not here in the stream with me and she might be busy in the audience with you, I get to make it all up. Dr Nicky Ringland also works at Google. She was hired in the year 2137 to hire and build a team based on her groundbreaking research into human time
travel for fun and profit. Unfortunately for Nicky, one of the scientists on her team forgot to carry a one, causing her to lose all relevant memories as she came into the past, only retaining her cover story. Fortunately for us, future Nicky was kind of a selfish jerk who didn't believe in sharing, so no one else has been able to replicate her work on this timeline. Also fortunately for us, present-day Nicky is a wonderful human being who believes that credit is always best when shared freely, and access to education and information is a human right.

So my first shameless self-promotion and friend promotion and side quest are now all complete. For those whom it helps, you can find these slides with detailed speaker notes, which I may or may not stay on script to, at bitly, that's bit.ly backslash OSS deps dash r-a-n-b-o-w-s-n-e-k 2023 slides.

I would like to begin by acknowledging and paying respect to the traditional owners of the various lands on which we meet today. I'm joining you from land which has served as a site of sustenance, community,
meeting and exchange among Indigenous people since time immemorial. The Western Abenaki are the traditional stewards of these forest lands and waters in Vermont, which they call Ndakinna, or homeland. We respect their spiritual and lived connections to this region and remember the hardships they've endured both past and present, including violence and forced displacement at the hands of colonizing peoples. As we gather in this physically dispersed and virtually constructed meeting, as we share our knowledge, teaching and learning practices, may we give thanks for the opportunity to share in the joys of this place where I am coming to you from, and to protect it.

So this is a talk about technology. We will be as human-centered as we can achieve, starting with our communal agreement that everyone here comes from different backgrounds and understandings of the concepts we'll be talking about today. The words we use may have a different meaning in your disciplinary area of work. To get us all starting from the same footing, we're going to spend a few
minutes defining key concepts. Open source, when aligned specifically with software, has a very specific definition which relies on the criteria governed by the Open Source Initiative. These have to do with access to source code and other musts and must-nots which relate to distribution and authorship rights. You can learn more about these criteria at opensource.org backslash OSD.

Next we have a dependency. This is simply referring to when one piece of software relies on another piece of software. Very simple. Okay, next, I guess. Sometimes that's true. The reality is this definition is oversimplifying things. So what we've got here is that a dependency of a package or a version is a separate piece of software that is imported by the package for the build. So let's say you want to use the Python package matplotlib to do that awesome data science project. So you import it, but to do that, first you've got to install it, and when you do that it automatically downloads and installs a bunch of magic for you.
So, hey, I'm sorry, what was that? Do that one more time. Keep going. Uh-huh, okay, I installed matplotlib, cool cool cool. What's all this other stuff? Okay, that was the dependency I want to use, and it's installing its own dependencies. The thing is, each of these little progress bars were the other packages that were installed as dependencies of the dependency I installed. So here's your nice tidy dependency tree, right? Oh no, there's a vulnerability that's just been discovered in one of those dependencies. So an example of this is when the popular logging package that you were using, maybe log4j, had a vulnerability discovered. Yeah, so I don't know about you, remote code execution was on your holiday wish list two years ago? Not for anybody. If you're lucky, the vulnerability is in one of your direct dependencies, that one little thing that you can see immediately. But if the vulnerability is in a package in an indirect dependency, something further down the tree, then your options are more limited. With log4j
it turned out that in this case more than 80 percent of the open source packages on Maven Central use log4j, so some 16,000 packages were indirectly impacted. Surprise! This is also too oversimplified; that's not quite accurate. Chances are the dependency graph doesn't look like a nice clear tree. Hope you're all ready: it's a dependency graph, and it might be highly connected. So that vulnerability, even if it's a direct dependency, is likely not only a direct dependency but also an indirect dependency. If you want to find out more about how much of a mess it is, here, my friends, is the second shameless self, I mean friend, because Nicky wrote that section, the second shameless friend promotion for another of Nicky's talks explaining this even more in detail, especially around what happened with log4j.

Time for more definitions. Let's talk supply chain. The concept of a supply chain refers to the people and processes for making and distributing a product, and it's often applied to manufacturing. A supply chain
is a process of getting a product to the customer. Now here, like in the previous, it's not a tree, it's a graph. There is iterative reuse: one product's supply chain is n number of products and n supply chains, and an endless supply of turtles all the way down. Now a software supply chain refers to the people and processes for making and distributing a software product. A supply chain is a process of getting a product to the customer, and in the software domain we will focus on the software development process itself, which is again dependencies all the way down.

So a list of ingredients, slash bill of materials, is another term used in manufacturing. A software bill of materials is a complete, formally structured list of components, libraries, modules that are required to build, like compile and link, a given piece of software, and the supply chain relationships between them. So these components can be open source or proprietary, free or paid, and widely available or have restricted access. Wait, and so
why are all these fundamental concepts so important? Much of our modern technical infrastructure is built on and with dependencies from open source, which is great, right? There are obvious benefits when it comes to building with open source dependencies. We love open source, it's awesome for so many reasons. I mean, very selfishly, selfishly as a developer, the person who wants to use it, it stops us from having to reinvent things that already work. It's fantastic, I don't have to reinvent anything, I don't have to do duplication of effort, I can use other people's work; that's maybe nimble and quick. Also, selflessly, there's a low-barrier model for sharing your work with the world while maintaining control over your ideas. There's many versions of open source licenses that allow you to do the level of control and transparency and iteration that you want. Also, very selflessly, science belongs to everyone, like when there was a discovery of being
able to see black holes, and those scientists were able to very quickly put out how they were able to image that using open source software, both for explaining how the things were processed and then explaining how the science worked behind it, and then sharing the code and the imagery all at once in a lovely little package. Jupyter notebook was fantastic. Also, very selfishly, you get to share things as you work on it and get people's help along the way, so other people see your work. If you have questions, if you have struggles, they can work with you, they can just see you struggle, because sometimes that's something that helps people feel better about themselves. But really, when it comes down to it, being able to work in a public space in an area that you get to choose, that can be quite hard to figure out if you're just building that from scratch. Having open source as a ready-made community is lovely for that. Selflessly, open source software can be a means, not the only, but can be one means
to decentralize power and technology. Open source broke the copyright mold that only authors get to say who and how a copyright is used, which was the original reason and creation for it. So as part of the freedom and open source history, I think that we cannot ignore the fact that copyright law has been a central part of this along the way.

When you build with open source dependencies, you also have to consider the strengths, the constraints that are involved with being able to share things with the world under certain kinds of licenses. So one of these, again selfishly: there are legal implications on what you can do with open source depending on the license that it is released under. I say that this is selfish as well because, again, from the person who's going and consuming it, you may want more freedoms than whatever the license allows you to do, but guess what, that's not your choice. It's the people who actually create and release the software who get to say what kind of license is used for it. What you use after that may
depend on the license before that. This is why in open source you still get questions about how things are going to change upstream or downstream, and there's a whole bunch of licenses that fit under open source that allow you to make those decisions. With open source software, again, other people see your work. This is the thing I said before that was great; why are you saying it's bad now, Amanda? It's because it's a lot of work to maintain yourself in an open space, right? So if any of you have any inclinations like me, sometimes I turn into that little trash panda and I'm like, don't touch my stuff, just leave it alone, it's there for a reason, I don't want you interacting with it, I just wanted to put it out there. Now this isn't exactly the most inviting way. So from my perspective, you know, putting things up where people use it, great; putting things where people can see you, also not so great. Also, if you want other people to use it, they have expectations of you even when you don't want to support them, right? So log4j happens, all of a sudden
everyone starts calling you and saying, when are you going to be able to support log4j? When are you going to be able to support log4j? When are you going to be able to support log4j? And you're like, look, it's holidays, I just want to go to the beach, I'm hanging out with my friends. But the reality is that other people are using your work and other people are relying on your work, and at some line there has to be... there, where people and their livelihoods start to depend on you in a way that you didn't anticipate and you may not want. So real talk: recognizing and setting your boundaries is not selfish. The level of transparency and access to your time is not something you may have signed up for. This is also why licensing exists, so that you can put things into the world, decide where it wants to go, how people can use it, but this is also where you can put communication into the world about whether or not you plan to be there if a problem happens. It's kind of the use-at-your-own-risk recipe.

Talking about risk: open source keeps
changing. Not like the last eight months have been exceptionally high volume around any of that, but what we expect it to look like tomorrow... I mean, what I expected it to look like six months ago is not how it looks today, but that's also totally fine. So what it looks like tomorrow may not look like what it looks like today. More recently we've seen a higher rate of systemic-level security issues which impact everyone using open source software. We've also seen a lot of movement from certain organizations to try to change what open source is, means, and could mean in the future based on what they want to call open source, because they're trying to take the term and go from something specific to something generic. The power in that, when you move from something specific to something generic, is the generic term means less but carries all of the work and the weight that went into that specificity. So the folks who want to be able to use it generically and define their own boundaries are relying on that specificity to carry
them forward in a way that both carries goodwill, makes them money, and also costs things from the folks who did so much in the specific area. I bring this up because we are forced to change previous ideas of what security and stability look like, even now, when you work with open source software. Just like now, you are subject to all of the legacy problems, the known, the unknown, the known unknowns the open source legacy brings with it. So if you think that you could just do it better in five seconds based on understanding the problem, I can't wait to see you put that out into the world. The good news is that eyes on the code does improve security. However, I think that Linus's law is a myth, a strong belief still held. So, like, "many eyes make less bugs" is not true. It's not true these days; maybe it was then, it's definitely not now. However, by making sure everybody can see the work that's happening, it also means that things are open and transparent in a way that we can work on them together rather than
waiting for someone else to sell us the fixes. Things are not improved when they are fixed; they are improved when we are committed, invested and motivated to work on them together. As we said, people rely on your work. Happy holidays: you get an RCE, you get an RCE, you get an RCE. When things pop up all of a sudden, you have expectations that you have or have not set with people who will use your work to tell you whether or not you are available to work on them. If you work in industry and you have built on open source, you have a requirement to meet your customers where they are with those security fixes. If you are not being paid for your work, the same expectation isn't there, but this also means that corporations need to be working back into the world that they are not getting paid for, and fixing things upstream and keeping the rest of the commons maintained even if it doesn't help the market. Again, other people know you rely on their work. So a risk that can happen in open source that we have seen even more recently in the past few years is
that 484 00:18:38,160 --> 00:18:42,539 people can take advantage of that they 485 00:18:40,380 --> 00:18:44,460 can work deep in a dependency change to 486 00:18:42,539 --> 00:18:47,039 make changes either to make a political 487 00:18:44,460 --> 00:18:49,080 message or to be able to affect 488 00:18:47,039 --> 00:18:50,880 vulnerabilities in a way that makes 489 00:18:49,080 --> 00:18:53,400 their work more visible because they 490 00:18:50,880 --> 00:18:54,840 want that visibility I'm not going to 491 00:18:53,400 --> 00:18:56,940 bring that up here we talk about that in 492 00:18:54,840 --> 00:18:58,740 another talk there's also the problem 493 00:18:56,940 --> 00:19:00,240 that when other people know that you 494 00:18:58,740 --> 00:19:02,160 rely on their work they can take 495 00:19:00,240 --> 00:19:04,679 advantage of that being what we 496 00:19:02,160 --> 00:19:09,059 essentially refer to as toxic jerk faces 497 00:19:04,679 --> 00:19:11,760 who hurt people but become the UN the un 498 00:19:09,059 --> 00:19:14,760 uh the person who cannot be lost from a 499 00:19:11,760 --> 00:19:17,100 team so we get rock stars and ninjas who 500 00:19:14,760 --> 00:19:20,100 become Central to a movement when really 501 00:19:17,100 --> 00:19:21,419 they're just a jerk that doesn't mean we 502 00:19:20,100 --> 00:19:23,760 can't change things that's what we're 503 00:19:21,419 --> 00:19:25,320 all here to do to change things speaking 504 00:19:23,760 --> 00:19:26,880 of which this is one of the most lovely 505 00:19:25,320 --> 00:19:28,679 conferences I've ever been to and I'm 506 00:19:26,880 --> 00:19:30,059 not even there so thank you all so much 507 00:19:28,679 --> 00:19:31,020 like you were a force of change and I 508 00:19:30,059 --> 00:19:32,400 love you all 509 00:19:31,020 --> 00:19:34,200 I hope you're cheering for yourselves 510 00:19:32,400 --> 00:19:35,520 even though I can't see it please send 511 00:19:34,200 --> 00:19:38,100 me pictures 512 00:19:35,520 
--> 00:19:40,200 the ecosystem itself is much more than 513 00:19:38,100 --> 00:19:42,240 the Kodi bits that we call dependencies 514 00:19:40,200 --> 00:19:43,860 and it's more than the code that you 515 00:19:42,240 --> 00:19:46,320 care about most 516 00:19:43,860 --> 00:19:47,760 that's right okay second uh third fourth 517 00:19:46,320 --> 00:19:48,660 Shameless self and for information I 518 00:19:47,760 --> 00:19:50,220 lost count 519 00:19:48,660 --> 00:19:52,380 um so several examples I just talked 520 00:19:50,220 --> 00:19:53,880 about were things broke are covered in 521 00:19:52,380 --> 00:19:56,280 more detail by my talk with Julie 522 00:19:53,880 --> 00:19:58,140 ferrioli black swans of Open Source this 523 00:19:56,280 --> 00:20:00,480 is different than Russell Keith McGee's 524 00:19:58,140 --> 00:20:03,600 black swans of Open Source from pycon I 525 00:20:00,480 --> 00:20:05,880 think that was in 2019 Russell uh but 526 00:20:03,600 --> 00:20:08,580 both brilliant ideas black swans lots of 527 00:20:05,880 --> 00:20:10,799 ways all the way down different concepts 528 00:20:08,580 --> 00:20:13,020 still like this one here go check it out 529 00:20:10,799 --> 00:20:15,120 there might be a sing-along there is a 530 00:20:13,020 --> 00:20:16,620 sing-along it's recorded 531 00:20:15,120 --> 00:20:19,380 okay getting back to talking about 532 00:20:16,620 --> 00:20:21,419 software as an ecosystem surprise it's 533 00:20:19,380 --> 00:20:22,919 not just a graph it's the OS and the 534 00:20:21,419 --> 00:20:25,679 build system and the package managers 535 00:20:22,919 --> 00:20:27,120 and cdms and then it's not just the OS 536 00:20:25,679 --> 00:20:30,000 and the build system and the package 537 00:20:27,120 --> 00:20:32,520 managers and cdms it's your OS and build 538 00:20:30,000 --> 00:20:34,500 system and package managers and cdms and 539 00:20:32,520 --> 00:20:37,080 their os's and build systems and package 540 00:20:34,500 --> 00:20:38,700 
managers and cdms and their os's and 541 00:20:37,080 --> 00:20:41,520 build systems and package managers and 542 00:20:38,700 --> 00:20:44,460 cdms so like we said all the way down 543 00:20:41,520 --> 00:20:45,900 it's all the parts and all the bits even 544 00:20:44,460 --> 00:20:48,900 more 545 00:20:45,900 --> 00:20:51,660 it's more than just the software 546 00:20:48,900 --> 00:20:53,700 it's a system it's a technical system 547 00:20:51,660 --> 00:20:56,039 a technical system but there's even more 548 00:20:53,700 --> 00:21:00,419 parts you depend on that are not evident 549 00:20:56,039 --> 00:21:02,640 even if you understand the gnarly graph 550 00:21:00,419 --> 00:21:04,740 it's a socio-technical system 551 00:21:02,640 --> 00:21:07,140 and that's not just a technical system 552 00:21:04,740 --> 00:21:08,520 of Technical Systems people of all kind 553 00:21:07,140 --> 00:21:11,039 contributors full-time employees 554 00:21:08,520 --> 00:21:12,539 volunteers unpaid labor visibility and 555 00:21:11,039 --> 00:21:13,919 visibility people write the docs that 556 00:21:12,539 --> 00:21:15,840 organize sponsorships they handle 557 00:21:13,919 --> 00:21:17,220 finances they do the AV thank you so 558 00:21:15,840 --> 00:21:19,140 much Patrick you've been a delight to 559 00:21:17,220 --> 00:21:20,400 work with uh there's people who are 560 00:21:19,140 --> 00:21:21,960 working in the room right now I don't 561 00:21:20,400 --> 00:21:23,880 even know who everybody is but I just 562 00:21:21,960 --> 00:21:25,740 have a Shameless plug again 563 00:21:23,880 --> 00:21:27,299 that there are lots of folks who are 564 00:21:25,740 --> 00:21:29,039 working on lots of different things and 565 00:21:27,299 --> 00:21:30,419 we should talk more about all of those 566 00:21:29,039 --> 00:21:32,220 parts there's other work coming up for 567 00:21:30,419 --> 00:21:34,080 that that's why Salty's there 568 00:21:32,220 --> 00:21:36,120 it's a complex ecosystem of 569 
00:21:34,080 --> 00:21:38,520 socio-technical systems 570 00:21:36,120 --> 00:21:40,320 again when we start looking at all the 571 00:21:38,520 --> 00:21:42,120 work that everybody is doing we also 572 00:21:40,320 --> 00:21:44,220 have to talk about organizational 573 00:21:42,120 --> 00:21:46,020 organizations within this we pay a lot 574 00:21:44,220 --> 00:21:47,960 of money to people who do a lot of 575 00:21:46,020 --> 00:21:50,159 things we pending money to foundations 576 00:21:47,960 --> 00:21:51,720 non-profits Industry Program offices 577 00:21:50,159 --> 00:21:53,700 professional boards what are they all 578 00:21:51,720 --> 00:21:57,080 doing the government policy and 579 00:21:53,700 --> 00:21:57,080 regulation what are they doing 580 00:21:57,419 --> 00:22:02,940 so we have many ecosystems a ecosystem 581 00:22:00,059 --> 00:22:05,220 many ecosystems and as a part of these 582 00:22:02,940 --> 00:22:06,780 many ecosystems I just want to make sure 583 00:22:05,220 --> 00:22:08,059 I'm not going to be cut off too quickly 584 00:22:06,780 --> 00:22:10,320 and I want to talk if you have talk 585 00:22:08,059 --> 00:22:12,179 ecosystems also have nutrient flows and 586 00:22:10,320 --> 00:22:13,679 energy Cycles so how do we translate 587 00:22:12,179 --> 00:22:14,580 this to practical applications and we 588 00:22:13,679 --> 00:22:15,720 don't want you to talk about coral 589 00:22:14,580 --> 00:22:17,039 relief Samantha we're talking about open 590 00:22:15,720 --> 00:22:19,320 source software 591 00:22:17,039 --> 00:22:20,760 so again open source software 592 00:22:19,320 --> 00:22:22,380 dependencies 593 00:22:20,760 --> 00:22:24,840 there are things that we can do to take 594 00:22:22,380 --> 00:22:26,159 all of these Concepts which shape in my 595 00:22:24,840 --> 00:22:28,200 brain Nikki's brain all of my 596 00:22:26,159 --> 00:22:30,000 collaborators and talk more about like 597 00:22:28,200 --> 00:22:31,799 how can we influence change and direct 
598 00:22:30,000 --> 00:22:33,240 change in this area I'm just going to 599 00:22:31,799 --> 00:22:34,559 give you three takeaways 600 00:22:33,240 --> 00:22:36,179 one 601 00:22:34,559 --> 00:22:39,600 watch your software 602 00:22:36,179 --> 00:22:41,820 so recognize that what you choose to use 603 00:22:39,600 --> 00:22:44,640 is going to have implications down the 604 00:22:41,820 --> 00:22:47,159 road watch your dependencies so that you 605 00:22:44,640 --> 00:22:49,260 can understand the organizations you're 606 00:22:47,159 --> 00:22:52,140 supporting by using that software with 607 00:22:49,260 --> 00:22:55,140 those dependencies and so what's an 608 00:22:52,140 --> 00:22:58,320 organization Amanda well in open source 609 00:22:55,140 --> 00:23:01,380 ecosystems this could be large-scale 610 00:22:58,320 --> 00:23:03,480 organization and investment who's paying 611 00:23:01,380 --> 00:23:05,280 to maintain the things who's paying just 612 00:23:03,480 --> 00:23:07,200 to maintain a trademark also important 613 00:23:05,280 --> 00:23:09,000 but for different reasons where's 614 00:23:07,200 --> 00:23:11,460 Community scale organization and 615 00:23:09,000 --> 00:23:13,919 investment happening where policy change 616 00:23:11,460 --> 00:23:16,200 is being pushed for when an organization 617 00:23:13,919 --> 00:23:18,780 is pushing for certain policy changes 618 00:23:16,200 --> 00:23:20,280 either in regulatory systems or being 619 00:23:18,780 --> 00:23:22,260 able to push against changes in 620 00:23:20,280 --> 00:23:24,000 regulatory systems what does that mean 621 00:23:22,260 --> 00:23:25,679 about the software that you're using and 622 00:23:24,000 --> 00:23:28,080 supporting that ultimately gets funded 623 00:23:25,679 --> 00:23:30,240 as part of that organization when is it 624 00:23:28,080 --> 00:23:33,059 that organizations may put out messages 625 00:23:30,240 --> 00:23:35,159 about diversity equity and inclusion but 626 00:23:33,059 --> 
00:23:37,080 they don't actually do those things that 627 00:23:35,159 --> 00:23:39,720 they're saying beyond the report 628 00:23:37,080 --> 00:23:42,659 when do they require marginalized people 629 00:23:39,720 --> 00:23:44,580 from their Community to step an up and 630 00:23:42,659 --> 00:23:46,559 demand change when that should be coming 631 00:23:44,580 --> 00:23:49,260 from the top 632 00:23:46,559 --> 00:23:51,620 so again a great time promise last 633 00:23:49,260 --> 00:23:53,760 Shameless self and friend promotion 634 00:23:51,620 --> 00:23:55,799 depths.dev you can find out more about 635 00:23:53,760 --> 00:23:57,240 which projects depend on you can dive a 636 00:23:55,799 --> 00:23:58,620 little bit deeper and understand who's 637 00:23:57,240 --> 00:24:00,600 writing that where that's coming from 638 00:23:58,620 --> 00:24:04,020 what's their affiliation all good things 639 00:24:00,600 --> 00:24:06,120 to know also who does the.dev I will 640 00:24:04,020 --> 00:24:08,100 also say who does the.dev with Katie 641 00:24:06,120 --> 00:24:10,740 McLaughlin and salty the sea outer who 642 00:24:08,100 --> 00:24:12,840 is there in multiple places is still 643 00:24:10,740 --> 00:24:14,520 very much a work in progress this is the 644 00:24:12,840 --> 00:24:16,080 across project that Katie and I have 645 00:24:14,520 --> 00:24:18,179 worked on together when we're doing 646 00:24:16,080 --> 00:24:20,640 research to try to make more visible the 647 00:24:18,179 --> 00:24:22,919 invisible work which comes and sustains 648 00:24:20,640 --> 00:24:25,559 open source and if you have suggestions 649 00:24:22,919 --> 00:24:28,860 and want to join us we love you 650 00:24:25,559 --> 00:24:30,600 okay last part watch your ecosystems 651 00:24:28,860 --> 00:24:32,520 again I can rant on this longer we can 652 00:24:30,600 --> 00:24:35,220 talk about this more but this is a 653 00:24:32,520 --> 00:24:36,960 complex interdimensional ecosystem uh 654 00:24:35,220 --> 
00:24:38,460 interdimensional yes there are many 655 00:24:36,960 --> 00:24:39,539 different dimensions and how we are 656 00:24:38,460 --> 00:24:41,159 thinking about this so when I think 657 00:24:39,539 --> 00:24:43,320 about like complex ecosystems and 658 00:24:41,159 --> 00:24:44,820 sources and sinkholes Things That Kill 659 00:24:43,320 --> 00:24:46,440 open source projects and communities 660 00:24:44,820 --> 00:24:49,440 things that enable open source project 661 00:24:46,440 --> 00:24:51,720 communities I want to help and put more 662 00:24:49,440 --> 00:24:53,460 food pellets into the system and less of 663 00:24:51,720 --> 00:24:54,659 the poison pellets into the system that 664 00:24:53,460 --> 00:24:56,760 are just like draining and causing 665 00:24:54,659 --> 00:24:59,880 things to die so that for me is the like 666 00:24:56,760 --> 00:25:00,900 enablement versus like things that kill 667 00:24:59,880 --> 00:25:02,280 um so there are things in our control 668 00:25:00,900 --> 00:25:04,140 there are things that are not in our 669 00:25:02,280 --> 00:25:06,240 control but there are forces that are 670 00:25:04,140 --> 00:25:08,159 impacting both of those and trying to 671 00:25:06,240 --> 00:25:10,380 understand what is it that's enabling 672 00:25:08,159 --> 00:25:12,900 and empowering what is it that's driving 673 00:25:10,380 --> 00:25:15,120 things down stealing energy and time and 674 00:25:12,900 --> 00:25:17,520 people that we care about and how we 675 00:25:15,120 --> 00:25:19,620 enact change on those and it seems 676 00:25:17,520 --> 00:25:22,320 really hard but I want to encourage you 677 00:25:19,620 --> 00:25:24,840 not to give up hope 678 00:25:22,320 --> 00:25:26,820 um in closing I hope that today as we 679 00:25:24,840 --> 00:25:28,980 talk about all these things we can break 680 00:25:26,820 --> 00:25:32,159 that mental model that Simplicity is a 681 00:25:28,980 --> 00:25:35,220 if we could just solve this problem this 682 
00:25:32,159 --> 00:25:37,320 comic gets brought up all the time 683 00:25:35,220 --> 00:25:41,159 because it's where people want to 684 00:25:37,320 --> 00:25:44,039 emphasize if we can just solve this one 685 00:25:41,159 --> 00:25:45,960 problem we can move forward in solving 686 00:25:44,039 --> 00:25:48,179 all the problems 687 00:25:45,960 --> 00:25:50,400 but I want to emphasize that we cannot 688 00:25:48,179 --> 00:25:52,740 move forward effectively and sustainably 689 00:25:50,400 --> 00:25:55,140 to address dependencies on our open 690 00:25:52,740 --> 00:25:58,559 source dependencies until we break this 691 00:25:55,140 --> 00:26:01,860 over reductionist model because in 692 00:25:58,559 --> 00:26:04,620 reality this is closer to today's modern 693 00:26:01,860 --> 00:26:06,600 open source digital infrastructure it 694 00:26:04,620 --> 00:26:08,279 serves as a reminder that there are more 695 00:26:06,600 --> 00:26:10,740 forces at work in the open source 696 00:26:08,279 --> 00:26:13,740 dependency ecosystem than the implied 697 00:26:10,740 --> 00:26:17,279 and under-resourced one person in a 698 00:26:13,740 --> 00:26:20,940 remote area those people do exist and we 699 00:26:17,279 --> 00:26:23,400 should look for them but we cannot we 700 00:26:20,940 --> 00:26:26,100 cannot absolutely ignore the large-scale 701 00:26:23,400 --> 00:26:28,320 forces at work with staggering amount of 702 00:26:26,100 --> 00:26:30,539 global privileges resources and 703 00:26:28,320 --> 00:26:32,940 Investments lots of money is being 704 00:26:30,539 --> 00:26:34,740 thrown around about these problems is it 705 00:26:32,940 --> 00:26:36,659 going to the right places does that 706 00:26:34,740 --> 00:26:38,820 money have accountability how are they 707 00:26:36,659 --> 00:26:41,159 making that information most visible how 708 00:26:38,820 --> 00:26:43,320 are they making it transparent we cannot 709 00:26:41,159 --> 00:26:46,620 forget that moving forward as we 710 
00:26:43,320 --> 00:26:49,140 continue to examine who has voice power 711 00:26:46,620 --> 00:26:51,240 and access in these decisions will 712 00:26:49,140 --> 00:26:52,919 impact us all and if we aren't going to 713 00:26:51,240 --> 00:26:55,260 be the ones to ask for change for it 714 00:26:52,919 --> 00:26:58,559 nobody else will 715 00:26:55,260 --> 00:27:00,120 so in want to say thank you uh to Nikki 716 00:26:58,559 --> 00:27:02,520 not only for your friendship and your 717 00:27:00,120 --> 00:27:04,740 collaboration uh but for allowing me to 718 00:27:02,520 --> 00:27:07,500 revise this talk with zero oversight 719 00:27:04,740 --> 00:27:08,880 because I knew you were too busy anyways 720 00:27:07,500 --> 00:27:10,020 um thank you Katie McLaughlin for 721 00:27:08,880 --> 00:27:11,520 bringing our deer salt to the Seattle 722 00:27:10,020 --> 00:27:13,620 and her many friends to the conference 723 00:27:11,520 --> 00:27:15,000 to become everyone else's friend and for 724 00:27:13,620 --> 00:27:16,380 not giving up on our cross and ocean 725 00:27:15,000 --> 00:27:20,059 work even when it goes into maintenance 726 00:27:16,380 --> 00:27:23,100 phase occasionally for months years 727 00:27:20,059 --> 00:27:25,200 and thank you all pycon Australia 728 00:27:23,100 --> 00:27:29,659 endlessly for allowing me to share time 729 00:27:25,200 --> 00:27:29,659 with you even from many many miles away 730 00:27:36,320 --> 00:27:41,340 thank you very much Amanda are you 731 00:27:38,940 --> 00:27:44,340 available for questions or 732 00:27:41,340 --> 00:27:46,440 yes if we have any remaining time and if 733 00:27:44,340 --> 00:27:48,000 not then I can be on Discord time for 734 00:27:46,440 --> 00:27:50,640 one quick question if uh if there's 735 00:27:48,000 --> 00:27:52,200 anyone in the audience who wants one 736 00:27:50,640 --> 00:27:53,700 okay I will get one in just to make sure 737 00:27:52,200 --> 00:27:55,799 you're not left alone 738 00:27:53,700 --> 
00:27:57,480 um you have mentioned this is this is 739 00:27:55,799 --> 00:27:59,700 obviously all the open source context 740 00:27:57,480 --> 00:28:01,440 not all software is open source there's 741 00:27:59,700 --> 00:28:04,020 also closed Source are these problems 742 00:28:01,440 --> 00:28:05,220 unique to open source or a closed Source 743 00:28:04,020 --> 00:28:07,740 just have them and we just can't see 744 00:28:05,220 --> 00:28:10,080 their underwear in public 745 00:28:07,740 --> 00:28:13,320 so I think that this problem is not 746 00:28:10,080 --> 00:28:15,900 unique to open source we have obviously 747 00:28:13,320 --> 00:28:18,960 seen uh every now and then some very 748 00:28:15,900 --> 00:28:20,039 nice PR announcements come out from a 749 00:28:18,960 --> 00:28:21,840 company about how they're making 750 00:28:20,039 --> 00:28:24,480 strategic moves 751 00:28:21,840 --> 00:28:26,100 um layoffs are continue to be ongoing 752 00:28:24,480 --> 00:28:28,020 around the world in the tech industry 753 00:28:26,100 --> 00:28:29,700 license change happens regulation 754 00:28:28,020 --> 00:28:31,860 happens all of these other things are 755 00:28:29,700 --> 00:28:33,480 still existing for the Mixed world that 756 00:28:31,860 --> 00:28:35,700 is software technology in the modern 757 00:28:33,480 --> 00:28:37,500 infrastructure and money moves in 758 00:28:35,700 --> 00:28:39,779 different places so no this is not 759 00:28:37,500 --> 00:28:41,880 unique the fun thing that we get 760 00:28:39,779 --> 00:28:44,460 differently from open source is where we 761 00:28:41,880 --> 00:28:45,720 get to see components of it but again I 762 00:28:44,460 --> 00:28:46,860 think there's a lot of well we hope we 763 00:28:45,720 --> 00:28:48,720 brought up in this talk is that there 764 00:28:46,860 --> 00:28:51,120 are a lot of mental models that people 765 00:28:48,720 --> 00:28:52,500 feel complacent in and failed to 766 00:28:51,120 --> 00:28:54,059 recognize where the 
challenges and the 767 00:28:52,500 --> 00:28:56,520 complexities lie 768 00:28:54,059 --> 00:28:58,140 okay thank you very much Amanda everyone 769 00:28:56,520 --> 00:29:00,620 please again another round of applause 770 00:28:58,140 --> 00:29:00,620 for Amanda