
Key discoveries from Upstream 2023

by Amy Hays
on June 8, 2023


Yesterday, for the third year in a row, we took an expedition upstream to connect the people who make open source with those who use it and wow, what a day! This year’s virtual, free event was the biggest yet, and we really enjoyed spending the day with hundreds of you, celebrating open source and talking about ways to make it work better for everyone.


Here are some of the highlights:

  • Tidelift co-founder Luis Villa kicked off the day by introducing this year’s theme, the accidental supply chain, with this provocative observation: “We are building the first global, commercial, regulated supply chain that is composed of unpaid volunteers who don’t think of themselves as suppliers.”

  • We celebrated the 5th SBOM-iversary with the SBOM king himself, Allan Friedman of CISA. Allan pointed out that June 7 was the day the government started taking software bills of materials seriously, and shared why software transparency is so important. You can check out his full talk here.

  • Nithya Ruff of Amazon took us on a fine dining experience…well, sort of. She explained how these days our access to open source libraries is a veritable smorgasbord of goodness, but many of the chefs are home cooks, not master chefs. What does this accidental relationship mean? You can hear her thoughts now.

  • Julia Ferraioli closed the day talking about one of the most important and often overlooked aspects of the open source software supply chain: how we treat the humans at its heart.

  • Mike Milinkovich of the Eclipse Foundation took a hard look at what comes next, now that open source has won. The days of unconstrained open source innovation are coming to an end. He asks, what now? And then shares his answers.

  • Tidelift VP of product Lauren Hanford shared the results of a multi-year effort to pay open source maintainers to ensure their packages meet important security standards like OpenSSF scorecards and the NIST SSDF. Spoiler alert: paying maintainers works!

  • Luis Villa also hosted a bundle of fireside chats exploring alternative supply chains, like train supply chains (chat with Deutsche Bahn), voting supply chains (chat with VotingWorks), and AI supply chains (chat with industry experts).

  • We hosted some epic panels:
    • Tidelift CMO Chris Grams sat down with Seth Larson of urllib3, Al Gillen of IDC, and Lauren Hanford to discuss the findings from our recent state of the open source maintainer report. It was a fascinating discussion!

    • In our annual tradition, the state of the maintainer panel, maintainers Jason Coombs, Ceki Gülcü, and Gary Gregory chatted about their experiences as open source maintainers today, and Ceki and Gary shared what it was like to be on the Log4j maintainer team as the Log4Shell vulnerability was unfolding.

  • The chatter in the hallway was abuzz with discussion on Tobie Langel’s talk breaking down recent EU legislation and how it relates to open source licensing and liability.

  • Taylor Fairbank’s tale of his own accidental supply chain, from OSS maintainer to humanitarian aid logistician, is one you don’t want to miss.

  • We also heard from several maintainers themselves, including Valeri Karpov of mongoose.js, Felix Böhm of Cheerio, Seth Larson of urllib3, and Jordan Harband, who maintains so many npm projects we can’t list them all here.

And those are just a few of the talks! Donald Fischer, Tidelift CEO and co-founder, sums up the day in his closing keynote. You can relive the whole day now!
