The case for attending Upstream on June 5

Upstream is June 5, and the day is looking like it is going to be amazing. Over the next week, we are continuing our sneak preview into some of the talks and the speakers via posts like these. 

Today, I want to make the case to you for attending Upstream this year. Upstream is a one-day, virtual, completely free event curated by Tidelift and designed to celebrate open source, the people who use it, and the people who make it.

This year, we’ve chosen the theme “unusual ideas to solve the usual problems” around open source health and security. To introduce you in more detail to this theme, we’ve asked the exceptionally talented Forrest Brazeal to illustrate some of the “usual problems” for us (and all of these cartoons are licensed CC-BY-ND so feel free to share ‘em if you like ‘em!).

Here goes!

Open source has some old problems

It's 2024, and, last I checked, the amazing open source ecosystem we rely on is struggling. 

Corporations feast on freely available open source code, while expecting volunteer open source maintainers to foot the bill of keeping it secure and well maintained. 

We've created a vulnerability identification and remediation industrial complex that is overwhelming development teams with extra work and false positives and seems more focused on security theater than reducing actual risk. 

Meanwhile over 60% of open source maintainers have either quit or considered quitting their work because they are burnt out, underpaid, and overwhelmed, putting the health and future of the code we depend on at risk.

None of these are new problems, in fact some of the issues related to the security and long-term health of open source have been following us since the term “open source” was coined in the late ‘90s.

But, every year, open source extends its reach as the ubiquitous infrastructure that all of our technology, and in some ways, all of our civilization, relies upon. And this makes the health and security of open source a more and more pressing priority.

People are starting to pay attention 

While open source health and security may be the usual problems for open source die hards, what’s unusual is, in the wake of recent software supply chain attacks impacting open source like the xz utils hack a few months ago or the Log4Shell incident before that, now your mom and dad, your husband or wife, and your next door neighbors are reading about open source’s issues in everyday news.

The question “"Why is so much of the internet’s infrastructure run by volunteers?" literally was the subject of a piece in The Economist (yes, that The Economist) a few weeks ago. 

I actually, no lie, got this (excellent) Gizmodo story Open-Source Cybersecurity Is A Ticking Time Bomb sent to me by my dad. NPR just released a deep dive for drive time entitled The hack that almost broke the internet. The New York Times has covered the story. What’s next, Vanity Fair? 

Which brings us to Upstream

Against this backdrop of increased interest in open source health and security, I’m thrilled by the group of people we’ve brought together for Upstream on June 5. I’ve had the pleasure of previewing many of the talks we’ll be sharing, and many of these people, in keeping with the “unusual ideas to solve the usual problems” theme, are bringing unusual and inspiring ideas to share with you.

Here’s a taste:

• Vincent Danen, VP of Product Security at Red Hat has a really unusual idea: our current system for vulnerability patch management is broken and we need a revolution! By changing how we think about open source software supply chain security from an exercise in creating “vulnerability-free” software (a compliance-driven exercise) to one where the purpose is minimizing the potential or severity of a breach (a risk-driven exercise), we may actually reduce our security costs and improve our outcomes at the same time.
• Jack Cable and Aeva Black from the US Cybersecurity and Infrastructure Security Agency also have an unusual idea: bake security into our technology products by design rather than bolting security on as an aftermarket feature.
• Fiona Krakenbürger from the Sovereign Tech Fund and Mirko Böhm from the Linux Foundation Europe will share unusual “carrot” (providing incentives to people and organizations to do more security work) and “stick” (penalizing them for not doing the work or after security incidents happen) approaches to improving open source security already being tested in Europe. 
• Gabriele Columbro and Tosha Ellison from FINOS will join John Mark Walker from Fannie Mae to enlighten us on new methods to improve open source security being driven out of the financial services industry, which has long been a leader in embracing new ways to help open source software become more secure and resilient.
• Frank Nagle from Harvard Business School will share highlights from his recent research that found that our shared open source infrastructure is worth 8.8 trillion dollars, and discuss with Tidelift co-founder Luis Villa some interesting ways we might preserve or expand that value, including what we can learn from other important “public good” infrastructure like roads, bridges, and the electrical grid.

There's much, much more, but you should go check out the full agenda for yourself.

If you love open source, if you rely on it in your work, if you make it yourself, or you just care about its future, please come join us on June 5th for Upstream. We can’t wait to see you there!