1 of 100

Description

Unforeseen incidents in technology are on the rise, with enduring effects on the systems we build as well as how users interact with them. With open source ecosystems increasing in complexity and growth as sociotechnical systems, we must examine how often these events are happening and if they are truly unexpected.

This talk will explore a series of events in open source history, some of which came as a surprise to users of the open source project and industry as a whole, had a wide and long-lasting impact on technology, or was inappropriately rationalized after the fact with the benefit of hindsight.

2 of 100

Remember when we broke the Internet?

…oops

julia ferraioli

Cisco Open Source

@juliaferraioli

amanda casari

Google Open Source

@amcasari

3 of 100

Slides & notes: bit.ly/breaking-the-internet

@amcasari

@juliaferraioli

4 of 100

Remember when we broke the Internet?

…oops

julia ferraioli

Cisco Open Source

@juliaferraioli

amanda casari

Google Open Source

@amcasari

[julia] Hi folks! Welcome to “Remember when we broke the internet?" Now, maybe you're here to listen to how amanda and myself have personally broken the Internet, but I'm afraid we are not going to be telling those horror stories today. We're going to take a look at times when open source – or something very similar to it – has caused disruption in our technological landscape. And that's not nearly as straightforward as the retrospectives would have you believe, because it's all interconnected. We’ll be diving into complex, sociotechnical systems and how they intersect with open source.

Sneak peak: you are not going to see a single line of code (sorry!).

What you will be seeing might amuse you – or be slightly embarrassed for us. Who knows!

https://openclipart.org/image/2000px/278137

5 of 100

We are so very excited to be here with you.

julia ferraioli

Open source archaeologist

@juliaferraioli

amanda casari

Open source scientist

@amcasari

6 of 100

Open source must…

be available
be modifiable
be redistributable
be technology-neutral
protect the author's integrity

distribute the license
not discriminate against people or groups
not discriminate against fields of use
not restrict other software
not be specific to a product

@amcasari

@juliaferraioli

[julia]

This is super dry. I promise we'll get more entertaining after this slide.

There's certain criteria that open source has to fulfill in order to be considered technically open source. These were laid out in the open source definition in 1998, and are still stewarded by the Open Source Initiative.

So, here we go.

In order to be open source, the code must be available, modifiable, and redistributable. Those are the ones most people know. But also, it has to be technology-neutral and protect the integrity of the author's IP. Open source does not remove intellectual property rights! Also, you are obligated to distribute the license of any open source software that you use (asterisks apply).

Finally, there are things that it can't do and still be open source. It can't discriminate – against people, groups, or fields of use. That means that you can't prevent industries that you don't like from using your project. It also can't restrict the usage of other software, so project A cannot prevent you from using project B, and it can't restrict the type of product that you use it for.

Dry part done. I promise.

7 of 100

A very brief introduction to complexity theory

@amcasari

@juliaferraioli

8 of 100

A very brief introduction to sociotechnical systems theory

@amcasari

@juliaferraioli

9 of 100

Open source is a complex system.

@amcasari

@juliaferraioli

10 of 100

Open source is a sociotechnical system.

@amcasari

@juliaferraioli

11 of 100

What are “black swan” events?

@amcasari

@juliaferraioli

12 of 100

Black swan event

A black swan event disrupts the status quo, causing systemic change which seem inevitable in hindsight

13 of 100

Context matters.

[julia] DEEP BREATH - SLOW DOWN

In order to explain specific black swan events, we have to look at them in their historical context.

Find anyone who has worked in open source for more than a few weeks, and they will have stories of “the way it used to be”.

Looking back further, as we do in open source science and archaeology, we distinctly see where open source has evolved over time, as well as where evolution happens through disruption of norms.

[amanda] Wait, julia. This is super important — we need to explain the context of how things change over time, the norms that exist, so everyone understands how BIG these disruptive events are. Maybe we can try a different way to run through a timeline?

[julia] Well, what do you propose?

[amanda] How about…..a song?

https://unsplash.com/photos/wQ0lQlgPeiA

14 of 100

We Didn’t Start The Open Source Fire 🔥

@amcasari

@juliaferraioli

15 of 100

Antikythera

@amcasari

@juliaferraioli

16 of 100

Mathematicians

@amcasari

@juliaferraioli

17 of 100

Ada Lovelace

@amcasari

@juliaferraioli

18 of 100

Difference Engines

@amcasari

@juliaferraioli

19 of 100

World wars

@amcasari

@juliaferraioli

20 of 100

Alan Turing

@amcasari

@juliaferraioli

21 of 100

Grace Hopper debugs

@amcasari

@juliaferraioli

22 of 100

Public domain

@amcasari

@juliaferraioli

23 of 100

ARPANET

@amcasari

@juliaferraioli

24 of 100

Now we can all typeset

@amcasari

@juliaferraioli

25 of 100

Software copyright — like a book,

not a light

@amcasari

@juliaferraioli

26 of 100

GNU guy comes on the scene

@amcasari

@juliaferraioli

27 of 100

MIT license

@amcasari

@juliaferraioli

28 of 100

Macintosh

@amcasari

@juliaferraioli

29 of 100

Commodores

@amcasari

@juliaferraioli

30 of 100

Free software’s on the run

@amcasari

@juliaferraioli

31 of 100

Morris worm

@amcasari

@juliaferraioli

32 of 100

licensing

@amcasari

@juliaferraioli

33 of 100

GPL or BSD?!

@amcasari

@juliaferraioli

34 of 100

Linux

@amcasari

@juliaferraioli

35 of 100

Python

@amcasari

@juliaferraioli

36 of 100

Combat boots for everyone!

@amcasari

@juliaferraioli

37 of 100

Pause. Rewind.

@amcasari

@juliaferraioli

38 of 100

The Morris Worm

(1988)

@amcasari

@juliaferraioli

39 of 100

Created and inadvertently* released by Robert Tappan Morris, student at Cornell, as part of a research experiment
Exploited vulnerabilities in: Unix sendmail, fingerd network service, and transitive trust
Impacted ~10% of the global Internet
Many firsts!

One of the first computer worms distributed via the Internet
First felony conviction in the US under the 1986 Computer Fraud and Abuse Act

@amcasari

@juliaferraioli

[amanda]

The Morris Worm or “The Worm”, was created and inadvertently* (where the asterisk indicates a point that is a little contentious but we all agree to be congenial people) released by Robert Tapplan Morris.

Morris was a student at Cornell, but released the worm via a system at MIT in order to prevent it from being traced back to him, as part of a research project examining internet systems and how their open protocols could be exploited.��This worked much quicker than Morris expected. By exploiting multiple operating system vulnerabilities, and most importantly the transitive trust that existed at the time between system administrators and users, the Morris Worm infected about 10% of the global Internet in a matter of days.

There are many notable firsts from this event, which include being the first computer worm to be distributed via the Internet (as opposed to traded floppy disks or removable media). Morris was also the first felony conviction in the US under the 1986 Computer Fraud and Abuse Act.

The Morris Worm, Wikipedia

The Internet Worm Incident, Eugene Spafford (1989)

40 of 100

Impact of open source:

You can no longer assume that everyone is operating in everyone else’s best interest
Demonstrated Internet’s reliance on partionable, distributed systems and open knowledge sharing

What changed as a result:

Pivot in security regulation + international laws for the Internet
Super homogeneity in computer systems now a risk vector
Pivot to preference of proprietary, supported software
Now you have to remember your passwords

@amcasari

@juliaferraioli

[amanda] So why does this event matter to open source and how is it a black swan event?

Using our magical glasses of hindsight, we can clearly see where the status quo was changed and influences how we operate today:

We do not assume that everyone is operating in everyone else’s best interest. This event happened in November 1988, just months before GPL and Linux were released for the first time. We cannot ignore the human interests, community expectations, and social trust that existed at the time of these releases, all of which were fundamentally impacted by The Morris Worm.
The reaction to and recovery from the Morris Worm demonstrated the robustness of the Internet when designed as a partionable and distributed system, which prioritized open knowledge sharing. Morris quickly worked to move fixes to the worm onto multiple mailing lists, and system administrators worked together to isolate damage and prevent impacted systems from infecting farther.

Because of The Morris Worm, the Internet and the software which it runs on changed:

Pivot in security regulation and international laws
We didn’t want all systems to look alike anymore. Super homogeneity was seen as a risk, rather than an efficiency.
There was a hard lean, especially in industry and government, to move to proprietary systems.

Now, back to the song! Time for the chorus - everyone who knows this, please join in!

41 of 100

We didn't start the fire

42 of 100

It was always burning, since

the world’s

been turning

43 of 100

We didn't start the fire

44 of 100

No, we didn't light it, but we try to fight it

45 of 100

Javascript

@amcasari

@juliaferraioli

46 of 100

Ruby

@amcasari

@juliaferraioli

47 of 100

Murphy vs Libby

@amcasari

@juliaferraioli

48 of 100

“Open source” gets a name

@amcasari

@juliaferraioli

49 of 100

CVEs ain’t Cheap

@amcasari

@juliaferraioli

50 of 100

ASF

@amcasari

@juliaferraioli

51 of 100

And LF

@amcasari

@juliaferraioli

52 of 100

PSF

@amcasari

@juliaferraioli

53 of 100

What the F!?!?

@amcasari

@juliaferraioli

54 of 100

Tcpdump trojan

@amcasari

@juliaferraioli

55 of 100

Git’s released for keeps

@amcasari

@juliaferraioli

56 of 100

GNU guy

Drives Away

More women

Every day

@amcasari

@juliaferraioli

57 of 100

Everyone’s

got a blog

@amcasari

@juliaferraioli

58 of 100

Maintaining’s

Now a slog

@amcasari

@juliaferraioli

59 of 100

“Dive Into…”

vaporized

@amcasari

@juliaferraioli

60 of 100

Codes of COnduct

on the rise

@amcasari

@juliaferraioli

61 of 100

Underpaid

@amcasari

@juliaferraioli

62 of 100

Unmaintained

@amcasari

@juliaferraioli

63 of 100

OpenSSL Compromise

@amcasari

@juliaferraioli

64 of 100

Pause. Rewind.

@amcasari

@juliaferraioli

65 of 100

Heartbleed

(2014)

@amcasari

@juliaferraioli

66 of 100

Security flaw identified in OpenSSL (cryptography library used in TLS, bounds check bug)
Exposed unencrypted user-data
Also exposed secrets (cookies, passwords, etc…) opening users up to impersonation
Affected websites, phone systems, databases, game services, operating systems, VPNs, payment processors
Compromised at least two major government databases

@amcasari

@juliaferraioli

67 of 100

Impact of open source:

Open source may be distributed, but maintainership isn’t necessarily
Raised awareness that most contributors are volunteers
Many eyes make all bugs shallow, but eyes don’t merge pull requests

What changed as a result:

Increased funding towards developers and maintainers
More research and tooling on open source supply chains
Corporations paying more people to work on open source full-time

@amcasari

@juliaferraioli

[julia]

This really drew attention to the fact that while open source is distributed, maintainership doesn’t have to be. Very few people realized beforehand that OpenSSL was maintained by effectively one person at the time, and maintained entirely on a volunteer basis. While an argument in favor of open source is that “many eyes make all bugs shallow”, the fact of the matter is that a maintainer’s time is extraordinarily limited. In OpenSSL’s case, the maintainer didn’t have enough time, given their job, to mitigate Heartbleed.

This resulted in companies paying the core maintainer to work full time on OpenSSL. It also increased interest in open source sustainability, supply chain analysis, and tooling to support it. Even more companies that relied upon open source saw sponsored development and open source contributions as an investment in their own stability.

Now, back to the song! Time for the chorus - everyone who knows this, please join in!

68 of 100

We didn't start the fire

69 of 100

It was always burning, since

the world’s

been turning

70 of 100

We didn't start the fire

71 of 100

No, we didn't light it, but we try to fight it

72 of 100

Transitive dependencies

@amcasari

@juliaferraioli

73 of 100

Gnarly Graphs, not clean trees

@amcasari

@juliaferraioli

74 of 100

Naming Things is Tricky

@amcasari

@juliaferraioli

75 of 100

“Left-Pad Not in Registry”

@amcasari

@juliaferraioli

76 of 100

Pause. Rewind.

@amcasari

@juliaferraioli

77 of 100

left-pad

(2016)

@amcasari

@juliaferraioli

78 of 100

Started as a trademark disagreement over an npm package name
npm sided with trademark holder
Developer deleted all his npm packages, including left-pad
left-pad was a transitive dependency for many other packages, causing widespread failure
npm restored the un-published package

@amcasari

@juliaferraioli

79 of 100

Impact of open source:

Unpublishing code and releases is perfectly legal under open source terms
Node.js development philosophy led to decreased awareness of dependency complexity

What changed as a result:

Increased visibility of the costs of maintainer burnout
Discussion about maintainer rights and open source contractualism
Additional scrutiny around privately-run package managers for open source software

@amcasari

@juliaferraioli

[amanda] This had notable impacts in both open source and the node ecosystem specifically.

We do have to say that unpublishing code and releases is perfectly legal under open source terms. We’ve heard of the phrase “free to fork” which refers to the fact that licenses outline sharability (or not), reusability (or not), and attribution (or not).

This also put a bright spotlight on the Node.js development philosophy, which led at the time to a decreased awarements of dependency complexity.

As a result, we yet again got a glimpse into the increasing costs of maintainer burnout, as well as kicking off a new round of discussions around maintainer rights and open source contractualism.

There was also additional scrutiny placed around privately-run package managers for open source software, which remains a contested discussion with the current emphasis placed on “securing the software supply chain.”

Okay, we were on a roll. Deep breath. Let’s go back to the song.

80 of 100

What was once community

@amcasari

@juliaferraioli

81 of 100

Now’s Become a “strategy”

@amcasari

@juliaferraioli

82 of 100

Driving towards the stock exchange

@amcasari

@juliaferraioli

83 of 100

Yet Another License Change!

@amcasari

@juliaferraioli

84 of 100

Pause. Rewind.

@amcasari

@juliaferraioli

85 of 100

licensing…wars?

…shifts?

(2018-present)

@amcasari

@juliaferraioli

86 of 100

Companies started to use open source as a business strategy
Simultaneously, The Cloud was becoming the new standard
Cloud providers started offering managed open source-as-a-service
Companies who developed the open source found themselves not realizing profits from these managed services
In response, they moved away from open source licensing for their pro[je|du]cts

@amcasari

@juliaferraioli

[julia]

So, we have done an amazing job at convincing people of the value of open source. Well done us! The pendulum may have swung a bit far though, and what was once an expression of freedom, counterculture, and a bit of subversion became part of a business model. Companies developed open source software with the goal of monetization.

Additionally, it was around this same time that the big next thing, called "The Cloud" offered companies a way to not have to be in the datacenter business anymore. It gave them flexibility and the ability to focus on core differentiation instead of optimization. Service providers saw the opportunity to further take load off of their customers by offering to run these open source projects as managed services.

This effectively cut the companies who developed the software originally out of the equation and missing out on the anticipated profits of their investment. So they explored other options, and in some cases switched away from open source models altogether.

87 of 100

Impact of open source:

Cloud providers adhered to the terms of the license
Made scaling open source technologies easier for customers

What changed as a result:

Introduction of open core and source available licenses, but falsely branded as open source
Exposed weakness of open source as a business model
Schismed the contributor communities, in some cases
Started conversations about open source citizenship as practiced by companies
…and also, capitalism?

@amcasari

@juliaferraioli

[julia]

Dramatic oversimplification, I know.

I have personal opinions on this matter, which are not uncontroversial, but the long and short of an analysis will show that cloud providers did exactly what open source allows them to do. Were they monetizing open source? Yes. Had others done this before them? Yes. Was it the same way that a proprietary product uses open source? Not necessarily, but the technological landscape had shifted towards developer productivity in a way it hadn't before.

This has had a tremendous impact on open source. We saw and still see a muddying of the open source waters, with the introduction of terms such as "open core" and "source available" as companies try to keep their reputations as open source companies without actually being open source.

We have seen public, capital F Forks that attempt to keep the project going as it had been prior to relicensing. In some cases, that has bifurcated the community around the project and led to confusion.

There's also an increasing discussion around how companies can participate in the open source ecosystem in an additive way, and sometimes even more important in the ecosystem's view, how to do so in a way that can be measured and verified.

Oh and yes, we talk about the intersection of open source and capitalism. We always had been talking about it, but it has shifted.

You know the drill – one final chorus to wrap things up!

88 of 100

We didn't start the fire

89 of 100

It was always burning, since

the world’s

been turning

90 of 100

We didn't start the fire

91 of 100

But when we are gone,

It will still burn on….

92 of 100

and on, and on, and on, and on, and on, and on, and on….

93 of 100

We Didn’t Start The Open Source Fire 🔥

@amcasari

@juliaferraioli

94 of 100

#TODO(everyone)

95 of 100

Transparency is no longer a core tenet.

@amcasari

@juliaferraioli

96 of 100

Glue work is critical but not recognized.

@amcasari

@juliaferraioli

97 of 100

Narratives are not complete.

@amcasari

@juliaferraioli

[julia] this is something that no one wants to talk about! The history of open source, like most histories, are largely told from one perspective. And that hampers our ability to both reason about how events have come to pass, as well as influences technology decisions in the future. Open source has a cult of personality problem, and that contributes to problems in sustainability, reliability, and overall longevity of the ecosystem.

We need to shine lights on these missing or untold narratives, including the glue work that makes open source go. This may seem at odds with calling out the cult of personality problem, but they're actually two sides of the same coin. An imbalance in celebrating these untold narratives leads to some work being undervalued and flashy, credit-baiting work being overvalued. A sustainability, reliability, and longevity problem.

Narratives are not complete…but they should be.

https://unsplash.com/photos/DZpc4UY8ZtY

98 of 100

No, we didn't light it, but we try stay to fight it

@amcasari

@juliaferraioli

99 of 100

thank you!

julia ferraioli

Open source archaeologist

@juliaferraioli

amanda casari

Open source scientist

@amcasari

100 of 100

References

Black swan theory definition: bit.ly/black-swan-theory

Socio-technical systems theory: bit.ly/sts-theory

Fairness and Abstraction in Sociotechnical Systems: bit.ly/fat19-sts

Open Source Stories: opensourcestories.org

StoryCorps: bit.ly/oss-stories-storycorps

Open source timeline: bit.ly/oss-timeline

These slides: bit.ly/breaking-the-internet