1 of 39

Open Source is bigger than you can imagine

Josh Bressers

Vice President, Security

Anchore

2 of 39

$ whoami

3 of 39

The data

4 of 39

This is all of the data from ecosystems

5 of 39

Versions per month

6 of 39

How big is big?

8.1 million

7 of 39

How big is big?

93 million

8 of 39

Number of versions

35,000

9 of 39

What has 25,000 versions?

10 of 39

Number of versions per package

11 of 39

How do all the ecosystems compare?

12 of 39

What do the various ecosystems look like?

13 of 39

How big is this really?

4 million total packages

What if we audited 1000 a day?

That’s 11 years of audits

14 of 39

How big is this really?

4 million total packages

What if we audited 1000 a day?

That’s 11 years of audits

And we’re publishing about 8000 new releases per day

15 of 39

How many people are maintaining these things?

16 of 39

Maintainers per package, 0-50 (npm only)

17 of 39

But the popular projects aren’t one person!

1.4 Billion

18 of 39

But the popular projects aren’t one person!

Percentiles

95th percentile is 2000 downloads

So let’s look at downloads > 100,000

19 of 39

But the popular projects aren’t one person!

20 of 39

But the popular projects aren’t one person!

OK, but everything over a million downloads is different!

21 of 39

But the popular projects aren’t one person!

22 of 39

But the popular projects aren’t one person!

ONE BEEELLLION!!!

23 of 39

But the popular projects aren’t one person!

24 of 39

Who is doing this?

Credit: Tidelift 2023 Open Source Maintainer Survey

25 of 39

Wait, what about this downloads graph?

26 of 39

Zoom and enhance (10,000)

27 of 39

Zoom and enhance (100)

28 of 39

How many packages are more than a year old?

29 of 39

Also CVE growth

30 of 39

NVD is broken

A consortium can fix it!!!

31 of 39

CVE by year

32 of 39

The Kernel

33 of 39

The Kernel

34 of 39

Everyone is being crushed

35 of 39

Are we doomed?

Probably not

36 of 39

What’s the point of it all?

“If I had an hour to solve a problem I'd spend 55 minutes thinking about the problem and 5 minutes thinking about solutions.”

– Albert Einstein

37 of 39

It’s an infinite game

Finite Games: Known players, fixed rules, an agreed-upon objective (e.g. baseball).

Infinite Games: Known and unknown players, changeable rules and the objective to keep the game in play (e.g. the cold war).

38 of 39

Open source is different

There’s nothing wrong with open source; this is how it works

There’s something wrong with what we expect from open source

39 of 39

Questions?