Open Source Community Strategy

About

Today I talked with Dawn Foster, the Director of Open Source Community Strategy at VMware.

Dawn and I had a lot of fun talking through the many lessons she’s learned over the past 20 years working with open source communities. If you’re interested in assessing the risks and evaluating the open source projects that your company is using, then you must listen to this podcast – I promise you will learn A LOT!

Transcript

Henry: Hey everybody, welcome back to the 24th episode of Open Source for Business, brought to you by OpenTeams. My name is Henry Badgery, and today I talk with Dawn Foster, who’s the Director of Open Source Community Strategy at VMware. Dawn and I had a lot of fun talking through the many lessons she’s learned over the past 20 years working with open source communities, and for anyone who’s interested in assessing the risks and evaluating open source projects that your company’s using, I promise you will learn a lot if you listen to this podcast.

Now, whether you are a user, developer, manager, or if you’re just curious about the industry, OpenTeams is the place to find the information, news, training and support that you need to thrive with open source software. Now that the introductions are out of the way, let’s dive in.
Henry: Well, Dawn, thank you so much for joining me on the podcast today.

Dawn: Thanks for having me. I’m happy to be here.

Henry: I’m very happy you’re here. I know we had a little chat a few weeks ago and I’ve been really excited to get you on the podcast, so thank you. Just to give the audience a bit of context: you are the Director of Open Source Community Strategy at VMware at the moment, but I’d like to get a bit of an idea of how you really got into your position today, how you got into open source.

Dawn: Yeah, so I sort of joke that I got into open source a bit accidentally. I came out of university with a computer science degree in the mid 90s and I ended up as a Unix systems administrator, and I worked for a manufacturing company who did not like to pay for anything related to IT. So I ended up using a bunch of open source software just because it was what I could use, it was what we could afford, it was what I could do. And so I used a ton of open source software, and then I did some different things at that company, but fast forward a few years, I ended up at Intel around 2000 or so, and they needed someone to help them evaluate which open source developer tools, and Linux developer tools as well, even the non-open source ones like Borland, they wanted me to look at which ones were likely to be strategic for Intel in the future, meaning we should put some time and effort into optimizing those for the latest processors. And a big part of that was evaluating the communities behind these open source projects.

I ended up with this project because they looked at me and they were like, well, you did Unix, which is like Linux, and you know what open source is, which is more than a lot of people back in 2000. So that’s kind of how I ended up with the project, and I got more and more fascinated by how these communities operated, because looking at it from the outside it just looks like chaos. It’s just people throwing code all over the place, and how does this even work? But there are really defined structures, and we know that now, and it’s easier to find, and we have better ways of defining governance and the way these projects work and how the communities operate. I just get so fascinated by that. I eventually sort of turned it into a full-time job, and so I’ve been doing open source community and community strategy work for, I guess, a little over 20 years.

Henry: Wow, that’s incredible. And you would have seen the communities completely change in terms of how they operated. We all moved to GitHub, I think they became a lot more with technology, they worked a lot more and collaborated a lot more over the internet in a much better way. So what are some of the things you actually saw change over those years and evolve, I guess, from when you started to now, within communities and how they operate? I know that you said there were additional governance structures now, we get a better idea of how they run, but I thought it’d be nice to really talk about that evolution of the community and how it works.
Dawn: Yeah, absolutely. There’s a lot of things that have changed over the years. The tooling is certainly one, which you mentioned. It used to be you’d send patch diffs to mailing lists, and people would evaluate them and then eventually merge them into whatever source code repository you were using, and that is a bit of a hurdle for new contributors, for sure. The tools we use now, GitHub, make it really easy to contribute something new to a project for the first time with a pull request. So the tools have definitely evolved quite a bit.

I also think that the behavior in communities has evolved significantly over the years. Codes of conduct weren’t really a thing before, and some of those communities were really toxic. The Linux kernel community, for example, was super toxic, and you either had to deal with it or you had to leave. Now most communities have codes of conduct that are enforced, and we know now that you just can’t let those bad apples run rampant through your community, because it makes everyone miserable and it’s not a good place to be. And so I think the communities now are a lot more proactive about, frankly, booting people, even if they have great code and they’re doing interesting things. If nobody wants to work with them, I think we’ve gotten a lot more proactive about booting them out of the communities.

But the other thing that’s changed a lot is just the conversations around open source, whether it’s in the community or with companies. In 2000, every conversation started with “I’m afraid of the GPL, will this contaminate all of my code? I’m terrified of open source.” This was back during the SCO-IBM lawsuit, and so people were just terrified of open source. They weren’t sure that they could use it, they were super afraid, and so every conversation was convincing them: no, it’s okay, you can use this, it’s going to be fine. And now people just take it for granted. I mean, look at big projects like Kubernetes that run a lot of just the modern infrastructure.
Henry: Definitely, yeah. There’s been a huge advancement in licenses, but also just the communities, like you said, and how they are very different. They’re no longer as toxic. Maybe there are a few toxic ones, but we’re definitely advancing in a great direction. And over the years, what has been your favorite open source project that maybe you’ve worked with or that you’ve seen from the sideline, and why?
Dawn: Oh my gosh, it is so hard to pick a favorite, but I would have to say MeeGo, which was around, gosh, 2010, 2011. It was a mobile open source operating system. I worked at Intel at the time, and this was kind of a joint project with Nokia. It was under the Linux Foundation, but it was a lot of people from Intel and Nokia participating in that, and it evolved out of Nokia’s Maemo community and out of Intel’s Moblin community. And I met so many fascinating people in that community. I had so much fun working. I was one of the two community managers we had: we had me, and then we had someone from Nokia, and so he had coverage during the European side, and at the time I lived in Portland, Oregon, so I had coverage during the US side.

I just met so many fascinating people, and that, honestly, is my favorite thing about open source in general: I have made so many amazing friends over the years, and deep connections and deep relationships with people that I’ve never worked with. We’ve never worked at the same company, we’ve never lived in the same town, but they’re people who, when they come to the UK, will literally stay in my house. Some of my dearest friends are people that I see at all the conferences, so you see them and hang out with them for a week at a time, several times a year, and so you do get to know these people really well, and you have friends all over the world. I can go most places and find someone that I can go to lunch with or whatever, regardless of which city I’m in, which country I’m in, and I find that fascinating.
Henry: It definitely is fascinating, and talking with you, I can just tell that you’re a very community-oriented person. You can understand how the developers are working, you understand how the community is working, you’re friendly, you’re bubbly. What are some of the key characteristics of a good community manager these days? How do you find that great community manager?

Dawn: Oh yeah, so I would say that the biggest thing to look for is actually probably flexibility and broadness of scope. One of the things that is also interesting about open source communities is every single one of them is different. They’re not all the same, and part of the reason I’ve been able to do this for more than 20 years is because every new community that I get involved with is different in some way. There’s always something new, there’s something different. So I do mostly community strategy now, so I’m not directly managing communities, but when I was, my approach to it was different for every single community that I managed, because you go in and you look at things and you talk to people and you figure out what works in that community and what doesn’t. And what I see is that the role of a community manager in a lot of cases is, frankly, problem solving. It’s looking at what’s working and what’s not, and being able to find the right people, find the right technologies, find the right approach to fix things that aren’t working well and that are causing pain for people in the communities.

One example of this was at Puppet. When I worked there, the first thing that I did, the first significant project, was to fix the contributor license agreement process. Now that’s not really a community manager thing, but that was the biggest pain point in the community, because all the pull requests are on GitHub, but the contributor license agreement was integrated into our ticketing system, which was Redmine, and so the developers had no way to know whether this ticketing system was the same as this GitHub ID to be able to match their contributor license agreement. So we built a bot, because there weren’t a lot of bots that did this back at that point. It’s not really a community manager thing, but it was just such a problem in the community that fixing that allowed me to do other, more community-oriented things.

Henry: So you’re really sitting in between all of these developers, and you’re seeing how everything works, all their interactions, all of their processes, and you’re really the glue behind these open source projects. You’re making sure it continues to work, you’re making sure that it continues to improve, that people want to actually contribute, because I understand it must have been probably the biggest thing stopping people from contributing to that open source project.

Dawn: Yeah, it was stopping us from merging their contributions, for sure.
And there are other things that I think are really important for community managers. One of them is being the person who knows who to talk to when something comes up. It’s not really networking, but it’s being able to make connections between people. So if I know that Joe on one side of the project is working on this thing, and Betsy on the other side is working on something that’s almost exactly the same, I should be connecting those two people. And so I actually spent a lot of time behind the scenes connecting people and pointing people to things, and sort of, in a way, being the person behind the curtain in a lot of ways.

There are different approaches to community management and leadership. There’s the “I’m a rock star and I want everyone to know that I’m the leader of this community and I’m really important” approach. That’s one approach. That’s not the approach that I favor. The way I look at it is, if I am so visible in the community that I’m the only one doing things, then that’s not managing the community, that’s doing all of the work and not letting anyone else do anything. So I spent a lot of time just trying to convince people to work on things. I’ll convince people to give talks at conferences, I’ll convince people to submit a pull request for something that they’re interested in, and so I spent a lot of time behind the scenes convincing people to do things.
Henry: And being so involved with the community, you’ve obviously learned a lot over the years about, like I said, how everything works, but also the risks, and also how you actually evaluate open source software projects that a company is using. I know that’s something that you have a lot of experience doing, so can you talk a bit about how companies listening can actually go about that process?

Dawn: Yeah, that is something I’ve become really passionate about lately, and that’s definitely more on the community strategy side of things than community management. It’s something that I’ve started thinking more about in the past couple of years, at Pivotal and then at VMware. I start looking at some of the projects that we rely on and realizing that there are lots of risks associated with this.

The biggest example recently was OpenSSL. This is a couple of years ago. OpenSSL is a technology that almost everyone in the world uses, right? It’s this open source project, it’s used by almost every company in the world, it’s massive. And there was a huge security vulnerability in there, I think it was in the cryptography library, and we all learned that there were a couple of people part-time maintaining this project, and that was it. They had no funding, no resources, and all of a sudden there’s this gigantic security vulnerability that’s affecting almost every company in the world and there’s no one to fix it. They did fix it, and some companies kind of pulled together to get some resources to help improve this particular situation, but it gets you thinking about how many others of these are there, and what are some of the other risks associated with it.

So you’ve certainly got the not-enough-contributors, not-enough-maintainers risk, but licensing risk is another one that comes up a lot recently. MongoDB and Redis re-licensed. The biggest recent example was probably Elastic, when they re-licensed Elasticsearch and Kibana and put those under what is not an open source license, so those are no longer open source projects. And the license that they put them under is problematic for a lot of companies. Our lawyers took one look at it. We do a lot of open source, we use a lot of different licenses, we have some favorites, but they took one look at this license and they were like, nope, we are not using anything under this license within the company. And we have Elasticsearch embedded in a lot of our products, and I’ve been talking to a lot of other big open source program offices, and we’re all in the same situation, because Elasticsearch and Kibana are prolific across the industry. We use them for lots of things within products, and now all of a sudden it’s not open source. You can pay for it, there are some forks you can embrace, and some of those are problematic too. But that’s another big example of a risk that you should be thinking about for these projects that you incorporate in your products.

One of the reasons you end up with this particular risk, the licensing risk, is because it’s not under a neutral foundation. It’s owned by an individual company, and they can kind of do what they want with it. We’ve seen this with other open source projects. And so any open source project, even if it’s an open source project from a big company like Google or Amazon, those two can be problematic, because that company gets to decide what to do with that project, and the rest of us really don’t have much say in the matter if it’s owned by a company. So that’s the other thing that I kind of push towards: neutral governance. Putting these projects under neutral foundations like the Linux Foundation, Apache Software Foundation, Eclipse, CNCF, there’s lots of really good ones. And we do this regularly within VMware. We have open source projects that we start, and once they start to get kind of broader adoption and other people start contributing and there starts to be kind of an interest in it, in a lot of cases we’ll contribute that to a foundation. So we’ve contributed some projects to the Linux Foundation, the CNCF recently, and historically we contributed a few to the Apache Software Foundation. It’s something that I think is important, because I do think it’s a risk. You look at these projects that are owned by individual companies, and that is a potential risk to your company in embracing those, for, like I said, licensing and all kinds of other risks.

And then there are some that are really kind of specific to the community. We talked about how historically there were a lot more toxic communities, but you can legitimately put your employees at physical and mental risk by putting them in projects where there is a toxic environment. Another one is responsiveness. That’s another thing I look at when I look at risk. Does the community respond quickly to pull requests and issues? Do they give good feedback? Do they merge a lot of them, or do they close them without merging them? You can get a pretty good feel for whether you’re likely to get your bug fixes or other patches contributed back upstream by looking at the responsiveness, and if they’re not responsive, that’s a risk, because you could end up with an awful lot of technical debt that you have to maintain yourself because no one will merge your patches.
Henry: Okay, so you really need to look closely at the licenses, how the community works, make sure it’s not toxic, and many other things. But one thing that really intrigued me is the fact that Elastic has done what they’ve done, and where does that leave a company like VMware? You put a lot of time and money towards building critical software infrastructure upon this open source project. What’s the next step for your company then? What do you do?

Dawn: Yeah, and because VMware is large and this problem cuts across our business units, different business units are taking different approaches. Some of them are saying, I’ll buy the commercial license from Elastic and just pay for it and not use an open source technology at all. We have some other business units that are embracing the Amazon AWS fork called OpenSearch, which has a few, I think, governance challenges right now, so I’m not sure that’s a great option, but it’s probably the easiest option for people to embrace short term. We’re actually encouraging our business units, where possible, to replace it with another technology entirely, so something like, for example, Apache Solr, which is a similar NoSQL database to Elastic, but it’s under the Apache Software Foundation, so it’s under a neutral foundation. We’re not going to get the rug pulled out from under us. There might be other things we could replace it with, but we’re encouraging our business units to think about replacing it with another technology.
Henry: And underlying Elastic’s move, is this something because they haven’t been able to really monetize the open source project? So they’ve got VCs and investors on their back saying, hey look, we’ve invested this amount of money, it’s been this amount of time, you said that you could turn this into a viable business. And so now they’ve kind of gone behind and against what everyone originally believed and respected them for, and have completely changed, I guess, the underlying meaning of the whole project.

Dawn: That is exactly the problem, yes. And this is why we’ve seen this with the companies that we’ve seen this with. We saw this with MongoDB, we saw this with Elastic, Grafana Labs was another recent example. But you look at these, and what’s happening is that these companies really haven’t been able to monetize the open source projects that they spend a lot of time contributing to. So if you look at the contributions to projects like Elasticsearch, it’s mostly people from Elastic, so they’re putting all the work and effort into it, and they’re realizing that people like Amazon are making all the money off of it, because they’re repackaging it and offering it as a service on AWS. So Amazon is paying, you know, Elastic, and I’m just using Amazon as an example, this happens with all the cloud providers, they’re kind of in a similar situation. They use these open source technologies, they repackage them and then they sell them, but they don’t really have to give anything back to companies like Elastic or MongoDB or anyone else. So these little companies who are under lots of financial pressure from VCs, or, I think Elastic’s a public company, so from their shareholders, it’s hard to look at somebody else making all of your money while you’re struggling to support the company. And it’s a challenge. I’m sympathetic to the problem they have, for sure, but it’s what happens when you base your entire business on a particular open source technology and don’t have a good, solid business model around how you’re going to make money with it.
Henry: I think you mentioned what might be a red flag to a company that is using an open source project, or looking to see whether they want to use an open source project. A red flag in the sense that, hey look, this open source project might do what Elastic did, or they might change their underlying license in the future. And the one that you mentioned was the governance structure, so I think that’s what it would have been, like the people actually contributing to it, it’s mainly Elastic employees. Can you maybe explain a bit of how you look at that red flag, and how you kind of use that as an indication then to decide whether you use an open source project, and what other red flags are there for companies listening that they might be able to recognize within open source projects?
Dawn: Yeah, one of the things I look at from a governance perspective is I look at other organizations that are in leadership positions, or sorry, employees from other organizations that are in leadership positions. So if you look at, I always use the Amazon example, as that’s one I’m familiar with, you look at OpenSearch, and all of the maintainers and leaders for that project work at Amazon, and you read the forums and there are lots of mentions of “well, we’ll have to discuss that with our internal stakeholders and come back to you with a decision.” So it’s clearly being run like a proprietary product, but it’s being run slightly more in the open, so you can see a bit of how the sausage is made, but not actually participate in the decisions of how the sausage is made.

So I look at a few things with governance. Ideally it’s a neutral foundation and not a company, so that’s kind of step one. Step two would be having clearly documented governance structures that outline how people move into and out of leadership positions, and having that done in a way that’s really clear. There are things you can put in place like contributor ladders, where you start as, maybe you’re triaging issues, and then you can move up to being more of a contributor who reviews other people’s requests, like a reviewer, and then eventually maybe move up into a maintainer position, where you’re making decisions on the project, or even moving into a leadership position, like a steering committee, for example, or a technical oversight committee, something like that. So I look for these leadership structures, and I look for organizational diversity across those leadership structures. If I see a project where all of the leaders and all of the maintainers work for a single company, then it’s pretty clear that that company is making the decisions, and especially if there’s no clear path for any of our people to move into leadership positions, I am unlikely to encourage our employees to contribute to these communities, because all you’re giving them is sort of free labor and never getting to really have a seat at the table.

And you do get into kind of a chicken-and-egg situation, where you don’t want to necessarily put in place really heavy governance structures right away, before you have other people contributing, but you need some structure and you need some path and some understanding of who makes the decisions and how they’re made. I actually think that projects like OpenSearch would be better off if they were just honest about the fact that right now the decisions are being made internally within Amazon, because what they’re saying is the decisions are in the open, we do everything in the open, it’s an open project. But you look at the behavior, and the behavior doesn’t match the values that they say they have as a project. I think that you get a healthier community if people come to the community knowing what they can and can’t do within the community.

Henry: Okay, that makes a lot of sense, and I’m sure it would definitely be very useful for a lot of the people listening.
One thing I wanted to trace back to that I know you mentioned earlier on was the fact that VMware donates a lot of its licenses to foundations. So can you talk a little bit about that strategy, why VMware does it, how it works?
Dawn: Yeah, so I’ll start by talking a little bit about how VMware approaches open source. We look at open source as really the way to get innovation. Right now, most modern software is based on open source projects, like Kubernetes, for example, so by using some of these really common open source technologies, it gives us faster time to market, more access to innovation, increased productivity. But you really only get those benefits if you also contribute back to these projects and collaborate with other people on these projects. So we look at both collaborating in and building diverse communities, so that we can solve our challenges, we get new opportunities, but we also are working on things that solve challenges across the whole ecosystem. And so by building on top of these industry-standard components, we have better products, we have software that’s more innovative, more interoperable, more scalable, secure. But we also think that you get a lot of the advantage by working with other companies. That’s how you get the innovation, right? Sometimes it’s better for the project to put it under a neutral foundation.

So I can give you an example. We have a few cloud native projects, projects like Contour and Harbor, for example, which are in the CNCF ecosystem. They’re cloud native technologies, they’re used a lot with projects like Kubernetes. And what we found was that we were starting to get traction, other people were using these projects, other people were contributing to them, and rather than trying to continue to maintain that internally at VMware, by putting it under a neutral foundation, that reduces the barriers to contribution from other companies, it increases the confidence in the project because it’s not owned by a single company, it’s owned by a well-known foundation like the CNCF. And it just gives people a better experience, I think, for contributing to some of these projects. Because the CNCF has strict requirements for moving from incubating, sandbox and graduated, you run through a process that makes the project stronger. You could run through that process yourself as an individual company, but by doing it with the CNCF, you just get a lot more feedback, you get a lot more people working on it, and so we see that as being a big benefit. What you give up is control. VMware no longer controls those projects, but that’s fine. We’re active participants, we still have a lot of the maintainers, we still contribute, and it’s okay that we don’t have final say or final control over the project, because we’re doing the right things for the industry as a whole, and that’s the way to look at it.

One of the things that we don’t do is we don’t do it for marketing purposes. You see people trying to stuff things into foundations because they think that this dead project, with the marketing forces of a big foundation behind it, will all of a sudden make this, let’s face it, really crappy project better, and that’s not a solution. So we really look at it from the standpoint of wanting to innovate and work with other companies and collaborate with people as being what we look for when we contribute them to foundations.

Henry: I think it’s definitely something I’ve heard a lot in the last few years, people kind of, I guess, trying to just get rid of the technical debt, so they’re open sourcing projects, and it seems like quite a very bad strategy. I know that it’s proven to be a bad strategy today. But that’s all we have time for today, so thank you so much for your time, Dawn. It’s been lovely chatting, and I hope we get to do this sometime in the future too.

Dawn: Thanks, this is a lot of fun. I really enjoyed it.

Henry: Awesome, thank you. And to everyone listening, if you like what you listened to today, then check us out on YouTube, give us a like, subscribe, and if you’re listening to this on Apple Podcasts, then please leave a review letting us know what you think. So thanks very much, everyone. Thank you, Dawn, and until next time.