
Open Source Summit 2023 - Open Source is Winning, But We Can Still Lose


Open Source databases became more popular than their proprietary counterparts in late 2021, which is a big thing.
While this may be a win, there are still several areas where the commercial competitors do much better.
First, there is a lot of handholding for customers during trial periods and nearly constant outreach to ensure product adoption.
Second, error messages are often written by junior developers (the least skilled), who give often cryptic declarations of the issue at hand to the befuddled.
And we often treat projects that drive billion-dollar companies as if they are still a group of hobbyist coders.
In short, we may have a better product, but the environment around using that product needs to be upscaled rapidly or we risk sliding back into the days of proprietary-dominated, software-constrained lives.

David Stokes

May 19, 2023


Transcript

  1. © Copyright 2023 Percona® LLC. All rights reserved. About This Session (the session abstract given above).
  2. Hi, I am Dave Stokes, Technology Evangelist for Percona and author of MySQL & JSON - A Practical Programming Guide (more on my sordid background later).
  3. https://world.hey.com/vini/the-sacred-80-column-rule-5d2d5c9e “Thou shalt not cross 80 columns in thy file.” The sacred 80-column rule originated from IBM 80-column punch cards, was reinforced by early terminal and printout restrictions, and is still common in coding standards today, including the Linux kernel standard.
  4. You’ll never get fired for buying IBM! Ironically, the IBM PC started the end of that well-worn adage.
  5. Before open source, one vendor supplied everything: software, hardware, support, maintenance, and the user group. Vendors: NCR, Singer, RCA, Burroughs, UNIVAC, Digital, Wang, Xerox, IBM, HP. ZERO interoperability.
  6. Operating systems killed off by Digital that I used: TOPS-10, RSTS-E, VAX/VMS, ULTRIX. Your investments in discontinued systems were wiped out when your vendor chose.
  7. UNIX from Bell Labs (AT&T) / UCB ran on several types of hardware. Licensing issues: AT&T was never fun to deal with.
  8. Sort-of Unixes: HP-UX, SunOS / Solaris, Domain/OS, Xenix, and MANY others claiming to be POSIX compliant, with limited interoperability.
  10. Confession! I am a database person and I view the world through a database lens!
  11. Popularity of open source DBMS versus commercial DBMS - https://db-engines.com/en/ranking_osvsc
  12. This forecast is pretty concerning for every database save PostgreSQL.
  13. From Synopsys’s OPEN SOURCE SECURITY AND RISK ANALYSIS REPORT 2023: of the 1,703 codebases scanned in 2022,
     • 96% contained open source software
     • 87% included security and operational risk assessments
  14. From Synopsys’s OPEN SOURCE SECURITY AND RISK ANALYSIS REPORT 2023:
     • 53% of codebases had license conflicts
     • 31% of codebases contained open source with no license or a custom license
     • 89% of codebases contained open source more than four years out-of-date
     • 91% of codebases contained components that had no new development in the past two years
  15. From Synopsys’s OPEN SOURCE SECURITY AND RISK ANALYSIS REPORT 2023: the average number of open source components in a given application this year was 595.
  16. From Synopsys’s OPEN SOURCE SECURITY AND RISK ANALYSIS REPORT 2023:
     • 84% of codebases contained at least one known open source vulnerability, an almost 4% increase from the 2022 edition of the OSSRA report.
     • And 48% of the codebases we examined contained high-risk vulnerabilities, down only 2% from last year. High-risk vulnerabilities are those that have been actively exploited, already have documented proof-of-concept exploits, or are classified as remote code execution vulnerabilities.
  17. Percentage of codebases with vulnerabilities: jQuery 47%, Lodash 31%, Bootstrap (Twitter) 23%, jackson-databind 11%, Spring Framework 10%, Netty Project 6%, XStream 5%, Apache Tomcat* 5%.
  18. 45% of organizations worldwide will have experienced attacks on their software supply chains by 2025 – Gartner
  19. Technical debt actually helps open source!? Technical debt from poor software quality hampers delivery of new capabilities. Like other parts of industry and government, the defense industrial base spends more time and effort correcting technical debt than on proactive, creative, or preventive work. That is to say, slower adoption of open source, and of the innovation, speed, and dexterity it provides, allows archaic practices to persist. But technical debt and heavy regulations are slowly giving way, enabling more usage of open source.
  20. Snatching Defeat From The Jaws of Victory: We often have great ideas like Software Bills Of Materials, but it does no good if that information is not reviewed and acted upon. Do we really need 117 npm packages for JSON encoding? What could we have developed instead? (https://www.npmjs.com/) The learning curve for beginners is ever steepening, which does deter some. And politicians have noticed open source too! Beware the law of unintended consequences.
  21. Open Source Licensesesesesessess: there are over 1,400 licenses (Wikipedia.com); over 100 (OpenSource.org). The most popular license on GitHub: “ ” (blank) ↑ This is a BIG problem in our future.
  22. Further, variants or customized versions of standard open source licenses can place undesirable requirements on the licensee and require legal evaluation for possible IP issues or other implications. The JSON license is a prime example of a customized license. Based on the permissive MIT license, the JSON license adds the restriction that “The software shall be used for good, not evil.” The ambiguity of this statement leaves its meaning up to interpretation, and many lawyers would advise against using software so licensed, especially in the context of Merger & Acquisition scenarios. The Lawyer Full Employment Act?
  23. Software ageing like milk: However, of the 1,481 codebases examined by the Black Duck Audit Services team that included risk assessments, 91% contained open source that had no development activity in the last two years—no feature upgrades, no code improvements, and no security issues fixed over the past 24 months. This probably means that the project is no longer being maintained, especially in the case of smaller projects. Open source projects, by definition, are the product of an undefined number of contributors and maintainers. This structure makes open source a collaborative effort, but the challenge is the lack of incentive for contributors to perform maintenance activities. Important projects like Kubernetes often have healthy support, but there are also plenty of projects maintained by only a handful of people.
  25. When you assume … Are we too trusting? npm as an example. Last summer, several malicious packages were found in npm (the default package manager for the JavaScript runtime environment Node.js) that had the capability of harvesting sensitive data from forms embedded in mobile applications and websites. The packages, downloaded thousands of times, typo-squatted other popular and trustworthy packages. Any version of these packages should still be considered vulnerable and malicious. (Examples include Icon-package, Ionicio, Ajax-libs, and more.) Looking back at breaches and notable vulnerabilities over the past five years or so, a common theme is trust. Organizations and end users must have some level of trust in the software they use, and in the people who develop and supply it. Simply put, companies are trusting that every node in their supply chain has the same security and quality safeguards as they do—a dangerous assumption.
  26. Outdated? Of the 1,481 codebases examined by the Black Duck Audit Services team that included risk assessments (see page 7), 91% contained outdated versions of open source components. That means an update or patch was available but had not been applied.
  27. Outdated? There can be valid reasons for not keeping software up-to-date. A DevSecOps team might determine that the risk of unintended consequences outweighs whatever benefit would come from applying the newer version. Embedded software may be at minimal risk from vulnerabilities that can only be introduced from an external source. Or it could be a time/resources issue: with many teams already stretched to the limit building and testing new code, updates to existing software can become a lower priority except for the most critical issues.
  28. Outdated? It seems most likely that the majority of the 91% is due to the DevSecOps team not knowing that there is a newer version of the open source component available—if they are aware of the component at all. Organizations are often most familiar with commercial software, for which patches and updates are pushed automatically, so they don’t have to concern themselves with monitoring for updates. Open source functions quite differently. Implied with the use of open source is the user’s responsibility to be aware and in control of a component’s security and stability, and to seek out new versions and patches for the components as they become available.
  29. How do we audit/report outdated software? Do we need ‘report cards’ on software? Or an easy way to check status? It does not matter if we have millions of eyes on the code if someone is playing ‘Three Card Monte’ with us.
  30. Maybe a college/university program that teaches software engineering and management through the maintenance of abandoned projects? Do we need to adopt homeless software?
  31. A Tale of Two Products
     • MongoDB changed its license to the Server Side Software license: a company that offers a publicly available MongoDB as a service must release the software it uses to offer such service under the terms of the SSPL, including the management software, user interfaces, application program interfaces, automation software, monitoring software, backup software, storage software and hosting software, all such that a user could run an instance of the service using the source code made available.
     • MariaDB’s MaxScale changed its license to the Business Source License; the code will eventually be open source … in a few years.
  32. What are users to do after a license change? Status quo forever, fork the last version, find an alternative, or rewrite around it. Each of these options has its own associated risks and costs, and the choice has to be made after a ‘surprise’ announcement from the vendor. No guarantee the new software won’t change!
  33. What are we to do?
     • What if you do not notice the license change?
       ◦ Exposure
         ▪ Financial $$$!
         ▪ Legal $$$++!
         ▪ Security: what else are you missing?
         ▪ Public: “Cheap #%@$%@!”
         ▪ Future incompatibilities, other vendors
     • What if you do notice the license change and do nothing?
       ◦ Loss of job
       ◦ Financial, legal, and public risks as above
  34. RTFM does not cut it. How do we improve the initial customer experience?
     • Handholding
     • Support
     • Community
     • Education
     Commercial software generally does a much better job guiding the customer’s initial steps.
  35. Hobbyist mentality: too many have this mindset.
     • Lack of turnkey options for many makes commercial alternatives attractive: Ikea is great if you like little Allen wrenches and can read diagrams.
     • Troubles integrating with other packages that are old and familiar: how does this software work with the spreadsheet used in the shipping department?
     • The key tenets of open source are not high on the list of desired features of the general public: that’s great, but how does it help me run payroll on Thursday?
     • We need to stress functionality and adaptability over an elitist stance: artisanal may be better, but what is the bottom line cost?
  36. Going the extra mile:
     “Hi, just checking on how you are doing. I saw you downloaded XXX and I wanted to offer my help if you have questions about getting it up and running. Please ignore this message if you are doing okay, but please contact me if you have any issues or see our website.”
     “Hey, I just wanted to let you know that there is a new upgrade for XXX and invite you to XXX-Con.”
     “Did you know there was a Meetup group for XXX in your area next Tuesday? We’d like to see you and let you meet other users. And we are supplying pizza and soda at 7PM.”
  37. Error messages are your lifeline to the user of your product. Usually they are written by junior developers. The error messages may make sense to those who know, intimately, the source code. Others need GUIDANCE!! ‘Values must be numeric for phone number’ is better than a stark ‘bad value’ pop-up. Avoid obscure references like ‘grok’, skip baseball metaphors if your code is used outside of North America, and refine for clarity. Make error messages polished, professional, and informative - as if your grandma was using your code. Error messages should not be hard to grok!
  38. How do we promote and position ourselves? Marketing is not a dirty word.
     • Improve overall experience, overall image
     • Better coordination along the entire process
     • CI/CD to include SBOM checks
     • Better communication
     We ARE in competition with commercial software.
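Slide 29 asks how we audit and report outdated software, and slide 38 asks for SBOM checks in CI/CD. The following is an added example, not code from the talk or from Percona: a small ‘report card’ that grades the components of a constructed CycloneDX-style SBOM against the OSSRA thresholds the talk quotes (a known vulnerability, a release more than four years old, no development activity in two years). The SBOM, the registry metadata and the package name tiny-json-encode are constructed for illustration, and the vulnerability identifier is a placeholder.

```python
from datetime import date

# Thresholds taken from the OSSRA 2023 figures quoted in the talk.
MAX_RELEASE_AGE_YEARS = 4   # "more than four years out-of-date"
MAX_INACTIVE_YEARS = 2      # "no new development in the past two years"
TODAY = date(2023, 5, 19)   # the talk's date, fixed so the report is reproducible

# Constructed CycloneDX-style SBOM fragment, not a real scan result.
SBOM = {"components": [
    {"name": "jquery", "version": "1.12.4"},
    {"name": "lodash", "version": "4.17.21"},
    {"name": "tiny-json-encode", "version": "1.0.0"},  # hypothetical package
]}

# Constructed registry metadata; a real pipeline would fetch this from the package registry and source repo.
REGISTRY = {
    "jquery": {"latest": "3.7.0", "released": {"1.12.4": date(2016, 5, 20)},
               "last_commit": date(2023, 5, 10), "vulns": {"1.12.4": ["VULN-ID-PLACEHOLDER"]}},
    "lodash": {"latest": "4.17.21", "released": {"4.17.21": date(2021, 2, 20)},
               "last_commit": date(2021, 2, 20), "vulns": {}},
    "tiny-json-encode": {"latest": "1.0.0", "released": {"1.0.0": date(2023, 3, 1)},
                         "last_commit": date(2023, 3, 1), "vulns": {}},
}

def years_between(earlier, later):
    return (later - earlier).days / 365.25

def grade_component(comp, registry, today=TODAY):
    """Return (grade, findings): F = vulnerable/unknown, D = outdated, C = unmaintained, A = ok."""
    meta = registry.get(comp["name"])
    if meta is None:  # nobody can vouch for a component we cannot even look up
        return "F", ["not found in registry"]
    findings, grade = [], "A"   # later checks are more severe and override the grade
    if years_between(meta["last_commit"], today) > MAX_INACTIVE_YEARS:
        findings.append("no development activity in two years"); grade = "C"
    if comp["version"] != meta["latest"]:
        findings.append(f"update available ({meta['latest']})"); grade = "D"
    released = meta["released"].get(comp["version"])
    if released and years_between(released, today) > MAX_RELEASE_AGE_YEARS:
        findings.append("more than four years out-of-date"); grade = "D"
    if comp["version"] in meta["vulns"]:
        findings.append("known vulnerability: " + ", ".join(meta["vulns"][comp["version"]])); grade = "F"
    return grade, findings

def report_card(sbom=SBOM, registry=REGISTRY, today=TODAY):
    return {c["name"]: grade_component(c, registry, today) for c in sbom["components"]}

def ci_gate_passes(card):
    # Fail the build on any F; C and D are surfaced for humans to review and act on.
    return all(grade != "F" for grade, _ in card.values())
```

Running `report_card()` on the constructed data grades jquery F, lodash C and tiny-json-encode A, so `ci_gate_passes` fails the build on the vulnerable jquery version.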
  39. Standards for upgrades: if a library is upgraded on day 1, how long should it take for dependent products to follow? Outside audits? Reporting? How does this impact long-term support options? Example: EXT3 versus distros versus RDBMS.
  40. Project list: projects that are abandoned; projects looking for help (mentors); keep from reinventing the wheel.