Viktor
00:00:00.049
There are people who simply think that their main role is typing on a keyboard, and I understand if that's what you think your job is. I understand how disappointed you must be and how much you must be complaining, because your job is no more. You just did not receive the memo.
Darin
00:01:24.621
It seems like right now we have humans that are using AI to add drive-by PRs, expecting 'em to be merged. We also have AI working against some open source projects. They'll fork a project and, hey, we'll get a whole brand new project, and that whole thing no longer exists. But the worst part of this is the people working on open source. What's gonna happen to them? That's what we're talking about today. Viktor, what do you think?
Viktor
00:01:54.944
Oh, it's complicated. That sort of thing. Yeah, that's the answer that always works. I see a lot of complaints about contribution to open source, and there are stories, there are conflicting complaints. Let's start with that, right? Open source projects will complain that people don't contribute to them. Right. Uh, so it's all in the hands of, uh, employees of a company behind the project or something like that. But then also I hear projects, in the past and now much more, complaining that people are contributing too much with AI. We cannot review something this big, right? Or this is slop, and things like that. And I feel very conflicted about all that, to be honest. Because I feel that many maintainers are forgetting that their primary role should be empowering people to contribute to that project, and that empowerment slows them down, and it should slow them down, right? Because it's investment. And I feel that the barrier to entry to open source projects was never lower than it is now. I see that all around. People want to contribute, and of course they're contributing with AI, but then they're receiving, sometimes justified, sometimes unjustified, blockers from maintainers, and I'm not sure how to react to that.
Darin
00:03:32.856
Well, let's think about some of the blockers. Now, initially you were saying this around a company. Let's think about a couple that aren't a company. We have curl, maintained by Daniel. On January 26th, he shut down his bug bounty program.
Darin
00:03:48.268
We have Ghostty from Mitchell Hashimoto, right? Not a company. I mean, he's got the money of a company. We'll leave that there. Uh, but again, he has now shut down drive-by PRs. If you put in a drive-by PR, you're effectively banned from contributing. It doesn't mean that you can't use AI, but you better have a whole thing in place. I am guilty of doing a drive-by PR that I still have to fix six months later, because I added too many tests, because I couldn't justify all the tests. So I need to back out all the generated tests and really just write some real tests. Viktor, you're using AI for daily development? I'm using AI for daily development. Where's that line between AI-assisted and just AI slop drive-by?
Viktor
00:04:37.412
I don't know whether we can distinguish it by looking at PRs. Can you know for certain how much a person was involved in a PR, right? Whether that's a hundred percent human, whether that's a hundred percent AI, whether that's AI, uh, managed by a human. The only way you can figure it out is kind of like, oh, no human would be willing to do this. Right? But that does not feel like a right criteria. So here's what I really think, and that's that the quality of code we do depends in big part on the instructions we give to AI. We probably agree on that one, right? If you say develop a new feature, that's not the same thing as saying, develop a new feature, it should do this and that, you should do it like this, you should do it like that, et cetera, et cetera, et cetera, right? Write tests, or don't write tests. If you write tests, write them this way, and so on and so forth, right? We probably agree that there is a big difference depending on how much information and guidance we provide to AI. Now, if you do agree on that, what does that mean for projects? And my answer is we need to invest in putting those guidelines inside repos, and we need to solve the problem that existed long before AI. And that's that, uh, contributing to an open source project largely depends on tribal knowledge or some obscure documentation that nobody's ever going to read. And that's if you're lucky. Right. So what we should do, at least what I'm trying to do in my tiny irrelevant projects, is, okay, I'm going to create, uh, SKILLS.md or CLAUDE.md. I'm going to create, uh, skills themselves, um, sorry, I said SKILLS.md, AGENTS.md, skills themselves, and so on and so forth. That will serve two purposes. First, when I work on those projects, I want to spend less time guiding things, guiding AI, and more time figuring out what should be done and when it should be done and how it should be done, but also empower potential contributors to do the right thing. 'Cause they will be using AI.
Let's face it, we cannot fight that. I think that whomever is trying to fight and say, no AI in this project, you're making a terrible mistake. Terrible mistake. We just need to figure out, okay, since this is the new reality, how do we make the most of it?
Darin
00:07:16.996
So your recommendation is adding in an AGENTS.md, technically right now a CLAUDE.md, just to cover both sides, and then put all of what we would typically put in a CONTRIBUTING.md in there. But written in a way that's correct for the agents.
Viktor
00:07:36.313
Yeah, I wouldn't say that it's only CLAUDE.md or, you know, there are some skills, there are different directories. There's a lot to be done there. So without necessarily going into details for every specific use case. Right. But yeah, we need to provide those instructions. We need to enable agents to follow the rules that we will set. And I repeat, this is a future tense that I said. I said it intentionally, not the rules that we had.
Viktor
00:08:09.975
I'm not a hundred percent sure yet of all the rules. What I'm a hundred percent sure is that some things do not work, or cannot work, as they were. So here's a paraphrased version of a real conversation I had a while ago, and that's that. Okay, so we got, uh, a 20,000-line PR, uh, we got a huge number of PRs. We cannot allow that because we cannot review all those things. And then I ask, so, um, do I understand right that the problem is that we have now more contributions thanks to AI, and that's bad because we haven't changed the way we review things so we cannot catch up? So yesterday we had a problem that we don't have enough, and now we have a problem that we have too many. Is that the issue? Isn't that a great problem to solve? Right? And if it is, can everything stay the same and we only change one step in a pipeline, in a workflow, in the SDLC? And the answer is no.
Darin
00:09:21.741
You just said it right there. This is a retelling of the assembly line problem that we've had over and over again, except it's all right in the middle of the development cycle, which is what we typically don't talk about; we talk about the development cycle going faster. But even within the development cycle, we've got these steps, even there, that we're getting backlogged in in that use case. Here's one thing I think we could put in. I think it's one thing if you require issues to be associated with PRs,
Darin
00:09:57.696
then if the issue is opened, it should be opened in a certain way. If you're on GitHub, you have issue templates. So you could tell the agent, hey, look, if you're trying to fix something and there's no issue here, uh, you should put in an issue, and then you can attach the PR to the issue.
Darin
00:10:14.106
Right? That would be a sane first thing to do, even if you don't do anything else at this point.
Viktor
00:10:20.324
Correct. Correct. And it goes way beyond that. This is how we create the PR once we are finished. Right? So you were talking about an earlier part of the process. This is what we do. Those are the security issues that we always fix. Those are the security issues that we can say, ah, if we fix it, it's okay, it doesn't matter if you don't. These are the code reviews, right? Uh, how we do them, uh, how we instruct the agent what to do with them. So there is a ton of things to do, and I think that we are hearing those issues mainly in open source because that's the public debate, but closed source is having the same issues.
Darin
00:11:06.002
I wanna stick there with the people. Let's go back to your original example there of we've got too much,
Darin
00:11:12.992
A lot of open source maintainers are not. They're just not, and a lot of them are bailing because, A, they're tired of it. It's like, I didn't sign up for this. I signed up for maybe one or two a month, not one or two every 30 minutes.
Darin
00:11:32.267
So, again, we're trying to figure out, is there a way to deal with this? 'Cause what we used to have was a slow trickle of PRs if we were doing well; now we've got either a garden hose or a fire hose worth of PRs, potentially, depending on the project. How does the human side of this fit in? I mean, how do we say no without going down the path of being sort of, I don't know how to properly say it, but without being totally bad?
Viktor
00:12:03.018
I'm not sure what to tell you, man. It's kind of, we need to enhance the whole cycle. If somebody says I'm overwhelmed by this, the answer is, okay, how can we make it less overwhelming? How can we make you be faster or do less? And again, I will give you only one chance to answer what the solution is, at least within development, how to make somebody more productive, do less, and so on and so forth.
Darin
00:12:33.474
Then we can get also in a big world of hurt, because think about xz. You had somebody that had worked themselves into the project over time, slowly.
Darin
00:12:48.174
We're seeing variations of that, where somebody can use AI to work themselves into a project fast. But if you've got people working themselves slowly into a project and then becoming bad actors, you know, that doesn't help us any, because okay, we went from having five PRs a month now to a hundred PRs a month,
Darin
00:13:07.419
and we need help to review. Great. You bring somebody on, and then all of a sudden they become the bad actor. How do you keep the project safe on that, or not even a project, just within a company? I mean, 'cause there are bad actors now that will send you a laptop and allow you to, they'll work for you and pay you a part of what they're making.
Viktor
00:13:27.546
Let me first say how we cannot approach safety, and that's by blocking everybody. That's how companies traditionally approach safety. I'm going to prevent you from deploying to production because that might be a safety risk. I've seen that many, many, many, many, many times. Not literally prevent, but kind of, you are going to hate yourself at the end of this process so that I can check the box of being safe. Nobody should be allowed to have the option or the power to block everybody because of their interests. Okay. So if there is anything AI is good at, that's crunching data. Nobody can tell me that there is nothing that AI can help with in making things safer. There's the same issue I mentioned earlier. If you have one weak link in the SDLC, everything is weak. Everything is slow. I cannot explain how impressed I am, for example, with CodeRabbit.
Darin
00:14:38.688
Not sponsored, but we'll listen to you. I said they're not a sponsor of the show, but hey, we'll be glad to talk to you. But you're impressed by CodeRabbit.
Viktor
00:14:48.151
Yeah, it catches things. It's not anymore how it was like a year ago or longer, that it gives me some stupid, uh, suggestions. Like, uh, I don't know, the formatting here, spaces instead of tabs, whoa, you shouldn't be doing this, right? It gives meaningful feedback that I would not catch fast. I love it. I'm not saying that I'm not reviewing anymore myself. I am, but I can focus on things that matter and let it catch things that normally I wouldn't catch, simply because I wouldn't have time. So me plus AI makes those PRs safer. Imagine that it's the same quantity of PRs and there is no AI involved. It still helps me a lot.
Darin
00:15:36.077
So if it's you plus AI, plus an AI watching the AI, then you're just becoming a business analyst, effectively.
Viktor
00:15:44.953
I'm becoming a manager. Kind of, did you look at this? Are you sure? Well, what do you think about that? Right? It's the conversations that I did have in my relatively short career as a product manager, right? Your job is to figure out what the team missed, what the team did wrong, and what you think the team did well. That's my role now, and that's very conflicting with... There are people who simply think that their main role is typing on a keyboard, and I understand if that's what you think your job is. I understand how disappointed you must be and how much you must be complaining, because your job is no more. You just did not receive the memo.
Darin
00:16:37.030
We're talking about all of this around open source, but in enterprises, how much of the actual software that is written do you think is not open source? Or I'll flip it around: how many dependencies within enterprise software are open source?
Viktor
00:16:53.718
Okay. That's different than written. Most of what is written in enterprise is not open source, but most of what is used is open source. Yes.
Darin
00:17:03.082
So assuming that is true, and we believe that is true for 95% or greater, right? We'll leave some wiggle room there. What happens when that project maintainer decides, you know what? I'm done. I'm shutting it down. Or they don't shut it down. They just leave it, and the security scanners start picking up on new security items, and then you're getting yelled at by your CISO saying, okay, hey, we've gotta get these things fixed. And your answer is, well, the maintainer is not there anymore. And the CISO says, tough for you. You gotta fix it.
Viktor
00:17:48.785
Exactly. And now actually I had a case, and that was with vLLM. I dunno, the project, that doesn't matter, right? And after a lot of digging and stuff like that, I realized that what I really, really needed is planned for, uh, the second half of this year. Do you know what I did? I just added it, modified it in my project, with a to-do item: check half a year from now whether we should revert this change. I should have contributed, just to be clear, but in that specific case, I did it just so that my part works. Right. Because contributing needs to be taken more seriously. Right. Because there is a very big difference between my use case and everybody's use case. Right. But yeah, I just fixed it. That's beautiful, isn't it?
Darin
00:18:41.809
As long as you can do it. Yes. But a lot of times, well, I know you can. Here's the problem. Sometimes, boy, this is gonna be a broad statement, and I'm glad I'm retired. I've seen in an enterprise not always the greatest level of developers; even though they've been outta school for 20 years, they're still writing code like it's 20 years old. I'm also like that. So we can't expect people to be able to fix something that they're just using, because that is not in line with what is on their table right now to do.
Viktor
00:19:20.584
Well, thanks to that, companies like where I work have business. That's why you pay Red Hat, that's why you get RHEL, for a lot of money, even though it's essentially the same as the open source version. Right?
Viktor
00:19:37.897
Not attacking RHEL now. Just using this example. Yeah. That's when you pay, and that's fair. That's why open source exists. That's how it's financed. I think that the problem is the other direction. What if the value that you're paying for is now much lower with AI? Because a lot of business around companies based on open source was something like, there are two main components. First, you pay somebody to jump in when things go very terribly wrong, things like support. Second is, you can do this yourself. Everything that enterprise options on top of open source are doing, you can do. It's just that you doing this will cost you infinitely more than you paying me for this. Now, what happens if you doing this all of a sudden starts costing less? And that can result in two situations. One is that the price that you're paying needs to go down to be competitive, because essentially if you say it would cost you 1 million, but if you gimme a hundred K, you get it. Now, if it costs a hundred K, I cannot say, uh, if you gimme a hundred K, because you gimme the same amount. Why? Why would I give you money if I can do it, and it'll be done as I need it, as I want it? So either the enterprise software drops in price or it disappears, essentially, or there is a third option. The value that we are giving on top of open source increases drastically. And I'm going to be ridiculous now. If I say, hey, you are going to gimme a hundred K for those five features that would cost you 1 million, then I now need to say, if I want to maintain the price of a hundred K, I'm going to give you 50 features. That means that I need to increase my development drastically, and I cannot do that by hiring 10 times more people, because then my cost is still skyrocketing.
Viktor
00:21:59.772
There is always going to be software done by professionals and software done by amateurs. That does not change. How professionals do software will change drastically. How we price it, what the expectations are, all that stuff is going to change. Professionals stay. The biggest value we bring to the table, or will be bringing in the future with AI, is taste. There are people who have good taste around a certain subject, and there are people who don't. And by taste, I don't mean this cookie tastes great. I mean, you need to be very experienced to distinguish a cheap painting from an amazing, potentially very expensive painting, right? You need to be an art critic to distinguish those. Same thing goes for software. Professionals stay; what they do, very different.
Darin
00:22:58.227
If you're talking to somebody within a company right now and they need to go through and audit their open source dependencies. I mean, there's mechanical ways to do that today, right? We'll know that, okay, what's the license on it? Can we use it? Blah, blah, blah. Okay, that's easy. That's not the type of audit I'm talking about. The type of audit I'm talking about, I think, doesn't exist today: what is the health of the project, of this dependency that we're using? How do we know that we can depend on this dependency for the next five years? I mean, how do we know, is it maintained, right? Is it maintainable, and is it being maintained?
Viktor
00:23:43.400
Correct. That's something that humans cannot do. I dare you to make that assessment for Kubernetes. Because you know why I dare you? Because if you accepted that and we make an agreement that we'll speak only after you're finished, I will never speak to you again, man.
Viktor
00:24:07.850
And that's big. You can say smaller projects are still kind of okay. Let's pick a small project. How comfortable would you be to truly assess curl yourself?
Viktor
00:24:24.412
Mm-hmm. So you just kept trust. Now we can do it. And I'm not saying it's perfect. I'm not saying it's great, but you are more likely to do it now than ever before.
Darin
00:24:37.876
Oh, I can't even imagine what a true audit... Like I said, there's automated tools to help you with the audit. That's not the type of audit, again, I'm talking about. It's like,
Viktor
00:24:49.594
Like, if you want, reload this. Okay. So it's not, we use this library. No, no, no, no. That library within the context of our application, the parts of that library that we use and the way we use it, is it okay or not okay? That's very different from assessing the whole library. Right. Because it always depends on the context.
Darin
00:25:11.465
Right, because you might only be using, here's an example. Let's say you're using the Spring Framework, but in reality, you installed the whole thing for your app, just because, because you know that's what you do, but all you're using is just Spring Security.
Viktor
00:25:31.903
Now, an auditor will tell you that you're wrong. That you need to audit everything. And let me tell you why: because that audit is so cumbersome and it takes so much time, it is so expensive, that we need to audit it not only for what you're doing now, but what you might ever do in the future, which is ridiculous.
Viktor
00:26:04.913
Because once they give you the green light, that's forever. Forever and ever, because I'm never doing it again. And your context will change over time, right? You're using 1% of Spring; tomorrow, you might use 5% of Spring in your application. That's a completely different assessment, right?
Darin
00:26:24.039
Yeah. Because all of a sudden we get a new CTO and they say, oh, Java's dead. Everything's Go now.
Viktor
00:26:29.811
How often were you in situations where you worked with some company and there is a list of things that can be used, and that list probably hasn't been updated in years, and kind of, you're stuck with it? Those are the 10 things you can use. Figure it out, because that's how far we could go with our audit.
Darin
00:26:50.685
It's almost like the Apollo 13 mission when they're trying to fix the scrubber. Right? Okay. We have duct tape, we have this thing, we have this thing, and you have a whole team trying to figure out, okay, how do we do this, to send it up to three people to actually do it?
Darin
00:27:04.635
Oof. All right. So let's talk about some ways that people are trying to deal with this, and I've got some notes on this. Uh, the way Ghostty is doing it, Mitchell Hashimoto requires disclosure of AI use. That seems reasonable. Like, if you're using AI, just say you're using AI. Seems good. Zero tolerance for bad AI contributions. Okay. It seems okay.
Viktor
00:27:30.844
Let me rephrase it and see and hear your reaction. What do you think? Uh, zero tolerance for bad contributions.
Viktor
00:27:41.734
Why does it matter whether it was done by AI or not? Maybe my mom did it. It's bad contributions. That's what you don't want. And what are bad contributions? And here's the kicker. What are bad contributions? Do you really, I don't know the internals of Ghostty, so I'm not speaking necessarily of Ghostty, but kind of, is it clear without doubt what is good and what is bad? Or is it based on somebody's taste? Right. Kind of like, you put on the clothes for tonight's gala, and I will tell you whether I like it or not. And depending on that, you will need to change or not, right? No. We need it clear. If you want to go down that track, then you need to invest time. And I'm not saying that that's Ghostty's case, just to be clear. You need to invest time to say, okay, this is good. Yes, yes, yes. No. No. Yes. No. Yes. No. You can do this. You cannot do this. 10,000 lines in a PR is not acceptable. Cool. What is the acceptable number of lines?
Viktor
00:28:48.159
Yeah. I understand if I would be him. And this is basically a project where I probably don't even want contributions. Cool. Kind of like, it's your project, it's your right to do it. But if you want contributions, then you need to enable people to contribute, and that's not just by making a project public.
Viktor
00:29:16.319
I've been in those projects, to be honest, where I did my contributions and they turned out not to be good. Let me tell you that in all those cases, it wasn't because I was a bad actor, but because I had no idea what is good for that project. Or maybe I wasn't good enough. Either of those two cases is very likely.
Darin
00:29:39.532
So we talked about Ghostty's way of dealing with it. Curl's way: they were on HackerOne, we talked about the bug bounty, and now they've just moved everything over to GitHub, because anytime you put a bounty on something, that tends to incentivize crap PRs, because, you know, hey, you're getting paid. So I don't think that's a bad thing.
Viktor
00:29:59.901
I don't like the idea of being incentivized like that for a PR. I think it's not positive.
Darin
00:30:08.515
There are some funding models that are starting to pop up. Uh, the EU has a program that they're contributing to some open source projects. Uh, one program, called the Open Source Pledge, is they're pledging $2,000 a year per developer, minimum. Now, I don't have all the details on it, but let's assume that that is true. Is it worth my time for $2,000 a year to deal with whatever's coming in to me? Let's break that down. Let's say I work on it an hour a week. Would that be right? No. An hour. How many hours? I don't know. I can't do math. There's typically 2000. You work 2000 hours in a year,
Darin
00:31:00.370
right? 50 weeks, 40 hours a week. If you're in Europe, it's less than that. But going with American here, so if I'm working on something that's, I got 50 weeks. 50 weeks, that means I'm going to make $40 a week. I am going to be making $8 a day if I'm working on it five days a week. This is the same math that I also apply to paying for AI tools. Right. Once you break it down to, okay, what's the daily cost or the daily income? $2,000 is not worth it for me.
Viktor
00:31:40.337
Now let me give you a different scenario. Let's say that there is a project you're passionate about and you work on. It doesn't matter what amount of time you spend a year in this story, right? It's a passion that you work on, and you get 2000 as recognition for that. I think it would be awesome. Is that your kind of source of income? Absolutely not. But hey, Ike cyber on, gimme $2,000. Will that actually be my source of income? No. Would I appreciate it very much? 'Cause I'm already working on it. I'm passionate about it. I work on it. It's a nice recognition, and I think this is going to sound awful from me: money is the real recognition of almost anything. It's very easy and cheap to give stickers and say, oh, you can say that, uh, you can be proud to be a contributor of this foundation or whatever. Right? Everybody can do that. I can do that. I'm gonna give you a virtual sticker if you contribute to my project.
Viktor
00:32:53.856
No, no virtual. Realistically, I need to print it. It costs money. Come on, be realistic. Right. $2,000 sounds awesome. I'm very much in favor of it, assuming that this is not a full-time job, right. This, the project that you would be contributing to, nevertheless.
Darin
00:33:12.223
Yeah. I mentioned the Sovereign Tech Fund that the EU is funding; they're treating public software like public infrastructure.
Darin
00:33:22.228
That is a completely foreign concept to someone like me that lives in the United States. I mean, is that just normal over in Europe, where you just throw things into buckets? Because I know Germany is a big thing about open source, always has been. Right. Their flavor is, uh, SUSE, right? Is that correct? Yeah. SUSE is typically in Germany. Uh,
Darin
00:34:00.844
As public infrastructure, because I'm playing it out, I'm thinking US. It's like, okay, we pay, you know, the government pays for the roads and everything else. Well, the people do through taxes, but you know, the money's there. But then you have the enterprises use the infrastructure. But if the infrastructure wasn't there, the enterprises couldn't be there.
Viktor
00:34:31.805
I mean, I'm not now talking about the quality, but it is, right. There are certain things that... And we can have a long debate where to draw the line. But there are certain things that are better done by governments, and there are certain things that are better done by the private sector, right? Uh, like streets in a city, right? We're not going to have everybody patch their part of the street in front of their house. And I'm intentionally saying city, not kind of countryside, right? And there are some things, and I'm fully in favor of private businesses and all this stuff, but like, electricity's probably public infrastructure up to some point in the US, right?
Viktor
00:35:22.017
Okay. Mostly it's private. Okay. Yeah. Okay. So there are differences. In our case, kind of, uh, internet, electricity, uh, you know, voter, the Republic, and they might be operated by private companies, just to be clear, but they don't own the infrastructure itself. And it makes sense for software to be like that as well. Kind of, uh, to give you an example, when, and without stressing whether it's good or bad, right? But the fiber that goes to my home, that's not from a specific company, so that if I actually choose to change the company, I'm, uh, I'm without internet.
Viktor
00:36:04.113
So, okay. So if you change, this is my curiosity. If you choose to change the provider, you need to wait until that provider brings cables to you.
Viktor
00:36:14.058
All the way throughout. So if, if there is a hundred miles between you and them, that's a hundred miles that they need to bring.
Darin
00:36:28.718
Yeah. So that kind of infrastructure isn't... Yeah. There's very little infrastructure that is purely publicly owned: roads, sewer, water. Now, all those things are,
Viktor
00:36:44.941
Which, sewer? Imagine sewer is, say, kind of like, oh, you just raised, uh, 10 times the price that I need to pay whenever I go to the toilet. You say, yeah, okay, I'm gonna change the company. We are gonna build a sewer system from Wisconsin to wherever you are, and $5 billion later you will have a working toilet.
Darin
00:37:08.648
Yeah, that's... Well, if it could happen anywhere, it could happen in the States, let's put it that way. I'm down with that, so
Viktor
00:37:16.861
Trying to draw the line, just to be clear. But everywhere there are both, right?
Darin
00:37:21.938
Yeah, that was pretty funny. So let's think about certain ways that this can be solved. We've talked about, you know, what we're trying to eliminate is drive-by. So whether it's AI or not AI, right? We want quality so that we can justify spending time on the quality. I'm talking to myself, because I still have to go fix that one. We talked about money, you know, paying the contributors, maintainers. Okay, sure. Why not? That's fine. Companies that are using open, I'm gonna bang this bell again, companies that are using open source internally and not supporting open source financially should be, if they can,
Viktor
00:38:06.197
Let me just put in an additional piece of information. Companies that are using open source, that's a hundred percent of the companies.
Darin
00:38:17.885
Yes, so I will give a little bit of grace on, let's say it's a true nonprofit, uh, okay. Nonprofit. If you can throw even something, that's great. Or at least the backlink of, hey, here's what we're using. Because to me, sometimes we're talking about you're gonna be paid in, uh, exposure. Well, okay. Sometimes exposure is fine in use cases where that's not part of their core thing. But I know a lot of nonprofits that pay for software, so if an enterprise can't pay for it, but a nonprofit can... Mm.
Viktor
00:38:56.113
Look, if, if companies relying on open source, which are a hundred percent of the companies, uh, would stop paying other companies like, like Red Hat and start developing that in-house, uh, that would be great for open source. Because here's what would happen. That enterprise would develop a fix or a missing feature, and they would keep it to, to themselves; they have no interest really to, to contribute back. Uh, but that would be the very beginning. Later on, they would realize that now I cannot upgrade anymore. I cannot benefit from other new things coming in. Eventually you would realize that, and eventually you would realize that whatever you developed in-house on the top of open source or not, whatever, but a significant part of it, you need to put back so that you can continue the upgrade lifecycle.
Darin
00:39:49.208
Yeah, it's, it's foundational to your system. Let's say you're using Spring framework, um, just as an example,
Viktor
00:39:59.487
That that's what most companies will start with. They will fork it and they will add whatever they're missing and then eventually they would realize I cannot stay on the fork.
Darin
00:40:11.586
Well, this goes back to your example earlier. You, you effectively forked by putting in the fix you needed with a TODO. That's effectively a fork.
Darin
00:40:21.825
So people do that all the time and they remember to go back and do the TODO and get back in line and everything's happy because you have a business reason why you need to make that change.
Darin
00:40:34.650
It's not, and you know it's coming or you know that you've submitted it. This, this is another twist of that. You've submitted it and the project declines it, not because of garbage, but it goes against what the project wants to do.
Darin
00:40:51.692
But in, in that case, to me, your answer is forking or moving on to something else.
Viktor
00:40:57.351
More likely moving on to something else, kind of like I would, personally, I would never permanently fork anything. Never, uh, temporarily. Yeah. Yeah. I, I, I do that. It's fine. Kind of this, this will take me through the next two months. But that's temporary solution.
Darin
00:41:18.148
very temporary. What can industry do? I mean, the tooling's gotta get better. So GitHub, GitLab, Atlassian, all those companies have gotta come up with better things. Code Rabbit. Is, I, I will say I have not used Code Rabbit yet.
Viktor
00:41:34.506
Uh, stop. Stop. We need to stop this recording and you need to, to go and, and, and, and use Code Rabbit, man.
Viktor
00:41:50.453
Yeah, and it's not going to be the only thing. There are many other moving pieces, but yeah.
Darin
00:42:01.323
Just like how we used to think when GitHub was just a first GitHub, it was a Git repository. Then they added issues. They added actions, they added, you keep going, right? They added all the other things.
Viktor
00:42:12.760
Here's a simple, ridiculous example of, of an amazing value. When GitHub added the check that actually prevents you from pushing, uh, or permanently pushing something that has, uh, a vulnerability, like an exposed password, that was one of the most amazing features they ever added there. And you know, what happened is that I noticed that I started pushing passwords and my credentials to GitHub only after they implemented that feature. I dunno if you know that. I, I was never pushing it before or.
Viktor
00:42:52.224
That's when I started pushing because I, I, I, I was never aware that I pushed a path for the credential until that moment. So it must be that I never did it.
Darin
00:43:02.941
Just never. Yeah. Okay. What about foundations? We talked about, I, I, I hesitate using the word burnout, but people just get fed up and it's like, or they're like me, they just age out and just don't wanna work on stuff anymore.
Darin
00:43:17.315
Uh, what, you know, what can foundations do? I mean, like the, the side thing has been mental health, but it's, it's just been a side play for all the foundations. Does that need to be escalated within the foundations? It's like, Hey, look, if you want the project to last, here's things you need to do to make it have longevity, like proper, like, okay, this is one thing because again, I'm getting old, proper planning for when people leave. Right. Somebody comes on day one. You need to go ahead and have an exit plan for them on day two or soon.
Viktor
00:43:50.368
Especially, I think that, apart from it being better for a foundation to own it than any single entity, which we probably agree for the community, not necessarily for business, the critical role of a foundation is establishing rules like those that we were talk, uh, discussing before. Like, here's an example. You cannot graduate a project in CNCF without having a serious security audit. And that's very important because there is a clear rule, kind of like this needs to happen for you to do that, and it's a clear signal to the users. Okay? So graduated pro uh, projects passed a security audit. I don't even need to think about it. I don't need to wonder whether it happened or no, because that's, that's one of the many rules that the foundation set,
Darin
00:44:47.929
I could go off on a different tangent there, but I'm gonna ask one question. Once something has graduated, does it ever get a security audit again?
Viktor
00:45:01.690
So that does not mean the secure, just to be clear, uh, security experts are coming all the time. It's just that yeah, you follow certain patterns and it's not only a security audit, but also that, part of that security audit is whether, uh, your processes are relatively safe, right? So it's not only what is the current state of your code base, which is a big part of it, but also what is, what are your processes? How do you accept the PR? How do you merge a PR?
Darin
00:45:35.126
type stuff. Right? That, that, that amount of rigor has to go into place. I just wasn't sure if it, like, if it was a one and done or if it happened again at some point.
Viktor
00:45:45.049
One is when you're graduating. Yeah, that's, that. That's the one that will give you the headache. You cannot imagine, right? And it's a good thing. But it continues after that to a lesser extent.
Darin
00:45:58.365
I'm gonna bring up one thing that might be a bit controversial in order to minimize all these extra PRs coming in. Again, AI or not AI, let's just change the license to a BSL type license and move on. Leave the source available. But make it BSL and that way you don't have to worry about it. 'cause nobody in their right mind would submit PRs to a BSL licensed project. Right.
Viktor
00:46:27.332
Nobody would, in their right mind, make a serious investment in a BSL project. Not that nobody would submit a PR. Would you
Viktor
00:46:46.323
No, but I don't think it's a joke. I mean, kind of I'm thinking, I'm not submitting anything, but low effort to BSL.
Darin
00:46:55.582
But that is a, an option for projects that just don't wanna deal with the mess anymore. Just change your license
Darin
00:47:09.648
Nothing wrong with that. I know companies that have done that and they've been successful. I, I think that's fine.
Viktor
00:47:16.451
Where I might see things differently than many other maintainers is that I think that contributors should be cherished and trained over time. Right. I, I, I want to get the person who knows nothing about the project and invest time in that person. So that person next year is a really, really productive maintainer of the project. Right. That's probably, that's what I believe we should be doing. And we should be doing the same thing with agents. They're going to make a mess and we are going to learn from it and we are going to add additional skills, rule sets, memory files, whatever it is, and it's going to be slightly better and it's going to be slightly better, and so on and so forth. And we will get to the point where hopefully there will be a project. Here's my prediction. There will be projects that over time will establish such good guidelines for agents that we will be discussing whether that feature should be like that or not. Whether it is a valuable addition to the project or not. Whether the direction is correct or not, not the code. We will get to that point. I'm a hundred percent sure of that. It'll take time. It'll be complex. It'll cost a lot, but we'll get there and we will in the future be discussing whether this feature should function like this or not when we review PRs.
Darin
00:48:55.395
What do you think of this? Open source has always had a, a free ride problem, a contribution problem. AI didn't cause it, but it's supercharging it. Do you agree or disagree with that? You're silent, so I guess you agree.
Viktor
00:49:27.443
Thank you so much for listening. Tell, tell me whether you agree or not now. And now he, he comes the tricky part. I disconnected myself. I thought it's an out auto.
Darin
00:49:37.530
Oh, okay. Okay. So open source has always had a free ride problem and sometimes a contribution problem, right? Sometimes we have too many people using it for free and not enough contributions. That's been around in general, right? That's not all projects, but most projects. AI didn't cause the problem, but it's supercharging it now. It's potentially, okay. AI is forking it. Going back to what we were talking about earlier, or we're getting a lot of drive-by, I'm assuming you agree with that statement, right. AI is fundamentally changing, for good or bad, how we deal with open source projects.
Viktor
00:50:13.703
A hundred percent. It's fundamentally changing. I have no answers. What will it look like? But it is fundamentally changing it. Yes, I will. I will drop one more thing here. And this is going to be science fiction. This is the future. What happens when agents are picking the projects and not you anymore? Eh? What happens when you tell the agent, I want this, whatever that is. He says, okay, I need those three projects to do that. That would change the, the open source landscape.
Darin
00:50:52.650
I am effectively doing that today because I'm writing in languages that I don't know, or AI is writing in languages for me that I don't know. So it's picking the libraries that it wants to use because it knows about it.
Viktor
00:51:04.601
But right now it is picking. Okay. So I think that this is the change we will get. Right now it is picking based on its knowledge. What happens if you get to the point where it is not picking based on its training, but it goes shopping,
Viktor
00:51:26.054
right? It goes in analyzing and saying, okay, I'm not going to rely on my training. I'm going to do the same thing that you would do, Darin. Now, if you would start a new project, you would probably spend some time investigating and, right. Shall I do it like this? Or maybe you would do it as you were doing it always, let's say the former, right? Uh, we might get to that point. Then it is making purchases or at least recommending purchases. Okay. So to do what you just asked me, I will need 5,000 bucks of investment.
Darin
00:52:01.864
And you'll either happily say, okay, do it, or you'll say, no, thank you. It sounds like a variation of the OpenClaw experiment that Jeremy Olson was doing. The guy we talked about on the live streams on Friday, he had an OpenClaw thing running that's named Max Token. You watched it on Twitter or X, and basically he gave it a thousand dollars. It's like, Hey, you've got a thousand dollars. You have to keep yourself alive. And I haven't kept up with it where it's at, but basically it's creating its own projects to pay for its own compute and everything else.
Viktor
00:52:38.206
Now what do we do now? Forget about the, what were we doing in the past and that, that we were always trying to balance the price of purchasing and price of doing. Doing it costs money. We pay people to do stuff. Purchasing costs money. We pay somebody to get part of the solution. Right? And the, there is always a balance between those two, We don't build our own operating system. That would cost, that would be much more expensive than getting one for free or paying right now. When agents start analyzing those things and saying, okay, this will cost me this amount of tokens. Or I can buy this, I can buy those three things and then spend, uh, 3 million tokens instead of, uh, 1.5 million tokens. Then actually that's the optimal solution. Let's go.
Darin
00:53:29.021
Actually, it'll spend 1.5 and then realize he can spend another 1.5 watching Netflix. And they're, they're just like us. So Viktor, these questions are to the listener, so you can go take a nap now. Uh, if, if you're a team lead, uh, one thing you might want to consider, if you haven't done a dependency audit yet, try to go beyond just running the standard tools. Take a look at anything that's really important to you. Figure out what is the true health of that project? Is it active? When was the last release? Figure out those things, because is it abandoned, and is that putting you potentially at risk or not? If you're running an open source project, you might wanna take a look at how Ghostty and curl are doing it, and that way you need to protect your time as a maintainer. So what do you think? Over to the Slack workspace. Go over to the podcast channel. Look for episode number 346, and leave your comments there.