Scarf Sessions is a new stream where we have conversations with people shaping the landscape in open source and open source sustainability. This post gives a recap of the conversation Scarf CEO Avi Press and I had with our guest Stefano Maffulli.
Stefano is the Executive Director of the Open Source Initiative (OSI) and a long-time advocate of open source. He joined us to discuss the standards that should exist around open source packaging and distribution. He also talked in more depth about what the OSI is currently up to.
For the full interview please see the video posted on our YouTube channel.
The article quoted Avi, who talked about how Scarf was able to leverage its distribution data to uncover who was downloading and using our packages. Scarf noticed the Russian government was downloading some of its packages and moved to block the traffic. “Scarf will be blocking all package and container downloads originating from Russian Government sources until further notice.”
Stefano was excited to see a tool that maintainers could leverage and feel empowered to stop bad actors using their software.
Stefano: "As maintainer of a project or as a developer of some open source software, you have no ways of limiting the nasty usage of your software. It feels like you have no way to empower, you know, using your powers to say, look, I don't want my software to be used for nefarious purposes.
And, that's why, you know, while we were having these conversations about whether the open source movement can have a say to help populations that are being attacked by an oppressor. That's how you and I met."
What can open source developers do about bad actors?
Both Avi and Stefano agreed this was a complicated topic. What kind of powers do maintainers have?
Open source software is pervasive but what tools do maintainers have to stop bad actors?
Stefano: "We feel like we must use the tools that we know how to use, which is our licenses and copyright and contract law."
Stefano also mentioned that the current tools developers rely on are not powerful enough because, for example, bad actors are not going to obey the law.
Stefano: "On one hand, you enable dissidents with strong encryption. You enable free speech. On the other hand, you also empower terrorist organizations to go, you know, behind the surveillance. So I think a lot of the conversations that I hear about the role of developers in civil activism is relying on tools that are not really powerful enough in my opinion, like contract law or copyright."
However, distribution data is another tool maintainers could use.
Maintainers can also be creative with how they block the usage of their software. Many maintainers and open source communities stop bad actors by refusing to provide support.
How do you see distribution playing a role in any facet of open source?
Avi believes distribution plays a role in every facet of open source.
Avi: "Yeah, I think that distribution plays a role in pretty much every one of these different sections when it comes to things like security. How do we respond to CVEs when we find them? Knowing what organizations rely on a given vulnerable package can make it a lot easier to you know, to do damage control and tell people that they need to upgrade proactively."
"I think when we talk about, “how do we make sure that open source developers are building financially sustainable projects or secure projects?” It really comes down to having the distribution data. And having observability into that can really enable a lot of these opportunities.
I think distribution touches just about every aspect of this. And we're really just starting to scratch the surface on kind of the various ways, which this can be powerful. And I think the same thing for all the political activism aspects that we were talking about. This just gives you another tool in the tool chain that you can use to, be creative as was said earlier."
What kind of standards, if any, should exist for open source packaging and open source distribution?
Stefano reiterated that the OSI is the steward of the open source definition. It doesn't write the definition but maintains it for the community. He believes more conversations about developing standards for distribution should be encouraged among stakeholders.
Avi made the point that these conversations are important. For example, many package registries do not require two-factor authentication. This means a single person with the power to push a new package version to millions of devices overnight is protected only by a password that could easily be leaked. He reiterated that it is vital for the OSS community to have best practices and standards around these kinds of situations.
What are the latest problems or questions when it comes to licensing, as it pertains to the OSI?
The OSI is starting to investigate the impact of artificial intelligence on open source. Stefano talks about how AI is a weird blend of software and data that blurs the line between what users own and no longer own when sharing their content.
Stefano proposes questions like:
What kind of licenses should be on top of an application that uses AI?
What are the rights of the user and the rights of the developers?
He reiterates that changes to technology always bring new challenges to existing standards and definitions.
What do you think the next 20 years of open source look like?
Stefano: “Our role in the next 20 years is to continue educating and advocating the benefits of open source and to continue to build bridges so that these open source communities can continue to evolve and thrive around new challenges.”
Avi agreed collaboration within open source will help us to continue developing processes and systems that keep open source sustainable and secure.
He mentioned that Scarf is now a sponsor of the OSI.
To that end, we encourage others to consider becoming a sponsor or donating as well. Together we can all work to advocate the benefits of open source for the next 20 years and beyond.
We're thrilled to announce that Scarf has successfully completed the SOC 2 Type 2 examination! This might sound like legal jargon at first glance, but let’s break down what this means for us, our users, and the open-source community as a whole.
Stefano Maffulli: An Exploration on Standards for Open Source Packaging and Distribution
Scarf Sessions is a new stream where we have conversations with people shaping the landscape in open source and open source sustainability. This post gives a recap of the conversation Scarf CEO Avi Press and I had with our guest Stefano Maffulli.
Stefano is the Executive Director of the Open Source Initiative (OSI) and a long-time advocate of open source. He joined us to discuss the standards that should exist around open source packaging and distribution, and went into more depth on what the OSI is currently up to.
For the full interview, please see the video posted on our YouTube channel.
The article quoted Avi, who described how Scarf was able to use its distribution data to uncover who was downloading and using its packages. Scarf noticed that the Russian government was downloading some of those packages and moved to block the traffic: “Scarf will be blocking all package and container downloads originating from Russian Government sources until further notice.”
Stefano was excited to see a tool that maintainers could use to feel empowered to stop bad actors from using their software.
Stefano: "As a maintainer of a project or as a developer of some open source software, you have no way of limiting the nasty usage of your software. It feels like you have no way to empower, you know, using your powers to say, look, I don't want my software to be used for nefarious purposes.
And that's why, you know, while we were having these conversations about whether the open source movement can have a say to help populations that are being attacked by an oppressor, that's how you and I met."
What can open source developers do about bad actors?
Both Avi and Stefano agreed this was a complicated topic. What kind of powers do maintainers have?
Open source software is pervasive, but what tools do maintainers have to stop bad actors?
Stefano: "We feel like we must use the tools that we know how to use, which is our licenses and copyright and contract law."
Stefano also pointed out that the tools developers currently rely on are not powerful enough, because, for example, bad actors are not going to obey the law.
Stefano: "On one hand, you enable dissidents with strong encryption. You enable free speech. On the other hand, you also empower terrorist organizations to go, you know, behind the surveillance. So I think a lot of the conversations that I hear about the role of developers in civil activism is relying on tools that are not really powerful enough in my opinion, like contract law or copyright."
However, distribution data is another tool maintainers could use.
Maintainers can also be creative in how they block the usage of their software. Many maintainers and open source communities stop bad actors simply by refusing to provide support.
How do you see distribution playing a role in any facet of open source?
Avi believes distribution plays a role in every facet of open source.
Avi: "Yeah, I think that distribution plays a role in pretty much every one of these different sections when it comes to things like security. How do we respond to CVEs when we find them? Knowing what organizations rely on a given vulnerable package can make it a lot easier to, you know, do damage control and tell people that they need to upgrade proactively."
"I think when we talk about, “how do we make sure that open source developers are building financially sustainable projects or secure projects?” It really comes down to having the distribution data. And having observability into that can really enable a lot of these opportunities.
I think distribution touches just about every aspect of this. And we're really just starting to scratch the surface on kind of the various ways in which this can be powerful. And I think the same thing for all the political activism aspects that we were talking about. This just gives you another tool in the tool chain that you can use to be creative, as was said earlier."
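To make Avi's CVE-response point concrete, here is a small added example (written for this recap, not Scarf's own tooling): given download records of the kind a distribution gateway can collect and an advisory naming a vulnerable version range, it lists which organizations pulled a vulnerable build so they can be told to upgrade. The organization names, package names, versions and advisory range are all constructed for the example.

```python
# Added example, not Scarf's code. Records are (organization, package,
# version downloaded); all values below are invented for illustration.
from collections import defaultdict
from typing import Dict, List, Tuple

DOWNLOADS = [
    ("acme-corp", "widgetlib", "1.4.2"),
    ("acme-corp", "widgetlib", "1.5.0"),
    ("globex", "widgetlib", "1.3.9"),
    ("globex", "otherlib", "2.0.0"),
    ("initech", "widgetlib", "1.5.1"),
    ("umbrella", "widgetlib", "1.4.0"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically;
    a plain string compare would put '1.10.0' before '1.9.0'."""
    return tuple(int(part) for part in v.split("."))


def affected_orgs(downloads, package: str, first_bad: str,
                  first_fixed: str) -> Dict[str, List[str]]:
    """Map each organization to the vulnerable versions of `package`
    it downloaded. The vulnerable range is [first_bad, first_fixed).
    An org that later also pulled a fixed build is still listed: a
    download of the fix does not prove the old build was retired."""
    lo, hi = parse_version(first_bad), parse_version(first_fixed)
    hits = defaultdict(set)
    for org, pkg, ver in downloads:
        if pkg == package and lo <= parse_version(ver) < hi:
            hits[org].add(ver)
    return {org: sorted(vs, key=parse_version) for org, vs in hits.items()}


def notification_list(downloads, package: str, first_bad: str,
                      first_fixed: str) -> List[str]:
    """Sorted organizations to contact for an advisory on `package`."""
    return sorted(affected_orgs(downloads, package, first_bad, first_fixed))


if __name__ == "__main__":
    # Constructed advisory: widgetlib >= 1.4.0 and < 1.5.1 is vulnerable.
    print(affected_orgs(DOWNLOADS, "widgetlib", "1.4.0", "1.5.1"))
```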
What kind of standards, if any, should exist for open source packaging and open source distribution?
Stefano reiterated that the OSI is the steward of the Open Source Definition: it doesn't write the definition but maintains it on behalf of the community. He believes more conversations among stakeholders about developing standards for distribution should be encouraged.
Avi made the point that these conversations are important. For example, many package registries do not require two-factor authentication. This means a single person who has the power to push a new package version to millions of devices overnight could easily have their password leaked. He reiterated that it is vital for the OSS community to have best practices and standards for these kinds of situations.
What are the latest problems or questions when it comes to licensing, as it pertains to the OSI?
The OSI is starting to investigate the impact of artificial intelligence on open source. Stefano described AI as a strange blend of software and data that blurs the line between what users still own and what they no longer own once they share their content.
Stefano proposes questions like:
What kind of licenses should be on top of an application that uses AI?
What is the right of the user and the right of the developers?
He reiterates that changes to technology always bring new challenges to existing standards and definitions.
What do you think the next 20 years of open source looks like?
Stefano: “Our role in the next 20 years is to continue educating and advocating the benefits of open source and to continue to build bridges so that these open source communities can continue to evolve and thrive around new challenges.”
Avi agreed collaboration within open source will help us to continue developing processes and systems that keep open source sustainable and secure.
He mentioned that Scarf is now a sponsor of the OSI.
To that end, we encourage others to consider becoming a sponsor or donating as well. Together we can all work to advocate the benefits of open source for the next 20 years and beyond.