Open Source Ready
39 MIN

Ep. #9, The Future of Commercial Open Source with Matt Trifiro

about the episode

In episode 9 of Open Source Ready, Matt Trifiro joins Brian and John to discuss the evolving landscape of commercial open source, the challenges startups face in monetization, and how intellectual property law impacts the ecosystem. Tune in for insights on balancing community-driven development with sustainable business models.

Matt Trifiro is a thought leader in the commercial open source space and the founder of the Commercial Open Source Startup Alliance (COSSA). With years of experience navigating the intersection of business and open source, he helps startups build sustainable strategies for funding, licensing, and community growth.

transcript

Brian Douglas: Welcome to another installment of Open Source Ready. John, how you doing?

John McBride: I'm doing great, Brian. I've been going deep on some AI personal projects, which has been a lot of fun. What about you, how are you doing?

Brian: I'm doing good. I actually just got back from brunch, weekday brunch 'cause it's--

Not usually supposed to talk about like the day we're recording, but it is Valentine's Day the day we're recording. So took the wife out because I've got kids and it's hard to coordinate babysitting when you have kids and all that other stuff.

But I'm ready to go. Got two cups of coffee in and we have a guest. Matt, welcome on the podcast.

Matt Trifiro: Thank you, Brian.

Brian: Cool. So Matt, you actually listen to the podcast quite a bit. We actually had a conversation months ago about just topics around open source, and you've got a pretty good background in the space.

So why don't you let the listeners know, like what you've been working on, what's your relationship with the space?

Matt: Starting with open source?

Brian: Yeah, yeah, let's go with that.

Matt: Yeah, I'm in the center of creating a new foundation that is designed to be part of the open source ecosystem, and it is called the Commercial Open Source Startup Alliance.

There's a couple important things to that. One is, you know, it wasn't that long ago that you'd get some dirty looks in a room if you used the word commercial and open source in the same sentence, right? And I think we've matured as a culture, you know. It's not so much about cramming the worldview down people's throats. Like we can have those discussions, but open source is unabashedly commercial.

Some open source, excuse me, is unabashedly commercial. It doesn't all have to be commercial. And there's a giant economic opportunity to bring more capital into that ecosystem, which will spin off more intellectual property into the commons, which is what benefits everybody in the long run and is one of the benefits of open source.

So I'm trying to build that ecosystem around startups and investors and really create a safe space for anybody who wants to have an open and honest conversation around commercial open source.

Brian: Yeah and the foundation itself, is it officially open?

Matt: It is not. I mean, it's, yeah, yeah, so I'm waiting in line for legal to like form all my stuff. There's some big transactions that are being worked on now, but I've got plans in place.

We're tentatively looking to have an event in San Francisco end of second quarter. So like late May, early June. It will involve a lot of commercial open source stuff.

Should be pretty interesting. But I don't have the legal foundation in place yet, but I know what it's going to be like and then we'll make a big deal about announcing it.

Brian: Yeah, and you hit the nail on the head, which is like when we talk about commercial and open source. Like there is like a cost movement. And I know quite a few folks like in the VC side that have been involved in this movement.

A lot of companies have chosen to think about what the product is and how they make money a lot earlier in the life cycle of open source. So as of recently, we've seen a lot of license changes for stuff that's been established.

We saw license changes get reversed as well. But I want to actually jump in first and talk about this conversation we had off air about IP law. Because I thought you had a really, really fascinating talk around IP law.

Matt: Yeah, it really informs a lot of my decisions that I'm happy to do it. And I think I said, do you know where IP law comes from? And everybody gives me that look.

And it's kind of an unfair question because I don't really expect you to know, but everybody feels like they should know the answer to that. I mean, the answer, so I won't make people twist in the wind.

The answer is Article I of the Constitution, like it is right there. And if you read it, it's very peculiar because it empowers Congress to make laws that give the creator, the author, the musician, the whoever, the inventor, limited time exclusive rights for the thing they create or invent, okay?

But there's a purpose attached to it. There's a purpose and that it is for promoting the Sciences and useful Arts and science is capital S and art is capital A.

So the theory was essentially, and I'm going to simplify it, that the more knowledge and tooling and capability that we can distribute as widely as possible to society is going to have the highest benefit, right? So we don't want to create systems that encourage people to keep inventions secret or ideas secret or works of art secret, okay? We want to create a system that encourages people to do more of this.

So we'll make a deal. And the deal is if you create something and you agree that eventually, it will go into the public domain, it doesn't say it this way, but this is what happens. I agree to put it in the public domain, then intellectual property law will protect you until that happens.

But we know something, and that is everything will end up in the public domain. And so first thing is just the interesting thing, like we should pass any intellectual property discussion through the lens of, is it promoting science and the useful arts?

And I think a lot of times we come up with no, but you know, the government's messy and you never get it right all the time. But yeah, maybe Disney shouldn't have the copyright to Mickey whatever, you know, whatever, you know, they just happened to get an extension the year that it was expiring.

So, you know, it's like in all domestic government, but in general, I think it works fairly well. So what's open source?

Open source is just a different kind of agreement between the community or the developer and the combination of the stakeholders, that the creator who has exclusive rights to that stuff they created, that's all theirs, a hundred percent, is agreeing to accelerate the contribution of that work into the public domain, essentially to make it more available along that spectrum.

So they're releasing rights, they're giving rights to the community away. And so when you start thinking about that, you're like, okay, well there's all kinds of different, you know, first principle ways we could think about what function is open source having?

What function does a project have? What function does a maintainer have? What function does a foundation have? And you know, if we had 10 hours, I'd be happy to tell you all this.

So why don't you pick the things that you either want me to defend, or you want me to double click on?

John: We'll have you on a follow up episode for sure.

Brian: Yeah, yeah, so in the context of, 'cause like there's a lot of conversation around like, okay, we've got some projects. So HashiCorp had, what was it? It's not Vault. Vault actually has another companion project that's open source.

John: Terraform.

Brian: Yeah, Terraform has OpenTofu. And I just talked to OpenBao just last week actually. Which is the Vault version of that.

But who owns the rights of, like, if it's open source, who owns the right of Terraform? Like is it okay that that OpenTofu shipped its competitor?

Matt: I mean, yeah. So there's a written document, it's called a license. And that license says that all the code that's covered by this license, which was up to whatever version HashiCorp had contributed until they changed the license.

And again, change is not the right word, okay? They didn't change the license. What they did is they said, the engineers that we pay so that they can go send their kids through college and write software and put food on the table and all that, the people that we pay to make those works, we're going to keep to ourselves for a little bit longer than we normally would.

So they just changed the license of the stuff from here on that they create with their own money. Which, you know, it's not as evil as some of these other ways of framing it sound.

Now, one thing I will say about it is there was an implicit expectation, right? That was mismatched. And I think both people had a mismatch.

And I think, you know, good intentions, I think if you had asked Mitch Hashimoto, you know, back before he had a corporate board and all that, I think he would've said it's going to be open source forever. That's what I want it to be.

And that's the other thing is I've talked to, you know, part of starting COSSA, I've talked to all these commercial open source pioneers that have arrows in their back because they, you know, did something that was characterized as a rug pull or something like this.

And even if you, you know, reasonable people could argue and say, you made the wrong decision. There's an ethical thing that you just didn't get right here. I can tell you it was painful for all of them.

And not a single one of them is like, I don't believe in open source. Like it was wrong. No, all of them were like, it was the hardest decision I ever had to make.

I was attacked by the community that I love and it wasn't set up right. We never accounted for this situation. We never imagined this situation, and maybe we didn't solve it right. But we didn't have very many tools to work with.

Anyway, I think it's very interesting when you go back to these first principles and you actually talk to the individuals that are causing these decisions. It's a lot less, you know, conspiratorial and it's something we could fix.

Brian: So you're working in this foundation for commercial open source. There's a big question around capital investment in open source and like how money is distributed as well.

'Cause like, not everyone gets to the point where they're like, okay, like actually not everyone gets to the benefit at this point where it's like, oh, we have so much adoption, what do we do next?

So the decisions that eventually take on capital and like become sustainable and like eventually have a business around open source, do you find that it's better if someone makes that decision earlier on?

Or is it something that's okay to like build a huge community and then one day add the company on top of that?

Matt: Wow. I think all paths are reasonable. I mean, I think the reality is different things start for different reasons.

I mean, there's a whole other, so the way I recharacterized the question was where do new open source projects come from and how do they become sustainable?

That's kind of how I think about it. And so where do they come from? Well, some of them come from, because someone's trying to scratch their own itch, right?

Richard Stallman needed to fix the printer driver or whatever, right? It's like some of these things, and I think that maybe it grows in popularity and that needs to take another contributors, or maybe that's just that one person's gift to the universe.

And maybe that's a crotchety old person that has the whole world on, you know, on leverage. And now we have to think of other things to do. How are we going to replace this? All that exists.

But then that's just one model. The other model is you've got an enterprise where you've got, you know, a team of two to 25 people that are working on some really cool technology and enterprise says, you know what? This isn't core to what we do.

We think that if we contribute to the open source, we can get some other peer groups of our company standardizing around it and contributing to it, we'll get more money for our dollar, right? And everybody else will benefit and it'd be fine.

And at that point, like it wasn't a commercial thing. It was commercial in the sense that, let's just take Kafka, it was commercial in the sense that LinkedIn was paying the salaries of the people that were maintaining Kafka, right?

Well, those people decided they wanted to build Confluent. Right? Now it could have continued it just being Kafka and, you know, nobody builds business around it.

And the same was like, you look at the labs at the universities, you know, I mean, that's a path of founding a company or it's a path to just some research that somebody gets a PhD around and then goes and does just something else.

I mean, I don't know if I'm answering your question.

Brian: It is true 'cause like I know a few folks at UC Berkeley or recent graduates of UC Berkeley's like ML programs who now have VC-backed startups, like instantly, like magically have investments.

Matt: Okay, so you did ask a question in there that I think I didn't answer yet, and that was how long should people wait? Okay. All right, so my opinion as an entrepreneur, you should preserve as much optionality as you can possibly tolerate because you really don't know what the future looks like.

And so I wouldn't start by open sourcing my code unless I had a really clear go-to market strategy that depended on that. And then the faster I can open source it, the better.

So if I'm cal.com and I'm like, the way to take on Calendly is da da da da, we're just going to open source this thing and you know, get a big plugin universe going and you know, whatever the strategy, I don't know what the strategy is.

I like the tool and use it, but I don't know what the strategy is, but that was like kind of a day one startupy thing.

So I think you want to preserve as much optionality as possible and when you make the decision, do it very mindfully because there's some one-way doors or some doors that are very hard to not go back from. Once you've contributed your IP to a foundation. Like it's the foundation's IP now, right? It's like a conservation easement on your farmland. You know, an agent in conservancy now owns that.

So here's the other thing. Startups are hard to begin with, but a startup that's trying to both execute a startup strategy and an open source strategy has a, it's a geometrically complex problem. And that's part of my other passion.

That's why it's the Commercial Open Source Startup Alliance is because I think that's where we can have a huge impact. It also plays a way to track good capital, but also I think one way to bring more capital is to make more investible startups and helping them understand those interactions, those complexities.

Like if you decide to have your main growth vector be through your open source community, that is going to change fundamentally, it should, where you get to spend your marketing dollars, because you're going to probably spend a lot more on dev rel than you're going to on Google ads and what kind of salespeople you hire, right?

You'll start with sales engineers probably, I hope, if you're selling to a technical audience. Anyway, you see what I'm saying, right?

Brian: Yeah.

Matt: It's like having a strategy that involved the open source dimension and the other dimension is super complex and I want to help people, you know, give them guide rails so they can make those decisions at the appropriate time and make them with some confidence even if they are, you know, bet the company bets, which sometimes they can be.

Brian: John, I wonder if you have a question because you just open sourced some stuff that you've been working on.

John: Yep.

Brian: Yeah, I don't know if you have a thought for Matt and maybe he can help.

John: Yeah, I have been thinking a lot about this actually recently. So I've been open sourcing and building some AI agent frameworks in Go partly because, you know, there's nothing really that exists like this in Go.

And I think mostly because Go has, you know, some kind of weird abstractions around schemas and JSON serialization, which is critical for AI agents' calling tools. But that's some of the nitty gritty details.

What I've been thinking a lot about is like, you know, part of that adoption piece where it, you know, open sourcing this almost feels like table stakes to get people to use the library.

And then, you know, like years down the road, if I ever wanted to do anything that, you know, built on top of that, you know, I don't think you could even monetize a library even, you know, I know people have done it and I know people have been like sponsored in the past.

I'm thinking of like the Astro team and Sentry or Netlify sponsoring them, basically paying their salaries, like you said. But, you know, the adoption piece had to happen first.

So I sort of see this like chicken or the egg problem where it's like, you know, this is things I'm inventing, that yeah, essentially I'm giving away for free, but I'm never going to get anybody to use my thing that I invented unless I give it away for free first.

Matt: Well--

Your giving it away for free is your strategy for getting people to use it. It's the freemium version of your product if you ever have a product.

You know, I don't want to be like super crass at all, but I think it really helps to just try to look at everything through an economic exchange window, right? Like, look, it is perfectly awesome if what you get out of this is the joy of having other people use it, right?

If that's all it becomes, like I do stuff like that all the time, I have plenty of stuff. Like I'm not trying to monetize my blog post. I spent two days toiling over something and you know, it's a gift. It's a gift.

And I think it's a perfectly reasonable way for an open source project to come into being and exist and maybe eventually go out of existence or maybe eventually turn into something that is amazing.

And the only thing that's going to restrict you, so your trade off, right, you trade off again this way for free, is that there's some chance that someone will beat you to the monetization around your own project.

I mean, that's really the main downside, I guess if you want you, you create your own cap, you enable your own competition in a way that you didn't want to.

John: Yeah. I really want to get you and Adam Jacobs in a room to talk about this.

Matt: Oh, I love Adam Jacobs. Yeah, he was one of the first people I talked to when this wasn't even a website yet. This is like this crazy idea I had.

John: We had him on the show and it was kind of a mind blowing conversation for me 'cause I almost had this reckoning of like all these past open source projects that I've been a part of at VMware and Pivotal and even AWS and like, sort of some of the missteps we've made.

But, you know, one of the things he talked about was when companies quote unquote open core themselves, where you kind of open source the core part of this piece, and then maybe you build on top of it, you know.

And then really you've sort of made it more difficult or you've reduced the actual attainable market for this core piece of technology that now is just out there with an open source license to use.

Matt: I think there are plenty of counter examples where that's not true, Android. How's Google monetizing it?

They're building software on top of it that if you want authentication and you know, these are the expensive things that Google's done, you have to have a license with them and Google get this default search in the Play Store.

And Android is by far, you know, right behind Linux in terms of, well, based on Linux, right? It's kind of reciprocal.

I love Adam and I think the thing Adam, I really, you know, violently agree is you have to know what your plan is. Like, you have to think about it, like you don't have to monetize your open source. You don't have to get other intellectual property contributions to your open source.

In fact, you don't have to truly OSI compliant open source. You know, some of them are these licenses, I don't know which one it is, maybe the business source license, but it's like source available.

So you can read the source code and if we ever go out of business, there's a clause that you can build on top of it, but you don't have a license to do anything with it. You have to get a license from us with that.

But every line of code that we write two years after it's written becomes part of the free version. And you know, maybe two years is too long of the technology, but like, it makes certain open source people prickle and I understand because it's lots of complexity and it maybe it isn't really a good thing that we should have.

But from a, like what are we trying to do from a society standpoint that look pretty good to me. You know, it's like they took, I could have an eight year team patent, but I'm just going to do two years to, you know.

Anyway, I could go on and on and on and on. But I think there's really lots of different, every situation's different and it's hard to put in a box. It's good to have models. You could say, I want to be like that, right?

John: Yeah, I think that's great. I mean, and you even brought up a piece there that I sort of wanted to touch on about, you know, things eventually going back into kind of the societal bucket and you know, forwarding on, you know, the science and arts and everything, those patents and those things eventually landing back in the public domain.

One thing, and maybe I'm playing a bit of the devil's advocate here that sort of pops up for me is the tragedy of the commons and sort of what can happen around these things that everybody's using and then maybe sort of deteriorate away or cause like, you know, more trouble or harm to the ecosystem that they're a part of.

Matt: Yes, I totally know the argument. I totally appreciate the argument, but let's look at what really happens in the real world.

John: Playing devil's advocate here.

Matt: Yeah, yeah, yeah. So we've invented plenty of systems for co-owning cooperatively land, like all the roads in the United States, right?

And we've got a system. Yeah sure, it's imperfect and, you know, but we all contribute to this thing and we all get to use it more or less, right? It's a common, and there's no tragedy there, really.

So when people say the tragedy, the idea is like there's this common thing that's unpoliced, a common resource and that someone's going to go steal and use more than their fair share and the whole society's going to crumble.

And it's kind of like the, you know, why libertarian doesn't work and you know, it's a philosophy, it's a worldview. Okay, but let's really look at this.

So first of all, in real world, the community forms together and they're like, you do that again and you know, we're going to, you know, hang your kid by his feet on the tree, right?

So some of these do solve themselves even if there is a tragedy that emerges that causes them, you know, sometimes we have to, democracies are hard, right? We've got to overcorrect.

Nobody believes that someone's going to really like burn down the garden and then someone burns down the garden. So, okay, we need some rules, no burning down the garden.

John: Right, right.

Matt: So tell me a tragedy of commons in open source. You don't really have to, but if we were to have a deep conversation, you might find one or two, but like there's no tragedy of the commons to Linux.

There's no tragedy of the commons at Kubernetes, CNCF, right? Where is all this tragedy in the commons?

You know, there are some examples where like this person on this thing that everybody's using and he's not underpaid, but you know, it's probably 'cause he's surly and nobody likes him and he can't get a job as much as anything else.

I mean, I don't think anybody's actively trying to not solve for risk in their software supply chain, right? So the premise would be the guy who built this thing, you know, you, that XKCD cartoon with the one guy, the one supporter, and this one thing that everything's good with toppling.

Like, you don't think we can find another a hundred companies that can pitch in a thousand dollars and lose this guy a hundred thousand dollars a year and just say, please do this and you know, now we do that. And he says, no, well, what are our choices? Let's fork it and do our own.

John: Yeah. My hot take on this is that developers, especially solo developers of those types of projects, and I've experienced this honestly, we're very bad at like, marketing ourselves or really like doing the business side of it, of going and asking companies for a couple hundred bucks or a thousand dollars or something.

Like, hey, you use this thing like, help me out. Right?

Matt: Sure.

John: That leads into another question I had for you. You know, most of the examples that I do see around the tragedy of the commons in open source revolve around maintainer burnout and what that can do to the security supply chain within, you know, XYZ, all these other projects that consume a thing.

Is there a maintainer burnout problem? Like what has been your perspective on that?

Matt: I mean, yeah, there's evidence just like there's a bus problem too, right?

John: Ah, yeah.

Matt: So for people that know what the bus problem is, how small of a bus do you have to lose off a cliff before your entire project is gone? And some projects have a bus that holds one person, right?

It's kind of a horrible metaphor, but yeah, it's the bus. I think it's a little a variation on that. And it's actually, those are both variations on how do you build a sustainable project, right?

Like with any organization, right? Like people are going to burn out. It's not like it doesn't happen, it happens in law firms all the time. So what do you do? You have a succession plan, you have, you know, you build systems in place now, okay, so that doesn't exist.

Well, maybe we should go do it. Who should do it? Well, maybe one of these nonprofit foundations can find a little extra budget.

And that's the beauty of a nonprofit foundation actually is like, you know, the Linux Foundation only has 108 funded projects, but it's got thousands of projects, right?

But there's a hundred, maybe say 118, it's something got that it's 10% of the total about that bring in the money. Well, where's all that money go? It goes back to those projects. And the rest is redistributed to those projects that can't fund themselves.

Now is enough of it getting to the right people? Probably not in some cases, but I think it's, again, I think they're all solvable problems.

You know, I don't think there's like, like everybody's trying to like, get away with, you know, getting one more day out of this poor guy.

I just don't think the right systems have been put in place and somebody has to do that and it's hard. I'll give you another example.

Like, I think it's perfectly reasonable that somebody would say, let's say we lightly agree with intellectual property. The people that created are creating value and they're voluntarily giving it over in exchange for something, a business advantage, a community, a dollar, whatever, right?

Let's just assume that, well, maybe the government should buy some of it just like it does with land, right? And maybe it should eminent domain some things that are so important, you know, some secret algorithm that TikTok has.

Let's go pay a fair price for it. Put it in the public domain. We've figured out, we've solved this in other places, right?

Anyway, I just think the challenge is we don't yet have enough literacy in open source to be able to have these conversations, right?

Like all this stuff that we just talked about today, how many rooms could you walk in and like start the conversation where you're at right now?

Brian: Yeah, definitely not a Thanksgiving conversation for sure.

Matt: But even with the practitioners. You know, it's amazing how people confuse these very basic things like free software and open source.

Well, why are they confused? It's 'cause they're confusing. They're used to mean not just two different things. They're used to mean like 20 different things.

Brian: Yeah. And it's also good to note as well is like you look at engineering, let's just say like mechanical engineering, all the practitioners and how long that's been in the field.

Like we're talking hundreds of years from Industrial Revolution, like when it comes to software like 1970 on, like the half-life of engineers, it's much shorter.

I guess what I'm getting at is like, maybe does AI basically make this more approachable? 'Cause this is going to be another one of these hot takes.

Matt: I wasn't expecting that question.

Brian: What I'm getting at is like, okay, I'm hypothetically a developer because I can prompt a full on application and I'm leveraging open source.

So now I'm more in vogue to have this conversation that we're having right now of like, hey, who owns this code? Where does this go?

I guess what I'm saying is like, is there a world where this becomes more pop culture?

Matt: I think it has to.

I mean it's the silent infrastructure that runs the entire planet. And the other thing, the other thing is like, you know, it's not just the software, it's not the thing at the other end. When you think about it, it is the mechanisms that make that thing possible.

And so let's look at Linux. Linux arguably is the largest installed base software that's ever been built. And it probably is one of the most complex pieces of software that's ever been built.

In December, there was one release that I was looking at just randomly and I was like, what is in a Linux release? Because I'm not a developer, right?

And so I'm reading these things and it's like 13,000 patches I'm estimating is from memory. 13,000 in one release from 3000 developers globally. 200 companies paying for a large percentage of those developers to make those 13,000 contributions in one release.

What private company could ever execute an innovation system like that? Not a chance. Think about that. Like, it's a fundamentally different way to bring technology. Like you can't compete against that.

So you better get on top. You better figure out another business to be in like building servers that run it. I actually was going to tie one more thing back to the tragedy of commons because I think this is all really important.

Another difference in tragedy of commons is when we tend to think of the tragedy in the commons, we tend to see it in the real world. It involves a physical resource that actually can be diminished.

The thing about software is there's zero marginal cost to every copy of software. So if you built it and you've done it and I take and do something with it, that's zero cost to you.

The only thing that might be harm is now I can compete with you. But like that's what open source is, right? So I think there is an important dynamic where it's kind of this zero marginal cost, which actually fuels the argument that all of it should be open and free, right?

How can you not give medicine to people who need it if it costs us nothing to do? How can you not give knowledge to people who can make use of it if it costs us nothing to give?

And you're in a whole different place. You're now you've got this ethical argument which, and our compromise is okay, you know, X years.

John: Yeah, this is great. This is great, for me, the thing that I think about again, that, you know, maybe I'm playing devil's advocate here again, is sort of the definition around open source AI and the physical aspects of that.

Because nobody, well, some people are, but people are not taking, you know, the 600 billion plus parameter models and running them on their MacBook or even a cluster of like 3800s or something.

Like, you need H100s and you need like these ginormous pieces of hardware and electricity really, and your power bill is just going to go up, up and up, to run these, to fine tune them to build on top of them.

It seems that it sort of stands in contrast to that ethos of software being a sort of ephemeral thing that just can, you know, transfer bytes here or there. But then we get like open source LLM models. Maybe blockchain was like this for a little while, but that's kind of fallen out of vogue.

You know, it's so much harder without the physical aspects, the physical hardware aspects to actually do open source AI or some of these like big distributed computing things.

Matt: But it's all, it's also hard to run your own supercollider.

John: And somebody made this argument to me about Kubernetes at one point where it's like, it's hard to run Kubernetes yourself.

And I was like, it is, but there's also software systems that are making that easier. And I would say today, it's getting better and better.

So maybe I'm making an argument to my own argument here, but yeah, what would you say to those, you know, like big picture aspects of like big systems that, you know, claim to be open source?

Matt: So let me say, because I think there's maybe different ways of interpreting that question. So is the question, even though the software's free and you have access to it, it's still this like elite group of people that's going to get to actually use it.

John: Exactly.

Matt: Okay. Yeah. So it's an unsolved problem, but how have we solved things like this in the past? Well look at any major infrastructure, I mean a natural thing. I mean, you know, the internet was DARPA before it was private.

So it's very reasonable that the government would step in at some point and, you know, maybe take a university and, you know, take whatever big badass data center they have now and make it bigger and badass, or maybe we'll just inherit the NSA's data center that they're aging out. It's like now a bunch of H100s or something.

But I think there will be a common resource that's made available, like all the other things that are important to life, like electricity and water. And I just think it feels to me like that's what's going to happen and whether you're using it as a consumer or you're using it as a developer or researcher or something like that.

Like we want as many people as possible researching on this stuff. And I think as long as those principles remain in place, which, you know, you don't see very many people talking about.

That's why I think that's the role of like the Linux Foundation and these other foundations.

It's like we should be talking about it. Like this is important, this is valuable to us as a society. This is going to make it better for our kids and it's going to, you know, mean that we can solve all those problems that we want technology to solve. Like what if an asteroid, you know, we'd love to have an answer to that. And if technology and knowledge is more widely distributed, chances are we'll get to that answer faster.

John: Yeah, that's a great perspective.

Brian: Yeah. Well I do want to be conscious of time 'cause I do have a read that I think is really relevant to this conversation. So Matt, my question to you is, are you ready to read?

Matt: I'm definitely ready to be read to.

Brian: Excellent. So there's a paper actually came out of Harvard late last year, I think Q4, about the value of open source software.

I dunno if you've seen this come across your desk. I know Jim had emailed this months ago in his newsletter.

It came out of Harvard and it really pulls out a couple different gems, which is like 96% of all the world's software is maintained by 5% of the world's engineers.

And they used a ton of data, like open data sets for this. The other thing that they showed or came together with was the COCOMO method, which I'll struggle to think of what the acronym is with all those C's, but it's basically like they identified the demand side and the supply side of software.

So it got down to, I think within trillions of how much revenue would be lost if enterprises had to replace the open source they depend on, and then they were able to attribute that to a single engineer. So I don't have the hard numbers, but it's said in the paper.

Matt: Yeah, I think the way that I've interpreted the big number, the 80 billion number, and I believe that's called the demand side number, which means if all that software would disappear, this is how much we would have to pay as a society to recreate it.

And so the argument at a very, one very superficial level that is the economic value of that open source software, which is a big number. But there's a lot of other economic values that suffer from it.

Brian: Yeah, I mean 80 billion is like, I mean that's a huge number, especially considering like, okay, we see things like Terraform, like, ah, man, everyone's on Terraform, like enjoying and like being able to share very quickly, like being accessible to the cloud.

If that disappears, that's a huge notch against everyone who's like dependent on this one system, which is why we now have OpenTofu, which gives us an alternative.

And in the event that HashiCorp makes a different change, I'm actually not even sure what the adoption is for OpenTofu.

I did want to have them on the podcast to talk about, I guess 12 months, I guess 13 months they've been at it.

So it'd be interesting to find out about adoption, but basically I thought it was fascinating. I've been noodling on that because my day job been really thinking about how do you represent your effort and your contribution.

'Cause like a lot of times we're doing open source on the job, off the job on the weekend, how do you show that value back to your employer, that this is important work.

Matt: Yeah, no, it's really interesting. And I think that also gets down to, you know, one of the reasons that the Linux Foundation is successful is because it kind of operates at the center of really the three entities.

You've got the person, right, the individual, me, I have a job, an employee, I'm an employer, you know, I'm a father, all these things. And you have the organizations, you know, that's the company.

It's Coca-Cola or Disney or Joe's Tire Shop. And then you have the projects is the community essentially, it's a community organization that like sustains and holds that project together.

And really all three of those constituencies, you know, are playing a very important role in this. And you have to balance all the needs across them.

And there's value exchanges across all of those. Like, everybody's getting something out of it.

So to your question specifically is that the one thing that makes that not as simple as I just described it as, like these three things, the triangle is that the individuals sometimes are part of an organization and sometimes they're part of a project and sometimes they're just themselves. And so I think the answer to that is you have to show them potentially three different ways to look at it depending on what hat they're wearing at that moment.

Brian: Yeah, it's a complicated problem.

Matt: But that's the answer, right? It's like as an employer, well you said how do you calculate the worth of that? I mean, it's lots of value to the company, right?

So there's a recruiting hiring value, right? I get access to better engineers on my important project potentially.

There's a, I'm one of the cool kids, right? Like nobody wants to work for Walmart, oh wait, they have Linux kernel developers. Okay, Walmart might not be that bad, right?

So there's all these, you know, you can go through a bunch of them. It's not just the cost to the enterprise to replace that software. It's the advantage that the vendor or the contributor gets from all of that as well.

So there's a lot more economic value that's created to the entire system than that one number we have, which is, you know, it's a nice big number and it's a good number, but it's just one piece of a tiny piece of the total value added, I think.

And then what's the value of that being contributed back into society? We should be able to calculate the net present value of that property becoming free to everybody. It's public domain faster.

Brian: Yeah, there's an organization out there has all this data.

Matt: Get those Harvard buffoons back here. We'll talk to them about it. No, but I think, I think you're right, Brian, converting it into dollar value is a really important way to talk about this.

Brian: Yeah. John, did you have any reads?

John: I had a very quick read this week. It was a blog post titled, Leaking The Email of Any YouTube User For $10,000, which that doesn't really make a lot of sense.

This was essentially a bug bounty disclosure from Google that they paid some of these hackers, the $10,000. Because they discovered a way to basically unmask or unwrap the email address of anybody on YouTube, which, you know, kind of a big booboo.

Matt: If you blocked somebody on YouTube, I think, I think if you blocked them, it meant you blocked it across all Google services and there's some Google service like Gmail that exposed the email address that you blocked. It was something like that, wasn't it?

John: Exactly, exactly. And what they used, what they used was an old school Google product that's kind of been rotting away and they just kind of followed the train with this.

And my big takeaway from this is that like, you know, people love to talk about, you know, open source projects rotting, you know, out in the open.

But like big companies have this same problem where they just have these old services and old things sitting around that are rotting away and then being used by hackers to unwrap your email address from YouTube.

Brian: That is fascinating. But if anybody wants to reach out to me on YouTube, please sponsor.

John: There you go.

Brian: Like and subscribe. Excellent. Well with that, Matt, thanks so much for the conversation. This was very insightful. And listeners, stay ready.