Over a decade ago, Marc Andreessen said that software was eating the world and today we could easily say that open source is eating the software world. It’s widely adopted and deployed and has become a key element of the IT landscape. The last year has seen some players shifting their approaches to the market, but have these affected the fundamental values of the open source community? Dr. Thomas Di Giacomo, Chief Technical and Product Officer at SUSE and Cloud Native Computing Foundation board member, joins host Eric Hanselman at the SUSECON conference to talk about some of the dynamics of the open source market. Enterprises are leveraging open source to reduce risk in experimentation and tapping into the innovations that are coming out of the open source community. It’s not always a simple path, but it’s one that more are finding attractive, particularly in light of upheavals in the proprietary markets.
Guest: Dr. Thomas Di Giacomo
Credits:
- Host/Author: Eric Hanselman
- Producer/Editor: Kyle Cangialosi, Donovan Menard
- Published with assistance from: Sophie Carr
Presenters
Eric Hanselman
Chief Analyst for Technology, Media and Telecom
S&P Global
Thomas di Giacomo
Chief Product Officer
Cloud Native Computing Foundation
Presentation
Eric Hanselman
Welcome to Next in Tech, an S&P Global Market Intelligence podcast where the world of emerging tech lives. I'm your host Eric Hanselman, Chief Analyst for technology, media and telecom at S&P Global Market Intelligence. And today, we're going to be talking about open source. I'm here at SUSECON in Berlin and joining me is Thomas di Giacomo, Chief Product Officer and also a board member of the Cloud Native Computing Foundation. Welcome to the podcast.
Thomas di Giacomo
Thank you for having me.
Eric Hanselman
Great to have you here. We, of course, have been spending the last few days, talking all things open source in so many different ways. But I want to dig into a little bit of really some of what's been going on in the open-source world. There's been seemingly some back and forth in terms of what certainly I'd see as some of the original ideals for some of the vendors and providers who've been sort of an open-source sort of shifting back and forth. Maybe start off with a little bit of background in terms of the fundamentals about open source.
Thomas di Giacomo
Yes. Let's start with that. So the open source started quite some time ago and I mean at SUSECON, at SUSE specifically, it really started with Linux as one of probably the largest, biggest open source successful project initially. There's many more to it now so I would argue that open source is extremely successful today. All the innovation is coming from open source. The world is running on open source. So it's from a pure technology standpoint, where they are. People understand the value of collaboration, operability as well.
So like you can easily integrate different open source technologies together. You can try things, you can give that in people's hands to play with that, provide feedback or develop their own extensions to it. So it started with the fact that people wanted to have access to software and to do things with software, then the open-source licensing game as well to put some guidelines around that, what can we do with the software to the code and get access to the code, redistributing the code and all of that. So all great things.
Eric Hanselman
Well, I think in some ways, the success has been large enough that I think for many enterprises, just simply being able to keep up with the explosion of open-source efforts, the pace of projects, the way in which they've expanded has become a challenge into and of itself. But then, of course, they got folks who are actually providing your management of these projects, some level of vetting of the capabilities. Again, as I listened to you know, when I've got my security hat on, ensuring the security of the code.
You've now got a set of options that help to actually give some definition to that and some assurances that the code is securely built, has long-term support in a lot of cases and ways that really make it help it align to what has been sort of the historic enterprise perspective. And then hopefully, maybe bring enterprises into a more agile and innovative mindset. But that's one of the things I've been seeing is weak, so much that's going on.
Thomas di Giacomo
That's a very interesting contrast between the, I wouldn't say it's the wild west, but you get a lot in open source. You can find a lot of things. There are millions of projects, open-source technologies, everybody can start one. It doesn't mean you should adopt it blindly.
Yes. Just because it's out there. I mean, you can test it, but you need also to be guided as an enterprise. If you're not in the IT infrastructure software business yourself, you need some help to understand what it is that you need for your own business needs. So first of all, start with your purpose. So like what are you trying to achieve in terms of your IT strategy and then try to find partners, our trusted advisors to help guide you in the open-source advantage hangar. But in the open-source world. I'm trying to say it in a very positive way.
And because as we mentioned, there's like the health of the community. Is it being driven by a single company? Is the technology sound, safe, future-proof? Is it going to be around? If you adopt a new technology, you wanted to keep running for quite a while. Like you don't want that to disappear the next morning. If your business and mission-critical workloads depend on that, then you need to have some kind of insurance that it will be there for quite some time.
Eric Hanselman
Well, if you look at what the CNCF has been doing, of course, that whole curation process of being able to go bring projects under an umbrella, to bring them through the process of maturation. Again, offering some perspective in terms of what that, how that ecosystem moves forward.
Thomas di Giacomo
So again, best practices in terms of governance, how to actually develop open-source projects and ensuring neutrality, and that everybody has a voice, but that it's also like done in the right way and also vetting that it's not dependent on like one company, there's the right open source license. There's open source and there's open-source, right? So the project we start as well, sometimes with projects by open-source. Like everything we do today is open source. So I've got my engineers, they innovate, they develop.
I've got a project, they play and they do things open source always on GitHub. It's not mature enough to go to a foundation. It's like Sandbox exploring experimentation. Then once you reach a level of maturity, then you can think about there's a need for that. It starts to make sense. The technology makes sense. Let's have that in a foundation of like CNCF.
And in CNCF, you have like 3 levels of project as well as from Sandbox, to graduate with some specific criteria, to move from one level to the other level because it's been -- I mean, a lot of those learnings came from Linux as well. It's been wrong foot, 30 years, 1991, I think it was started. So that's very important. And then that's still only open-source projects. It's not products. So when you mentioned enterprise, what enterprise companies need, they need products. They don't need -- I mean, they get the open-source capabilities, all the innovation, all the technology.
Eric Hanselman
But realistically, you're looking for something, won't you?
Thomas di Giacomo
Exactly. And that they can call somebody if something goes wrong, they can actually have the insurance that is going to be updated, secured. Like I mean, you mentioned security server. Obviously, it's key. We see that every day and then it doesn't come just by magic. So you still have that provider and partner and trusted adviser relationship that you need to work with someone to get this security you need on the open source components that makes sense to you as well, yes.
Eric Hanselman
And it's not the jigsaw puzzle kind of capability. You want to be able to have something that you're assembling into a much larger whole. You're talking about legacy, I caught a conversation earlier that reminded me that container orchestrator, the primary container orchestrator, their Kubernetes has just turned 10 years old just last month. So this is something where we've got certainly communities that have become mature enough to be able to really carry these forward.
But it really is that process of ensuring that all of the different pieces continue to work together, advance together. I touched on my favorite security piece and the CNCF is now investing significantly in code quality and security testing.
Question and Answer
Thomas di Giacomo
And OpenSSL, there are projects like that, that bring actually the security aspect front and center of open source. I mean in the past, there were a lot of discussions about this open to more secure, less secure and like all those type of discussions. And I would argue that today, it's better to see what you have in front of you because then it's not security by being blind, right?
So it's security, by actually have your eyes open and see things. But you need to constantly take that into account, automate processes, build security from the entire chain, the supply chain from 0 and it's a little bit not 0 to 10, but it's every step of the way, security needs to be baked in.
Eric Hanselman
Well, your point is, it's a loop. It is continuous. Well, but I thought it was one of the open-source principles, you have visibility, you have eyes on code and the idea that many eyes can make defects shallow, that you've got lots of folks who are looking at it. Of course, we've been through a couple of situations in which without, I think, a broad understanding, in fact, there weren't a lot of eyes because we didn't have the community support to be able to carry it.
Things like Heartbleed, which most of our listeners know about. But that's one of those things from a CNCF perspective, from a SUSE perspective. These are things that you actually now can have the organized efforts to ensure that there are enough eyes and that, in fact, that there are enough people in code review that you can raise the level of security.
Thomas di Giacomo
That's a life cycle aspect to open-source projects. So at the beginning, everybody is excited about a new open-source project. After 10, 15, 20 years, if you're -- like people might lose interest or they move on, they change job and then nobody is looking at it anymore or except a couple of maintainers and then that's where for very critical components of the security stack, then you want to make sure that it's not depending on one person because that becomes very risky and unfair to that person to begin with, because everybody is complaining about that.
But so we need to step up. Foundation is better also companies. At the end of the day, today, open source is largely being developed by companies who have interest in the advancement, the use and the combination of open-source technologies together, including large cloud providers, including AI software, hardware vendors, including everybody, right? So we have to be grown-ups and come together and make sure that all those security critical projects are being taken care of even if they are not sexy today.
Eric Hanselman
Well, that's some -- one of those challenges that as projects mature, they're less exciting, but yet, nonetheless, critical. If they're the substrate on which most of a set of other capabilities rest, you've got to make sure that, that's solid. But again, one of those things that, especially if you look at the CNCF's efforts, a lot of good things that are happening there in terms of with.
Thomas di Giacomo
Yes, it is. That's something that we need to constantly improve and look at and then we're working on it as a foundation.
Eric Hanselman
Well, I mean, fundamentally, it's ensuring that a lot of that spirit of open source, it continues to carry through. And we've seen a number of, I guess, transitions back and forth, and we'll see where these shake out around licensing and shifts and the idea. I think specifically HashiCorp and instead of shifting, what was an open core model in which the core capabilities were open and available enhancements and such, were wrapped around it. They actually decided that they wanted to shift the way they were actually managing and licensing.
And now, of course, with our acquisition, there's that question of whether or not they're going to shift right back into more fully open environments. It's one of those things that we've discussed in previous episodes about sort of what that shift is and what it means. It can complicate things a little bit in terms of perceptions. It actually does. Now, I'm not judging, every company, they have their business strategy, business model or whatever, at SUSE world, very lucky.
That's actually starting with Linux, the open-source aspect of it is actually empowering us to do more than Linux. So we do cloud-native, edge, AI. We have many solutions now and we have the same model, it's pure open source, not open core, subscription-based. And I think what we got right by introducing enterprise Linux was we are not relying -- well, I mean, we need to -- we take the upstream of insource projects, but we do a downstream product of it, did the exact same source code, but it's two different animals.
You don't manage a project like you manage a product even if it's the same source code. And some companies, when you are a startup, it's very difficult. People often think about that way too late. So if they think about how to monetize the value add that they provide with open-source, too late because they start with adoption, but adoption doesn't mean monetization. So it is true in many early stage.
Thomas di Giacomo
But you're right, it creates confusion in the open source world and some we saw customers that have been using those technologies and they say, "Well, now no one is ensuring me that the open source technologies I'm using today are going to remain open source." And so at SUSE, the answer is yes, it's going to remain open source. But in the broader ecosystem, there's a greater risk that it doesn't happen.
Eric Hanselman
We see changes in licensing terms even in commercial software, which we've seen a lot of.
Thomas di Giacomo
Yes. Now the beauty with open source is that as much as people should not fork things, you can always, if there's enough interest, if there's enough people willing to do something, if you're not happy with the direction of the technology, then take it and do it and contribute and the work. So we've done that with OpenELA with Oracle and CIQ, for instance. I mean in CNCF, OpenTofu another example of that. Now it's not good or bad, but it's an option.
Eric Hanselman
Exactly. If the community wants to take a different direction, if there's something about the way in which a project is headed, it's a great example of, hey, there were concerns about the licensing model. So they headed in a new direction.
Thomas di Giacomo
Because you cannot do that with closed-source. So when you've got a closed-source company, no names, but was changing their license model as well and there are prices, all of that, then you don't have that choice to actually go your own way or even more stack. So yes, so there's some challenges, and I feel like, especially HashiCorp and other companies that if they think about their monetization aspects earlier, much earlier than when it...
Eric Hanselman
Again, early on in most companies, I don't know if the startups that you have what seems like a good idea and that you get into market conditions that maybe change a little bit in terms of where it goes.
Thomas di Giacomo
So with AI, I know it's about data, otherwise not only the source code, so you need to think about all of that as well as data.
Eric Hanselman
We managed to hold off the -- our mean time to AI was actually pretty significant. All right. So...
Thomas di Giacomo
Mean time to AI, I like that. Mean time to AI.
Eric Hanselman
Our listeners have heard. This is one of those things that you tend to joke about. But it is, I think, certainly a very basic change whether or not it is fundamental, existential. I'll leave that up to the greater debate, but it does also open up that world in terms of -- or open up a whole set of new possibilities in terms of what you need for infrastructure, what has to be layered on top of that. One of those things that we see in a lot of our end user research and the voice and enterprise data is that there are greater concerns about openness.
I think because we've been through the transition to cloud, and I think the general idea about, "Wow, we've got cloud capabilities that we can easily access and there are lots of different capabilities." And yet, I think there wasn't a full understanding about the extent to which you could build in dependencies and the way you are building applications in those environments.
And so coming now to AI, I think there's been a little more cognizance of the fact that this is an environment where especially when this is large volumes of what are the most valuable aspects of your business, the data about how it's operating, all of those capabilities. Again, openness becomes that much more about the concern.
Thomas di Giacomo
Yes, that's 2 or 3 main reasons. One is, like you said, with cloud, when people started to develop applications for certain clouds, the portability of that, you can restrict yourself very quickly. And so that's the challenge, like the more services you use from a cloud, the more you lock yourself on that cloud, which might be the right thing to do, right? But then you lose on the portability. And yes, it's today is the same.
So to me, I would -- like the recommendation which we were doing is that you should not lock yourself on one LLM world because it's still moving very fast. There will be very context-based specialized models as well, you want to add your own data to that in a secure private way. So you should like leave your options open for now and really open, not like OpenAI, like open, open. Truly, yes.
And that's why at SUSE, we're having a solution to actually provide choice in the LLM that you use, secure the data as well so that you can actually benefit from the outcome of that without compromising on where you're sending your data and what you're doing with your company confidential later as well because we see -- I mean, in fact, inside SUSE I was talking to the CIO. We had to limit the access of our employees to generally available AI applications because we don't want them to have our meeting minutes, a company data, customer contract data going…
Eric Hanselman
Like most organizations are in that situation?
Thomas di Giacomo
Yes, exactly. And that's a pity because we could do a lot with those tools. So we want to use those tools in a secure way for an enterprise. It feels a bit like the open-source benefiting from the open source technologies, benefiting from AI in an enterprise context. So we need to ensure security, privacy, control and support.
Eric Hanselman
We got to be able to have all of those aspects that you have the ability to control so that you can actually leverage the real value so you don't have those constraints about what you're doing with data, where it's headed, all those capabilities in terms of where that happens to fit. If we think about where this direction is headed, it seems to be one of those things that there is -- AI is giving even greater push to open approaches, not only to the models and capabilities and great that we have a set of open models in at least a number of different avenues today.
But to your point, we are in such an early stage in terms of both model capabilities. I think in many ways, our understanding of the potential of AI, it's applications and where we're headed. There's still so much further to go.
Thomas di Giacomo
Yes. And I mean, as any company at SUSE, we see that from like if you think about your function in a company like from a marketing standpoint, what marketing can benefit from our legal or I'm the CTO here, so I have engineers, and I'm doing a Copilot pilot, right? So and SUSE is very specific because we develop open source products, distributions.
Actually, we stitch or we package a lot. We don't develop that away, we develop upstream with our products, like when we ship to the Linux, we develop 5% to 10% of Linux, of the Linux Kernel, we are very proud of that, but that means that there's still 90%, we don't develop. So it's very different to scale than if you're developing an application, what is the benefit and how can you use gen AI for developments in that context?
What does it mean to the open-source license so the code that you generate with, so there are very interesting topics from an engineering standpoint, use of AI at CNCF, we are working on that as well as the same. I mean, the foundation they have to also have a position on that, can we use gen AI? What's the provenance of code that gets generated? That raises a whole set of questions. More importantly, what are you training on? And what about the licenses? Are you respecting the open source licenses when you do the training?
And then yes, can you push what's being generated without a human? Like at this stage, you need a human to press the button. Like you need someone who is going to review what's been generated and then you could see that like almost completion on steroids. And then that's kind of okay. Let's...
Eric Hanselman
It seemed to have at least enough cautionary outcomes in terms of code quality of what's being generated. Certainly something at least for the near term. Who knows? Maybe we'll get model confidence down the road enough to be able to do more with that.
Thomas di Giacomo
And I think you mentioned that so like it's -- the use cases are still unclear where like people are still finding what they can do with the technology. So the technology is moving very fast. The use cases, so everything is there's a lot of moving pieces.
And again, I think you need to explore as a company, the benefits you can get for your own business based on your processes and then what type of industry you're in. And then once you have your use case, then you should look at the technology stack that could actually implement your use case and not the other way around. So as a technologist, as Sean said, the use case comes first, right? And yes.
Eric Hanselman
Well, again, it's something where you're trying to innovate and really get outside of traditional thinking, being able to get out and play. And again, a great environment in which open source gives you the tools to be able to do that with -- by minimizing risk.
Thomas di Giacomo
You explore. Exactly.
Eric Hanselman
Well, this has been great. I appreciate all the insights. It's been great to be back here at SUSECON and thanks for being on the podcast.
Thomas di Giacomo
Thank you. Thank you for running here at SUSECON and it was a pleasure having that discussion with you.
Eric Hanselman
Thank you. And that is it for the episode of Next in Tech. Thanks for staying with us. And thanks to our production team, including Sophie Carr, Gary Susman and [indiscernible] on the marketing and events team and our agency partner, the One Nine Nine. Please keep in mind that statements made by persons who are not S&P Global Market Intelligence employees represent their own views and are not necessarily the views of S&P Global Market Intelligence. I hope you'll join us for our next episode where we're going to be dipping back into the metaverse. Join us then because there's always something Next in Tech.