Stefano Maffulli: An Exploration on Standards for Open Source Packaging and Distribution

Scarf Sessions is a new stream where we have conversations with people shaping the landscape in open source and open source sustainability. This post will give a recap of the conversation Scarf CEO, Avi Press and I had with our guest Stefano Maffulli.

Stefano is the Executive Director of the Open Source Initiative(OSI) and a long time advocate of open source. He joined us to discuss standards that should exist around open source packaging and distribution. He also talked more in depth about what the OSI is currently up too.

For the full interview please see the video posted on our YouTube channel.

Stream Recap

How or why did Avi and Stefano first connect?

Stefano reached out to Avi after reading the NewStack article Where Does Open Source Fit into Russias War with Ukraine?.

The article quoted Avi, who talked about how Scarf was able to leverage its distribution data to uncover who was downloading and using our packages. Scarf noticed the Russian government was downloading some of its packages and moved to block the traffic.
Scarf will be blocking all package and container downloads originating from Russian Government sources until further notice.

Stefano was excited to see a tool that maintainers could leverage and feel empowered to stop bad actors using their software.

Stefano: "As maintainer of a project or as a developer of some open source software, you have no ways of limiting the nasty usage of your software. It feels like you have no way to empower, you know, using your powers to say, look, I don't want my software to be used for nefarious purposes.

"And, that's why, you know, while we were having these conversations about whether the open source movement can have a say to help populations that are being attacked by an oppressor. That's how you and I met."

What can open source developers do about bad actors?

Both Avi and Stefano agreed this was a complicated topic. What kind of powers do maintainers have?

Open source software is pervasive but what tools do maintainers have to stop bad actors?

Stefano: "We feel like we must use the tools that we know how to use, which is our licenses and, copyright and contract law."

Stefano also mentioned that the current tools developers rely on are not powerful enough because for example bad actors are not going to obey the law.

Stefano: "On one hand, you enable dissidents with strong encryption. Yyou enable free speech.
On the other hand, you also empower terrorist organization to go, you know, behind the surveillance. So I think a lot of the conversations that I hear about the, role of developers in civil activism is relying on tools that are not really powerful enough in my opinion, like contract law or copyright."

However distribution data is another tool maintainers could use.

You dont have to do business with people who you dont politically or socially agree with. And distribution seems to be one of those areas where we actually can give open source projects and maintainers a bit more leverage over their own work.- Avi Press

Maintainers can also be creative with how they block the usage of their software. Many maintainers and open source communities stop bad actors by refusing to provide support.

Open source is about collaboration but you can pick and choose who you collaborate with. - Stefano Maffulli

How do you see distribution playing a role in any facet of open source?

Avi believes distribution plays a role in every facet of open source.

Avi: "Yeah, I think that distribution plays a role in pretty much every one of these different sections when it comes to things like security. How do we respond to CVEs when we find them? Knowing what organizations rely on a given vulnerable package can make it a lot easier to you know, to do damage control and tell people that they need to upgrade proactively."

"I think when we talk about, how do we make sure that open source developers are building financially sustainable projects or secure projects? It really comes down to having the distribution data. And having observability into that can really enable a lot of these opportunities.

"I think distribution touches just about every aspect of this. And we're really just starting to scratch the surface on kind of the various ways, which this can be powerful. And I think the same thing for all the political activism aspects that we were talking about. This just gives you another tool in the tool chain that you can use to, be creative as was said earlier."

What kind of standards, if any, should exist for open source packaging and open source distribution?

Stefano reiterated that the OSI are the stewards of the open source definition. They dont write it but maintain it for the community. He believes more conversations in terms of the development of standards for distribution should be encouraged amongst stakeholders.

Avi made the point that these conversations are important. For example, many package registries do not require two factor authentication. This means a single person, who has the power to push a new package version to millions of devices overnight, could easily have their password leaked. He reiterated that it is vital for the OSS community to have best practices and standards around these kinds of situations.

What are the latest problems or questions when it comes to licensing, as it pertains to the OSI?

The one thing that has always been fascinating to me is the impact of new technologies on the open source definition. - Stefano Maffulli

The OSI is starting to investigate the impact of artificial intelligence on open source. Stefano talks about how AI is a weird blend of software and data that blurs the line between what users own and no longer own when sharing their content.

Stefano proposes questions like:

• What kind of licenses should be on top of an application that uses AI?
• What is the right of the user and the right of the developers?He reiterates that changes to technology always bring new challenges to existing standards and definitions.

What do you think the next 20 years of open source looks like?

Stefano: Our role in the next 20 years is to continue educating and advocating the benefits of open source and to continue to build bridges so that these open source communities can continue to evolve and thrive around new challenges.

Avi agreed collaboration within open source will help us to continue developing processes and systems that keep open source sustainable and secure.

He mentioned that Scarf is now a sponsor of the OSI.

To that end, we encourage others to consider becoming a sponsor or donating as well. Together we can all work to advocate the benefits of open source for the next 20 years and beyond.