We speak to Spotify’s open source tech lead, Per Ploug, on supplier relationship management in open source
There are some business and IT leaders who will point to the billions Microsoft is investing in ChatGPT and question whether open source has the ability to do similar things. Per Ploug, open source tech lead at Spotify, thinks so. He says an enormous amount of innovation and knowledge is built up over time in open source. This is now being commoditised.
As an example, Ploug points to an artificial intelligence (AI)-based open source image generator tool. “You don’t need to be a machine learning PHD to understand this tool, but it represents a massive amount of innovation,” he says. The tool effectively combines the AI know-how of the open source community into a simple command that any user can run via a Linux terminal screen.
Business and IT leaders will also point to open source’s security failings, however.
Ploug was part of an IT security team managing the Log4J vulnerability. “I think it is interesting to see how these poor maintainers, who are spending their free time on this project, got overwhelmed by security companies and big enterprises yelling at them for not handling this fast enough,” he says.
People choose to use their free time to maintain open source code, out of passion, because they like doing so. But, says Ploug, “the expectation that people work out of passion is part of the problem with open source”.
The large enterprises using products affected by Log4J had no idea where it was being used. They had no idea where the vulnerable Java logging tool exploited by Log4J had been deployed. “Nor did they know how to fix it themselves because it was just something they took off the shelf,” says Ploug.
He says many companies did not take time to understand how it actually works, claiming “they just consumed it blindly”.
Ploug adds: “I think we need to be more thoughtful about how we consume these things and actually understand the technology.” In doing so, he says enterprise users who deploy such open source technology will not only have a better idea of how they are affected by a vulnerability or bug, but they will also be in a better position to fix problems themselves.
“When you consume open source code, you should also start training your staff and begin contributing to these projects,” he adds.
It is still not a common practice for companies to support open source projects financially. Ploug would like to see more companies that use open source offer financial support for such projects.
Looking back at open source security issues, Ploug does not believe the concept of a software security supply chain works for open source. Since the maintainers of open source code are not being paid, they are not a supplier, he says. “You don't have a supply chain.”
By sponsoring projects, however, or developing the technical know-how required to support maintainers directly, enterprise users have a way to reduce risk and protect those mission-critical applications that rely on open source components.