2020 fundamentally changed how many companies and teams work—seemingly overnight, remote-first cultures became the new norm and people had to change how they communicate and collaborate. However, for those of us who have been deeply engaged in open source, remote work has been our norm for many years because open source communities are large, globally distributed, and require effective collaboration from developers around the world. We’ve had ample time to create and refine many digital-first practices.
It’s no surprise that open source adoption and usage grew significantly this year. New data from GitHub’s 2020 Octoverse report shows there were over 60 million new repositories created this past year, and more than 56 million developers on GitHub. When people had to stay home, developers came together to find community and connections through open source. And though open source developers had a lot of established remote practices, this year challenged companies of all sizes to integrate their open source software experiences and development models in new ways, bringing new learnings as a result.
We wanted to share four places where Microsoft is learning from and growing our engagement in open source over the last year that we hope can be useful for any developer or team looking to build and collaborate in 2021.
Success in open source is just as much about your own contributions to the community as it is about what you learn from the community. Behind every pull request, issue, and code snippet, is a person. It’s important to connect with them—to listen, learn, and empathize with them. They offer a different perspective and feedback that your team may not be thinking of.
I hear conversations in meetings (one of the new virtual hallways) about making sure we get feedback from industry users who are well outside the Microsoft faithful. With this new feedback, I hear a collective sound of Microsoft’s perspective expanding and our gratitude for the new and different views we are receiving.
One example of community feedback changing our perspective was when the Dapr project received a lot of user feedback requesting a streamlined API to retrieve application secrets. The Microsoft team working on Dapr had not planned that work in the current cycle, but the community made it very clear that this new API would solve a lot of problems that developers were facing.
The Dapr maintainers worked closely with community members who submitted multiple PRs to add this functionality, covering everything from code to documentation to samples. After this was added, we found that customers also picked up this functionality and used it in their Dapr implementation.
This reminded us that listening to community feedback is extremely valuable, and that, given the opportunity, encouragement, and support, community members will contribute the effort to turn requirements into reality.
To help drive Microsoft’s open source efforts, we have an Open Source Programs Office (OSPO), whose goal is to help our employees consume and participate in open source safely, effectively, and easily.
Over the last year, we have heard from more and more enterprise customers—from retailers to banks to auto makers—who are looking to establish similar offices and practices internally. We share and discuss best practices on how to find the balance between setting policy while also empowering employees to do the right thing. While OSPOs will look different depending on your company’s needs, a few common practices we often discuss include creating a cross-functional group, setting clear policies (and making them easy to find and understand!), investing in tooling, and providing rewards and motivation. We’ve shared our guidance and policies and we look forward to continuing to build out our own internal practices, and to share our learnings along the way to help others do the same.
Using open source in your development process has many advantages, including faster time to market, reduced cost of ownership, and improved software quality. However, open source, like any software, has its risks: it can contain security defects that lead to vulnerabilities, and new research shows that security vulnerabilities often go undetected for more than four years before being disclosed. Because open source software is inherently community-driven, there is no central or single authority responsible for quality and maintenance. Source code can be copied and cloned, leading to outsized complexity in versioning and dependencies. Worse yet, attackers can become maintainers and introduce malware.
As more systems and critical infrastructure increasingly rely on open source software, it’s more important than ever that we build better security through a community-driven process. Securing open source is an essential part of securing the supply chain for every company. In 2020, we came together alongside GitHub, Google, IBM and others to create the Open Source Security Foundation (OpenSSF). The group is helping developers with resources to identify security threats to open source projects, providing education and learning resources, and finding ways to speed up vulnerability disclosures. In the coming year, the OpenSSF looks to provide hands-on help to improve the security of the world’s most critical open source projects.
Big companies and big open source projects know that important information has to be communicated broadly and frequently across different channels. Even with this knowledge, Microsoft had to change rapidly this year just as so many other companies did. We no longer had moments of serendipitous interaction where you learn something helpful from bumping into someone in the coffee line, walking with a colleague to a meeting, or waiting with someone for the elevator.
This year, we learned the importance of over-communication, which has long been a hallmark of open source communities. Over-communication is key because uncertainty can be more stressful than either good or bad news.
Take, for example, the Kubernetes project—it has never had an office, and today it has 407 chat channels, which run the gamut from regional user groups to developer discussions about particular technology subsystems. These chat rooms—whether they are IRC channels, Twitter hashtags, Teams, or Slack—*are* the offices of open source projects.
While chat rooms are the new water cooler, they are ephemeral and transient. They are not the new announcement email or documentation repository. In the same way that no one is expected to know what happened in every meeting or conversation in the office kitchen, few people read the history of a chat room when they return to their desk. Understanding how communication has changed, and what expectations are set for each medium, allows internal communication to remain a critical support for a good collaborative culture.
These four investment areas are as important to good corporate culture and health as they are to open source collaboration. We strongly believe that most of the hard (and, by that, we mean interesting) problems of today will take a team or the whole industry to solve. This means we all need to be trustworthy and (corporately) self-aware participants in open source.
A few years ago if you wanted to get several large tech companies together to align on a software initiative, establish open standards, or agree on a policy, it would often require several months of negotiation, meetings, debate, back and forth with lawyers… and did we mention the lawyers? Open source has completely changed this: it has become an industry-accepted model for cross-company collaboration. When we see a new trend or issue emerging that we know would be better to work on together to solve, we come together in a matter of weeks, with established models we can use to guide our efforts.
As a result, companies are working together more frequently, and the amount of cross-industry work we’re able to accomplish is accelerating. In 2020 alone, Microsoft participated in dozens of industry groups, associations, and initiatives—from long-standing established organizations, like the Linux Foundation and Apache Foundation, to new emerging communities like Rust and WebAssembly. This work across companies and industries will continue in the year ahead and we look forward to learning, growing, and earning our place in open source.