{"id":5027,"date":"2019-06-20T16:21:59","date_gmt":"2019-06-20T16:21:59","guid":{"rendered":"http:\/\/redmonk.com\/jgovernor\/?p=5027"},"modified":"2019-06-20T16:35:52","modified_gmt":"2019-06-20T16:35:52","slug":"github-satellite-2019-berlin-the-social-code-its-just-dependencies-all-the-way-down-and-up","status":"publish","type":"post","link":"https:\/\/redmonk.com\/jgovernor\/github-satellite-2019-berlin-the-social-code-its-just-dependencies-all-the-way-down-and-up\/","title":{"rendered":"GitHub Satellite 2019 Berlin. The Social Code &#8211; It\u2019s Just Dependencies All The Way Down and Up"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">The keynote at GitHub Satellite 2019 in Berlin last month was a model of crisp story-telling. The comms team did a bang up job. The opening narrative was engaging and emotionally powerful. It asked us to think about our place in the world, our role as collaborators, at a very deep level. It began, as some of the best stories do, at cosmic scale, with a black hole. 
Not just any black hole, but the black hole at the center of the Messier 87 galaxy.<\/span><a href=\"http:\/\/redmonk.com\/jgovernor\/files\/2019\/06\/black-hole.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-5028\" src=\"http:\/\/redmonk.com\/jgovernor\/files\/2019\/06\/black-hole.jpg\" alt=\"\" width=\"601\" height=\"338\" srcset=\"https:\/\/redmonk.com\/jgovernor\/files\/2019\/06\/black-hole.jpg 976w, https:\/\/redmonk.com\/jgovernor\/files\/2019\/06\/black-hole-300x169.jpg 300w, https:\/\/redmonk.com\/jgovernor\/files\/2019\/06\/black-hole-768x432.jpg 768w, https:\/\/redmonk.com\/jgovernor\/files\/2019\/06\/black-hole-702x396.jpg 702w, https:\/\/redmonk.com\/jgovernor\/files\/2019\/06\/black-hole-480x270.jpg 480w\" sizes=\"auto, (max-width: 601px) 100vw, 601px\" \/><\/a><br \/>\n<span style=\"font-weight: 400;\">Doctor Katie Bouman led the team that created the algorithm for Continuous High-resolution Image Reconstruction using Patch priors (CHIRP), and we were honored that she made an appearance at the event. It&#8217;s definitely worth watching the <a href=\"https:\/\/youtu.be\/sGC2rwOiaWc\">official video<\/a> on that score.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">GitHub\u2019s keynote expressed the value of collaboration at scale, particularly the value of telemetry data based on this collaboration. It demonstrated the value of a hosted platform in allowing new approaches to software maintenance and management, for example search and replace (grep and replace) globally, even across different codebases in multiple repos. 
GitHub has been delivering new features at a furious pace recently, and is finally beginning to significantly leverage its incredible data assets based on instrumenting the work of software developers everywhere to create new products and services.\u00a0 <\/span><span style=\"font-weight: 400;\">Key themes in the keynote were global interconnectedness, collaboration, sponsorship and security.<\/span><\/p>\n<h1>What Katie (and a global team) Did<\/h1>\n<p><a href=\"http:\/\/redmonk.com\/jgovernor\/files\/2019\/06\/katie-joined.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-5029\" src=\"http:\/\/redmonk.com\/jgovernor\/files\/2019\/06\/katie-joined.png\" alt=\"\" width=\"600\" height=\"561\" srcset=\"https:\/\/redmonk.com\/jgovernor\/files\/2019\/06\/katie-joined.png 674w, https:\/\/redmonk.com\/jgovernor\/files\/2019\/06\/katie-joined-300x281.png 300w, https:\/\/redmonk.com\/jgovernor\/files\/2019\/06\/katie-joined-480x449.png 480w, https:\/\/redmonk.com\/jgovernor\/files\/2019\/06\/katie-joined-670x627.png 670w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/a><\/p>\n<p><span style=\"font-weight: 400;\">As Doctor Katie Bouman made very clear in her presentation, science is collaborative. Scientific breakthroughs don\u2019t happen in isolation. The image of the black hole was based on the work of scores of people. At a simple level, Bouman said:<\/span><\/p>\n<p style=\"padding-left: 40px;\"><span style=\"font-weight: 400;\">\u201cMy role has been about combining techniques from astronomy and computer science\u201d<\/span><\/p>\n<p>Software isn&#8217;t just eating the world, it&#8217;s eating the universe. <span style=\"font-weight: 400;\">I had been told beforehand that Bouman would feature in the keynote, so I must admit that just for a moment when she appeared on screen I wished she\u2019d been able to make it to Berlin in person. 
Then this happened.<\/span><\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">The complete team who worked on to capture the first black hole picture on stage during <a href=\"https:\/\/twitter.com\/natfriedman?ref_src=twsrc%5Etfw\">@natfriedman<\/a> keynote at <a href=\"https:\/\/twitter.com\/hashtag\/GitHubSatellite?src=hash&amp;ref_src=twsrc%5Etfw\">#GitHubSatellite<\/a> <a href=\"https:\/\/t.co\/jSYf7h5Qu3\">pic.twitter.com\/jSYf7h5Qu3<\/a><\/p>\n<p>&mdash; Anupam Dagar (@anupamdagr) <a href=\"https:\/\/twitter.com\/anupamdagr\/status\/1131468775147081729?ref_src=twsrc%5Etfw\">May 23, 2019<\/a><\/p><\/blockquote>\n<p><span style=\"font-weight: 400;\">We met Andrew Chael, Dr Kazu Akiyama, Sara Issaoun, Dr Lindy Blackburn, Dr CK Chan and Dr Roman Gold. So cool!<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Bouman also then thanked all the open source contributors whose work the team had used. GitHub had analysed its data, based on the projects used such as Numpy, to discover that 21,485 people had contributed to software projects that had been used to create the image of the black hole. 
<\/span><span style=\"font-weight: 400;\">It\u2019s just contributors all the way down.<\/span><a href=\"http:\/\/redmonk.com\/jgovernor\/files\/2019\/06\/numpy-maintainers.jpg\"><br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-5030\" src=\"http:\/\/redmonk.com\/jgovernor\/files\/2019\/06\/numpy-maintainers-1024x768.jpg\" alt=\"\" width=\"600\" height=\"450\" srcset=\"https:\/\/redmonk.com\/jgovernor\/files\/2019\/06\/numpy-maintainers-1024x768.jpg 1024w, https:\/\/redmonk.com\/jgovernor\/files\/2019\/06\/numpy-maintainers-300x225.jpg 300w, https:\/\/redmonk.com\/jgovernor\/files\/2019\/06\/numpy-maintainers-768x576.jpg 768w, https:\/\/redmonk.com\/jgovernor\/files\/2019\/06\/numpy-maintainers-480x360.jpg 480w, https:\/\/redmonk.com\/jgovernor\/files\/2019\/06\/numpy-maintainers-107x80.jpg 107w, https:\/\/redmonk.com\/jgovernor\/files\/2019\/06\/numpy-maintainers-836x627.jpg 836w, https:\/\/redmonk.com\/jgovernor\/files\/2019\/06\/numpy-maintainers.jpg 1200w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/a><\/p>\n<p style=\"text-align: center;\">image above from this <a href=\"https:\/\/twitter.com\/bitandbang\/status\/1131459795138035712\">delightful Twitter thread<\/a> by Tierney Cyren<\/p>\n<p><span style=\"font-weight: 400;\">GitHub had reached out to contributors who, in some cases, until that point had no idea they had helped to underpin CHIRP. I am pretty sure everyone in the Satellite crowd at that point felt like a small yet important part of a far far bigger whole. I did.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">GitHub then announced two new features at this point playing to the contributor insights theme:<\/span><\/p>\n<p><b>Community contributors<\/b><span style=\"font-weight: 400;\"> &#8211; a maintainer can get to know their extended team by looking at Insights in a repo, which will now provide a list of folks that have contributed to the project\u2019s dependencies. 
Whose shoulders is the project standing on?<\/span><\/p>\n<p><b>Dependent repositories<\/b><span style=\"font-weight: 400;\"> &#8211; a feature which provides some signal about the popularity of a package. \u201cUsed by\u201d indicates how many other packages rely on it.<\/span><\/p>\n<h1>Hygiene, Dependency, Currency<\/h1>\n<p><span style=\"font-weight: 400;\">GitHub had made its point about planet scale collaboration. But with so many parties involved, the potential attack surface grows exponentially. That\u2019s a whole new planet scale challenge. The next section of the keynote introduced Shanku Niyogi, GitHub SVP Product, and the key theme for him was security in an age of mass dependencies.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Security at the moment is frankly a bit of a mess. While the package management revolution with tools like NPM and Rubygems has made developers more productive, it also opens up worrying new attack vectors.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Yet another shoe dropped in November 2018 when event-stream, a Node.js module with nearly 2M downloads a week, was <a href=\"https:\/\/blog.npmjs.org\/post\/180565383195\/details-about-the-event-stream-incident\">compromised<\/a>. It was injected with malicious code programmed to steal bitcoins in wallet apps, after the project was taken over by a new maintainer (it was a social engineering attack). The vulnerability specifically targeted a bitcoin wallet called Copay, but it could have been general purpose and far far worse. If it could have been worse, then that means someone will make it general purpose and try the same style of attack again, and it will be worse. Our open source software supply chains are out of control. This was a failure of both governance and code.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">One reason security is currently such a mess is human factors, made more complicated by corporate factors. 
Folks often don\u2019t want to publicly admit their code has a breach, so they can end up in a confrontational stance with people that identify potential breaches, as they look into it and fix the issue. Generally someone that identifies a breach will take it to the maintainer first but state of the art in Common Vulnerabilities and Exposures (CVE) is not good. Bounty programs can help align incentives but the industry needs to establish a standard set of common social and technical protocols to make the vulnerability disclosure discussion easier, with a trusted place to have that conversation.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">With that in mind GitHub introduced a tool for maintainers to <\/span><a href=\"https:\/\/github.blog\/2019-05-23-introducing-new-ways-to-keep-your-code-secure\/\"><span style=\"font-weight: 400;\">create security advisories<\/span><\/a><span style=\"font-weight: 400;\"> (now in beta), which could begin to shape a standard format over time. Importantly this tool also creates a private space to bring together researchers, maintainers, developers, and security teams before publishing.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Jessie really likes this feature:<\/span><\/p>\n<p>https:\/\/twitter.com\/jessfraz\/status\/1131569352069865472<\/p>\n<p><span style=\"font-weight: 400;\">Once a vulnerability is published, GitHub could offer services such as scanning repos and notifying maintainers. To that end GitHub also announced a partnership with White Source on vulnerability libraries. GitHub Dependency Insights offers an overview of the security state of your dependencies, and also license information. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">Things get useful with automation and GitHub had news on this score, with the acquisition of Dependabot, also announced during Niyogi\u2019s keynote. 
Dependabot automates dependency updates for Ruby, Python, JavaScript, PHP, .NET, Go, Elixir, Rust, Java and Elm apps.\u00a0<\/span><span style=\"font-weight: 400;\">GitHub can now not only scan for vulnerable dependencies, but also automate the security fixes that rectify them. Dependabot monitors your code for dependencies and then automatically creates pull requests to update your libraries to required versions. Currency is one of the most important factors in improving code security, so this tuck-in acquisition is very welcome. This kind of good hygiene is so important with modern code with many dependencies. It\u2019s like having GitHub continuously flossing and brushing your teeth for you. GitHub already had some related functionality &#8211; for example token scanning, ensuring developers don&#8217;t leave authentication tokens in their code.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Another interesting possibility would be for a maintainer to have a button to ask GitHub for help with a vulnerability, with code-savvy security architects acting like on-call SREs to help people deal with issues. The great majority of developers aren\u2019t security specialists, so GitHub could do a lot to help out if a CVE was found in a library that a lot of important projects relied on. This was not announced at the show, but it would make for a really useful service.\u00a0<\/span><\/p>\n<h1>Sponsorship and The New Patronage Economy<\/h1>\n<p><span style=\"font-weight: 400;\">The last major strand of the keynote came in a great presentation by Devon Zeugel, introducing the new GitHub Sponsors platform, kind of like a Patreon for developers. 
I wrote about this kind of model <\/span><a href=\"https:\/\/redmonk.com\/jgovernor\/2017\/07\/25\/the-new-patreon-economy\/\"><span style=\"font-weight: 400;\">here <\/span><\/a><span style=\"font-weight: 400;\">&#8211; obviously a tip jar isn\u2019t going to pay the bills for most developers, and it won\u2019t offer US healthcare insurance &#8211; but anything that reduces friction in making payments to developers looks like A Good Thing. Some projects could be self-sustaining; some developers have huge followings. For now the program is in a limited beta &#8211; anyone with a GitHub account can sponsor anyone with a prequalified Sponsored Developer account, with recurring payments.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">To my mind one of the most interesting facets of the product development is that the payments are managed by Stripe, which has some sophisticated multi-payment systems designed expressly for \u201cGig economy\u201d platforms and users. I am not a fan of the gig economy term in general, in that it can be used both to describe very well-off people taking advantage of digital platforms, and less well-off people being taken advantage of by digital platforms. On the whole though software developers are reasonably well paid, and there is a structural difference between a developer getting paid and an Uber driver getting paid for their work. The Sponsors function will become more interesting as we see, for example, corporate accounts, where a bank, insurance company or retailer can easily pay a developer, or set of developers, that maintain a library or project they rely on. The nature of the firm is always up for grabs.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">A nice touch is the GitHub Sponsors Matching Fund, which matches up to $5000 per sponsored developer in their first year of sponsorship. 
One major concern is that network effects are going to network effect, power laws are going to power law &#8211; that is, a vanishingly small proportion of developers are going to take the vast share of sponsorship money, unless this is very very judiciously managed by GitHub. \u00a0<\/span><\/p>\n<h1>The Friedman Effect<\/h1>\n<p>In closing I think it&#8217;s worth talking a bit about Nat Friedman himself, who took the reins as GitHub CEO last October. He has made a substantial difference to GitHub in a short space of time, most visibly and importantly in his, and now the company&#8217;s, bias to shipping. GitHub&#8217;s culture was already changing as he arrived. The company had just shipped Actions, an important new capability, but Friedman took that momentum and added more velocity. A company that rarely seemed to ship anything now ships useful new functions pretty much every week. It was instructive that in the weeks preceding Satellite GitHub shipped a few cool new things &#8211; such as notifications for gists, and GitHub on the go, improving the mobile experience. Employees seem energised by the change. Developers certainly are. Picking up the pace of development was particularly important given the pace of product development at GitLab, with its monthly release cycles, and strong sales execution.<\/p>\n<p>Friedman is also hiring well &#8211; to supplement an already strong talent base. Niyogi brings a wealth of experience with him from Microsoft and Google Cloud. I also found out at Satellite that GitHub is hiring Erica Brescia to run operations &#8211; she&#8217;s a very smart, likable operator, having sold her last company Bitnami to VMware.<\/p>\n<p>Friedman is a nerd, he&#8217;s one of us, and he has been in the open source trenches for years. GitHub is going to continue moving ever more quickly. 
One of the toughest jobs for Friedman will be managing the balancing act of turning GitHub into a broad platform, while sustaining an ecosystem of partners while it also competes with them. But shipping new features is definitely no longer a problem.<\/p>\n<p>&nbsp;<\/p>\n<p>Here&#8217;s a bonus video of my thoughts from GitHub Satellite.<\/p>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class='youtube-player' width='640' height='360' src='https:\/\/www.youtube.com\/embed\/8NGtv0zpML4?version=3&#038;rel=1&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;fs=1&#038;hl=en-US&#038;autohide=2&#038;wmode=transparent' allowfullscreen='true' style='border:0;' sandbox='allow-scripts allow-same-origin allow-popups allow-presentation'><\/iframe><\/span><\/p>\n<p>GitHub and GitLab are both clients. GitHub paid for my travel and expenses to Berlin.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The keynote at GitHub Satellite 2019 in Berlin last month was a model of crisp story-telling. The comms team did a bang up job. The opening narrative was engaging and emotionally powerful. It asked us to think about our place in the world, our role as collaborators, at a very deep level. 
It began, as<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","footnotes":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[1],"tags":[454],"class_list":["post-5027","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-github"],"jetpack_featured_media_url":"","jetpack_publicize_connections":[],"jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9wfjh-1j5","_links":{"self":[{"href":"https:\/\/redmonk.com\/jgovernor\/wp-json\/wp\/v2\/posts\/5027","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/redmonk.com\/jgovernor\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/redmonk.com\/jgovernor\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/redmonk.com\/jgovernor\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/redmonk.com\/jgovernor\/wp-json\/wp\/v2\/comments?post=5027"}],"version-history":[{"count":0,"href":"https:\/\/redmonk.com\/jgovernor\/wp-json\/wp\/v2\/posts\/5027\/revisions"}],"wp:attachment":[{"href":"https:\/\/redmonk.com\/jgovernor\/wp-json\/wp\/v2\/media?parent=5027"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/redmonk.com\/jgovernor\/wp-json\/wp\/v2\/categories?post=5027"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/redmonk.com\/jgovernor\/wp-json\/wp\/v2\/tags?post=5027"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}