ConversingLabs: Who Will Maintain Open Source's Future

In this episode of ConversingLabs, host Paul Roberts interviews Abigail Cabunoc Mayes, who is responsible for Open Source Maintainer Programs at GitHub – the world’s leading development platform – about the uncertainty of open source’s future. This uncertainty is caused by a steady decline in Gen Z maintainers, which presents a major software supply chain security risk. Abigail explains how in order to welcome and retain young maintainers, the OSS community must understand the perspectives of Gen Z, and ensure their needs are met. She will also walk through actions that the community can immediately take to address this growing uncertainty.

EPISODE TRANSCRIPT

Paul Roberts: [00:00:00] Hey there everybody, and welcome back to another episode of the ConversingLabs podcast. I'm your host, Paul Roberts, and I'm the director of editorial and content here at ReversingLabs. And today with us in the ConversingLabs studio, I'm thrilled to have with us Abby Cabunoc Mayes, who is responsible for the open source maintainer program at GitHub, and I guarantee you know what GitHub is, it's one of the world's leading development platforms.

Abby, welcome. 

Abigail Cabunoc Mayes: Thank you. Very excited [00:01:00] to be here. 

Paul Roberts: Yeah, so we're gonna be talking really about the future of open source in some ways, and some of the challenges that are facing the open source community from continuing the great work that's been done over the last 30 or 40 years. Before we get going though, for folks who aren't familiar with you or don't know of you, just talk a little bit about yourself and the work that you do there at GitHub. 

Abigail Cabunoc Mayes: Yeah my name's Abby. I'm based in Toronto, Canada. It's getting a little bit chilly here, which is nice after a hot summer.

Paul Roberts: Leaves turning. Are the leaves turning? 

Abigail Cabunoc Mayes: Not yet. Soon, I think we'll see. Yeah. Are they turning there in Boston? 

Paul Roberts: Not yet. Not yet. 

Abigail Cabunoc Mayes: Okay.

Paul Roberts: Yeah.

Abigail Cabunoc Mayes: Well soon-

Paul Roberts: been too warm.

Abigail Cabunoc Mayes: It'll be beautiful. 

Paul Roberts: Yeah. Trees haven't gotten a message, but they will soon. 

Abigail Cabunoc Mayes: Soon. Yeah. It's September. It has a bit of time.

But I run open source maintainer programs at GitHub and I actually started my career at a cancer research institute. So I was writing software for scientists and my grandmother had passed away from cancer. So this is really meaningful work for me. And [00:02:00] when I was there I saw how incredible open source was for innovation.

Like scientists in Japan were collaborating with researchers in the UK and that was all because of some tools that I was writing in the open. So that's where I really saw the power of open source. And then when Mozilla launched Mozilla Science Lab, I went over there just to help. More scientists do open source.

And slowly my role shifted to the broader open source ecosystem, 'cause I do think open source is the best way that we can innovate and make the best discoveries that we can for our world. And now that's brought me to GitHub, where I can actually work with maintainers every day and make sure that we're solving the problems that they really need right now.

And a big one right now is the graying of open source and this need for the next generation. 

Paul Roberts: Yeah. So one of the things that kind of got you on ConversingLabs' radar was this really pretty thought provoking blog post that you wrote for GitHub "Who will maintain the future?" [00:03:00] And rethinking open source leadership for new generation.

One of the things you pointed out was data from this maintainer survey that this organization Tidelift did, that just showed that the population of open source maintainers is aging rapidly. It's more than the percentage of maintainers age 46 to 65 is doubled just in the last four or five years.

And at the same time the percentage of maintainers at a younger age, kind of 20, 26 or younger has shrunken. What put that on your radar? Is that something that you have observed directly at GitHub? Talk just a little bit about that research and also what your thoughts are.

Abigail Cabunoc Mayes: Yeah, it's something that I've been seeing over the last few years, but reading that research really, I didn't know it was that bad, just seeing the numbers.

It's oh, that's a really big drop in young contributors. And it really hit home to me because when I was a student in university, I had joined this campus club and I was one of [00:04:00] two first year students that showed up at the first meeting that year. Everyone else was like third year or fourth year, and like that club was great.

Some of them are still my friends today. Shout out to Lemar Glau. But in the next few years, all of the people that were leading the club had graduated and then I had to step up and looking back, I really wasn't ready for it. And it was a lot of work getting new people in. And one of my big focuses after that first year where I was the only one of two who joined, I realized we needed to make sure first year students were joining so that the club can just keep continuing over the years.

So I'm seeing that happen in open source today where graying isn't inherently bad, but you know, life changes. People start families. They can't do their open source as much anymore. They're retiring, and the problem is we don't have the next generation coming in, and that's what the numbers are showing us.

The next generation isn't stepping up. So yeah, I wrote this blog post just to start thinking about what we could do about that. 

Paul Roberts: Yeah. Yeah. And [00:05:00] this is an issue that many organizations face, right? Many industries face as well. Based on the work that you do or you've done at GitHub working with maintainers, do you see the consequences of this actually playing out of this sort of like you were saying, this sort of aging of the maintainer population and also corresponding with that, a lack of engagement investment from folks who are younger and more able to contribute?

Abigail Cabunoc Mayes: Yeah, I'd say one of the number one concerns I hear is about burnout. So many maintainers are just overworked and they're just unable to keep up with everything that's going on. They get burned out and then there's no one to step up and there's no one to help share the load in the first place. So that's a big one. But also like retiring, that's a big one. And just aging generally. 

Paul Roberts: It's interesting because if you look back at the open source movement, going back 30 years, you know what have you, it was really fueled by young-

Abigail Cabunoc Mayes: Yeah.

Paul Roberts: [00:06:00] Engineers, software developers. And in some ways it was a way to get your career started, right? You could contribute to open source projects and that would hone your skills. Also give you a network that you might use professionally as you went out, looked for jobs, is something you could point to and say this is evidence of the work that I've done. Did this code update to this project, or I'm a maintainer here.

Does that dynamic- I mean, we're gonna, we'll talk about AI and stuff, obviously the software development field and profession is changing as we speak. But that's recent. Is that dynamic changing, do you think of what, how younger people are coming into software development as a profession?

Abigail Cabunoc Mayes: And I think the opportunity is still there for younger people to come in and make their name in open source. I think sometimes it's a little bit harder because a lot of open source is more established, so contributing to a big project is a bit intimidating. But one thing that I put in the blog post was an exercise that I did with Mozilla for a long time is personas and pathways where I encourage projects to think of personas to represent [00:07:00] the diversity that they wanna see in their project, the diversity of contributors they wanna see in their project.

Taking that idea, let's think about what the Gen Z persona looks like and what research says about Gen Z. And it was interesting how a lot of them are digital natives, very aware of like how to do things and how to code often. But they're a little bit wary of just completely open platforms.

So they prefer things like Discord where it's like a little bit gated and they can experiment without fear of being cringe or, yeah, being too exposed and open source very much has this mindset right now of oh, just try it. Just jump in. And contribute. But that's often a little bit too high of a bar for the average Gen Z person right now based on what we've seen with the research.

So things like mentorship or just more sandbox spaces could make a big difference there. But yeah, we are seeing less Gen Z, but I think it's more of us not- how to phrase this, but [00:08:00] yeah, like they're not as aware of open source and they're not, there isn't an easy onboarding for their generation compared to ours.

Paul Roberts: And in some ways the processes and structures that exist were created by like Gen X people, like myself, and with a different- and using different technologies with different capabilities, right? Things like Discord did not exist, 25, 30 years ago. But today they do, and there is so much you can do with those.

But yeah, that would seem to be a problem is needing to bring those in line with the types of experiences and online communities that younger people are accustomed to. Let's talk about one of the big challenges I see is just the huge number of legacy open source projects that are out there that need help, could use new young people.

And we saw this play out from a security standpoint with XZ Utils, right? Hugely important, encryption program, [00:09:00] single maintainer really burned out and was able to get manipulated by malicious actors who, who got maintainer level access to that project. Yeah. Fortunately it got snipped out early, but underscored this same, this dynamic that you're talking about, is there a way to get younger people interested, not just in some new cool project, but in all of these legacy projects? And if not, what do we do?

Abigail Cabunoc Mayes: Yeah, what I've seen work is some of the bigger projects, they have mentorship programs and they have, they've built sandboxes. They do a lot of outreach to universities. I think things like that work. But the problem is for a lot of these overworked and burnt out maintainers, they don't have the time to set up a formal mentorship program or even just mentor the people that do come along. So a lot of what I've been thinking about is how can we help this next generation onboard to open source without burdening the maintainer more?

Because the solutions that I see work, it's the maintainer doing more things to make their project more welcoming to Gen Z. But I don't know [00:10:00] how we get Gen Z involved in projects where the maintainer's just too overworked to make easier pathways.

Paul Roberts: So when you spoke at the Open Source Summit, you introduced this idea of this kind of persona that you called Sam. Of a, kind of Gen Z coder. And what Sam would be looking for if they were to get involved in, an open source project, what might be an incentive for them and what their priorities might be, and also their limitations. Talk a little bit about Sam, who they are and what it would take to get them more engaged in the open source community.

Abigail Cabunoc Mayes: Yeah, and Sam was based on a lot of the published research on Gen Z. So there's some studies from Deloitte, McKinsey that I was looking at, and for a real project, maybe you should base this on some real people, but the research is pretty good too. But Sam is 23, Gen Z, they/them, self-taught on YouTube, wants to contribute to climate tech, but is a little bit intimidated by [00:11:00] repos and how open source works generally. And this is something I saw in the research where a lot of Gen Z was self-taught on platforms like YouTube. And they were also very purpose driven. So they wanted like a big mission. They wanted to understand the mission of the project and be a part of that. Which is something I've seen over time, but it's more-

Paul Roberts: Which is an amazing quality by the way. Yes. Yes. Very much needed.

Abigail Cabunoc Mayes: So I think making little tweaks, like making the mission of your project really prominent on your README or if you are talking about that project do you think try out like a video format?

'Cause if Sam's learning how to code on YouTube, if they see a little ad or a little clip that might introduce 'em to your project. But yeah, leading with purpose, adding some visual media and then just making it clear how that open source project works, because every project's a little bit different.

So understanding like the- having clear contributing guidelines, they understand where they can contribute and how decisions are made. 

Paul Roberts: And compensation. Let's talk about compensation.

Abigail Cabunoc Mayes: Yeah. Yeah. [00:12:00] Yes. That was a big thing in the research. 

Paul Roberts: Yeah. So one thing about Gen Z is they got a lot more debt than previous generations, and they got a cost of living that's probably higher than any generation in recent memory. So compensation matters a lot, but traditionally has not been a part of the open source formula. So yeah, talk about that. 

Abigail Cabunoc Mayes: No, I definitely agree and I think the research showed, I can't remember the exact percentage, but most of Gen Z was living paycheck to paycheck.

So compensation is really needed for them to have the bandwidth to contribute to open source more meaningfully. So I've seen a few experiments where projects will send little stipends to contributors, which works really well. But if you can contract out a little bit of work, I think that would make a big difference for Gen Z.

Paul Roberts: The other thing that you talked about in your Open Source Summit was this kind of framework called the mountain of engagement, which, really interesting. It sketches out and thank you for doing this. It sketches out this path, really [00:13:00] for a potential Gen Z contributor to follow from, introductory types of experiences up into the kind of maintainer level.

Talk just about what that work looks like and what you think a good way to operationalize that might be. 

Abigail Cabunoc Mayes: Yeah and this is a framework that I developed with some colleagues at Mozilla. And I found it so useful. I've brought it with me to GitHub. But really it sketches out a pathway from how a person first hears about a project, so first discovers it, all the way up to leadership and like potentially maintaining that project. So discovery could be they saw a clip on TikTok or they heard about it at a conference. It's another thing we're seeing less Gen Z at in-person conferences. So thinking about, yeah- so thinking about like, where do you wanna advertise your project to reach this new generation is really important. But then you need to think about this step-

Paul Roberts: Not on 60 minutes.

Abigail Cabunoc Mayes: Yeah, it's true. And then also they're not looking at GitHub trending, which I thought was really interesting. But how do they get from [00:14:00] first hearing about that project to actually contacting you? So usually that's because they're excited about what it's doing. So that's why it's so important to lead with that mission or that purpose.

So for Sam if they see a climate tech project using a language that they know that would make them that much more likely to go into first contact, and then knowing how to actually contact someone from the project. You can drop a link to the Discord. Or, here's our README, or say Hi at this meetup.

So making it clear how someone can first contact you is really important. From first contact, how do they actually participate? When do they start making issues? When do they start actually showing up to meetups and participating? And traditionally, I think it's still true for Gen Z, it's like just being clear about how to participate. So having that good contributing guidelines, having some good first issues involved is really important. For Gen Z specifically, it's really leaning into that purpose driven work and maybe even offering a bit of mentorship since it is a big [00:15:00] barrier for them to jump into something so open. Often, it's their first time doing something that openly, so mentorship can help or providing that like smaller Discord space or that smaller closed space where they can participate a little bit. So this is, we're halfway up the mountain. I hope you're still with me. But once they're participating-

Paul Roberts: Keep going.

Abigail Cabunoc Mayes: How do they keep on participating? And traditionally, this is definitely still true for Gen Z, it's that recognition. So making sure that you're actually thanking people. A simple thanks goes a long way. And, from the volunteerism research. I think, I can't remember the stats. I should have looked up stats before I came on this podcast, but-

Paul Roberts: Don't worry about it.

Abigail Cabunoc Mayes: Having a thanks from someone that's part of the project. A thanks and a personal invitation makes 'em far more likely to keep on participating and to keep involved in the work. And then even connecting that work to the mission, especially with Gen Z, if you can show them that, Hey, this bug that you fixed will help us fix climate [00:16:00] science. I can't think of a better solution there, but some way to connect to their tiny piece that they contributed to the bigger mission makes them far more likely to come back and just keep contributing. So once they've reached, sustained participation, I find this next step is the one I'm most interested in.

It's networks participation. So when do they start inviting others into the group? And that's where you really unlock a lot more growth in your project. If you can really get people in the project that are like multiplying themselves and inviting others. So that could be starting some sort of mentorship program.

So then they're becoming mentors and bringing others in, or having some sort of like new contributor hackathon where they're encouraged to bring their friends. But just encouraging people to bring others in, very important.

Then the last one's leadership. And that could be anything from running a meetup to running the entire project. And that, I think is where compensation is so important. If someone has a leadership role in your project for Gen Z, compensation makes a really big difference in their ability to step into that [00:17:00] role. Otherwise, it's, they may not have the bandwidth. 

Paul Roberts: The data point, I think, 86% of Gen Z workers prioritize mentorship and skill development. That was from the Deloitte survey. It is really interesting 'cause I think maybe at a high level, when people think about, the open source contributors- it's a you're a sole contributor, you're doing your work and Yeah, you're part of this larger group, but it's self-driven and, obviously self-funded. Generationally though, Gen Z very different. They want the mentorship, they want the engagement, they wanna be part of a larger group. And like you said, cause.

Abigail Cabunoc Mayes: Yeah.

Paul Roberts: That is a meaningful and substantial shift, really. I'd say from what we saw maybe 20 or 30 years ago. 

Abigail Cabunoc Mayes: Yeah, I agree.

Paul Roberts: Yeah. So what can an organization like GitHub do, either from a platform standpoint or just from a organizational standpoint, to promote- I think your ideas are right on- what can GitHub do to promote them?

And also, organizations like Google [00:18:00] and Meta and others that have been very supportive of the open source community, obviously rely very heavily on open source software, Microsoft as well. And have a lot of resources. What might they do to foster some of the changes that you're talking about?

Abigail Cabunoc Mayes: Yeah, for corporations, I think the number one thing is paying maintainers and getting money to these open source projects.

Paul Roberts: Open your wallet.

Abigail Cabunoc Mayes: Makes a huge difference. Exactly. Yes. Open your wallet. I know GitHub has a GitHub Secure Open Source Fund, where projects get 10K to go through security training bootcamp, which we've seen, I've seen it super useful because it creates both a community of maintainers who can-

maintainers don't often get spaces to talk to each other, I find. So this creates stronger connections so people can support each other and I think it just helps the ecosystem overall. Then they're also just securing the supply chain this way. But programs like that I think we need from corporations.

And promoting these kinds of ideas where for this I've run several workshops with [00:19:00] maintainers on how to use the mountain of engagement, how to think about some personas that you want in your project and walk through that, which projects have found helpful. But, helping maintainers have the bandwidth to implement these things, a lot of times they need a little bit of money so that they have the bandwidth to do that. But they just need that space. Yeah. 

Paul Roberts: So obviously here, ReversingLabs, we're very focused on software security, both from a malware detection standpoint, also software supply chain security, and you and I are talking in a week where we've seen a huge attack targeting, open source maintainers, phishing attack with the goal of putting cryptocurrency-stealing malware in some really widely used open source packages.

What are the lessons from that, and what are some changes that you could see to make maintainers less vulnerable to those types of attacks? Because, now for all of their volunteer work and effort, they're being targeted by cyber criminals and nation-state actors, which just adds to the stress.

Abigail Cabunoc Mayes: Yeah.

Paul Roberts: What's your [00:20:00] takeaway from what happened this week and what changes we might make to protect maintainers a little bit from this type of thing? 

Abigail Cabunoc Mayes: It's tough 'cause it was a series of attacks where it's really preying on the maintainers' wants to be more secure. It's oh, your 2FA, oh come secure this. And they-

Paul Roberts: Yeah.

Abigail Cabunoc Mayes: So it's- 

Paul Roberts: That was the lure, yeah. Strengthen your account. It's ironic but like you said, good maintainers will wanna do that. 

Abigail Cabunoc Mayes: Yeah, and good maintainers wanna do that. They wanna make things secure. They know that there's been a lot of attacks lately in the last few years. But I think it does point to this maintainers just being overworked and burned out.

A lot of them, they see that and they, they don't have the time or the mental capacity to investigate a little bit more. They just see security and then they jump on it. But I think we need to find ways to help maintainers be less overworked and so that they can be more secure. 

Paul Roberts: Do you think some of the open source platforms should be almost pulling those maintainers for those big projects into [00:21:00] almost a separate tier where they're- especially now, where it's listen, you're being actively targeted, you've got huge reach and we need to give you extra support, whether that's monetary or otherwise to help you out? 

Abigail Cabunoc Mayes: Yeah, I think that would be great. I know at GitHub we do have a different tier for like popular projects and they were the first to be flagged into 2FA. Just knowing the importance there. But definitely I think for these popular open source projects, so we need to be supporting them. They're definitely under-resourced often, and, both monetarily, but also just the in-person work that needs to be done. 

Paul Roberts: Yeah. I think this issue around, the future of open source is a super important question to be asking. And so I guess, wrapping up here, I'd ask you with all this kind of good context that you've given us, what are the next steps? What can we do to start bending that curve and, talk five years from now and say, oh, actually we've seen a big uptick in, 20 and 30 something folks getting involved in open source projects? What's gonna get us there? 

Abigail Cabunoc Mayes: Yeah, I think [00:22:00] just starting to try a few of the techniques that might reach a Gen Z audience a little bit better. So try a little bit of video content. I know you might not wanna make a TikTok, but maybe try it, maybe join some Discord communities and talk about your project there instead of just on Mastodon where it tends to be a little bit older. So just try a few things to reach that younger audience. And then when they do come, try to mentor them.

I know you maintainers are burned out, but be selective. Find people who are motivated by the mission of your project. They have the time. Gen Z tends to have a lot more time to, to give, to open source than older generations. And then they're willing to learn from you. So if you find someone like that, take time to mentor them. And I think that'll make a big difference in this curve. 

Paul Roberts: Yeah. In some ways what we see is the tragedy of the commons, right? Of these folks who are, have done all this amazing work, created amazing software that other people use and rely on heavily, but often, don't give [00:23:00] back to the commons. Don't help support it. And the types of things you're thinking about, I think you're totally right with the TikTok videos and just changing the way the messaging. But it almost to me sounds like we might need some large organizations to really get involved in doing that, just collectively, right? To provide the resources and time and effort to do that, to kinda lift all boats, so to speak, 'cause that's what will happen. Yeah. In my mind, we get more developers. Really interesting.

Abigail Cabunoc Mayes: No, I definitely agree.

Paul Roberts: Yeah. Abby, is there anything I didn't ask you that I should have or anything you wanted to say that I didn't give you a chance to say? 

Abigail Cabunoc Mayes: No, this was great. Thank you for having me on. It was a pleasure to chat. Had a great conversation. 

Paul Roberts: Same here. And we'd love to have you on again. I'm super interested in the work that you're doing and I think, again, the problems you're focused on are really important and deserving of our attention. Thank you for the work you're doing. 

Abigail Cabunoc Mayes: Of course. Yeah. Thank you so much. 

Paul Roberts: And thanks everyone for listening. Stay tuned. We've got more ConversingLabs episodes coming up in the next few weeks. And Abby, thanks so much for joining us and we hope to see you [00:24:00] again.