Episode 10

Managing Risks and Opportunities in Open Source with Frank Nagle & David A. Wheeler


24 July 2020

48 mins 40 secs

Your Hosts: Kate Stewart | Sean Goggins | Georg Link

Special Guests: Frank Nagle & David A. Wheeler




Show Notes

[00:02:40] We start off on the topic of metrics that are useful for identifying what’s going on in a Software Configuration Management system. David explains what such a system is and whether there’s a difference between building software and deploying it. He also covers how to decide which components you’re going to bring into your overall system.

[00:07:55] Kate wants to know how much hidden dependencies contribute to the risk of using Open Source projects, and whether we see things people aren’t expecting. Sean asks if there are high-profile cases where folks did not manage those dependencies well and bad things happened.

[00:14:09] Sean wants to know what kind of metric might help identify the kind of programmer error that results in malicious code being introduced into a project, and whether there are other ways we could measure the existence of that phenomenon. The CII Best Practices Badge is discussed here.

[00:16:38] Kate mentions a survey that came out late last year of the most popular software, in which some top packages were identified through analysis of data from scanners and other sources. Of those packages, how many have badges? Frank tells us about the analysis he did and the results (report linked below).

[00:19:45] Sean talks about things he’s observed when it comes to packages and dependencies and which ones are more popular over the course of a project. He wonders if anyone on the panel has started thinking about how to assess things that are within a repository, and what challenges that poses from a metrics perspective.

[00:23:34] License Risk on a project is discussed here by Kate and David.

[00:28:09] Sean wants to know, if he’s creating an Open Source software project and he Googles “Open Source Software licenses,” whether he’s in a pretty safe space or whether there are other licenses pretending to be Open Source. David tells us where to look to find out.

[00:29:32] Frank tells us which of the metrics and topics they’ve discussed he sees as significant for both economic impact and the future of work.

[00:33:53] Sean asks, in regard to Frank’s survey, what kinds of things he is looking to measure that can’t be measured with trace data from a repo.

[00:36:39] Georg asks Frank if he has any early insights from the survey that might be interesting.

[00:39:02] David and Frank tell us places you can check out to learn more.


  • [00:40:28] Kate’s picks are to check out Software Transparency reports and Allan Friedman’s session at RSA, “Taking Control of Cyber-Supply Chain Security.”
  • [00:41:26] Georg’s pick is the OSI/Brandeis course on Open Source communities.
  • [00:42:36] Sean’s pick is a Covid-19 streaming binge of “Hanna” on Amazon Prime.
  • [00:43:08] David’s picks are his website, DWheeler.com, and a website that Cloudflare put up called “isbgpsafeyet.com.”
  • [00:46:44] Frank’s pick is a working paper that was just released called “Open Source Software and Global Entrepreneurship.”


  • Frank Nagle Twitter
  • Frank Nagle Website
  • David A. Wheeler Twitter
  • David A. Wheeler Website
  • CII Best Practices Badge Program
  • “More Than a Gigabuck: Estimating GNU/Linux’s Size” by David A. Wheeler
  • Reproducible Builds
  • SPDX License List
  • Core Infrastructure - Preliminary Report and Census II of Open Source Software
  • OSI-Brandeis course on Open Source Technology Management
  • Hanna - Amazon Prime
  • Is BGP safe yet?
  • “Open Source Software and Global Entrepreneurship” paper by Frank Nagle, Nataliya Wright, and Shane Greenstein
  • NTIA Software Component Transparency
  • Allan Friedman’s session at RSA, “Taking Control of Cyber-Supply Chain Security”
