There are some business and IT leaders who will point to the billions Microsoft is investing in ChatGPT and question whether open source has the power to do similar things. Per Ploug, the open source tech lead at Spotify, thinks it does. Open source builds up a huge amount of innovation and knowledge over time, he said, and that knowledge is now being commoditized.
As an example, Ploug points to an artificial intelligence (AI)-based open source image generator tool. “You don’t have to be a machine learning PhD to understand this tool, but it represents a huge amount of innovation,” he says. The tool effectively combines AI knowledge from the open source community into a simple command that any user can run from a Linux terminal.
Business and IT leaders will also point to the security failings of open source.
Ploug was part of an IT security team that managed the Log4j vulnerability. “I think it’s interesting to see how these poor maintainers, who are spending their spare time on this project, are overwhelmed by security companies and big enterprises yelling at them for not being able to handle this quickly,” he says.
People maintain open source code in their free time out of passion, because they love to do so. But, says Ploug, “the expectation that people act out of emotion is part of the problem with open source”.
Large enterprises using products affected by the Log4j vulnerability had no idea where the vulnerable Java logging library was deployed. “They didn’t even know how to fix it themselves because it was something they took off the shelf,” Ploug says.
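The inventory gap described here is answerable before an advisory lands. The following is an added example, not code from the article or from Spotify: it walks a directory tree, opens every Java archive (including jars nested inside .war/.ear files, where log4j-core usually hides) and records each copy of log4j-core with the version read from its bundled Maven pom.properties. The sample .war it builds is constructed for the demonstration and is not a real artifact.

```python
# Added example (not from the article): inventory log4j-core under a directory
# tree, including jars nested inside .war/.ear archives, to answer "where is it deployed?"
import io
import os
import zipfile

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
CORE_PREFIX = "org/apache/logging/log4j/core/"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = CORE_PREFIX + "lookup/JndiLookup.class"

def inspect_archive(data: bytes, location: str, findings: list) -> None:
    """Record log4j-core found in one archive; recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container (corrupt file or a stub); skip it
    names = zf.namelist()
    if any(n.startswith(CORE_PREFIX) for n in names):
        version = "unknown"
        if POM_PROPS in names:  # Maven metadata bundled by the build
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        findings.append({"location": location, "version": version, "jndi_lookup_present": JNDI_CLASS in names})
    for n in names:  # shaded jars and WEB-INF/lib carry further archives inside
        if n.lower().endswith(ARCHIVE_EXT):
            inspect_archive(zf.read(n), f"{location}!/{n}", findings)

def scan_tree(root: str) -> list:
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    inspect_archive(fh.read(), path, findings)
    return findings

def build_sample_war() -> bytes:
    """Constructed sample, not a real artifact: a .war bundling a log4j-core jar."""
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as z:
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
        z.writestr(POM_PROPS, "version=2.14.1\nartifactId=log4j-core\n")
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core.getvalue())
        z.writestr("WEB-INF/lib/broken.jar", b"not a zip")  # exercises the skip path
    return war.getvalue()
```

Run `scan_tree("/opt")` (or wherever applications are installed) on a host; each finding's `location` uses `outer!/inner` notation so nested copies can be traced back to the deployable that carries them.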
He says many companies haven’t taken the time to understand how it actually works, claiming that “they’ve blindly swallowed it”.
Ploug added: “I think we need to be more thoughtful about how we use these things and actually understand the technology.” In doing so, he says, enterprise users who deploy such open source technologies will not only have a better understanding of how they are affected by a vulnerability or bug, but will also be in a better position to fix the problems themselves.
“When you use open source code, you should start training your staff and start contributing to these projects,” he adds.
It is not yet common practice for companies to financially support the open source projects they use. Ploug would like to see more companies that use open source provide financial support for those projects.
Looking back at open source security issues, Ploug doesn’t believe the software supply chain model applies to open source. Because maintainers of open source code are not being paid, they are not suppliers, he says. “You don’t have a supply chain.”
By sponsoring projects, or developing the technical knowledge needed to directly support maintainers, enterprise users have a way to reduce risk and protect those mission-critical applications that rely on open source components.