ApacheCon 2022: Supply Chain Security and ML Platforms Take Center Stage


Having attended ApacheCon, the annual convention of the world’s largest open source software (OSS) foundation, Hans Dockter, CEO and founder of Gradle, shares key discussion points and insights from the event. This year’s event took place in person in New Orleans with four days of content covering big data, search, IoT, fintech, community, and more.

I had the opportunity to give a keynote on how developer productivity engineering (DPE) benefits open-source communities. It was inspiring to be on the ground for the first in-person ApacheCon since the pandemic. For those who couldn’t join us, here are my key takeaways.

Open Source and Software Supply Chain Security 

The event featured several sessions about open source and securing the software supply chain. For years, open-source foundations have known that it’s in their best interest to help secure the supply chain. Now there’s collaboration and mature discussion about which approaches are best. For instance, there’s a push to employ technologies like blockchain creatively.

Conversations about the Sigstore project, specifically, are on the rise. Sigstore is a Linux Foundation project, backed by Google, Red Hat, and Purdue University, that provides a non-profit service to ease the adoption of cryptographic signing for open-source packages. It aims to improve the security of the OSS supply chain by providing zero-trust guarantees that open-source packages are genuine.

Since its release in 2021, Sigstore has seen rapid adoption; this year, it was officially adopted by both the Kubernetes project and GitHub’s npm packages. In the wake of the presidential executive order to improve supply chain security issued last May, the industry has paid increased attention to this important matter. I expect that to continue.


ML Platforms Are Proliferating Throughout Apache

There were many conversations about Apache Beam, a streaming platform that can create analytics pipelines to train machine learning (ML) models and serves as a platform for ML workflows. The project has really taken off. In fact, at the Beam Summit earlier this year, users from Google, Twitter, Spotify, Adobe, Intuit, LinkedIn, and more discussed the ways in which they’re leveraging the technology.

From an open-source perspective, Apache Beam’s proliferation is significant because, before its introduction, there were limited options for developers who wanted to leverage free software to develop ML applications. Products like PyBrain and TensorFlow dominated the landscape but didn’t solve all problems for all developers. Apache Beam is highly permissive, meaning it gives people who adopt the software free rein over how they use it. This opens new doors for developers to be involved in ML projects and increases developer choice, a value that is endemic to free software.

A Corporate-Open Source Collaboration

The days of open-source communities resisting corporate influence and vice versa are long gone.

The open-source community was at odds with the corporate world for a long time, and vice versa. Only ten years ago, Bill Gates declared that using Linux would destroy the economy. Now Microsoft sells more Linux in its Azure cloud than its flagship Windows operating system, and almost every business has an open-first policy and a platform dedicated to adopting open source. Slowing this acceptance was the claim that open-source software is not secure. But today, there are sufficient processes in place to ensure that open-source code can be safely adopted and governed within secure corporate networks.

There’s a general assumption that dates back to the roots of the open-source movement that most developers are still “purists” fighting against corporate influences and control. The reality, however, is that most project contributions are sponsored by commercial enterprises like Facebook, Google, IBM, Microsoft and VMware. As a result, open-source developers are simultaneously embedded in the corporate world. The evolution towards this reality started decades ago, but not everyone has been ready to admit it until now. That was the ApacheCon vibe.

I also observed the fusion of interests between open-source developers and corporate IT coming from the other direction (i.e., not just open-source developers becoming comfortable with the corporate IT suits, but IT embracing the open-source development model). Historically, corporate investments to harden and generally improve open-source software for use in mission-critical commercial environments were seen by many as benefiting contributors and competitors equally. This was a de-motivating factor among corporate interests in making open-source contributions. Now it feels more universally accepted that the benefits of making original contributions—including building up expertise in a particular project’s software and some potential time-to-market benefits for products that depend on that software—outweigh the potential risk of losing a competitive edge.

In sum, after seeing the way the two communities came together at ApacheCon this year, it’s clear that we surpassed a milestone: two-way collaboration is now openly accepted and no longer taboo.

Transformation with DPE

DPE is the most transformative movement in software development since Agile and DevOps 

In my keynote, I spoke about the emerging practice of Developer Productivity Engineering (DPE). DPE is a data-driven approach to improving developer productivity and the developer experience. It leverages DPE tools like performance acceleration and failure analytics to improve feedback cycle time and failure rate outcomes. 

Based on the reception I received from my presentation and the number of conversations that ensued, there was a notable buzz about DPE and its importance in improving the experience of open-source developers. For example, DPE encourages more contributions to the codebase by simply making it an easier and more pleasant experience to contribute. It also manages expectations for contributors by giving them the data about the developer experience up front, like how long they will have to wait for a project to build and how many tests it will run. By demonstrating things like build activity and quality analytics, DPE ultimately helps companies feel confident in their adoption of OSS projects. 

Open source has clearly been victorious, and I look forward to seeing what it will do with that victory. If ApacheCon is any indication, the coming year will likely involve ongoing corporate collaboration, continued efforts to secure the supply chain, and the proliferation of ML and DPE. I left New Orleans inspired by this exciting time in OSS. For open source, the future is now.
