The Who, What & Why of Commercial Open Source [On-demand Session]

Can't see the embedded video above? Click here

Highly available self-hosted open source is like a puppy that needs love and care. Hosting an open-source application that is highly available, well-supported, secure, up-to-date, and easy to use requires significant effort and dedicated staff. For many organizations, an out-of-the-box product is a great solution to solve this problem.

But how do you bridge the gap between free, open-source software and commercial open-source products?

We've assembled a panel of experts that have a close relationship with open source to discuss just that during this on-demand session. These panelists offer a SaaS product with easy setup and 24h support or offer proprietary services built on top of open-source software. In this webinar, we will discuss the following:    

• The benefits of working with an active open-source community
• Why are some customers willing to pay for these services?
• Bridging the gap between free, open-source software and commercial open-source products
• Thoughts on the open-source ecosystem and its evolution

Check out the full session recap from Ciara Carey in her blog post here.

Transcript:
(02:41) Hi, I'm Ciara Carey and Welcome to Cloudsmith's monthly webinar on all things devops and supply chain security and today's topic is the who part where and why of commercial software so before I get started with a few housekeeping notes we have prizes so wait till the end to see if you've won um Hillary our very own Hillary is working behind the scenes checking all the platforms that we're streaming on LinkedIn Twitter Youtube and our webinar platform so if you have any questions

(03:25) please post in and she'll she'll hand them over to me we also are going to be running a poll but don't worry that you can't like click the poll thing you can just use your whatever your platform you're watching us on so again our topic is uh the who hot where why of Open Source commercial so open source in general is incredibly positive when a projects like Debian kubernetes postgres backstage Innovation will be painfully slow I don't think anybody wants to reinvent kubernetes again so bringing these

(04:01) Technologies into your Tech stack is free but it's free like a puppy and they need a lot of Loving Care so it requires a lot of engineering experience maintenance and infrastructure and many companies bridge the gap by facilitating The Innovation and transparency that open source brings without the engineering and infrastructure needed to host and maintain the open source so and they often provide that to like software as a service and we have representatives from two such companies EDB and Roadie and that

(04:34) we'll be talking to today so this is a great time to to bring on our two guests and they are Leticia and David okay great to be here well give yourself I'll give you a bit of an instruction so Leticia is the field CTO in EDB she's a postgres expert and she's named the most influential um person in the database Community this year she's a co-founder of postgres women and she's a contributor to postgres and we have David he's the founder of roadie um which is a SAS uh backstage

(05:20) um backstage is a Open Source service catalog that automatically tracks your microservices and Roadie provides this as SAS and it's the easiest way to get backstage so Leticia I have a few questions for you that's okay yeah sure so how did you get you have like nearly 20 years experience I don't want to hate you or anything and um with the postgres community how did you get started um well I remember that day for all my life uh I was coming back from a maternity leave and it was too difficult to address to all the changes that came

(05:59) when I was not there and my boss came into my office and I'm forced to do it nobody will be interested but there is a DBA job often or opening in our company and like two seconds before I was in his office saying I want that job and um the company needed a personal CBA so that's why I wanted to post West first uh of course I learned other engine Oracle SQL server db2 but I'll first learned with passwords and I fell in love with passwords uh oh brilliant and why did you start a postgres women um so that's also a funny story I was at

(06:47) first then in the postgres Devon and there was only one woman presenting for the whole day and I was just sitting near another woman and we were discussing about how shame it was that there was only one woman presenting for the whole day and she said that she had found out the same thing she felt the same way so she decided to do her part and just she was a little afraid but a little excited as a sentence that she will be presenting her first told uh two months after I said wow she's so brave but if she can do it I can do it too and

(07:28) after that we found out that women might need a little help to go on stage because maybe that thing that what they think is not valuable as it is anybody's part of you is valuable so my evil plan for possess women is to get women go to conference torque events so that they can meet people it's very good for their career but also the next step of the evil plan is to put them on stage ah so you bring them in maybe offer them a free lunch and then yeah but that's gonna get me every time and uh David so you're the founder of

(08:13) roadie uh when did Roadie start rolly started about two years ago and before I kicked off Roadie I was a infrastructure product manager at workday which is a large HR technology company and I actually worked on service catalogs and developer portals at workday um so helping to drive adoption of those Technologies inside the company and that was what initially got me interested in the space and helped me understand what kind of business problems that uh software kind of laws could solve yeah and so did the developers love it when

(08:45) you introduced that Roadie and you're like wait a second there was a we built this technology called uh the registry and it wasn't let's say a overnight success it certainly needed a bit of babysitting and uh and needed some help to drive adoption throughout the company but it solved some big challenges there um and eventually it was quite a well-loved product inside the company so at a certain point I kind of saw how effective it was being and I decided I was going to leave workday and start my own company it's something I've always

(09:18) wanted to do ever since I first wrote my line of code about 10 years ago um and so yeah it handed my notice in the first lockdown of the pandemic back in March or April 2020 and took the leap into trying to build something from scratch wow that's so brave like when the when the pandemic starts then you're like Ugh yeah I know what I do yes when you know you know right and um the the even worse the first thing that happened after I handed him I noticed were they to start building a open source sorry to build a proprietary uh

(09:55) software catalog was that and Spotify open source backstage pretty much like the next day and so I had this terrifying moment where I had just quit my job to build something to build a product and Spotify had open source my entire product Vision very nice they took um for a little bit so until you realize that yeah there was almost a scramble to try and get my old job um it it kind of caused me to go and talk to the team on Spotify and try and understand what they were trying to accomplish uh and you know understand

(10:27) their vision and whether or not Roadie could be a part of it although it wasn't called Roadie at that point um but they seemed excited to have a commercial company operating in the space and to help them Drive adoption of Backstage and so it seemed like our Our Stars were aligned in that way yeah cool uh who what where why of Open Source commercial so I thought that the first question is like why why do companies choose EDB a roadie over their open source uh alternatives and I'll give that to Leticia uh while

(11:05) the main reason is for support and SLA because even though the passwords Community is pretty reactive and uh it's very often that dogs are fixed in the next 24 hours there is no guarantee so with the company behind it's easier um even though the company won't be able to push a bug a bug fix into the password Community if the password Community thinks it's not good enough uh it will but what we couldn't do in that case is create a create a fork if the customer really needs it urgently but most of the time we have

(11:48) really we know the the community because we all work together for now a long time and so we discussed together and um normally it works well it's just that that the open source committee does not provide any support and SLA which is mandatory for some companies David and Roadie s is that where do you um where do companies come to you first because I suppose it might be a little bit different Roadie because like companies need databases and they've had them for an awfully long time but maybe they're coming to you before they have a

(12:32) service catalog or uh how do you find it yeah um I'm glad to say that my branding is working and I'm I'm merging with the company um yeah uh yeah so you're right that our our customers are early on their adoption journey of Backstage because it's still a relatively new technology and still relatively uh immature compared to something like postgres and but there's really kind of five reasons why people will choose us and the first one is just that they might be faster getting to production so backstage is

(13:04) kind of complex to set up especially if you don't have uh Native typescript expertise in your team and so you can kind of choose between spending multiple weeks self-hosting which might be the right thing to do but or you can come to rhodium and if you put your mind to it you can get set up in a few hours there's also reduced ongoing maintenance so people don't have to spend their engineering time upgrading backstage every month and you know that just means that people can focus on what they do best or adding value to it in a

(13:33) different way to their company we also I would like to think uh manage better of time and meantime the resolve for backstage issues than most self self-hosted teams so if you imagine you know a devops team who are looking after lots of different tools if there is an incident it can often just take some time just to get up to speed with how to fix the problem inside backstage you might be learning the code base kind of from scratch whereas we're used to running backstage at scale over a large number of different companies

(14:03) we're experts in the code base at this point um and so we just have a better ability to fix issues that happen much more quickly fourth thing I mentioned is just that the knowledge sharing and the support that comes with working with Roadie so we've rolled out backstage now at multiple dozens of companies and we've built up some expertise over time that we can apply to the next customer who comes along so they might be marginally faster than the first customer we work with we have some internal tools that we

(14:31) have rolled out inside these companies as time has gone on and so every customer who comes along it gets that Advantage as well and they probably get adoption faster than they would if they were self-hosting backstage and then the last thing I would just mention is that we um are building proprietary features on top of Backstage so as we have rolled out backstage at many organizations you know as soon as people start realizing what software they have because they've cataloged it in backstage the next question is typically well how do I make

(15:01) sure this stuff is mature or how to make sure it's secure or operable and so they want us to play a role in solving that problem or answering those questions and so that's kind of naturally driven us to adding extra Technologies on top of Backstage to help solve business problems inside those organizations yeah and Leticia that's probably something similar with EDP where you offer features outside of the postgres yes we have a fork of first place which was meant to Felicity to facilitate migration from Oracle so we have a layer

(15:37) of hierarchical compatibility which helps uh not having to rewrite everything you have to make it work and the old version of buzzwords we also provide services of course because both West runs well but you might want High availability you might want backups things like that and designing a backup policy designing a service disruption policies that's not easy it needs to be thought because you don't want to spend too much money you don't want to you don't want to miss something and risk having huge availability

(16:20) availability disruptions things like that so we have Services we also do audits um tuning and yeah we do whatever you might need a run passwords because we have uh pre-packaged services but we can also do custom packages really defined for your special use case for database you have to be like bring a little bit of French so are some of these Services would they be considered sort of consultancy when you're talking about tuning when you talk about like that uh experience of a service catalog is that to be provided

(17:11) as a sir as a consultancy or is it like um as part of the SLA is it is that uh it's about it's part of consultancy SLA is when you have a problem consultancy is to prevent the problems to happen okay yeah that's a nice nice one liner there and what about metrics because I know metrics seems to be a differentiator with these with Enterprise um a kind of a Enterprise products do you guys provide metrics for your customers to let them know how like especially if there's so much around databases is that something that's extra

(17:51) to postgres or um what you what do you think uh the passwords project does only postgres and that's uh and that's a pretty narrow because if you look at other database products like oracles they do a lot of steps that possible doesn't do love for example they have a storage layer passwords will never do that we rely on the operating system for storage um and so sometimes you might want things around it like we have um monitoring system that is designed to first try to alert before it stops because it's pretty hard when password stops on

(18:41) the go like that normally it sends warnings before so we catch this warning but also you will have the nice graphs um bosses like to see like the number of transactions the number of queries the slow queries things like that yes we have a monitor monitoring tool it's close to us and it's called Pam password Central bus manager and what about backstage David is it like because like there's so much metrics around developer productivity I'm sure you offer stuff like that yeah no for sure and both on the the

(19:18) metric side but also product analytics so one of the first questions our customers typically ask is well how do I know if this is being successful inside my organization um everybody wants to answer that question and it's actually typically the same set of product analytics that you need to look at in each different customer um and we spent a bit of time or invested some time in figuring out what those correct metrics to look at are and we share them directly with our customers so it's an example of something that they get out of the box

(19:49) straight away when they use Roadie and but they might have to configure themselves or you know collect the data themselves or analyze the data themselves if they self-host oh cool and let's go to the poll because this sort of around this whole topic of the first question be like so why choose an Enterprise product based on open source over building and running the open source directly so I gave people a few different options why would they choose uh reduced overall cost increase security of your supply chain and that

(20:20) that's actually the highest high availability uh support and slas or I'd prefer to run my open source directly which is not many people want to do um so the increased security of your supply chain that's kind of interesting and do you find that like a big part of your offering is to keep up to date with um uh updating your your dependencies and and making sure your security is that a is that a huge push to um for people to to buy rodie or EDB so yeah for sure I'm uh I'm kind of pleasantly surprised by the answers of

(21:10) the poll there I think you're I like your audience they're singing your chin yeah yeah absolutely these are my people um yeah so so security is is definitely an important reason to use voting so we are diligent on staying up to date uh with the latest backstage releases um in a way that I think most companies that sell files don't necessarily do so and there's multiple parts to that there's firstly tracking and understanding watching what's in every release and these are big chunky releases with lots of different open

(21:44) source pull requests in them and so even that can be a challenge and we have to invest time in that then there's actually performing the upgrades to bring in the patches um and fixes and upgraded libraries and that takes time and sometimes it can go wrong and you know you can cause outages when you're doing upgrades Etc if you're not doing them regularly we're doing them every single month and so we kind of built up a bit of a bit of Automation and some process around that to try and ensure that it doesn't go wrong and so

(22:11) yeah yeah I think you're much likely much more likely to be up to date with the latest backstage releases and features if you're using Road even if you're self-hosting and security kind of comes along naturally with that we also do a dedicated pen testing against our our SAS backstage instances and which some companies may not think to do but yeah we have external third-party third parties try to hack Roadie um and then we use that to guide our security posture oh it is is that part of like some of the

(22:40) like I know your stock too compliant is that part of that or is that just separate kind of a extra it's not um it's not part of sock 2 type 2 as far as I know I might be wrong on that but uh because there are there's hundreds of reels that are part of talk to um which I don't know all off the top of my head but we do have soft 2.

(23:02) 2 and as far as I know pen testing is not part of that it's something extra that we thought was important just because you know we're uh we're engineers at the end of the day and we'll code bugs into the system and we want somebody else verifying um that what we're doing is secure yeah and I'm Leticia I'm sure like staying up to date and secure is a huge part of EDB yes and both ways uh release is one major version per year which is alert and uh at least one minor version per quarter uh so it's certainly

(23:34) a challenge when you choose passwords to keep up to that because uh only five major versions I've maintained meaning if you're in an out of date version and uh security failure is found then you won't be you won't get the patch so that's a problem for our customers we're helping the best we can uh but regarding the security of the supply chain um as a postgres he's a very old project with an old-fashioned way of doing things we don't have a GitHub where we we do have a mirror GitHub but it's not

(24:16) the official GitHub of us guys we um host our own git tool we are our own web interface for or Git You can't do pull requests you have to create your patch with gitbatch and send it in the mailing list so very old-fashioned and the each patch is reviewed solely by all or developers and can't be committed if it's not been reviewed so that the probability is that nasty code being added to postgres is low uh yeah it's like the opposite to npm it's like yes it's sometimes in creating my first
(25:03) patch was dress a documentation patch with a copy past from one page to another and it took six months but oh wow we have a very stable code oh that's really interesting and how I know earlier you talked about how um uh there's a postgres and egb there's a lot of overlap between the two communities um how to like I suppose it would be really hard for another company to come in because they don't have those relationships there are other companies that's the beauty of both ways no company owns both ways and the both

(25:46) quests committee make sure that there was not only one company so uh you have other companies at ADB offering support you can go to possessuel.org there is a support Tab and then you will find a long list of companies that can do support for postgres oh cool how would you um maintain those relationships and those communities like say you have you've decided oh postgres needs this new feature is I is this um difficult to get that included into postgres I suppose you were talking about the process there it is difficult

(26:26) yes but um so the first thing you need to do is just write an email explaining your ID before writing everything because we don't want you to waste some time if people objects to your ID so um first explain your ID and send an email explaining your ID there is another way to do that there's this huge um event well not that huge but it's uh um most popular even for postgres developer in Ottawa in May where we have unconferenced session well you can explain new ideas uh doing some brainstorm with others about how we

(27:10) could solve this problem uh then you we you can everyone can submit topics and after we vote on the topics and we have a six to seven sessions of and Conference where we can discuss ideas and and the other way to do that is having beers yeah so it's always a good way yes and David what about yourself how do um Brody um backstage how do they communicate with the maintainers and the um and your company is that um a happy relationship  yeah the um well the process for contributing to Backstage is slightly simpler I would Hazard against them for

(28:05) postgres I mean obviously postgres is extremely critical infrastructure in many different companies on there it's good that it's um they prioritize stability and backstage and because it's more modern and because it should more it was created more recently it there is a GitHub project there's a Vibrant Community there's a Discord but seven thousand people in it and there is a lot of different ways to talk to the community and we try to contribute every way that we can and I think that there

(28:32) is a good recognition from Spotify who are the main caretakers of the project that they want to build up a commercial ecosystem which is vibrant and allows for lots of different business models to exist because that's how you build a platform that's going to last into the future it's relatively easy to open source something and just kind of strip all the profit from it very quickly but it's not going to become a healthy kind of flower garden where lots of different uh companies can bloom and so yeah they are prioritizing

(29:03) that we're doing our part by contributing as much as we can lots of different ways you know code uh product management ideas I mean we have a direct line of feedback with our customers who are using backstage every single day and so we try and feed as many ideas as we can back to the maintainers so that they can incorporate them into into their thinking there's also just the marketing efforts that we do right we talk a lot about how backstage can be used and what it's good at and um that helps spread awareness and drive

(29:29) adoption and increase the size of the community for everybody cool and you were at a was it the first backstage conference since the pandemic first one ever yeah um was that cute on North America I think three weeks ago um and we were there we co-sponsored and co-hosted it uh with alongside Spotify and VMware um and it was an incredible success like I think we were given guidance for maybe 50 people or 80 people from the cncf and we ended up with something like 200 or 250 people there so it was a really great event and it was just incredible

(30:07) to meet the community in person for the first time yeah it's so nice to meet people in in person like it's it's like there's definitely something that you missed out on over Zoom or yeah so we have a question um what Challenge and this is from fratton what challenges do you see in the coming year in terms of Open Source and what you how do you advise to um to be prepared for that so Leticia I'll start with you sorry to put you on the spot there no no that's right I think that opensus from postgres

(30:44) is different from than open source from a commercial company because model DB for example does a commercial company behind Mario DB so the company has to make money in order for the open source Community to still exist it's not the case with sports race and both ways in simply done with people happy to write good code and give it back to humanity without any purpose of money behind so I don't see any challenge because there is no goal we have tries to encode for the beauty of it and open it opening it

(31:25) that's all so that's no challenge here I think and David do you have any other thoughts on the future of Open Source no I just would agree I would agree in an echo what we did with that I mean the best open source communities are able to survive because people want to participate and because people want to add value uh commercialization I think can act as fuel on the fire and speed things up but it shouldn't be necessary and I think that um I think that's you know I'm pretty enthusiastic and I think the open source

(32:03) communities are going to be in a healthy Place throughout the next years yeah there's a lot of talk I still see um about the security of Open Source but it's more like the realization how soft all software relies on open source so it's like and a lot of the initiatives that I've read about it's not about taking out open source is about trying to understand what what what are you using and to make sure you're up to date it's not um it's not negative about open source it's like no open source is amazing and

(32:38) there's no way we're going to take out 80 of our code base so let's just try to make it secure yeah it's not going away so um I wonder if we have any more questions from the audience is anybody else want to pose that question oh I I just have one for for you guys so both egb and Roadie you guys are off you're contributing to uh open source the whole time is there ever any like um uh tension there like oh am I an open source contributor or am I working for a company and getting paid to do that work

(33:27) uh I never asked myself the question I have goals but I fulfill and any extra free time is available to us yeah I think I mean I think that there's a I'm not sure if tension is the right word for it there's there's there's healthy tension in any kind of uh code base where people are reviewing code and just making sure that the project works for everybody I think that's a good thing um the the important thing to remember is just that like and I think people can sometimes forget this when it comes to

(34:01) open source is that open source is created by humans and um we're all people and it's like it's sometimes very easy to forget that when you're launching a pull request or creating a GitHub issue on an open source project that people are are people they're not there to just work for free and you know provide value to you and so I think it's uh it's best to try and establish some sort of relationship with the maintainers of an open source project or understand how um what the history of the project has

(34:29) been before just firing in your GitHub issue and I think that that kind of keeps things smoothly oiled and and helps everybody work together a little bit better yeah I think that's a lovely sentiment and we have uh one more question um so Angel said that their her friend is just released a python web framework esmerald and she wants to know what would you recommend as open source business model to grow the community [Music] so David I might put that to you soon as you're the founder I I think um I maybe would reverse the question if I

(35:09) could and I wouldn't ask what can you do to grow the community to the point where it can support a business model I think that commercialization is is not is kind of the end result of a healthy uh open source Community that's growing well and so the best way to just grow your community is to support people to add value and help them achieve what their end goals are in as efficient way as possible yeah absolutely I think we'll um ended up there so thanks to everybody that's watching thanks to our wonderful

I could talk to you for much longer but I think you're you're a bit busy um thanks to everybody for watching and oh to let you know next month we have our last webinar of the year on the state of the devops for 2020 where we review uh things that have happened in 2022 and that's on the 15th of December so um hope to see you then so thanks again for coming bye until next time!