Open Source Day 2023
The official speakers!
We received more than 140 submissions from over 100 speakers. The community vote took place on Discord.
Matteo Collina
Co-Founder and CTO at Platformatic, Node.js TSC member, Fastify Lead Maintainer
Why are there no incentives for security in Open Source?
Open Source has both “won” and “lost” at the same time. Every company in the world leverages Open Source Software (OSS) to build products. However, all software is vulnerable, and OSS is no exception. Yet, despite the strong incentive for companies all over the world to discover and fix those vulnerabilities, the majority use open source without paying for it. Security scanners allow companies to discover the vulnerable OSS they depend upon, but those vulnerabilities should also be fixed. While there are some incentives for discovering security vulnerabilities via bounty programs, there are none for fixing them. A typical email to an OSS maintainer reads more like a threat: if you do not fix it in the next month or so, I am going to make this public. In Node.js we have experimented with a public bounty program through https://github.com/nodejs/security-wg, and several companies sponsor full-time researchers to discover vulnerabilities. However, the OSS maintainers receive no compensation for the time they spend fixing the vulnerability. How can we solve this conundrum?
Francesco Corti
Senior Product Manager for Backstage at Spotify
Organization and challenges (with best practices) behind a successful open-source project
Bringing an open-source project to success is hard, but growing it from an organizational and business point of view, in step with the growth of the community, its enthusiasts, and the contributors, is an equally interesting challenge for all the companies behind it. Growing the maintainers in line with the scale of contributions and support, balancing the business expectations with the expectations of the open source (and non-paying) adopters, and growing the product accordingly are only some of the topics that every mature Business Open Source organization discusses (on a recurring basis, I would say). In this talk you will learn more about these challenges through practical examples based on direct experience gained from working with several structured, successful, worldwide Business Open Source organizations on community-driven projects.
Jason Dellaluce
Open Source Engineer at Sysdig
Michele Zuccala
Senior Director of Engineering, Runtime Security at Sysdig
Reliable and Cost-effective Cloud Security with Falco
As the modern cloud grows in complexity, container security based on attack prevention and surface reduction becomes less effective. Most new cloud environments either collect activity logs and store them for later inspection, which consumes lots of storage and loses the benefits of runtime visibility, or apply fine-grained runtime control on access and operations, which is more intrusive and raises scalability concerns. Falco, the Cloud Native Runtime Security tool, offers an open source alternative based on non-invasive runtime detection and low resource consumption. Falco is like a security camera that observes all the activity in your system and alerts you whenever suspicious behavior is detected. Historically, Falco focused on container and system security by observing data coming from the Linux kernel, but it has more recently evolved to also provide real-time telemetry over the logs of cloud services. In this talk, you’ll learn the basics of the project and how you can employ it as an open-source all-in-one solution for detecting malicious attacks in a faster and more cost-effective manner and for securing your applications and cloud infrastructure.
Alina Dima
Senior Developer Advocate, AWS IoT Ecosystem Services
Ensuring IoT Application Edge Resilience with the Open Source AWS IoT Device Client
One of the challenges IoT solutions face is ensuring application reliability at the edge and in the cloud. IoT solution reliability can be impacted by events outside of your control. Examples include the network provider dropping the connection, the application crashing, a technician unplugging the device and plugging it back in, power cuts, and low battery life. Building resilience into your application is the solution to ensuring reliability, and it is your responsibility, as an engineer, to build resilience into your IoT application. This session will look at application resilience at the edge and at using open source tools to achieve it. We will focus on MQTT connection resilience, message delivery, and application runtime resilience.
Rafael Gonzaga
Staff Engineer at Nearform
Michele Riva
CTO and Co-Founder at OramaSearch, Google GDE, Microsoft MVP, Published Author, International Speaker
5 Ways You Could Have Hacked Node.js
All languages and runtimes are or were vulnerable to some kind of threat. We contribute directly to Node.js Security, and during 2022 we performed many Security Releases, some of which were really hard to think about. Did you know you can make money by finding critical vulnerabilities in Node.js? In this talk, we’ll show you 5 ways you could have hacked Node.js and how the Node.js team deals with vulnerabilities.
Filip Grebowski
Developer Advocate at Permit.io
This Open Source Tool Turns Building Access Management from Scary to Simple
Broken Access Control is the top vulnerability in the OWASP Top 10 security risk list. Today more than ever, proper configuration and enforcement of access control are critical to modern organizations, as privacy and compliance awareness are at their peak. Yet, building authorization or permissions management is a painful process for developers. This is due to complex and ever-evolving requirements and a lack of knowledge about how to avoid common pitfalls. OPAL (Open Policy Administration Layer) is an open-source administration layer for OPA (Open Policy Agent). OPAL detects changes to both policy and policy data in real time and pushes live updates to policy engines, making them real-time and event-driven. OPAL uses Git as the source of truth for policy, enabling a GitOps workflow for policy delivery and versioning. Today, OPAL is used by thousands of engineers, including developers from Tesla, Zapier, Cisco, and Accenture. In his talk, Filip Grebowski will explain the challenges of managing modern authorization and access control and how these challenges can be solved by using open source tools like OPAL. In the end, he will provide use cases and tips for implementing simple and scalable authorization.
Serena Sensini
Enterprise Architect at Dedalus, author and founder @TheRedCode
One library a day keeps the doctor away
NLP represents a field with myriad opportunities for real-life use cases: one of the best examples is the healthcare sector, where medical research and patient care can rely on different technologies that enhance the information that has already been collected. Many companies lease commercial NLP software, but what are the open source alternatives? Let's discover MedSpaCy, a recent library of tools for performing clinical NLP, through a real-world use case application!
Liran Tal
Director of Developer Advocacy at Snyk, GitHub Star
The Unexpected Demise of Open Source Libraries
Hello there, dear developer building your app on open source dependencies. Oh wait, did you think open source code lives forever? Think again! Did you hear about the maintainer discontinuing a library despite it having tens of millions of downloads? What about a maintainer who intentionally introduced code to break the functionality of his package, which receives millions of downloads? So, did you ever wonder why dependencies die? Join me on a journey full of humor and horror across real-world incidents to learn how even the mightiest of open source projects got defeated. What can we learn from past incidents about the continuous struggles of open source software sustainability and maintainer burnout, and how do they impact us?
Federico Terzi
Software Architect at AnimaApp, Creator of Espanso.org
Challenges of Cross-Platform Development in Rust: The Espanso Case Study
Building performant cross-platform software is riddled with challenges. In this talk, we’ll discuss the technical journey of Espanso, a popular open-source Rust application, covering the main challenges encountered along the way, along with many useful patterns to solve them (including Rust-specific tips, CI automation, code signing, distribution, and more).
Federico Paolinelli
Principal Software Engineer at Red Hat
How to tame a maintainer
Contributing to Open Source is hard. Too often we submit a pull request without hearing back from the maintainers, wasting time that could be spent elsewhere. Being a long-time open source contributor, and having just recently started maintaining MetalLB, a fairly popular open source project, I will share the insights and the issues a contributor (and a maintainer) faces when dealing with new contributions. I will provide hints and reasons to maximize the chances of steering the maintainers' attention to our work, gaining their trust, and establishing a profitable relationship with the community behind a project.