Google has laid off many leading lights of the open source world. This will have a profound effect on software supply chain security.
One of the many people fired was Chris DiBona. Until January 20, he was Google’s director of open source, holding the position since 2004.
Patronage from firms such as Google was key to funding security-critical open source projects — for example, BoringSSL/Tink, Samba and Kubernetes, to name but three. In this week’s Secure Software Blogwatch, will the last to leave please turn off the lights?
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Faces.
Don’t be evil
What’s the craic? Steven J. Vaughan-Nichols asks, “What is Google doing with its open source teams?”:
“Google lives and dies on open source”
As I looked at who was being fired, something struck me. Many of those shown the doors were the best of the best in … open source.
…
For example, Chris DiBona … Jeremy Allison … Cat Allman … and Dave Lester. … These are not the people anyone in their right mind … would want to fire. They are open source movers and shakers. In open source leadership circles, they're people everyone knows.
…
It certainly can't be because Google doesn't need open source expertise. Google lives and dies on open source. … Google would be wisest to stop listening to pushy investors and pay more attention to preserving their real wealth.
How bad a move was that? Matt Asay investigates and analyzes — “Google blew it”:
“Repercussions”
This is an incredibly naive move. I don’t understand it. At all. … Google has made impressive inroads against cloud leader AWS by aggressively open sourcing projects such as TensorFlow and Kubernetes. … Google’s open source strategy [delivered] impressive dividends.
…
That’s why it’s so baffling that the company has laid off … key people who established, and still maintain, the scaffolding upon which all of Google’s open source and, by extension, cloud hopes rest. … The strategic benefit of open sourcing software like … Kubernetes is that it allows Google to influence industry direction. The same is true for projects Google didn’t start but actively contributes to … such as Envoy, etcd, Knative, Istio, and more.
…
You don’t lay off that much experience without repercussions. … Google needs more open source expertise, not less. … It ends up saving far more than it spends with effective open source policies.
Apparently, they were fired by email. As Elizabeth Spiers opines, firms such as Google “Show What Employers Really Think of Their Workers”:
“Word spreads fast”
Employees who were let go, some of whom had worked for the company for decades, got the news in their inboxes. … As someone who’s managed … hired and fired people … for the past 21 years, I think this approach is not just cruel but unnecessary.
…
Delivering the news with no personal human contact serves only one purpose: Letting managers off the hook. … Look people in the eye. Answer questions. If someone is upset, show some sympathy. Treat people the way we would wish to be treated.
…
And word spreads fast. Future hiring prospects will be reading all about it on Twitter or Glassdoor. … Treating employees like disposable units — who can simply be unsubscribed to — ultimately endangers a company’s own interests.
Really, though? Really. Yet Another Anonymous coward puts it pithily:
If you aren't doing a 1st year business class you think a little beyond the immediate effects. In the next upturn you are going to be competing for people to hire.
If it seems … you are the sort of place that just fires people from a spreadsheet, it might incline the best people to go and work for Apple. The juniors who want to work with them will follow.
But all that open source stuff doesn’t make money. That’s an incredibly short-sighted view, says rektide:
“A pretty basic, elementary thing”
I mean, it depends … whether you actually care about the rest of the computing universe. If you are ok just doing your own thing and not caring how the rest of the software universe looks at you, well, ok, yeah.
…
[But] if you want to have some relationships with the rest of the computing universe, this seems like a pretty basic, elementary thing to keep around. Most companies heavily rely on and use open source. … A ton of [Google’s] universe has vast open source underpinnings.
Google hasn’t cared about this for some years, argues u/PistolasAlAmanecer:
“No longer need to pay lip service”
Google was built on open source projects, but the people who made Google great in its infancy aren't there anymore. Once Google hit critical mass … thanks to the strength and royalty-free nature of open source, the value to the shareholders of having employees who want to keep working on (and releasing) open source code dropped significantly.
…
Is it much of a surprise that they're gutting these efforts? They no longer need to pay lip service to supporting open source since they're wealthy enough to just produce proprietary code.
Plenty of other firms support open source. But Robert Grant reminds us of the scale of Google’s work:
[Google has] been vilified a lot, despite in my mind being the most engineering-friendly cloud platform, and doing loads of good stuff like open sourcing VP8, starting Kubernetes, making AlphaFold, making Go, running Android, etc. They're obviously not perfect, but I think this is to be expected based on the commentary they get in the media.
There’s context here. As described by John Naughton — “Why has Alphabet hit the panic button?”:
“ChatGPT”
Over the years, it fumbled quite a few things – Google+, Google Wave, Google Glass, Knol and Google Reader, to name just five. … What enabled the company to get away with that mixture of creativity, fumbling and indirection, obviously, was that it was always rolling in money [from] the mighty cash pump of … surveillance capitalism.
…
Why the panic? Three reasons: … The first is that the tech industry knows there’s a downturn coming and that it massively overrecruited during 2021 and 2022. … Second, the US justice department and eight states have filed a lawsuit against Google alleging that it illegally monopolised the online ad market.
…
But the real reason for panic seems to be … ChatGPT, the free version of which is taking the world by storm. This is worrying enough for Google, given that people are already using it as a kind of search engine. … And that the company is heavily backed by Microsoft. … It’s almost enough to make one want to ask ChatGPT, “Why is Google not releasing a chatbot like you?”
Conversational AI replacing search? rich_sasha doesn’t buy it:
I tried using ChatGPT today … and it was like a smart 7-year-old: Sounded super impressive but wasn't actually correct.
Meanwhile, TheWrongen offers this neat précis:
Google sells ads. Everything else is either a vehicle to collect data for better ad serving, or a pet project that’ll ultimately be killed.
And Finally:
You have been reading Secure Software Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or ssbw@richi.uk. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.