Tracy Miranda is director of open-source at CloudBees and board chair of the Continuous Delivery Foundation, an open-source foundation that runs projects like Jenkins, Spinnaker, and Tecton, and Jenkins X.In this episode of The Business of Cloud Native, host Emily Omier and Tracy discuss the link between open-source and cloud-native, while exploring key considerations that organizations should make when implementing open-source technologies and communities.The conversation covers:

• Tracy’s thoughts on how the relationship between open-source and cloud-native should be described.

• The advantages and disadvantages to an organization using open-source.

• Some of the major risks associated with using open-source, and why companies should approach with caution.

• Why CI/CD is a rising security concern for open-source organizations.Tracy also provides her thoughts on how businesses are handling the CI/CD pipeline today, and where the trend is heading.

• Some of the unresolved challenges related to continuous delivery that currently exist.

• Tracy’s advice for companies that are just starting to develop an open-source contribution strategy.

• How companies should approach topics like open-source strategizing and building open-source communities.

• The common mistakes that individuals and companies make when nurturing open-source communities. Tracy also comments on mistakes that people are making with continuous delivery.

Links

• CloudBees: https://www.cloudbees.com/

• Continuous Delivery Foundation: https://cd.foundation/

• Twitter: https://twitter.com/tracymiranda

Transcript

Emily: Hi everyone. I’m Emily Omier, your host, and my day job is helping companies position themselves in the cloud-native ecosystem so that their product’s value is obvious to end-users. I started this podcast because organizations embark on the cloud naive journey for business reasons, but in general, the industry doesn’t talk about them. Instead, we talk a lot about technical reasons. I’m hoping that with this podcast, we focus more on the business goals and business motivations that lead organizations to adopt cloud-native and Kubernetes. I hope you’ll join me.Emily: Welcome to The Business of Cloud Native. Today, I'm chatting with Tracy Miranda. Tracy, thank you so much for joining me.Tracy: Hi, Emily. Thanks for having me. It's my pleasure.Emily: So, as usual, I just want to start off with having you introduce yourself, both what you do, where you work, but also, like, some details, what does this actually mean? How do you actually spend your day?Tracy: Yeah, so I'm the director of open-source CloudBees, and I'm also the board chair at the Continuous Delivery Foundation, which is an open-source foundation, which is home to projects like Jenkins, and Spinnaker, and Tecton, and Jenkins X. So, basically, I'm a big fan of all things open-source, which in day-to-day means I'm doing anything which is related to building communities. So, either involved with code, or building communities and through conferences, or sometimes just the boring governance stuff around open-source.Emily: What is the boring governance stuff around open-source?Tracy: So, I guess it is just trying to get folks moving in the same direction, and reminding people that it's sometimes more than just code. And whether it's updating a code of conduct, and one of the things we've seen and—okay, I wouldn't call this boring; it's actually taken over a bit in open-source communities, but it's sort of different from the code, but it's the whole terminology updates. We've seen a lot of open-source communities have become more aware about wanting to be better about using terms like ‘master’ and ‘slave’ and move away from that. That being said, it's not that easy, so there's a lot to do in getting people on the same page and ready to move forward even before you can start changing a line of code.Emily: Since the topic of the podcast is cloud-native, obviously, open-source and cloud-native are related. In fact, some people think that cloud-native must be open-source. Where do you fall on that spectrum? How do you think the relationship between open-source and cloud-native should be described?Tracy: Yeah, I think that they're pretty distinct things. So, cloud-native is all about using the Cloud effectively and having technology which takes advantage of modern architectures to give you things like rapid elasticity, or on-demand self-service. And that's distinct from open-source, which is around the licensing, and it's become more about communities, as well. But I think because Kubernetes has been the most successful cloud-native project that is open-source, I guess there's become this very, very strong association which, in my mind, is a very, very good thing because I think open-source communities are really the way to drive innovation very, very quickly across the industry.Emily: And this may seem sort of obvious, but what are some of the advantages and disadvantages to an organization in using open-source?Tracy: Yes. So, I think—well, lots—virtually every company uses open-source, and the first thing people can see as the benefits are just the engineering efficiencies. So, using technologies which, say aren’t core to the business, but then building on top of those and taking advantage of the features rather than dedicating their own engineering resources to developing them. I used to work as a consultant, and I would go from company to company, and usually, they would be adopting open-source when they wanted to get away from an in-house project where the people or person who had written it had left the company. So, I think there's a lot to be said, as well, for sustainability of technology: that communities and open-source communities are really good at sustaining projects over the long term, and therefore kind of the best bet for technology that's going to live on beyond individuals or even companies, acquisitions, or whatever.Emily: Do you think there are any risks to using open-source? I'm even interested in hearing if there are risks that are not real, but that are perceived risks. And then even maybe some risks that people don't think about, but that are in fact, quite real.Tracy: Yes, yeah, no, absolutely there are risks. So, it's wise for companies to approach with caution. I think the risks sort of depend on which side—like, are you looking to just use open-source that someone else has written, or are you contributing something, which might be key to your company, but then you’re saying, “Okay, I'm going to do this in an open way,” which brings us to one of those common perceived myths, that someone, like a cloud provider, is then going to take your open-source software and do a better job of making money around it, so thereby just ruining your entire business model.And I think the other area where we tend to see a lot of dialogue around, is always around open-source security. For a long time, people used to, sort of, make out that this was different from closed source security, somehow. Security through obscurity meant that closed-source was better than open-source, which is clearly not the case. You can have secure open-source software, not secure open-source software. It just really depends on the project and the practices.Emily: And then also, I thought we'd talk a little bit specifically about this CI/CD work that you do. How important is CI/CD, do you think, in the pursuit of being cloud-native?Tracy: Yes, no, I think CI/CD has just risen to the top as one of the key concerns. And I think, part of the reason—when you're doing things in a cloud-native way it means that your systems are very distributed; you don't necessarily know where the services are running, it's typically not on-premise, and suddenly it becomes very important to understand how do you do this integration, and how do you then deliver that software in a way that is both quick, and that is not going to—you can do it in a safe way, so it's not going to break every time you do releases. And I think we're seeing that it really is at the forefront. Like last year, we started the Continuous Delivery Foundation, which is an open-source foundation, and the mission there is to increase the world's capacity to ship software securely and at speed. And the uptake from folks has been really well. Everyone's grappling and trying to figure out, what does CI/CD look like in the Cloud? What does it mean to be cloud-native CI/CD?Emily: And from the perspective of an end-user, what do you think are some of the, still, unresolved challenges related to continuous delivery?Tracy: Yeah, it's very challenging. Everything is changing under enterprise’s feet. And it's not just the tools we're using, is also the skills we expect people to have, the way we organize a team. And traditionally, it's been very, very hard to decommission software or deprecate it, but what we're seeing in the industry now is that everything is changing really rapidly. You take something like Kubernetes and it has a new release, like, every three months and then nine months later, that's deprecated. So, people are having to make changes in enterprise situations at a rate that they just previously didn't come anywhere close to, and that's pretty challenging when you're having to deal with the changing tools, and processes, and people all at the same time, all while keeping your business up and running.Emily: In terms of the whole CI/CD pipeline, do you think most end-users experience that as being mature? Is it sort of figured out, or is it something that they continue to struggle with?Tracy: I think everybody has a CI… certainly CI… many people have sort of cracked, and they've got their systems set up. And then the delivery side, it just, kind of, varies. And I think it depends; we see a lot of folks who are really trying to figure out pipelines and are really trying to figure out what that looks like in a cloud-native world, and they haven't figured out, what does it mean for things to be highly available? What does it mean to be able to scale at any level? So, everybody's got something, but I think we've only just scratched the surface of what's possible with today's technology.Emily: Where do you think it's going in the future?Tracy: Yeah, I think, like in the same way we're having this big shift, everybody's got monoliths, and the problem with the monolith is that you can't do the speed and security at the same time. So, if you think about the key metrics people use today, there’s two on speed, “Which is how quickly can you deploy?” And, “What's your lead time for changes?” And then for the safety, it's, “How long would it take you to restore services, if something went wrong?” And, “What is your change failure rate? How often are things going wrong every time you push code?” So, in the bid to get really good at those metrics, I think people have realized that monoliths cause a lot of problems, and it's much easier to meet these capabilities if you've got microservices are smaller batches of code, each, which do a specific thing, and there's less chance of things falling over when you make changes because there's not all these huge dependencies. Now, however, when you do start having all these different microservices with, let's say, a web of dependencies, things start to get really complicated. So, now you don't have, perhaps, one CI/CD pipeline, you have a pipeline per microservice. And then we start to say, “Okay, what is the definition of the application even? Is it all these microservices? Which version is it?” And then things like configuration management start to enter the picture, especially if you've got dependencies on things, let's say, outside your company, or open-source. So, I think it's a lot for people to grapple with, like, how to truly do microservices, and how the definition of an application is going to evolve. And I think for CI/CD, we can't keep doing what we've done in the sense of traditionally, folks have written a pipeline by hand, and you'd write a pipeline for your monolith. But now you've got all these different microservices. You want to start thinking about how can you have a pipeline auto-generated for them.Emily: I wanted to actually shift and talk more about open-source communities as well since I know that's a large part of what you do. My first question is, what would you say to a company that's starting to think not just about consuming open-source, but developing a strategy to contribute to open-source? What do you advise companies who are just starting that journey?Tracy: Yeah, no, I think for companies, it's a really good thing. I think open-source can give you a lot of strategic advantages, especially if you're coming in strong, and you're looking to be a leader in a space. And if we talk about category creation, you can use open-source almost as a weapon to drive the industry in a specific direction. So, I think what is important for companies is to be very deliberate about this strategy because open-source strategies can be almost counterintuitive, especially to folks who haven't done it before. This idea that you're giving away assets for free, or making them open. So, it's really important to have all the stakeholders in the company on the same page, and really understanding that this is a long-term thing where you'll have these benefits and not something where you start off and you do sort of half-heartedly.Emily: Are there two or three, sort of, primary open-source strategies?Tracy: Yeah, no, I think—[00:13:42 unintelligible] I think you can break it down. So, people would talk about the Red Hat model, which is really hard to reproduce but everything was open-source, and then they have this whole—they layered on top of that with a lot of services, and things. And then there's the open-core model where you're separating an open-source portion of the product, and then you add on a lot of features and things that add value that aren't being produced in the open-source. So, I think there's those, and then the new one that we're starting to see more of is—just looking much more at SaaS platforms. So, you have some open-source code, but your real—where you're making money is by offering it as a service.Emily: And how does that differ for a company whose core business isn't software? So, for example, if you're something like a Home Depot, and almost undoubtedly you use open-source software. If Home Depot wants to start contributing as well, as part of their company strategy, what should they know? What should a company like that think about as strategies?Tracy: Yeah, no, I think that's a great point because we do see a lot of companies contributing, and actually a lot of innovation is coming from companies who use software, but they have a different focus. And I think one good example, as well, is Capital One, who have a lot of open-source they contribute and maintain. And it's different, it's separate from, kind of, the main banking function. So, I think, again, for companies like that, it's just mapping out the strategy, being very deliberate in is there some sort of monetization around this, or is it more—you know, we see a lot of companies who want to do it to be seen as leaders in the field, and to, sort of, share some innovation to be seen as an attractive place, as well, for people to work with, and just to really drive that industry to help the innovation and to help make it a good place to be. So, I think the same things apply there, although maybe the business models allow, perhaps, for a bit more freedom. And we often find in those companies, they will have open-source program offices, which is a dedicated set of people who will map out the strategy and pull the whole company along in the same direction.Emily: Obviously, a big part of open-source is building a community. How do you do this? How do you herd the cats in a way that advances your project? And I'm actually curious, I don't know if you have a perspective on this from both somebody—an individual starting a project, and a company that wants to create a community around a particular project?Tracy: Yeah, no, I think that's a really great question. And people are always attracted to, I think, you want to start out with the big idea: why is your project going to do things better than before, or what's nicer about it? So, I think you have to start with, I guess you'd call it, like, you're [00:16:58 unintelligible] for your open-source project; the reason people are going to be attracted to it, and they're going to come and say, “Actually, I want to be part of this.” Because I think people do want to feel part of something bigger than themselves. They also want to see other people contributing, and everybody pulling their weight, and not necessarily any kind of biases for specific companies. So, the more open you can make it, the more transparent you can be about how things happen, people love to—if they're committing, and folks in open-source do commit fully—they want to know that they're not going to be taken advantage of, that they can do that, and they can really change the way the project is going to—they can feel the change they're going to make. So, I think it's important just to go to those principles of openness and transparency, and to let people participate. I think sometimes having clear ways—like with Jenkins, we saw that originally it really thrived because people could write their plugins, and they could make it their own, and they could share them and show them to their friends. And it's the same idea with GitHub, things that make developers look good as well, while they're contributing to open-source always makes for very, very successful projects.Emily: What do you think are common mistakes that people—individuals or companies make around nurturing the community?Tracy: Yeah, I think the mistakes are always connected to control and wanting to control too much or in a too specific way. And you could almost—I don’t know if this is a good analogy, but it's almost like, I guess, parenting, in a way. You might be tempted to be very regimented and say, “Okay, your child can do this, or they can't do that.” But then you sort of lose out in finding out where could this go? How big could this grow? So, I think it's finding the right level of control so that the project can take on a life of its own and be used in ways that perhaps you couldn't even imagine. I think that's when the real magic happens. But it does take a leap of faith and understanding that you will be able to reap some business benefit out of this if that is your aim as well.Emily: Do you think that that's easier for individuals or for companies to achieve?Tracy: I think it depends on what people are going into it for. And for individuals, I think often it's they want to share their idea with the world or they want to build a reputation, which is very synonymous with doing the project. Having said that, individuals can have the same issues around wanting to control it, but I think there's perhaps a different monetization emphasis which would make it easier.Emily: Actually, I had a similar question related to continuous delivery which is, do you find that there are common mistakes that you see people making?Tracy: Yes. And some of the mistakes, I guess—one of the most common mistakes is a pretty boring one. And I know why it happens, but [laughs] it's just around documentation, to be honest. And it's the, “Okay, we're going to write the code, and then we're not going to necessarily document it or share the way people can either get involved or use a project.” And it's just—documentation is hard. Good documentation is really hard. Things keep changing, and it's boring to go keep updating them. But it's so incredibly important, and some of the most successful open-source projects have always provided that kind of self-service set of docs where people don't have to be asking the same questions over and over again. They really can go off and feel empowered to do things and to do things and not feel like they're getting it wrong or wasting their time, which I think is really important when building community. So, yeah, just write good docs, everybody.Emily: And do you think there's anything else specifically related to how companies approach continuous delivery, that there's something that a lot of them are not doing right?Tracy: With continuous delivery, especially today where everybody's in a really, kind of, tricky situation where they're trying to make this move to using cloud-native technologies because the benefits are so huge, but at the same time, all these technologies are coming very thick and fast, and nobody's sure—people have tried technologies which are now no longer used, so this is a bit of fear of saying, “Okay, is this going to be a safe bet? And at the same time, while I'm trying to decide if that's the right technology to use, I'm having to restructure my teams, and change of habits is really hard, and we've got all these additional environments we're having to deliver software for.” So, it's a huge challenge, and everything has to be done in balance: you have to get the tools, and you have to get the technology, and you have to get the people right. You can't do any one of those and hope it's going to work, you have to do this juggling act within your organization. And that's massively, massively challenging, especially when you are trying to change long-held behaviors and habits people have, and just ask them to do things in a different way.Emily: Do you think technology is more challenging, or people skills organization is more challenging?Tracy: Yeah, I think the thing with technology that is more challenging today is, especially in the CI/CD space, we have a lot of different types of tools. And we don't have standard ways to talk about—like, we don't have standardization of terms, so different things have different meanings to different people. So, you might say ‘a pipeline’ but it might mean—the scope might change depending on who you're talking to. And so it's really hard for people to understand, how do I connect these different tools together? There's very poor interoperability, as well, which is another thing the Continuous Delivery Foundation wants to try and solve. So, I think those are key areas. Security is another one, which makes it really hard when you break things up. And no one's taking responsibility for the interaction between different platforms of different open-source technology written by different people, that becomes really tricky. So, I think we do need solutions at a community level, and we need communities working together closer to tackle this proliferation, and lack of interoperability, and new security concerns that we have to deal with as an industry.Emily: Is there anything else that I didn't think to ask that you'd like to add?Tracy: Yeah, no. I think what we're doing in the Continuous Delivery Foundation, if I can say a little bit about that, it is a relatively new open-source foundation. And I think it's a good place to bring people together where we're trying to tackle these issues. So, things like interoperability, we have an interoperability working group. And one of the first things that happened in that group as people would come together and talk about the different tools, is that we spontaneously realized we needed to define the tools. And there was a page set up where everybody could write down the definition of how their tool—use different terms. You know, is it a step? Or what do you call it in your tool? So, we have this what we call, like, the Rosetta Stone, of CI/CD tools. So, it compares across—whether it's all kinds of Git providers or pipeline orchestration tools, was the different terminology. And I think from there, we're going to look to see how we can standardize as an industry, just to make it simpler for people because I think—I would really hate to be someone new coming into the industry today and trying to figure out where to start, which tool to try out because the amount of noise and confusion is at all-time high levels.Emily: That's absolutely fair. And in fact, speaking of tools, my next question is, what tool do you really rely on? What engineering tool would you not be able to work without?Tracy: Yeah, well, they kind of say for developers, and I think this rings true for me as well, you’re kind of in three places. You’re in, like, GitHub and Slack, and then your development environment which use VS code, and like many people. So, those are, kind of, the three development environments. I think, when I look at CI/CD, and we look at new technology in the space that’s, kind of, gaining quick adoption, there's two projects in CDF which are starting to really resonate. And one is Tekton, which came out of Google, and their Knative serverless platform. But that's looking to have these standardized building blocks for CI/CD pipelines. And then the other one is Jenkins X, which, incidentally, uses the building blocks of Tekton to stitch together a CI/CD experience, if you wish, that pulls in Kubernetes, and Helm, and all those other projects to give a really nice developer experience just generating pipelines for you, so you don't have to write things by hand, and giving you preview environments, and really just trying to take advantage of all the power that cloud-native affords you in delivering software.Emily: And then lastly, how can listeners connect with you or follow you?Tracy: Yeah, no, I think the best place is Twitter. So, find me Twitter at @tracymiranda, and in all the continuous delivery working groups, and the communities we're building there. So, find that on cd.foundation, and, yeah, come join the community. We're having some great conversations in the space.Emily: Well, thank you so much, Tracy, for joining us.Tracy: Yeah, thanks for having me. And yeah, really great conversation and questions.Emily: Thanks for listening. I hope you’ve learned just a little bit more about The Business of Cloud Native. If you’d like to connect with me or learn more about my positioning services, look me up on LinkedIn: I’m Emily Omier—that’s O-M-I-E-R—or visit my website which is emilyomier.com. Thank you, and until next time.Announcer: This has been a HumblePod production. Stay humble.