WEBVTT

00:00:00.000 --> 00:00:02.899
Welcome back to the deep dive. So today we're

00:00:02.899 --> 00:00:05.500
tackling something that is, well, it's pretty

00:00:05.500 --> 00:00:07.980
much the foundational layer of all modern technology.

00:00:08.119 --> 00:00:10.000
We're talking about open source software, you

00:00:10.000 --> 00:00:12.960
know, OSS. And for most of us, especially if

00:00:12.960 --> 00:00:14.619
you're not on a development team, you hear open

00:00:14.619 --> 00:00:17.019
source and you just, you immediately think free.

00:00:17.160 --> 00:00:19.800
Right. Free as in it doesn't cost anything to

00:00:19.800 --> 00:00:22.079
download. But that view is so simplistic and

00:00:22.079 --> 00:00:25.519
it completely ignores the immense economic power

00:00:25.519 --> 00:00:28.980
behind it, the strategic advantages and frankly,

00:00:28.980 --> 00:00:31.480
the critical operational risks involved. OK,

00:00:31.480 --> 00:00:33.320
let's unpack this. We really need to move the

00:00:33.320 --> 00:00:36.759
conversation from thinking of OSS as like a niche

00:00:36.759 --> 00:00:40.020
hobby project to what it actually is. It's a

00:00:40.020 --> 00:00:43.219
global multi-trillion dollar industry and it

00:00:43.219 --> 00:00:45.859
demands an intentional strategy, not just accidental

00:00:45.859 --> 00:00:48.159
adoption. Exactly. So our mission here is to

00:00:48.159 --> 00:00:49.899
give you that strategic framework you need so

00:00:49.899 --> 00:00:52.700
you can really get the benefits of OSS while,

00:00:52.700 --> 00:00:54.340
you know, protecting yourself from the risks.

00:00:54.539 --> 00:00:56.020
And let me just set the stage with something

00:00:56.020 --> 00:00:59.200
I can say with a near certainty. If your company

00:00:59.200 --> 00:01:01.899
develops any kind of software, you're already

00:01:01.899 --> 00:01:04.560
using open source. Oh, for sure. Whether you

00:01:04.560 --> 00:01:06.719
know it or not. Absolutely. It's likely running

00:01:06.719 --> 00:01:09.459
your infrastructure. It's embedded deep inside

00:01:09.459 --> 00:01:11.459
your commercial products. It's in your supply

00:01:11.459 --> 00:01:14.739
chain. The prevalence is just, it's staggering.

00:01:14.879 --> 00:01:17.799
And that's why moving from just passively using

00:01:17.799 --> 00:01:20.819
it to strategically managing it is probably one

00:01:20.819 --> 00:01:22.540
of the most critical decisions a leader can make

00:01:22.540 --> 00:01:24.400
right now. So let's nail down the definition

00:01:24.400 --> 00:01:26.400
first, because the philosophy here is actually,

00:01:26.400 --> 00:01:28.879
I think, pretty profound. It's about capturing

00:01:28.879 --> 00:01:31.400
the world's collective intellectual effort, all

00:01:31.400 --> 00:01:34.340
this creative freedom, but as code. It's brilliant

00:01:34.340 --> 00:01:36.359
people from all over the world collaborating

00:01:36.359 --> 00:01:40.129
to build software that is, by design, open for

00:01:40.129 --> 00:01:42.390
everyone to see, to contribute to, and to use.

00:01:43.310 --> 00:01:45.310
And that transparency is really the key. I mean,

00:01:45.349 --> 00:01:47.750
to be officially called open source, the software

00:01:47.750 --> 00:01:50.409
has to meet several criteria that guarantee that

00:01:50.409 --> 00:01:53.010
freedom. The absolute core principle is that

00:01:53.010 --> 00:01:55.489
the source code has to be available. Anyone using

00:01:55.489 --> 00:01:57.909
it has to be able to look inside. Transparency

00:01:57.909 --> 00:02:01.269
isn't a feature. It's the prerequisite. OK, so

00:02:01.269 --> 00:02:03.489
having the code available is step one. But it's

00:02:03.489 --> 00:02:05.129
the license, right? That's what actually grants

00:02:05.129 --> 00:02:08.129
the rights to do things with it. Precisely. It

00:02:08.129 --> 00:02:11.689
must be free to be redistributed. And crucially,

00:02:11.949 --> 00:02:14.229
you're allowed to create derived work. Meaning

00:02:14.229 --> 00:02:16.669
you can build on top of it. Yes, you can take

00:02:16.669 --> 00:02:19.030
that code, you can modify it, and you can build

00:02:19.030 --> 00:02:21.110
your own innovation on that open foundation.

00:02:21.610 --> 00:02:23.990
But, and this is important, you have to maintain

00:02:23.990 --> 00:02:26.830
the integrity of the original author's source

00:02:26.830 --> 00:02:29.310
code. And our sources are clear this goes way

00:02:29.310 --> 00:02:31.750
beyond just the code itself. It's about a complete

00:02:31.750 --> 00:02:34.210
lack of restriction. It is. The license has to

00:02:34.210 --> 00:02:36.960
be distributed with the code. But it can't discriminate

00:02:36.960 --> 00:02:39.979
against anyone. No discrimination against people,

00:02:40.659 --> 00:02:43.500
groups, fields of work, or even technology. So

00:02:43.500 --> 00:02:45.439
a license couldn't say, you can only use this

00:02:45.439 --> 00:02:48.330
on brand X hardware. Exactly. That would fail

00:02:48.330 --> 00:02:51.050
the definition. Open source grants, quite literally,

00:02:51.430 --> 00:02:53.830
freedom of software. Now, when companies use

00:02:53.830 --> 00:02:55.810
this software, it seems to fall into two main

00:02:55.810 --> 00:02:58.210
buckets. The first one is frameworks and libraries.

00:02:58.330 --> 00:03:00.669
Yeah, think of these like components, Lego bricks

00:03:00.669 --> 00:03:03.110
almost. They're these modular pieces of code

00:03:03.110 --> 00:03:05.669
that do one very specific thing. Maybe it's a

00:03:05.669 --> 00:03:08.409
cryptography library or a really sophisticated

00:03:08.409 --> 00:03:10.289
graphing tool. So it's not the whole application.

00:03:10.710 --> 00:03:13.080
Never. They're always meant to be just one piece

00:03:13.080 --> 00:03:15.139
of something much bigger. And the second category

00:03:15.139 --> 00:03:17.639
is solutions. Solutions are the applications

00:03:17.639 --> 00:03:20.479
themselves. They're standalone. A full chat program,

00:03:20.840 --> 00:03:23.039
a database system. You can use it on its own

00:03:23.039 --> 00:03:25.060
without plugging it into anything else. OK, let's

00:03:25.060 --> 00:03:27.400
talk about scale. Because this is where the conversation

00:03:27.400 --> 00:03:30.199
really shifts from a philosophy about code to

00:03:30.199 --> 00:03:33.000
just massive industrial dependency. I want to

00:03:33.000 --> 00:03:36.699
repeat this number because it's wild. It's estimated

00:03:36.699 --> 00:03:40.300
that 96% of all software code bases in the world

00:03:40.300 --> 00:03:44.479
use open source components. 96%. And even more

00:03:44.479 --> 00:03:46.860
critical for business, commercial applications.

00:03:47.560 --> 00:03:49.919
The software that companies actually sell can

00:03:49.919 --> 00:03:53.580
be made of up to 99.9% open source code. That

00:03:53.580 --> 00:03:57.000
99.9% number, it often trips people up. They

00:03:57.000 --> 00:03:58.719
ask, why would a company sell something that's

00:03:58.719 --> 00:04:01.120
almost all free stuff? Right. The answer is all

00:04:01.120 --> 00:04:03.560
about efficiency and focus. And this is where

00:04:03.560 --> 00:04:05.780
that medical device example really clears things

00:04:05.780 --> 00:04:07.840
up. Can you walk us through that again? Of course.

00:04:08.259 --> 00:04:11.400
So let's imagine a super complex proprietary

00:04:11.400 --> 00:04:14.719
medical device. The company's core innovation,

00:04:15.379 --> 00:04:17.680
their secret sauce, their IP, is all centered

00:04:17.680 --> 00:04:21.459
on one critical function. Let's say it's ensuring

00:04:21.459 --> 00:04:24.259
the extremely precise timing and dosage of a

00:04:24.259 --> 00:04:26.779
drug delivery. That's what they spend billions

00:04:26.779 --> 00:04:29.360
on R&D for. That's their unique value. That's

00:04:29.360 --> 00:04:31.199
why a hospital pays a premium for their device.

00:04:31.420 --> 00:04:33.459
Exactly. Now, that same device also needs to

00:04:33.459 --> 00:04:35.180
do other things. It has to connect to the hospital

00:04:35.180 --> 00:04:37.680
network, handle security, respond when someone

00:04:37.680 --> 00:04:40.300
presses a button, draw a graph on a little screen.

00:04:40.360 --> 00:04:42.720
All necessary things, but they're basically generic

00:04:42.720 --> 00:04:45.720
IT problems. They are generic IT problems. Yeah.

00:04:45.740 --> 00:04:47.899
And these problems have been solved and debugged

00:04:47.899 --> 00:04:50.500
and optimized thousands of times over by the

00:04:50.500 --> 00:04:52.699
open source community. So why reinvent the wheel?

00:04:52.990 --> 00:04:55.230
Why would you? Why would that manufacturer spend

00:04:55.230 --> 00:04:58.009
its precious time and R&D budget rewriting a

00:04:58.009 --> 00:05:01.459
networking stack? They just leverage robust,

00:05:01.740 --> 00:05:04.500
well-tested open source for all those adjacent

00:05:04.500 --> 00:05:07.899
needs. So when you see that 99.9% figure, it

00:05:07.899 --> 00:05:10.199
just means they were being smart. They focused

00:05:10.199 --> 00:05:13.160
their proprietary effort only on that tiny fraction

00:05:13.160 --> 00:05:16.019
of a percent that was their real market differentiating

00:05:16.019 --> 00:05:18.500
innovation. And the economic impact of this model

00:05:18.500 --> 00:05:21.100
is just, it's colossal. There was a Harvard study

00:05:21.100 --> 00:05:23.240
that tried to put a number on this. They looked

00:05:23.240 --> 00:05:26.120
at the supply side value, so what it would cost

00:05:26.120 --> 00:05:28.199
to actually produce all these common open source

00:05:28.199 --> 00:05:30.899
libraries, and they put that around $4 billion

00:05:30.899 --> 00:05:33.839
a year. Which is a big number. But the truly

00:05:33.839 --> 00:05:36.139
staggering metric, the one that should make everyone

00:05:36.139 --> 00:05:39.259
sit up, is the demand side value. OK, so this

00:05:39.259 --> 00:05:41.519
is the value that the companies using the software

00:05:41.519 --> 00:05:43.839
get. This is the value they capture. So if you

00:05:43.839 --> 00:05:46.759
calculate what they would have had to pay for

00:05:46.759 --> 00:05:49.139
commercial licenses for their own internal R&D

00:05:49.139 --> 00:05:51.500
to replace all that open source, the value

00:05:51.500 --> 00:05:54.889
delivered is estimated at $8 trillion. $8 trillion.

00:05:55.230 --> 00:05:57.790
That single number just fundamentally changes

00:05:57.790 --> 00:06:00.649
how you have to think about OSS. It's not a free

00:06:00.649 --> 00:06:03.410
gift. It's a foundational piece of the entire

00:06:03.410 --> 00:06:06.209
global economy. And that study had another key

00:06:06.209 --> 00:06:08.689
finding. Large companies would have to spend

00:06:08.689 --> 00:06:11.290
three and a half times more on their software

00:06:11.290 --> 00:06:13.649
development if open source suddenly disappeared.

00:06:13.990 --> 00:06:16.350
Yeah. That's the sheer scale of the leverage

00:06:16.350 --> 00:06:18.170
and productivity we're talking about. Here's

00:06:18.170 --> 00:06:21.189
where it gets really interesting because beyond

00:06:21.189 --> 00:06:24.509
just saving money, there are six key strategic

00:06:24.509 --> 00:06:28.230
reasons for companies to adopt OSS. This is about

00:06:28.230 --> 00:06:30.629
competitive advantage. And the first one is fundamental:

00:06:31.420 --> 00:06:33.939
transparency and trust. Because the code is all

00:06:33.939 --> 00:06:37.139
out in the open if you're, say, a major bank

00:06:37.139 --> 00:06:39.579
or a critical infrastructure operator, you have

00:06:39.579 --> 00:06:41.579
the ability to audit and inspect the code running

00:06:41.579 --> 00:06:43.579
on your most vital systems. You can actually

00:06:43.579 --> 00:06:45.699
check it yourself. You can verify its integrity

00:06:45.699 --> 00:06:48.300
yourself, which means you can make a truly informed

00:06:48.300 --> 00:06:50.060
decision about whether or not to trust it. And

00:06:50.060 --> 00:06:53.100
number two, it massively boosts productivity

00:06:53.100 --> 00:06:56.569
and interoperability. It does, because OSS is

00:06:56.569 --> 00:06:59.230
almost always built on open standards. It just

00:06:59.230 --> 00:07:01.670
naturally promotes interoperability, which is

00:07:01.670 --> 00:07:04.329
the exact opposite of getting locked into one

00:07:04.329 --> 00:07:07.069
specific vendor. Let's dig into that vendor lock-in

00:07:07.069 --> 00:07:10.129
a bit more, which is reason four. With proprietary

00:07:10.129 --> 00:07:12.629
software, you often hear about the friction of

00:07:12.629 --> 00:07:15.829
an MSA. For our listeners, what's an MSA here,

00:07:15.829 --> 00:07:18.189
and how does open source get around that? So

00:07:18.189 --> 00:07:20.910
an MSA is a master service agreement. It's this

00:07:21.259 --> 00:07:24.540
huge legal contract you sign with a proprietary

00:07:24.540 --> 00:07:27.500
vendor. It defines everything, support, pricing,

00:07:27.819 --> 00:07:30.819
usage terms, and critically, how hard and expensive

00:07:30.819 --> 00:07:32.939
it is to leave them. The switching costs are

00:07:32.939 --> 00:07:35.279
huge. Immense. The legal and financial hurdles

00:07:35.279 --> 00:07:38.060
to pivot away are just massive. OSS completely

00:07:38.060 --> 00:07:40.420
bypasses all that legal friction. So if I'm using

00:07:40.420 --> 00:07:42.079
an open source graphing library and it's not

00:07:42.079 --> 00:07:44.399
working for me anymore, I can just swap it out

00:07:44.399 --> 00:07:46.220
for another one tomorrow morning without months

00:07:46.220 --> 00:07:48.980
of renegotiating contracts. Exactly. No penalty

00:07:48.980 --> 00:07:51.860
fees, no lawyers. That flexibility is a massive

00:07:51.860 --> 00:07:54.360
strategic advantage. Then there's number three,

00:07:54.620 --> 00:07:57.939
open collaboration. This one is fascinating.

00:07:58.459 --> 00:08:00.720
You see developers from companies that are direct

00:08:00.720 --> 00:08:04.139
market rivals. Think competing cloud providers,

00:08:04.139 --> 00:08:06.819
all working together on core projects that push

00:08:06.819 --> 00:08:09.519
innovation forward for the entire world. It's

00:08:09.519 --> 00:08:11.800
an incredible engine for progress. And moving

00:08:11.800 --> 00:08:14.680
to number five, it's often the fastest way to

00:08:14.680 --> 00:08:16.899
get your hands on emerging technologies. That's

00:08:16.899 --> 00:08:19.149
right. When a hardware company like Intel or

00:08:19.149 --> 00:08:21.949
AMD creates some new cutting edge capability,

00:08:22.110 --> 00:08:25.050
let's say in confidential computing, the very

00:08:25.050 --> 00:08:27.310
first libraries and code showing how to use it

00:08:27.310 --> 00:08:29.509
are often released straight into the open source

00:08:29.509 --> 00:08:32.450
community. It allows for super rapid experimentation

00:08:32.450 --> 00:08:34.769
long before the polished proprietary tools are

00:08:34.769 --> 00:08:36.870
even ready. And then finally, number six, the

00:08:36.870 --> 00:08:39.389
obvious one, cost reduction. The software is

00:08:39.389 --> 00:08:41.629
free to download and use, which is a powerful

00:08:41.629 --> 00:08:44.730
alternative to expensive proprietary tools. But.

00:08:44.970 --> 00:08:47.110
And this is the crucial pivot point of our whole

00:08:47.110 --> 00:08:50.669
conversation. This brings us to responsible consumption.

00:08:51.509 --> 00:08:53.769
Just because the code is free and available,

00:08:54.169 --> 00:08:56.129
it doesn't mean it's good. It doesn't mean it's

00:08:56.129 --> 00:09:00.169
robust or secure. Not all open source is created

00:09:00.169 --> 00:09:02.590
equal. And not all of it is enterprise grade.

00:09:02.789 --> 00:09:04.870
Not at all. So we should probably define that

00:09:04.870 --> 00:09:07.470
term. If I'm making a strategic decision, what

00:09:07.470 --> 00:09:10.870
makes a piece of OSS enterprise grade versus,

00:09:10.870 --> 00:09:12.649
you know, just something a hobbyist built in

00:09:12.649 --> 00:09:15.059
their garage? Enterprise grade means it comes

00:09:15.059 --> 00:09:17.200
with the kind of features and institutional support

00:09:17.200 --> 00:09:19.799
you'd expect from proprietary software. So you're

00:09:19.799 --> 00:09:21.779
looking for things like engineering help and

00:09:21.779 --> 00:09:24.879
support, documented and timely security patching,

00:09:25.100 --> 00:09:27.299
a mature feature roadmap with clear timelines,

00:09:28.059 --> 00:09:30.320
and this is maybe the most important, guaranteed

00:09:30.320 --> 00:09:33.759
long-term support, or LTS. LTS. So that means

00:09:33.759 --> 00:09:36.740
they'll keep it updated for what? Often five,

00:09:36.740 --> 00:09:39.100
10, even more years. It's a promise of stability

00:09:39.100 --> 00:09:41.950
and access to updates. Okay, so if a company

00:09:41.950 --> 00:09:44.990
hasn't formalized a strategy for this yet, they're

00:09:44.990 --> 00:09:48.529
basically using a critical $8 trillion piece

00:09:48.529 --> 00:09:50.970
of their supply chain without assessing their

00:09:50.970 --> 00:09:54.190
risk. Let's give our listeners the key risk assessment

00:09:54.190 --> 00:09:56.669
questions they need to be asking. The first question

00:09:56.669 --> 00:09:59.639
is purely operational. What are our support requirements?

00:10:00.440 --> 00:10:02.659
If you're using this code in a core business

00:10:02.659 --> 00:10:04.480
function, something that absolutely cannot go

00:10:04.480 --> 00:10:07.860
down, you need enterprise-level support SLAs

00:10:07.860 --> 00:10:11.120
and guaranteed patches. But if it's for an internal

00:10:11.120 --> 00:10:13.639
R&D project? Then you might favor innovation.

00:10:13.759 --> 00:10:15.320
That would be perfectly fine with a community

00:10:15.320 --> 00:10:17.639
best effort model. And that kind of dictates

00:10:17.639 --> 00:10:20.139
the whole stability versus cutting edge trade-off.

00:10:20.139 --> 00:10:22.039
You might use the newest library on a dev

00:10:22.039 --> 00:10:24.200
board, but when that product ships, you have

00:10:24.200 --> 00:10:26.580
to prioritize stability. Exactly. And that leads

00:10:26.580 --> 00:10:29.240
directly into the highest risk area of all, which

00:10:29.240 --> 00:10:32.740
is licensing. The third question has to be, what

00:10:32.740 --> 00:10:35.220
type of license are you OK with, and are you

00:10:35.220 --> 00:10:37.649
100% certain you are using it correctly? This

00:10:37.649 --> 00:10:39.610
is where the legal risk gets really intense.

00:10:39.750 --> 00:10:41.649
I know there are dozens of licenses, but maybe

00:10:41.649 --> 00:10:43.629
we can talk about the two big families and the

00:10:43.629 --> 00:10:47.029
danger one of them poses. Absolutely. So on one

00:10:47.029 --> 00:10:49.490
side, you have permissive licenses, things like

00:10:49.490 --> 00:10:52.929
MIT or Apache 2.0. These are generally pretty

00:10:52.929 --> 00:10:55.570
safe for commercial users. They let you use the

00:10:55.570 --> 00:10:58.250
code in your proprietary product without forcing

00:10:58.250 --> 00:11:00.210
you to open source your own work. But then there's

00:11:00.210 --> 00:11:03.789
the other category, the one that creates a significant

00:11:03.789 --> 00:11:05.809
risk for companies that want to keep their own

00:11:05.809 --> 00:11:08.529
code secret. That's the copyleft license family.

00:11:08.850 --> 00:11:11.409
The most famous one is the GPL, the general public

00:11:11.409 --> 00:11:14.350
license. Copyleft licenses are often called viral.

00:11:14.870 --> 00:11:16.409
They have a condition that says if you create

00:11:16.409 --> 00:11:19.029
a derivative work from this code and then you

00:11:19.029 --> 00:11:21.309
distribute it, you might be legally obligated

00:11:21.309 --> 00:11:23.669
to release the source code of your entire derivative

00:11:23.669 --> 00:11:25.629
work. Including your own proprietary code that

00:11:25.629 --> 00:11:28.399
you mixed with it. Yes, all under that same open

00:11:28.399 --> 00:11:31.019
source license. So if you use a copyleft library

00:11:31.019 --> 00:11:33.360
the wrong way, you could be legally forced to

00:11:33.360 --> 00:11:35.639
open source your company's secret sauce. The

00:11:35.639 --> 00:11:38.299
very thing you plan to sell. That's a commercial

00:11:38.299 --> 00:11:41.519
catastrophe. Yeah. It is the single biggest legal

00:11:41.519 --> 00:11:45.080
risk in this whole space. The math flips entirely

00:11:45.080 --> 00:11:47.720
when your free library suddenly means you have

00:11:47.720 --> 00:11:50.399
to give away your core IP. You absolutely must

00:11:50.399 --> 00:11:52.720
have your legal team involved to understand the

00:11:52.720 --> 00:11:55.940
precise boundaries of what derived work and distribution

00:11:55.940 --> 00:11:58.500
mean under these licenses. And then there's that

00:11:58.500 --> 00:12:00.960
other risk we touched on, the operational one,

00:12:01.080 --> 00:12:03.179
the abandoned library. Yeah, you build your product,

00:12:03.279 --> 00:12:05.460
the one you're promising to support for 12 years

00:12:05.460 --> 00:12:08.700
on this great piece of OSS. But three years in,

00:12:08.980 --> 00:12:11.700
the main developer gets a new job, moves on,

00:12:11.840 --> 00:12:15.000
and crickets, the project just dies. What happens

00:12:15.000 --> 00:12:16.799
then? Well, now you have a critical dependency

00:12:16.799 --> 00:12:19.299
that's not getting any new features and much

00:12:19.299 --> 00:12:21.940
worse, no security patches. So you either have

00:12:21.940 --> 00:12:24.220
to take on the maintenance burden yourself, basically

00:12:24.220 --> 00:12:27.159
funding the project internally, or you have to

00:12:27.159 --> 00:12:29.600
scramble to re-engineer your product with a

00:12:29.600 --> 00:12:32.440
different supported library. It's a huge, tangible

00:12:32.440 --> 00:12:34.879
risk. Okay, so we've laid out the need and the

00:12:34.879 --> 00:12:37.440
risks. Let's get to the action. What are the

00:12:37.440 --> 00:12:39.279
concrete steps a leader should take to start

00:12:39.279 --> 00:12:41.779
moving toward responsible adoption? The single

00:12:41.779 --> 00:12:44.200
most important first step is creating an internal,

00:12:44.500 --> 00:12:46.779
formalized, open source strategy and policy.

00:12:47.600 --> 00:12:50.080
Every single company that develops software needs

00:12:50.080 --> 00:12:53.629
one, and it can't be ambiguous. So what are the,

00:12:53.629 --> 00:12:56.169
say, three non-negotiable things that policy

00:12:56.169 --> 00:12:58.929
has to lay out? First, acceptable license types.

00:12:59.610 --> 00:13:02.009
It has to clearly state if copyleft licenses

00:13:02.009 --> 00:13:04.789
are ever allowed, and if so, only in very specific

00:13:04.789 --> 00:13:08.070
cases, like internal only tools, never in a customer

00:13:08.070 --> 00:13:11.379
product. Second, acceptable use cases. Can we

00:13:11.379 --> 00:13:13.960
use this for R&D prototyping or only for final

00:13:13.960 --> 00:13:16.659
products? And third, required support levels.

00:13:17.080 --> 00:13:19.299
When is enterprise support mandatory and when

00:13:19.299 --> 00:13:22.000
is community best effort okay? And I assume you

00:13:22.000 --> 00:13:23.980
absolutely have to bring your legal team in to

00:13:23.980 --> 00:13:25.899
create this. That is mandatory due diligence,

00:13:26.100 --> 00:13:28.440
yes. Your lawyers need to sign off on the acceptable

00:13:28.440 --> 00:13:30.259
license list and what it means for your specific

00:13:30.259 --> 00:13:32.299
business model. And for anyone listening who

00:13:32.299 --> 00:13:34.840
wants a good template, you suggested maybe a

00:13:34.840 --> 00:13:36.960
surprising source. Yeah, look at the public sector.

00:13:37.240 --> 00:13:39.399
The U.S. Center for Medicare and Medicaid Services,

00:13:39.840 --> 00:13:43.620
CMS, developed this incredibly intentional and

00:13:43.620 --> 00:13:46.720
public open source strategy. They detail exactly

00:13:46.720 --> 00:13:50.240
which licenses and in what situations their organization

00:13:50.240 --> 00:13:53.759
can use OSS. It is an excellent structured template

00:13:53.759 --> 00:13:55.799
for how to do this right. OK, so to put this

00:13:55.799 --> 00:13:57.919
into practice today, we've got three immediate

00:13:57.919 --> 00:14:00.120
action items for our listeners. The first, you

00:14:00.120 --> 00:14:02.879
have to identify where you're already using open

00:14:02.879 --> 00:14:04.679
source. Because if you don't have a policy, I

00:14:04.679 --> 00:14:07.820
guarantee you're using it. So mandate the use

00:14:07.820 --> 00:14:10.940
of software composition analysis (SCA) tools. Get

00:14:10.940 --> 00:14:13.519
a detailed inventory of every single open source

00:14:13.519 --> 00:14:15.519
component and its license in your infrastructure

00:14:15.519 --> 00:14:17.879
and products. You need to know your exposure

00:14:17.879 --> 00:14:20.740
right now. Second, start looking for new opportunities

00:14:20.740 --> 00:14:23.120
where using OSS gives you the biggest bang for

00:14:23.120 --> 00:14:24.840
your buck, whether that's cost savings driving

00:14:24.840 --> 00:14:27.279
innovation or just reducing that future vendor

00:14:27.279 --> 00:14:30.100
lock-in risk. And third, establish that formal

00:14:30.100 --> 00:14:32.600
policy we just talked about. Be intentional.

00:14:33.120 --> 00:14:35.899
Use that policy to guide your path to a truly

00:14:35.899 --> 00:14:38.440
responsible and sustainable adoption model. So

00:14:38.440 --> 00:14:41.179
we started this by calling open source free code

00:14:41.179 --> 00:14:44.259
and we've landed on a multi-trillion dollar industry

00:14:44.259 --> 00:14:47.019
that is the engine of modern technology, an engine

00:14:47.019 --> 00:14:50.200
that requires serious, sophisticated strategic

00:14:50.200 --> 00:14:53.220
management. The freedom and transparency it offers

00:14:53.220 --> 00:14:55.980
are, well, they're invaluable, but that intentional

00:14:55.980 --> 00:14:58.139
due diligence around licensing and support is

00:14:58.139 --> 00:15:00.179
the only way to protect your own interests while

00:15:00.179 --> 00:15:02.519
still benefiting from this incredible global

00:15:02.519 --> 00:15:04.659
innovation. So what does this all mean? Well,

00:15:04.659 --> 00:15:06.759
we established that the demand side value, the

00:15:06.759 --> 00:15:08.750
value captured by commercial companies using

00:15:08.750 --> 00:15:12.090
open source is about $8 trillion a year. And

00:15:12.090 --> 00:15:14.230
yet, the developers and communities creating

00:15:14.230 --> 00:15:16.529
that fundamental software often struggle for

00:15:16.529 --> 00:15:18.690
sustainable funding. So here's the thought I'd

00:15:18.690 --> 00:15:21.009
leave you with. Given the immense financial value

00:15:21.009 --> 00:15:22.990
and leverage these major corporations are getting,

00:15:23.429 --> 00:15:25.929
what is the ultimate ethical and maybe even long-term

00:15:25.929 --> 00:15:28.690
business responsibility of those consumers

00:15:28.690 --> 00:15:30.929
to ensure the sustainable funding, the continuous

00:15:30.929 --> 00:15:33.409
security, and the vibrant community activity

00:15:33.409 --> 00:15:35.570
of the very open source projects they are completely

00:15:35.570 --> 00:15:38.710
dependent on for their own profitability? That's

00:15:38.710 --> 00:15:41.029
the strategic challenge worth exploring long

00:15:41.029 --> 00:15:42.450
after this deep dive is over.
