Open Source is Critical Infrastructure


In this episode of the Open at Intel podcast, host Katherine Druckman chats with Luis Villa, co-founder and general counsel at Tidelift, about everything from supporting open source maintainers to coding with AI. Luis, a former programmer turned attorney, shares stories from his early days of discovering Linux and his contributions to various projects and organizations, including Mozilla and Wikipedia. Katherine and Luis discuss the critical importance of open source software, the challenges faced by maintainers—including burnout—and how Tidelift works toward compensating maintainers. The conversation also explores broader themes about the sustainability of open source projects, the impact of AI on code generation and legal concerns, and the need for a more structured and community-driven approach to long-term project maintenance. 

“We need to be thinking about how we build systems that are generationally robust; that will last for 30, 40, 50, a hundred years, and just finding the next maintainer is not that solution. That's a stopgap measure toward building systems and organizations that can be more robust.”

— Luis Villa, co-founder of Tidelift 

 

Katherine Druckman: Hey, Luis Villa from Tidelift. Thank you for joining me. I really appreciate it. Just a spoiler alert, we're going to have a really good conversation because Luis is a long-time open source contributor, and he's seen some stuff, and he has a lot of really good stories. I know this because I've heard some of them, but I look forward to hearing more. So, thank you. And would you please introduce yourself just a little bit? 

Luis Villa: It turns out the way you get good stories is by bouncing around all over open source for a very long time. I'm the co-founder of Tidelift, and as Katherine said, I'm a former programmer turned attorney. I was a comp sci, poly sci double major in the late 90s, and a guy in my dorm had what looked to be a non-working computer. 

There was a little prompt in the upper corner. I'm like, "Oh, no, dude. What happened to your computer?" He’s like, "I installed Linux, it's this operating system made by a bunch of guys on the internet." And I was like, "Whoa, what does it do?" "Well, I can't get it to do anything. I think I'm reinstalling Windows." 

But that planted the seed, and since then I've worked on open source. I was at Lego Robotics, and at Ximian, which was a GNOME startup in the first year of Linux desktop. Went to law school. Since then, I've worked at Mozilla, at Wikipedia, helped represent Google in the Google, Oracle, Java API lawsuits, and in the past seven years have been working at Tidelift, trying to make sure that we can get maintainers paid for the increasingly critical infrastructure work that they do. 

Along the way, I also served on boards of the GNOME Foundation, the Open Source Initiative, and now Creative Commons. It's been a fun ride. 

Challenges in Open Source Sustainability

Katherine Druckman: See, I told you all this was a good story. I wanted to back up and talk a little bit about how we were introduced. So, we were introduced because I've been having this conversation with a lot of people lately about the topic of maintainer burnout. Because it is real, and you said something about the critical infrastructure that is open source software. 

The entire world runs on open source software. And to quote our mutual friend, Jorge Castro, which I do over and over again, and people are probably sick of me, but that's fine because it's a great quote. He says, "If Linux went away tomorrow, there would be zombies." And I think it's true.  

It's such a funny little observation, but it's really true. Everything in the world runs on open source software. There's open source software underlying everything that we do — the way that we communicate, our infrastructure, the way that we travel. I mean, hello, travel disruption, so this is really critical stuff. I feel like we can't overstate the importance of supporting the people that keep it going. 

Anyway, that was just my little spiel as to how we got introduced. But I wondered if you could tell us a little bit more about how Tidelift came about in response to all the things that I just rambled on about. 

Luis Villa: Yeah. Well, it's easy to ramble on about it because it is so huge and it's so explosive. I think you have to go back almost to the dawn of the car or the printing press to see a 25-year span where, not just a technology, but a method of creating and producing that technology, has been revolutionized so thoroughly, and yet at the same time, we're all fish in the water that we swim in. It's actually sometimes hard to talk about. We don't yet have the vocabulary. In less than the span of one normal adult career we went from, this was literally a thing we did in dorm rooms? 

Katherine Druckman: Yes. 

Luis Villa: We went from smuggled around floppy disks to, "No, no, no, you don't understand the entire world economy is based on this." Because you're not exaggerating at all. 

Katherine Druckman: I know. Also, beyond just the world. There's open source software in space, so throwing that out there. 

Luis Villa: I'm sure it's under the sea, it's in mining equipment, it's in all of it, from the smallest to the utterly largest infrastructure things that you can imagine. And that's simultaneously super cool. If you told me 25 years ago that, "When you think that open source is going to win, brace yourself, no, it's really, really going to win." 

I think, probably naively, I would have assumed if you told me that 25 years ago, the idea that it would take over the world economy, but we would not simultaneously figure out how to make this economically sustainable for the people doing it, I think I would have assumed that if you could resuscitate 25-year-old me as one of Jorge's zombies, you'd ask me, and I'd say, "Oh, but of course, we've also figured out how to pay everybody. Right, right?" Amidala meme. 

And we haven't. Don't get me wrong. I sometimes refer to this as the least depressed working class in history because the people who have the skills to be top-notch open source maintainers have the skills and the resumes to get a lot of very good jobs at a lot of very different places. 

You have a pile of opportunities. We don't have it too bad; we can't complain too much. But at the same time, it is very weird that open source powers all this stuff, and we have incredibly elaborate systems in our societies to pay for highways and airports. And all those things are clunky. They're not perfect. If you're a Californian, we can talk. 

Tidelift's Role in Supporting Maintainers

Luis Villa: All Californians can now talk in great detail about the electrical grid and how screwed up our maintenance of the electrical grid is. But nevertheless, there are sophisticated mechanisms for doing this. And if you look at open source, which, as Jorge says, "If we took it all away tomorrow, it is not an exaggeration to say the economy would collapse," and yet there's very little government money. There's no systematic taxation or money seeking out those places where it's necessary. And so Tidelift is an attempt to help do that. We're a for-profit and our customers are large enterprises. We measure what software they're using, and we seek out the maintainers of those pieces of software. 

And we say, "Hey, we don't want to change the basic thing you're doing. The basic thing you're doing is great because companies are using it. The proof is in the pudding. It's already there, but they would like some better metadata. They'd like you to have SBOMs. They'd like you to have a security contact. They'd like you to get up to that last level of professionalism in a way that they know benefits them as enterprises. It's not more fun for you." 

They acknowledge that, and that's why they're willing to pay you to do it. Because I think a lot of this stuff, and not totally unreasonably, has been based on the idea that, "Well, look, maintainers did this for fun, let's just ask them to do one more thing." And at some point, you get the straw that broke the camel's back problems. 

You get maintainers who say, "What do you mean you want me to turn on two-factor authentication for my 150 projects? Forget it. I'm done." And they walk away. 

Or, as we all saw in the XZ stuff, "Hey, I'm tired. I'm burnt out. Sure, you want to help out, random…" 

Katherine Druckman: "Here are the keys—" 

Luis Villa: "... actor person." And you can't and you shouldn't blame these volunteers who did this. They didn't sign up to be a piece of the supply chain, but they are. I get why people push back and they say, "I'm not part of the supply chain." 

It's like, "Well, you might not like being part of the supply chain, you might not have volunteered for that, you might not have signed up for that, but the reality for the people who are using it is you are very much part of the supply chain. And it's time for them to start acting like that and paying you like you're part of the supply chain." 

So, that's where Tidelift comes in. We essentially help large companies make that supply chain more robust by using good old-fashioned capitalism. Look, I have a political philosophy degree. I've read my Marx. I've read all my good old anti-state stuff, but we live in a society where money is required to pay for health insurance, pay for food, and to find time, more than anything else. So, at Tidelift, we think that money is not the entire solution, but it sure doesn't hurt. 

Katherine Druckman: I feel like there are concurrent things happening. While open source is exploding, you have so many of these effectively volunteer-led projects that people rely on, that have one maintainer or two maintainers, and not this massive support system. But at the same time, you have foundations, and you have corporate-sponsored open source projects. 

Take the CNCF, for example, Kubernetes. I'm not worried that that's going anywhere. It’s a well-oiled machine, with tons of contributions and a fantastic governance structure. These two things have happened at the same time, but within any given stack, you can find software at all different support levels. 

You can find things that are incredibly well-supported, but somewhere on the dependency tree, you're also using something that's maybe maintained by the one guy in Nebraska in the XKCD cartoon. So, that's interesting to me. It's a weird mix. 

Luis Villa: Our customers use on average, depending on how you count and various ways of looking at this problem, between four and 5,000 open source packages. And that's okay. That's not the CTO's job to read all the SBOMs and find out what those four to 5,000 are, but there is fundamentally a mismatch there in terms of attention. 

And honestly, this is not a critique of CNCF specifically, but I think the past few years have been a reminder that if the value's not really in the face of the people writing the checks, money can go away real quick. The idea that CNCF is a bulwark that's just always going to be there, I think is actually a dangerous assumption. To give credit where credit is due, the Linux Foundation does a lot of work to translate the abstract value of these big orgs like CNCF into something that check writers at the big corporate sponsors can understand. And if, for some reason, that pipeline breaks down, as we saw with a lot of OSPOs getting axed in the last round of corporate cutting over the past two, three years post-COVID, I don't think we should necessarily take for granted that even these big organizations are permanent. 

This funding and interest ebbs and flows, and it's different for different parts of the stack. I think one of the interesting things that we're all going to have to figure out in upcoming years is how we think about these intermediate parts of the stack. We're doing our thing at Tidelift. 

The fine folks at the Sovereign Tech Fund in Germany are experimenting with more grant-driven projects. Rockefeller and Ford have done interesting work, but we need to be thinking about it. I've obviously been thinking and talking about this stuff for a while. Let me tell you what has changed for me in the past year. 

We've been talking about infrastructure as an analogy since Nadia Eghbal wrote Roads and Bridges. Even before that, we planned for those kinds of things to be long-term projects that could be handed off across organizations. And in open source, we just take for granted, as you were saying, Katherine, that "Many of these thousands of projects are just held together by one person." 

And we've talked a lot for years about, "Oh, how do we find the next maintainer?" I increasingly think that the focus on "the next maintainer" is not the right one. Because these things are going to be in deep space for dozens of years. They're going to be in embedded systems for dozens, hundreds of years. We're not like LibSci or OpenSSL. These are going to be with us well into the sci-fi era. They're going to be in the next space station.  

We need to be thinking about how we build systems that are generationally robust; that will last for 30, 40, 50, a hundred years, and just finding the next maintainer is not that solution. That's a stopgap measure toward building systems and organizations that can be more robust. That's one of the things we're thinking about at Tidelift, because we've been seeing this come up. 

There might be several hundred Python maintainers near each other in a stack. How do we get them talking to each other so that they see themselves as a collective? In the very long run for Tidelift, if we're a hub and spoke system taking in money and just pushing it out to individual Python maintainers, as opposed to getting those Python maintainers working with each other, that's a failure for us. We need to figure out how to get those folks to be deeply in the community and deeply systematizing their work. 

Forget the long term. Forget a hundred years, next month, they want to go on vacation. Right now, literally, most maintainers cannot go on vacation. Or you worry that you end up being the XZ guy who went off on a hike and came back and was like- 

Katherine Druckman: "Oh no." 

Luis Villa: "What happened?" The entire world fell apart. 

Katherine Druckman: I'm really glad you said that because I say this a lot too. I think that cross-pollination among projects and any group of developers and maintainers with mutual interest is so important for this sustainability conversation, and I don't mean that in the environmental sense, but the sustainability of this ecosystem and the sustainability of the projects. 

I completely get your scary observation about foundation-driven projects. It goes back to the original conversation. If the people who are ultimately profiting from these things do not support their creation and maintenance, they fall apart. And you can say that at any level. It can be down to a single maintainer and all the way up to a giant foundation with massive governance and support. 

I think a big part of this conversation about solving some of the critical problems in our community is cross-pollination, getting people to talk to each other. There are so many people working on different solutions for similar problems, and I get that everybody thinks that their solution is the best. But the entire spirit of open source is getting together and collaboratively solving the problems. And I feel like, have we lost a little bit of that? 

Luis Villa: I don't know if we've lost it necessarily, but I remember reading in my dorm room about the meeting where the phrase "open source" was coined. They got together like 20 or 30 people, and that was everybody who mattered. It was like Linus and Larry Wall, because he was the Perl guy, and I don't remember if we know if Guido was there. That might've been too early for Guido, who was the Python guy. 

Katherine Druckman: He was on the cover of a Linux Journal way back in the day. 

Luis Villa: Way back in the day. And that was the thing: you could get everybody that mattered together in one room, and now you can't get everybody together in one conference center or one football stadium. 

Katherine Druckman: That's a good thing. More people matter, and hey, women are allowed at the table now. It's cool. 

Luis Villa: Non-Americans, non-Europeans are allowed at the table now. 

Katherine Druckman: Great. 

Luis Villa: I don't remember if it was my friend who said, "There are guys on the internet putting together an operating system."

Katherine Druckman: That's true. It was accurate. 

Luis Villa: We're in a much better place now. But it's different. Look, we are victims of our own success in some ways. I wish more of the older generation would internalize a little bit that we don't get to just sit there and wag our fingers and say, "Well, that's not open source." 

When the number of people involved has gone up by three, four orders of magnitude, you have to re-educate. It's just not enough to sit on your laurels, and that's hard work. It sucks. I wish we could just sit on our laurels, but that's not where we are. It's a great problem to have won, but it does lead to challenges. 

Katherine Druckman: I love it. I have a whole presentation that I start with, "We won. Now what?" Yay. 

Luis Villa: I think it is a great problem to have. I'm on the Creative Commons board these days and we're obviously grappling with AI and what it means for the commons to be scraped so intensively for AI. On the one hand, it's a very frustrating, complex problem. And on the other hand, it's a good opportunity to look back and say, "When Creative Commons started, it was not a given that the web would be a commons." 

Katherine Druckman: Is it a commons now? I don't know if it is. That's our debate. 

Luis Villa: Well, certainly, I think to some extent it was a commons, though in part through neglect because people didn't see how to monetize it. 

I was a co-author on a paper recently where they went back and used Internet Archive to look at terms of service for major websites that are being used in these corpuses for training. And you can see in just the past year all these terms of services changing—you can see the commons being enclosed in real time, because it's not like they wanted it to be scraped earlier. But it wasn't like you could add a term to your terms of service and suddenly a new money spigot would turn on. Now all of a sudden everybody thinks that's the case, and so everybody's adding these terms to their terms of service. 

So, I think it was a commons. Suddenly, we are building fences; we are building gates. We don't know if that's actually going to work. And I say we, not we in Creative Commons, but we as a tech industry, are building all those walls. We don't know if they're going to work, but we're sure going to try to build them. 

I think that's a sad moment. Your listeners may or may not have seen a couple of weeks ago that Reddit changed their robots.txt, so essentially, Google can scrape Reddit, and nobody else can.

Katherine Druckman: I missed that. That's wild. 

Luis Villa: And we took for granted that, of course, if Google could scrape it, Bing and Internet Archive, and whoever else also could. That's a very real building of a wall. I totally get why Reddit's doing it. I don't want to throw stones at them, but there was a brief moment where we could all just use it all, and now not so much. 

The Future of Open Source and AI

Katherine Druckman: Not so much. That's wild, oh gosh. I feel like we would need multiple episodes because there's so much more to talk about. I feel like this fits into the conversation about maintainers and developers and contributors. You mentioned AI and scraping, and since you have a law degree, I've got to ask what your thoughts are on AI-generated code and how it plays a role in this larger conversation. In a perfect world, these newer tools at our disposal make our lives easier. Perhaps they make it easier to write and maintain and update software, but how do the licensing concerns fit in when you're talking about AI-generated code? 

Luis Villa: I'm going to give the lawyerly answer of, "It's complicated." I think the cool/horrifying part is that this is different from what has come before, and lawyers aren't real good at dealing with technological change. By and large, we're not programmers. We have to reason by analogy, and the analogies in this space are tenuous, conflicting. They're hard. 

Even the most simplified ones are still very complicated. So, more than anything else, I try to counsel developers in this space that genuinely, we don't know. One court could latch onto one analogy, and that analogy could get repeated in a bunch of cases, and we don't know which analogy they’re going to latch onto. And that's going to make a huge difference. We don't know. 

The US and the EU look to be going in very different directions on some of this stuff, so we don't know how that's going to interact between different jurisdictions. There's a lot more uncertainty, which makes it, for a lawyer, super cool. I think a lot of this payment for content is very much a political move to help squelch some of that dissension. 

The last time around that we did this, the most comparable thing was Google Books or Google Image search, both of which generated a lot of litigation. At no point did Google say, "You know what? We should just pay all the book people." Google said, "We're going to have a bookstore. We will direct people to buy more of your books." And that was as far as they went in that direction. 

This time around the leverage is very different. The optics are very different. I keep telling people, "The letter of the law is the same." In some sense in the US, the answer to what should happen with AI is to read the Google Book search case. It's basically the same thing. You're scraping things, you're transforming them. That's it. 

But the thing is that judges understood and liked searching books. Judges are word nerds. It’s part of the job. So I understand the idea of, "Oh, yeah, well, they scanned it, and then they made it searchable, and they capped it at 30 pages. It's easy." 

The vibes were good, as we say these days. With AI, the vibes are bad, the comprehension is bad. 

Katherine Druckman: Code's already hard enough to understand. I mean, let's just call it what it is. Code I wrote myself, if I didn't write some really good comments, a month later, I might not know what it does. Let's be honest. 

Luis Villa: Oh, yeah. Putting aside the legal stuff, look, I last wrote useful code 20, 25 years ago, pre-ChatGPT, Claude, whatever I'm using this week, and I'm writing scripts to do stuff all the time now. It's useful. Would I want to build a startup that way? No. But is it making my life better by helping me pump out some little Python scripts to do little things? 

Katherine Druckman: I have done the same, I admit. 

Luis Villa: It's great. It was great. I think the interesting thing in terms of this whole discussion is I wonder if we're going to find out that code is actually the single best thing to use AI for. 

Katherine Druckman: Oh, that's interesting. 

Luis Villa: Because I have VCs coming to me, saying like, "Well, Copilot's awesome, and that's just generating text. Law is just generating text. Therefore, we're going to have AI for law any day now." 

Katherine Druckman: Oh, wow. I was about to say, "What's the worst?" And I think you already answered it. 

Luis Villa: Well, code is this weird Venn diagram of creativity and logic. It's like a sweet spot of logical structure and creativity and testability. If I want to validate a contract, there's no linting tool. The compiler costs a million dollars, and it costs a million dollars to run and takes several years. 

So, "Well, Copilot generated some bad code, and then I ran the compiler on it, and I realized it was bad, and I fixed it." Law doesn't have that equivalent. A lot of creative stuff, it doesn't even make sense to ask that question. I think a lot of VCs and C-level execs who have a programming background looked at Copilot and were like, "Holy shit, this is amazing," which is genuinely true, really genuinely amazing. 

Also, simultaneously, if you extrapolate from that to other fields, you're going to be in a world of hurt because it's just not good enough to generate something that looks like a contract. Is it actually a contract? Does it make any sense? 

Katherine Druckman: Not yet anyway. Certainly, not yet. 

Luis Villa: For law, at least. And this is not "Lawyers are so smart." It's just the thing we do is weird and validating it is hard, and I'm not sure we really can validate until we design genuinely new, more computable legal structures, and that's going to be the work of decades. 

Optimism and Human Element in Open Source 

Katherine Druckman: Interesting. I feel like I could take up your entire afternoon, and I don't want to do that, but I do want to ask you one last thing, and that is, what are you most optimistic right now about in the open source world? I think optimistic/excited, either one or both, ideally. 

Luis Villa: That's an interesting one. It is really easy to become cynical and embittered about all this. There are just so many cool people doing cool, positive, I-just-want-to-make-the-world-better kind of things. And I think it's important. 

I want to make sure we're going to get so much more government regulation. We're probably going to get some more tax-funded development. We're going to get a lot more big, big tech stuff. I want to make sure those small pieces have a place to flourish and grow. And the good news is there's a lot of them. There's so much fun, cool, nerdy stuff that's deeply human and humane, and figuring out how we nurture that... 

Part of why I'm so excited to be on the Creative Commons board right now is I get to talk to artists and poets, and the lines are blurring there, but they're just still out there being human, and it's awesome. And how we nurture that is going to be a great challenge to spend the back half of my career on, I think. 

Katherine Druckman: Awesome. I know, I love it. I think, well, one, open source people are the best people. I'm a little biased, but it's kind of true, and I think the most interesting conversations and the best part about all of what we do is the human part, in a weird way. As much as we're all nerdy and we love to spend time in our IDEs and hang out with our screens and our machines, the human part is the really great part. So, I appreciate that you said that.

Luis Villa: That is so true, Katherine, that it is even true of open lawyers. Part of why I genuinely enjoy open lawyers. 

Katherine Druckman: I know so many great open lawyers, as you say, they're the best lawyers, so that makes sense. The best people, therefore, the best lawyers. 

Luis Villa: To become an open lawyer, especially when the core of that culture formed, took a certain leap of faith: "This goes against everything I was taught in law school, but it seems awesome." The optimistic person who saw that and thought, "That's cool, I want to learn more about it," as opposed to, "This breaks everything I was taught in law school," self-selected for a bunch of very cool people, and that is weirdly just as true in lawyering as it is in all the other parts of open.

Conclusion and Final Thoughts

Katherine Druckman: Oh, fabulous. Well, thank you for joining me, number one. Thank you for the work you're doing. It's so important and thank you for being awesome. 

Luis Villa: Well, I mean, thank you for having me on. 

Katherine Druckman: I would love to do it again. 

Luis Villa: It was fun as always. Yeah, we'll definitely do it again. 

About the Guest

Luis Villa, Co-Founder and General Counsel at Tidelift 

Luis Villa is co-founder and general counsel at Tidelift. Previously he was a top open source lawyer advising clients, from Fortune 50 companies to leading startups, on product development, open source licensing, and other matters. Luis is also an experienced open source community leader with organizations like the Wikimedia Foundation, where he served as deputy general counsel and then led the Foundation’s community engagement team. Before the Wikimedia Foundation, he was with Greenberg Traurig, where he counseled clients such as Google on open source licenses and technology transactions, and Mozilla, where he led the revision of the Mozilla Public License. He has served on the boards at the Open Source Initiative and the GNOME Foundation, and been an invited expert on the Patents and Standards Interest Group of the World Wide Web Consortium and the Legal Working Group of OpenStreetMap. Luis holds a JD from Columbia Law School and studied political science and computer science at Duke University. 

About the Host

Katherine Druckman, Open Source Security Evangelist, Intel  

Katherine Druckman, an Intel open source security evangelist, hosts the podcasts Open at Intel, Reality 2.0, and FLOSS Weekly. A security and privacy advocate, software engineer, and former digital director of Linux Journal, she's a long-time champion of open source and open standards. She is a software engineer and content creator with over a decade of experience in engineering, content strategy, product management, user experience, and technology evangelism.