GitHub Satellite 2019 Berlin. The Social Code – It’s Just Dependencies All The Way Down and Up

The keynote at GitHub Satellite 2019 in Berlin last month was a model of crisp story-telling. The comms team did a bang up job. The opening narrative was engaging and emotionally powerful. It asked us to think about our place in the world, our role as collaborators, at a very deep level. It began, as some of the best stories do, at cosmic scale, with a black hole. Not just any black hole, but the black hole at the center of the Messier 87 galaxy.

Doctor Katie Bouman led the team that created the algorithm for Continuous High-resolution Image Reconstruction using Patch priors (CHIRP), and we were honored that she made an appearance at the event. It’s definitely worth watching the official video on that score.

GitHub’s keynote expressed the value of collaboration at scale, particularly the value of telemetry data based on this collaboration. It demonstrated the value of a hosted platform in allowing new approaches to software maintenance and management, for example search and replace (grep and replace) globally, even across different codebases in multiple repos. GitHub has been delivering new features at a furious pace recently, and is finally beginning to significantly leverage it’s incredible data assets based on instrumenting the work of software developers everywhere to create new products and services.  Key themes in the keynote were global interconnectedness, collaboration, sponsorship and security.

What Katie (and a global team) Did

As Doctor Katie Bouman made very clear in her presentation, science is collaborative. Scientific breakthroughs don’t happen in isolation. The image of the black hole was based on the work of scores of people. At a simple level, Bouman said:

“My role has been about combining techniques from astronomy and computer science”

Software isn’t just eating the world, it’s eating the universe. I had been told beforehand that Bouman would feature in the keynote, so I must admit that just for a moment when she appeared on screen I wished she’d been able to make it to Berlin in person. Then this happened.

Anupam Dagarsiriusdagar

The complete team who worked on to capture the first black hole picture on stage during natfriedman keynote at GitHubSatellite

View image on Twitter

233

1:25 PM – May 23, 2019

Twitter Ads info and privacy

34 people are talking about this

We met Andrew Chael, Dr Kazu Akiyama, Sara Issaoun, Dr Lindy Blackburn, Dr CK Chan and Dr Roman Gold. So cool!

Bouman also then thanked all the open source contributors whose work the team had used. GitHub had analysed its data, based on the projects used such as Numpy, to discover that 21,485 people had contributed to software projects that had been used to create the image of the black hole. It’s just contributors all the way down.

image above from this delightful Twitter thread by Tierney Cyren

GitHub had reached out to contributors who in some cases, until that point had no idea they had helped to underpin Chirp. I am pretty sure everyone in the Satellite crowd at that point felt like a small yet important part of a far far bigger whole. I did.

GitHub then announced two new features at this point playing to the contributor insights theme

Community contributors – a maintainer can get to know their extended team by looking at Insights in a repo, which will now provide a list of folks that have contributed to the project’s dependencies. Whose shoulders is the project standing on?

Dependent repositories – a feature which provides some signal about the popularity of a package. “Used by” indicates how many other packages rely on it.

Hygiene, Dependency, Currency

GitHub had made its point about planet scale collaboration. But with so many parties involved, the potential attack surface grows exponentially. That’s a whole new planet scale challenge. The next section of the keynote introduced Shanku Niyogi, GitHub SVP Product, and the key theme for him was security in an age of mass dependencies.

Security at the moment is frankly a bit of a mess. While the package management revolution with tools like NPM and Rubygems has made developers more productive, it also opens up worrying new attack vectors.

Yet another shoe dropped in November 2018 when event-stream a Node.js module with nearly 2M downloads a week was compromised. It was injected with malicious code programmed to steal bitcoins in wallet apps, after the project was taken over by a new maintainer (it was a social engineering attack). The vulnerability specifically targeted a bitcoin walled called Copay, but it could have been general purpose and far far worse. If it could have been worse than means someone will make it general purpose and try the same style of attack again and it will be worse. Our open source software supply chains are out of control. This was a failure of both governance and code.

One reason security is currently such as a mess is human factors, made more complicated by corporate factors. Folks often don’t want to publicly admit their code has a breach, so they can end up in a confrontational stance with people that identify potential breaches, as they look into it and fix the issue. Generally someone that identifies a breach will take it to the maintainer first but state of the art in Common Vulnerabilities and Exposures (CVE) is not good. Bounty programs can help align incentives but the industry needs to establish a standard set of common social and technical protocols to make the vulnerability disclosure discussion easier, with a trusted place to have that conversation.

With that in mind GitHub introduced a tool for maintainers to create security advisories (now in beta), which could begin to shape a standard format over time. Importantly this tool also creates a private space to bring together researchers, maintainers, developers, and security teams before publishing.