On the latest episode of the Open at Intel podcast, host Katherine Druckman is joined by Nithya Ruff, the head of Amazon’s* Open Source Program Office (OSPO). The two discuss how to make the business case for large companies to invest in open source communities and upstream code, the role of OSPOs in improving collective security posture, and what the future of AI looks like for the open source world.
This conversation has been edited and condensed for brevity and clarity.
Katherine Druckman: Please introduce yourself. How do you see your role as a steward of your team and as the person who oversees the way your company gives back to the larger open source community?
Nithya Ruff: I’m the director of the OSPO at Amazon. People tend to think of just AWS*, but we serve all of Amazon. Almost since the beginning of the company, Amazon has built our infrastructure, products, and services on open source, and our customers choose to use our open source platforms for their projects.
My job is threefold. One is to make it easy for Amazon developers and builders to work with open source. We guide them as they navigate compliance, engaging with the community, and on the norms of open source. We also advocate on behalf of open source to help shape government regulations and policy. The second is to make our platform friendly for customers, helping them find the best open source projects as a service hosted on the platform and also making it easy to use from a development perspective. The third is to be a good citizen of the open source community. When you consume open source, you need to own it. Ownership to me means you’re involved in the community, you’re upstreaming changes, you’re making the community better. You can’t just consume open source; you need to leave the community better than you found it.
Katherine Druckman: What does being a good citizen mean to you, especially at such a large organization?
Nithya Ruff: First, you must consume open source wisely. You have to know how to safely bring open source into the company, managing aspects like security, community health, and licenses. Second, you have to understand the responsibilities that come with open source projects. Take ownership of vulnerabilities and changes, especially in the case of big dependencies. Third, be respectful of the open source community. Don’t assume authority as a big company, but come in with the same humility as any other contributor. Understand how to work in harmony with the community. For example, when you’re socializing a change that you want to make, make sure it’s in alignment with where the community is going. Even more importantly, companies working at the scale and production level of Amazon have many valuable lessons to share. It’s important to give back to the community in the form of improved processes or standards that we should adopt upstream, which will then help everyone downstream.
Deciding How Much to Invest in Open Source
Katherine Druckman: In the current climate, many companies are facing tough decisions about resources. I wonder how that’s impacted the way you view things, such as upstream contribution or paying people to write code for open source projects. How have you had to reprioritize and focus on what’s most valuable while still maintaining respect for the community?
Nithya Ruff: Businesses need to justify why they should continue setting aside resources to contribute upstream. My team looks at it through the lens of business continuity. If you have a dependency that’s important to your product or service, you need to set aside resources to work with that community, or else the open source project could go away and so could your product or service that customers have come to rely on. It’s important to listen to what your customers want. Our customers want us to be experts in our services, and they want us to make sure that upstream is running well so our services can run well. Tying it to business outcomes can help make the case for prioritizing resources for upstream work. You have to put it in terms of business value; you can’t use community language and say that it’s the right thing to do or that you want to be a good community partner.
Another tactic is to rank all of your company’s critical dependencies and put them in tiers. Make sure you have a good ownership plan inside the company for the top 50—assign a team or a group to work with the community and ensure you’re giving back. Then try to find a less costly way to support the other components, like donating to their foundations or working with groups like Tidelift* that provide subscriptions to help maintain components. We also give money to GitHub* Sponsors to support components.
Katherine Druckman: Similar to upstream code, companies are having to be very focused on how they contribute to communities. As companies direct their resources, what areas are most valuable?
Nithya Ruff: I focus on governance. How can I participate at the governing board level to direct the project or foundation in the right way? For example, as a member of the Linux Foundation* (LF) board, I get to understand what projects we accept, how we spend our money, and which programs and problems we take on. One of the areas we focus our energy on is educating policymakers. In the last five or six years, the government has been very interested in open source because of security and AI. Policymakers have so many things that they have to care for on their agenda, everything from school and hunger to wars in the Middle East and technology. They can’t keep up with everything. The LF is helping policymakers understand how open source works and in what areas the public and private spaces should work together.
Another big focus is how we make room for open source in AI, because the artifacts of AI are so different from software code. We need to work with organizations like the Open Source Initiative* to establish standardized definitions of what AI components mean—what is an open dataset, what is an open model, what are open weights? We need shared definitions so that we can work with confidence like we do with licenses today. My team is very involved in ensuring that the projects we depend on are cared for and secure and making sure Amazon is showing up for the communities. We want communities to know we’re not just consumers of open source; we’re owners and we’re deeply involved.
Katherine Druckman: I’m happy you mentioned security and AI. To me, those are the most important conversations in the open source world right now. How do you see the role of an OSPO in security?
Nithya Ruff: Security has been slowly creeping up on the OSPO, and it’s been front and center for the last few years. It used to be that there were three separate groups: security organizations, the OSPO, and our group called Builder Tools*, which provides workflows and pipelines to help developers build and deploy applications. These organizations didn’t really talk to each other, but open source security has brought us together in a big way. To me, the role of an OSPO is to educate on how open source security works, how continuous vetting (CV) reporting is done, how upstream communities work in terms of sharing CVs and vulnerabilities. But OSPOs also work with foundations such as OpenSSF* to create standards, frameworks, education, and scorecards for security. We can’t touch all the thousands of projects out there, but hopefully through OpenSSF we can create standards for open source producers to use.
The other piece has been working with Builder Tools and our development tool teams to build in proper curation of software from the perspective of security, licenses, and code health, and making sure that we’re capable of creating software bills of materials (SBOMs) and attestations that are needed by the government. We work with the policy team to provide input on open source security in policy documents from NIST*, CISA*, or executive order, weighing in on how we think the government can help secure software supply chains. So we try to work with every player across the supply chain.
Convening the Open Source World Around AI
Katherine Druckman: Aside from security, AI is another big conversation. You can’t go anywhere without talking about AI, even in mainstream, nontech spaces. As we gear up for the future, there’s a lot of pressure to get it right—whatever that even means. It’s exciting, but it’s also a little scary. It feels like we’re on a bullet train and we haven’t finished laying the tracks.
Nithya Ruff: It’s moving so fast. One of the things we’re doing from the OSPO perspective is working with our IP legal team, just as we do for licenses, to help ensure datasets and models are safe for our developers to use. We’re also working with the Open Source Initiative to make sure we have good guidance around what open means in AI.
The good news is that as we identify risks, it feels like players are getting involved to mitigate them. For instance, AWS has a product called CodeWhisperer* that assists with code writing. People were concerned about not knowing what code it was trained on, whether we have copyrights to it, and things like that. CodeWhisperer now attributes where the code comes from, so the developer can decide how to use the code and whether they want to ask for other code based on the license. GitHub Copilot* does the same thing. As we discover challenges and risks, vendors are responding quickly to overcome them.
Katherine Druckman: In cases like those, the community response was very agile. We were just talking about attribution and licenses, and the community addressed the questions right away.
Nithya Ruff: That’s right. The OSI is doing a good job getting feedback from AI practitioners and open source geeks like you and me. We in open source are used to the paradigm of copyrights and licenses, but we don’t yet know enough about datasets, weights, and models.
Katherine Druckman: The good news is that the most interesting people in the world are involved in open source. We have many smart people to solve these complex problems.
About the Author
Katherine Druckman, Open Source Evangelist, Intel
Katherine Druckman, an Intel Open Source Evangelist, hosts the podcasts Open at Intel, Reality 2.0, and FLOSS Weekly. A security and privacy advocate, software engineer, and former digital director of Linux Journal, she’s a longtime champion of open source and open standards.