Monthly Archives

July 2024

What’s in the SOSS? Podcast #10 – Rust Foundation’s Bec Rumbul and Succeeding as a “Non-Techie” in a Tech-Heavy Industry

By Podcast

Summary

Bec Rumbul is the Executive Director and CEO of the Rust Foundation, a global non-profit stewarding the Rust language, supporting maintainers, and ensuring that Rust is safe, secure, and sustainable for the future. She holds a PhD in Politics and Governance, and has worked as a consultant and researcher with governments, parliaments and development agencies all over the world, advocating for openness and transparency, and developing tools to improve digital participation.

Conversation Highlights

  • 02:57 Bec shares her day-to-day activities with the Rust Foundation
  • 04:53 Bec on her sometimes tricky responsibilities during her time at the U.N.
  • 06:35 How Bec communicates the importance of memory safety and Rust with stakeholders
  • 09:47 Surprises related to organizations that are adopting Rust
  • 11:50 Impediments to Rust adoption
  • 13:44 Bec answers Omkhar’s rapid-fire questions
  • 15:49 Advice Bec would give a non-technical person entering a technical field
  • 17:09 Bec’s call to action for listeners

Transcript

Soundbite (00:01)
Omkhar: Vi, VS Code or Emacs — favorite text editor?

Bec: That’s a trap. In the Rust community we would never, ever deign to tell anyone what their preference should be. We welcome all preferences in the Rust community.

Omkhar: Oh, well answered!

Bec: (laughter)

Omkhar: Alright!

 

Omkhar Arasaratnam (00:19)
Welcome to What’s in the SOSS? I’m your host Omkhar Arasaratnam, and with me today we have my good friend Rebecca Rumbul. 

Bec Rumbul (00:26)
Thank you very much for having me.

Omkhar Arasaratnam (00:28)
So we’ve known each other for a while, but for our audience, why don’t you introduce yourself, your title, and what is it that you do?

Bec Rumbul (00:36)
Ah, okay, so yeah, as you say, I’m Bec Rumbul, Executive Director and CEO of the Rust Foundation. And what do I do there? Well, I try and keep the wheels on the bus. I try and keep people happy. I try and support all of our wonderful maintainers. And I ask a lot of people for money so that we can keep on doing that.

Omkhar Arasaratnam (00:57)
So I’ve inferred you’re not cutting a lot of code, but as an example, what was your day today? What did you end up doing to give our audience an idea of what the day in the life of a CEO might be?

Bec Rumbul (01:10)
Sure, yep, no, I do not do any coding at all and I don’t recommend anyone ever ask me to try. That’s the surest way to get things to fall apart, I suspect. The great thing about the job is there are very few regular days actually. I get to talk to this wonderful wide spectrum of really just interesting and intelligent individuals. I get to speak to people inside Big Tech who are using Rust, who are thinking of adopting Rust, people that are maintainers and people that have been kind of building the language for years and years and years and are very personally invested in it, finding out from them how we can best support them and how we can make sure that they are able to write wickedly good code securely, for instance. 

I obviously have staff, which is great because they are the people that do the real work, not me. So I spend a lot of time coordinating with them, trying to figure out what our priorities as a foundation should be. And I have a wonderful board as well, made up of the community and our corporate sponsors who, you know, help to provide strategic direction, oversight, potentials for funding, that kind of thing.

As I said, I’m always on the lookout to fundraise so that we can keep providing this wonderful language to everyone that wants to use it.

Omkhar Arasaratnam (02:28)
You’re also our associate member rep for the OpenSSF. So thank you for those contributions as well. Now, in talking before this and prepping for the podcast, we were discussing your history leading up to your current position. You’ve been at the Rust foundation for just over, what is it, like two-and-a-half years now? What led you to this path? It certainly wasn’t a long history of computer science. It’s quite an interesting past though.

Bec Rumbul (02:57)
I kind of Forrest Gumped my way into this. I’ve never been one of those people with a very straight, very focused career ladder. Before this I did a lot of consulting for the UN, a lot of digital democracy work, a lot of research, looking at how to kind of empower citizens of countries all over the world to hold their politicians to account, to make better laws, to enable parliaments themselves to support that with the politicians that sit inside them. 

So I did years of that and I really enjoyed obviously doing the digital aspect and finding new open source tools to help people with that but also working on the democracy side, you know, the kind of consensus-driven, decision-making side, figuring out how that can be done well.

And that was one of the aspects of the job at Rust that really kind of called to me. Yes, okay, technically I’m in the CEO’s seat, but actually, I have very little power. The power is really in the hands of the community, it’s in the hands of the board. There’s an awful lot of people that are involved in helping us to make the best possible decision, not just the one that’s most kind of expedient for me at the time because I’m the boss.

With this amazing new language that was just emerging when I came into the role, and I had this opportunity to nurture this thing that I don’t even think many people realized how important it was going to grow to be. So yeah, playing mum to the Rust programming language as well has been fascinating and a real privilege.

Omkhar Arasaratnam (04:35)
What a very interesting past and what impactful work you’ve done in the past. I’d love to delve into that a little more. Is there one particular aspect of the advocacy work you’ve done previously that you’re really proud of, maybe a little embarrassed by? Let’s give the audience something that some insight to Bec’s world prior to Rust.

Bec Rumbul (04:53)
I did some very random stuff and I did some stuff that was required politically but maybe wasn’t really embedded in the hearts and minds of people that I was working with. So I’m not going to name specific countries, but I have worked with some parliaments in some very authoritarian regimes, shall we say? So, yeah, I’m not going to name countries because I don’t want to upset anyone. But yeah, there were some times where I definitely had some, you know, toeing the line, not really wanting to give people the kind of power that genuinely enables people to make democratic decisions.

But that said, I did, you know, I did some amazing work with parliaments in Kenya, in South Africa, in Ghana where they were really invested in digitizing and really invested in trying to empower the local citizenry to help make laws better. 

Omkhar Arasaratnam (05:46)
You know, it’s an election year. I’m not going into what that means for us over here in the States. I’m going to leave that aside. Thank you for sharing that though. And you have done some amazing work and it’s really interesting to see how that work has now led you to where you are now. So speaking of where you are now, Rust. I hear it’s going to fix all of our memory safety problems, right?

Bec Rumbul (06:07)
Yeah, of course. We can take the next question now. (Laughs)

Omkhar Arasaratnam (06:09)
Done. Next. I mean, it’s interesting. I think what would be interesting for us to learn is from your perspective, as someone who admittedly isn’t a technologist and somebody that is focused on improving things, making the world a better place, how do you frame the rationale for using Rust and how do you touch on things like memory safety when it comes to the discussions you’re having with your stakeholders?

Bec Rumbul (06:35)
It’s so important to be able to pitch what Rust can do and the kind of memory safety feature at the right level so that people can genuinely understand. It’s really easy to bamboozle people really quickly when you start getting really techie. And whilst I don’t write code, obviously I’ve worked in the area long enough so that I understand how these things work. But I’m hyper-conscious that certainly when you’re dealing with big world people, not just techie, techie people, these things can get very very complex and, you know, you can see people’s eyes glaze over very quickly. 

So the way I try and explain memory safety is to kind of tell people about you know some of the big hacks that they’ve heard of and how actually, you know using, different kinds of code that operate in different ways might have prevented some of those things. Not every single one, every big vulnerability is slightly different. But memory safety is this one feature that means that actually it’s really, really difficult to just have like really low-level errors or really sort of small mistakes that are just human errors, they’re not computer errors most of the time, they’re human. So any kind of safety net like a memory-safe language means that that’s just not possible. 

Obviously, there are many other potential vulnerabilities out there that memory safety won’t fix. But it was really important to have organizations like Google, for instance, releasing their research on using Rust, where they’ve come out publicly and said actually using Rust means that 70% of their vulnerabilities are gone because Rust is memory safe, it’s just automatically clearing those. So in terms of an economic view, not just a security view, that’s a hell of a lot of people that are doing forward-facing code now, not trying to fix something and digging through code, trying to fix something that already exists.

So that’s kind of the way I tend to approach it. It’s not perfect. It’s still an imperfect pitch, but I think because governments are now getting involved in security, suddenly, after, you know, so very many years in the wilderness being seen as a bolt-on, now it’s being given the attention it needs, and more people are actually, I think, getting up to date on just the theory of memory safety if not the actual ability to code it.

Omkhar Arasaratnam (09:06)
The angle that you took in terms of expressing the economic benefit as well as that safety net in my mind, I contrast this. We had Christoph Kern from Google on the podcast a few episodes ago, and you may imagine that Christoph had a very computer science point of view. So I love the fact that both of you have brought these, I’ll say, from different perspectives, on the same topic. And it’s very interesting to hear that. Switching gears, where are you seeing interest in adoption of Rust that was surprising? Like who was trying to adopt Rust now that you were just like, huh, I didn’t think about that?

Bec Rumbul (09:47)
I think I’m most surprised and encouraged by how quickly the safety-critical industry has noticed and started to prepare the ground for Rust adoption. Because obviously, you know, safety-critical, it is the most important sort of sector for having really secure, really high quality, high performing software. The fact that that sector has been kind of the first off the blocks in looking at Rust and figuring out how it can be used, I think, was really interesting. 

Obviously, again, you know, things like speed and performance of Rust appeal to that sector as well, but these are serious people building serious stuff, right? So it’s encouraging that that is a sector that’s looking really hard at this. That said, I love seeing Rust popping up in different places. Obviously, it’s kind of great in terms of Wasm. Rust embedded is growing and growing at the moment. But I love it when someone sort of pops up and says, my company is using this but I’m not allowed to say anything about it publicly. Damn, please talk about it publicly because that gives other people confidence as well. There’s loads of people I’d say that are, you know, loads of CTOs at the moment that are kind of Rust curious.

And yeah, we’re having kind of quiet conversations, but they don’t, you know, they just want to dip their toe in at the moment and they’re looking around for other organizations to kind of see what they’re doing. But very few are willing to kind of stick their head up and say, actually, no, we’ve done this and this was good and this was bad and this is what you should think about. 

Omkhar Arasaratnam (11:32)
What do you see as the next major challenges for Rust? I mean, it seems like everybody’s all in and even those that are just Rust curious for right now are certainly dipping a toe in the water. Other than, you know, the who’s going to go first mentality? What are the other impediments we have to adopting Rust today?

Bec Rumbul (11:50)
One, Rust notoriously has a steep learning curve. I actually think that that is being flattened. Where we were two, two-and-a-half years ago in terms of teaching Rust is very different to where we are now. And there’s lots and lots of good quality training stuff out there. And large tech organizations are better set up now to migrate whole teams across to Rust. So I think there is still a bit of a hangover from that, but I don’t think it’s as much of a problem as it was before. 

I think one of, and what I’ve seen in some conversations, is that because Rust is so new and young, an awful lot of people in positions of responsibility don’t know it. They learned C++ when they were doing their comp sci degree or in the early days or Python, and even though we’re getting an awful lot of people at grassroots level, I do think there’s a reticence among people who are quite a bit higher up and who have to make these huge financial decisions about whether they’re going to invest that heavily in this because, obviously, they just don’t have that kind of personal firsthand experience of it. So I think there’s a little bit of that. 

The tech mini-slowdown last year didn’t help anyone, I don’t think. Certainly, if you’re kind of looking at doing… if the whole sector is feeling a bit kind of sluggish, it’s probably not the time to invest. That said, I do think the momentum is there and I think we’ll be having a very different conversation in a couple of years’ time.

Omkhar Arasaratnam (13:33)
That makes a lot of sense. Alright, Ms. Rumbul, we are going to move into the rapid-fire round. Are you ready? 

Bec Rumbul (13:42)
As I’ll ever be.

Omkhar Arasaratnam (13:44)
Some of these, some of these questions may lean a bit technical. I will give you a choice of a set of answers. There’s always the, no, Omkhar, you didn’t get that right. But I think moreover, some of these questions lean very tech heavy. I would like your point of view as to how your community reasons over some of these questions, should you be privy to when they come up. 

Bec Rumbul (14:07)
Okay.

Omkhar Arasaratnam (14:08)
Now, the first one is not techy. Spicy or mild food? And I think I know the answer to this.

Bec Rumbul (14:13)
Spicy food. You only live once.

Omkhar Arasaratnam (14:15)
Yes, that’s why we’re friends. That’s why we’re friends. Now here, here come the techie ones. Vi, VS Code or Emacs, favorite text editor?

Bec Rumbul (14:27)
That’s a trap.

Omkhar Arasaratnam (14:29)
Hahaha!

Bec Rumbul (14:31)
The answer is, in the Rust community, we would never ever deign to tell anyone what their preference should be. We welcome all preferences in the Rust community.

Omkhar Arasaratnam (14:41)
Oh, well answered! All right. Let’s see how adeptly you dodge the next question. Tabs or spaces?

Bec Rumbul (14:50)
Oh, I don’t care. And I know that’s not the right answer. I’m supposed to choose a hill to die on here, but life’s too short. (Laughs)

Omkhar Arasaratnam (15:01)
Life is too short, let’s drink wine?

Bec Rumbul (15:03)
Life’s too short, let’s drink wine. And you know, the previous answer also applies. We would never, ever suggest a preference to people. It’s whatever they’re comfortable with.

Omkhar Arasaratnam (15:11)
You know, I recently took some time off personal vacation and I actually went through the Rustlings course. So I will let you know my thoughts once I complete it. Thus far, this old C programmer had to learn some new tricks, but it was very insightful. Closing things out. What advice do you have for somebody entering our field today? And normally the person I’m asking this, they’re normally somebody that spent multiple decades in security or multiple decades in software engineering. I’d like you to answer this question from the perspective of somebody that’s thinking about entering the field as a leader in a code-hosting nonprofit. 

Bec Rumbul (15:49)
I think there is room for everyone in open source. That’s the most amazing thing about this kind of community. And there are a lot of different skills that are really needed here. I think I might have been hired because the board was interested in bringing in some skills that don’t, there weren’t too many of those skills in the community because people who have mad coding skills don’t spend all of their time looking at spreadsheets and writing board agendas, right? And chasing people and trying to charm them out with their money. 

So I think, you know, my advice is it’s fine, it can be intimidating coming in and speaking with all these people that are so very much smarter than you. But you have things that they don’t. And the whole of open source is desperately in need of a whole kind of range of skills, from project management to administration bureaucracy, to event management, to moderation and community management, all of these things. It’s not just about the code. If it was just about the code, open source wouldn’t work. It’s all about creating that code together in a community of people that are just kind of pulling in the right direction with the same values.

Omkhar Arasaratnam (17:00)
What great advice. Last question for you, Bec. What’s your call to action for our listeners? What would you have them do after listening to this podcast?

Bec Rumbul (17:09)
It’s kind of building on my last point actually, you know, we’re always in need of people to help us do great stuff and to give us opinions that come from different places to where we are. My kind of call to action is get involved — even if you’re not a security professional or, you know, someone that’s going to bang out lines and lines and lines of code for fun of an evening — if you’re really interested in helping a community grow and developing amazing software and securing our shared online world, your skills helping to manage the community or do administrative things or management things are just invaluable. So turn up, join a community, have fun.

Omkhar Arasaratnam (17:48)
Bec Rumbul, thank you so much for joining us on What’s in the SOSS? And all the best in leading the Rust community to newer and greater heights. Thank you for all you do.

Bec Rumbul (17:58)
Thank you.

Announcer (17:59)
Thank you for listening to What’s in the SOSS? An OpenSSF podcast. Be sure to subscribe to our series of conversations on Spotify, Apple, Amazon or wherever you get your podcasts. And to keep up to date on the Open Source Security Foundation community, join us online at openssf.org/getinvolved. We’ll talk to you next time on What’s in the SOSS?

SOSS Fusion 24 CFP Results

SOSS Fusion 2024 CFP Results: A Look at Our Diverse and Engaging Program

By Blog

As the Call for Proposals (CFP) for the Secure Open Source Software (SOSS) Fusion Conference wrapped up, we wanted to share some insights about the submissions that highlight how Fusion will be a premier event in open source security. SOSS Fusion brings together the brightest minds in software development and cybersecurity to secure the open source software that we all depend on. With a total of 198 submissions from 143 different organizations (including individual contributors as well as small or medium-sized enterprises), the Program Committee (PC) is currently reviewing proposals to finalize an agenda that promises to be both innovative and engaging.

Breakdown of SOSS Fusion CFP Submissions

Nearly 50% of submissions are focused on Software Development and Open Source Software as well as AI and Security. Nearly 20% of the submissions focused on the topic of OSS Consumption and End Users. 30% of the submissions focused on a variety of topics such as Diversity and Community Development, Public Policy, OSPOs and Security, as well as Security Education.

Just over 80% of the talks submitted have never been presented before, indicating that we may be reaching an audience that is not engaged in other conferences. This diversity of content aligns with our goal of fostering fresh ideas and innovative approaches to open source security. Nearly 60% of submissions come from a diversity, equity, and inclusion background and just over 40% of the submissions come from the greater Global community, outside the United States and Canada.

Sponsor SOSS Fusion or a Co-Located Event

We currently have sponsorship opportunities available for organizations that want to show their support for open source security. Whether you are a large enterprise organization or a startup, sponsoring SOSS Fusion will give your organization the key visibility and recognition aligned to a critical topic that affects everyone: the security of our open source ecosystems. Check out the sponsorship prospectus or get in touch with our team today!

Just before SOSS Fusion, we are excited to offer opportunities for co-located events. These events are smaller gatherings that help create a community to discuss important issues. A limited number of spots are available.

Key Dates to Remember

  • CFP Notifications: Tuesday, July 30
  • Schedule Announcement: Wednesday, July 31
  • Presentation Slide Due Date: Friday, October 18
  • Event Dates: Monday, October 21 (Co-Located Events), Tuesday, October 22 – Wednesday, October 23 (Fusion Conference)

The agenda will be confirmed by the PC on July 29, ensuring a well-rounded and comprehensive program that addresses the most pressing issues in open source security.

What to Expect at SOSS Fusion 2024

The SOSS Fusion Conference will host in-depth technical conversations on innovative and industry-leading ways to secure open source software. This collaborative platform will feature a range of session types, including lightning talks, session presentations, panel discussions, and keynote sessions. Attendees can look forward to gaining insights from thought leaders and participating in discussions on various topics, including:

  • OSPO: Security and Open Source Program Offices
  • Maintainer Roles: Securing Open Source Software
  • Dev: Secure Integration in the Software Development Lifecycle
  • What’s Next: Fresh Ideas for Security Research & Innovation
  • Digital Public Goods (DPG): Public Sector Promotion & Adoption
  • Public Policy: Regulations to Improve Open Source Security
  • As We Are: How Diversity Improves Security
  • Education (K-12+): The Future of Secure Open Source Software
  • End Users: Secure Supply Chains
  • Dependencies: Understanding the OSS in Your Stack
  • Towards a Secure Baseline: Ecosystem’s Role in Security
  • AI for Security: Leveraging AI to Secure Open Source Software
  • Security for AI: Starting with Security for Open Source AI

Join Us in Atlanta

SOSS Fusion 2024 will take place in Atlanta, Georgia, and promises to be an event filled with knowledge sharing, networking, and collaboration. Don’t miss the opportunity to be part of this groundbreaking event that is set to shape the future of open source software security.

For more information, including registration details, sponsorship opportunities, and travel arrangements, please visit our SOSS Fusion event page.

OpenSSF July Newsletter

OpenSSF Newsletter – July 2024

By Newsletter

Welcome to the July 2024 edition of the OpenSSF Newsletter, with our latest information on what’s been happening lately and what’s on our radar.

An Open Source Approach to Threat Mitigation in AWS


Securing cloud environments is a top priority for organizations today. Leveraging open source tools like Falco, combined with AWS Lambda, provides powerful solutions for monitoring and responding to security threats. Learn how Falco and Falco Talon can automate threat detection and response, ensuring robust cloud security.

Read More

A Deep Dive into SBOMit and Attestations


December 2023 saw the launch of SBOMit, a project that helps enhance the reliability and integrity of SBOMs (Software Bills of Materials). It does so by including, along with SBOMs, a series of in-toto attestations that are produced while the software is being created. SBOMit is hosted under the OpenSSF Security Tooling Working Group.

But why are these attestations important for SBOMs and how do they work? 

Read the blog to learn more.

Improving OpenSSF Scorecard Scores: StepSecurity Automation for Four Key Checks


Implementing security best practices is essential for open source maintainers to ensure their projects are secure and free from vulnerabilities. However, many maintainers find this task complex and time-consuming when done manually. The OpenSSF Scorecard offers an automated heuristic of how well key security processes are implemented in a project.

Read more

Chainguard Enhances Security With OSV Advisory Feed


In today’s rapidly evolving open source ecosystem, managing vulnerabilities efficiently is crucial. To address this, Chainguard is now publishing its security advisory feed in the Open Source Vulnerabilities (OSV) format. This integration aims to simplify vulnerability management and enhance security for users of open source software. 

Read more

Why are Organizations Struggling to Implement Secure Software Development?


The Secure Software Development Education 2024 Survey, conducted through a partnership between the Open Source Security Foundation (OpenSSF) and Linux Foundation (LF) Research, examines the secure software development education needs of professionals in this field. 

Read more

Learn How To Develop Secure Software!


The Open Source Security Foundation (OpenSSF), in partnership with Linux Foundation Training & Certification, offers a free online training course, Developing Secure Software (LFD121). Those who complete the course and pass the final exam will earn a free certificate of completion valid for two years. 

Read more

AI Cyber Challenge (AIxCC) and the Needle Linux Kernel Vulnerability – Part 1


Could artificial intelligence (AI) practically help find and fix vulnerabilities in a scalable way? We don’t know for certain, but there’s hope that it could. In this article, we’ll look at a competition to encourage the development of AI-enabled tools that will automatically find and fix vulnerabilities. 

Read more

The Linux Foundation and OpenSSF Release Report on the State of Education in Secure Software Development


Linux Foundation Research and the Open Source Security Foundation (OpenSSF) are pleased to release a new report titled “Secure Software Development Education 2024 Survey: Understanding Current Needs.” Based on a survey of nearly 400 software development professionals, the analysis explores the current state of secure software development and underscores the urgent need for formalized industry education and training programs.

Read More

AI Cyber Challenge (AIxCC) and the Needle Linux Kernel Vulnerability – Part 2


In part 1, we discussed the Artificial Intelligence Cyber Challenge (AIxCC), a two-year competition to create AI systems that find software vulnerabilities and develop fixes to them. We also discussed a specific vulnerability in the Linux kernel, called needle, as an example of the kind of vulnerability we’d like such tools to find and fix. In part 1 we discussed how such tools might be able to find vulnerabilities. Now let’s talk a little bit about how they might fix them. Real competitors in AIxCC might do things differently; this article simply helps us understand what they’re trying to do.

Read More

Recognizing Excellence in OSS Community: Golden Egg Award Nominations Are Now Open!


The Open Source Security Foundation (OpenSSF) is thrilled to announce that nominations for the Golden Egg Award are now open! This award honors individuals who have made outstanding contributions to the open source security community. After its successful debut at SOSS Community Day North America, the award is back to recognize more exceptional individuals at SOSS Community Day Europe this September. If you know someone who has demonstrated exceptional dedication and impact in our community, now is the time to nominate them for this esteemed recognition.

Read More

See You Next Month

We want to get you the information you most want to see in your inbox. Have suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org and see you next month! 

Regards,

The OpenSSF Team