What’s in the SOSS? Podcast #15 – Bidding Adieu to Omkhar Arasaratnam

In this episode, CRob chats with Omkhar Arasaratnam, who has served as the general manager of the OpenSSF and was co-host of What’s in the SOSS? As Omkhar moves on to the next chapter of his occupational journey, he reflects on his tenure with the OpenSSF, shares his open source origin story and highlights the achievements of the OpenSSF and the tactics he used to engage different stakeholders.

• Omkhar shares his open source origin story
• 02:14 – Things Omkhar is proud of during his tenure at the OpenSSF
• 04:36 – The challenge of keeping myriad stakeholders engaged
• 07:12 – Areas of open source supply chains that public policymakers and regulators should better understand
• 09:44 – Some challenges ahead for the open source ecosystem
• 14:58 – Omkhar answers CRob’s rapid-fire questions
• 17:57 – Omkhar’s advice for people entering the open source community

• Omkhar Arasaratnam on LinkedIn
• Get involved with OpenSSF

Omkhar Arasaratnam soundbite (00:01)
Finding a way to bring technical knowledge to somebody that may not be as technical or non-technical knowledge and options to those that are deeply technical is definitely an area where I chose to spend a lot of my time. And hopefully to some good effect.  

CRob (00:19)
Hello everybody, I’m CRob. I do security stuff on the internet and I’m also a community leader within the OpenSSF. And one of the cool things I get to do is I get to host “What’s in the SOSS?” the OpenSSF security podcast where we talk to amazing people within the open source ecosystem. And today we have a real treat. My dear friend and pal, Omkhar is here with us. For those of you that don’t know, Omkhar has been with us for the last year and half as the general manager of the Open Source Security Foundation. And today we’re going to talk a little bit about kind of reflecting upon his tenure here with the foundation. Maybe start us off, Omkhar. I don’t know if anyone has officially heard, but could you share with us kind of what your open source origin story was?

Omkhar Arasaratnam (01:04)
Absolutely. It’s a pleasure to be here on this side of the table. I began messing around in open source back in the late 90s. I actually began my career at IBM and very humble beginnings. I began doing tech support. So for all those that have seen the tropes about, you all the best folks start in tech support, I heartily endorse that. Going through the ranks of tech support, IBM was quite focused on ensuring that their PowerPC platform was well supported under Linux. And there was just this nexus of me having time on my hands, me being interested in the subject and dabbling around. So to answer your question, my earliest kind of foray into open source was back in the late 90s. So that’s like 25 years ago. Been a minute.

CRob (01:52)
We will not speak of dates, sir. That will not reflect well on either of us.

Omkhar Arasaratnam (01:56)
Indeed, indeed. I am noticing that in the camera that you guys can’t see, there may be a few grays in my hair that we’ll need to address. (laughter)

CRob (02:06)
Reflecting back on your tenure here within the OpenSSF, what are you most proud of that we’ve achieved over the last year?

Omkhar Arasaratnam (02:14)
That’s a really interesting question. I’ll bifurcate this into the behind the scenes versus what we’ve what we’ve been able to provide kind of outwardly facing. When I joined May 1st, 2023, my goal was to make board meetings boring. I guess the preconditions that we needed to satisfy in order for that to be true included building up trust, building up predictability, building up a cadence and a rigor where people felt like even when they weren’t actively involved in a meeting ,the right thing was being done so I was quite proud that I guess our last board meeting was in August and Seemed pretty boring to me. (laughter) That’s a good thing.

The thing I was most proud of from an outwardly-facing perspective was the work that we did around the technical initiative funding process. So for those that aren’t aware, we have a number of technical initiatives under the OpenSSF, both code hosting as well as specs and documentation and stuff like that. And in conjunction with the TAC and the board, we came up with a way of basically writing grants once a quarter for any of our technical initiatives. And I think that’s a great way of taking and taking the funds that the foundation has and really deploying them to good use. 

We have this really, really daunting task of securing all the open source. And any way that we can find to create these asymmetric opportunities where the amount of effort going in doesn’t necessarily scale linearly with the positive effect coming out, we need to take advantage of them. And, you know, there’s so much goodwill and elbow grease that engineers can put in and eventually we may need to solve funds. So I was really proud of the work that we did. And thank you for the collaboration on that as the lead of the TAC, around putting in the technical initiative funding to support our technical initiatives at the OpenSSF.

CRob (04:16)
I agree. I was very proud of us being able to implement that. Thinking of it, we live in a really complex space. We have a lot of different personas and stakeholders we get to engage with. Could you maybe share with us some of the tactics that you use to help keep these different stakeholders engaged throughout your tenure?

Omkhar Arasaratnam (04:36)
I’ll first self-reflect and say I’m not sure that I did a perfect job at it, but I certainly tried my best constrained by the amount of hours in a day, the amount of, you know, time zones that we have to cross and all that. What I try and anchor on is really trying to find a way to figure out what a win is for each person and, conversely, what they’re most concerned about. And in some cases, a win for one person may not be completely aligned with a win for others and we need to be able to construct our goals in such a way that we’re achieving maximum happiness, which at times may disenfranchise others. But I think with any of these spects of engagement, the best thing — the thing that always rings true — is to have a transparent and clear decision-making process.

And whether you agree with the outcome of the decision or not, nobody feels like they were they were done wrong. Like nobody feels like somebody achieved something through a sleight of hand. And I think by building that trust, that’s most important. I also think that, I mean it seems obvious, but everybody comes with a different background and a different perspective. So when we’re speaking to senior leaders within the government who are very adept at working through their legislative process in order to make stuff happen for citizens, that’s a very different set of skills than somebody that may be an expert in cryptography. 

And being able to find a way to align between the two is is an area I spent a lot of time. And I admit this as a software engineer, right, there are people that are genuinely smart in their own way. Just because you don’t understand data structures and algorithms doesn’t mean that, you know, you’re automatically demoted to the bottom of the stack. Quite the contrary, finding a way to be able to bring technical knowledge to somebody that may not be as technical or non-technical knowledge and options to those that are deeply technical is, is definitely an area where I chose to spend a lot of my time and hopefully to some good effect.

CRob (06:54)
One of the stakeholders we worked a lot with were broadly government bodies. So thinking about that, is there one thing that you wish these global public policymakers and regulators understood better about open source software and open source software supply chains?

Omkhar Arasaratnam (07:12)
Yes, and honestly, think this applies not just to governments, but all of the stakeholders, right, and those stakeholders could be members of the community, it could be government, it could be private corporations, it could be foundations. Everybody needs to figure out what that Rosetta stone is so that we can move forward.

One of the tripping hazards that we had early on — to quote a specific and well-known issue — was with the CRA, the Cyber Resilience Act in Europe. There were some provisions in early drafts which weren’t necessarily best aligned with the open source community. And specifically there were some concerns around how, at least in very early drafts, open source maintainers may have liabilities associated with software defects, or contributors could have liabilities associated with their contributions. And it just didn’t fit the culture of open source.  

And, you know, when push came to shove, there was a point at which when certain executives within the European Commission were asked, well, why didn’t you ask? They said, well, you know, we asked and nobody turned up. And the mediation that needs to occur in order to provide a good outcome is that neither party can kind of sit in their corner with their arms crossed and be like, hey, you meet me, you meet me here. There has to be a meeting in the middle. 

The good news story coming out of this is, I think, through a lot of hard work within the OpenSSF, as well as other foundations, there has been a much more constructive discussion around the CRA. The government, I believe, has understood the best way to engage the community, and the community has also coalesced around certain forums in which they can express their concerns as well as provide an opportunity to provide feedback on how the implementation will go. 

To get back to it, I think this anecdote really provides a clear view of why we need to be able to meet in the middle. And as I said, that extends not only between government and the community, but also foundations in the community, the community and commercial entities, things of that nature. If we can really figure out how to collaborate rather than attempting to conform one party to the other party’s thinking, that’s what really gets us to the best outcome.

CRob (09:36)
It’s a great perspective. Let’s get out our crystal ball. What challenges do you see ahead of the open source ecosystem?

Omkhar Arasaratnam (09:44)
I want to start by acknowledging and fact-dropping. So my good buddy, Frank Nagel over at Harvard Business School produced a study which determined that the supply side of open source, that’s the amount of money that goes into building, sustaining, contributing to open source,is about four, just over $4 billion. That’s a lot of, a lot of money. But the demand side, like the value provided through that investment is about $8.8 trillion with a T. That’s,  I mean, I don’t even know how many commas is in that. I think that’s —

CRob (10:22)
I ran out of fingers. (laughter)

Omkhar Arasaratnam (10:24)
Gonna have to start counting toes soon.  And of course there’s the oft-quoted, study from Sonatype that cites, and like my genuine opinion and I’m not questioning Sonatype’s calculation here, is that this is probably an undercount and that 90% of commercial software contains open source. So putting that together, the curation of open source and ensuring that it is secure isn’t just, an intense desire by a bunch of geeks. It is securing public good. It’s an incredibly important mission and something that we should take very seriously as we gaze into that crystal ball. 

Some of the hurdles that I worry about in the future are, an we used to, we used to talk about this when I worked in corporate, bad people don’t care about your risk acceptances, right? Like they’re not going to be like, oh your record of compliance excluded that system. Okay. I’m not going to append that. That’s just not how things work. 

And I think the analog in open source is less about like a particular control or a particular scope statement or a particular risk acceptance, but more around Balkanization. What I really worry about is that we’ll align into these little fiefdoms — be it in the community, be it in the commercial sector, be it in the public sector, like wherever, we’ll align to these little fiefdoms — and the bad person that’s trying to make a bad thing occur will be able to jump over these walls quite easily and trivially because that Balkanization results in a failure mode that they can exploit. 

I know there’s a lot of pride in open source that comes from meritocracy in that anybody can contribute. Anybody can, make a suggestion, and ultimately it’s up to the maintainers and community whether to accept that. But what i’ve noticed is there’s also the other side of it, which is if we drift too far We get into a scenario Where the project itself becomes Balkanized and is no longer accepting open ideas.

So there’s this balance between having this meritocracy and a healthy culture, and the culture devolving into something that’s unhealthy which causes concerns about safety in terms of people not wanting to contribute and various aspects of the community dwindling. The strength of the open source community is the community. And we produce some of our greatest code through community collaboration based on meritocracy.

I get really uncomfortable and concerned when discussions or debate drift outside of, you know, passionate debate on sides of which the better text editor is and into, you know, things drifting into thought police territory. I think that can be quite a negative. I think the other side of it is, back to the HBS study, order of magnitude difference between investment and the outcome. Y’all need to step up. And by y’all, I mean private sector and public sector. I think there are a lot of good actors within the ecosystem. I think, I’ve seen a lot of great contributions from larger organizations and smaller organizations alike. 

On the public sector side, we have organizations like the Sovereign Tech Fund in Germany. I’d love, as a taxpaying American citizen, to see our government put money behind open source. There has been great progress that has been made through various federal, state and local and tribal organizations within the US. But I would love to see something like the US equivalent of a Sovereign Tech Fund run within our government. I know this is a lofty goal as we record this two months before a presidential election, but I’d love to see that. 

I will state in closing that not all of our problems are financial. Through various OpenSSF programs including the Technical Initiative Funding and Alpha Omega, I can assure you all the problems aren’t technical. But if we can kind of get those out of the way, focusing on some of the gnarlier, non-technical problems start to become a bit easier.

CRob (14:58)
Very nice. Well said, sir. Thank you. Well, let’s move along to the rapid-fire part of the show. (sound effect: “Rapid fire!”) First question. Omkhar, what’s your go-to Linux distro?

Omkhar Arasaratnam (15:11)
I am currently a Debian guy. Although I have a clear Linux install from our good friends at Intel. 

Back in my day, I used to be a Gentoo developer. I used to be a maintainer for the PowerPC64 platform as part of my duties at IBM. So that’ll always hold a place in my heart, and I need the audience to know if you are running Google Chrome OS, that is literally built on Gentoo portage. So you’re using Gentoo in my opinion.

CRob (15:41)
Hahahaha! Very nice. Thinking back across your career, what’s your favorite programming language and why?

Omkhar Arasaratnam (15:48)
Oh, it’s C because that’s where I cut my teeth and I can make all kinds of heinous mistakes in it. Although in my recently-found free time, I, I — Rust community, don’t hate me — I tried picking up Rust, and it’s hard to bend my brain around it. It’s a me problem. It’s not a Rust problem. But I did find for whatever reason, Go to be very intuitive. And I don’t know whether part of it was knowing Pascal in my past, but I just found, like, I picked up Go in a weekend. Rust. we’re, we’re having counseling sessions.

CRob (16:25)
Hahaha! Very nice. Thinking across the amazing, the many things you’ve put in your mouth, what’s your favorite adult beverage?

Omkhar Arasaratnam (16:35)
Oof. I’m going to go with — my preferences around beer are in the extremes. So I like really dark, heavy porters and stouts. And I like right light crisp Pilsner’s and I’m not a big hops fan. The in-between isn’t an area I dwell much in. So looking at the darker side, there is, I think it’s a stout, maybe a porter, called Mexican Cake, which is super dark, super heavy, really sweet and has a habanero back to it. And as a —

CRob (17:10)
What?

Omkhar Arasaratnam (21:43.83)
Yeah, it is, it is great! So that, that is currently top of mind.

(Sound effect: “Oh, that’s spicy!”)

Haha! That’s right. That’s right, it is.

CRob (17:20)
And potentially the most controversial question of all, what’s your favorite open source mascot?

Omkhar Arasaratnam (17:27)
Honk. I mean, without question. Close second is Tux the Penguin.

CRob (17:32)
Nice. Well said, sir. Thank you very much for playing. (Sound effect: “That’s saucy!” )As we wrap up today, I want to thank you for your partnership . It’s been incredible to work alongside you, helping the community and helping our different stakeholders. What advice do you have? If there was an inspired listener out there, how could you encourage them or route them to be able to participate and join this amazing community?

Omkhar Arasaratnam (17:57)
I’ll do you one better. I’ll give you, I’ll give, I’ll give two bits of advice. The first to the community itself. Be welcoming and know your biases. We shouldn’t be increasing hurdles to entry for getting people to participate. Like, the intellectual hazing that sometimes occurs is unnecessary and it leads to really bad outcomes and discourages people. For those that do want to participate, roll up your sleeves and join. 

I mean, to take the OpenSSF community as an example, one of which I know quite well, join the Slack. Join the weekly meetings, show up on the mailing list, participate. There is no judgment. There is no downside. And by engaging in the community, you will get to contribute to making open source more secure for everyone. And we don’t just need software engineers. We need people that are community managers. We need people that are in marketing. We need people that are DevRel, we need everyone. So show up and find out the topic that’s most interesting. 

I’ll say the other thing to bear in mind for those that are looking to participate for the first time, this is largely a homogenous group of volunteers that are only driven by contributing. So if you want to volunteer, don’t show up and be like, hey, we’re can I help? Do a little bit of digging.

See which topic interests you the most. And hey, if you don’t see one, maybe that’s an opportunity to create a new work group or a SIG.

CRob (19:30)
Very nice, thank you. That was some excellent advice. And again, it has been a pleasure. I look forward to catching up with you in the future as you go off on your adventures and start your new journey. Thank you for everything you’ve done for us.

Omkhar Arasaratnam (19:434)
It’s been a pleasure. Thank you for giving me the opportunity to serve the community, and I stand by the sidelines cheering y’all on. I really believe in the mission. can’t wait to see all the great things that y’all are going to accomplish moving forward. (Sound effect: “The SOSS is the boss!”

CRob (19:59)
Thank you, sir. And with that, well, this is a wrap. Have a great day, everybody.

Omkhar Arasaratnam (20:02)
Thanks, you too, CRob.

Announcer (20:04)
Thank you for listening to What’s in the SOSS? An OpenSSF podcast. Be sure to subscribe to our series of conversations on Spotify, Apple, Amazon or wherever you get your podcasts. And to keep up to date on the Open Source Security Foundation community, join us online at OpenSSF.org/get involved. We’ll talk to you next time on What’s in the SOSS?