Podcast

• 01:42 – Why the Sovereign Tech Fund became the Sovereign Tech Agency
• 03:59 – The ways the Sovereign Tech Agency supports open source infrastructure initiatives
• 04:42 – The four criteria for Sovereign Tech Agency funding: prevalence, relevance, vulnerability and public interest
• 06:51 – Sovereign Tech Agency success stories
• 09:09 Plans for the Sovereign Tech Agency in 2025
• 11:54 – Tara answers CRob’s rapid-fire questions
• 13:54 – Advice to those entering open source development or security field
• 14:55 – Tara’s call to action for listeners

• Tara Tarayikee on Linkedin
• Sovereign Tech Agency homepage
• Apply for Sovereign Tech Fund investment
• Get involved with the OpenSSF
• Subscribe to the OpenSSF newsletter
• Follow the OpenSSF on LinkedIn

Tara Tarakiyee soundbite (00:01)
You can actually hear the relief when we’re talking to maintainers about how can we sort of get this kickstarted? How can we get the ball rolling? Hopefully those maintainers can also show the benefits of investing in security, investing in resilience to people that depend on their software and get them to invest in it as well.

CRob (00:17)
Hello everybody, I’m CRob. I do security stuff on the internet. I’m a community leader and I’m also the chief architect within the Open Source Security Foundation. One of the coolest things I get to do as part of this role is to host “What’s in the SOSS?” podcast, where I talk to interesting people, maintainers, leaders and folks involved with upstream open source security and open source supply chain security.

Today, we have a real treat. We have Tara from the Sovereign Tech Agency, and they are here to talk about the amazing work within the upstream community for the last several years. So maybe could you introduce yourself and explain a little bit about the organization you’re working with?

Tara Tarakiyee (01:00)
Thank you. I work with the Sovereign Tech Agency. We are a GC that’s funded by the German government, specifically through the Ministry of Economy and Climate to essentially strengthen the open source ecosystem, which is our mission. And we do that by investing in the components of our open digital infrastructure that are, I’m sure as you know, like maintained by very few people, but relied upon by millions and millions, what we call the roads and bridges of our digital world.

CRob (01:33)
I like that. That’s nice phrasing. As I mentioned, you all went through a little bit of a rebranding recently. Could you maybe talk about the change for us?

Tara Tarakiyee (01:42)
Yeah. So we had the whole concept that was developed by our co-founders, Fiona Krakenbürger and Adriana Groh to provide like an investment fund to support this critical infrastructure. And that was sort of like our first, let’s say, vehicle of support for projects. But essentially, what we’re trying to do is meet the community where they are, providing what they need. And we know that, sure, investments are good, but support for something as complex as our post-request instruction needs to come in different forms and factors.

So since then, we’ve also introduced two other programs, what was called the Bug Resilience Program, which is now called the Sovereign Tech Resilience, as part of the rebrand, and also our Sovereign Tech Fellowship. We provide services. We work with the vendors in this space who have experience with vulnerability management, with reducing technical debt, with doing code reviews and providing audits, and also with setting up and running bug bounty programs. And we provide those vulnerability management services. to open source projects indirectly. So we pay for it, but the services go to the open source project.

And with the fellowships, we are looking for maintainers who are key people in their communities who support several projects that for them, like, it wouldn’t make sense to apply it through something like the Sovereign Tech Fund. Usually what we do with the Sovereign Tech Fund is these service agreements that are sort of like deliverable based.

With the fellowship, we’re providing like a different way of providing support for maintainers through our fellowship where we support maintainers who are key in their communities by providing either with a board contract or with a six-month fellowship, three-month fellowship.

Those are sort of the sort of a bundle of services that we’re providing and under the banner of the Sovereign Tech Agency. We all have the same mission. We’re still doing the same things. It’s just the name, name change was just to reflect that there’s like a big house now where all these different programs live in.

CRob (03:47)
Makes a lot of sense. Could you maybe just share a little about how the agency kind of executes on this mission? How does someone become aware of these programs and how does someone take advantage of them to participate?

Tara Tarakiyee (03:59)
For the fellowship, we issued a call on our website. Currently, the call is closed for this year as we sort of review through the application that came in. For the Sovereign Tech Fund, we are still accepting ongoing applications on our website. So if you go to sovereign dot tech, you will find our website, and there you can navigate to the apply section where you can learn about our criteria, what we look for in critical infrastructure, open source, and from there it will take you to our application platform.

CRob (04:32)
If one of the programs is open, are there any kind of limits on who can qualify to participate? Does it have to be an EU citizen or can it be anywhere from around the world?

Tara Tarakiyee (04:42)
Anyone in the world can apply as long as you’re maintaining open source critical infrastructure. The way we, it’s hard to define something as open source critical infrastructure, you know? So for us, we take four criteria. So we look at sort of the relevance of your open source project. Is it used in different places, in many places, by many people?

We also look at…sorry, that was prevalence…then relevance, is it used in particular sectors that are particularly important? Like it could be not be used by many people, but if it’s using like the energy sector or aviation or something that’s, like, highly critical, then that’s another factor that of balances that out.

And then we look at vulnerability. So, I mean, it’s not a nice question, but like what would happen if your software component would disappear tomorrow? Would like people panic? Like that’s probably a good sign that it’s infrastructure. But also we balanced the question out also by looking at different aspects of like, why is this not receiving funding?

Because I think that’s a fundamental thing for us. Like we exist to support infrastructure because in general, like those are things that are hard to fund. It’s something, it’s a resource that everyone depends upon, but very few people contribute to. And that’s, that’s sort of like our niche. So that’s also something we look at in vulnerability.

And finally, we do an evaluation, like, is this a software that’s in the public interest? So is it being used in applications where it’s generally good for society? So, based on our evaluation of these four criteria and also look at the activities, like is it more maintenance activities or generally like you want to develop new features? Would you occasionally fund or invest in new features? But that’s only when there’s like a strong sort of public interest argument for it and no one else would fund it. In general, we mostly focus on improving the maintainability and security of those critical software components.

CRob (06:35)
Thinking back, you all have been operating, whether it’s the fund or the agency, for a little over two years. And thinking back over that, are there any particularly interesting success stories or where you felt that the fund or the agency made a real difference?

Tara Tarakiyee (06:51)
I mean, it’s generally nice just to hear the feedback from the different projects. It’s hard for me to name, like, one particular example or pick a favorite. In general, think like, when I look back and see like projects where they struggled for a long time to get the people that depend on them interested in security. Even though, like, it’s a critical dependency for, like, many companies and stuff, but nobody wants to fund like a security team.

People would rather fund new features and, which just like sort of exacerbates the problem. Like it just creates more pressure on the maintainer and creates more technical debt and more potential for things to go wrong. You can actually hear the relief when we’re talking to maintainers about, yeah, like we’re interested in your security plans. Like how can you sort of get this kickstarted? How can we get maybe those other people also interested? Cause again, like it’s such a big lift sometimes and with some software that we can’t do it all on our own.

So we try getting the ball rolling and then hopefully those maintainers can also show the benefits of investing in security, investing in resilience to the people that depend on their software and get them to invest in it as well. I’m also very proud of our investments in, for example, Fortran, where it’s a technology that’s still very important. Like people hear about it and think like, remember it like maybe from their university days or reading about it on Wikipedia, but it’s still there. It’s still lots of code written in it.

I think Fortran developers deserve the ammenities that modern day developers have, like a good package manager having the developer tooling. So I was very proud of our investment there because, again, like, also considering the state of the world right now, Fortran is very vital in climate modeling and us understanding the world around us. So it’s a very critical time for investment in such technology.

CRob (08:50)
Excellent. Yeah, the older languages deserve the same love that the newer ones do. I totally agree. Getting out your crystal ball, it’s towards the end of 2024 here. What’s in the future for the Sovereign Tech Agency in your programs for next year? Any big plans or anything you’re very excited about to get to work on next year?

Tara Tarakiyee (09:09)
So for work, we learned a lot from the past two years. So I think now it’s time for us to also start exploring ways of bringing in more people into the field of open source. I think, like, a common concern is looking at open source technology, like, there are very few maintainers and not so many are able to come in. Like there’s a high barrier for entry. So maybe I think looking at ways of opening up the field and getting more people, because I mean, the door is open, but that doesn’t mean that people automatically come in. Like, people need help to be able to get into open source.

And also we work with some very complicated projects because their infrastructure, because they’re written in sometimes like high-performance languages that are harder to get into. So I don’t want to compare, but like it’s not maybe as easy as, like, web development where sometimes the languages are a bit more accessible and there are already like a plethora of resources existing to help people get into them.

So I think just getting more people through the door, getting more, let’s say communities that don’t have access to the resources to become open source developers, helping get to the door, get them to becoming the maintainers of the future, I would say, is, would be something I would be very interested in working on or a problem to tackle.

With open source, it’s important to consider that interoperability needs standards because that’s how you create sort of like a healthy technology ecosystem. Because you don’t want like sort of a monoculture where like one software becomes a dominant thing and then that just creates lots of issues. So you want to have a variety of implementations around the standard to solve a particular problem. That just creates healthier software.

I think exploring how maintainers interact with standards bodies that exist. Also, you have increasing regulation and standardization coming from governments. And finally, I think there are some not official standard bodies, but bodies that help certain technologies communities or programming languages sort of improve their work that the maintainers know about these, but most people don’t. And I think getting more involved in sort of supporting the work that happens there to create better specifications, move technologies forward and get more maintainers involved in the conversations about the technologies that they’re developing at standard bodies will be another area of interest for us.

CRob (11:42)
Very nice. Yeah, that’s an interesting vision. A docket of things that I think we’ll probably be working on together next year. Well, let’s move on to the rapid-fire part of the interview.

(Musical sound effect: Rapid fire, rapid fire!)

All right, I have a couple quick questions. I want you to just answer right off the top of your head. Spicy or mild food?

Tara Tarakiyee: (12:06)
Spicy, but I have a limit.

(Sound effect: Ooh, that’s spicy!)

CRob (12:12)
Excellent. From your perspective, what’s your favorite open source mascot?

Tara Tarakiyee (12:17)
Oh, I mean, have to give it to Penguin, like Linux Penguin.

CRob (12:22)
Tux! Very nice!

Tara Tarakiyee (12:24)
I do sometimes get jealous of the FreeBSD devil, because it’s slightly cooler.

CRob (12:28)
Absolutely! Thinking back on your career with interacting with open source, what was your first open source project you remember using?

Tara Tarakiyee (12:37)
I mean, the first one I actively used knowing it was open source was Firefox. I wa a big part of the Firefox community early on in university. So I think how I got my start into open source advocacy was by organizing. I think, back then we were throwing these Firefox launch parties in Jordan. And from there, I got into Linux.

CRob (13:02)
That’s awesome. Well, thank you for sharing. As we wind down, do you have any advice that you would want to share to either someone entering the open source development or security field or is currently a maintainer?

Tara Tarakiyee (13:15)
I think it’s important for people to start listening more to maintainers. From my experience, like for the past two years working with maintainers, they know what they want, know where the problems are. There are people who really care about all these critical pieces of infrastructure that we depend upon, and they do have a good sense of what the problems are.

It’s just that I think not that many people listen to them that someone who really cares about software development in a way that’s… I compare it a bit to being an artisan where it’s more about the craft of the software and you just want to create the best software ever and sometimes occasionally they create things that are very important and used in many places. Sometimes not accidentally, sometimes intentionally as well and then, yeah, when it gets to that scale.

I think my advice is also don’t be afraid to say you need help. I think many maintainers feel like they need to do it on their own or think that people don’t care about their issues, but there are people out there who care about giving the adequate support to maintainers and creating communities of care for them. Definitely don’t be afraid. My advice for maintainers is don’t be afraid to ask for help and people do care about the work that you do. And my advice for others is please listen to maintainers. They know what they’re doing.

CRob (14:42)
Excellent. That’s excellent advice. Thank you. And finally, do you have a call to action, whether it’s kind of personal, like you just mentioned about for maintainers or contributors, or kind of around the Sovereign Tech Agency?

Tara Tarakiyee (14:55)
We do see the significant need or the significant under supply of what level of resources we need to put into our digital infrastructure. And there’s a huge gap between how many resources we’re putting in right now compared to what’s actually needed to create like a healthy, vibrant system.

Like, we’re still far off at the moment that, and I don’t think that many people realize that. So my call to action would be, let’s take this problem more seriously. Let’s invest like real resources, solving, like, the very real problems. We can’t wait til the next Log4j to happen and then say, oh my God, this could have been avoided.

I’m sort of also…maybe because like I’ve been working, doing this work for like 15 years now, tired of like that cyclical nature of like something big happens, people start caring. And then two years later, things revert back. Yeah, let’s, let’s try to break that cycle a little and put, like, significant investment that’s more long-term into creating maintainable, like sustainable support systems for our open source infrastructure.

CRob (16:00)
Excellent. Thank you. I appreciate you coming in to share your wisdom and your experiences through the Sovereign Tech Agency. I wish you a great day.

Announcer (16:09)
Like what you’re hearing? Be sure to subscribe to “What’s in the SOSS?” on Spotify, Apple Podcasts, AntennaPod, Pocket Casts or wherever you get your podcasts. There’s a lot going on with the OpenSSF and many ways to stay on top of it all. Check out the newsletter for open source news, upcoming events and other happenings. Go to openssf.org slash newsletter to subscribe. Connect with us on LinkedIn for the most up-to-date OpenSSF news and insight and be a part of the OpenSSF community at openssf.org slash get involved. Thanks for listening, and we’ll talk to you next time on What’s in the SOSS?