
Daniil Dubrovkin: "Open source does not mean that it is free and that it does not belong to anyone."

Introducing the sixth issue of a podcast about technology, processes, infrastructure, and people in IT companies. Today's CTOcast guest is Daniel Doubrovkine, Technical Director of Artsy and an open source enthusiast.



About our interlocutor:
Daniel Dubrovkin graduated from the University of Geneva in Switzerland (1999). During his studies, he created two startups: the successful Vestris and the less fortunate Xo3. After completing his studies, he moved to Seattle (USA). In 1999–2004, he worked at Microsoft on NetDocs, MSN projects, and a billing system. In 2004–2006, he led development at Visible Path, and from 2006 he worked for Application Security. Since 2011 he has led development at Artsy.

Member of the New York CTO Club. Engaged in the development of open source solutions.

Text version of the podcast (1st part)


About open source in large companies



Alexander Astapenko: There is a stereotype about the incompatibility of open source and the Microsoft brand. True, this stereotype has been actively breaking down recently. You worked in the company for several years; how did it happen that after Microsoft you started working on open source products? Or maybe you always dealt with them, even working at Microsoft?

Daniel Dubrovkin: Going to Microsoft, I was an enthusiast of Linux and other open versions, I wrote programs in C, Unix. I was very surprised that the technology used by Microsoft is completely different, closed. I tried to help developers work together by creating shared source projects inside Microsoft, but it all seemed like swimming against the river. It was very difficult to convince people not to rewrite the same thing ten times, but to learn from each other. I always wanted to work in the open, but Microsoft was interested in learning something else: working with large teams and developing projects that are used by millions of people.

Pavel Pavlov: And how much did your approaches find support in Microsoft?

Daniil Dubrovkin: I worked on two projects that were purely mine: one was called CoreXT, the other — BuildTracker. Both are still alive. I tried to write them in the open and wanted other Microsoft developers to participate in the process too. And it worked pretty well. But the company itself actively struggled with the open things that were made inside Microsoft. There were always two sides to the company: people who wanted to work in the open, and people who really did not want to. And it was felt every day, with each new version. There have always been controversies about what should be open and what should not. At this time, in the 2000s, Microsoft as a company was completely closed, even inside.

Pavel Pavlov: Now the trend is changing. Not only Microsoft, but also, for example, Dropbox and Netflix constantly post their projects, that is, it is very difficult to find a company that at least partially did not open their projects. Naturally, core-products will never be laid out, however, there is a trend, and many companies, including Microsoft, are starting to make a large number of projects with open source. What is the reason? Why has the situation changed so much in the last five to ten years?

Daniel Dubrovkin: I think Microsoft realized that without this they are completely uncompetitive: engineers do not want to work with them, because it is such a closed company, and the same engineers do not want to use Microsoft technologies because of their secrecy. Microsoft was forced to do this. Open source development is not included in the DNA of Microsoft, and I do not believe that the company is changing radically now. I think it was just an answer to pressing questions: the business will go badly further or Microsoft has lost 90% of its developers. How would you not like .NET, but most startups do not write in it.

Many companies work in a completely different way and see open source as an opportunity to learn to cooperate with a large number of people who do not work with you directly. For small companies, this is a significant advantage. For example, at Microsoft I could leave my office, walk down the hall and find experts in anything that could help me with my problem. In a company of ten, this is impossible. Therefore, open source is the answer to this problem. I can find experts in any question on the Internet, but in order for them to listen to me and talk to me, I need to do my own part of this business and put all the code open.

I disagree with the opinion that core projects will not be open source, and I think that they should also be made open. This is only a question of competitiveness, the code itself is worth nothing.

Alexander Astapenko: Relatively speaking, there is some big company with its core product. And you say that it’s profitable for this company to have its Core product open source? Can you give any arguments?

Daniil Dubrovkin: Yes, of course. The most famous example is the Red Hat company, which made open source development 100%. Another example of a company that is smaller and younger is MongoDB. Their development is also completely open. The business of both companies is growing. Red Hat is a huge business and continues to be, and MongoDB is growing very fast.

Already, many companies have proven the fallacy of the idea that in order to make a lot of money, the code must be closed. You just have to make money a little differently, in services, for example.

The code itself has a rather small price. For example, imagine that Microsoft Office would be completely open source. So what? Clients who use these programs do not care whether it is open source or not. And for developers, having open source is great, because I can find the problem much faster and maybe I can fix some bugs. I see only the benefits of open source. I think that most companies do not do this, because they are simply afraid, they have too many lawyers.

About security



Alexander Astapenko: You raised an interesting question about security. It has become particularly acute in the last couple of years, when some open source solutions have gained popularity in the media when they have bugs. What do you think about this? Security of open source versions versus security of proprietary solutions?

Daniil Dubrovkin: Microsoft also has enough bugs inside. From the fact that all this goes in closed form, the software does not get any better. Much more important is who writes it, who pays for the code to be written, and who is working to make the code safe. This is much more important than the fact that it is open or closed. The problem of OpenSSL was 90% due to the fact that no one was engaged in this, and not the fact that the code was open.

Alexander Astapenko: Where does the opinion then arise that open source products are not as safe as proprietary products? I do not say that I agree with this opinion. You say that even in OpenSSL, the bug was not due to the fact that the code was open, but because they were not involved. Maybe, if it was a proprietary product with a company, with a hierarchy, with a bunch of managers who would be behind this product, would they be doing better? Or is it also a stereotype?

Daniil Dubrovkin: I think this is a stereotype. For example, I am familiar with Oracle databases from my past work. Application Security had a lot of zero days on napkins written about Oracle databases. And I think that if I now give the terminal to connect to Oracle 10g or 11g, then I will open it without passwords. And the bugs that are in these databases, they sit there for two or three years after some security researcher found them. It seems that everyone feels better because they do not know about these problems. But if one researcher has found, another will also find one that is no longer so good and that will sell these vulnerabilities so that later it would be possible to break down databases of specific companies, Sony, for example, and so on. I do not think that if the code is closed, then it makes us safer from this.

Pavel Pavlov: An interesting situation is obtained. You again mentioned two illustrative examples — Red Hat and MongoDB. These companies are built on a free and open product, but at the same time they run a fairly successful service business and provide either enterprise features or technical support. A huge number of corporate customers with serious decisions and business go to Red Hat, because they trust them and their security. Do you think this is due to the openness of the product? What else can attract such a model?

Daniil Dubrovkin: The price of Red Hat shares in the American market has greatly increased after Oracle made its Unbreakable Linux. It happened quite interesting. Oracle decided that once everyone wants Red Hat Linux, then Oracle will make its version and everyone will want Oracle because they trust. The result was the opposite. Then the stock price of Red Hat, in my opinion, doubled in a few days.

I think that people want to work, buy and pay money to those companies whose interests are the same as those of clients. I will be happy to use MongoDB, because I can always find engineers and I can always look at the code, because my results are important to them. And of course, if we have commercial goals, we are happy to pay money to give us some other features.

Alexander Astapenko: Maybe big companies go for proprietary solutions to cover themselves in case of any failure? For example, we use an open source solution and a critical bug is triggered by one of our clients. If this is a proprietary solution, then we can hide behind contracts with the supplier of this solution. In the case of open source there is no one to hide behind. Yes, the community will quickly fix it, but in the end we will be guilty before the end customer.

Daniil Dubrovkin: This strategy was developed not by programmers, but by lawyers and other people who are engaged in business and who always think about the worst that can happen. I think we need to change the look. You can sue anyone for any reason. And about the fact that large companies want to hide from such opportunities, I think that they just do not want to be responsible for their own work. This is a bad strategy, because they say: “We are not responsible for our product.”

Open source does not mean that you do not own your product and do not stand behind it. You do not say that it is not mine, but common. Open source does not mean common at all. Open source does not mean that it is free and that it does not belong to anyone. This means that we are developing our project in the open, and everyone sees what we are doing. MongoDB is a good example. I have not written a single line of code in MongoDB, although I use it.

About people and motivation



Pavel Pavlov: One side — people who develop open source products, and the other side — consumer. You studied and worked in Europe, then West Coast, East Coast. Different cultures and companies. What approaches to using open source products and the risks associated with them, did you notice?

Daniil Dubrovkin: When I worked in small companies such as Visible Path, the question of which programs and code to use did not arise. We always searched for answers in open applications. In larger companies, it was necessary to carry out rather serious work and explain to people who are not engaged in development that, anyway, we use a large number of open source solutions. For example, if you write a program in Java, then naturally you will use open source code. The larger the company, the more they do not want to use open source and open their doors, but everything changes very quickly. Now some large companies are beginning to actively shift the development to the open side, because more good engineers want to work on it, the programs are better, we do not rewrite the same thing many times. The next stage is to openly write your own programs, libraries, and so on.

Alexander Astapenko: Eco-friendly software, right?

Daniel Dubrovkin: That's right, software gets older and worse over time, even if you do nothing with it. And every time we move from company to company, we find ourselves in a situation where everything needs to be redone again. And I don't want to do this ever again. I do not want to start from scratch again, but I want to use everything that has already been developed before me by other smart people.

Pavel Pavlov: Speaking of the community and the people who create open source solutions, what do you think attracts them to such projects?

Daniil Dubrovkin: From the very beginning, the first and most important reason for me was the desire to learn something. Every day I see programmers who work on open source projects and who are much stronger than me. I can not always work with such people, sitting next to them in the same company, but through open projects I have the opportunity to talk with them and be on an equal footing.

The second reason is the opportunity to learn how to work with a large number of people whom you do not tell what to do. Many people see management as a job where you sit and say: “Today you do it, and tomorrow you do it. And how is it that you didn’t finish what you had to finish yesterday?” And for novice managers, working in open source projects is a very good school because you write programs with people who do not depend on you. They do everything they want, they work absolutely on a volunteer basis.

Continuation of the text version of the podcast — in the coming days.

Source: https://habr.com/ru/post/254343/

