In the open source world, Stephen Augustus is everywhere. He’s the head of open source at Cisco. He’s a long-time contributor to Cloud Native Computing Foundation (CNCF) projects. He’s an advocate for project maintainers. He’s a maintainer of initiatives such as the Open Source Security Foundation (OpenSSF) Scorecard and a member of several steering committees and governing boards.
How does he find the time for all this? The trick, he says, is that he’s made himself replaceable. “There are a lot of projects to steward, but helping people steward projects by laying down good processes has been part of the work.”
Applying this insight to the wider community, Augustus is helping projects build open source infrastructure that can scale and be sustained. On this episode of the Open at Intel podcast, listen as host Katherine Druckman and Augustus share why building strong processes and documentation maximizes everyone’s time.
Listen to the full episode here. The following conversation has been edited and condensed for brevity and clarity.
Katherine Druckman: Will you tell us about yourself?
Stephen Augustus: I’ve been the head of open source at Cisco going on three years now. I got the job because I spend a lot of time in open source communities. Kubernetes is my darling. I’ve been involved in Kubernetes for six years and some change. I’m on the Kubernetes Steering Committee. I’m a cochair of Kubernetes Special Interest Group (SIG) Release and a Release Engineering team leader, which means my team is responsible for pushing the button to release Kubernetes every cycle. Outside of that, I’m one of the OpenSSF governing board members alongside Arun [Gupta, vice president and general manager for Open Ecosystem at Intel] and other lovely folks. I’m also a maintainer for the OpenSSF Scorecard, which Intel has recently contributed to.
Katherine Druckman: Speaking of the Scorecard, you give back a tremendous amount of your time to various open source projects and communities. Could you tell us how you got started?
Stephen Augustus: While working at CoreOS, we closed Starbucks as a client. As a customer success engineer, I flew to Seattle to help facilitate Microsoft Azure support for Tectonic, the Kubernetes distribution that CoreOS offered. Some things weren’t working in Terraform, which is the provisioning stack for Tectonic. I spent a lot of time investigating and fixing these things, such as contributions to the load balancer support. I learned HCL, how to build up a module, and how to get some traction to get changes merged. And then I realized some of the changes I needed to make weren’t in Terraform but in Kubernetes. At that point, I started to poke around Kubernetes. I started in SIG Docs, which is the entry point for a lot of contributors. I spent a lot of time building out the functionality in Tectonic, and I got hooked on the community. It got me thinking, “Where else can I go?”
The Key to Building Thriving Communities
Katherine Druckman: Kubernetes is a tremendous success story in recent open source history. What do you attribute that success to, other than good technology?
Stephen Augustus: I gave a keynote last year at All Things Open called “Maintaining the Maintainers,” which was about how maintainers can protect themselves from being overworked. My talk this year, “We Don’t Owe You Anything,” is the inverse of that talk. In Kubernetes, you come to find there’s no such thing as corporate altruism—at the end of the day, we’re all involved in these projects for reasons. You should wear your agenda on your sleeve. People know you’re contributing to open source for a reason, especially if you’re a corporation. Being honest about what that reason is can push you toward having real conversations with the community. Part of Kubernetes’ success is because large companies are invested in its success, such as cloud providers and service providers that ship distributions. That corporate and financial support is one of the base layers of Kubernetes’ success.
On top of that, we layer on great people, processes, policy, and tooling that’s usable outside of our ecosystem. Kubernetes is the first graduated project within the CNCF, and it sets the tone for projects that come behind it. It also sets the tone for the process and policies that we might have on the CNCF level. For instance, the governance shape of CNCF Technical Advisory Group (TAG) Contributor Strategy was inspired by the special interest group for contributor experience within Kubernetes. We’ve built up a lot of patterns over time to see a successful community. Part of it is understanding the needs of the people who are contributing to and consuming the project and being intentional in how we support them.
Katherine Druckman: I love the idea of wearing your agenda on your sleeve. I’d love to talk about how you do that in your current role. How do you decide where to invest your energy and resources, and what areas are you focused on now?
Stephen Augustus: Everyone is focused on software supply chain security and AI. Between corporate interest and the eye that governments have had on open source lately, people seem to be paying attention and listening to what we’re doing. I look at my role in open source through three lenses: contributors, maintainers, and sponsors. How can I help people be more effective at contributing to projects? How can I be more effective in helping groups I’m a part of in maintaining projects? And as head of open source at Cisco, how can I sponsor the right projects at the right times—and be able to sustain Cisco sponsorships? I don’t want it to be hollow action. Aligning internal interests with sustainability efforts for open source projects is a path to success. Looking at how OSPOs should operate, all signs are pointing toward software supply chain security and AI right now.
Katherine Druckman: We all have 24 hours in a day. How do you find time to be involved in so many things throughout the open source world?
Stephen Augustus: It’s important to build toward replacing yourself. If you’re a maintainer of an open source project, you should be building sustainable practices so that you don’t have to be the only one sharing the load. For example, when I started co-chairing SIG Release, I realized we didn’t have much documentation on how we managed our work on enhancements. I started writing down everything team members did and went to work on creating a role handbook for the release team. Then, we went down the list of all the tasks and wrote down exactly what every role did during the release. That enabled us to expand the release team because new people understood what they were walking into and how to execute the role.
Similarly, when I was a co-chair of Kubernetes SIG PM—the team responsible for program, product, and project management—we got to work creating the Kubernetes Enhancement Proposal (KEP) process. This is another artifact that allows people to understand what goes into a project—the timeline, the required resources, the potential breaking changes, and the test suites we need to build into the plan. So you get to a point where you’ve built enough of a process that you don’t need to be in the loop. Everything that you step toward [should raise the question], “How can I get to the point where I don’t need to be involved in this directly?” So really scaling yourself and doing that across multiple projects is how I found the time. There are a lot of projects to steward, but helping people steward projects by laying down good processes has been part of the work.
OpenSSF Scorecard: Making it Easier to Navigate Challenges
Katherine Druckman: Can you tell us why the OpenSSF Scorecard is worth your time?
Stephen Augustus: Every open source program office (OSPO) or review board has a process that defines how code goes from internal to open source. This can include reviews of licenses, community health files, the code of conduct, security policies for reporting vulnerabilities, how dependencies are kept up to date, and branch protection. General repo hygiene is especially important for open source projects because if people can’t understand what a project does, how it works, and who’s going to respond to issues, the open source community won’t contribute to or consume it. I found that Scorecard answers a lot of these questions, and I thought it could be a potential vector to make my job at Cisco easier. At the time, it was essentially just me and the OSPO reviewing outbound contribution requests for a company of 80,000 people. I knew there had to be magic, automation, a tool—something to make the process more sustainable. Scorecard provides a series of checks for some of those things you might look at to determine a project’s viability.
Additionally, you can feed the checks from Scorecard into a GitHub app called All Star, which will open a GitHub issue and ping a repo maintainer until someone addresses it. Learning later on that part of the reason All Star exists is because Google’s OSPO uses it was validating for me. I thought, “Ah, another OSPO with the same problem.” Even more validating was hearing Ryan Ware of Intel give a talk at the Open Source Summit about Intel’s use of Scorecard. It’s very validating to have conversations with folks in OSPOs. If you’re part of an OSPO, you should absolutely join TODO Group if you haven’t already. It fosters informal Chatham House Rule conversations with people who are doing the same work and navigating the same challenges.
Katherine Druckman: I talked on the podcast with Ryan Ware and Brian Russell about Scorecard earlier in the year. It would be interesting to compare where Scorecard sits today vs. six months ago because I suspect things have changed.
To hear more of this conversation and others, subscribe to the Open at Intel podcast:
- openatintel.podbean.com
- Google Podcasts
- Apple Podcasts
- Spotify
- Amazon Music
- Your favorite podcast player (RSS)
About the Author
Katherine Druckman, Open Source Evangelist, Intel
Katherine Druckman, an Intel open source evangelist, hosts the podcasts Open at Intel, Reality 2.0, and FLOSS Weekly. A security and privacy advocate, software engineer, and former digital director of Linux Journal, she’s a longtime champion of open source and open standards.