We’re excited to bring Transform 2022 back in person on July 19 and pretty much July 20-28. Join AI and data leaders for insightful conversations and exciting networking opportunities. Register today!
Let the OSS Enterprise Newsletter guide your open source journey! Register here.
Pretty much every tech company under the sun wants to join the open source, whether it’s opening up Facebook for its own internal projects or Microsoft spending over $7 billion to build one of the largest open source platforms. developers to acquire – GitHub.
Spotify is no different. The music streaming giant has made some of its projects open source over the years, such as Backstage, which was recently accepted as an incubation project with the Cloud Native Computing Foundation (CNCF) after two years as an open source project. The company also recently joined the Open Source Security Foundation, opened a dedicated open source program office and is now launching a fund to support independent open source projects.
In short, Spotify is doubling down on its open source efforts.
Open for business
There are many reasons why a company might choose to open source its internal technologies, or contribute to those of other companies or individuals. For starters, it can help to engage the wider software development community and serve as a useful recruiting tool. A company can also contribute resources to community-driven projects where it is a central part of their critical infrastructure, for example to help strengthen security.
Backstage, in turn, is all about building custom “developer portals”, unifying a company’s myriad of tools, services, apps, data, and documents into a single interface through which they can access their cloud providers’ console, issues with Kubernetes solve and find all the documentation they need as part of their day-to-day work.
“The problem Backstage solves is complexity — the kind of mundane complexity that can really startle engineers and their teams, which then slows down your entire organization,” Tyson Singer, head of technology and platforms at Spotify, told VentureBeat. “Backstage as a product and as a platform is really about creating a better experience for engineers – streamlining their workflows, making it easier to share knowledge and getting rid of the cluttered parts of the infrastructure. It empowers them better focus on building business value: innovative products and features.”
Spotify’s Backstage: An Open Source Developer Portal Platform
Today, Backstage is used by dozens of companies spanning retail, gaming, finance, transportation and more, including Netflix, American Airlines, IKEA, Splunk, HP, Expedia, and Peleton. But when all is said and done, what does Spotify get from open-sourcing Backstage? For starters, it gets a better version of Backstage for itself due to the community-driven nature of the project.
“Let’s imagine the counterfactual scenario where we didn’t open source Backstage two years ago, and instead put in the same amount of internal resources as we’ve gotten from the outside community — and based on the massive community involvement to date Admittedly, that would have been a huge investment and difficult to finance – it still wouldn’t be as good a product as it is now,” explains Singer. “A diversity of viewpoints and use cases, from adoption companies such as the world’s largest airline or fast-growing financial startup, individual contributors and third-party software vendors, have enhanced the product, made it more robust and enabled the platform to keep up. with the pace of change taking place both inside and outside a particular company.”
But on top of that, Spotify also indirectly benefits from Backstage being adopted by some of the world’s largest companies, insofar as it ensures that its own product ranks among the de facto “developer portal” tools.
“If we didn’t have open source” [Backstage], we’d be the only ones using Backstage and dependent on it,” Singer continued. “If another open source solution eventually came out, we would have had to migrate to that solution, because the community-fueled innovation overshadowed our ability to keep up.”
To support its ongoing open source efforts, Spotify has joined a host of companies to launch a dedicated open source program agency (OSPO) designed to bring formality and order to all of their open source efforts. , align OSS project goals with key business objectives, manage licensing and compliance issues, and more.
Spotify, in fact, has had some sort of OSPO for the better part of a decade, but it formed more of an informal group of employees who held other full-time positions with the company. Going forward, the company now has a full-time OSPO lead in Per Ploug and is actively looking for other positions.
So until now, Spotify’s open source work has been primarily driven by the “passion and commitment” of the company’s technical teams, Singer said.
“The enthusiasm has always been there and we just had to channel it,” said Singer. “A dedicated OSPO will bring greater clarity to this process for everyone, including what the expectations are and what kind of support can be expected. It ensures that our efforts are properly prioritized and integrated into the way we work. We want to treat it [open source] with the same level of ownership and dedication as we do with our internal applications – creating a formal OSPO allows us to do that.”
Spotify’s OSPO is positioned within the “platform strategy” unit of the company — however, it will ultimately span multiple teams and departments as open source software works with everyone from engineering and security to legal, HR and beyond.
“Tech teams have their areas of expertise, but we want our OSPO to be broad across multiple teams,” said Singer. “The best position to do that is from our ‘platform strategy’ organization, which forms the connective tissue between different R&D teams. It gives the OSPO visibility and independent positioning within that framework. It really shows how intertwined open source is with ways of working, not just in Spotify, but actually in any modern technology company.”
A central part of any OSPO is security – ensuring that every open source element in the company’s tech stack is secure, kept up to date with the latest version and also compliant with the terms of the open source license . So maybe it’s time Spotify recently joined the Open Source Security Foundation (OpenSSF), a pan-industry initiative launched by the Linux Foundation nearly two years ago to strengthen its software supply chain.
With incumbents such as Google, Microsoft and JPMorgan Chase, Spotify is in good company, and the decision to join followed the critical Log4j security bug revealed late last year. The OpenSSF also shows how open source has emerged as the de facto model for business collaboration – everyone benefits from more secure software, so it makes sense for everyone to work together.
“Open source security is a topic that concerns any technology company, or rather any company that relies on software,” says Singer. “We are all dependent on the open source ecosystem, which is why as a tech community we all have a responsibility to improve security where possible. Just like when we co-founded the Mobile Native Foundation with others, we see the problem as a scale: how do you create solutions that can affect not only local problems, but an entire landscape? We believe that participating in foundations – collaborating with other large companies who think daily about the problems and opportunities of scaling up within their own company – makes a lot of sense in finding scalable solutions.”
Show me the money
To further align itself with the open source realm, Spotify today opened the lid on a new fund for “independent” (ie not Kubernetes) open source project managers. The Spotify FOSS Fund starts at €100,000 ($109,000 USD), with the company’s engineers selecting projects they believe will earn the most money, and a separate committee making the final decision. The first tranche of selected projects will be announced sometime in May.
“The idea for Spotify’s FOSS Fund came about by asking ourselves, what can we do to support the quality of the open source code we all depend on?” says Singer. “It is only natural for the bigger tech players to play a role in supporting the open source ecosystem. We use it, we contribute to it, we build projects that others can contribute to and that we depend on – we think it’s important and necessary that we contribute to the success of this community.”
However, $100,000 isn’t a huge amount in the grand scheme of things. In the past year, we’ve seen Google pledge $100 million to support foundations like OpenSSF and commit $1 million to an open source security program from the Linux Foundation. Recently, Google also partnered with Microsoft to fund another security program, the Alpha-Omega Project, at a cost of $5 million.
But it may be unfair to compare supporting foundations and larger projects with smaller “indie” projects that receive no financial support at all. Plus, it’s still too early for the Spotify FOSS Fund, and it’s likely to evolve over time — which could mean a bigger pot.
“The fund starts with $100,000, the key word is ‘start’,” Singer explained. “We are ready and willing to grow the fund, but we are using this initial amount to help us evaluate what kind of impact we can make. Funds will be distributed to ensure administrators have the financial resources to maintain their projects, fix security vulnerabilities, and improve the codebase. We will focus on projects that are independent, actively maintained and relevant to our work here at Spotify.”
VentureBeat’s mission is to be a digital city square for tech decision makers to learn about transformative business technology and transactions. Learn more about membership.
This post Spotify dances to the rhythm of open source
was original published at “https://venturebeat.com/2022/04/22/spotify-dances-to-the-beat-of-open-source/”