How'd you like to listen to .NET Rocks with no ads? Easy: become a patron. For just five dollars a month, you get access to a private RSS feed where all the shows have no ads. Twenty dollars a month will get you that and a special .NET Rocks patron mug. Sign up now at patreon.dotnetrocks.com. Hey, Carl and Richard here with your 2024 NDC schedule. We'll be at as many NDC conferences as possible
this year, and you should consider attending no matter what. NDC Oslo is happening June tenth through the fourteenth. Get your tickets at ndcoslo.com. The Copenhagen Developers Festival happens August twenty-sixth through the thirtieth. Tickets at cphdevfest.com. NDC Porto is happening October fourteenth through the eighteenth. The early discount ends June fourteenth. Tickets at ndcporto.com. We'll see you there, we hope. Hey, guess what? This is .NET Rocks. I'm Carl Franklin
and I'm Richard Campbell, and we're still at Build. I like it. I like it here too, man. I love this little corner office looking down at the... I don't know why we have a view, but we have a view. I'm not complaining. So listeners, just close your eyes and think of a nice Seattle cityscape on a perfectly gray and rainy day. Yeah, up close too. So there's like a lot of detailed buildings and stuff. Yeah, very
cool. Yeah. I feel like I don't see you but five times a year, you know, even though we talk every week. But it's really cool. We have this circle of friends that we only see at conferences. Yeah, you know, and I think those
are some of my closest friends. Yeah. Well, we do the same work, right? Like, often most of our work is very much by ourselves, and so this little club that we're in, that's just kind of where we get to compare notes. But heck, that's what the show's about too, right? Exactly, yeah, exactly. Damien Brady's here. We'll be talking to him in a minute, but first let's get started with Better Know a Framework. Awesome, all right, man, what do you got? All right?
So we had a little party last night for Ms. Mary Jo Foley. MJF was here. Yeah, yeah, she's already flown out this morning. Yeah, yeah, a whole bunch of people. Paul Thurrott was there, some RDs, some MVPs, some Canadian people in your neck of the woods, and this guy Moaid Hathot came and sat down next to us and was telling us about how much he loved .NET Rocks. He's from Israel and he said, I have a Better Know a Framework for you. I was like, okay, what is it? And he told me that you
are. I went there. It's like, hey, that's you, so shameless of me. You are right there. But it's pretty cool. So if you've used LINQPad... do you use LINQPad? I have. So there's a .Dump() extension method that you can add to the console, similar to LINQPad's, called Dumpify. Dumpify, you know, you can leave it up to your imagination, but basically, when you call this, you can dump any object in a structured and colorful way into the console, trace, debug,
events, or your own custom output. So the people who love LINQPad really missed this feature in .NET console apps. So that's what it's for. It's for those people. Hey, we are thinking of you, my friend. Nice. Or more to the point, Moaid is thinking of you. Somebody is. Yeah, but it's very cool. It's an MIT-licensed open source tool. And there's also a video with Jon Galloway interviewing him and talking about it. Yeah, so go there, know it, learn it, love it.
Who's talking to us, Richard? If you can believe it, we have not had Damien on the show since 2017. That is ridiculous. Yeah, and honestly, the very last time, it was actually when we were together in Orlando for, I guess it was, it was an Ignite. Yeah, that's the only reason I think we'd be in Orlando all together, with the inimitable Donovan Brown, no less. I remember this because it was in the West wing, yeah, of the Orlando Convention Center, which
I think is actually in a different time zone. Like, I think we walked for a day and a half to get there. And I remember confusing your names because they're both DB, and, you know, yeah, two DBs in a row. But I did not take a comment off of that show. I took the comment off of a different show we did the same year, in March of 2017. So there was a time when you did two shows a year and now it's been seven years. Like, we talk
on RunAs all the time. It's been a while. This was the Brownfield DevOps show, again at NDC London. Notice the pattern. There's a pattern: Brownfield, Dumpify. You know, we have a pattern going here, right? So this... Yeah, and then we were talking, and so this was the Brownfield DevOps. So it's like, how do we put DevOps into an existing application, try and modernize and get it under better control, especially when the people
who are doing that are not the ones who built it. Great conversation, and we had a bunch of good comments on this show and I just had to pick one, and this is from Simon Timms. This is seven years ago. Great episode. Good to hear more adopted Canadians on the show. You're an adopted Canadian. My company is one of the blips on the internal dashboard that Octopus has, because I think you were at Octopus then. Yeah, we first met you when you worked for Octopus. Yeah, we've been using Octopus
for a while and we've been very pleased with the direction it's taking. The work done around transient machines has been especially helpful as we run on top of an ever-changing number of machines on ALUs. There seems to be a bit of a theme going on about what defines a legacy system. I'd agree that legacy isn't necessarily bad. It may be working fine. We have some microservices that just haven't been updated in six months because they appear to just work. What
a concept. Sometimes software is done. The problem occurs when the tribal knowledge for that piece of code disappears. Ideally, the code is well-structured and understandable enough that even if the knowledge is lost, we can rebuild it pretty easily. Avoiding unmaintainable legacy code, in my mind, goes hand in hand with structuring your code well, having tests, and running builds and deployments from time to time even if nothing in the code has changed. Mm-hmm.
That's a fair thought. I mean, we really were talking about people moving on and going to other projects. But honestly, like, within a couple of days of me writing code, it's gone. I've got whiskey to store in my head, like there's only so much space, right? So anybody could be working on it at that point. So I agree, the documentation is one thing, the tests are another, and fast forward seven years to today, you'd just get Copilot to write those tests for you. Much less,
right. And what does this code do? Certainly it's writing my PRs, that's one thing. And I think I said this on the last show. I love using Copilot to say, hey, take this code and comment it. Yeah, yeah, yeah, everything is well commented. Simon, you gave us a little nostalgia run, plus reminded us of how different the world is now seven years on. So thanks so much for that. A copy of
Music to Code By is on its way to you. If you'd like a copy of Music to Code By, write a comment on the website at dotnetrocks.com or on the social medias. We put every show on Facebook, and if you comment there and I read it on the show, we'll send you a copy of Music to Code By. Yeah? Music to Code By, good. And, you know, we've been on X. I still can't get over since it was Twitter, since the old days. Remember, I remember when it was called
Twitter? And of course we've been on there for years and you can send us a tweet or an ex or whatever the heck you call it. But the cool kids are hanging out on Mastodon. I'm at Carl Franklin at techhub.social, and I'm Rich Campbell at mastodon.social. Send us a toot. That's another way that you can get yourself some Music to Code By. Excellent. Let's bring on Damien Brady, and he is currently staff developer advocate for GitHub. That's right,
Yeah, what is a staff developer? That's a great question. Yeah, you have a great answer. Yeah, staff developer. It's just a level thing that we need, so we do, like, developer advocate, senior, and then staff, and then it's probably principal or something. I don't know, I haven't looked that far ahead. And then it's grand poobah developer advocate. There's, yeah, way more important people. You know what, if they just numbered things like, you know, level one, level two, level three, then we'd
actually know where you are in the hierarchy. But why do they come up with these cryptic names? I mean, they do number them, they put a dollar sign in front and you can't share that one. Really? Yeah, yeah, that's the one. Having a good time right now? Do you think we are? Yeah, we're doing well. And you guys invented the best name for a large language model ever. We're calling it Copilot. Yeah, that tool has been, well... the name for the tool is being
adopted by Microsoft. I don't know how much you've walked around at Build, where we are. A little bit. Have you heard? You know, I originally had this idea that I have a drinking game: every time you said Copilot, first hour you're in the hospital. Yeah, in fact, every two seconds. You know, they're using the word Copilot all over the keynotes. And there's more than one Copilot, right? So now you build your own Copilots with Copilot Studio, and
yeah, there's so many. I think honestly, though, that speaks to how descriptive that name is and how accurately, I mean, it represents what it's supposed to do. Sure, I mean, it's a perfect name in the sense of you know what it means. It also, you know, mitigates legal liability. You're the pilot. But I think GitHub Copilot is especially
a good name because it also talks about the source of data, you know, what the model was built on. And I think it's been very successful because developers first get this. Like, I worry about consumers trying to use technology like this far more than I worry about developers, just because we're used to explaining code and having code explained, and we're used to evaluating code
and making assessments on it. I have been talking to a bunch of PMs that have had teams now using Copilot for more than a year, and first I talked to the devs, and then after a while started talking to the PMs, and one of the things they were saying this particular time is that check-in behavior has completely changed. Yeah. Yeah, but the one thing they said...
One thing that they said was there are far more reverts, right? But if they don't revert within, like, the first hour, there's almost no changes after that. And so we were talking about, like, why do you think this is the case? I think they're still learning, so they're getting a chunk of code and they don't fully understand it, and then they push it and then it goes to the test pipeline, it gets crucified, and they revert it. Yeah, or they do understand the code and make a
few tweaks on it and they push it and it's pretty good. Yeah, and I mean, that's the issue and the concern, I guess, with these AI tools, where there's a legitimate concern that, you know, it just
blindly puts something out and you blindly accept it. And it's really the stuff with the Stack Overflow meme, right? And I've got to say this again, we really have to differentiate between AI that generates code from repositories or whatever and AI that gives you business advice or, you know, gives you text
or language, right? And I think that the first case is a home run, and it's especially for developers, because, you know, the compiler has to have its say and you have to get it past the compiler before it'll run. And also, you know, the stuff about looking against your data and trying to find things that are just black and white. The data is
either there or it's not, right? So those things are great. But it's the small language models and the large language models and those things that you either have to trust completely, yeah, or else what's the point? Yeah? Well, I mean, this is part of, and I know we'll talk about this in a sec, but part of the direction that the team has been thinking about in terms of how to do more than just be a smart code
completion engine. And the code completion stuff is great. Acceptance rates, I don't know the official stat, but acceptance rates are well over fifty percent. So in some code bases, you know, seventy percent of the code is written by Copilot, technically. But that's one part of the tool. But there's a huge amount of work that developers do that is not cutting
code, right? There's been a bunch of studies, and they all kind of differ, obviously, because it's a bit, you know, subjective, but around three quarters of the work that developers do is not writing code. It's interpreting requirements and figuring out where to put the changes and all of that stuff. You do all that pre-work so that the Copilot part becomes easy. Yeah, but it
is the knowing what needs to be done next. But yeah, the architecture, right? Would you consult Copilot on how to best create an architecture for your application? There's a little gray area right there. Yeah, absolutely, and it's good. Yeah, it's good at some things, it's not good at other things. I think just repetition of using it lets you know what it's good at and what it isn't good at. But it's also the
tool itself. I mean, a lot of the discussion, I think, at Build has been around this kind of agent model, where you have these lowercase-a agents, where it's an agent that's particularly good at a specific task, and the prompts and the meta prompts and the models that are used and the data, like the RAG patterns and all of that stuff, is tuned to answer that question, to help you solve that question. And that's kind of how you make it
a little less gray, I guess, in those areas. But yeah, the tooling is definitely evolving. I guess, you know, slowly we're getting closer and closer to these tools that help with some of the other stuff. I'm appreciating that models are getting smaller. That's to me a sign that they're actually getting mature, right? You know, one of the pushes they had
in the keynote was six times more efficient, one twelfth the cost. Yeah, and it's like, okay, well, that's the kind of thing we want you to do. We don't want you to just keep making the model bigger and bigger and bigger, but along with that has to go accuracy. Yeah, and you would presume that those numbers go alongside at least as good, if not better. Well, I don't know. That's one of the problems I have with, like, summarize this code. What if it's wrong? It's
wrong. Yeah, that's right, and so you either have to trust it completely or don't use it. And that's the problem, which is not just for Copilot but for everything. We were talking to Barry O'Reilly and he kind of put his future hat on and said that someday he thinks we'll be the copilots. Yeah, that's a good way of putting it. I've had that similar thought, where we will be supervisors, amongst... like, yeah, yeah, but that does not make us a copilot. Like, I didn't agree with
that on that. Yeah, in the sense that software has no intent, right? It doesn't, you know. I think it would be good at managing a checklist. Give it a part of the data set that was requirements. Then it would go and map those requirements to what was being built and then just bring up, like, hey, there's this requirement and I can't find a mapping for this. So it was a kind of a, you know, shock
value absolute statement. But if you think about it, you have the people at the top who are driving the AI, and then you may have copilots to the AI underneath that, that do the checking and do the... It might be more of a balance of work, right, where the AI is doing,
yeah, the majority of the actual work, but you're alongside. And I don't know who said this, it might have been you, Richard, that, you know, don't be afraid: the chances that your job is going to be replaced by an AI are small, but the chances that your job is going to be replaced by another developer that uses AI are obviously there. Yeah, because they're more productive, they're more... Productive, yeah. Yeah, I didn't really want to talk about Copilot all that much, but it's kind of the monster
in the room, like it's unavoidable. And obviously there's new integrations and things with that. But the bigger announcement that came out last month was... I thought that was new for GitHub. Like, that again, GitHub's having a good time right now, you're making new things. Yeah, and Workspace to me sort of came out of nowhere. Yeah, it was. So we have a team inside GitHub called GitHub Next, and it's kind of the R and D of GitHub.
It's like the concept car department of GitHub, and they experiment with a bunch of stuff. That's how Copilot came to be. That started there and then it, you know, gains kind of product fit and maturity and stuff like that, and then it goes to, you know, the product teams. But one of the things they've been working on is how do we look at that other seventy-five percent of the work, and how can generative... yeah, that isn't coding, yes, and how does generative AI help with that?
And the model they kind of landed on is this thing called Copilot Workspace, or GitHub Copilot Workspace. So, like, to run through the scenario: you start with an idea, an issue, or just a sentence, like a task, something like that. Using that and its knowledge of your code, a semantic index of your code base which understands, and I'm doing air quotes around the word understands, it
knows how that all fits together. It identifies the relevant parts of your code and builds a specification, which is the current state of those relevant parts of the code, and then the proposal of what should change there. And then from that, it's all completely under your control. So you can change that, you can remove things, you can refine the original task, you can provide more
information. But then when you're ready, you go from that specification to a plan, and then it's identifying the files that need to change and how they need to change, and again you can add files to it, you can remove things, you can correct understanding. So it's almost as if you had ChatGPT
that had the context of your application. Yeah, already known, exactly. But the important thing is it kind of goes through the same flow that you would as a developer, and they experimented with a bunch of ways of doing this, right? But that is kind of the way that we work when we
approach a problem. We think about what it looks like now and what it's going to look like in the future, and then what does that mean we need to change and how, and then when you're done, you click on, you know, implement these files and it will go and write the changes into
the files for you. Again, completely under control. You can change that code, you can revert it, you can do all that sort of stuff, and then there's some other tech around it, like being able to do a live preview with a Codespace underneath it and things like that. But that flow of let's find the places in the code that need to change, identify how they should change... You get a work item in that says, hey, we need to update such and such. You're
like, well, where is that in this? Yeah, the idea that the tool would just go, it's here, I think it should look like this. Yeah. So, I mean, first, did it find the right location? And then the second question is, is this the correct change? Yeah, and the team is incredibly conscious that it's not a case of let's just write some natural language description of what needs to change and then magically it just gets
done. You know, there's got to be human guidance in that, like the experts need to be able to look at what it's doing and say, well, that's clearly not right, or we need to refine it this way. Or even the team itself uses it internally. They do a lot of dogfooding. So some of Copilot Workspace has been written with Workspace, which is kind of a little bit recursive. Yeah, we don't call it dogfooding, by the way. It's drinking your own champagne. That's a little
disgusting. Dog is eating dog food, wasn't... Yeah, dog champagne, I don't know. Even worse, so drinking your dog's champagne. Drink champagne. I'll propose that to anyone. But they've been doing a lot of this stuff internally. Some of the things I use it for is just, like, ideation, like, hey, what would it look like if we did this? And then it goes through and identifies the changes. You have a look at what it's done and then be like, ah. But it does go to an origin of
code every time, right? Yeah, that's, yeah. This is not a collaborative tool for writing a menu or, you know, it's always code. Yeah. Yeah. So the context, and to your point, Carl, about, you know, knowing and trusting that it's doing the right thing, you can go some way to doing that by saying here's the code, and here's the searchability of the code. We've indexed it. So there's some grounding. The whole code milieu of AI is not really a problem. Yes, yeah, so yeah,
they're working on that. That's Workspace. That was kind of announced. It's in technical preview at time of recording, but you can add yourself to the wait list. You can? Yeah. So yeah, it should be pretty easy to find that wait list, but we're slowly letting people on and trying to look... I've got a link for the show notes, so you can go get on the... It has the thing that says join the wait list if you want to take a look at
it. So, I mean, I would argue that GitHub Copilot at ten bucks a month is too cheap. Yeah, it's interesting. We get them on one side, or the one through Microsoft 365 is thirty dollars. Yeah, and some folks complain about that, although again, talking to organizations, maybe we've had on RunAs, and they're like, these people are worth fifty bucks an hour. Yeah, you save me an hour in a month. There's one of the guys at the booth, Dave Bernison,
you probably know, you know everyone. Dave Bernison did some back-of-the-envelope math about, you know, how much you would need to save in developer time to cover that Copilot license. And I think he worked it out at something like twenty minutes a month at an average developer salary in the US. Yeah. Yeah, it's ridiculously cheap and the benefits are huge, right? Like, it's just, it's crazy to think about, with the effects of that, it's
expensive to not use. Yeah, exactly. And then you throw in, I mean, at some point Workspace is going to be a product, it isn't yet, and you're going to charge for that, and same sort of thing. Like, I have wasted an hour looking for the right place to make a modification to some code. Yeah, just chasing around, going, I'm in the wrong freaking project. Yeah, especially if you have a lot of projects inside your organization. Yeah, yeah, how do you find where the right
thing is? Because I've been on .NET... This is a React project that somebody wrote twelve years ago. Like, I don't know if React's been around for twelve years, but I definitely have twenty years' experience, though. That's right, tell my resume. Yep. Oh man. Well, I mean, I'm looking forward to spending some time. I've got it on here, on the early wait list, so we snuck you in. Yeah, I appreciate that. And you know what I'm going to do? I'm going
to work on the RunAs site with it. Nice, exactly that. Because there's things I need to do and I'm not paying close enough attention to it. So it's like I can sit down for a day, get RunAs in there and just say, oh, these are the changes I need to make, and see what it suggests. You know, that's good to do some real work, and goodness knows, I don't have a real job, so I have to maintain, you know, the RunAs site. That's what I'm
going to do. The enterprise-ness of... Remember when GitHub couldn't make money? Yeah, yeah, you know, and I remember that. Yeah, and then it was bought by Microsoft. You're like, ah, good, you know, now they don't have to make money. It's gonna be fine. In fact, they made a bunch of stuff free that they were
trying to charge for before. And now you've got 1.8 million subscribers to GitHub Copilot, yeah, which I think Satya called out at that number, and I'm like, ten bucks a month, that's a bit of cash flow. I mean, in the tech giant world, it's nothing. Like, Microsoft rings in, what, sixty billion a quarter or something like that? Something absurd. But that's money. It is. And I mean, that's still only a fraction of the number of people on
GitHub. There's one hundred million people using GitHub, yeah, maybe two million of them using Copilot so far. So you're just barely touching the potential customer base. But, you know, I'm wearing my enterprise hat full on. It's like, there's a bunch of stuff I need from GitHub. Yeah, I want a good bill of materials app, yeah, across a large organization. How many of these applications use Log4j, please? Yeah, like, you can figure that out,
but I've seen people spend days figuring that out. Yeah, the data is there. Like, we... things like Dependabot as well, which is fantastic. Yeah, can identify those things and then surface that up to your org level and to your enterprise level as well, if you have the right licensing, and be able to say, well, look, of your one hundred projects that you've got, you know, fifty of them are using, like, have Dependabot problems here, and then you can drill into those and
find them as well. But yeah, there's a lot of those enterprise problems that the teams are working pretty hard on because, yeah, GitHub, we still talk about being the home for open source, which we are, but the enterprise is in your open source. Yeah, and frankly, the enterprise has the money. They have to have money. They're using a bunch of these libraries and they're expecting things from them that
aren't intrinsic. Yeah, exactly. We had the, what was it called, the xz scare. You know, the bad state actor, pretty sure it was China, that was slipping a back door into a low-level compression utility that things like SSH depended on. And only because one meticulous guy at Microsoft noticed a half-second or a five-millisecond delay in his benchmark, and
they didn't let it go. He wasn't looking for bad actors. He just wondered why is that slower, and just kept pursuing it, because apparently they hid it really well. Well, also, this guy, or this team, it was probably a team, you know, what happened was their first check-in of rogue code had bugs that were easily spottable, like, and so they asked him to fix them. He's like, oh,
I'm sorry, I'll fix that. And the next one he put out, this was the one that they were like, hmm, we're going to check that out, because it wasn't as obvious. But they spent years checking code into this project. Yes. Like, that's a... they ingratiated themselves to them, and the project hadn't been updated in like three years or so, so it was like the perfect vector to just slide in and be a hero for a
while, get the confidence, and then boom. Yeah, but the level of expertise and dedication required to do that, because... and this is where you're talking about the enterprise in open source, like, how do we have confidence that that code is safe? And you told me this, you had this great comment. We were talking about this in the bar, which is
the alternative to open source is much worse. Absolutely, yeah, and we forget that. Now the state actor breaks into your code base because your system isn't as secure and modifies your code in an invisible way. But there's more people looking at it, and there's so many... Yeah, well, was it the Log4j vulnerability? I think that popped up and we noticed that, and, you know, secured all of our stuff. And then, because where I am is the source of this information, you know, if there's a
security vulnerability, we are aware of it and we publish those. Yeah, and it bubbles up to Visual Studio. You know, you load a Visual Studio project from a GitHub repo and it says, hey, there are vulnerabilities in your chain. Yeah. I mean, every company, whether they know it or not, or whether they admit it or not, I guess, is using open source, of course, to a huge degree, and the question
is do they know it? But from that perspective, when trying to build software with a secure supply chain, it's like, do I maintain my own copies so that I know when they change and they're pristine? And even when I do, the question is, when I pick it up, did I pick it up with a hidden back door in it? Like, it's incredibly hard to know. Like, I think we're still working through the policies that are going to need to say, yeah, this
software is fine, this is what you expect. Yeah. I think one of the things that highlights as well is that there's not really as clear a separation between enterprise development and open source development. It's the same people, for a start, doing that work. But also everything that's being done in the enterprise is dependent on open source people, like people donating their time. So when we think about any of this, it's more, well, companies need to contribute to this project.
Yeah, and we have sponsors and things like that to do it. But yeah, it's a bit... it is. You know, I would argue, if you solve the bill of materials problem, you could also solve the sponsor problem. So there is, and I realize I'm going out
on a limb here because I don't know the exact details, but you can do an export, I think, of the projects that your repo depends on, and then use that to import into the sponsors that, look, we're talking about here. All right, so... No, no, what I mean, that's not what I mean. I mean, AI should be able to figure this stuff out, like, it should bubble up to Visual Studio that when I open up my, you know, updates panel in the package manager console in
Visual Studio and there's thirteen or fourteen projects there, when I go to update them all blindly, which is what everybody does, let's face it, right, I want some AI in there to say, you know, hey, maybe this one right here, I would... you know, it's kind of like... So, wow, that's a great setup there. Well, which I don't think you knew, but one of the things that we announced a little while ago was, so GitHub Advanced Security can review the code and say
there's a vulnerability. But we've got this new feature called Autofix, where it will look at that vulnerability that's been identified and then say, and Autofix is maybe a bit misleading, but it'll say, here's what I think the fix for that should be. And then you can review those changes in a Codespace or an editor, or you can just say, yeah, that's right, that's fine, and then apply or submit a pull request for that change. And that's AI jumping in to say, this thing happened in a pull request
that introduced a vulnerability. Here's a fix for that if you want to apply it, or if you want to investigate more. And again, this is where I think AI shines: in the code, you know, in data that's ours and looking at repos and things. This is all good stuff, people. There's no reason to be afraid of this stuff, and if you're not using it, you should be afraid. You should be concerned
because you're only missing an opportunity to leave yourself more vulnerable. And with that, we should interrupt for one moment for this very important message. And we're back. It's .NET Rocks. I'm Carl Franklin. I'm Richard Campbell. That's Damien Brady. We're at Build. And by the way, sorry, that's Donovan Brown. And by the way, if you want an ad-free feed, just become a patron. Go to patreon.dotnetrocks.com. Five bucks a month will get you an ad-free feed. Okay, yeah,
I had to say that. Yeah, it's a good idea. Yeah. On the sponsorship side, I think I said this in the show some time ago. It's like, listen, I've worked with enough CFOs. They will cut a check a year. Yep, that's all they're going to do. Give them a number, let them know the money is going to be well spent. They'll cut a check a year. And actually, in an enterprise where they would do that, it's too many projects, Like it's just hard to say, you know, say I cut a check for ten thousand dollars,
who should it go to? Right, And you've got to have a responsible way to say here's where our dependencies are, you know, and these projects need to be supported, like, don't cut a check to Microsoft. They're okay, but you know, if you're, if you, if your productivity comes out of AutoMapper, Jimmy deserves a little taste. Yeah, agreed, And I'll make sure, like I'll give you the show notes for this one, but I'll point you with those that because the sponsor program does actually fun to
fIF you up until absolutely. I just wonder how hard it is to make sure you're spending money wisely. Yep, I will. I'll send you some things. Yeah, no, I'd like to see that. And I can encourage people, like you can go pitch us upstairs. But I just know how CFOs' minds are. I don't want to be mired in details. If you're telling me this is going to help resolve the issue, which is, we're dependent
on software we don't control, then I'm interested in supporting it. Do you guys know about the ASCAP slash BMI model of royalties for musicians in the music business? Nice? Yeah. So these are two agencies. Their job is to collect royalties on behalf of artists and distribute them, and they will be taking a cut. Oh totally. And I'm not saying it's the best model because, let's face it, the music business sucks and it's full of corruption. Yes, I said
that, don't email me. But basically the idea is that when I register, when I do a copyright, I register with BMI, right, and or ASCAP, and then ASCAP goes on to bars and places that play music, even if it's like Spotify, right, and they, these guys have to, if they're going to have music, live music, piped in music, they have to pay a fee to ASCAP and or BMI, a couple hundred dollars, four hundred dollars a year or something like that. And then those guys, based on whatever
voodoo magic they do to figure out who gets what, distribute royalties. But it's only based on, you know, what is the most pop, what are the most popular artists and all that stuff, and there's like a pyramid.
I'm not saying this is great, but it does take the, how shall I say, the complexity and the guesswork out of it, so you know if, if a company that uses open source, while introducing an extortion element, absolutely, Richard. I just don't know that people understand about this model, right, and you know so, so if we try to adapt this for the software world, you, if your company uses open source software at all, you would pay an annual fee to some place and then they, based on not
based on what you use, but just based on the popularity of the most popular open source projects, will distribute checks to those people. Yeah. Yeah,
I don't know that I'd be happy with that. I want to I'm not so sure I would either I want the money to go to the projects that if that guy doesn't get funded and he quits, right, or he's desperate for a maintainer and a state actor comes in as that maintainer, I get screwed, right, And so so that model is like you own a bar, but the only music you play is Bob Marley, right right,
You want to pay all your money to Bob Marley. I have a repertoire of songs, yeah, and you know, and I want to make sure that it goes to those artists. Yeah, yep. So, because we're drilling in on this, I had, I had a quick look while we were talking, it was about March last year, so more
than a year ago. There's an export feature that'll, uh, if you've got read access to a GitHub cloud repo, you can export an NTIA-compliant SBOM, so okay, yeah, a software bill of material, software bill of materials. Yeah, and then you can apparently, if you have one, you can upload it to the dependency graph and get Dependabot alerts for all of those. But if we're talking about sponsorship as well, that's, yeah,
that's a good way of finding out where your dependencies are. I guess we have the added advantage in the software world of knowing exactly what we're using, right, whereas a bar owner isn't going to write down every song that gets played throughout the year. Yeah, and we do have that advantage. But of course, at the enterprise scale, no given developer knows. Yeah, right, and that's literally no given developer. The architects don't know.
Hunting down the woolly corners of software that are being written in your organization becomes a problem. But yeah, well you know, there, there's a job for AI right there. Okay, as a mini hunted down like rogue SharePoint
instances and SQL Server instances. Right, Like the idea that you would actually know all the software that your organization is running is hard, well, you know, but it's, it's something that an AI could help you with, isn't it, Because this is what you're talking about with the, holy crap, you know, the stuff that's being built into Windows that you could just say, you know what, when did I look at this? When did I look at
this thing? Or what am I using? Yeah, and I'll go through all my projects and give me a breakdown of all the dependencies that I have. Yeah, it's it's good. But again, I would pay, I know organizations would pay for a nice client on GitHub. That showed me I don't that I don't have to do that Excel work myself. Yeah, that just showed me this is the this is the the are the the dashboard of
dependencies that my organization has. Yeah, but then we also, you know, now you can go and assess the projects and go, who really needs support here and who doesn't? That's true, right, Like, that's, that's, that's the look I want to have when you go broad scan. I just, I don't want us to get to a point where we're big corporate, you know, big companies, so I can't afford the security risk of open source. We're gonna, we're going to change, yeah, I mean yes, yeah, and just
use only internal. I mean, I can't imagine how much that would slow you down, Yeah, or how much it would cost for that matter. On the other hand, you know, take a look at the price of a, of a, of a major breach, right, of, you know, it depends on the class of software. Like, you know, there's a great question to answer, how much US government stuff is open source right now? Especially the secret, you know, on the, on the private networks that they have, Like
how careful are they being? And I wonder if this is an arms race that we're going to get better and better tooling to and to identify backdoors that we can't we you know, you don't give up an open society because people are exploiting it. Yeah, you just fight back, and so you know,
don't give up the advantage of open software. Fight back. One of the stories that we did on Security This Week lately was that it was a, It was an article that basically they did some research, day the canonical day, somebody did some research that said that there are, hope that there are AIs now that are looking at zero day reports as they come out and then actively exploiting them. So hackers can use AI to the, like the second a zero day bug
is reported, go exploit it and take over and right. So now the question is, well, what's the use why? You know, you can't just throw up your hands. You can use AI again, if there's a if there's a tool for use for evil use, there's a tool for good. Yeah, and the good guys generally have more skilled people working faster. Yeah, because they're the good guys. That's the advantage. You know,
if you were really talented, you wouldn't be a bad guy. Well, I mean, that's that's a little bit of an argument for like putting your code in one of the major player's hands. I guess which I mean. I'm here at build, so I don't I'm not going to get kicked out
by saying that. I don't think. But there is, even like all of the AI stuff that happened in the keynotes, the point that they made was, yeah, you build your own Copilots, you build your own like tooling like that, But it sits on the platform of like the responsible AI stuff. Microsoft has teams of people working on this, Like there's, there's a huge number of people attacking that problem, just the same as the vulnerability problem.
There's a massive number of people just working on that. If you bought it all in house and said you're not going to do anything, you're going to be more vulnerable. We had the same We had the same argument back at the beginning of the cloud absolutely where people were afraid to go to the cloud because they thought it was insecure. And you know, hey, do you sleep at night? Oh you do? Well, these guys don't.
Oh yeah, well, so it speaks to the idea that, so we do have an open source exploitation happen that puts a backdoor into a library that a bunch of projects depend on. But because they're running in the cloud, it's the actual security guys that notice when the back door gets utilized. That's right
away, and go hey, that's not right. And now you know so instead of trying to stop everything at the beginning, it's only if it becomes exploited or something goes on that because you and hopefully you know this is part of changing the way we build software that in a manifest of that software, it says, these are the parts we communicate on. This is how this is going to work. And so these exploits go outside of that. You know, they open up a connection for RDP. You're like, that's not
right, that's not how that's supposed to work. Close that and let's have a conversation. It's a bit humorous, isn't it, to think that we can do a better job of securing our machines and our software than a whole international company full of experts, that one of what, three that exist in the world, that can afford to pay the best of the best to work twenty four hours a day, hopefully with multiple shifts, and all of those resources to come to it.
Like, yeah, of course you count on them. You're paying for it too. It's not free, like they're not doing it all out of the goodness of the heart. That's their business. Do you think it's a, it's a better way to go, and it's not an excuse to give up on open source, but the threat is there, yeah, and ongoing? Oh, I mean I would also argue, you know, why did they target Windows back in the day? It was the most popular way to do things. Yeah,
why are they targeting open source frien these days? It's the most popular way to do that. By the way, Macs and Linux have just as many vulnerabilities nowadays as Windows does. Yeah, because they're popular. They're not popular, as popular, Yeah, no question. Well, and watching Midnight Blizzard go after Microsoft, Yeah, you know, was a manifestation of exactly that
same thing. But it's like, click, why wouldn't you target them? They got the biggest surface area, huge number of developers, huge number of things, and best opportunity if you do get in. Well, the AI security thing that they talked about today, I was, I was waiting for that. I was waiting for some meta service that is looking at the output of your RAG system or whatever it is. Yeah, and you know, smelling for, that
doesn't look right. You know, that doesn't smell right? Yeah. Yeah, And I would, I would suggest, I don't know for sure because I am not in those teams, but I would suggest that Microsoft, for example, has probably been doing a bunch of that stuff for a while. Yeah, but only now they're like letting you have that as a consumer product, I guess, or as a, you know, I was a bit surprised when they started talking about the Midnight Blizzard attack, like it didn't hurt anybody. Why
are you talking about this you don't have a disclosure requirement. I wonder if they were like literally calling out the Russians, like we know you did this. I also think that part of that was talking to Microsoft internally effectively saying this is our problem and we need to fix this, and so everybody's on board with it, Like seeing it publicly has weight, yeah, and speaking internally that's definitely there's definitely a forefront of the work that's being done right now.
But I think I like that trend. I think of how a thing has happened. Let's tell everyone that it happened, and this is what we did to fix it. Yeah, yeah, exactly. Anyway, it is interesting times, and it is, and it is, I think, a factor of being successful that you also get to be a target. Yeah, but you know you're also fully aware, and we don't even think of it, like the days of the
university student making a worm, they are over, right. There are nation states who are actively attacking infrastructure, governments and major companies through software, and, and some of them are doing it for money, and some of them are doing it because the government told them to. And we have to take that seriously, like they're, nobody's doing this for fun anymore. It's business, and they're
working hard at it, and you just got to work hard back. And I mean internally, all of these companies, there are red teams who are employed the entire time to start to really try and break the stuff before, before, get ahead of, get ahead of it. Still, all the security in the world doesn't, won't stop an idiot from relying on the output of some RAG and believing everything it says at face value and then acting on it and potentially destroying. Just
don't give them any. Don't give them any privileges you cannot right to Maine submit. Yeah, the second, second day keynote wrapped up with a conversation with Julia Liuson and, it was, it, John, one of the high security guys, and they were talking about this gamut of security issues and I've had the, this Secure Future Initiative, something like that, and it certainly played into supply chain attacks and
all of, all of the sets of issues. So you know, one of the things that you notice happens is when, when criminals get organized enough, the real serious white hats show up and roll them up. And what I really took out of the end of that keynote today was, we're paying attention to this. We're all going to get some good tools from this, and by the way, the bad guys are outmatched. Yeah. Yeah, the trick will be that we have to actually pick those tools up and use them for our software.
Well, my friend, it's good to see you. Welcome. We updated Australia. Last time I saw you, I was actually, I went to your place. What do I say? Yeah, you did come. You didn't go for a swim though, which I was disappointed about. Didn't know, but it was, I guess it was summertime there. You know in Australia, when they say go for a swim, it's like, you know, ten degrees, and it's Fahrenheit, and there's like man-o'-wars in the water, and we go swimming naked. We got, we got rid of most of those in
a pool. So yeah. Probably growing up in the Pacific Northwest, I was taught very early on if you find yourself in the ocean you've done something wrong. That stuff will kill you. And it's not like sharks or anything. It's cold, you've got a few minutes before you're not coherent enough to get yourself back out of the water. I remember standing putting my feet in the Saint Lawrence River in August when I was a kid, and my bones
freezing, like my, I could feel my bones were frozen solid. The ocean out front of my place is ten degrees C all year round, and in the summertime that's great. It's quick, way to cool down, quick quick. And in any other time, yeah, you're gonna die. Even Monterey, I went surfing at Monterey and my feet were the only things that weren't covered, and within about five minutes I couldn't stand on the board anymore because I couldn't feel them. They were gone. Now we got surfers at Long Beach in
British Columbia. They wear dry suits. Dude, no kidding, they need them anyway. Well, on that note, Damian, thanks a lot. It's been great talking to you too, and we'll see you next time on dot NetRocks. Dot NetRocks is brought to you by Franklins.NET and produced by PWOP Studios, a full service audio, video and post production facility located physically in New London, Connecticut, and of course in the cloud
online at pwop dot com. Visit our website at dotnetrocks dot com for RSS feeds, downloads, mobile apps, comments, and access to the full archives going back to show number one, recorded in September two thousand and two. And make sure you check out our sponsors. They keep us in business. Now go write some code. See you next time.
