Tick TOC
In our last episode, we looked at the story of Notary v2, and how the CNCF’s choices around engagement led to a flurry of allegations against the respected companies and engineers who are working on the project.
This week, the TOC held a public discussion on proposals which would change the expectations on CNCF projects in some very important ways.
For example, one of the current criteria for a project to be Graduated is to have "committers from at least two organizations". This bar sounds very low, yet some projects have not met it and have still been allowed to graduate, granted a pass by way of setting up a “steering committee”.
Swings and roundabouts: a new proposal under discussion is that projects should “have a healthy distribution of commit author company/organization diversity, targeting less than 40% contributions from a single company/org”[1].
That goal does not make it easy to run a company founded to commercialize or support a CNCF project — I did the math.
Following up on commentary on GitHub issues, two former chairs of the TOC joined the call to voice their concerns. Alexis Richardson, founder of both Weaveworks[2] and the CNCF itself, was especially critical of the idea of adding further requirements to projects, citing the challenge of running a small business in an anti-vendor environment, and the burnout that maintainers already feel.
“If I was starting a company, and I was an open source company, I wouldn’t put my project in the Foundation”, Richardson said. “It’s just too much work, and everybody tries really really hard to stop you [from] making money out of it. So why bother?”
“If somebody came to me today and said, ‘I want to be the next Confluent, Kafka, whatever, should I use the CNCF’, I would say ‘do not do that: absolutely no way’”.
I care, but not “attend a meeting at 4am” care, so I wrote up my thoughts afterwards. Decisions and processes that were made when the CNCF had 3 projects and KubeCon was 500 people may not still be appropriate when there are 152 projects and 10,000 attendees.
Did you know the charter of the CNCF doesn’t define project levels, but only the concept of projects being owned by the Foundation? The rest, it delegates to the TOC[3]. However, the rest of the organization treats projects differently according to these levels, especially in the area of marketing support. I think we need to see these problems addressed holistically, and not just by the technical committee.
Tick Dock-er
Score one for procrastination!
I first drafted this section of the newsletter as “Everyone is angry at Docker[4]”, but before I got around to sending it, Docker walked their change back. Let us perform some edits.
Last week, Docker announced (by email) that their way of winning the love of all developers no longer includes hosting their container images for freesies. They announced the price of a free account was going to increase to $420 per year[5].
Friend of the show Alex Ellis led the charge on the follow-up, even though he moved his projects away from Docker Hub two years ago, when they last bent the developers out of shape.
Hacker News expressed their opinions, as did many users on the relevant GitHub issue.
The proposed replacement, the Docker Sponsored Open-Source program, was called out as being a bad fit for many reasons; first amongst them, the fact that Docker tries really really hard to stop you from making money out of it.
Docker eventually issued a ‘mea culpa’ for their comms, saying “We apologize. We did a terrible job announcing the end of Docker Free Teams.”
The community was still of the opinion that they were doing a terrible job by announcing the end of Docker Free Teams, even though the community should have seen the writing on the wall two years ago, when they last bent the developers out of shape.
Let us now give Alex the victory lap:
Over 105k people read my article and hundreds of people voiced their concerns on both Hacker News and Twitter. Following this pressure, Docker Inc reconsidered their decision.
10 days later, they emailed the same group of people - "We’re No Longer Sunsetting the Free Team Plan"
Almost twenty years ago, early in my professional career, a colleague and I used to get lunch at the same nearby noodle place — up to six days per week. That kind of dedication to char kway teow meant we could call Tony (the maître d', if you will) and just tell him if we were dining in or taking away, and lunch would be hot and ready when we got there. It also meant that every day we got a free can of Coke with our meals.
Eventually Tony left, and while the food stayed the same, the free Coke eventually went away. And while the price of a Coke wasn’t the issue[6], it was the feeling of it all. If it had been an occasional free gift, that would have been one thing; instead it had become part of the expectation, and that expectation was no longer met.
You are officially judging me now, and that’s OK. The point is I still use this example from a long-closed restaurant as my reasoning for an important life lesson. Never give someone something for free that you don’t intend to give for free for as long as you are in business. Preferably, write it in stone that if your business is sold, that thing should remain free. Does that give you pause? Then don’t give someone something for free.
Especially don’t cancel your RSS reading service if your users are journalists who are still going to be complaining about it ten years later.
Can Docker not derive enough value from the data from hosting all these containers alone? Maybe egress really does cost what AWS charges. Didn’t BitTorrent Linux distribution mirrors solve this years ago?
I actually believed Docker would ride this one out. Why? Even though we all looked in on Mastodon, by and large, I find our community is still using Twitter, because it’s the place where everybody is. We’re maybe just a little more angry about doing it than we once were.
The music in my ear
Happy 10th birthday to Docker, Inc, by the way, given we’re talking about them. Docker did a couple other things this week: launched Technical Preview 2 of their Wasm integration, and announced a partnership with Hugging Face. They also announced Telepresence for Docker, a thing which they will have to rename[7] in short order.
Kubernetes made Reddit go down, and the post mortem will simply reinforce whatever opinions you had going into it.
Oracle has beefed up its Container Engine for Kubernetes, adding “serverless” virtual nodes, lifecycle management for cluster add-ons, and workload identity. Their press release suggests that OKE will undercut other public cloud providers by 50%, and won’t charge different rates depending on what zone the nodes run in[8].
Google Distributed Cloud Hosted is now GA. I no longer have access to the secret decoder ring, but I think this is Anthos plus hardware for your datacenter?
Crossplane and Notary released the results of their CNCF-sponsored fuzzing security audits. We’ve long known that securing the code is something the machine is better at than humans; writing the code is next.
A couple of new projects that caught my eye:
otterize/network-mapper, which will draw a pretty graph by sniffing DNS requests between pods
project-copacetic/copacetic, which will patch containers using reports from vulnerability scanners.
The WebAssembly corner
In his Browsertech Digest newsletter, Paul Butler writes about the tug-of-war over server-side WebAssembly, with one side holding onto their JavaScript engines and the other advocating for the WASI system interface. I haven’t delved deep into WebAssembly but was somewhat surprised to learn that “WASI on its own still isn’t powerful enough to do table-stakes things like make an HTTP request.” Butler gives examples of how five different vendors work around this, but it seems that a socket standard in the actual spec is long overdue.
Perhaps this was discussed at the Wasm I/O conference, held last week in Barcelona? News from the event includes that Fermyon’s Spin framework hit 1.0, as did Tetrate’s wazero runtime for Go; and that Dylibso launched with $6.6m in seed funding. BC Gain summarized the event for The New Stack.
If you want an opinionated introduction from someone I trust to have good opinions, Fermyon’s founder Matt Butcher has written a New Stack article outlining why they ‘plucked Wasm from the browser’ and dropped it in the cloud.
The moon is full but there is an incompleteness
Miss waking up to[9] the sound of my voice? Apparently Matthias does! Check out the video from a CNCF Webinar I gave last week talking about what I’m up to at ARMO and what’s new in the Kubescape open source project.
I am unreasonably proud of the number of things that came together for this week’s headline, by the way. Listen to this while reading this.
Rest in peace, Gordon Moore; thank you for allowing me to make this joke.
Condolences also to Bihari Baller on Reddit.
[1] Emphasis mine.
[2] A company that commercializes and supports a CNCF project.
[3] It does state that “fast is better than slow”, and “[the] technical community and its decisions shall be transparent”; values which I’m sure the gRPC team are questioning.
[4] “I hear the children crying”
[5] Did they ask Elon Musk to set the price?
[6] It's one can of Coke, Michael. What could it cost, ten dollars?
[7] Because Telepresence is a Linux Foundation trademark, and their rules something something, really really hard, making money?
[8] It also links to a blog post which they may have forgotten to publish?
[9] I had forgotten about, and thus avoided linking to, the goofy music video, which has probably not aged well.
Hoping for another post soon. Miss you hosting the K8s podcast so much.