AI tooling is accelerating code contribution velocity across open source projects, but it is also reintroducing deprecated and insecure code through vibe coding in pull requests and commits. At the same time, survey integrity is breaking down as AI agents game research studies, eroding the human signal that practitioners and project maintainers depend on. These are not hypothetical risks — they are showing up in production workflows and research pipelines right now.
In this interview on TFiR, Hilary Carter, SVP Research at The Linux Foundation, breaks down findings from more than 100 open source studies produced over five years, covering the dual impact of AI on security, Zephyr RTOS at its 10-year milestone, the empirical ROI of open source contribution, and why human engagement in open source communities has never been more consequential.
Guest: Hilary Carter, SVP Research at The Linux Foundation
Show: TFiR
Here is what every open source practitioner, security engineer, and platform team needs to know.
Technical Deep Dive
Q: What is the common thread across five years and 100+ Linux Foundation research studies?
Hilary Carter, SVP Research at The Linux Foundation, identifies two consistent findings across the entire body of work: the unequivocal value of open source collaboration, and the central role of community in solving challenges that extend well beyond code. Those challenges include climate and sustainability management, trust in business transactions, and data sharing across industries. A secondary but equally consistent finding is that the value of open source shows up not just in the software itself but in the act of contributing upstream, participating in working groups, and showing up as a community leader even without committing code.
“The unequivocal value of open source collaboration and the role of community in solving pressing challenges — these are not necessarily specific to technologies themselves. They really relate to human challenges.” — Hilary Carter, SVP Research, The Linux Foundation
Q: How healthy is the Zephyr RTOS project at 10 years and how does it compare to other open source projects?
Carter describes Zephyr as one of the most robust and steadily growing open source projects in the Linux Foundation portfolio, with a growth trajectory now comparable to the Linux kernel. The most significant signal from the 10-year research report is that 69% of survey respondents plan to increase or significantly increase their use of Zephyr. A separate data point from project leadership noted that more contributors committed to Zephyr in the past six months than to competing RTOS projects across their entire lifetimes.
“69% of survey respondents are actually going to increase or significantly increase their use of Zephyr in the future. That’s an incredible signal for the project’s health and maturity.” — Hilary Carter, SVP Research, The Linux Foundation
Q: How is the Zephyr project positioned for Cyber Resilience Act compliance?
In a prior Linux Foundation report assessing project compliance readiness for the EU Cyber Resilience Act, Zephyr was identified as one of only three project communities likely to be compliant when the act comes into full effect. Carter attributes this to the leadership of Kate Stewart and to Zephyr’s deep integration with other security-focused projects in the Linux Foundation ecosystem, including OpenSSF and the adoption of SPDX and SBOM practices since 2021. Carter describes this as a culture of security that permeates the project.
“It is a culture of security that permeates that project, and that has come through the research as well.” — Hilary Carter, SVP Research, The Linux Foundation
Q: What growth opportunities exist for Zephyr in embedded and edge environments given AI and geopolitical pressures?
Carter sees the near-term outlook for Zephyr as opportunity-dominant rather than threat-dominant. Pending new security certifications are expected to open Zephyr to industries where it does not yet have meaningful adoption, including healthcare applications at scale and the space sector. The project’s core strength — running a system within resource-constrained environments — means it is well-positioned to serve any domain requiring software designed exclusively for constrained hardware, regardless of AI-driven disruption in adjacent areas.
“As long as there are resource constrained environments and unique types of hardware needing software designed exclusively for resource constrained environments, I think the Zephyr project is going to weather some of the AI threats incredibly well.” — Hilary Carter, SVP Research, The Linux Foundation
Q: How is AI affecting open source software security — both the benefits and the risks?
Carter notes that Linux Foundation Research has a study in design specifically exploring the impact of AI on open source software security. The research is examining two distinct vectors: the positive side, where AI enables faster vulnerability detection, and the negative side, where vibe coding is causing insecure or deprecated code to be reintroduced through pull requests and commits. Carter frames this as both helpful and a nuisance, and sees no single-sided answer to AI’s net effect on open source security posture.
“The good side of AI is being able to detect vulnerabilities much faster. The negative side is exacerbating threats and reintroducing code that should not be reintroduced into pull requests and commits through vibe coding.” — Hilary Carter, SVP Research, The Linux Foundation
Q: How does the Linux Foundation Research team use AI in its own research process, and where does it draw the line?
Carter says the Linux Foundation Research team has published an AI disclosure statement that accompanies all research reports, documenting exactly where AI was used in each study. Approved use cases include secondary literature research, interview transcription, survey translation and localization into languages such as Simplified Chinese and Japanese, and summarizing large data sets for executive summaries. Carter explicitly rules out using AI agents to conduct qualitative interviews, citing the relationship-building and personal learning value of that process as irreplaceable. Peer review has become more important, not less, because AI outputs in translation and summarization still produce significant errors.
“There is absolutely no substitute for research best practices. And that’s true for coding best practices too.” — Hilary Carter, SVP Research, The Linux Foundation
Q: How are AI agents corrupting open source research surveys, and why does this matter for the broader community?
Carter identifies a new and growing data integrity threat in open source research: AI agents submitting survey responses, producing results that are clearly agent-generated and analytically unusable. This replaces the previous integrity risk of human internet trolls gaming surveys for incentives. The issue surfaced in a planned study with the Agentic AI Foundation, where the executive director acknowledged the risk and committed to insisting on human responses, because the study’s value depends entirely on capturing real human experiences, decision-making, and future strategic outlook. Carter frames this as a signal that human engagement in open source has never been more important.
“Never has human engagement in open source been as important as it is now.” — Hilary Carter, SVP Research, The Linux Foundation
Q: What did the Linux Foundation ROI of open source contribution study find, and what are its three contribution categories?
Carter describes the ROI study as finding returns in orders of magnitude across three primary forms of open source contribution: code contributions, community contributions, and financial contributions. The study combined survey data with an economic model currently in development. A key methodological finding was that not all organization types can be compared within a single model. Energy utilities, which often operate as regulated monopolies with unionized workforces, cannot be analyzed using the same economic factors as technology enterprises, which is driving a separate ROI study focused specifically on the energy sector.
“There was ROI in orders of magnitude for all types of open source contribution, which was really exciting to have the data to back that up.” — Hilary Carter, SVP Research, The Linux Foundation
Q: Why does the energy sector require its own open source ROI study separate from the general model?
During the development of the general open source ROI economic model, the research team found that energy utilities are structurally incomparable to other enterprise types. In most jurisdictions, they operate as monopolies with unionized employees and face a distinct set of economic constraints and regulatory conditions that do not apply to technology companies. Applying the same model would produce misleading results. The dedicated energy sector ROI study is expected to publish in September and will examine the significance of open source projects specifically within that sector.
“Energy utilities cannot be compared to other technology enterprises because in most jurisdictions they are a monopoly and they have unionized employees and they do not have the same kind of economic factors.” — Hilary Carter, SVP Research, The Linux Foundation
Q: What is the Linux Foundation doing to improve geographic representation in its research, including underrepresented regions and China?
Carter acknowledges that current survey data skews heavily toward Asia, Europe, and North America, and that even Canada, where Carter is based, contributes less than desired. The team is launching a worldwide survey at the end of the month with an explicit goal of capturing underrepresented regions. For China specifically, the team distributes surveys through WeChat via enterprise leaders, executives, and community ambassadors who actively share studies in-country. Carter frames this as an ongoing gap and states that five years in, there is still a long way to go on global representation.
“People who need it the most don’t have the access. We need to do better at reaching the different countries of the world and bring those experiences in.” — Hilary Carter, SVP Research, The Linux Foundation
Q: What role do in-person open source events play relative to digital collaboration platforms like GitHub and Discord?
Carter points to the Zephyr community as a direct example of how digital-first collaboration and in-person connection serve different and complementary functions. The Zephyr community operates primarily on GitHub, with Discord as the second major channel for global community connection. In-person events such as Embedded World and Open Source Summit fill a distinct role: building the trust and relationships that digital platforms cannot replicate. Carter frames real-life meetups as where the magic happens, the place where problems that cannot be solved on GitHub or Discord get resolved through direct human interaction.
“When you can’t solve it all on GitHub and Discord, the learnings, the relationships, the trust happen in real life.” — Hilary Carter, SVP Research, The Linux Foundation
Q: What upcoming Linux Foundation Research studies should practitioners and enterprise teams watch for?
Carter highlights three near-term studies. The AI security report will examine the full impact of generative AI on open source software development, covering the beneficial and harmful effects in detail. The energy sector ROI study, expected in September, will apply a purpose-built economic model to understand the value of open source contribution specifically within energy utilities. A worldwide survey launching at the end of the month will attempt to capture broader global representation, including data from underrepresented regions. Carter also references an upcoming study with the Agentic AI Foundation membership.
“The AI security report is going to be significant, that one’s going to be big. We’ll look at the impact of generative AI on open source software development — the good, the bad, the ugly.” — Hilary Carter, SVP Research, The Linux Foundation
Resources & Documentation
- Linux Foundation Research, home of 100+ open source studies covering community health, security, ROI, and industry trends
- Zephyr Project, Linux Foundation hosted RTOS for resource-constrained and embedded IoT devices
- OpenSSF (Open Source Security Foundation), Linux Foundation project focused on improving open source software security
- SPDX (Software Package Data Exchange), ISO standard for software bill of materials, adopted by Zephyr since 2021
- Agentic AI Foundation, emerging foundation focused on agentic AI development with open source community alignment
***
Full Raw Transcript
Swapnil Bhartiya: Hi, this is your host, Swapnil Bhartiya, and we are here at Open Source Summit in Minneapolis. And today we have with us once again Hilary Carter, SVP of Research at the Linux Foundation. Hilary, it’s great to have you back on the show.
Hilary Carter: Thank you. It’s wonderful to be back, Swap.
Swapnil Bhartiya: It is my pleasure to keep talking to you and you folks. You know, you are doing the search in so many different areas. Of course, you’re wearing the 10 years of Zephyr. Your AI is there security, is there open source ROI is there. You folks do so many different things. I will not ask about what is the new research you’re working on, because that’s a big pipeline there. Talk about when you look at all this work that you’re doing, what is the common thread that is binding all these work?
Hilary Carter: That’s an excellent question. In March, Linux Foundation Research celebrated five years and in that time in producing more than 100 unique studies on open source dynamics. What really comes through all of that effort and each and every one of the studies, is the unequivocal value of open source collaboration and the role of community in solving pressing challenges. And these challenges are not necessarily specific to technologies themselves. They really relate to human challenges in terms of climate and managing sustainability issues broadly, how we create trust in our business transactions, how we better disseminate information and share data. Like so many challenges beyond code specific challenges. So that’s what really stands out in the body of work that we’ve done and will continue to do. I would say secondarily to community and problem solving is the value of open source on so many different levels. It’s just been super enlightening to now have empirical data that shows the value of open source, not just the software in terms of the code, but the value of being part of an open source community, of contributing upstream, of showing up as a leader in helping support a project in any way that you can, even if you can’t contribute upstream. Being there to run a working group or chair a board is incredibly valuable and there are so many benefits to be gained by that. So that’s, those are the two things that really stand out to me, Swap, in the course of five years.
Swapnil Bhartiya: That’s an awesome. And of course you are bidding, you know, 10 years of Zephyr. Let’s talk about them because I remember I’ve been covering, I used to work with the Zephyr project as well in past and they, I mean, when I talk to Greg or Linus, are like, hey, this is a tiny, you know, that is, you know, where you cannot run the Linux kernel. Though Greg will argue that you can run Linux anywhere you want. But still, you know, Zephyr created its own space. Talk a bit about the adoption, lifespan, health of the ecosystem. And when you look at this 10 years of Zephyr and of course you cover a lot of other open source projects in the foundation as well, what surprised you the most about this project?
Hilary Carter: Wow. I think the extent to which the Zephyr project represents one of the most robust, steadily growing open source projects that’s now comparable to the Linux kernel in terms of steady growth over a history of 10 years. It’s really incredible. And the extent to which the community plays such a role in creating a secure code base, a mature open source project, Zephyr has. I think one of the most incredible findings from our report is the extent to which our survey respondents, 69% of them are actually going to increase or significantly increase their use of Zephyr in the future. So that was amazing. It’s come so far in 10 years and yet using more of Zephyr is what really stood out to me as an incredible signal for the project’s health and maturity and well-being and how, you know, last year we did a report on which Linux Foundation projects were compliant or likely to be compliant in terms of the Cyber Resilience Act coming into full effect. And Zephyr was one of those three project communities. And the role of Zephyr’s community leadership, its technical steering committee, its leadership by Kate Stewart and the extent to which the Zephyr project is internetworked among other security focused project communities at Linux Foundation, the OpenSSF, adopting SPDX and SBOM since 2021. And that’s really the unique role that Kate has played in building the project and building out an ecosystem that is so much bigger than Zephyr and yet has positively impacted the Zephyr project. That’s been really amazing. It is a culture of security that permeates that project and that has come through the research as well.
Swapnil Bhartiya: And because the case leadership and her own background PDF is a good example. So that was kind of expected from Zephyr. And I mean that project has done incredible. Now if you just talk about embedded space, you know, for a bit, AI is changing the game, you know, it’s going in the edge security, of course you talked about, you know, CRA and you know, the things are getting tighter, you know, and with the whole sovereignty, you know, a lot of Things are talk a bit about. What are you hearing when it comes to embedded word security and the whole geopolitical situation?
Hilary Carter: That’s an interesting question. I think when Zephyr gets some new milestones accomplished in terms of security certifications, I think it’s going to even explode further in the embedded space in new industries where it is not yet showing up. It does exist in health care applications, but security will be game changing. New levels of security certification are poised to enable Zephyr to grow in spaces where they haven’t grown before. So I’m not seeing as many threats to the Zephyr project as I am opportunities. I think space is another major domain and an opportunity for Zephyr because at the end of the day, the project does something extremely well, and that is run a system within resource constrained environments. As long as there are resource constrained environments and unique types of hardware needing software designed exclusively for resource constrained environments, I think the Zephyr project is going to weather some of the AI threats incredibly well.
Swapnil Bhartiya: And then of course, you know, what are the alternatives? Right? Yeah, exactly. It is very mature, very secure, very safe. That is in the DNA. So.
Hilary Carter: Absolutely. And what another interesting finding that wasn’t part of the research report, but it was part of Kate’s presentation today where she talked about the fact that more contributors committed to the Zephyr project in the past six months than to other RTOS projects in their entire lifetime. So that shows you that, you know, as, as options go, Zephyr is incredibly well positioned to run the embedded IoT.
Swapnil Bhartiya: Of course, also in this geopolitical scenario, open source, you know, it kind of becomes, you know, that the way to go because you really don’t want to get logged in that. And also the space, of course it can be slow at sometimes, but also the pace at which the open source community moves, no company can match that, you know, so this is something, you know. And of course the DNA is there. Now I will talk about security a bit, you know, because this is becoming, no matter where you look at it, is becoming a very interesting, important talk, even for AIs, you know, that, you know, talk a bit about when it comes to open source. People used to believe that open source is secure. No, open source is not secure. It is more secure. It has all the core ingredients needed to make it secure. And in this modern world where AI can go and find bug op security, but security is not going to work, you know, anymore. So you do need to be transparent. And things that have been based on your research, what are you Hearing or seeing when it comes to open source and security?
Hilary Carter: Yeah, great question. We happen to have a study in the field right now that is exploring the impact of, or soon to be in the field, rather, Swap, the impact of AI on open source software security. And right now in the design of the study it is looking at two different angles. The good side of AI and being able to detect vulnerabilities much faster and the negative side which is exacerbating threats and reintroducing code that should not be reintroduced into pull requests and commits through vibe coding. So it’s both, it’s helpful and it’s been a bit of a nuisance as well.
Swapnil Bhartiya: I mean, I think we have to accept that this is the world we are going to live in. Agentic AI is going to be there. I’m not a coder, but I have coded a lot of tools myself and yes, four or five days later Cloud Codex will find, you know, hey, this is not. We should have done. I’m not a developer so I don’t know. But we cannot just put all the blames on it because we, we know, we keep seeing CVEs. You know, as Linus once told me that as long as we are going to write software, bugs will be there because bugs are part of writing software process. Now some of those bugs may become security bugs as well. So there is no way around as long as you’re. Now of course with vibe coding the velocity increases, but then we are hearing a new term called wipe hunting. Now even HR managers, if they see something they can wipe out and find the bug and get it fixed instead of creating a ticket sending it to security teams. I think what is happening is that earlier security was treated as someone else’s problem. Now it is becoming everybody’s problem, which may be a good thing in a way. So this is the world we are going to live in.
Hilary Carter: The chickens have come home to roost on that. And I see, even in research I see the benefits and I see the perils. The benefits are many. It’s been definitely a value add in so many different ways. Helping transcribe a research interview, helping do secondary research, find a bibliography, very, very helpful in terms of speeding up many research processes. Yet at the same time, if you ask certain systems to do basic tasks, you can find yourself overwhelmed with bad data and bad responses and hallucinations, unfortunately. So I’m hopeful that over the course of several years we’ll be able to fix some of the problems and get the best out of AI for all of our purposes. There is absolutely no substitute for research best practices. And that’s true for coding best practices too.
Swapnil Bhartiya: Right? Now, this is a bit of tricky question because I may ask you to disclose about things. How much AI do you folks use to produce some of these research work and if you have used it, how reliable it is? Because we use in container space a lot. We know that it will hallucinate sometime. It will work like a toddler, that you have to keep correcting it, it will keep making mistake. Sometimes the stakes are not that high, so you don’t care. But sometimes the stakes can be high. Now, when you work on the research, it is different because for us, we may have. We talk to you. So we already have authority, content, you know, we. But when you’re doing research work, you’re talking to people. So how much role is AI playing in your research work?
Hilary Carter: Yeah, terrific question. We just came out with an AI disclosure statement that will accompany all of our research reports so that readers can understand where did AI factor into this study? And it’s usually in quite predictable ways. First of all, as I mentioned before, secondary research for doing background research. If we’re doing a basic survey of the literature, that’s where AI has been very, very helpful. Transcribing an interview, a qualitative interview. I’m not yet assigning the qualitative interview process to an agent. That’s an activity that is so valuable on so many levels that I don’t think I would ever assign an agent to do that kind of work. The relationship building is so incredible that comes out of that. And the learning for me personally has been amazing in that process. We use AI to translate surveys, to localize surveys into Simplified Chinese and Japanese, for example. And we find still enormous amount of errors in a lot of these AI processes. So we might do a V1 of something with AI but make sure that our team, our translators, our research team, peer review has never been more valuable than today. I will say we can use it to help support writing. To summarize, let’s say we’ve got 300 slides of data, create an executive summary of some of the most important findings, or we’ve got a research report written. Help us write that executive summary. So that’s where it’s been very, very helpful. But it’s still a nuisance, I hate to say it, on a lot of levels. It’s, oh yeah, it’s a love-hate thing right now.
Swapnil Bhartiya: Yeah, How I look at AI is. And I don’t want to offer I am a Writer. I used to be writer. Now I always was a video person. When I was doing my journalism, it was video. But despite being a writer, I want to say that I hate keyboard and I hate writing. Just think about yourself. The amount of very valuable insights you have shared with me in this five minutes. If you had to type them, it would have taken you two to three hours. You know, so type typewriter. And the way our brain process is there’s a big. I’m a gamer. The latency is not working for me. So the way I use AI is to transform that translate immediately into the words that I want to. So instead of wasting time in typing those words, I spend my time in improvising on them, creating variation where I know that it will make mistakes. So it’s more like, you know, when I drive a car, I leave traction control, everything else to computers, but steering wheel will be on my hand, you know, so you know what I mean? So that’s why you have to. So when you talk about research. Yes. Those are high stakes. So you have to pick and choose where you can or cannot go. So I wanted to ask that question. So thank you for actually answering that question as well. Any additional thoughts on that?
Hilary Carter: Good example of a great use of AI for research is even in promotional activities. When we’re creating social posts, when we’re writing a blog. I’ve now set up a gem within Google Gemini to be able to create the length of blog that I need and pull out several key findings from the report. And it’s starting to do that effectively. I also find that if we have to submit a call for papers to an event or some kind of third party promotional activity, even writing a bio. My bio standard is 100 words. AI condensing my bio to 50 words in 10 seconds or 2 seconds is amazing. So character count, word count. Those are marvelous. Marvelous. Use cases of it.
Swapnil Bhartiya: Yeah. I’m a fiction writer, so I also use AI a lot for internal logic.
Hilary Carter: Oh yes.
Swapnil Bhartiya: Which character is there? Which character is there? Their tone, the way I have built character cards. So when you write a scene, because AI ensured that that character will always. Like when you watch movies, Arnold has a different presence than Stallone. But when you read novels, you don’t see any characterization there because everybody is just words. So AI even sometimes people are saying that AI can threaten the right creative people. No, AI never had a girlfriend that left him. AI never had a mom or so all the human experiences that AI will never have. So creative people never have to worry about AI they use it as a tool. Ben Affleck did a very good interview and, and it was amazing the way he talked about these things, that this is a very powerful tool in the right hand and that’s what you’re explaining and that’s how people should look at it. Not a replacement. So in a lot of. I had a discussion with Clyde before you and the whole thing is, you know, that it’s like coexistence, you know, it will, it’s, you know, it’s not going to replace it.
Hilary Carter: For the first time now, we’ve had to add a response option in our surveys. Used to be the hazard in going into the field with the survey was the bottom, the Internet troll looking for surveys and gaming the system in order to get that gift card or to be able to enter that draw and win. Now it’s the bot and the agent and we’re seeing results come in that are clearly the work of agents and the results aren’t great. And so never has human engagement in open source been as important as it is now. Even in my conversations with the new executive director of the Agentic AI Foundation, we’re going to do a study among the AIF members. And I said, how many of these folks do you think are going to game the system and have an agent answer the survey? Yeah. And he said he, he will insist very strongly that people answer the survey because it is their points of view, their experiences that matter, their future outlook matters. AI is amazing at looking at the past. Let’s talk about present day realities, human experiences, human decision making, enterprise strategy for the future. That’s where engagement has never been more important. And bringing people’s perspectives, real world perspectives to the table through the research exercise, it’s still really important. And it’s important to the Agentic AI Foundation, which is very refreshing to hear.
Swapnil Bhartiya: I was reading something yesterday or day before yesterday that a group of billionaires or even some technologists who created some of those technologies that we got addicted to, they want to now invest in training people with those vocational jobs, you know, plumbing, know all the electrician jobs, and also to shut down your screen and have human interaction. Like when I come to this event, okay, I talk to a lot of folks like throughout the year, you know, four or five interviews a day, thousand of people. But this interaction, nothing can beat, you know, and, and that makes you feel you’re human, who you are. Joy, sadness, sorrow, it comes from people, not from agents. So that’s why I always tell them they are the tool. I’m still the Operator and that is the I think the most exciting and these open source events and actually I was talking to some people here and we have known each other for like 15 years because of these conferences we kind of become friends. So these, this human interaction, nothing can beat and match that. So that is very, very true.
Hilary Carter: My son’s bachelor of music degree has never come in so handy before swap because it hard forced him not that he was not inclined this way anyway but to be present with his fellow musicians, to work on a project together, to show up in real life, to rehearse, to practice and to be accountable and to be a part of something bigger than himself. And those unique human skills are incredible. He’s also into a summer camp and outdoor education where they actively encourage young people to put their phones away to learn how to create in nature, to learn how to work together as a team to solve really interesting non digital challenges together, to build out their emotional quotient. So that’s another finding I guess if you want to go back to your first question and as I reflect on what’s been the most interesting learning experience of conducting research over the course of five years, I’ll add and say the extent to which human beings are at the top of the open source food chain and are at the top of the significance in the global economy today, it has to be about people and
Swapnil Bhartiya: it also brings when you do, I mean of course we sometimes become too critical that open source developers are complaining about vibe coding, injecting so many code, but they’re also reflecting the real because they are the people, because we don’t get access to the developers, what they feel, who are working inside company as employees. They don’t have the voice and they don’t voice the voice. But open source community can actually talk about what so we can actually mitigate those problems, because this is a real challenge as well. So it further reinforces open source people, they’re always on the top no matter where we are. And luckily with the Agentic AI Foundation and all the innovation that is happening here in this space, a lot of open source work is being done now. Companies like Nvidia and all those other. So once again it’s like on the driving seat, right? Not on the back seat. So yeah, I mean I don’t want to talk too much about it but I do feel that, and I’m not saying because I’m biased, but I do feel that Linux Foundation has done a very important job that when historians will look back at the whole evolution of technology, the way democratized technology, it made accessible. And it also, like as you said, we talked about that open source has kind of become a universal language. It doesn’t matter what geopolitical war is going on. People can still work together, people can still continue to survive. So this is much bigger than, yes, we do get too much focus on what is happening today. But in larger respect, I think you folks are doing really incredible work in this space.
Hilary Carter: To hear, I’ll comment back to the Zephyr project in terms of where the Zephyr community meets. Yes, it was GitHub first. The second channel was Discord. And that’s natural as a digital platform first to connect a global community, it has to be digital first. That’s how it works. But immediately after that came in person meetups, conferences like Embedded World and Open Source Summit. That’s where the magic happens. Because when you can’t solve it all on GitHub and Discord, the learnings, the relationships, the trust happen in real life.
Swapnil Bhartiya: Now, of course you folks do a lot of work, so I’m not going to once again ask the whole pipeline, but talk about what are the most important work that you folks are doing that folks should look forward to.
Hilary Carter: Wow, that’s, well, AI security report, I mentioned that one is going to be significant, that one’s going to be big. We’ll look forward to seeing the results of the impact of generative AI on open source software development. The good, the bad, the ugly. We’ll look at trends within industries. We’ll continue to see how open source is reshaping industries like financial services and energy. I’ve got some really exciting energy projects coming up. Energy ROI study coming in September. I’ll focus on that one for a minute, Swap, because as you know, earlier this year we published a report on the ROI of open source contribution. Contribution comes in three primary forms: code, community contributions and financial contributions. And there was ROI in orders of magnitude for all types of open source contribution, which was really exciting to have the data to back that up. And the data came from both a survey and an economic model that is being developed. But in the process of developing the economic model, not all organizations are equal. And we learned that energy utilities cannot be compared to other, say, technology enterprises because in most jurisdictions they are a monopoly and they have unionized employees and they do not have the same kind of economic factors that other enterprises may have, just cannot be compared apples to apples. So that is driving a whole new ROI study on the energy sector and the significance of open source projects within the energy sector. I’m looking forward to seeing that one come out. That’s coming in September.
Swapnil Bhartiya: Are you folks also doing any work on either the impact of AI or open source in some of those communities which are still to fully embrace technology or which are a bit behind when it comes to tech innovation?
Hilary Carter: We are launching a worldwide survey at the end of this month and we hope to have as many different regions represented in that effort. It would be wonderful if we had a data set that we could analyze coming from underrepresented regions. The challenge is getting the, getting the data in order to be able to run a statistically relevant bit of analysis.
Swapnil Bhartiya: That gap is already there, so.
Hilary Carter: That’s right, yeah. Access. I mean, in an ideal world we would have an even representation by population of our survey takers, but it’s predominantly Asia, Europe, North America. Even, even Canada, where I’m from, they’re not contributing to our studies as much as I would like. Gotta change that.
Swapnil Bhartiya: People who need it the most don’t have the access.
Hilary Carter: Well, China as well. Our survey responses, as much as we are trying to distribute them on WeChat through, call them ambassadors of different kinds, enterprises, leaders, friends in China who will, who will actively help share a study. We need to do better at reaching the different countries of the world and bring them in, bring those experiences in. So we’re five years in. We’ve got a long way to go.
Swapnil Bhartiya: Hilary, once again, thank you so much for sharing your insights. Actually what you talked about, open source, human and the value of these relationships. You know, since you work on research, so you do actually talk to people, so you have much better data set than a lot of other folks. That is really critical, and the role and importance of these conferences, these communities. Once again, thanks for not only being part of the community, but also driving some of this initiative. Once again, thank you and I look forward to chatting with you again.
Hilary Carter: Swap, thank you for the opportunity to share all the work that we’re doing in research and to help me build new relationships through this process and help continue the work that we’re doing.





