Episode 123 · Dec 17 · Talk

Floor Drees on Building Sustainable Open-Source Ecosystems

Featuring Floor Drees, Head of Education at Tembo.io

Despite the pervasiveness of open-source software, its sustainability is increasingly under threat. While some communities have established robust ownership for distributing and maintaining their software, others, despite their relevance and popularity among enterprises, are lacking adequate support. In this episode, Tembo.io Head of Education Floor Drees explains the need for a more collaborative and sustainable approach to open-source development. She will help us explore the current state of the Postgres ecosystem and the broader open-source community to point out the critical issues that need to be addressed to ensure the future of these vital technologies.

Edited Transcription

A series of notable positions across influential tech companies characterizes Floor Drees’ career. From Microsoft to Grafana Labs, and later Aiven, Floor gradually specialized in database technologies. Currently, she is the head of education at Tembo, a developer platform built on Postgres (also known as PostgreSQL) designed as a unified solution to employ data services and build database applications through its over 200 Postgres extensions.

Trusting Postgres extensions

As a reference in the Postgres ecosystem, Tembo provides a trustworthy interface for extensions that are otherwise scattered across many sources. “It is a bit of the Wild Wild West,” Floor says, with “a lot of different extension authors hosting their extensions in very different places.”

The issue of decentralization goes further than a mere inconvenience: Each source implies different hosting and development practices to be understood, adapted, and trusted separately. For organizations considering implementing new extensions, the process is fraught with uncertainty. As Floor notes, companies become “super cautious and anxious to adopt” extensions due to the unclear provenance and reliability of these add-ons.

Unlike ecosystems like RubyGems, which offers transparency and credibility through information about downloads, contributors, and companies involved, Postgres extensions lack a comprehensive trust framework. Floor believes it is “very difficult to understand which are the tools that you can trust, rely on, comfortably put into your stack and forget about to a certain extent.” 

The culprit behind Postgres’ extensions issue is the database’s own development philosophy. Unlike most open-source projects, Postgres adopts a more closed approach to contributions characterized by a steep learning curve. In this sense, contributors need to actively participate in mailing list discussions before proposing and designing changes. As a result, there’s a limited number of merge requests, which undergo rigorous review and are typically incorporated into yearly releases.

Likewise, Postgres does not use GitHub for contributions, as it “incentivizes sort of drive-by contributions,” says Floor, and demands reviewing many pull requests. However, she points out that Postgres’ decision implies that “growing your contributor base with new people that might bring new perspectives is going to be harder.”

Moreover, extension creators have a diminished role in comparison with core developers. In Postgres, unlike other projects like Ruby, only those contributing to its core are considered contributors and listed as such on its website. Floor considers this an unfair perspective, as she believes “extensions, sort of the tooling, and having a healthy ecosystem is what makes a project great.” “Not recognizing those types of contributions, I find that unfortunate. That’s the word I’m gonna choose, unfortunate,” she says.

The future of open source: Responsibility, legislation, and community sustainability

Beyond Postgres, the overall open-source ecosystem demands a fundamental reimagining of how its communities collaborate and sustain themselves. At the heart of the issue are increasingly uneven contributions, marked by a stark disparity between individual developers and massive tech companies. The situation is particularly precarious for smaller contributors. Many extensions are maintained by individual developers, even though they might support critical infrastructure used by major corporations.

As a way to achieve economic sustainability, open-source projects have started re-licensing their products to various degrees; for example, last year data platform Directus started charging large enterprises for production licenses. Floor is concerned about the disruptive potential of sudden licensing shifts and the “work and costs associated with switching out technology”: “You don’t necessarily see those coming and you need to really quickly find an alternative for potentially a really vital piece of your product to sort of like switch it out.” “Those are mostly larger projects,” she explains, “but also smaller projects too changed their license because they’re just done with bigger companies freeloading on their work.” Consequently, Floor believes more and more projects will move under the influence of foundations and, to avoid security issues or license changes, “companies will probably look at foundation-backed projects.”

The security concerns behind the sustainability issue have led governments to take notice of it. This year, the European Union’s Cyber Resilience Act (CRA) entered into force, regulating software and hardware manufacturers and retailers and mandating cybersecurity requirements such as reporting vulnerabilities, providing software updates, and auditing products. Floor believes the CRA is an overall step in the right direction that “might force, for lack of a better word, organizations to care a lot more” and feel “an obligation to put more resources” on the software they rely on as “they now have the obligation to go back and contribute their fixes to these projects.” “They can’t just fix it for their customers anymore; that is not allowed,” she concludes.

The bottom line

To learn about Postgres extensions, check Tembo’s extension registry, Trunk. Visit Floor’s website to learn more about her work. You can follow her on:

X at @DevOpsBarbie.

Bluesky at @floord.bsky.social.

Mastodon at @floord@hachyderm.io.


Meet the host

Darko Fabijan

Darko, co-founder of Semaphore, enjoys breaking new ground and exploring tools and ideas that improve developer lives. He enjoys finding the best technical solutions with his engineering team at Semaphore. In his spare time, you’ll find him cooking, hiking and gardening indoors.