1 00:00:00,000 --> 00:00:12,320 Welcome to the NGI Zero podcast where we talk to the people who are building the Next Generation 2 00:00:12,320 --> 00:00:13,320 Internet. 3 00:00:13,320 --> 00:00:14,320 I'm Ronny Lam. 4 00:00:14,320 --> 00:00:16,160 And I'm Tessel Renzenbrink. 5 00:00:16,160 --> 00:00:19,880 We're both from NLnet, a foundation which supports people who are working on a free 6 00:00:19,880 --> 00:00:21,800 and open internet. 7 00:00:21,800 --> 00:00:24,120 Our guest today is Daniel Thompson-Yvetot. 8 00:00:25,120 --> 00:00:32,000 He's the co-founder of Tauri Apps, CEO of CrabNebula and an NGI evangelist. 9 00:00:32,000 --> 00:00:36,120 Daniel is involved in multiple projects that have received NGI Zero funding. 10 00:00:36,120 --> 00:00:42,480 Tauri, a toolkit that helps developers make smaller, faster and more secure desktop applications. 11 00:00:42,480 --> 00:00:46,000 And more recently he's been working on Servo and Verso. 12 00:00:46,000 --> 00:00:51,200 Servo is a browser engine written in Rust and Verso is a new browser initiative built 13 00:00:51,200 --> 00:00:52,200 on top of it. 14 00:00:52,200 --> 00:00:53,200 Hi Daniel. 15 00:00:53,280 --> 00:00:54,280 Nice to have you here. 16 00:00:54,280 --> 00:00:55,280 Hi, yeah, thanks. 17 00:00:55,280 --> 00:00:59,600 It's a pleasure to be speaking with you on the podcast. 18 00:00:59,600 --> 00:01:04,640 I don't think we've seen each other since FOSDEM back in February. 19 00:01:04,640 --> 00:01:06,840 Yes indeed, yeah. 20 00:01:06,840 --> 00:01:10,040 Did we miss anything in our introduction of you? 21 00:01:10,040 --> 00:01:15,000 Oh gosh, I mean, I think there's a lot to unpack there. 22 00:01:15,000 --> 00:01:19,200 So I hope we have enough time to get to it all. 23 00:01:19,200 --> 00:01:24,560 All right, so to introduce you even further, we have devised three short questions which 24 00:01:24,560 --> 00:01:29,520 you can answer with short answers. 25 00:01:29,520 --> 00:01:34,820 The first one is, are you programming rather in silence or with a background noise? 26 00:01:34,820 --> 00:01:46,440 If you consider the background noise of a circulating fan to be useful, then I would. 27 00:01:47,440 --> 00:01:55,760 Although I do have a collection of playlists that a producer friend of mine has been making 28 00:01:55,760 --> 00:02:01,880 for the past 15 years and sometimes I'll go and listen to music as well. 29 00:02:01,880 --> 00:02:09,280 But I find for very concentrated work that silence is the best. 30 00:02:09,280 --> 00:02:11,560 I think a fan is sort of white noise, right? 31 00:02:11,560 --> 00:02:13,960 That probably helps really well concentrating. 32 00:02:14,600 --> 00:02:20,320 Okay, the next one is, we'll get back to that later, but just quickly. 33 00:02:20,320 --> 00:02:26,840 Do you prefer a benevolent dictator for life or interrelatedness? 34 00:02:26,840 --> 00:02:30,160 Interrelatedness every week. 35 00:02:30,160 --> 00:02:36,200 And which web experience did you enjoy more, the one of the 2000s or today's web experience? 36 00:02:36,200 --> 00:02:39,640 Oh gosh, no, I'm going to go back to the 80s. 37 00:02:39,640 --> 00:02:49,200 I really loved feeling like I was in the future by putting our phone, our landline onto a 38 00:02:49,200 --> 00:02:55,480 physical modem, connecting my Commodore 64 to a BBS. 39 00:02:55,480 --> 00:02:59,720 For me, I felt like it was the space age. 40 00:02:59,720 --> 00:03:04,760 I think it's gone downhill since then. 41 00:03:04,760 --> 00:03:06,840 That's a very insightful answer. 42 00:03:06,840 --> 00:03:09,480 Thank you for that. 43 00:03:09,480 --> 00:03:21,240 So talking about your projects, what are the key issues you see with the state of the internet today? 44 00:03:21,240 --> 00:03:22,280 It's not built for us. 45 00:03:22,280 --> 00:03:34,080 I think the biggest issue and why I love NGI's mission so much is that we've kind of grandfathered 46 00:03:34,080 --> 00:03:44,800 into an internet designed for autocrats and corporations such that we are products for them. 47 00:03:44,800 --> 00:03:54,560 And I guess the biggest campaign I'm on today that kind of touches all of the projects I'm involved in 48 00:03:55,360 --> 00:04:03,920 is working toward redefining what it means to have a digital identity. 49 00:04:03,920 --> 00:04:14,040 I don't mean, you know, to log into your bank or to pay your Amazon with your credit card or to even vote if that were possible. 50 00:04:14,200 --> 00:04:26,280 I think that today, more so than ever, we're spending so much of our lives online in forums, 51 00:04:26,280 --> 00:04:33,800 communicating with each other, that our digital identity is almost like a digital presence. 52 00:04:33,800 --> 00:04:44,760 And I don't feel that corporations like Alphabet, Meta, Apple, Microsoft, NVIDIA 53 00:04:47,400 --> 00:04:55,320 are interested in providing us with tools that help us understand ourselves better. 54 00:04:55,320 --> 00:05:02,120 And so I think that that is the biggest problem that we're facing today. 55 00:05:02,120 --> 00:05:10,520 It's the problem of disenfranchisement. It's the problem of facing chilling effects when we speak out. 56 00:05:11,320 --> 00:05:18,440 It's the problem of being doxed. It's the problem of being a customer before you're a person. 57 00:05:18,440 --> 00:05:22,840 I mean, if you go to a government office, you take a number because you're a customer. 58 00:05:23,400 --> 00:05:31,320 And I feel like the way in which the digital has evolved has been, unfortunately, 59 00:05:31,960 --> 00:05:43,480 not what we were promised back in the 90s. I think what it's evolved into is a panopticon of fear and powerlessness. 60 00:05:43,480 --> 00:05:52,360 And I know that open source can and should and must play a part in returning that power to the individual. 61 00:05:53,320 --> 00:05:55,800 And we are even raising our kids into it. 62 00:05:56,840 --> 00:06:04,520 Yeah, we are. I mean, before they know how to walk on the sidewalk, they're already playing video games on iPhones. 63 00:06:06,200 --> 00:06:14,600 Yeah, I mean, well, this is a whole other discussion, I think. But the first word my son said was YouTube. 64 00:06:15,320 --> 00:06:21,960 My daughter went back in 2002. She, well, I guess this was 2004. 65 00:06:22,840 --> 00:06:27,000 One of her first words was Kika, which is the Kinderkanal in Germany. 66 00:06:27,000 --> 00:06:35,560 And because they're on the remote control for the TV, there was a logo that was the logo of the children's channel that she loved watching. 67 00:06:35,560 --> 00:06:41,160 I think that the children adapt very quickly to the surroundings they're given. 68 00:06:41,960 --> 00:06:54,520 And I'm saddened by what's happened to the way in which the digital native generation is grown up understanding that, well, this is the way things are. 69 00:06:54,520 --> 00:06:58,680 And this is how they've always been in my life. So that's what they have to be. 70 00:07:00,680 --> 00:07:08,440 But taking it back to your projects, how does your project contribute to addressing those issues? 71 00:07:08,680 --> 00:07:27,400 Well, I guess if we started with the Tauri project, Tauri began as an experiment to consider what it would mean to build apps, software that respected the individual's computing resources. 72 00:07:28,360 --> 00:07:51,080 It came at a time when, and I think to some extent this still exists, but it came at a time when the Silicon Valley tech bros and VCs and big startups and scale ups and venture funded projects felt like it's all free real estate. 73 00:07:51,240 --> 00:08:01,480 The computer, that's ours to use, and that's how we're going to get customers. And again, it comes back to this notion of the person is the product. 74 00:08:01,480 --> 00:08:13,240 And we felt that why doesn't application have to weigh in at 300, 400, 500 megabytes? Why are applications shipping an entire browser and runtime? 75 00:08:14,040 --> 00:08:32,840 We can do better than that. And I think that the initial experiments are still vastly proven in the Tauri ecosystem because today a very basic application is four megabytes. 76 00:08:32,920 --> 00:08:38,040 And it does everything that a more complicated or heavier weight application would do. 77 00:08:38,040 --> 00:08:57,480 And I think the fallacy of scale that is promoted by large cloud companies and cloud computing in general is, hey, there's enough computing space for everybody. 78 00:08:57,480 --> 00:08:59,480 We'll make more if you need it. You just have to pay us. 79 00:09:00,120 --> 00:09:09,080 The thing is, if your app is only downloaded 100 times, nobody cares how big it is if they stay in the United States. 80 00:09:09,080 --> 00:09:21,240 If your app is downloaded millions of times around the planet, you have to start considering things like people having poor connectivity or having to pay per megabyte. 81 00:09:21,880 --> 00:09:43,400 And if your app is updated regularly, three or four times a month, like good developers want to do, that means that you're incurring an amazingly huge tech, transit, electricity, power, consumption that doesn't need to be there. 82 00:09:43,560 --> 00:10:00,680 And I mean, just back of the envelope calculations show that reducing the download size of your app, if you're a popular application, can have massive impact on your bottom line and also the bottom line of the people using your app. 83 00:10:00,680 --> 00:10:12,680 And I think that what this has led to, this notion of smaller is better, is also the discovery we made along the way that smaller is also more secure. 84 00:10:12,680 --> 00:10:28,360 And more secure means that we are working toward promoting these universal human digital rights of sense and notion of privacy and security on your computing devices. 85 00:10:28,360 --> 00:10:38,360 I think that what's come out of Tauri itself was in the first place, this desire. 86 00:10:39,320 --> 00:10:45,960 And maybe for this one user that doesn't know what Tauri is, can you give a high level overview of Tauri? 87 00:10:46,840 --> 00:11:00,360 Sure. So Tauri is a framework for building applications that use web technologies on the user interface and the Rust programming language on the backend or the core. 88 00:11:01,080 --> 00:11:20,440 And this allows people to do is quickly make a beautiful, engaging interface using technologies they know, like React or Vue.js or Solid.js and create applications that are incredibly small and performant. 89 00:11:20,920 --> 00:11:30,920 Obviously, there's a lot more detail in designing a mobile app, designing a desktop app and shipping those applications. 90 00:11:30,920 --> 00:11:43,960 But we've worked on making the developer experience one that smart people can figure out and beginners can rapidly become proficient in. 91 00:11:44,840 --> 00:11:52,200 So the technology that's used, though, is different on each platform. 92 00:11:52,200 --> 00:11:57,880 And this is sort of the bridge to the Verso and Servo projects. 93 00:11:57,880 --> 00:12:05,080 And that is the operating systems provide what's known as a web view. 94 00:12:05,160 --> 00:12:16,680 You can think of it like a slimmed down web browser like Chrome or Edge or Firefox that allows applications to show web content. 95 00:12:16,680 --> 00:12:20,120 And in Tauri's case, we deliver that web content generally. 96 00:12:22,120 --> 00:12:25,800 The problem arises, though, once you start looking under the hood. 97 00:12:26,440 --> 00:12:39,960 So on on Mac OS, we're using a web view that's based on the Safari browser that gets updated when you update Safari with all of the problems that brings. On Windows 98 00:12:39,960 --> 00:12:51,480 it is the Edge browser's WebView 2 that similarly is controlled by Microsoft and Google to some extent. 99 00:12:52,200 --> 00:13:01,480 And on Linux, we're using a project from Igalia and contributors called WebKit GTK. 100 00:13:02,280 --> 00:13:11,720 And what we end up with is, even with the greatest of intentions, a fractured ecosystem. 101 00:13:12,440 --> 00:13:20,200 Because each of these WebView vendors feels like they're doing what they need to do for their platform. 102 00:13:20,200 --> 00:13:22,040 And we don't have parity. 103 00:13:22,040 --> 00:13:41,640 So one of the first engagements with NGI was a collaboration between the Servo team and the Tauri team to look into what it would take to use Servo, the engine, as a provider of a WebView for Tauri. 104 00:13:42,120 --> 00:13:52,520 Because, as you might know, Servo, the project started from Mozilla years ago, has a Rust basis for the most part. 105 00:13:52,520 --> 00:14:08,040 And since Rust as a programming language is considered to be one of the more secure and memory safe programming languages out there, it just makes sense because, you know, Tauri is written that way, too. 106 00:14:08,040 --> 00:14:10,840 It's it's all in the same context. 107 00:14:11,480 --> 00:14:15,240 And the experiment was actually successful. 108 00:14:15,240 --> 00:14:22,520 We were able to prove a concept and then things get sticky. 109 00:14:25,000 --> 00:14:35,160 Making a WebView on a browser engine makes it hard to test that browser engine. 110 00:14:35,960 --> 00:14:42,360 Technically, you want to have a browser and base the WebView on the browser. 111 00:14:42,360 --> 00:14:51,800 So with the Verso project, we've started using the Servo engine and we are contributing to the Servo engine as well. 112 00:14:51,880 --> 00:15:11,480 But we've started using the Servo engine to, on the one hand, build out the browser and the WebView so that we can own and support the entire stack of what's needed for Tauri Apps. 113 00:15:11,480 --> 00:15:11,960 Right. 114 00:15:12,360 --> 00:15:41,080 It's a massive undertaking, but we feel that the decisions we get to make while building a browser and its associated WebView help us align our community's vision toward what a browser should be without the involvement of corporate interests. 115 00:15:41,080 --> 00:15:49,720 I think that keeping it in a community area, similar to what Ladybird is doing, is going to be important for the project going forward. 116 00:15:51,880 --> 00:16:08,360 So do I understand correctly that if this project continues and reaches that point, which you would like to reach, that you can provide the apps on, say, a Mac or a Windows machine. 117 00:16:09,320 --> 00:16:12,040 Without having to need their web kits. 118 00:16:13,160 --> 00:16:13,640 Correct. 119 00:16:14,600 --> 00:16:15,640 That's absolutely correct. 120 00:16:19,000 --> 00:16:29,240 But that is quite revolutionary because then you get a part of that autonomy back that you discussed in the introduction that got lost. 121 00:16:29,240 --> 00:16:32,040 So really amazing. 122 00:16:33,640 --> 00:16:34,760 It gets deeper, though. 123 00:16:35,240 --> 00:16:58,040 If you follow the W3C and the WTG, what you discover is that while standards are important, they only serve us as people to the extent with which manufacturers agree that a standard is helpful. 124 00:16:58,040 --> 00:17:27,960 I can list dozens of cases of this, but I think the interesting one is to look at how the market adoption, the use of Chrome and Chromium in the industry means that the decision makers of the Chrome and Chromium projects are actually literally in a position to do things like turn off third party cookies. 125 00:17:28,760 --> 00:17:44,520 You can agree with cookies or not, but making a decision for the ecosystem based on an approach that is valuable to a corporation thinks it's really scary. 126 00:17:44,600 --> 00:17:51,480 I mean, in Chrome, did you know that they're already integrating Gemini, the LLM? 127 00:17:52,360 --> 00:17:53,640 Can you opt out of it? 128 00:17:53,720 --> 00:17:58,760 Well, maybe, but also maybe not. 129 00:17:59,320 --> 00:18:00,200 And for how long? 130 00:18:00,920 --> 00:18:02,200 And for how long? 131 00:18:02,440 --> 00:18:18,760 And at what point is it so transparent and expected that the next generation of children, my daughter's children, are going to grow up expecting that there is an agent in every single piece of software that knows them intimately and they have no expectation of privacy? 132 00:18:19,000 --> 00:18:24,520 Is that the kind of world that we want to have enshittyfied for us and for future generations? 133 00:18:25,000 --> 00:18:26,760 I hope not. 134 00:18:26,760 --> 00:18:28,280 And that's what we're working against. 135 00:18:29,800 --> 00:18:30,360 Wow. 136 00:18:30,440 --> 00:18:33,240 This gives me a reminder of the thought police. 137 00:18:33,400 --> 00:18:34,520 But I don't know why. 138 00:18:37,320 --> 00:18:38,200 Double goods, right? 139 00:18:39,000 --> 00:18:39,500 Yeah. 140 00:18:40,140 --> 00:18:59,340 The fact that Tauri is working together with Servo, and it shows that you are really with Tauri, you're really used to or doing a good job in reaching out to a wider ecosystem and collaborating successfully together. 141 00:18:59,500 --> 00:19:10,540 But I get the impression that you, that Tauri, the Tauri team is more generally quite good at reaching out to a much wider ecosystem and collaborating on that. 142 00:19:10,700 --> 00:19:12,860 Can you say some things? 143 00:19:13,180 --> 00:19:14,540 Oh, I have thoughts. 144 00:19:14,540 --> 00:19:44,220 So for the statistics, I don't know when this podcast is going to be presented, but at the time of recording, Tauri has something like 80,000 stars on GitHub, which puts it into the top 100 most starred projects on GitHub and the top 50 software projects on GitHub and number three in the Rust programming. 145 00:19:44,540 --> 00:19:50,060 I think that the reason for this has a couple layers. 146 00:19:50,380 --> 00:19:53,180 For one, we believe in agnosis. 147 00:19:53,180 --> 00:19:57,660 We think that your stack is okay, and we want to help you make better software. 148 00:19:59,180 --> 00:20:11,740 We also have a working group policy that tries really hard to not only stay inclusive, but also accountable. 149 00:20:12,380 --> 00:20:18,780 And this is done through an organization I'm sure you're familiar with, with the Commons Conservancy. 150 00:20:19,660 --> 00:20:37,340 So the Tauri program within the Commons Conservancy is an elected board of directors who exist to make sure that the moral stewardship of the open source project cannot be rug pulled. 151 00:20:37,340 --> 00:20:44,620 The directors are elected by the working group to become a director. 152 00:20:44,620 --> 00:20:48,380 You have to have been in the working group to join the working group. 153 00:20:48,380 --> 00:20:52,860 You have to have committed some code and you have to ask to join. 154 00:20:52,860 --> 00:20:59,500 I think the moment you join, you get right access to all of the repos on GitHub. 155 00:21:00,060 --> 00:21:05,900 And that means as a contributor, you don't have to fork. 156 00:21:05,900 --> 00:21:10,460 You can just branch, which enhances our trust. 157 00:21:10,460 --> 00:21:17,980 However, we still have administrative policies in place such that every pull request needs a reviewer. 158 00:21:18,700 --> 00:21:23,340 And just because it's on the main branch doesn't mean that a release gets cut. 159 00:21:23,900 --> 00:21:33,820 So we have a multi-layered approach toward empowering individuals to participate in the project, 160 00:21:33,820 --> 00:21:46,540 while we also maintain human review and control of the system in a way that is not like the Benevolent Dictator for Life model, 161 00:21:47,260 --> 00:21:55,100 but more in line with a healthy ecosystem that recognizes that sometimes contributors need to take a break. 162 00:21:55,740 --> 00:22:01,900 Sometimes they need to travel the world or get a job or become parents. 163 00:22:01,900 --> 00:22:08,300 And it's the kind of resilience that our team has that actually makes this not only feasible, 164 00:22:08,300 --> 00:22:13,420 but also quite possible for the contributors to join us. 165 00:22:13,420 --> 00:22:22,140 And the topic that sort of grinds me a little bit though, is that I don't know who all is using Tauri. 166 00:22:22,780 --> 00:22:29,340 I think that if we'd taken a slightly different path, if we'd taken the proprietary path, 167 00:22:29,340 --> 00:22:34,300 the license this code based path, we would know exactly who the customers are. 168 00:22:35,180 --> 00:22:42,380 But if you remember what I was saying earlier, I don't believe in open source customers. 169 00:22:42,380 --> 00:22:50,060 I believe in participants. And I believe that it's every participant's right to come forward and say, 170 00:22:50,060 --> 00:22:55,020 yes, we love Tauri, or we're using it this way. 171 00:22:55,020 --> 00:22:59,660 If it's an open source project, then it's right there in the code. 172 00:22:59,660 --> 00:23:04,860 You can go and look at the dependency tree and see that they're using Tauri or Tau or Wry 173 00:23:04,860 --> 00:23:10,540 or any of the other hundred projects that we manage at Tauri organization. 174 00:23:11,500 --> 00:23:27,260 But what grinds me is that for profit projects using Tauri aren't disclosing the fact that they're using Tauri 175 00:23:27,260 --> 00:23:34,300 or in many cases, the hundreds, if not thousands of other open source projects that they are building their success on. 176 00:23:35,260 --> 00:23:42,780 Now, I am not about to go out and start legal battles with people because I don't feel that any of that is productive. 177 00:23:43,420 --> 00:23:48,860 However, this is also something that's going to kind of go away. 178 00:23:49,580 --> 00:23:57,420 Once we have the Cyber Resilience Act, once we have the compliance requirements of maintaining a Software Bill of Materials, 179 00:23:58,060 --> 00:24:13,260 once companies start to realize they need to actually work with the open source communities in order to make sure that the risk they're adopting with using the open source project is not just theirs alone. 180 00:24:13,900 --> 00:24:19,660 I think that we're at a watershed moment for open source and I'm very excited about it. 181 00:24:19,660 --> 00:24:32,140 I'm bullish about the raft of regulations in Europe and how they're actually going to support open source maintainers, creators and companies that make open source. 182 00:24:32,140 --> 00:24:43,580 I think that for too long, it's been this wild west of free real estate and I see those days coming to an end. 183 00:24:44,540 --> 00:25:04,780 That's really interesting. Can you expand a bit on how the Cyber Resilience Act would help make open source more visible as one of the things that you would like to see, but also how it would help maintainers? 184 00:25:05,740 --> 00:25:29,900 Oh gosh, yes. So the Cyber Resilience Act has the task or the goal of enforcing compliance on the manufacturers of products with digital elements that are placed on the European single market in the context of the Blue Guide. 185 00:25:30,540 --> 00:25:45,980 The Blue Guide is basically this several hundred page document that explains what it means to be a manufacturer and create products and what kinds of things you're going to have to do in order to comply with the expectations of the regulator. 186 00:25:46,860 --> 00:26:15,900 So that aside, what the Cyber Resilience Act and its associated Product Liability Directive do is for the first time, they literally classify software as a product, which sounds novel, but basically you have to understand that the Certification European, the CE mark that is placed on every physical object, 187 00:26:15,900 --> 00:26:28,060 with digital elements like your, I don't know, your USB charger, your mouse, your keyboard, your laptop, they all have this little CE mark on there. Software is going to have to carry the same mark as well. 188 00:26:28,460 --> 00:26:43,340 And it's not just software that you're downloading, it's also going to be SAAS offerings, many types of websites, Internet of Things, and the regime expects a couple things. 189 00:26:44,300 --> 00:27:00,780 So the first is that a software product for its lifecycle maintains a Software Bill of Materials, it maintains a user handbook of what they can expect, how they should use the software, etc. 190 00:27:01,340 --> 00:27:08,300 For a minimum of five years, potentially, in some cases, it could be longer if your product is designed to live longer. 191 00:27:09,180 --> 00:27:28,940 And you also have to report to your local cybersecurity center, your NOC, if your software or your product, in this case your product, 192 00:27:29,820 --> 00:27:43,340 successfully attacked by hackers, there's a very stringent reporting period and expectations that you not only tell the public, but that you also tell the regulator. 193 00:27:43,820 --> 00:27:54,140 And this is what's going to happen. In the case of an event, the regulator is going to be, okay, thank you for the report, I want to see your Software Bill of Materials now. 194 00:27:54,700 --> 00:28:20,620 And in the Software Bill of Materials, that doesn't have to be held publicly, but it will be kept transparent for the regulator, they're going to see all of the hundreds and, like I said before, thousands of third party software modules, the majority of which, let's be honest, are open source projects, the majority of those projects are run by small teams of, 195 00:28:20,620 --> 00:28:26,060 I'll just call them maintainers, I'll get back to the term in a second. 196 00:28:27,980 --> 00:28:44,140 And then the liability and risk equations start happening, because if it's not your fault that a third party library was hacked, then is it the third party library's fault? 197 00:28:44,220 --> 00:29:03,340 And how do you mitigate that risk from the beginning? I mean, it's a common trope in the security industry that ain't nobody got time to read through a thousand third party modules, a third of which update themselves every week and stay on top of the security posture of every single third party dependency. 198 00:29:04,060 --> 00:29:22,540 It's actually something that some companies offer as a service, and the utility of that to the side, before it comes to a cyber attack, companies are going to be looking at their risk portfolio and working toward mitigating it. 199 00:29:23,420 --> 00:29:30,140 And one of the best ways to mitigate it is to support the maintainers, they're going to find out that calculation very quickly. 200 00:29:30,620 --> 00:29:51,100 They've been freeloading on the maintenance of open source software for decades, and now they're finally going to have the opportunity to do the right thing, participate in corporate social responsibility, support the people whose work they're instrumentalizing, and doing it in a way that benefits their entity. 201 00:29:53,500 --> 00:30:07,180 I think that that is going to happen. And now you might recognize, earlier I said, placing software or software components on the single market. 202 00:30:07,580 --> 00:30:15,740 Technically, whether you sell it or not, if you're putting it on the market, if you're giving it away, you're still putting it on the market. 203 00:30:16,300 --> 00:30:25,740 And the regulator was challenged by some amazing foundations out there. I'm not going to pick names, except for the Linux Foundation, who we're thankful for their diligence. 204 00:30:26,700 --> 00:30:41,020 But there were others involved, I believe, even at NGI Labs, a friend spent a year in being involved in the discussions around the extent to which open source projects are going to have to comply with the Cyber Resilience Act. 205 00:30:41,900 --> 00:30:58,300 And we got some amazing news. Basically, if you're a drive-by contributor, you just have an itch you want to scratch, and you contribute some kind of fix to some open source project, and you have no financial involvement in the project at all, you're fine. 206 00:30:58,300 --> 00:31:03,580 You're not going to be implicated in any requirements of the Cyber Resilience Act. 207 00:31:03,660 --> 00:31:12,700 Even if you're just a bunch of friends who make this as a side thing, and people aren't getting paid, it's a hobby, you're not going to be required to comply with the Cyber Resilience Act. 208 00:31:12,700 --> 00:31:22,700 And even entities like the Linux Foundation are not going to have to comply with every single one of the requirements of the Cyber Resilience Act. 209 00:31:22,860 --> 00:31:27,820 Because they're going to be classified as open source software stewards. 210 00:31:27,820 --> 00:31:39,820 And a steward is going to be, I think there's a lot of work to be done, 211 00:31:39,820 --> 00:32:01,420 but the expectation is that the steward reports to the regulator how their security posture is maintained, and they have to maintain a best effort. 212 00:32:02,060 --> 00:32:08,060 And then you have commercial open source software companies. 213 00:32:08,060 --> 00:32:12,380 And this is kind of where I think things get a little sticky. 214 00:32:12,380 --> 00:32:23,820 So if you're a company and you make an open source software library available to the public, you are going to have to certify that library with the CE mark. 215 00:32:23,980 --> 00:32:30,700 Which means you're going to have to maintain a register of all of your compliance documentation. 216 00:32:30,700 --> 00:32:41,180 And in some cases, you might even be expected to get a third party auditor to come in to verify compliance. 217 00:32:41,180 --> 00:32:52,060 And that, I think, is the larger risk that I see in the Cyber Resilience Act for open source. 218 00:32:52,140 --> 00:33:15,580 And it might be a double edged sword, because there are many recent examples of corporations changing the license of their key product right before doing a funding round or going public as a way to bolster their valuation. 219 00:33:15,900 --> 00:33:39,580 And I think that companies who have that strategy in mind or are not taking it off the table early on are going to quickly find out that the liability they're going to owe to other people using that software is going to be literally too much for them to manage. 220 00:33:39,740 --> 00:33:46,860 And we're going to see less innovation from corporate contributors to open source. 221 00:33:47,580 --> 00:33:48,140 That was a lot. 222 00:33:50,940 --> 00:33:52,140 Yeah, it was a lot. 223 00:33:52,140 --> 00:33:56,140 And well, I hear two things in what you say. 224 00:33:56,140 --> 00:34:00,380 One is it sounds like you are very happy with the CRA. 225 00:34:01,340 --> 00:34:10,140 But the question I also have is, isn't it hard to be in open source now? 226 00:34:12,940 --> 00:34:14,300 I don't think it's ever been easy. 227 00:34:14,940 --> 00:34:29,420 I think open source attracts a very unique type of person who believes in collaboration, 228 00:34:30,060 --> 00:34:39,660 who believes in the greater good, and who is also in some sense altruistic. 229 00:34:40,620 --> 00:34:57,020 I think that altruists or purported altruists get a bad rap because I think in the modern world, if you don't have healthy self-interest, 230 00:34:57,580 --> 00:35:00,620 it's easy for you to be taken advantage of. 231 00:35:01,100 --> 00:35:16,300 And I think that in the space of open source contributors, there is a tendency for people to land on one side or the other of neurodivergence. 232 00:35:16,540 --> 00:35:34,860 And when you are on that spectrum, it's easy for you to participate in a very, I guess it's not very rare, but it's a type of involvement in open source where you try to keep up with the things that other people are doing and you burn yourself out. 233 00:35:35,100 --> 00:35:39,020 I think the biggest risk to open source maintainership isn't the lack of funding. 234 00:35:39,020 --> 00:35:45,020 I know people are going to yell at me for saying this, but funding is not going to solve the mental health crisis in software engineering. 235 00:35:45,020 --> 00:35:51,020 The only thing that's going to solve that is more compassion, more collaboration, more attention to the people that you spend time with. 236 00:35:51,020 --> 00:35:55,020 Because when you work remotely 237 00:35:55,180 --> 00:35:59,180 on open source 238 00:35:59,180 --> 00:36:03,180 you might not ever 239 00:36:03,180 --> 00:36:07,180 even see 240 00:36:07,180 --> 00:36:11,180 the person 241 00:36:11,180 --> 00:36:15,180 in the real world. 242 00:36:15,180 --> 00:36:19,180 Ever. 243 00:36:19,340 --> 00:36:23,340 The only thing we have to go on are these signals and cues. 244 00:36:23,340 --> 00:36:27,340 And being compassionate is the reason why I think we deserve a chance as humanity. 245 00:36:27,340 --> 00:36:31,340 I think 246 00:36:31,340 --> 00:36:35,340 we can be 247 00:36:35,340 --> 00:36:39,340 compassionate. 248 00:36:39,340 --> 00:36:43,340 I think we can find ways to resolve conflicts. 249 00:36:43,340 --> 00:36:47,340 I'm not saying I'm a pacifist, but I'm also not a warmonger. 250 00:36:47,500 --> 00:36:51,500 And I know this isn't exactly 251 00:36:51,500 --> 00:36:55,500 the answer to the question you were asking. 252 00:36:55,500 --> 00:36:59,500 But there's never been a better time 253 00:36:59,500 --> 00:37:01,500 to get into open source. 254 00:37:01,500 --> 00:37:07,500 There's never been a better time to learn more about people and customs and countries and languages. 255 00:37:07,500 --> 00:37:15,500 I think that if we have a chance as humanity to figure out what this crazy world is doing to us, 256 00:37:15,660 --> 00:37:17,660 then it's by direct engagement. 257 00:37:17,660 --> 00:37:27,660 And I see more directly engaged people in the open source communities than I do in the corporate boards. 258 00:37:27,660 --> 00:37:33,660 Well, yeah, these are all beautiful words. 259 00:37:33,660 --> 00:37:37,660 I think it's really, really nice also for other open source developers to hear this, you know, 260 00:37:37,660 --> 00:37:43,660 that compassion is important, but also that they're really contributing to the world. 261 00:37:43,820 --> 00:37:49,820 So I think it's a really good speech that you just gave. 262 00:37:49,820 --> 00:37:55,820 And I'm still wondering about that one question I asked earlier, 263 00:37:55,820 --> 00:38:05,820 because you say justly that the corporate world has been freeloading on the backs of open source for a really long time. 264 00:38:05,980 --> 00:38:13,980 And you say that you think that we are now at a point where this might change, 265 00:38:13,980 --> 00:38:17,980 where they have to start to acknowledge open source. 266 00:38:17,980 --> 00:38:23,980 And what do you think that will look like? 267 00:38:23,980 --> 00:38:27,980 What will change for open source developers? 268 00:38:27,980 --> 00:38:33,980 I think there's two ways to look at this. 269 00:38:34,140 --> 00:38:44,140 So from the corporate side, your goal is to at all costs reduce risk. 270 00:38:44,140 --> 00:38:50,140 Liability is the worst thing, especially because sometimes it's incalculable. 271 00:38:50,140 --> 00:38:56,140 You might know it exists, but you don't know exactly what the damage it is that it can cause. 272 00:38:56,140 --> 00:39:02,140 And so today, under today's model, if you're a company that's not open source, 273 00:39:02,300 --> 00:39:08,300 if you're a company that's using open source software and you get hacked, 274 00:39:08,300 --> 00:39:16,300 then maybe it was the fault of an improperly coded third party node module, 275 00:39:16,300 --> 00:39:22,300 but it's still your fault. You did not do your due diligence. 276 00:39:22,300 --> 00:39:26,300 You did not. I'm just going to throw this out there. 277 00:39:26,300 --> 00:39:30,300 Ninety nine times out of a hundred. You did not engage with the open source community. 278 00:39:30,460 --> 00:39:34,460 Your dev probably just did a quick Google search or what's hot on Twitter, 279 00:39:34,460 --> 00:39:38,460 and then NPM installed it and went from there. 280 00:39:38,460 --> 00:39:46,460 And there's never been an honest code review inside your product because nobody has time for that. 281 00:39:46,460 --> 00:39:48,460 No time has been made for that. 282 00:39:48,460 --> 00:39:52,460 And so from that perspective, from the perspective of the corporate interest, 283 00:39:52,460 --> 00:39:58,460 what we're going to have to see is an increased cyber resilience budget 284 00:39:58,620 --> 00:40:06,620 where teams are going to be created to analyze and verify continuously, if need be, 285 00:40:06,620 --> 00:40:12,620 the security posture of the company, including its third party modules. 286 00:40:12,620 --> 00:40:14,620 And that is a Herculean task. 287 00:40:14,620 --> 00:40:22,620 And so in order to offload the risk, what those entities can do is they can pay people to take on the risk. 288 00:40:22,620 --> 00:40:26,620 They could pay people to take on the risk. 289 00:40:26,780 --> 00:40:34,780 They could pay an open source team to say, hey, you know, here's a bunch of money. 290 00:40:34,780 --> 00:40:40,780 Please make sure that your code is updated, that your dependencies are up to date, 291 00:40:40,780 --> 00:40:46,780 or they could pay for third party audits of the really integral stuff. 292 00:40:46,780 --> 00:40:49,780 This is going to have an impact on the security industry. 293 00:40:49,940 --> 00:40:57,940 This is going to require the education and training of hundreds of thousands of people to do this. 294 00:40:57,940 --> 00:41:01,940 And yes, of course, there are LLMs for that. 295 00:41:01,940 --> 00:41:07,940 But still, we need a human in the loop to make sure that the LLM did its job right. 296 00:41:07,940 --> 00:41:17,940 I don't think we're going to get out of this quick and dirty by paying a company to investigate our vulnerabilities. 297 00:41:18,100 --> 00:41:24,100 It's something that we still are going to have to do at least for the next five, six years. 298 00:41:24,100 --> 00:41:28,100 I don't think that this is going to change any sooner than that. 299 00:41:28,100 --> 00:41:34,100 And that kind of describes then the position that an open source project is in. 300 00:41:34,100 --> 00:41:42,100 So if we take the model of Tauri, Tauri is a program within the Commons Conservancy that doesn't take money. 301 00:41:42,260 --> 00:41:49,260 We have a donation channel over at the Open Collective where people could donate money. 302 00:41:49,260 --> 00:41:57,260 But we take donations in the strict definition of the term that you don't get anything for a donation. 303 00:41:57,260 --> 00:42:10,260 Which means, conversely, you can't hire the so-called Tauri team to verify the security of your implementation of it. 304 00:42:10,420 --> 00:42:14,420 This has a couple roll-on effects. 305 00:42:14,420 --> 00:42:19,420 Now, because the Tauri project is within a Dutch foundation, 306 00:42:19,420 --> 00:42:28,420 that means that Tauri will be seen, or the organization, will be seen as a steward with limited responsibilities, 307 00:42:28,420 --> 00:42:34,420 but also not the ability to place a CE mark on the Tauri code base. 308 00:42:34,580 --> 00:42:43,580 That means everyone who's doing it is doing it, A, either on good faith, or B, blindly. 309 00:42:43,580 --> 00:42:45,580 And I guess those two are kind of the same. 310 00:42:45,580 --> 00:42:52,580 Unless they, and here's the hook, and this is maybe why I'm excited with this model, 311 00:42:52,580 --> 00:42:58,580 unless there's a company, like in Tauri's case, CrabNebula, that is able to say, 312 00:42:58,740 --> 00:43:06,740 You know what? We actually perform security audits on every pull request leading into a minor release. 313 00:43:06,740 --> 00:43:11,740 We manage the third-party audit at major release. 314 00:43:11,740 --> 00:43:22,740 We even file CWEs and GHSAs when required, because it's in our DNA. 315 00:43:22,740 --> 00:43:25,740 As a company, we support the open source project that way, 316 00:43:25,900 --> 00:43:31,900 and since we do that, we actually could sell you the risk. 317 00:43:31,900 --> 00:43:37,900 We could put a CE mark on Tauri and say, 318 00:43:37,900 --> 00:43:43,900 If you want to have us absorb your risk, well, pay us for the work that we're doing to support Tauri. 319 00:43:43,900 --> 00:43:51,900 And I think that that's kind of the interesting niche, open source collaboration between a foundation 320 00:43:52,060 --> 00:44:02,060 and a for-profit entity that is going to make a lot of sense for companies out there 321 00:44:02,060 --> 00:44:05,060 that are looking to reduce their risk. 322 00:44:05,060 --> 00:44:11,060 Because if the Tauri app gets hacked, the regulator is going to dig through and figure out, 323 00:44:11,060 --> 00:44:13,060 Okay, who is responsible for this? 324 00:44:13,060 --> 00:44:17,060 And if it was Tauri, then it's Tauri's job to fix it. 325 00:44:17,060 --> 00:44:19,060 It's not your job as a consumer. 326 00:44:19,220 --> 00:44:28,220 If you play with this Cyber Resilience Act, I don't know. 327 00:44:28,220 --> 00:44:30,220 I hope I answered your question. 328 00:44:30,220 --> 00:44:38,220 I think that the risks and challenges and opportunities are out there. 329 00:44:38,220 --> 00:44:44,220 I'm kind of content with the way we designed and grew and nurtured our open source community 330 00:44:44,380 --> 00:44:52,380 and built a company to support that community because it seems to me right now 331 00:44:52,380 --> 00:45:00,380 that the way in which the CRA and the PLD are conceived, 332 00:45:00,380 --> 00:45:09,380 they're conceived by morally well-founded companies trying to do the right thing 333 00:45:09,380 --> 00:45:12,380 for the right reasons in the right way. 334 00:45:12,540 --> 00:45:17,540 And I'm not trying to claim this from my perspective. 335 00:45:17,540 --> 00:45:23,540 This is what I'm hearing from our consumers, from the users of Tauri, 336 00:45:23,540 --> 00:45:25,540 from our customers at CrabNebula. 337 00:45:25,540 --> 00:45:28,540 And that is they're proud of us. 338 00:45:28,540 --> 00:45:32,540 And they see us as a role model. 339 00:45:32,540 --> 00:45:37,540 And again, if you're listening to this podcast out there, 340 00:45:37,540 --> 00:45:39,540 I really welcome you to reach out to me. 341 00:45:39,700 --> 00:45:42,700 I'm always happy to learn about open source projects, 342 00:45:42,700 --> 00:45:46,700 whether or not they're using Tauri or Servo or anything. 343 00:45:46,700 --> 00:45:54,700 I just love helping people get off on the right foot or solve tricky problems. 344 00:45:54,700 --> 00:45:56,700 So I'm there for you. 345 00:46:00,700 --> 00:46:02,700 That's amazing. 346 00:46:02,860 --> 00:46:03,860 Yeah. 347 00:46:03,860 --> 00:46:11,860 This is a nice bridge into another subject that we want to touch. 348 00:46:11,860 --> 00:46:17,860 What does it take to make a software company 349 00:46:17,860 --> 00:46:24,860 or an open source product sustainable? 350 00:46:25,020 --> 00:46:33,020 Because, yeah, I mean, once in a while we see nice products, 351 00:46:33,020 --> 00:46:37,020 but then they don't get maintained or, well, whatever. 352 00:46:37,020 --> 00:46:48,020 And hearing from you, it sounds like you have a model to make this sustainable. 353 00:46:48,180 --> 00:46:55,180 I think it, like everything in life, really depends. 354 00:46:55,180 --> 00:46:59,180 So when we built Tauri in the beginning, 355 00:46:59,180 --> 00:47:01,180 we were trying to solve our own problem. 356 00:47:01,180 --> 00:47:10,180 As time went on, we recognized that people consistently bumped into similar problems. 357 00:47:10,180 --> 00:47:17,180 And that is how we designed the niche for CrabNebula. 358 00:47:17,340 --> 00:47:23,340 And that is through the cloud distribution 359 00:47:23,340 --> 00:47:29,340 and managed compliance parts of the things that people hate to do. 360 00:47:29,340 --> 00:47:33,340 Nobody wants to go and get a code signing certificate. 361 00:47:33,340 --> 00:47:40,340 Nobody wants to spend 12 hours debugging CI, 12 hours if you're lucky, sometimes weeks. 362 00:47:40,500 --> 00:47:45,500 And so by reducing the barrier to entry, 363 00:47:45,500 --> 00:47:52,500 we are offering a value added service that many people in the community can, 364 00:47:52,500 --> 00:48:02,500 will and do enjoy such that we are ultimately complementing the vision of Tauri, 365 00:48:02,500 --> 00:48:09,500 which is to make software more accessible and better and more cost efficient 366 00:48:09,660 --> 00:48:12,660 and more energy efficient. 367 00:48:12,660 --> 00:48:23,660 Being able to have a corporate vision that aligns with the open source project is absolutely essential. 368 00:48:23,660 --> 00:48:31,660 I think we were also lucky to raise money as a company 369 00:48:31,660 --> 00:48:38,660 before the interest rates in the US rose to the extent that they have and are stuck at. 370 00:48:38,820 --> 00:48:47,820 I have also an entire talk that I gave at the Merge Conference in Berlin 371 00:48:47,820 --> 00:48:53,820 about designing open source for resilience. 372 00:48:53,820 --> 00:49:00,820 And in the context of that, starting a company isn't something everybody is cut out to do. 373 00:49:00,820 --> 00:49:06,820 Sometimes it's good enough when this is something you just build for a couple friends. 374 00:49:06,980 --> 00:49:17,980 And I guess the thing you have to do is know yourself. 375 00:49:17,980 --> 00:49:24,980 If you don't know who you are as a person, then don't start a company. 376 00:49:24,980 --> 00:49:26,980 Just don't. 377 00:49:26,980 --> 00:49:33,980 If you don't know what open source means, join a project and find out. 378 00:49:34,140 --> 00:49:43,140 If you are in a position to think about your life, 379 00:49:43,140 --> 00:49:50,140 apply for an NGI grant, get some funding, work on a project that's meaningful to you, 380 00:49:50,140 --> 00:49:56,140 and you can always decide later that you want to start a company or not. 381 00:49:56,300 --> 00:50:03,300 I wouldn't ever rush into building a company on the back of open source software. 382 00:50:03,300 --> 00:50:10,300 I think that's a decision that, first of all, you should never take alone. 383 00:50:10,300 --> 00:50:15,300 And second of all, one that needs to have you in the right headspace. 384 00:50:17,300 --> 00:50:25,300 So you're saying the company is more the result of the project rather than the starting point? 385 00:50:25,460 --> 00:50:28,460 Yeah, it really is. 386 00:50:28,460 --> 00:50:33,460 I think if you were to go to the Tauri community and say, 387 00:50:33,460 --> 00:50:37,460 hey, Tauri community, can somebody build me a plugin for Tauri mobile? 388 00:50:37,460 --> 00:50:41,460 The Tauri community would be like, well, how? 389 00:50:41,460 --> 00:50:43,460 We can't write invoices. 390 00:50:43,460 --> 00:50:47,460 We can take donations, but we can't charge you for something. 391 00:50:47,460 --> 00:50:51,460 And furthermore, how do you guarantee the availability of a volunteer? 392 00:50:51,460 --> 00:50:54,460 Like, none of that stuff makes any sense. 393 00:50:54,620 --> 00:50:59,620 And if there is a desire for things like corporate services, 394 00:50:59,620 --> 00:51:06,620 maybe someone in that working group of that open source project should get a tax ID 395 00:51:06,620 --> 00:51:10,620 and freelance and see if there's really a market there. 396 00:51:10,620 --> 00:51:20,620 And I think that a common, actually more common than a lot of us would like to admit, 397 00:51:20,780 --> 00:51:32,780 a common thing is that companies will send an engineer to the Tauri Discord and ask questions, 398 00:51:32,780 --> 00:51:36,780 but then they can't show the code because it's proprietary. 399 00:51:36,780 --> 00:51:44,780 And in that moment where you have an entity like in our case, CrabNebula, 400 00:51:44,940 --> 00:51:50,940 or someone in the working group who's willing to sign NDAs, 401 00:51:50,940 --> 00:51:56,940 you can actually sign an NDA and give a corporate customer the ability to talk to you. 402 00:51:56,940 --> 00:52:02,940 And I just can't emphasize it enough, like getting a bug report 403 00:52:02,940 --> 00:52:06,940 and then not being able to replicate it because OP said, 404 00:52:06,940 --> 00:52:10,940 this is corporate, it's proprietary, I can't share it with you. 405 00:52:11,100 --> 00:52:17,100 That is probably the most demotivating conversation ever, 406 00:52:17,100 --> 00:52:22,100 because someone from the community wants to help someone else from the community, 407 00:52:22,100 --> 00:52:25,100 but that other person from the community who needs the help 408 00:52:25,100 --> 00:52:32,100 isn't in a position to explain what their problem is. 409 00:52:32,100 --> 00:52:36,100 So what you end up doing is you kind of guess and you poke around 410 00:52:36,100 --> 00:52:38,100 and it just wastes everybody's time. 411 00:52:38,260 --> 00:52:46,260 So I think that for engagement with other businesses, 412 00:52:46,260 --> 00:52:52,260 if that's what your path takes you on, then set up a company. 413 00:52:52,260 --> 00:52:59,260 If you're a true and pure altruist who really only wants to do something good, 414 00:52:59,260 --> 00:53:05,260 then quit your job after you get a successful grant through the NGI program 415 00:53:05,420 --> 00:53:08,420 and try that out for a while, see how that feels. 416 00:53:08,420 --> 00:53:12,420 See how it feels to actually, and it's not great for everybody, 417 00:53:12,420 --> 00:53:18,420 but see how it feels for you to take money as a donation 418 00:53:18,420 --> 00:53:21,420 for being a member of the open community. 419 00:53:23,420 --> 00:53:27,420 And then maybe you'll know more about what you want to do with the project afterwards. 420 00:53:27,580 --> 00:53:38,580 Well, this sounds like amazing advice and also this NGI funding 421 00:53:38,580 --> 00:53:47,580 is really helpful to start in becoming an open source developer 422 00:53:47,740 --> 00:53:52,740 and trying to finding out if it is for you indeed. 423 00:53:56,740 --> 00:54:03,740 What advice would you give to people who consider applying for an NGI fund? 424 00:54:07,740 --> 00:54:12,740 You know, last, gosh, I think it was November. 425 00:54:12,900 --> 00:54:20,900 There was an NGI event held in Brussels and we had a workshop at the end of the day 426 00:54:20,900 --> 00:54:28,900 and somebody spoke up and said, how can we tell Europe what's important to us? 427 00:54:29,900 --> 00:54:35,900 And my response, you know, I'm sorry that you folks at NLnet have to hear this 428 00:54:35,900 --> 00:54:40,900 and go through this, but my response is, on the one hand, 429 00:54:41,060 --> 00:54:46,060 my response is apply for more money. 430 00:54:46,060 --> 00:54:53,060 Spend all of their money as fast as possible so that we can prove 431 00:54:53,060 --> 00:54:58,060 that there is a need for open source in Europe, in the world, 432 00:54:58,060 --> 00:55:04,060 that we can show that Europe is a guiding light for community building 433 00:55:04,060 --> 00:55:07,060 and contributing to the commons. 434 00:55:07,220 --> 00:55:15,220 And I guess my advice is to go to the NGI.eu website 435 00:55:15,220 --> 00:55:20,220 and look at the various programs that exist, 436 00:55:20,220 --> 00:55:27,220 be prepared for an application to flow quite easily 437 00:55:27,220 --> 00:55:29,220 as compared to other Horizon projects. 438 00:55:29,220 --> 00:55:36,220 I can confirm that the work involved in applying for a cascade type NGI grant 439 00:55:36,380 --> 00:55:43,380 is much, much lower than a lot of the other grant applications 440 00:55:43,380 --> 00:55:44,380 you might have heard of. 441 00:55:44,380 --> 00:55:51,380 Nevertheless, be prepared for it to last three, four, five months 442 00:55:51,380 --> 00:55:55,380 until you get confirmation of the grant happening. 443 00:55:55,380 --> 00:56:03,380 And whatever you do, don't make decisions for your life 444 00:56:03,540 --> 00:56:07,540 based on the potentiality of getting a grant. 445 00:56:07,540 --> 00:56:11,540 This is coming back to my advice to everybody to maintain your mental health. 446 00:56:11,540 --> 00:56:14,540 Don't think just because you applied for a grant 447 00:56:14,540 --> 00:56:16,540 that you're going to get the grant. 448 00:56:16,540 --> 00:56:18,540 Sometimes you have to do follow-up. 449 00:56:18,540 --> 00:56:20,540 Sometimes you have to be prepared to hear no. 450 00:56:20,540 --> 00:56:28,540 And I think as a final word, this is something that is true 451 00:56:28,540 --> 00:56:30,540 no matter what you're doing. 452 00:56:30,700 --> 00:56:35,700 Imagine that the person reading your application for a grant, 453 00:56:35,700 --> 00:56:40,700 just like reading your application for a CFP at a conference, 454 00:56:40,700 --> 00:56:47,700 just like somebody looking at your CV for a job, 455 00:56:47,700 --> 00:56:51,700 give them as much information as you can. 456 00:56:51,700 --> 00:56:55,700 Make it clear what you want to do, what the impact is, 457 00:56:55,700 --> 00:56:57,700 who you're going to be working with, 458 00:56:57,860 --> 00:57:00,860 how much time you think it's going to take, 459 00:57:00,860 --> 00:57:03,860 what you expect to happen as a follow-on step, 460 00:57:03,860 --> 00:57:06,860 what other communities and organizations 461 00:57:06,860 --> 00:57:09,860 and even funding you'll be working with. 462 00:57:09,860 --> 00:57:12,860 That is some great advice. 463 00:57:12,860 --> 00:57:16,860 And for me, that's the end of the questions. 464 00:57:16,860 --> 00:57:18,860 I don't know about you, Ronny. 465 00:57:18,860 --> 00:57:20,860 It was amazing. 466 00:57:20,860 --> 00:57:24,860 We had a great conversation. 467 00:57:25,020 --> 00:57:32,020 This really was insightful into the Tauri project, 468 00:57:32,020 --> 00:57:39,020 into Servo, and into open source and companies. 469 00:57:39,020 --> 00:57:42,020 I would like to thank you very much for this. 470 00:57:42,020 --> 00:57:45,020 It was my pleasure. Thanks for having me. 471 00:57:45,020 --> 00:57:50,020 Is there anything you would still like to add that we missed maybe? 472 00:57:50,020 --> 00:57:54,020 Don't be afraid to reach out to people in open source. 473 00:57:54,180 --> 00:57:59,180 I think the easiest way to start contributing to open source 474 00:57:59,180 --> 00:58:02,180 is to look at projects you like, 475 00:58:02,180 --> 00:58:05,180 give them a star and help out in the documentation 476 00:58:05,180 --> 00:58:11,180 and get to realize that there's real people behind these projects. 477 00:58:11,180 --> 00:58:15,180 And just remember to be friendly. 478 00:58:15,180 --> 00:58:18,180 I think that's the best advice I can give. 479 00:58:18,180 --> 00:58:21,180 That's good advice to just about anybody. 480 00:58:21,180 --> 00:58:23,180 Remember to be friendly. 481 00:58:23,340 --> 00:58:26,340 Thank you, Daniel, for taking the time to talk to us. 482 00:58:26,340 --> 00:58:28,340 It was really insightful. 483 00:58:28,340 --> 00:58:30,340 It was my pleasure. 484 00:58:30,340 --> 00:58:32,340 Thank you.