Season 2 — Episode 6

As the new normal continues, the evolution of open-source software thrives. Lucy Wyman runs down the evolution and importance of Puppet’s Open Source Stewards on this episode. 

Curious about Puppet Open Source? You can try it for free: 



00:00:20 Demetrius Malbrough Hey, everyone, thanks for joining this episode of Pulling the Strings podcast powered by Puppet. And I'm delighted to be your host. My name is Demetrius Malbrough, principal technical product marketing manager here at Puppet. And I'm really excited today to talk with Lucy Wyman. And Lucy is a software engineer here at Puppet, where she currently works on our open source remote task runner, Bolt. Lucy, how are you today?

00:00:49 Lucy Wyman I'm good, Demetrius. How are you?

00:00:51 Demetrius Malbrough I am doing fantastic. If I was any better, I would be twins. But maybe that's an old dad joke. All right. So let's take it small and let's start off really light here. And let's first start with, I guess, the thriving open source ecosystem here at Puppet, OK, and what does open source mean to you and how has it evolved since you got started here at Puppet several years ago?

00:01:20 Lucy Wyman Yeah. So I feel like these are two really different questions, because open source for me is a lot more than just Puppet. To me, open source is very much like fair and equal access, not just access to code bases to propose changes and collaborate, which I think is really central to the open source philosophy, but also just access to learn from those code bases and the ability for everyone to know what software they're running on their systems. Matthew Garrett actually is a famed Linux firmware developer and security engineer, and he wrote, I think, a really good blog post that sums up the value of open source, free and open source software, called What Free Software Means To Me. Like open source to me is all about equity, but specifically at Puppet, open source has evolved quite a bit, and I won't pretend to know all the nitty gritty details of the Puppet repo itself just since I've never worked directly on it. And I only started at Puppet in the summer of 2015, so five years ago now. But I think that Puppet started out as an open source project and as an overnight success, 10 years in the making, right? And so I think that there came a point where for the Puppet project itself, open source was at first great. Like I think without being open source, I'm not sure Puppet would be nearly as popular as it is. Or, you know, there's a question of whether the company would even exist. But I also think it got to a point where there's just very overwhelming for the maintainers of Puppet. And this happens to a lot of open source projects where it just gets to be an overwhelming amount of activity for the number of maintainers that are on Puppet. And so I think we saw kind of a crest of open source activity, and then especially around modules, like I think there's a ton of open source community activity around those. And then I'll say probably four years ago, probably around when Luke left Puppet, we really kind of saw a little bit of like a down slope in our open source community and open source interactions. I think that's, again, a pretty natural arc that a lot of open source projects follow where it kind of peaks and becomes overwhelming. And then we have to step back a little and say, like, how do we maintain this project going forward and try to balance kind of how we plan Puppet and work with Puppet in the community and how we do it in the company itself. And two years ago, we really saw kind of a revival of wanting to invest in our open source community at Puppet, the company. So that manifested in, as we'll talk about a little later, like the open source stewards being born and us really encouraging, like open sourcing, a couple of other Puppet projects like Bolt and really trying to, like, I don't want to say invest in our open source community, but put more resources from the company into encouraging like module development and forge interactions and try to revitalize.

00:04:39 Demetrius Malbrough So I guess how about let's go back a little bit and maybe do kind of a one on one for a new Pulling the Strings listener and maybe talk a little bit about you mentioned the modules that were placed, that are on the Forge. Can you maybe give a little information about, I guess, how the modules are placed on the Forge and how they fit into the entire picture of the open source ecosystem here at Puppet.

00:05:07 Lucy Wyman Yes. So, I mean, Puppet is many things, but one thing that it is a way of managing resources on machines or systems. And one thing Puppet provides is a domain specific language for helping you manage those resources. And what a module is almost like any other software library. It's a chunk of Puppet code. Someone else has written that you can then reuse to manage these same resources on your systems so that you don't have to rewrite, you know, reinvent the wheel. So, for example, I think one of our most popular modules is the Apache module. So it helps you install, configure, and manage Apache virtual hosts, web services, and modules. So that's an example of a module. And like you said, Demetrius, we have tons of them on the Puppet Forge, which is kind of a centralized location where people can publish their modules. And we actually have, to quote you some numbers off the Forge, we have over 6,000 modules on the Forge with over 2,000 unique community contributions or contributors.

00:06:12 Demetrius Malbrough Wow. Yeah, that's a lot. And just kind of taking those details and that information in, you touched on it just a tad bit earlier around, I guess some of the, like if you're running or if you have a thriving community of open source users and you have to have some type of processes and some type of ethos around making sure that everyone is doing their job and doing it in such a way that it's not offensive, I guess, right? So I guess that takes me to Open Source Stewards. And can you tell me a little bit about what it is, and I guess, what are they responsible for?

00:06:53 Lucy Wyman Yeah. So the Open Source Stewards is a group dedicated to upholding and evolving Puppet's processes and ethos regarding open source software. And so basically what that means is that we are aiming to help open source projects at Puppet, and the contributors who participate in those projects, to be successful building software together. And I can talk a little bit about what that kind of manifests as, but basically we're like the like boots on the ground for, like, helping people in repos, like improve the repositories. So as an example, one of the first efforts that we did a year ago now was making sure that every public repository at Puppet had a code owners file. And what a code owners file is -- GitHub introduced this, I think, pretty shortly before we started this effort, maybe 18 months or 24 months ago -- and the idea is that it's a markdown file at the top of your repos, so like at the at the root of the repo and the file structure, and you can list either individual GitHub users or GitHub teams that will get notified when certain actions happen on the repo. And you can kind of specify other like you can block merging powers on needing a code owner review. It's kind of like a really like role-based access control, almost. But we primarily use it just for notifications. So what that ensures is that whenever someone opens a pull request or opens an issue, someone at Puppet gets notified. And the intention there was to help contributors, like be certain that someone had seen whatever interaction they had just had and make sure that they knew how to contact someone to follow up on. Then you have a user name or a set of users that you know you can ping for answering questions or following up on a pull request, and the code owners -- one kind of misconception we ran into when we were rolling this out was that a lot of people were like, well, I don't own this code or I'm not even like actively developing this. But what we really wanted to make sure was that even if you're like, responsible for the code, you're accountable for it. And you need to have at least someone, you know, be able to, like, get review an issue or review a PR. And for all the repos that no one claimed to be a code owner, we archived.

00:09:27 Demetrius Malbrough Once again, I want to do a one on one for maybe some of our new pulling strings listeners. Some, you may have someone that is new to Puppet. Just kind of sum up, you know, what is a pull requests and what's a repo and things like that. I know it's really elementary but still may be worth mentioning.

00:09:46 Lucy Wyman No, not at all. Like GitHub is very complex and it's always good to go over the basics. So yeah, a repo is a collection of code on GitHub. There's kind of a distinction, actually, I'm reading this really great book by Straight Press called Working in Public that I think defines these really well. So a repository can be part of a project, but a project can span multiple repositories. And so a repo really just like a organized collection of code on GitHub. It belongs to a user and usually has kind of a focused goal or focused use. But there are all kinds of repos. I mean, there are some repos where it's like one 30 line file that color codes the text on your screen. And there is some like I think Google, famously, I don't know if this is true or not, but Google famously had what's called a motto repo, which is where they organized several projects under the same repository, which was obviously a very high touch. I mean, it was literally millions, maybe even billions of lines of code.

00:10:53 Demetrius Malbrough Wow.

00:10:54 Lucy Wyman Yeah. And so...

00:10:55 Demetrius Malbrough That's crazy.

00:10:56 Lucy Wyman Yeah. So repos can look and be really different. And then a pull request is proposing a change to the code base. And so it's also sometimes called a patch, and yeah, you just say, I think some of these lines should change. And usually it comes with like a comment and then maintainers can review and comment on that and merge it or not merge it. Merging it just moves it into kind of the trunk of the code base.

00:11:22 Demetrius Malbrough There you have it, Pulling the Strings listeners, you are all veterans now on gitHub and pull requests and repo, etc.. So thank Lucy for giving you the rundown on that. I guess going back to Open Source Stewards, you know, what are some of the coolest things that you've done with Open Source Stewards, maybe like around the r10K community partnership or some other things that you think probably are considered really cool?

00:11:50 Lucy Wyman Yeah. So we've had two really great efforts to partner with the community on some repos. The first you mentioned is r10K. And that was a really interesting like partnership to manage because it was a repo that Puppet is still very invested in. And like I wouldn't necessarily call it actively working on, but definitely actively maintaining. But the community wanted to drive development of r10K much more quickly than we were able to kind of keep up with the maintainer-ship roles. And so basically what that looked like was laying down kind of, I don't know if I would call it ground rules, but like a guideline for, you know, who can merge what, under what circumstances, and who drives development of the repos. Basically giving a few community members -- Finch, also known as Adrian Thiebaud, and David Hollander -- more license to like merge their own pull requests and develop on r10K. Another really cool project that I will give full credit to Ben Ford for is a product called Dropsonde, which is often non-identifiable telemetry collected from modules and it's publicly available. You can go to the repo, it's And there's links to where you can see the data there. And that's about collecting metrics on modules so that module consumers can get a better idea of how modules are being used.

00:13:28 Demetrius Malbrough Is that just something that management would use? Like wanting to get metrics?

00:13:33 Lucy Wyman No, I think it's much more about like if you find a module on the Forge, it's hard to tell, like, does this actually solve my problem? Which of these like, there's many different, like Apache modules, which is the one that everyone actually uses? And so surfacing this usage data lets you like, identify which module is right for your use case.

00:13:57 Demetrius Malbrough Okay, well, I'm going to switch it up a little bit. Lucy, are you ready?

00:14:01 Lucy Wyman I actually do have one more project that we just completed that I want to talk about. We recently transferred the Beaker repo, so we talked about the r10K community partnership, which is much more like Puppet as the company working together with the community. And we did a similar thing for Beaker, although Puppet has really divested from Beaker and it's, they're not quite plugins, but like related repos, like we have a Beaker-Puppet repo or Beaker host generator. And so we started the process of transferring those to Vox Pupuli, and they are a collective that maintains like Puppet modules, tooling, documentation. They're really fantastic. And they were interested, similar to r10K, they were really interested in driving forward development of Beaker. And so we just wholesale gave them the repo. And that doesn't mean that Puppet is never going to make another PR to Beaker again -- I completely suspect we will, but it just gives Fox like full control over the planning and development cycle of Beaker, and we are in the process right now of transferring several other repos as well. Like I mentioned, Beaker-Puppet, Beaker host generator, Beaker-Hiera, a bunch of others.

00:15:16 Demetrius Malbrough Okay, do we have any others?

00:15:19 Lucy Wyman That's it.

00:15:20 Demetrius Malbrough All right. I was a little excited to move on to this next next comment that I'm gonna make here. So I think everyone's gonna like this because I did a little research, and I found, and maybe it's just been in the news, right, so Black Lives Matter is going on. And it's just, it's a lot going on right now with COVID-19, and it's just an entire big thing that's happening. And I saw that Twitter and JP Morgan are removing master, slave, and blacklist from their code. And Twitter is also dropping the terms as well, including, yes, so blacklist is included. There was a couple of engineers that lobbied for the use of more inclusive programing languages and just wanted to get your opinion and your take on that and maybe some of the things that we're doing here at Puppet to follow along the same lines or if something's different.

00:16:17 Lucy Wyman Yeah, I hope this is obvious, I'm in full support of more inclusive language. There's just really no point in having language that feels exclusive or hints at some really awful things like slavery, I think doesn't really have a place in like our work or in the tech community in general. And so we are doing some similar things here at Puppet, and I guess I do want to make sure that we know that these aren't the only things we're doing at Puppet. Like, I think that language is important, but it's not the only thing that's important. And we are also thinking a lot about our hiring practices. And, you know, where do we recruit candidates from and how do we really encourage and promote diversity at our company and ensure that people of color, you know, feel like they are part of the Puppet community and part of our work here.

00:17:13 Demetrius Malbrough Yeah.

00:17:13 Lucy Wyman So I guess to the language end, we have several similar efforts. We're renaming all of our master branches to main. We're renaming the slave-master terminology in our, like, infrastructure. I think there's a couple others, we're renaming the Puppet master to Puppet server. I think that we, like I said, just really want to make sure that now and going forward, we're using the most inclusive and clear language that we can.

00:17:43 Demetrius Malbrough Thanks for sharing that, because it is definitely a sensitive topic nowadays. And I really appreciate you being open and sharing your thoughts around that and also what Puppet is doing as well. So I appreciate that. And one other question, too, for you, Lucy. Is there anything that you would like for our listeners to know that maybe they didn't know that you feel like sharing around something that you like to do that's related to maybe coding or maybe it's not related to coding? Is there anything?

00:18:18 Lucy Wyman Ooh. Actually, yeah. Right now, I am part of the staff that's running a conference that usually happens in Seattle, but it'll be online this year called the Seattle GNU/Linux Conference or SeaGL. And I guess I hate to use this as a platform to promote other things in my life, but I really think that our listeners might be interested in it. And the conference itself is happening November 13th and 14th, and it's all about free and open source software. It's totally grassroots. And yeah, it's just a really fun community event and we hope it's going to be a great way to connect to the Foss community even during these crazy times. Yeah, if people are interested, all the information is at I've been spending a lot of time helping run it recently, so it's kind of at the forefront of my brain.

00:19:12 Demetrius Malbrough Well, if it's open source, it's definitely worthy of mentioning on Pulling the Strings because we all about open source here, and sharing. So thanks for sharing that. And maybe we'll drop a link in the transcript some way as well. Yeah. Is there also any way that the listeners can maybe get in touch with you or reach out on social media like Twitter or LinkedIn?

00:19:33 Lucy Wyman Yeah, I do have a Twitter that I actually only use for work, so it's pretty boring. I'm a little bit of a shell on Twitter, but it's @theLucyWyman. And then I am also pretty active in our community Slack, which I believe is

00:19:49 Demetrius Malbrough All right. Thank you so much for coming on Pulling the Strings podcast. And until next time, Lucy. We'll make sure we have you on again in the future, alright?

00:19:58 Lucy Wyman Yeah. Thanks so much, Demetrius.