The Changelog: Software Development, Open Source

Latest episodes

Dec 5, 2018 • 1h 9min

The insider perspective on the event-stream compromise (Interview)

Adam and Jerod talk with Dominic Tarr, creator of event-stream, the IO library that made recent news as the latest malicious package in the npm registry. event-stream was turned into malware, designed to target a very specific development environment and harvest account details and private keys from Bitcoin accounts. They talk through Dominic’s backstory as a prolific contributor to open source, his stance on this package, his work in open source, the sequence of events around the hack, how we can and should handle maintainership of open source infrastructure over the full life-cycle of the code’s usefulness, and what some best practices are for moving forward from this kind of attack.

Sponsors:
- Rollbar – We catch our errors before our users do because of Rollbar. Resolve errors in minutes, and deploy your code with confidence. Learn more at rollbar.com/changelog.
- Linode – Our cloud server of choice. Deploy a fast, efficient, native SSD cloud server for only $5/month. Get 4 months free using the code changelog2018. Start your server - head to linode.com/changelog.
- GoCD – GoCD is an on-premise open source continuous delivery server created by ThoughtWorks that lets you automate and streamline your build-test-release cycle for reliable, continuous delivery of your product.
- Command Line Heroes – A new podcast about the epic true tales of the developers, hackers, and open source rebels revolutionizing the tech landscape from the command line up. Presented by Red Hat.

Featuring: Dominic Tarr, Adam Stacoviak, Jerod Santo

Show Notes:
- The issue that kicked off everything
- We covered the incident on Changelog News
- Here’s Dominic’s statement that we reference repeatedly
- Felix Krause had some on-point commentary on Twitter
- TideLift says event-stream gets 2 million downloads per week
- SwiftOnSecurity also chimed in on Twitter
- Learn more about Project Xanadu
- We discussed Reproducible Builds with Chris Lamb back in the day
- Also check out A call for kindness in open source with Brett Cannon

Nov 28, 2018 • 1h 22min

A good open source password manager? Inconceivable! (Interview)

Perry Mitchell joined the show to talk about the importance of password management and his project Buttercup — an open source password manager built around strong encryption and security standards, a beautifully simple interface, and freely available on all major platforms. We talked through encryption, security concerns, building for multiple platforms, Electron and React Native pros and woes, and their future plans to release a hosted sync and team service to sustain and grow Buttercup into a business that’s built around its open source.

Sponsors:
- Rollbar
- Linode
- GoCD
- Fastly – Our bandwidth partner. Fastly powers fast, secure, and scalable digital experiences. Move beyond your content delivery network to their powerful edge cloud platform. Learn more at fastly.com.

Featuring: Perry Mitchell, Adam Stacoviak, Jerod Santo

Show Notes:
- Buttercup
- Have I Been Pwned: Check if your email has been compromised in a data breach
- Key derivation function on Wikipedia
- Sallar Kaboli on GitHub
- Buttercup Roadmap
- Why I love password managers on Changelog News
- reproducible-builds.org
- The Changelog #237: Reproducible Builds and Secure Software with Chris Lamb
- ownCloud - The leading OpenSource Cloud Collaboration Platform
- Nextcloud
- KeePass Password Safe
- Open Source Password Management Solutions

Nov 21, 2018 • 1h 8min

Tidelift's mission is to pay open source maintainers (Interview)

In this special crossover episode of Founders Talk, Adam talks with Donald Fischer. Donald Fischer and the team at Tidelift are on a mission of making open source work better — for everyone. To pay the maintainers of open source software they are putting a new spin on a highly successful business model that’s a win-win for the maintainers as well as the software teams using the software. In this episode we dig into that backstory and Donald’s journey.

Sponsors:
- Rollbar
- Linode
- GoCD
- Fastly

Featuring: Donald Fischer, Adam Stacoviak

Show Notes:
- There’s over $1M to pay open source maintainers on Tidelift
- It’s time to pay the maintainers!
- Tidelift
- Is React’s development “supported” by Facebook? That depends.
- Havoc Pennington
- Jeremy Katz
- Luis Villa
- Listen to the original episode.

Nov 14, 2018 • 1h 29min

The road to Brave 1.0 and BAT (Interview)

This week Adam and Jerod talk with Brian Bondy, Co-founder and CTO of Brave. They talked through the beginnings of Brave and how BAT (Basic Attention Token) could be driving the future of how we offer funding and tips to our favorite websites and content creators. Of course, they go deep into the historical and the technical details of the Brave browser and their march to Brave 1.0. The last segment of the show covers how BAT works, how it’s being used, and also their interesting spin on an ad model that respects the user’s privacy.

Sponsors:
- Rollbar
- DigitalOcean – DigitalOcean is simplicity at scale. Whether your business is running one virtual machine or ten thousand, DigitalOcean gets out of your way so your team can build, deploy, and scale faster and more efficiently. New accounts get $100 in credit to use in your first 60 days.
- Algolia – Our search partner. Algolia’s full suite search APIs enable teams to develop unique search and discovery experiences across all platforms and devices. We’re using Algolia to power our site search here at Changelog.com. Get started for free and learn more at algolia.com.
- GoCD

Featuring: Brian Bondy, Adam Stacoviak, Jerod Santo

Show Notes:
- Brave Browser
- Browser.html, an experimental Servo browser in HTML
- Muon, a fork of the Electron framework
- Request For Commits #11: Funding the Web with Brendan Eich
- Tracking Protection in Firefox For Privacy and Performance
- StatCounter Global Stats, Browser Market Share Worldwide
- BAT (Basic Attention Token)

Nov 9, 2018 • 1h 27min

There and back again (Dgraph's tale) (Interview)

This week we talk with Manish Jain about Dgraph, graph databases, and licensing and re-licensing woes. Manish is the creator and founder of Dgraph and we talked through all the details. We covered what a graph database is, the uses of a graph database, and how and when to choose a graph database over a relational database. We also talked through the hard subject of licensing/re-licensing. In this case, Dgraph has had to change their license a few times to maintain their focus on adoption while respecting the core ideas around what open source really means to developers.

Sponsors:
- Rollbar
- DigitalOcean
- Algolia
- GoCD

Featuring: Manish R Jain, Adam Stacoviak, Jerod Santo

Show Notes:
- Open Source Licensing & Relicensing · Issue #833 · thechangelog/ping
- Dgraph — A Distributed, Fast Graph Database
- Stack Exchange Data Dump : Stack Exchange, Inc.
- Google Inc. Acquires Metaweb Technologies Inc. | Inc.com
- Official Google Blog: Deeper understanding with Metaweb
- Switching Dgraph to a Liberal License - Dgraph Blog
- The History of the LICENSE.md file of Dgraph
- Commons Clause License
- The Open Source Definition | Open Source Initiative
- It’s not okay to pretend your software is open source | Drew DeVault’s Blog
- flickrfs - Virtual Filesystem for Flickr

Oct 31, 2018 • 1h 24min

Drupal is a pretty big deal (Interview)

Adam and Jerod talk with Angie Byron, a core contributor and staple of the Drupal community. We haven’t covered Drupal really (sorry about that), but the call with Angie was inspiring! From the background, to the tech, the usage of the software, the communication at all levels of the community — Drupal is doing something SO RIGHT, and we’re happy to celebrate with them as they march on to the “Framlication” beat of their own drum.

Sponsors:
- Rollbar
- Linode
- GoCD
- Command Line Heroes

Featuring: Angie Byron, Adam Stacoviak, Jerod Santo

Show Notes:
- Dries Buytaert started Drupal in 2001
- PHP Nuke used to be the bee’s knees (but not really)
- 2004: The scream that doomed Howard Dean
- Acquia employs Angie and other Drupal folks
- DrupalCon 2019 is in Seattle April 8-12
- Gabe Sullice is working on the API first initiative
- webchick on Drupal.org
- Differences between full and provisional core committers | Drupal.org
- Drupal core maintainers | Drupal.org
- Planet Drupal | Drupal.org
- News | Drupal.org
- API-First Initiative | Drupal.org
- Drupal Association | Drupal.org

Oct 25, 2018 • 59min

Venture capital meets commercial OSS (Interview)

Joseph Jacks, the Founder and General Partner of OSS Capital, joined the show to share his plans for funding the future generation of commercial open source software based companies. This is a growing landscape of $100M+ revenue companies ~13 years in the making that’s just now getting serious early attention and institutional backing — and we talk through many of those details with Joseph. We cover the whys and hows, why OSS now, deep details around licensing implications, and we speculate on the types of open source software that make sense for the types of investing Joseph and others plan to do.

Sponsors:
- Hired – Salary and benefits upfront? Yes please. Our listeners get a double hiring bonus of $600! Or, refer a friend and get a check for $1,337 when they accept a job. On Hired companies send you offers with salary, benefits, and even equity upfront. You are in full control of the process. Learn more at hired.com/changelog.
- Linode – Our cloud server of choice. Deploy a fast, efficient, native SSD cloud server for only $5/month. Get 4 months free using the code changelog2019. Start your server - head to linode.com/changelog.
- GoCD + Kubernetes – With GoCD running on Kubernetes, you define your build workflow and let GoCD provision and scale build infrastructure on the fly. GoCD installs as a Kubernetes native application. Scale your build infrastructure elastically. Learn more at gocd.org/kubernetes.

Featuring: Joseph Jacks, Adam Stacoviak, Jerod Santo

Show Notes:
- The Changelog #310 — Open sourcing the DEV community with Ben Halpern
- Request for Commits #9 — Open source and licensing with Heather Meeker
- OSS Capital
- The $100M+ revenue commercial open source software company index
- Commons Clause License
- Open Core - Definition, examples, and tradeoffs
- FOSSA
- GNU AGPL (Affero General Public License)
- Mozilla Public License Version 2.0
- Storj

Oct 17, 2018 • 1h 6min

Keepin' up with Elm (Interview)

Jerod invites Richard Feldman back on the show to catch up on all things Elm. Did you hear? NoRedInk finally had a production runtime error, the community grew quite a bit (from ‘obscure’ to just ‘niche’), and Elm 0.19 added some killer new features around asset optimization.

Sponsors:
- Hired
- Rollbar
- Linode
- Raygun – Unblock your biggest app performance bottlenecks with Raygun APM. Smarter application performance monitoring (APM) that lets you understand and take action on software issues affecting your customers.

Featuring: Richard Feldman, Jerod Santo

Show Notes:
- The Changelog #218 was Elm’s first appearance
- NoRedInk still employs Richard and Evan
- The Python Paradox by Paul Graham
- Small Assets without the Headache in Elm 0.19
- Elm in Action
- Elm courses on Frontend Masters

Oct 15, 2018 • 32min

BONUS – Sustain Summit 2018 (Interview)

In this special bonus call, Adam and Jerod talk with Allen “Gunner” Gunn about the Sustain Summit. They talk about what it is, the kind of conversations that happen there, issues the open source community are facing right now, and how Sustain stands out from traditional “unconferences.” Sustain 2017 was a big hit, and this year’s event should be even better. Join us!

Sponsors:
- Fastly
- Rollbar
- Linode

Featuring: Allen Gunn, Adam Stacoviak, Jerod Santo

Show Notes:
- Sustain Summit 2018 | A one-day event for Open Source sustainers
- Sustain 2017 Report
- The Changelog #237: Reproducible Builds and Secure Software with Chris Lamb
- The Changelog BONUS - Sustain Open Source Software with Justin Dorfman
- Roads and Bridges: The Unseen Labor Behind Our Digital Infrastructure / Ford Foundation

Oct 10, 2018 • 1h 31min

A call for kindness in open source (Interview)

Adam and Jerod talk to Brett Cannon, core contributor to Python and a fantastic representative of the Python community. They talked through various details surrounding a talk and blog post he wrote titled “Setting expectations for open source participation” and covered questions like: What is the purpose of open source? How do you sustain open source? And what’s the goal? They even talked through typical scenarios in open source and how kindness and recognizing that there’s a human on the other end of every action can really go a long way.

Sponsors:
- Vettery – Vettery helps you scale your teams by connecting you with highly qualified tech, sales & finance candidates. Download their tech salary report for 2018 with insights from tech hiring activity in New York City, San Francisco, Los Angeles, and Washington D.C. Download at vettery.com/changelog.
- DigitalOcean
- Raygun
- Algolia

Featuring: Brett Cannon, Adam Stacoviak, Jerod Santo

Show Notes:
- Setting expectations for open source participation
- Benjamin Bertrand on Twitter: “Very good talk from @brettsky about interaction in open source: https://t.co/yJYfjTYPzZ I’m sure that would make an excellent @changelog episode!”
- The Changelog #300: Corporate interests in open source and dev culture with Zed Shaw
