The POPCAST with Dan POP

Episode 91 - Microsoft Azure's Aeva Black, an Open Source Dragon

Episode Summary

Once described as "an ancient and powerful open source dragon," Aeva Black is a dot-com veteran, an open source hacker, and a queer and non-binary geek. They work in the Azure Office of the CTO to improve the state of open source software supply chain security, and to support teams working on cloud security and digital privacy. Back in 2012, they launched OpenStack's Bare Metal Cloud program, enabling performance-sensitive cloud native workloads to run without a hypervisor. Aeva currently serves on the Board of the Open Source Initiative, the non-profit which stewards the definition of "open source", and works within several other foundations including the Confidential Computing Consortium and the Cloud Native Computing Foundation. Aeva is a lifelong student of the buddha dharma and an advocate for LGBTQIA+ rights. They served for several years on the Board of the Consent Academy, a Seattle-area educational non-profit, and were recently published in Transcending, an anthology of trans buddhist authors. In this episode we tackle their journey, their open source roots in various projects, software supply chain and so much more!

Timeline Topics

00:00 - Opener/Sponsors

00:14 - Intro to an ancient and powerful open source dragon, Aeva Black

00:34 - Aeva's Journey

03:34 - HPE Helion OpenStack

06:00 - Ethics and the Code of Conduct

07:36 - Consent as a Tool

09:12 - Burnout and the next phase of Aeva's journey and, more importantly, their life

16:20 - Securing Open Source in the Office of the CTO at Microsoft Azure

17:25 - Software Supply Chain Security from the Open Source dragon (GitBOM)

20:26 - Open Source Initiative

23:13 - Confidential Computing Consortium

25:59 - What is Aeva most proud of?

Episode Links

https://aeva.online/

https://supplychainsecurityconna21.sched.com/

https://github.com/git-bom

https://confidentialcomputing.io/

Support the show by checking out our sponsors below!  

***Teleport***

Teleport allows engineers and security professionals to unify access for SSH servers, Kubernetes clusters, web applications, and databases across all environments. You can download Teleport at https://goteleport.com/popcast  

***Container Solutions***

Check out WTF is Cloud Native - Hybrid Cloud Native conference on November 4th

Registration is live - https://www.cloud-native-conf.wtf

***Gitlab***

Happy Ten Years to GitLab, the open source project. GitLab is inviting you to celebrate alongside them throughout the year. Learn about GitLab's free community programs and how to contribute at https://about.gitlab.com/community/

***Stormforge***  

StormForge’s Kubernetes Performance Testing and Optimization platform is the easiest way to ensure your applications behave the way you want them to, while cutting out unnecessary resources and time spent manually tuning.

Visit https://stormforge.io/popcast for more details

***COCKROACH LABS***

What if you could build like Big Tech? Use the same powerful infrastructure that they spent engineering centuries building...It’s actually possible now with CockroachDB.  

The founders have spent the last eight years creating a cloud-native, distributed SQL database that provides the consistency, ultra-resilience, data locality, and massive scale for modern cloud applications - tech that was once only available to the likes of Google, Facebook and Netflix.  

Check them out and get started for free at https://cockroachlabs.com/popcast

***SUSE Rancher Government Solutions***

SUSE Rancher Government Solutions (RGS) is a leader in Linux and Kubernetes management for federal and U.S. government entities. RGS leverages SUSE’s Linux expertise and Rancher’s Kubernetes excellence to provide secure open source solutions that adhere to federal compliance regulations, supporting SAP HANA, HPC, cloud, edge computing and container management.

https://susergs.com/

***Cisco***

Check out Cisco's super informative blog https://ciscotechblog.com/

***CIVO***

Civo is an alternative to the big hyperscale cloud providers.

They've launched the world's first managed Kubernetes service powered by K3s. With sub-90-second cluster launch times, a simplified Kubernetes experience, and predictable billing, Civo is on a mission to create a better developer experience.

Get $250 free credit to get started. Sign up today at https://civo.com/popcast

***Styra***

Learn how to operationalize Open Policy Agent at scale with Styra: https://hubs.ly/H0Pnkm20

POPCAST SHOW DETAILS (SUBSCRIBE!)

YouTube: https://bit.ly/3xgmmCj

Audio Podcast (Apple, Spotify, and others): http://bit.ly/35MXfte

Follow us on Twitter: https://twitter.com/PopcastPop

Follow us on LinkedIn: https://www.linkedin.com/company/the-popcast-with-danpop

Episode Transcription

- This episode of the Popcast is brought to you by these sponsors. Hello everyone and welcome to the Popcast. This is an ancient and powerful Open-source dragon, Open-source hacker for the Azure Office of the CTO, this is Aeva Black. Welcome to the Popcast, Aeva Black.

- Hey, thanks for having me, Dan.

- Glad to have you on.

- So good to be here.

- Yeah, we've been planning this for a while, so it's good that we finally got to do this. So, let's talk about, like your journey and you know how you got started, all the way to where we are now.

- Sure.

- Yeah, I mean, I guess I started tinkering with computers as a kid. My mom worked in a physics department in university, so I had kinda early access to look at software in like the early 90s. And then...

- Where did you grow up?

- I guess that part of my childhood was Southern California. Like Los Angeles, Santa Barbara, that strip. And I got into college at UC Santa Barbara. Physics first and then Comp Sci. And then I got an offer from a startup, so I kind of just dropped out of college. No degree club. And started working in...

- I am right there with you!

- Cool

- Yeah

- So I started working in a dot-com doing like video games and game streaming and media, peer-to-peer media streaming in '99. And that kind of got me started on open-source. Like we were using CVS and Tcl/Tk and...

- What kind of games did you play growing up? I mean, going into the gaming industry, what are your kind of your favorites?

- Back then. You know, one of my, one of my earliest favorites was this, I think it was called 'Solaris 2', on the Apple IIe. I've never been able to find it since then. Other than that, things that I can still find today, like 'Doom' and 'Quake', 'Rocket Launch Arena' was a lot of fun. Really loved 'Unreal', 'Unreal' was sort of my first experience modding a game.

- Yeah, we used to have like, I actually set up like a LAN in my old apartment and used to be joined in the city. All my friends are like, "Oh, we're gonna play Unreal." And we, you know, we had all the mods, you know, we're playing like guys as like the, you know, the 'He-man' characters was the, you know, like the Beast Master and stuff like that. But I literally, was just like hooking up just a bunch of like a switch and a bunch of computers together. And we all played there.

- Yeah.

- It was fun.

- Yeah, totally.

- It's great. And then, so again, we, this whole like gaming thing, the streaming thing, you're like, okay, you know, physics and getting into Comp Sci, but how does this kind of translate into like eventually where we got into like OpenStack and all of that?

- Sure. So I got, I took a break after that start-up, lived in Germany for a while, studied East Asian religions for a while, some on my own, some in college. And then I got back into tech with MySQL in like 2003. We got involved upstream with the MySQL community by '05. And you know, so OpenStack actually grew out of the same people who did MySQL. A bunch of the MySQL-ers ended up at Rackspace, doing a project called 'Drizzle', sort of a cloud-first database, and I worked with them on that, and then we all pivoted to OpenStack.

- So we have a shared kind of history, right. And, you know, again, as we talked about this, so I used to be at HPE Helion right, and it was funny because like there was, you know, 'Ironic' and there was old 'Nova', 'Neutron', all of those projects. And this was like my first foray out of it, like an investment software company. Like I want to do stuff in the cloud, and so OpenStack was there. And you were like, you know, a tech lead, you're a big, you know, for that, for that thing. Can we talk about kind of that, you know, that, that, that time, yeah?

- Yeah. What, what, I guess I founded 'Ironic'. So let's start with, with an apology to the world for that, like the name is you can blame me for the name and all of the pain that comes with Metal³ and everything that uses 'Ironic' these days, I'm sorry. And also you're welcome.

- And so like, what was the impetus like again, it was like, what was the problem you were trying to solve early on again? It's like, we know where we are now, but like, you know, talk to me about that problem you were trying to solve early.

- Yeah. The initial seed of, of a whole bunch of work was, Hey, clouds are really good at like automating stuff. Right. You can describe your infrastructure as code, but deploying a cloud itself is this really manual, complicated process. What if we could use the same tools to deploy our virtual infrastructure, to actually manage our physical infrastructure? And from that, from that thesis, four of us sort of got together, and divided up the work that would have to happen, and we each picked up a chunk of that. I picked up the hardware automation, how do we make the same capability as a hypervisor, but no hypervisor, using IPMI and PXE or iLO or iDRAC, or you know, whatever to manage the actual hardware, and lay down an operating system without a hypervisor. And so that's sort of the genesis of the 'Nova Bare Metal Driver', which then spun out of 'Nova' to make 'Ironic' as a top level project. And 'Bifrost' and everything else that came from that.

- That's incredible. Like I said, it's kind of divergent paths and, and seeing like, you know, I think a lot of people tried to correct the things that OpenStack didn't do right in Kubernetes, cause like, okay, once bitten, twice shy. It was like, let's, let's correct these things and stuff like that. But again, you got to give props to OpenStack for kind of laying the groundwork for a lot of like community engagement to a certain degree that, you know and I know you're, you know, you're kind of, the stuff you do with the code of conduct. You're very much into ethics. Can we talk about that? Looking at the scope of your career, how ethics played a part in your kind of fraternity?

- Sure, part of that. I want to actually take one step back in conversation and say even everything OpenStack did was built on the learnings of the Debian community and a bunch of communities, as in the MySQL community. And those were built on the successes and failures and the foibles of previous communities. So we're, we're all just sort of passing the baton forward to the next generation of projects and leaders. And Kubernetes is no exception, where we are today passing on that baton from Kubernetes to the next generation of Open-source projects like Wasm. And I don't know what else is cool. You tell me?

- eBPF? Oops

- Yeah yeah yeah that's cool too. So

- I haven't dug into eBPF yet, but it looks pretty rad. Yeah so ethics. I guess I did a brief stint, two years or so, in college studying the Dharma and philosophy and ethics. And I got really, really fascinated by trying to read seminal texts in the original language. So I learned German to read Kant and Nietzsche, and I learned Chinese to try and read like the 'Tao Te Ching' and other works. And I picked up Sanskrit and read some of the old Sutras and that I don't know. Yeah, I love cultures, I love different ways of looking at things and trying to find a commonality to how we all rationalize being human together. And how we experience that. These days, I'm focusing a lot on consent as a, as a tool socially to structure our interactions.

- So talk to me more about like that the whole consent aspect of it. So like give me a practical example of that.

- Practical example of consent. Okay. So little kids, right. I wasn't taught this very much growing up, but I know parents today, who were friends of mine and teaching their kids, that they have bodily autonomy, the kid should be able to express consent when receiving a hug or a pinch on the cheek, that they can have a boundary, and that where that boundary is, and how to express that safely.

- Got it. Okay. So again, just kind of, for the folks listening, I just wanted to kind of give this the example there. So cause, you know, I understand the concept of consent, and now like having a practical example is good to kind of frame it. So. Go ahead.

- I was going to say I could offer a second one, that's more sort of tangible for tech community, if you want?

- Sure. Go ahead.

- Consent to information sharing. Right. Whether that's with an ad company that's like doing, you know, a tracking pixel on your phone or your browser, you didn't really consent to that. Maybe your consent was co-opted, because you couldn't use the website for your bank without it. Or, you know, doxing online is clearly a violation of consent about where your information is shared.

- Got it. So there you go. There's a lesson today from the ancient and powerful Open-source dragon, Aeva Black. So again, let's continue on your journey and, you know, kind of, kind of get sick of doing the OpenStack thing, kind of wanna know, like where, where we, how we got to the next phase?

- Okay. So, so some burn-out happened. I think I was wearing four hats at HP at that time. IBM offered me what sounded like a sweet gig, go re-tool a bunch of their infrastructure to use OpenStack. Then they scrapped the whole product six months after I joined, and then I jumped into a start-up, Canadian-based cloud hosting company, running OpenStack for folks all over the world, mostly small service providers, telecoms. And did that for about two years, and then needed a real break from tech, some stuff happening in my life made that timing pretty good. And then things kind of took a turn for, for, I won't say the worst. I'll say the more challenging, took me about two years to get back into tech. Still doing Open-source, but not OpenStack anymore.

- Got it. And so I kind of want to try to understand that, you know, again, it's, you know, you burnt-out and you were like, look, there's things that are happening with me, but I, you know, want to finally kind of address, you know, so, and that's probably like a really bad, like phrasing for it, but you know what I mean. Like talk to me about like, look there, there's some things that like are not allowing me to be my true self.

- Yeah. So it's, a difficult space to talk about sometimes, because there are, we, we feel expectations, we feel pressure from other people to behave or look, or be a certain way. And as the VP of a company, functionally a CTO, like my job was flying around and talking to customers, representing our tech, managing the engineering staff. My teams were great, but our customers weren't in the US, they were in very different cultures, where it would have been hard enough to be just a woman in that role, and even harder in that role to come out and transition.

- Right.

- And my community here in Seattle was, is, has been mostly fantastic and amazing. They'll try super hard, even when they're like, "I'm not sure what pronouns should I use, how should I address you?" They're trying, but I can't say the same for the whole world. So I needed to find a role that was a little closer to home and more supportive, and Kubernetes is as it's part of, part of that, coming back to tech for me, everyone here has been amazing.

- That's again, it's some of the inclusion, inclusive aspect of what we do in this community. That's what I love about it. And it's also like making the world aware of these types of things like pronouns. Like I said, I've had, when I had Holden on, you know, we talked about that. Right. And it's just like, yeah, I want to get your pronouns right. Yeah I, I want to make a conscious effort to say, "Is it, you know is it they?" Is it, you know, for somebody is it the she, is it he, you know, is it, they? I want people to understand how to do that as well, because like, I've, you know, I didn't know this coming in. Like, I didn't know like how this works, and, and it's just, it's, it's being respectful of somebody, and being respectful of where, you know, where they are and what they, what they, what they've accomplished, and you know, where they, where they want to be with themselves? So I, I think that's just, you know, I, I applaud you for that you know.

- Thanks

- You know, in general,

- [Narrator] CIVO is an alternative to the big hyper-scale cloud providers. They've launched the world's first managed Kubernetes service, powered exclusively by K3s, with sub-90 second cluster launch times, a simplified Kubernetes experience and predictable billing. CIVO is on a mission to create a better developer experience. Get $250 free credit to get started. Sign up today at civocloud.com/popcast. That's civocloud.com/popcast. Go check them out.

- [Narrator] What if you could build like big tech? Use the same powerful infrastructure that they spent engineering centuries building. It's actually possible now with CockroachDB. The founders have spent the last eight years creating a cloud native distributed SQL database that provides the consistency, ultra-resilience, data locality and massive scale for modern cloud applications. Tech that was once only available to the likes of Google, Facebook, and Netflix. Check them out and get started for free at cockroachlabs.com/popcast. That's cockroachlabs.com/popcast. Check them out.

- So let's continue down our tech journey, cause you know, we right.

- Sounds good

- So, so you're like, look, you know, we went to this Canadian kind of a company and they're like, look, I kind of want to do something else, I kind of want to, you know, you, you know, talk to me like you'd had that burn-out and they're like, okay, I'm going to go ahead and read, read all these different, like ancient texts in, in languages, I'm going to kind of get through this step, because it, to me, if I'm looking at this, like as as an outsider kind of looking in, it's like, you really want it to kind of just re-set and go, you know, and kind of just understand your brain more in general to go to this, like yeah, you know what, these are things I want to do with my life. And now I, you know, I'm going to do the things that I want to do. Right?

- I've been really fortunate to have a couple, a couple of breaks from tech, right after my first, after my first job, is when I took like a three year break and studied the Dharma and all of that. And then I guess that was like 2002. Around 2010, I took another break. I had a really sweet consulting gig, that didn't take a lot of time. And I got to do that another year and a half studying the Dharma and my bills were taken care of. And then I was burned-out after like seven, eight years of nothing but work. And so I guess that was 2018, had the space to finally go to DEF CON, like I've been going to Burning Man for years and that's sort of my reason for never making it to DEF CON. They're always too close together. And I made it to DEF CON and met a bunch of awesome folks there, super welcoming and great and smart and now we're good friends. And finally stopped, like stopped putting off admitting that I'd been working in security for a long time. So yeah.

- So, okay. So, so that brings us to the, you know, the Open-source hacker job at Azure, office of the CTO, right.

- Yeah.

- And that's where we are now. So tell me about like what you do there now?

- Try to make Open-source more secure. Gently nudge products, teams or Open-source projects, or support folks who have ideas that I think will help the ecosystem. I'm kind of having my fingers in a bunch of different places right now, trying to figure all this out and actually have a talk coming up at the Supply Chain Security Conference on this, on the survey of the landscape, because so much work is happening across the industry. It's too much for anybody to be involved in all of it. Hopefully by giving folks a sort of an overview, I can help anyone navigate to where they can find the most value given the amount of time they can put in.

- So we'll have a link to that. This'll probably air after KubeCon. And so we'll have a link to the software supply chain. And again, you're talking, there's a bunch of talks, which brings me to my next question. Software supply chain is probably the hottest topic everywhere. I mean, you know, it's like a lot of, you know, we know us, we know like some folks from like Google and know some people at Microsoft, everyone's, you know, we're in the, you know, the reference architecture talks for a tech securities. We talk about this all the time. You did a great presentation on like GitBOM and stuff like that. So talk to me about how does one protect themselves from it, you know, have us, you know, what are some things they can do to have a, a secure software supply chain?

- Oh gosh, I wish I had an easy answer. Everyone right now wishes they had an easy answer. And frankly, there isn't one right now. I know companies are going to, you know, call it my crystal ball, people are going to try and sell the easy answer to this, because everybody needs an answer, right. The Biden executive order kind of mandated that we have an answer to this by next year. So everyone's in a rush to get there. I think GitBOM closes a really critical piece of that information gap to allow a user, or consumer of Open-source, to understand in detail the entire tree of dependencies. Everything that went into the document they downloaded, or the executable they downloaded, or you know, whatever Python package they just installed, that Python package has dependencies, and they have dependencies and they have dependencies. And right now none of the tools are really good at walking that whole tree. Some tools do and, and tools are getting better, and I don't know all of them, but that's sort of the angle I'm taking. How do we make that easier for everybody?

- [Announcer] Check out 'What the F is Cloud Native?' virtual conference, November 4th. Join container solutions to see how people, processes and tech make for successful Cloud Native journeys. Check it out.

- [Narrator] This month's Popcast sponsor is StormForge. StormForge's Kubernetes performance testing and optimization platform is the easiest way to ensure your applications behave the way you want them to, while cutting out unnecessary resources and time spent manually tuning. In alignment with this, StormForge is asking for your help reducing the amount of unused cloud resources, making both a financial and environmental impact in the world today. We want you to help make that impact with us. So visit https://stormforge.io/popcast. That's stormforge.io/popcast to learn more about how you can help erase cloud waste and take the cloud waste pledge. While you're there, try out the free tier, the machine-learning-backed service, to start saving resources and getting better performance today.

- And so, you know, one of the things too is, you know, you're also obviously a couple of things as you're in the OSI, it's the Open-source initiative, right?

- Yup

- And so talk to me a little bit about, just for the listeners out there, like what's, what is that, and you know, how they, how to get involved there?

- Yeah. So the Open-source Initiative is the 501(c) non-profit that stewards the definition of what is open-source as a legal term, both for copyright law and for trademark and patent law. What is Open-source? What is not Open-source? And so there are 10 principles that define, for any given software license, if it meets these 10 principles, it can be considered an Open-source license. And then part of what the OSI board does is review licenses, when folks propose them, say, "Hey, we'd like this to become an approved, or an OSI approved license that says, yes, stamp, that's Open-source." There's a body that, that actually reviews those proposals to approve or deny them.

- Got it. How long have you been involved in that? And like...

- Just joined.

- Just joined?

- Yeah I like just joined.

- Is this go back to your like, like, like ethics kind of, you know, this is where you kind of wanted to do more from that perspective or?

- A little bit yeah. I mean maybe, maybe you've, you've seen some Twitter chatter on ethics and Open-source. That, that conversation has been happening for a while and I've been chatting and trying to get in with folks, and I've been, I've been around a couple of different open-source foundations, probably since I joined OpenStack. Around that time. So close to 10 years now. But I've actually been, like, directly involved in one as of a month ago. So don't ask me too many questions, like I'm, I'm new. Figuring my way around on the board, and what all we're doing.

- [Announcer] Learn how to operationalize open policy agent at scale with Styra. To get started, go to the link at https://hubs.ly/h0pnkm20

- [Announcer] Teleport allows engineers and security professionals to unify access for SSH servers, Kubernetes clusters, web applications, and databases across all environments. You can download Teleport right now at goteleport.com. That's goteleport.com/popcast

- So we'll do like a follow up a year from now. And we'll talk about like, we'll just do it on that. Okay, cool. So we've already lined up another guest. That's how I operate. All right. So, okay. Let's talk about C-cubed, or Confidential Computing Consortium. Can you like talk to me about that? Cause that's how I kind of, I knew of you on Twitter, we've interacted, but that's where I was like, "Wow, Aeva is awesome." Like this is where, like, I always thought you were awesome, but just seeing you in action, I was like, that is so cool. So let's talk about that.

- Did you come to the, you did come to the Confidential Computing Developer Summit C two DS that I hosted?

- Hm

- Yeah. So that was, that was my first time, like putting on an entire conference. It was so much fun. So the, the consortium overall is dedicated to building industry collaboration and Open-source around the protection of data integrity, data confidentiality, and code integrity. Those are the three key properties of confidential computing, and doing that in a way that is based on or rooted in hardware, that differentiates it from homomorphic encryption, which is all software based. But this is, it's like the next level from using a TPM. Like the Keylime project uses TPMs to build a root of trust for identity management. It's like the next level of that, actually run all your workload inside an isolated environment that the host has no access to.

- Got it. How does one to get involved with this?

- The foundation or like using the the tech?

- Either this is for everybody to know how to get involved with these different things.

- If you want to get involved with the Confidential Computing Consortium, we have a Slack instance, a bunch of mailing lists, kind of like the CNCF, it's managed a little differently, but in principle it's the same. It's another Linux Foundation sub-project. So come on over, join. We'd love to have more folks. In terms of the tech, there's, there isn't a single central product like Kubernetes in the CNCF. There's I think we're at eight. I think we're at eight, might be like six right now, of projects that are part of that foundation, 'Open Enclave', 'Veracruz', 'Occlum', a couple of, a bunch of others. And so if you want to help, you know, use the code or write some code to jump in the projects, they're all gonna have a different way to contribute. I can't tell you like where to find their Slacks, but.

- So we'll have links to the main sites and the main ways to get it in interact, with these various things. Before I ask my last question, how does somebody find out more about you? Do you have like a website or whatever? That's kind of like the shamelessly plug, which we'll also have in the liner notes of the episode, but.

- Well, we have, you know, a brochure website, like my, my virtual business card, aeva.online. Again, never let me name things.

- It's great. So let me ask you the last question here. What work are you most proud of, Aeva?

- Ooh. Ooh. There's a lot of things that I, I've done that I feel like a good sense of accomplishment for. And I, I think today it still is 'Ironic', knowing that that has helped universities, and non-profits like CERN Particle Accelerator in Europe, or cancer research centers at universities in the US and Australia, like do really good science for the world with, with, with like a much lower budget, because education is so underfunded these days. I've had folks come up to me at conferences and be like, "We've got all this hardware that was donated to our university and we couldn't use it because it needed, you know, a whole bunch of staff to fix it and run it and manage it, and then we found 'Ironic' and now like three grad students are running this huge cluster doing cancer research." Like my heart just is so happy with that.

- Incredible. Well, my heart is so happy to have had you on the show after so many months of us talking and, and being pals and stuff like that. So I appreciate you being on the show, Aeva Black.

- Thanks so much for having me, Dan