In this episode of Open at Intel with host Katherine Druckman, Defense Unicorn’s Sarah Christoff, who is also lead maintainer of the open source project Porter, discusses her experiences as an open source project maintainer. In the course of their chat, Christoff emphasizes the importance of showing up and making connections within the community and talks about the challenges of being a maintainer, such as not knowing what resources are available and how to prove the adoption and worthiness of a project. She also highlights the value of mentors and forming alliances to get things done and discusses her projects, Porter, and Zarf—which was recently donated to the OpenSSF—and how they address real problems in the developer community. The interview wraps up with Christoff sharing her passion for animal rescue and the importance of community in both open source and animal rescue work.
“As I've become a more senior engineer, I've realized that the best engineers around me, devoid of gender, are quiet and they listen. I've had senior engineers and mentors who aren't grumpy, terse individuals spreading hot takes everywhere, but they listen to the problems and know when to talk. That's a thing I'm still learning…when to let someone let it out and rubber duck you, but also when to step in and be a guiding light—not dictate which direction we should go, but guide that.”— Sarah Christoff
Katherine Druckman: Hey Sarah, thank you for joining me. I won't go into too much about who you are because I want you to introduce yourself, but I will say this, we were introduced because we have a mutual interest in maintainers, open source maintainers, the life of a maintainer, and how it can sometimes be difficult and lead to burnout. I want to talk about what you think about that and how we might address it. But first, I would love it if you could tell us about who you are and what you do in the open source world.
Sarah Christoff: I'm Sarah Christoff. In the open source world, right now I'm the lead maintainer of a project called Porter. You can check that out at Porter.sh—always have to plug your projects, right? I'm currently an interim lead and the app delivery tag. In three months, I will be the actual tech lead, but now we're doing trials. Instead of having someone on app delivery tag, you do a trial first to see if it's what you want, and then you can go full time. For my job, I lead a project called Zarf that was donated to the OpenSSF, a project focusing on air-gapped Kubernetes deployments.
Challenges of Being an Open Source Maintainer
Katherine Druckman: Fabulous. I'm excited to share that. I want to know more about both Porter and Zarf. I should mention in the interest of full disclosure, that I am currently the co-chair of the Marketing Advisory Council for the OpenSSF and by extension, the DevRel group. I'm interested in and biased toward OpenSSF projects, and I'd love to hear more about them. I want to hear your thoughts about your experiences as an open source project maintainer. What's the maintainer life like, and where do you find the most frustration?
Sarah Christoff: The hardest part is not knowing what resources you have. That's something that's learned over time. The more you are known as a person in the community, the more resources are handed to you, whereas if you're a lesser-known person, you have to climb your way up to find those names, to figure out what resources you have, who you can talk to, who are your people that you go to? Jorge at the CNCF was someone who's an icon, right?
Katherine Druckman: Yes. Everybody loves Jorge because he's impressive.
Sarah Christoff: He's amazing. When I became a maintainer, that was a time when I felt pretty isolated. I was thrown into maintainerhood and all alone. I had to run with it. So CNCF knew of me, I knew of them, but we didn't know each other until you go to a KubeCon, and you put a name to a face and you're able to make those good connections. That's been the hardest part. Then the second hardest part, which is every maintainer's problem, is figuring out how to get more maintainers or contributors or steady flow. There are a lot of ebbs and flows that come with projects, especially mine, and figuring out how to deal with those down periods, realizing that in the next three to six months you'll have more contributions, more maintainers than you could wish for, but then again, life happens, and you'll lose a lot of that.
The Human Element in Software Development
Katherine Druckman: Yes, this goes back to something I love to talk about: the human element of software development and engineering. We think in terms of technology, but with technical problems and technical solutions, there's humanity to it. There's a social aspect, which is weird because we're nerds. It's who we are. There's this human element that's under-emphasized. We focus so much on the technology, getting the product out the door, fixing bugs, and everything you need to do for software or infrastructure. There is a sense of isolation, and you need to make those human connections to build your community and your group of people who will help you solve those problems. Tell me about the experience once you made those human connections. How did that help?
Sarah Christoff: For Porter, we were in a state where we needed more maintainers and more help, and I needed to know what it was like to be a maintainer. I became a maintainer one day, on a Monday, and that was it. I was able to go to people within the CNCF, once I knew who they were, and say, hey, you know, whether it's office politics, whether I'm having trouble getting contributors, or trying to understand how to get to the next stage and go from sandbox to incubation…not to throw the sandbox to incubation pipeline under the bus. It is something you have to figure out. There are a couple of docs everywhere.
Luckily, I had people like Amy and Jorge come in and say, I can offer you this program we're trying. I can offer you people to come to your booth. I can offer you a couple of different things. Would this help? Also having those faces that are higher up in the CNCF to say if you're dealing with these types of political issues, we'll come in and we'll help navigate that because I'm a lowly engineer, so I don't manage a lot of the “he said, she said” arguments. A lot of it was around how to prove that your project is getting adoption. How do you prove that your project is worthy to stay within the CNCF and needs more resourcing behind it, and prove that to large corporations that might be adopting that project?
Advice for Aspiring Maintainers
Katherine Druckman: Yes, that's interesting. You say, “lowly developer,” but I don’t think that’s a thing. Developers make the world go around. I love to quote Jorge, by the way, on this one. He specifically says the Linux kernel, but if open source software went away, in the words of Jorge Castro, the next day there would be zombies. And I agree with him. Because we all depend on this stuff. It's important. What advice would you have for somebody who is a lone developer, we’ll say?
You're working on whatever problem you're solving. You've got a project, a fledgling project. How do you get from there to navigating this whole space? I mean in the vaguest sense, but that is how it is. It's this vast and sort of confusing ecosystem. And, like you mentioned, you need a mentor, which is hard to scale. What advice would you have for somebody in your previous position to make those connections and form those alliances that are going to help you get stuff done?
Sarah Christoff: Something that I was told early on in open source, that I sometimes forget, is that you just need to show up. So as much as I was striving at coding, worrying about my project's health around features, and responding to the community, I was doing that pretty much solo. And because of that, that created that isolation factor. No one knew about it because I was spending a hundred percent of my energy on the project and not building the community. Once I started going to TAGs, to SIGs, when you go to Kubernetes Days and even your local Gopher meetup, or whatever your local meetup is…once I started getting out there, I started making those connections. That's when I could ask, can you help me? What do you think about this? I'm having problems with this. How I started my career was I thought Kubernetes was a funny word, a long time ago. It still is.
Katherine Druckman: It is still a funny word.
Sarah Christoff: I was like, what is this wacky thing? I was a tech support agent, so all I knew was WordPress hosting. And, I was like, what is this wacky thing? I ended up going to the Kubernetes Austin meetup and meeting my mentor there and making friends there. To be transparent, I had horrid social anxiety. Before and after meetups, I would cry because I had to talk to people, which is valid. Because of that, I got better with my social anxiety. I also made career-long friends who advocated for me, helped me with Git and how to get rebased, still to this day, and were there for my projects.
Katherine Druckman: That's great. All of that is good advice…that showing up is half the battle. And I would also emphasize, that it doesn't mean you have to travel, go to big events, or spend a lot of money. It means joining calls, sometimes there are easier paths to that. Let's talk about your projects. I would like to hear more about Porter in particular. Let's discuss Porter first because the impression I have is Porter itself is trying to address some hurdles we face as developers.
The Porter Project
Sarah Christoff: Right, I always announced Porter as not a sexy project, but it solves a real problem that mature companies or even startups have, which is you start to collect all these DevOps tools. I have my Terraform, Ansible, and Docker, and then maybe I have Kubernetes or Nomad, and then I'm deploying my actual application onto those schedulers. Gluing all of these pieces together is usually done through a collection of Bash and Python scripts and random things I have laying around.
Katherine Druckman: Poorly documented shell scripts.
Sarah Christoff: Right. Exactly. There's some stuff in one password somewhere that we have to find. And it’s hard. It’s hard for people to maintain. But it's also hard to bring in and onboard new developers into a system that has dispersed information everywhere. What Porter does is it acts as a wrapper for your entire system lifecycle. It runs Terraform and Terraform plan takes the outputs of that and passes it into whatever you want to do next. It takes the weavings of these outputs between applications to set up that system and sets up to wherever you want to deploy your application.
It also does things like it ties into Vault, so it'll pull a credential from Vault, or an Azure LAN as your key base. I used to be an Azure person. But it'll tie into those types of Vault-esque services, pull those credentials down, use them just-in-time, and then throw them away. You don't have to worry about where these credentials are or how to work in the inputs and outputs or parameters of your system. It's supposed to help be the glue that isn't Bash.
Katherine Druckman: That's great. Solving the important but unsexy problems is possibly more important than solving all the ones that get all the attention and the glitter, as I like to say.
The Zarf Project
Katherine Druckman: Tell me about your new OpenSSF donated project.
Sarah Christoff: Right. Zarf comes from Defense Unicorns, which is a DOD contractor that takes money from the government to fund these open source projects to help everyone solve these problems. People wanted an artifact of what they deployed into Kubernetes clusters. This is what it should look like. Here's the state of the world to try and get everything plus the app working together. Similar to Porter in that Porter has an artifact, but in this one, it's focused on air-gapped Kubernetes, which is a huge problem in that space where you need that network connectivity to do any Docker pools. Having everything there in an artifact isolated where you don't need to download anything, was helpful. We're making it so the government can use open source without having to worry about security issues.
Katherine Druckman: That's always a good thing. It is funny you mentioned air-gapped environments. If you're deeply embedded in the security world, you think about things like that, but developers and people in our general orbit don't think about those things necessarily, right? We make assumptions that the entire world is connected, and that is not always the case. That's an interesting problem to solve.
Sarah Christoff: I assume this is also outside the DOD space, in places like Intel or the Microsofts of the world, there are places where there is no connectivity for security reasons. I'm not a security professional, so I'm going to put that out there, but I know that there are reasons why we want nothing to come in from the internet, and this is a way to modernize those areas without having to go through a whole lengthy process of trying to get internet access.
The Importance of Community in Open Source
Katherine Druckman: I wanted to talk about what attracted you to go all in and get involved in open source communities and projects. Open source people are unique in the world. I'd love to know what draws you in, makes you double down and maintain a project, and be that responsible human who keeps the world going.
Sarah Christoff: An effective way to say it is so many of these amazing maintainers and people in the community helped me early on, so I feel like I should give back, right? There are the Karen Chus, there's the Kelseys, there's all of these people, iconic people, Michelles of the world. When I was a lowly tech support person, having women in tech that were iconic was empowering for me. I've told Bridget a million and one times that having seen her and being able to work with her was a dream of mine because she introduced me to Armon and to Mitchell when I worked at HashiCorp. She introduced me to them and said, they're normal people. You could talk to them, and she pulled me out of the HashiConf.
These people, I want to be like them. They're my role models. I want to be the woman in tech who takes the person who's a tech support agent or got their first systems engineering job and introduces them to the scary CTOs and CEOs. Armon and Mitchell are not scary at all by the way, but they were at that time to me and opened those opportunities. I was lucky and my entire career is like that. When I met Nicole Hubbard at the Kubernetes meetup, she worked in open source and was iconic for me because of how much she knew, but also how much time and patience she gave to me to mentor me to learn about Kubernetes and networking.
Women in Tech and Role Models
Katherine Druckman: That's great. At the end of the day, we're all people. Mmm, there are a few who maybe aren't, but for the most part, we’re all pretty much the same. But what you said about finding women in tech who are your role models, to me that's important. You have to see yourself sometimes and the people who you want to emulate. But when I was getting started, there weren't a lot of tech icons who looked like me. They were mostly guys, and they were great. They're great, brilliant people who were leading interesting projects, but they weren't like me. They were different, and it took me a while to take my place, it that makes sense, or to feel like I should take my place, or to take a seat.
I gave a presentation at SCaLE this year, and it was talking about getting up the courage to grab a microphone because it was specifically about podcasting. But a lot of it was as a woman feeling a sense of responsibility to grab the mic. Most tech podcasts, a lot of most presenters at tech conferences, are not women. I think that we need to hear more women's voices. And so that's why I felt, even though it wasn't necessarily a me thing, I didn't identify as…what is a podcaster, anyway? A long time ago I was in tech publishing and to me that was something that the guys I worked with did, and there's nothing wrong with that. They did great work, but anyway, it didn't seem like a me thing, and at one point, I said, “Wait a second, somebody's got to do it. Somebody's got to do it, so why shouldn't it be me? And I'll put my voice out there and hope it goes okay.” But part of that was a sense of responsibility because...
Sarah Christoff: Because there should be more people like us and that don't look like us, but that go on stage and present if they want to. There should be more content that is driven by and geared toward women and diverse individuals in tech. As a tech support engineer, before I believed that women in tech existed, there was me on a floor for tech support and it was all dudes. I would go down to the engineering floor, and most of that was dudes, too. I wanted to be, when I grew up, like this 50-year-old, pretty grumpy and terse sys admin, I was like, that's it. That's the goal.
Katherine Druckman: That's a worthy goal.
Sarah Christoff: As I've become a more senior engineer, I've realized that the best engineers around me, devoid of gender, are quiet and they listen. I've had senior engineers and mentors who aren't grumpy terse individuals spreading hot takes everywhere, but they listen to the problems and know when to talk. That's a thing I'm still learning…is when to let someone let it out and rubber duck you, but also when to step in and be a guiding light—not dictate which direction we should go, but guide that.
I think that's such a cool thing that I've seen. One of the first most prominent women in tech at HashiCorp for me was Megan Marsh, and she was always, that... She watched, she watched and listened, and then she would act. As a junior engineer at that time, I was just actions and anxiety, as are most juniors, so it was amazing to look up to her and see what I wanted to become once I left the tech support job and went to a software engineering company.
Katherine Druckman: Wow. That's pretty astute. Yes, I agree. It is much smarter to pause, listen, absorb, and not be first to talk. You do need to have that awareness. I'm glad you mentioned it because it's not necessarily something I think about and it's not necessarily something I practice. I am aware of it though, and I wish I practiced it better.
Sarah Christoff: It is hard.
Katherine Druckman: There are downsides to being the person who grabs the microphone, right? You think, “I've got to talk.” It's pressure. I can do that. Silence is not allowed. Anyway, tell me what else you've got going on. Are you going to be giving any talks any time soon by any chance that you might want to plug?
Sarah Christoff: I will be. That's such a great question. I know exactly where they are, and I know exactly when I'm giving them. It will be Community Over Code, which is by the Apache Software Foundation, and that will be October 7th in Denver and also—
Katherine Druckman: Okay. Yes.
Sarah Christoff: First time speaking, super excited. I also will be at SOSS Fusion because of Zarf’s donation. We will be going to the OpenSSF conf and then KubeCon. If you want to check out Porter, Porter will have a booth and hopefully some awesome talks and tutorials, but it's up to the KubeCons. But we will be there with a booth with awesome glittery stickers and a bunch of maintainers. It's going to be cool.
Katherine Druckman: I can't wait to talk to them. I will also be at KubeCon. I will not be at the Apache event because I will be at the Grace Hopper celebration.
Sarah Christoff: I thought that was happening then.
Katherine Druckman: It's happening the next day across the country, unfortunately.
Sarah Christoff: Is it not in Houston? I thought they were always in Texas.
Katherine Druckman: It's in Philadelphia, Grace Hopper. It was. I can't remember where we were, it moves around. It's in Philadelphia this year. I hope to be at SOSS Fusion, so we'll see. But, yes, I hope people will check out your talks, if not in person, then online later. I did want to ask two more things.
Sarah Christoff: Yes?
Animal Rescue and Community Building
Katherine Druckman: One, would you like to tell us about animal rescue? Two, is there anything that you wish I had asked and didn't that you would like to talk about?
Sarah Christoff: The second one was much harder than the first one. Yeah, I can talk about Boop. I've always had a huge passion for animals and was opinionated as I talked about listening and guiding. This is the other side of me, opinionated on animal training and how I thought things should be done. To back up my notions and opinions, this is how most animal rescues are started, I found out, was someone had a rough time fostering or was not happy with how the animal welfare community as a whole was running and they decided they were going to make a difference. It is very hard to run an animal rescue.
Katherine Druckman: I can imagine.
Sarah Christoff: I went in, and we were going to do the one dog or animal at a time, rehabilitate, and train. The hardest part, I think, is once you announce yourself as a rescue, you will get inundated with emails, and it is the saddest emails that you have ever seen. There was a time when I was at the vet with one of our Boop dogs, I forget who it was, and as I was at the vet, I get this sad email. It said we found this white pit bull puppy. She's three months old. She was covered in makeup. She's emaciated, and if you don't get here to get her today, by the end of the day, she's going to have to get put down. Not to shade rescues or welfare leagues that put down animals. I understand. It is rough out there. It isn't because the dog isn't good enough. Most people don't want to put down dogs. We are doing the best we can with the funds we have, and it's tight and it's rough, and you're trying to make the most impact. As I drove 14 hours, I sent the photo to my rescue partner and she said, go get that dog. I drove 14 hours to Amarillo, Texas to pick up this dog. I arrived at maybe 10:00 PM. It was the roughest case I've ever seen because she was incredibly emaciated, and you could see she was a white Pitbull colored brown from all the makeup they put on her. I was so mad. She's fine now. I should have started the story with that. Keely is totally fine.
Katherine Druckman: She had a happy ending.
Sarah Christoff: Yes.
Katherine Druckman: That's important with animal stories because otherwise, I'll cry. Okay.
Sarah Christoff: Because you were getting ready. No, Keely is totally fine. One of the great things about Boop was that we focused on trying to give the best care imaginable. Her back femurs were twisted, and she was like a pocket pit bull. She's forty pounds, but Keely doesn't care that her back legs are twisted. She does not notice that. She probably has pain. We were giving her pain shots and medicine to try and help with that. Keely herself, this dog would jump four feet up in the air, and I was so stressed. She ended up getting adopted by a family with another pit bull and a baby, and she runs through the snow and she's happy. She didn't need any surgery on her femurs because it was going to be too hard for her, and she's adapted her own way, and we kept her in physical therapy, but she is fine.
But one thing, to tie it back to the community, is building a dog rescue is all about a community because you can’t do this alone. It is so stressful. You need people to come help you with social media. You need those volunteers, which is similar to the open source community. We're all volunteers, and you need to not be alone because there is so much stress and mental load. I was super lucky to find one of my best friends and a lot of amazing people through building a rescue, and especially when I was new to Colorado, make these friends that I think, through what we've been through, are lifelong.
Katherine Druckman: Yes, that's great. I love that it had a successful conclusion, and I agree with the community aspect.
Sarah Christoff: Yes.
Katherine Druckman: Cool.
Sarah’s Hot Take on Open Source
Sarah Christoff: The last one.
Katherine Druckman: Yes, is there anything else you wanted to mention?
Sarah Christoff: That's a great question. How much time do you have?
Katherine Druckman: As much as you need.
Sarah Christoff: Okay, here’s a hot take that's probably been talked about, but I haven’t heard. On NPR or CPR, Colorado Public Radio, a couple of weeks ago when the XZ attack happened, people started talking about open source software. It was everywhere. This attack happened because someone became a maintainer over time, slowly, and that's how they got them. They talked about reverting from open source to closed source. If you kept everything internal, would this have happened? This is my hot take. The reason this was found was because it was open source.
Katherine Druckman: Yes, absolutely.
Sarah Christoff: I feel like it was talked about a lot, and I've not been on the right channels, but—
Katherine Druckman: There has been a lot. XZ created a lot of content and opinions, yes.
Sarah Christoff: The power of the community has shown someone who likes software, who wanted to dig into this problem, and found it before it got bad. Because there are so many people, open source fosters this community of discovery and curiosity and just vibes, hopefully, good most of the time, but sometimes not so good. Because it fosters that, we are more powerful together, and I think that's the biggest thing. When I felt isolated or alone on Porter, I wasn't putting out great code. I wasn't even probably being nice to people, I'll be honest. But once I went to KubeCon and I saw the community, and I saw the people, and I remembered why we did this, or I started going to the TAGs and I started going to the SIGs, and I saw the other people, that was energizing. I was super happy to go work with my friends who were nice and cool.
Katherine Druckman: I agree, and I agree with what you said about people who love software. I think the person who discovered the XZ hack was a Microsoft engineer, but regardless of whether it's your job or not, it takes a certain type of tenacity to dig in and figure out something very small and something barely noticeable, like, what's this funny, little delay? It takes a passion to dig down and figure out what the problem is. It has nothing to do with whether you're doing your job, or not. It does take a certain type of appreciation for the process. It's a natural curiosity about things you want to uncover, and that's exactly why open source software is awesome.
Sarah Christoff: Right. We drive curiosity.
Katherine Druckman: Thank you so much. This has been wonderful. I've enjoyed this. I'd love to talk again perhaps in the fishbowl at KubeCon.
Sarah Christoff: Yes.
Katherine Druckman: You've been listening to Open at Intel. Be sure to check out more from the Open at Intel podcast at Open.intel.com/podcast and @OpenAtIntel on X. We hope you join us again next time to geek out about open source.
Guest:
Sarah Christoff is a software engineer at Defense Unicorns who loves making complex code more digestible. She is the self-proclaimed founder of the Leslie Lamport fan club. When she's not bug busting, she is running her animal rescue and competing in triathlons. She believes code should be like cats: intelligent, fluffy, and easy to take care of.
About the Host:
Katherine Druckman, an Intel open source security evangelist, hosts the podcasts Open at Intel, Reality 2.0, and FLOSS Weekly. A security and privacy advocate, software engineer, and former digital director of Linux Journal, she's a long-time champion of open source and open standards. She is a software engineer and content creator with over a decade of experience in engineering, content strategy, product management, user experience, and technology evangelism.