The Modern .NET Show

S08E07 - Hayden Barnes on .NET NES: Why We Need a New Approach to Open Source Maintenance


Episode Summary

Hayden Barnes, from HeroDevs, discussed the company’s approach to providing support for various programming frameworks and runtimes, including .NET. He explained that HeroDevs focuses primarily on .NET because it is the show’s niche, but they are rapidly expanding their services to include other technologies such as Angular, Spring, and Apache projects.

Barnes emphasized that open-source software often relies on volunteer developers who work on their own time, which can lead to a lack of understanding from enterprises about the effort and resources required to maintain these projects. He argued that companies need to recognize the value of these contributions and provide fair compensation for the developers’ work.

The conversation turned to the issue of end-of-life software vulnerabilities, where outdated or unsupported technology poses a security risk. Barnes highlighted the importance of having someone like HeroDevs who can provide support for these issues, as enterprises often lack the expertise or resources to patch their own systems. He encouraged listeners to reach out to HeroDevs if they need help with such situations.

HeroDevs has a unique approach to providing “Never Ending Support” (NES) for .NET and other technologies. Barnes discussed how the company’s customers drive their focus areas, and he highlighted some of the popular projects and frameworks that HeroDevs supports. He also emphasized the importance of finding a reliable partner like HeroDevs when dealing with end-of-life software issues.

Episode Transcription

There’s a good chance it’s not gonna flag for you that, you know, your point of sale system is on .NET 6 and is now vulnerable, you know. So to a certain extent, companies often aren’t even aware, and this is something I’ve learned being in this space. They’re not aware. If they are aware, they know they need to upgrade. They’re not sure, you know, when they’re gonna find the resources, the time, the capital to upgrade.

- Hayden Barnes

Hey everyone, and welcome back to The Modern .NET Show; the premier .NET podcast, focusing entirely on the knowledge, tools, and frameworks that all .NET developers should have in their toolbox. I’m your host Jamie Taylor, bringing you conversations with the brightest minds in the .NET ecosystem.

Today, we’re joined by Hayden Barnes to talk about HeroDevs and their Never Ending Support offering; a service where HeroDevs backport security fixes from later versions of dependencies, allowing companies to hold off on upgrading their important dependencies until they are ready to.

In some cases we simply hire the upstream developer or the upstream development team and they can continue to work on new features and the latest versions while maintaining the post-EOL versions and backporting those security updates. In some cases, we hire that library maintainer on contract.

- Hayden Barnes

Along the way, we talked about how the release schedule for .NET (one year per major release, with rolling support for up to 36 months) is a little too agile for some enterprise companies, and how HeroDevs can help. We also talked about how, where possible, HeroDevs actually hires the open source maintainers for packages to do the backporting, feeding funding back into the open source ecosystem.

We also mentioned that this support doesn’t just apply to post-end-of-life for versioned software. We also talk about the very unfortunate position where a developer is suddenly unable to support their work. An example that I bring up is previous guest on the show Jon P Smith, who in 2024 was diagnosed with dementia; meaning that at some point his libraries will need to be passed on to other open source developers. During the recording, I couldn’t remember Jon’s name, and for that I apologise. Jon has a very in-depth blog post about the start of his journey with dementia called “How to update a NuGet library once the author isn’t available.” Please go read his blog post when you have the chance.

So let’s sit back, open up a terminal, type in dotnet new podcast and we’ll dive into the core of Modern .NET.

Jamie : Hayden, welcome to the show. It’s been a long time since we last chatted in person. For everyone’s benefit, we’re recording this late August. And the last time that I had a chance to talk to Hayden in person was March. So it’s been a while. How are you doing?

Hayden : It’s been a minute. It’s been a minute. Thanks so much for having me. I’m doing well. How are you?

Jamie : Yeah, I’m good, thanks. I’m good. We’re at the end of summer. Over here in England, we’ve had our requisite five minutes of summer, so it’s now raining, and it will continue to rain until this time next year when we have our five minutes of summer. And that’s about it really.

Hayden : Very nice, very nice.

Jamie : So we are going to be talking about what you and the rest of the team over at HeroDevs do, but before we do that, I figured let’s learn a little bit about Hayden, right? Because you have a very interesting journey. You were telling me a little bit about it last time we were chatting together. So I’d be super interested if you’re able to talk a little bit about that.

Hayden : Well, tech is second, maybe technically a third career for me. Prior to moving full-time into tech, I was actually a practising attorney. Was always a hobbyist programmer. Taught myself Linux, I think when I was thirteen, you know, back when we used to buy Linux distros in boxes from stores. You know, that came with all nine CDs. And interestingly, not doing well in traditional computer science courses, I never considered CS, computer science, as a potential career option. But there I was with my law practice, and I was writing software to automate and improve my law practice processes. One of my favourite tools: our local county used a legacy IBM mainframe that required you to Telnet in over a Java 2 applet, and instead I wrote a web front end so I could check the status of my cases without, you know, jumping through all those hoops. But I did some other tooling, and what was fascinating is at the time I was on a Mac because I loved the combination of being able to use Word, more mainstream software, but still be able to get access to the command line, which I still love and prefer for most of my tasks.

And then Apple released the MacBook Pro with the butterfly keyboard. And the kinesthetic feeling of technology is something that matters a lot to me. Like how a phone feels in my hand, how a keyboard feels, and I could not stand the butterfly keyboard. So I asked around, did some research, and the ThinkPad had really good reviews. Gave it a try. Put Ubuntu on it. Worked great out of the box. But I still needed to run some of that mainstream software. So I put Windows on it and I tried out this new thing that had just come out called Windows Subsystem for Linux, WSL. I was instantly hooked. And I was like, “this is perfect. I can run my mainstream apps and have access to my familiar command line tool chains, and you know programs, and development workflows and those kinds of things.” And that’s where I was doing a lot of the work. Developing programs then for initially my law office and then other law offices.

And then over time I started to connect with other individuals in the WSL space. You know, I could go on, but eventually a small community formed and WSL got very popular. WSL2 came out and it became the backbone for a lot of development on Windows; everything from Visual Studio Code to Docker, all leverage WSL now. Along the way, before the major distros were really paying attention to WSL and optimizing for WSL, members of that community, we were sharing hacks, you know, to make WSL 1 great. Get things like Docker running and GUI before we got WSLg and things like that. And we combined a lot of those hacks into a Debian-based derivative distro called Pengwin, with a W. Put it on the Microsoft Store and asked ten bucks for it. And we’ll come back to this. I talk a lot about open source sustainability and kind of how I think we need to get back to the idea of users paying for software, even open source software. Particularly if we want the things that we want, not just what enterprise wants.

But I said, you know, “we’ll ask ten bucks, we’ll offer support. I’m like 300 people will buy this.” And within months we had sold thousands of copies. And Microsoft invited me to build the sizzle reel for the new Windows Terminal, which dropped that year, featured Pengwin in the drop-down box, which was awesome. And we started picking up enterprise clients. And eventually I just wound down my law practice and went full time on Pengwin. After that, I got picked up by Canonical. Some of us went to Canonical to work on Ubuntu and WSL and really grow it out. A few folks stayed and still drive Pengwin. I passed on the BDFL title to Carlos. And then yeah, that kind of started my career in tech.

I worked at Canonical for a couple of years, then transitioned, kind of went from working on WSL, which was Linux on Windows, to then Windows containers on Linux at Rancher, the Kubernetes distribution, which was bought by SUSE. And then I did a stint in AI. And now I’m back to open source.

Jamie : Wow. That is an incredibly varied background. For sure. I’d be very interested to dive into the AI stuff, but we’ll leave that for now because that can get… my experience of AI discussions, they get very detailed very quickly.

Hayden : The AI tool that I led developer advocacy for was very cool. It is still available. It is still open source. We were acquired by HPE. HPE has gone in a different direction, but you can still use it. But the ability to scale AI training to tens of thousands of GPUs from a single web interface, dropping in some boilerplate Python, was very awesome. And knowing that it runs on Cray supercomputers was a kick. But yeah, being able to see the AI research and development up close was awesome. It makes me appreciate all the AI stuff I get now, you know, through GitHub Copilot.

Jamie : Yeah, yeah. So essentially, right, it’s your fault, right, that I can go to ChatGPT and it’ll draw me an image of a panda eating bamboo.

Hayden : Yeah, there’s several models being trained using either Determined AI or one of the core components that it was based on, for sure. AI conferences 18 months ago, two years ago, were a trip.

Jamie : I can imagine, yeah, before all of the snake oil people got involved, right?

Hayden : I mean, they’re still happening, right? Like the breakthroughs. But for a brief period there, and it was weird ‘cause like I was looking at this job opportunity, I’m like, “I’m not super into AI, but I have a feeling this open source AI thing’s about to take off,” and may it.

But there was this brief period there where it was just I want to say like between GPT 2 and 3 era, you know, if we’re gonna use that as a fence post. Then we got, you know, small language models and the number of models and types of models just exploded and there was a new one every week.

Jamie : And most of the open ones are, shall we say, doing a little bit better in those synthetic benchmarks than the closed source ones, right?

Hayden : Yeah. I have a lot of fun with the Phi series models from Microsoft. Mostly because a few of them are small enough to actually just embed in an application. You know, enable some internal AI within the application. It’s an exciting, exciting time.

Jamie : Absolutely, absolutely.

So let’s talk about some of the things that we’re here to talk about: HeroDevs, right? Because I can talk. Okay, so I can’t talk. I’m willing to listen to and I’m happy to listen to anyone talk about AI all day long. And I absolutely love the small language models because they’re super targeted and can do one thing very well. It’s what I call, and I know that a lot of people miss this reference, the Charles Emerson Winchester III way of thinking: “I do one thing at a time. I do it very well and then I move on.” That’s the kind of small language models. I love those. I’m working on trying to get one or two of them running on my phone actually, because that would be really cool.

But yes, so we’re gonna talk a little bit about HeroDevs and specifically something that y’all are offering to .NET folks. But I know that it extends a little bit out of that. So I wonder if you can speak to that a little.

Hayden : Yeah. HeroDevs is an open source software security company, and we approach open source software security by providing drop-in replacements for post-end-of-life open source software: things like AngularJS, Vue, Bootstrap, Node, and now .NET.

What we realize is that there are a fair number of users, you know, mostly at the enterprise or organizational level, that are resource constrained in terms of migrating large production technical stacks. And you know, that often comes with time to budget, allocate headcount. It could come with downtime. We effectively serve as a life raft that enables them to continue operating on their current tech stack with a high degree of security. You know, CVEs will be patched in an SLA and new updates are made available.

And what I liked about HeroDevs, which I learned before I joined, is that HeroDevs actually takes a range of approaches to how it relates to the upstream projects. So in some cases, we simply hire the upstream developer or the upstream development team, and they can continue to work on new features and the latest versions, while maintaining the post-EOL versions and backporting those security updates. In some cases, we hire that library maintainer on contract. We occasionally partner with third-party companies who have expertise in a particular open source software and we add that to our catalog.

But we make it a… it is a top priority that we contribute back to open source. For example, we recently announced a $20 million open source sustainability fund, which you can still apply to because we want to close that gap and ensure the long-term sustainability of open source, down to those libraries that one person maintains in a basement, but everyone relies on.

Jamie : Yeah, just like the there’s that wonderful XKCD, right, of all of the Jenga blocks or something, and it’s like all of your infrastructure. And then there’s one block that everything’s hanging on, which is like and then there’s an arrow pointing to it and it says, “supported by one dude in his basement in Nebraska,” right?

Hayden : Yep, exactly. That’s what we’re trying to solve, while at the same time helping enterprise and large organizations stay secure while they carry out, you know, their kind of life cycle management, their internal development, which frankly often exceeds what upstream open source project support windows provide for.

HeroDevs definitely got its start in the web front-end framework space. So Angular, Bootstrap, Vue, but as we’ve added more and more to our catalog and grown as a company, we have begun kind of moving down the stack. And that initially occurred in the Java ecosystem with Spring, but there has been notable demand for .NET, not just from front-end, but into systems level, you know, end-user facing applications powered by .NET, and .NET 6 had just gone end of life.

So I joined HeroDevs and we’ve built a .NET team here at HeroDevs with expertise in .NET and had some collaboration with Microsoft. You know, informally. And what we’ve done is effectively forked .NET 6 at the last releases of the runtime, the SDK, ASP.NET, components like Entity Framework, and others, and we proactively look for CVEs that may be reported on .NET 8 or .NET 9, you know, see if they apply to .NET 6. If they do, we backport those fixes. We also actively seek out our own vulnerabilities in .NET 6 and patch those, and we’ve got bug bounties. So if other folks find vulnerabilities, we partner with HackerOne to host those and identify those.

So we are actively building a secure drop-in replacement for .NET 6 with all of the critical CVEs that we’ve identified, or that have been identified in upstream, patched and… you know, we have all the various certifications that an enterprise company, maybe one that’s in a regulated industry or that does business with the government, would expect to have, you know, FedRAMP certification, SOC 2. We check all the boxes so that those companies can pass their audits.

Jamie : Just to put that in real terms then, so like I said earlier on, we’re recording this tail end of August 2025. And I’m looking at the .NET release lifecycle right now on my screen. And .NET 6 went out of support in November of 2024. So, you know, you guys have been presumably supporting .NET 6 for some of, if not all of that, almost a whole year for everybody who’s been using it, right? So everybody who’s obviously paying y’all to use it, right?

So what I’m getting at is that, you know, at this point in 2025 we’re around the corner from .NET 10 being released, .NET 6 is out of support. You guys are trying to help with that transition period, right? Let’s say I’m a big enterprise, I’ve got, you know, 200 apps running very different versions of .NET. And now if I don’t contact you guys and get, I guess, help from you guys, I’ve got to put loads of different extra security hardening around those apps to ensure that those CVEs that I know about, and maybe I don’t know about them all, because if you’ve all been digging into the code and looking at the relevant CVEs and patching them for your version, I’m left vulnerable. So I’m having to put lots of extra security hardening and investing in lots and lots of stuff around my app to make it so that the infrastructure around it is secure, to try and stop those CVEs, right? Which I feel like is a little bit more labour intensive and a little bit more financially intensive than getting in touch with you all and saying, “hey, can I have that .NET 6 with all the latest updates, please?”

Hayden : Yeah. Well, just everything you’ve said is a lot more than a lot of enterprise organizations do.

A fair number of enterprise organizations are very reactive, and instead of being proactive, they will only migrate when some sort of internal compliance tool and policy, you know, someone in the CISO office or the open source program office, says, “you have to migrate now.” That can happen inside SCA tools.

But if you, you know, you mentioned you work in an enterprise company and there’s 200 plus .NET apps, which is not uncommon. You know, if you have a point of sale app running on you know Windows 10 IoT tablets you’ve deployed, maybe you have some sort of endpoint management tool on that. There’s a good chance it’s not going to flag for you that you know, your point of sale system is on .NET 6 and is now vulnerable. You know, so to a certain extent, companies often aren’t even aware.

And this is something I’ve learned being in this space. They’re not aware. If they are aware, they know they need to upgrade. They’re not sure, you know, when they’re going to find the resources, the time, the capital to upgrade. You know, they haven’t found us yet. And thankfully, there are some enterprise organizations that have teams that are kind of dedicated to rooting these out and identifying not just what gets picked up in scanners, but a holistic picture of their entire tech stack. And those are the companies that are very proactive. We hear from them a lot ‘cause they’re like, “oh you’ve got .NET, we’ve got .NET problems.” You know, “oh you also have Angular? Yeah, we need Angular. We need this and that.”

You know, they come to us for a number of our solutions. While they plan their migrations, which on an enterprise timescale, you often build an application, you want it to run for 10 years. I mean you just do. And with the current .NET lifecycle at three years for LTS releases. That’s where .NET NES—.NET Never Ending Support—from HeroDevs, you know, falls in place.

We’ve got it for .NET 6 and then .NET 8 will be rolling out here soon. You know, so customers who are even facing that .NET EOL will be able to go ahead and transition to our version of .NET 8, which will get the same in-support patches as upstream until it goes EOL, and then they can just continue on ours, going forward after that point. So we’re here just to take that stress, that burden off. But it does seem to be unique to particular companies who take proactive approaches.

Jamie : Yeah, I think a lot of software devs, software engineers, coders, whichever word you want to use, when they first get into the industry, a lot of folks don’t realize just how long-lived the code that you write is. You know, how long it’s gonna last. There was something that Richard Campbell once said to me—so Richard Campbell’s one of the guys behind .NET Rocks—and he said, “code which exists is infinitely more valuable than anything in your head.” So therefore, the big bang rewrite that you want is likely never gonna happen, because the code that exists already is already making money. Taking that code out of production and replacing it with something else is infinitely more risky than keeping the code which already exists around.

And, you know, I remember, I want to say five years ago, six years ago, I was listening to… Oh gosh, I want to say it was either a .NET Rocks, or like a Syntax FM, or a Stack Overflow podcast or something like that, where one of the hosts was saying at that time they were assuming that within the next five years all of the React apps that they had written would be rewritten in order to be able to be ported to the latest version. And the other person that they were talking to was saying, “no, that’s never gonna happen. Because, you know, it already exists and it’s making you money.”

And so the difficult bit, I guess, from… okay, so let me dial back and just talk through my thought process here, right? When we are at college, or when we’re in an educational track, right, we are told, “write this code, get it to the point where you pass this class, pass this exam, pass this whatever, and then that code never has to exist ever again.” And that’s how we’re taught, right? That’s how we go through that educational system, whether that’s like a traditional brick and mortar college, whether that’s a remote thing, whether that’s a coding boot camp, whether that’s watching someone on YouTube and following along. We almost never get taught from day one those important things about, “this code’s gonna live forever.” And if you don’t believe me, folks, go look at how the banking industry works and go look at how social security works, right? That’s code that was written in the 70s, maybe even the 60s, that still lives now.

Hayden : Yeah. Yeah.

Jamie : And so replacing the code that’s already running is never gonna happen, but keeping the infrastructure and the software around it is gonna happen. And it has to happen. And I wonder whether we’re entering… so how do I put it? In cybersecurity there’s this idea of shadow IT, right? Someone who’s not in the IT group or the development group or whatever has installed something on their computer, or has written—more than likely copy pasted a macro from some website or other—that is just running on their machine that’s helping them out. But it hasn’t gone through vetting or security or whatever. And then one day something in that macro flips and then it starts spreading out viruses and all that kind of nonsense.

But that’s a very clearly defined area of security. And although keeping things up to date is a very clearly defined area of security, I feel like there’s this gap between, “we’re running on the latest and greatest,” and, “we’re not running on the latest and greatest but we have no idea what we’re running.” Or, “we have the idea of what we’re running, but we have no way of actually upgrading it.” And that’s just kind of scary to me, right?

Hayden : Yeah, it is. One of the things we did at HeroDevs, we recently acquired a company called ZEOL, Z-E-O-L, which was an end-of-life scanning tool. And we are basically going to be democratizing that and opening that up, making an API and the tool available to allow enterprise organizations to identify EOL software, or software that’s approaching EOL, in their tech stacks. And then we’re collaborating with endpoint management tools, SCA tools. We’ve even opened discussions with Trivy, which is a popular open source scanning tool, about incorporating some of that data into their scanning tools just to increase the awareness. Because, yeah, you have enterprises that have no idea and then enterprises that have an idea but need a plan; and the ones who find us at HeroDevs are usually very happy. And you know, it also depends on the product.

Sometimes it’s specific products too. Like Product A, customers may just need a year to upgrade. Like it’s not that hard, but it’s hard enough, you know? So you see churn on those licenses because they only needed a year.

And then we have other products, open source projects that we support. And those companies, you know, we provide licensing for up to three years. They buy a three year license. They’re like, “three year license, and when can we buy another three years?” Like they’re just never moving off that. “It works. It works. We’re not gonna touch it. It works. We’re in healthcare. We’re in insurance. We’re in finance. You know, we’ve got so much business with the federal government. We’re impacted by, you know, these EU regulations,” or there’s fairly stringent compliance requirements for enterprise organizations, particularly in the APAC region.

And yeah, I mean, with us they could drop that in. And then not only do they get the security updates, they get the letter of attestation, so they can pass their various compliance. They have intellectual property indemnity, not unlike what you get… That was a big thing that Red Hat offered initially for Red Hat Enterprise Linux, was to indemnify customers against IP claims. So you know you’re safe using our software against IP claims.

And yet we aim to provide that valuable service while at the same time, you know, we do things like sponsor the OpenJS Foundation and collaborate and give back. In fact, we have an internal incentive structure just for employees of the company to contribute back to open source software ourselves individually. So it’s, you know, woven into the fabric of the company, which I really like.

Jamie : Yeah. So that to me is really, really cool, because like the thought that I had was: what if I am a company that has bought some software in the past, or maybe I paid some intermediary, some agency or some other company to build me some software in the past. And then I’m hearing grumblings about, “well, I was told it was built with .NET.” I’m gonna make something up here, right? “I was told it was built with .NET, or it was built with JavaScript, or it was built with… I have a laundry list of technologies that were used. I don’t understand what they are, but now I’m hearing grumblings about apps getting hacked or them being insecure,” right? I don’t have developers. I could hire a developer to migrate to the latest version, but I don’t know what I’m doing and I don’t know who I need to hire. But like you said, right, if I can just buy the support of, just give me the latest version of the installer for the thing and just keep it running because my business needs to keep running, right? I dislike the name, but like the software that I use has become the lynchpin of my business. If the software goes down, I don’t have a business.

Hayden : Yeah. I mean you think of like the travel industry and their mainframes that are still primarily programmed in COBOL. And nothing’s gonna change there because the system works. Yeah. And it enables you to, you know, on two or three different worldwide providers on these mainframes, you know, you can book a plane ticket, a rental car, and a cruise and link them all. And that can’t have any downtime. Like it’s just never gonna change. They may containerize it, you know, you may get additional redundancy and things like that, but even if you, you know, want to move your, let’s say, .NET 6… Let’s say you want to migrate it from Windows to Linux, you know, put it in a Docker container. I mean that’s all laudable and good, but there may still be barriers migrating to .NET, you know, or .NET 10. You may have dependency on libraries that, you know, haven’t been updated for 8 or 10. You may have licensed proprietary libraries that also haven’t been updated, or you don’t want to re-license because it just works as is.

So even in the containerization space, we provide .NET 6 containers as well. So even if you’re on some modernization path, you know, you can’t do it all at the same time. Like it’s great you’re containerizing, you know, or moving to the cloud, but some of that software, that airline booking software, is still gonna be in COBOL; that .NET 6 microservice you wrote for converting PDFs for the company is still gonna be in .NET 6 for the foreseeable future. Let’s secure it, you know, because .NET 6 has unpatched, you know, privilege escalation vulnerabilities that are just existing in the wild right now. And you know, you don’t want to be the CISO at that company, you know, where that happens.

Jamie : Absolutely.

Hayden : You know, data gets exfiltrated, you know, that’s not a good look.

Jamie : We’re also, unfortunately, to get a little grisly, we’re at a point where the majority of software devs who started in the .NET ecosystem, in the Node.js ecosystem, when that kind of really sort of took off… We’re getting to a point where the developers of those packages are handing those packages off to other people or just stopping development on them; because, for want of a better phrase, they are reaching end of life, right?

I remember not so long back, I’m blanking on the person’s name and I feel really horrid for it. But I remember reading a blog post by a .NET dev saying, “I’m preparing all of my NuGet packages to hand off for someone else to take over because I’m not going to be around for very much longer.” Right. And I’m… the chuckle there wasn’t because of the unfortunate situation that person finds themselves in, but like that’s the new reality, right?

And so like you said, “we may not be able to migrate to the later version of .NET because we’re pinned to this version, or we’re pinned to this version of Node, or we’re pinned to this version of Angular or React or all of these.” By the way, listener, these are all products that HeroDevs support, right? “We’re pinned to these versions of these dependencies because our third party dependencies cannot be upgraded. Because it’s been archived, it’s been end of life, it’s been handed over.”

So it’s not just the underlying runtime and the underlying frameworks that you’re using, it’s those third party packages, right? And so there might be people listening going, “well, just invest the time to migrate.” But if the packages you require for your very specific instance, business logic, whatever, cannot be upgraded, your app is not going to get upgraded, which means you need that runtime, that framework to stay on that version, but get all of the security updates, right?

Hayden : Yeah. And I’m sure there’s many listeners who are familiar with the economics of enterprise software life cycles, but there may be some who aren’t. But these competing priorities of compliance, you know, you may, like I’ve previously mentioned, have a CISO office or an open source program office that enforces some sort of policy to remediate certain vulnerabilities or keep software up to date. But then you also have these engineering managers and in some cases CTOs and other IT decision makers who have a budget, and they have a budget of headcount and they have a budget of money and they have a backlog of demands from leadership that they have to fulfil. They have the pressure of that compliance policy. They have so much money, so many people, and they’re gonna sit down and do the math.

Literally, in many cases, do the math on, “okay, we have 10 core business applications running on .NET 6. It’s been EOL. We need to maintain compliance, but I also need to ship these three new features, or products, or tools that leadership has requested. I have this many, you know, internal engineers, I can contract out this much.” And then they sit down and they’re like, “okay, to migrate those 10 services. It’s gonna cost us two million dollars.” And that might sound insane to people, but you know, when you look at the headcount and, sometimes, the contracting that occurs, and the opportunity cost, that is a reasonable number for that number of projects, depending on the complexity.

And then they can contact HeroDevs and, based on the number of developers they have and the number of endpoints that .NET 6 is running on, they can just license that drop-in and they can migrate in an afternoon. In some cases, I don’t even think you need a restart. You just install. And that problem is solved for a fraction of what that initial migration cost. And then all of a sudden you freed up all that headcount, all that budget, and you can balance, you know, you can say, “okay, we’re gonna keep it on six. Let’s keep it on six for two years and aim for ten. Meanwhile, I can, you know, have this headcount work on this issue. I can have this budget I have for contracting handle this. I can tackle these projects for leadership.” That’s just what happens. And that’s in addition to those apps you just can’t touch.

Jamie : Yeah, and for folks who are listening who have not been through that process, there is a practice in application security that my friend Tanya Janca introduced me to, which is like weighing up the cost-benefit analysis of bringing someone in to upgrade everything versus “what is this worth when we get attacked?” which kind of alludes to what you were talking about there; about the economics of upgrading versus buying support, right?

And it is a case of, “how do we keep this running?” hopefully in a situation, like you were saying, where we don’t even have to reboot, we just install this thing and it just keeps going. We don’t have to worry about it, right? And oh, there’s an update. Okay, we’ll install the next version. And it just keeps running. And I think that’s a super important thing that I feel like folks really need to know about: you will get to a point in your programming career where you are locked to an out-of-support version of a thing, right? And you need to be prepared. And to be prepared, you need to talk to Hayden.

Hayden : Yeah. You know, in addition to having a lot of fun with Linux and Windows and cross-platform development and, you know, particularly with .NET, which is, I just love cross-platform development with .NET, particularly with AI and the ONNX Runtime, and we could go on. I’m also a huge Unix nerd. And yeah, I talked to a potential customer this past week who still had IRIX workstations, servers powering important business logic. I mean old, like SGI systems. And it was cool to nerd out about it, you know, but you will encounter some of these systems that they’ve worked and no one has touched and they’re old, and the best thing they can do is air gap them, you know, because there’s not a lot else that they can do.

But yeah, I’ve certainly worked at bigger tech companies, been on the company intranet and seen links and URLs and logos for companies that were acquired, you know, ten plus years ago. But that company’s Active Directory management portal is still in use, even though that company doesn’t exist anymore. It’s like, “oh, we just use that one now.” And it’s like, “cool, I remember them from the 90s.”

Jamie : Yeah, it’s a crazy situation to be in.

So because I did a bad job of asking this and mentioning it properly, right? We’ve been talking specifically about the .NET support that you guys have. But you also support a number of other technologies past their end of life, which I’d love to ask you about in a minute. But you also, like, I just want to go back and just reiterate that you’ll support open source projects too. Right. You had said earlier on about being able to be in a position where you can hire one of the maintainers of some open source projects either directly or on a contract basis to keep the older versions supported, right?

And that is super important because someone somewhere is locked to version two of something, right, for some reason. And they can’t get the stability updates or the security updates. And so I just want to take a moment, and I know obviously people are going to be saying, “but this is cause you know Hayden,” but seriously, the work that you all are doing over at HeroDevs to support the open source developers who are usually working in their off hours on a passion project to try and get something out the door, and are receiving bug reports from users, and then on top of that they’re having to triage, and then release new versions, and then go into work the next day and work on completely different things. So you guys being able to offer some support in monetary terms to those open source developers is absolutely amazing, and really goes back to that point that you were making earlier about, “maybe we should pay for software still, even if it’s open source. Maybe we should all just pay for open source software”. And I agree with you completely, and I will let you speak in a minute, Hayden, but I just wanna get on my soapbox a minute because I remember my friend Zac saying that, “the enterprise realized about 15 years ago that we don’t actually have to write all of the software. We can just get people to do it in their own time and then glue all of those bits together,” which essentially is what open source became. It wasn’t what it started as, but it’s what it became. And I think we need to move away from that.

Hayden : Yeah. Of course supporting upstream and those individual contributors is huge. And we have a very flexible approach to how we contribute back, either to the communities, to partners, to individual contributors.

But yeah, I’m a firm believer that we should pay for open source because enterprise does pay for open source. And while they in some cases do get some free ride benefit from adopting open source, they’re still paying Canonical, they’re paying Red Hat, they’re paying HeroDevs. And at a meta level, enterprise gets what they want from paying for open source. They get their priorities at the top of the list for, you know, open source projects because they fund them. And as developers, pro-users, administrators, the tools that we use in our day-to-day, in our personal workflows that are open source, if we want our priorities to matter, we’ve got to be willing to pay.

So the HeroDevs approach is one part of the open source sustainability challenge. You know, GitHub Sponsors is one part of solving the open source sustainability challenge. The HeroDevs open source sustainability fund is one part of it. It’s going to take multiple different approaches to ensure the long-term sustainability of the open source software we all [use]. And, you know, I’m excited we’re part of it at HeroDevs in the way that we are, you know, and tackling it the most ethical way we can, which is to take money from enterprise organizations who can’t migrate and give it to developers. And support communities, and help fund future development.

But yeah, like in my day-to-day life, you know, there are open source software programs on the Microsoft Store. Some of those are just copy-paste jobs from some third party, but some of them are sponsored by the upstream project. So I think Krita is one of them. It’s the KDE image editing app; they’re in the Microsoft Store. I mean, you can go download Krita for Windows for free, but on the store I think it’s like 10-20 bucks. But if you go look at their financial disclosures, they’re able to, like, fund a full-time developer based on just sales from the store. How many hobby open source projects would love to be able to fund an open source project? And it’s just by a couple thousand people pitching in 10, 20 bucks. Like, it’s not hard. You know?

Yeah, I think I submitted a bug report on it one time because I was like, “this needs to support Apple Live Photos or photos taken on iPads and iPhones and things like that.” And yeah, I mean, they fixed it. They got support, they got it done. So I think there is a place for open source and free software to be a fun voluntary hobby activity. And I think that is great. And the people who want to keep it like that, that’s an opinion. I also think there is a place for indie open source development. And if you’re going to write for enterprise, go get GitHub Enterprise. It’s good money, but if you want to write for pro users and developers, and you write something good, pro users and developers need to pay for that.

Jamie : A hundred percent.

And like you said, it doesn’t cost a lot, right? What’s ten bucks? That’s two coffees? Maybe, you know, if you go to one of those places that does all of the fancy schmancy stuff. So if you’re getting yourself a blended coffee drink, I don’t wanna say any copyrighted names just in case; but if you’re getting yourself two blended coffee drinks a month or even a week, two blended coffee drinks a week, that’s enough money, that if, you know, a thousand people do it, that’s enough money to support an open source project of their choosing.

And especially, and I’m gonna get back on my soapbox again, but especially with things like when log4j happened. I don’t even need to say the event that happened with log4j, but when log4j happened and there were enterprises reaching out to the devs behind log4j saying, “you have to.” You can Google this, folks. The messages they received were, “you have to fix my system. For free. We expect this to be fixed in the next hour, two hours,” right? And these are primarily open source developers working on their own time on what is essentially a passion project. They got picked up by a bunch of enterprises that then became enterprise standard software, right? And that’s just not fair.

Hayden : No. No. And those companies probably have internal policy about patching, you know, high severity or critical CVEs. They just don’t understand that that log4j developer doesn’t work for you. You didn’t hire her to do that. You know? So you either need to do that, do it. Or work with a partner like HeroDevs that does patch things like that, you know, and then has whatever, you know, various arrangements with the upstream project to ensure that no one is left out.

But yeah, I saw some of those messages and I’m like, “I’m glad these companies have compliance policies. I don’t think the people enforcing them understand what they really need to do here.” Yeah.

Jamie : Yeah. And the worst part about it all was that there was a patched version already. They just hadn’t upgraded, right? It’s the same with the Equifax hack, right? It’s you haven’t updated your stuff. Get it updated. Or indeed, if you can’t update, go see Hayden and his folks, right?

Hayden : Or just unplug the server for a minute.

Jamie : Unplug the server. Wrap it in concrete and throw it into the ocean. That’s what you need.

Hayden : Right.

Jamie : Don’t do that.


You know that moment when a technical concept finally clicks? That's what we're all about here at The Modern .NET Show.

We can stay independent thanks to listeners like you. If you've learned something valuable from the show, please consider joining our Patreon or BuyMeACoffee. You'll find links in the show notes.

We're a listener supported and (at times) ad supported production. So every bit of support that you can give makes a difference.

Thank you.


Jamie : So I kind of railroaded right over the top of you there and made it a “Jamie soapbox moment” and I stopped you from being able to tell all of the people all about all the different frameworks and runtimes that you are supporting. Because there are quite a few, right? It’s not just .NET. We have focused on .NET primarily because that’s what the show is about. But like there are other things that y’all support, right?

Hayden : Yes. It’s rapidly expanding. We introduce new products every quarter. Angular and AngularJS are, by far, some of the most popular. Spring, Struts, Bootstrap, Vue 2. Node is a relatively recent addition in the last few months, but we have partnered with the Node project. And we’re on the Node website, on their page, in their deprecation notices, “if you still need support for this deprecated version, go to HeroDevs”. That’s an example of one of the partnerships we have. But you know, we’re going further, what we call down the trunk, you know, down the stack.

So Spring, which is very much Java stretch as well, but we’re picking up a fair number of Apache projects. Things like Apache Spark, Tapestry, Tomcat is a big one. I actually think Tomcat was how 4chan got taken down recently.

Jamie : It was, yeah.

Hayden : Don’t quote me on that, but I think it was part of the stack that I read about on Hacker News. But Postgres is another one.

So we’re building our catalog, starting with those front end and that expertise in, you know, the JavaScript ecosystem, building out our knowledge in Python, in .NET, in Java, and more systems-level tooling, the Rails, PHP. Almost all of the products that we’ve launched have been requested by customers. That is a huge driver of the areas we choose to focus on. So we actually have a process where we get these requests from customers, many existing customers. We have a very cool logo page, like every company does, of who our customers are. And you know, we scope it and we say, “yeah, we can do that. And you know we have expertise.” And then part of my job is, you know, to ensure that there’s a partnership in place. Or if there’s not a partnership in place to provide that, we find the engineer who’s in charge of it, or we hire an engineer to take it over. So that’s the fun part of my job.

But you know, generally speaking, if there’s anything in open source where you’re facing down like an EOL deadline or, you know, a piece of EOL software that’s vulnerable that your company or organization needs patched, come talk to us. Like, even if we don’t necessarily have the solution right away, we want to hear from you and if there’s enough demand, you know, we’ll launch it.

Jamie : That sounds awesome. Yeah, because like, if I have, like you said, if I have an app that’s running on some old out-of-support runtime or some out-of-support framework or whatever, and I have no ability to upgrade. Someone out there must know how to do it and you guys seem to be the people to turn to. So yeah, go check out HeroDevs, folks.

Hayden : Thank you.

Jamie : Amazing.

Hayden, we are rapidly running out of time and I have really enjoyed our conversation today, and I feel like I have an open source person to talk to, or rather, someone who has similar opinions on open source and people getting paid, that I can talk to, in you, if you don’t mind me saying so. And I feel like I could speak to you about this for hours. But I know you’re a busy person, I’m a busy person, the people who are listening are busy people.

So I wonder, as we start to wrap up, I wonder could you let the folks know how best to find out about what HeroDevs are doing? Maybe if they want to get in touch with you or just follow you on socials, if you’re on socials, and just say, “hey, Hayden, I heard you on the show. Can you, you know, I’ve got a great idea.” And also, what’s the best way to get in touch for, “I need support for this end of life thing.” I’ve asked you loads of stuff there, but hopefully that’s not too much.

Hayden : Yeah, not at all. HeroDevs is herodevs.com. You can also find us on all the socials. Twitter, LinkedIn. We’ve got some very hilarious YouTube content. The marketing team does a great job. We have a spoof of Between Two Ferns called Between Two Servers, if you’re familiar with Zach Galifianakis, I guess.

You can find me. I’m fairly active on Twitter. I am @unixTerminal. You can also find me on LinkedIn. I’ll accept your request to connect as long as I don’t immediately get a sales request for your B2B SaaS after I get it. But happy to connect there as well. And I have a blog. I haven’t blogged recently, but I’ll mention it, boxofcables.dev, where I’ve got some interesting stuff folks might be interested in reading up on, some think pieces, some hacks. Gotta get some new stuff up there here soon. Would love to know what people are thinking about.

But yeah, you can reach me on the socials. And then you can also just drop me an email. I am hbarnes{at}herodevs{dot}com.

Jamie : Amazing, amazing.

I’ll make sure that all of those links are in the show notes so no one has to dive over their dashboard to get their notepad and scribble things down, just press through onto the show notes; when you’ve pulled over, don’t do it while you’re driving. When you’ve pulled over, push through into the show notes and every single link that we talked about today will be listed there; do check those out.

Hayden, like I said earlier on, I’ve had a wonderful time chatting with you today. I feel like I have a much better understanding of some of the problems out there with relying on effectively free labour for open source, and we need to change that. So, thank you very much.

Hayden : Thank you.

Wrapping Up

Thank you for listening to this episode of The Modern .NET Show with me, Jamie Taylor. I’d like to thank this episode’s guest for graciously sharing their time, expertise, and knowledge.

Be sure to check out the show notes for a bunch of links to some of the stuff that we covered, and full transcription of the interview. The show notes, as always, can be found at the podcast's website, and there will be a link directly to them in your podcatcher.

And don’t forget to spread the word, leave a rating or review on your podcatcher of choice—head over to dotnetcore.show/review for ways to do that—reach out via our contact page, or join our discord server at dotnetcore.show/discord—all of which are linked in the show notes.

But above all, I hope you have a fantastic rest of your day, and I hope that I’ll see you again, next time for more .NET goodness.

I will see you again real soon. See you later folks.
