Open source low-code platform • New projects:, remor-raw, Hybrid-Net • XZ backdoor shows risks of supply chain attacks • Linux Foundation announces an open source successor to Redis

Welcome to a new edition of Open Pioneers - your weekly update from the forefront of open source. Today, we talk about:

  • Appsmith, an open source low-code platform

  • New open source projects, including an open source alternative to Mixpanel, copy & paste React components for building dashboards, and real-time audio source separation

  • XZ backdoor shows risks of open source supply chain attacks

  • Linux Foundation announces Valkey, an open source successor to Redis

Since last week, we have welcomed 35 new Open Pioneers. 👋 If you like this week's post, it would make my day if you would share it with a friend or colleague.

🔍 Spotlight: Appsmith


Appsmith is an open source low-code platform that enables developers to quickly build and deploy internal tools, dashboards, and workflows. It provides a user-friendly interface and a wide range of pre-built widgets and integrations, allowing developers to focus on the core functionality of their applications rather than spending time on repetitive UI development.

Key features include:

  • Drag-and-Drop UI builder: Appsmith offers a visual interface that allows developers to easily create custom user interfaces by dragging and dropping pre-built widgets, such as tables, forms, charts, and more.

  • Seamless data integrations: Appsmith supports a variety of data sources, including databases, APIs, and cloud services, making it easy to connect and display data within the application.

  • Automation and workflows: Appsmith enables the creation of complex workflows and automations, allowing users to automate repetitive tasks and streamline business processes.

  • Responsive and mobile-friendly: Appsmith-built applications are designed to be responsive and mobile-friendly, ensuring a consistent user experience across different devices.

  • Open source: Appsmith is distributed under the Apache 2.0 license, allowing developers to self-host the platform and customize it to their specific needs.

Appsmith has gained significant traction in the developer community, with over 30,000 stars on GitHub and a growing user base. The platform is particularly popular among developers building internal tools, as it helps them save time and resources by providing a robust and flexible low-code solution.

Learn more about Appsmith: Website | GitHub | Twitter

🔥 New open source projects started last week

🚨 XZ backdoor shows risks of supply chain attacks

On March 29, 2024, a backdoor was discovered in the widely used open source compression library XZ Utils (versions 5.6.0 and 5.6.1, tracked as CVE-2024-3094). The backdoor was inserted by a contributor using the name "Jia Tan" (GitHub handle "JiaT75"), who had gained maintainer access to the XZ project over the course of about two years through a sustained social engineering campaign against its single volunteer maintainer.

The backdoor targeted OpenSSH servers rather than compression itself: on distributions whose sshd links against libsystemd, and thereby loads liblzma, the malicious code hooked OpenSSL's RSA_public_decrypt function inside sshd so that an attacker holding a specific private key could execute commands before authentication. Red Hat rated it CVSS 10.0, the highest severity. Fortunately, the compromised releases had only reached rolling and pre-release distributions such as Fedora Rawhide, Debian testing and unstable, and openSUSE Tumbleweed; the stable releases of Red Hat Enterprise Linux, SUSE Linux Enterprise, Amazon Linux, and Ubuntu had not picked them up, which limited the impact.

This incident shows the risks of supply chain attacks, where malicious code can be inserted into widely used open source components by someone who has earned commit rights. The payload was hidden well: its obfuscated stages were stored as supposedly corrupt test files in the repository, and the build script that unpacked them lived only in the release tarballs, not in the git tree, so anyone auditing the source on GitHub saw nothing wrong. Experts widely assess this as a sophisticated, likely nation-state level operation that could have had massive consequences had it not been caught early by Andres Freund, a Microsoft engineer, who noticed that ssh logins on a Debian sid system were consuming unusually high CPU time and traced the slowdown to liblzma.
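Because the hooked build macro in the xz 5.6.x tarballs (m4/build-to-host.m4) existed only in the release archives and not in git, one concrete check a consumer can run is to diff a release tarball against an export of the tagged source tree and flag files that were added or changed on the way to the archive. The script below is an added example written for this newsletter, not code from the xz project or from any distribution; the two trees it compares are constructed in memory with placeholder contents, and the list of files an autotools release is expected to add is an assumption that a real check would replace with the project's own list.

```python
# Added example (not from the newsletter or the xz project): compare a release
# tarball against an export of the tagged source tree, as a supply-chain check.
import hashlib
import io
import tarfile

# Files an autotools release legitimately adds on top of the git tree.
# Assumption for this example; a real check would use the project's own list.
EXPECTED_GENERATED = {"configure", "Makefile.in", "aclocal.m4", "config.h.in"}


def build_tar(files, top="project-1.0"):
    """Build an in-memory .tar.gz from {relative_path: bytes} (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(f"{top}/{name}")
            info.size = len(data)
            info.mtime = 0  # fixed timestamp so the archive is reproducible
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def member_digests(tar_bytes):
    """Map each regular file (top-level directory stripped) to its SHA-256."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            name = member.name.split("/", 1)[1] if "/" in member.name else member.name
            data = tf.extractfile(member).read()
            digests[name] = hashlib.sha256(data).hexdigest()
    return digests


def compare_release(release_tar, vcs_tar, expected_generated=EXPECTED_GENERATED):
    """Report how the release tarball differs from the VCS export of the same tag."""
    rel, vcs = member_digests(release_tar), member_digests(vcs_tar)
    only_release = set(rel) - set(vcs)
    return {
        # same path, different content: a build script or source edited post-tag
        "modified": sorted(n for n in rel.keys() & vcs.keys() if rel[n] != vcs[n]),
        "only_in_vcs": sorted(set(vcs) - set(rel)),
        # generated files a release is expected to carry (configure, Makefile.in, ...)
        "expected_generated": sorted(only_release & expected_generated),
        # anything else that appeared only in the archive deserves a manual look
        "unexpected_in_release": sorted(only_release - expected_generated),
    }


def suspicious(report):
    """True if the archive carries content that cannot be traced to the tag."""
    return bool(report["modified"] or report["unexpected_in_release"])


# Constructed sample trees. m4/build-to-host.m4 is the path the real xz 5.6.x
# tarballs carried the modified macro under; all file contents are placeholders.
VCS_TREE = {
    "Makefile.am": b"SUBDIRS = src tests\n",
    "src/liblzma/lzma.c": b"/* liblzma source */\n",
    "tests/files/good-large_compressed.lzma": b"\x5d\x00\x00\x80\x00",
}
RELEASE_TREE = dict(VCS_TREE)
RELEASE_TREE["Makefile.am"] = b"SUBDIRS = src tests\nEXTRA_DIST = extra\n"
RELEASE_TREE["configure"] = b"#!/bin/sh\n# generated by autoconf\n"
RELEASE_TREE["m4/build-to-host.m4"] = b"# build-to-host.m4 serial 30 (placeholder)\n"


def demo():
    """Compare the constructed release archive against the constructed VCS export."""
    return compare_release(build_tar(RELEASE_TREE), build_tar(VCS_TREE))


if __name__ == "__main__":
    report = demo()
    for key, names in report.items():
        print(f"{key}: {names}")
    print("suspicious" if suspicious(report) else "clean")
```

On the constructed input the report lists Makefile.am as modified, configure as an expected generated file, and m4/build-to-host.m4 as an unexpected addition, which is exactly the class of difference a reviewer would have needed to look at in the xz case. In practice the VCS side would come from `git archive <tag>`, and the expected-generated list from the project's release process rather than a hard-coded set.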

One of the most important lessons is that trust between contributors is key, especially in projects that are critical to our infrastructure, and that this trust has to be backed by verification: release artifacts should be traceable to the public source tree, and reviewers should treat build scripts and binary test fixtures with the same suspicion as code. Another lesson is, of course, that we need better funding for project maintainers to ensure they have the resources to keep important projects secure; a single overworked volunteer is an easy target for pressure. Every company that uses open source should ask itself what it can contribute to this.

📣 Linux Foundation announces Valkey, an open source successor to Redis

In last week’s edition, I wrote about Redis changing its open source license.

The Linux Foundation reacted quickly and announced the formation of Valkey, an open source alternative to the popular Redis in-memory data store. Valkey will continue development from Redis 7.2.4 and keep the project available under the open source BSD 3-clause license. Since Redis was created in 2009, thousands of open source developers have contributed to its growth and success. To continue improving on that work and allow for unfettered distribution, the community created Valkey as an open source, high-performance key-value store.

Valkey will follow an open governance model at the Linux Foundation, remaining community-driven and welcoming all users and contributors. Major industry players like AWS, Google Cloud, Oracle, Ericsson, and Snap Inc. are supporting Valkey and plan to contribute to the long-term health of the project.

The Valkey repository quickly gained popularity and already has over 6.5k stars as I’m writing this.

📚 More open source content

  • Node.js: The Documentary - An origin story Link

  • Two open source projects with great documentation Link

  • Cloud-native community celebrates Kubernetes’ ‘Linux moment’ and its growing role in enterprise AI Link

  • Worldcoin Foundation open sources core components of the Orb’s Software Link

🤡 Meme of the week

Until next week,

Jonathan (@jonathimer)