Love using your Open Source and Source Available software? Well, it is May 2025 which is the Open Source Initiative’s Maintainer Month! Time to give these neglected but critically important folks a shout out of appreciation. Special thanks to Nick Vidal for giving the opportunity of this collaboration.
I’m (Holloway) Chew, Kean Ho – a maintainer stewarding some fun applications, some serious tools, and my own legal licenses since 2023. Herein lies my story about being a growing maintainer.
This article’s writing and artworks are strictly human-created with no Artificial Intelligence’s involvement.
SIDE-NOTE: PDF book is now available for free at: https://doi.org/10.5281/zenodo.15334597
Who Am I
I have been active in software development since 2013 and specialized in control computing engineering with 2 First-Class Honours Degrees of Mechatronics Engineering from both Staffordshire University and Asia Pacific University of Innovation. My works cover projects involving proprietary licenses, source available licenses, and Open Source licenses for both non-commercial and commercial goods.
What’s Open Source To Me
It’s an open commodity of product and processes (analogous to: standardized hammer and nails engineering specifications). The main business objective of Open Source licensing is to make sure everyone can access certain knowledge, product, or processes without any kind of restrictions including monetary restrictions. On the contrary, both Source Available and Proprietary licensing are not free (to change and use) and often associated with monetary charges. Having said that, we need all software licensing types to make the world whole. Source Available licensing and Proprietary licensing main business objective is to make profits. They all need one another to make the world whole.
However, Open Source licenses must not be confused with Source Available licenses. The latter can lead to very nasty business repercussions when treated that way. As a case study: despite Meta marketing its Llama product as “Open Source”, its license https://www.llama.com/llama3/license/ is actually a Source Available license where they explicitly stated custom commercial restrictions in §2 instead of the clear freedom offered by Open Source. Using it like any Open Source license without parsing that agreement can allow Meta to pursue litigation easily to stop your commercial pursuit. Always parse the agreement, preferably with an attorney.
Therefore, it is important to plan and implement your product with care, achieving the right protection against your business value and yet ensuring non-core software components are declared with the right licenses. Here’s a case study: Google primarily profits from digital advertisement so they have chosen to support various great Open Source products like Android operating system, Chromium/Chrome web browsers in order to let the general public have better digital accessibility freely while they can place advertisement lots for running their business.
How Did I Get Involved
My first job was to get involved directly with Linux Kernel drivers from the get-go. That’s how I started my journey to Linux and Open Source ecosystems. After my career advancements, I decided to go all-in into Linux and now Debian operating system development and have been working in this domain ever since.
Currently, I am collaborating with folks from FireGiant to upgrade my Source Available automation tool. They provide a MSI packaging solution to my tool so that it can seamlessly package any product into a professional installer for Windows operating system without complicated configurations (MSI installer package is known for its notoriously complicated specifications and executions).
Communities Management
Growing Communities
I’m more of the “Laws of Attractions” kind of person for getting people in. If it solves a business problem, it works seamlessly. I don’t actively go around town trying to force people to use it.
My strategy was to set up a friendly environment for people to come in, have some fun, exchange business contacts, etc., closely resembling an evening viking tavern. Folks come in; have some drinks and meals; dance and sing together to the music; schedule tomorrow’s events together; exchange experiences and stories; etc. That’s the leadership I want to be in Open Source.
Since I got my own AutomataCI automation tool, I generally prefer working with small teams (e.g. 3-4 max) for very effective communications and end-to-end executions. Whatever can be automated must be automated.
Project Involved
At the moment with FireGiant via My AutomataCI end-to-end automation tools:
- https://github.com/chewkeanho/automataci
- (FireGiant) https://github.com/wixtoolset/issues/issues/7896
- (AppImage) https://github.com/ChewKeanHo/AutomataCI/issues/137
Personally, for the general public to enjoy playing My AI Image Upscaler (with no GUI shenanigans):
For legal licensing, I have my own product licenses since year 2024 mainly to have additional new legal coverages (e.g. data privacy & confidentiality) and a mix of terms and clauses from multiple licenses to meet my generic productization needs:
- https://doi.org/10.5281/zenodo.13770769
- https://doi.org/10.5281/zenodo.13788522
Challenges as Maintainers
Very limited resources (as in both time and money). I have many visionary projects in my backlog but well, I still have to focus on making a living.
My existing communities are good and I love them! I really wish I can provide them the monetary support they need as a reward for making the world a better place.
Message to Contributors
Not all maintainers are jerks, self-indulgent, or egoistic. Please freely speak out when you’re at my “taverns”. You can watch DreamWorks’ “How to Train Your Dragon” to understand those emotions, feelings, and cultures. We’ll click eventually. Try to frame your queries with curiosity and learning: it always works.
Please do not place immediate or deadline bound schedules. Unless you fully fund the entire project (which can be a huge sum), all of us are actually contributing via our free and hobby times.
Sometimes we do attempt to align our commercial goals for funding to get pitched in. Unless we can turn any stone into gold, well, reality strikes hard.
Security Management
Key Security Practices
Anything that can be systematically automated, I’ll do it at any level – No one gets left in the dark be it an intern or juniors; not under my wings.
Security design from the start (as early as the first working prototype). In layman’s terms, security is a “metal alloy” to be forged from the get-go; not a “Lego” brick composition to be duct taped with.
OWASP https://cheatsheetseries.owasp.org/ and IETF https://datatracker.ietf.org/ are my primary go-to for network security.
Kernel Handbook https://docs.kernel.org/index.html for Linux Kernel.
Debian Handbook https://wiki.debian.org/SecurityManagement & Specs https://www.debian.org/doc/debian-policy/, https://wiki.debian.org/DebianRepository/Format for Debian OS.
Subscribe to every CVE related messaging and mailing list + Gmail filters for inbox auto-organizations. Also subscribe to GitHub CVE Security Advisory or CVE databases.
Comment the Security/Spec reference so the next developer knows where and when it is implemented (searchable using the grep -R "[KEYWORD]" /path/to/directory command).
“Function before Design” principle – Keep the product minimally functional for minimizing attack surfaces first before starting to apply fancy aesthetics and display.
Biggest Security Threat to Open Source
Threat No.1 is still the deadly supply chain threat. Primarily, I’m looking at the genuine owners themselves or geo-politics “leaders” https://doi.org/10.5281/zenodo.6815012; not the conventional third-party attacking “hacking” entities. Just 1 simple question: “if GitHub pulls GitLab’s drastic business policy changes (from free to USD5/user/namespace/month) or there is a baseline tariff for network traffic (e.g. from ~USD0.0025/GB egress only to USD2 fees for both ingress and egress), can one mitigate such threat oversight?” This question alone is sufficient to cause enough chaos worldwide. Louis Rossmann compiled a lot of toxic business practices for case studying on his YouTube channel https://www.youtube.com/@rossmanngroup/videos.
Threat No.2 is the over-reliance on centralized supply repositories (as in NPM, Python’s pip, DockerHub, Rust’s Cargo, and GitHub). If the geo-politics of the business unit cuts the supply channels off, either by altering business policies “after the fact” or through unfriendly, incomprehensible foreign government policy, the entire operation and progress of any ecosystem (Open Source or otherwise) will be badly stifled.
Threat No.3 is younger-generation tech influencers speaking too loudly with their too inexperienced “knowledge”: misguided information. Specialists that I interacted with rarely speak that loud across the industry. A case study is this Shell guide from Google https://google.github.io/styleguide/shellguide.html which completely decelerates the Shell libraries development. Shell and PowerShell are the best candidates for general-purpose automation since they can run without installing anything; not Python that requires its thick interpreter installation; not Maven with its Java runtime requirement. Another case is its recommended function name (mypackage::my_func() { … }) which is completely not POSIX compatible and only specific to BASH (I believe the writer is lacking POSIX shell experience and came from a C++ domain). This cost me months of complete library rewrites after the POSIX realization from cross-running with BSD-based operating systems.
Threat No.4 is the usual resources (funding, etc.) shortfall. As usual, funding motivates developers to contribute freely. As of this writing, the Open Source Lab (OSL) from Oregon State University is on life-support pleading for funding https://osuosl.org/blog/osl-future/. OSL is currently providing infrastructure hosting for projects such as Drupal, Gentoo Linux, Debian, Fedora, phpBB, OpenID, Buildroot/Busybox, Inkscape, Cinc and many more!
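The POSIX naming point raised under Threat No.3 can be checked mechanically before a shell library is run on a non-Bash shell. The script below is an added example, not the author's code and not part of AutomataCI; the helper names find_nonportable_funcs and check_sample are hypothetical and the sample input is constructed.

```shell
#!/bin/sh
# Added example: list function definitions whose names fall outside the POSIX
# "Name" grammar (letters, digits, underscores; no leading digit).
# find_nonportable_funcs and check_sample are hypothetical helper names.

# Reads shell source on stdin and prints "LINE:NAME" for each non-portable name.
find_nonportable_funcs() {
    awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)                  # ignore indentation
        # A definition looks like NAME() ...; comments and assignments are skipped
        if (match(line, /^[^ \t(){}#=;]+[ \t]*\(\)/)) {
            name = substr(line, 1, RLENGTH)
            sub(/[ \t]*\(\)$/, "", name)          # strip the trailing "()"
            if (name !~ /^[A-Za-z_][A-Za-z0-9_]*$/)
                printf "%d:%s\n", NR, name
        }
    }'
}

# Constructed sample library: two Bash-only names and one portable name.
check_sample() {
    find_nonportable_funcs <<'EOF'
mypackage::my_func() {
    echo "Bash-only name"
}
mypackage_my_func() {
    echo "portable name"
}
log.info() { echo "$1"; }
EOF
}

check_sample
```

Piping every library file through find_nonportable_funcs in CI and failing on any output catches such names before a BSD or dash run does.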
Artificial Intelligence
The Good Side
Large Language Model (LLM) based artificial intelligence (AI) like Claude Sonnet https://claude.ai/new + DeepSeek R1 (https://chat.deepseek.com/a/chat/) + Google’s Gemini https://aistudio.google.com/prompts/new_chat seriously speeds up material searches compared with conventional manual search-engine searches. I’m referring to this process:
- Request both AIs to generate a sample or list of some references for manual searches; AND
- Analyze their outputs (codes, list, etc); AND
- Procure the engineering specifications of the tech; AND
- Construct your own referencing on those outputs and reading those specifications
It also works extremely well with crude language translations (e.g. English → multiple localized languages across the continents).
Stable Diffusion based AI made the world a lot more colorful and took over dull image jobs while letting the human artists focus on important artworks (true story).
Google DeepMind’s Udio enables one who has zero experience in music creation but deeply connected to music listening to finally create his/her desirable music (true story).
Convolutional Neural Network (CNN) based NCNN Upscaler finally expands GIMP’s ability to upscale an image intelligently up to 4x the original per iteration; with different models. Extremely useful for small-sized image archaeological recovery (true story).
CNN-based Text to Speech (coming soon) finally allows Debian OS to speak like human without robotic sounds anymore (true story).
The point: as long as you create your own version by only referencing it, then the AI seriously accelerates; be it Open Source, Source Available, or even Proprietary licenses.
The Bad Side
When people misunderstood LLM internal operating functions and misused it for vibe coding or human replacement (e.g. support services).
Side-note: good luck to those enterprises!
All conventional search engines are completely unusable due to AI generated content poisoning. The era of conventional internet search has come to an end.
It’s hard and impossible to publish anything on the Internet without getting AI companies cold-bloodedly ripping it out without respecting local restrictions (as in robots.txt).
AI Porn flooded my social media unwillingly.
Biometrics (e.g. face, voice, fingerprint, and retinas) are getting deep-faked way too easily – one can no longer tell what’s real or not without pre-established “Trust on First Use/Meet”, and it is too easy to lose an actual bona-fide identity.
When people think the current LLM (dating 2025) can replace lawyers (coders of the real world) and software developers (coders of the virtual world).
License laundering is still an issue where AI generated content can get as close as the human created version without copyright infringement impact.
My Views
I personally welcome Artificial Intelligence. They seriously empower me by very large magnitudes.
It also reveals our economy and finance’s biggest problems “full automation vs. human needs” which is a world economic problem. This is a main issue everyone is worried about but is currently masked by Artificial Intelligence as a threat. That’s a story for another day.
To The Future
To all New Maintainers
Congrats! People care about your products. Keep up the good work.
To the aspiring folks…
- Focus on solving a business problem. You’ll attract users without needing to roll out a marketing campaign.
- Do not underestimate the “one-time” fun app. It can anytime become a popular tool for everyone to use (true story).
- Always differentiate facts and data from individual opinions. Do not waste too much time on the latter.
- Engineering specifications and actual documentation are way better than “he says she says” stuff by the influencers.
Epilogue
Thanks for reading thoroughly. Well, we come to an end now.
Don’t give up and stay connected! My blessing to you.
Contact information
YouTube
- Soundtracks : https://www.youtube.com/@chewkeanho-soundtracks
- Tech Entries: https://www.youtube.com/@chewkeanho-tech-codex
- Personal : https://www.youtube.com/@hollowaykeanho
Independent Research
- ORCID : https://orcid.org/0000-0003-4202-4863
- Zenodo Personal Repository: https://zenodo.org/communities/chewkeanho/
Digital Product Development
- GitHub (Personal) : https://github.com/hollowaykeanho
- GitHub (Business) : https://github.com/orgs/ChewKeanHo/discussions
Mastodon Social
BlueSky Social
Telegram Messenger
- Main : https://t.me/chewkeanho
Reddit Social
Acknowledgements
Special thanks to:
- Sibert Bronzon (Sweden) – For always pushing me to grow beyond my comfort zones and explore what’s beyond algorithms and control systems.
- Elvin Ong Boon Leong (Malaysia) – For always being there when I needed it since our first job together.
- Julian Hübner (Germany) – For helping me co-maintaining the AI-driven NCNN application project on the Windows side of support.
- Cory Galyna (Germany) – For supporting me all the way throughout my entrepreneurship with her management wisdom.
This article is licensed under Creative Commons Attribution-NoDerivatives 4.0 International License.
This story was published under CC BY-SA by the author.