Posts Tagged ‘Open Source’
Introducing Our Keynote Speakers at OCX 2024
As we approach the Open Community Experience (OCX), scheduled to take place from 22-24 October in Mainz, Germany, my anticipation and excitement continues to build. This event marks a new chapter for our community, with a fresh conference format that I believe will bring even more value to all of us. The focus on collocated events is something I’m particularly enthusiastic about, as it allows us to explore a broader range of topics including automotive and Java, while EclipseCon remains at the heart of this experience.
Whether you’re a regular EclipseCon attendee or joining us from one of the many communities that make up our “community of communities,” I look forward to connecting with you. For me, our flagship conference is more than just an event—it’s a yearly highlight where I get to reconnect with old friends, make new ones, and engage in the meaningful conversations that drive our collective work forward.
I’m honoured to be delivering the keynote on “The State of the Eclipse Foundation” this year. I’ll be sharing key updates, our vision for the future, and how we plan to continue driving innovation in the open source space. As we celebrate the Eclipse Foundation’s 20th anniversary, it’s a pivotal moment for us, and I’m excited to take you along on this journey.
But it’s not just me you’ll hear from. We’ve lined up a stellar group of keynote speakers, each bringing their unique expertise and deep expertise in their respective fields. Prepare to be inspired by some of the brightest minds in the industry:
- Haibo Chen from Huawei will deliver an exciting session titled “Empowering a Connected Intelligent World With OpenHarmony and Oniro.” This talk will explore how OpenHarmony and Oniro, both open source initiatives, are driving the connected intelligent future.
- Cédric Dumont, an extreme sports athlete and base-jumping pioneer, will provide the inspirational keynote “Scaling New Heights: Emerging trends in performance and leadership for thriving as a team in disruption.”
- Ruth Ikegah, an Open Source Program Manager, acclaimed speaker, and GitHub Star, will deliver her keynote “From Local Roots to Global Impact: Building an Inclusive Open Source Community in Africa.” Ruth will highlight how inclusivity fuels innovation and growth within the global open source community.
- Yann Lechelle from Probabl will take the stage with “Eyes Wide Open, AIs Wide Open – Or How to Remain in Control in the Age of AI,” exploring the big picture implications of compute, data, and machine learning, and how we can stay competitive while safeguarding the values that make us human.
- Sarah Novotny, a leading voice in open source, who has guided projects like Kubernetes, OpenTelemetry, NGINX, and MySQL, will present “We Build Software in the Open to Build Trust.” She’ll discuss the need for transparent and collaborative open source software development and its profound economic and societal impact.
- Leandro von Werra, from Hugging Face, will offer insights into the future of LLMs for code and how the BigCode project is paving the way for open and responsible AI-driven development at the session “BigCode: Building Open LLMs for Code”.
And that’s just the beginning. OCX 2024 is packed with sessions, workshops, and networking opportunities designed to spark innovation, collaboration, and growth. Whether you’re deeply involved in open source software or just beginning your journey, there’s something here for everyone.
I’m genuinely excited about what we’ll experience together at OCX 2024. This is our chance to come together, share our knowledge, and set the stage for the future of open source development. Don’t miss the opportunity to save by taking advantage of early bird pricing—register before 7 October 2024.
See you there!
Securing the Future of Open Source: Launching the Open Regulatory Compliance Working Group
Today marks an important milestone for the open source community. As open source software continues to drive innovation across industries, ensuring its relevance and compliance with emerging regulations has never been more critical.
To address these challenges, the Eclipse Foundation is proud to announce the formal launch of the Open Regulatory Compliance (ORC) Working Group. This initiative is designed to ensure that open source remains a powerful force for innovation while meeting the increasingly complex regulatory requirements that commercial organisations face globally.
As previously announced, this initiative has garnered the support of the world’s open source foundations, including Apache Software Foundation, Blender Foundation, FreeBSD Foundation, Matrix.org Foundation, NLnet Labs, OpenInfra Foundation, OWASP, PHP Foundation, Python Software Foundation, Ruby Central, and Rust Foundation. We also have the support of numerous civil society organisations, industry organisations, and SMEs including CodeDay, iJUG, Obeo, Open Elements, OpenForum Europe, Open Source Initiative, Payara Services, Scanoss, and Software Heritage. Today we are also announcing that we have the support of European industry heavyweights Bosch, Mercedes-Benz, Nokia, and Siemens.
This diverse collaboration highlights the industry’s shared commitment to navigating regulatory changes together and ensuring that open source continues to thrive as a pillar of modern technology.
Securing the Future of Open Source Innovation
In an era where businesses rely on open source for mission-critical applications, the ORC Working Group is essential to maintaining the competitive advantage that comes from using and contributing to open source software. As regulations evolve, commercial organisations need a clear path to stay compliant while continuing to innovate. The ORC Working Group addresses this need by helping to formalise industry-aligned best practices, helping companies leverage the full potential of open source without the risk of falling behind on new regulations.
Immediate Focus: The European Cyber Resilience Act
Open source is a cornerstone of global digital innovation, and Europe’s regulatory landscape is playing a pivotal role in shaping its future. The ORC Working Group is committed to ensuring that open source remains a vital part of the world economy, and complying with the EU’s Cyber Resilience Act (CRA) is a critical part of this. Through collaboration with European institutions, the working group is working to facilitate compliance with the CRA and similar regulations, helping businesses and developers alike stay ahead of the curve.
Keeping Innovation Compliant and Secure
With the Cyber Resilience Act as a primary focus, the ORC Working Group is looking to make progress in developing cybersecurity process specifications and best practices to support compliance. Liaison status with the European Committee for Standardization (CEN) and the European Committee for Electrotechnical Standardization (CENELEC) further strengthens the working group.
Get Involved: Shaping the Future of Open Source Compliance
As the open source ecosystem faces unprecedented regulatory challenges, now is the time for all stakeholders — developers, companies, foundations, and regulatory bodies — to come together and ensure that open source innovation remains sustainable and compliant. The Open Regulatory Compliance (ORC) Working Group offers a unique opportunity to actively shape the future of open source by helping define the standards and best practices that will keep it relevant and competitive in the face of evolving global regulations.
We invite anyone involved in the open source community — whether you’re a developer, legal expert, corporate leader, or part of a standards organisation — to join this critical effort. Your participation will not only help safeguard the future of open source, but also ensure that your organisation stays ahead of the regulatory curve.Join the ORC Working Group and the ORC mailing list today to help define the future of open source compliance.
Strengthening Open Source: Latest Updates from the Open Regulatory Compliance Working Group
Earlier this year, a significant group of open source foundations including Apache Software Foundation, Blender Foundation, PHP Foundation, Python Software Foundation, Rust Foundation, and the Eclipse Foundation – joined forces to launch an exciting new initiative. This initiative aims to help all open source participants navigate and comply with governmental regulations, ensuring the continued use and advancement of open source through the software supply chain.
This initiative is now taking shape through what is now called the Open Regulatory Compliance Working Group, hosted at the Eclipse Foundation. Since our announcement in April, we’ve been tirelessly bootstrapping this group with incredible support from the community. We’ve also welcomed additional backing from both industry and the open source community, including organisations such as CodeDay, FreeBSD Foundation, iJUG, Matrix.org Foundation, NLnet Labs, Obeo, Open Elements, OpenForum Europe, OpenInfra Foundation, OWASP, Payara Services, and Scanoss.
The Open Regulatory Compliance Working Group is bridging a critical gap between regulatory authorities and the open source ecosystem. By collaborating with relevant authorities and standards organisations, the working group aims to formalise industry best practices so they can be properly referenced in legislation and support the authorities in understanding the peculiarities of the open source ecosystem. This ensures that all open source participants can meet regulatory requirements across jurisdictions and improve software quality and security.
While the Open Regulatory Compliance Working Group is chartered to address compliance with open source-impacting requirements in general, our immediate focus is the European Cyber Resilience Act (CRA), which is on the fast track to implementation. The CRA will come into force soon, followed by a three-year transition period for ironing out implementation details. The agenda for the standardisation process in particular is very tight, as the goal of the European Commission is to have the harmonised standards, for which it issued a draft request on April 17, be available a year in advance to give the industry time for implementation. This leaves us with a very limited time to ensure the unique needs of the open source ecosystem are well understood and properly addressed.
We’re addressing this challenge through a series of parallel work streams:
- Educating the Community: We’re hosting a series of webinars with the European Commission to bring the open source community up to speed on the EU’s legislative process.These sessions are recorded and available online. The first session, “How to read the CRA: Identifying the key parts of the CRA for effective compliance” led by Enzo Ribagnac, Associate Director of European Policy at Eclipse Foundation, is already available. Slides from our second session with Benjamin Bögel, Head of Sector for Product Security and Certification Policy at the European Commission, are also available online, with the full recording coming soon. Our third session on CRA Standards with guest speaker Filipe Jones Mourão, Policy Officer at the European Commission, took place on July 29. A fourth session titled “CRA OSS implementation: Guidelines, attestations and other key documents.” is planned for September 2.
- Building an Information Hub: We are creating a centralised hub to consolidate all relevant CRA information in one easily accessible location. This hub will contain educational information, such as recordings of the webinars we have organised, a glossary of terms, key references, and the very useful flow-chart that Maarten Artsen from NLnet Labs has kindly contributed.
- Collaborating with the European Commission: We’re closely working with the European Commission services to foster understanding of the legislative and standardisation timeline so we can create and deliver the right artefacts at the right time. Following what should be the timeline defined in the Commission’s standardisation request, our immediate focus is on the horizontal standard whose content is defined in Annex I, Part I of the CRA, along with the product-specific, vertical standards outlined in Annexes III and IV.
- Pursuing Formal Liaison Status: We are seeking formal liaison status with European and National Standards Organizations to strengthen our collaboration and impact.
- Formalising Governance: We are structuring the working group so as to allow for the development of specifications through a process recognized by the European Union, as well as gather feedback from relevant authorities on the results working group community work. Stay tuned for a formal announcement in September.
- Regular Updates: We will continue to keep the community informed through regular public calls, with the next one scheduled for Tuesday, August 20 at 2pm CEST.
Join us on this transformative journey as we navigate and shape the future of open source regulatory compliance. For more details and to stay updated, join our mailing list or visit our website.
The Open Source Community is Building Cybersecurity Processes for CRA Compliance
tl;dr – Apache Software Foundation, Blender Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation, Rust Foundation, and Eclipse Foundation are jointly announcing our intention to collaborate on the establishment of common specifications for secure software development based on existing open source best practices.
In an effort to meet the real challenges of cybersecurity in the open source ecosystem, and to demonstrate full cooperation with, and to support the implementation of, the European Union’s Cyber Resilience Act (CRA), Apache Software Foundation, Blender Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation, Rust Foundation, and Eclipse Foundation are announcing an initiative to establish common specifications for secure software development based on open source best practices.
This collaborative effort will be hosted at the Brussels-based Eclipse Foundation AISBL under the auspices of the Eclipse Foundation Specification Process and a new working group. As Europe’s largest open source foundation, which also supports a robust open specification process, the Eclipse Foundation is a natural home for this effort. Other code-hosting open source foundations, SMEs, industry players, and researchers are invited to join in as well. The starting point for this highly technical standardisation effort will be today’s existing security policies and procedures of the respective open source foundations, and similar documents describing best practices. The governance of the working group will follow the Eclipse Foundation’s usual member-led model but will be augmented by explicit representation from the open source community to ensure diversity and balance in decision-making. The deliverables will consist of one or more process specifications made available under a liberal specification copyright licence and a royalty-free patent licence.
The reasons for this collaboration extend beyond compliance. In an era where software, particularly open source software, plays an increasingly vital role in modern society, the need for reliability, safety, and security has steadily increased. New regulations, exemplified by the impending CRA, underscore the urgency for secure by design and robust supply chain security standards well before the new regulation comes into force in 2027.
While open source communities and foundations generally adhere to and have historically established industry best practices around security, their approaches often lack alignment and comprehensive documentation. The open source community and the broader software industry now share a common challenge: legislation has introduced an urgent need for cybersecurity process standards.
The CRA will lead to numerous standards requests from the Commission to the European Standards Organisations. And these are only the European requirements – additional demands from the US and other regions can be anticipated.
The CRA also creates a new type of economic actor – the “Open Source Software Steward”. It is in this context that we, as open source foundations, want to respond to the challenge of establishing common specifications for secure software development.
This challenge is compounded by the following:
- Today’s global software infrastructure is over 80% open source. The software stack that underpins any product with digital elements is typically built using open source software. As a result, it is fair to say that when we discuss the “software supply chain,” we are primarily, but not exclusively, referring to open source.
- Traditional standards organisations have had limited interactions with open source communities and the broader software/IT industry. To make matters more complicated, their governance models currently do not provide opportunities for open source communities to engage.
- Open source communities have a limited history of dealing with traditional standards organisations. To make matters more complicated, their resource constraints make it difficult for them to engage.
- Standards setting is typically a long process, and time is of the essence.
So while these new cybersecurity standards must be developed with the requirements of open source development processes and communities in mind, there is no clear path on how to do so in the time available. It is also important to note that it is similarly necessary that these standards be developed in a manner that also includes the requirements of proprietary software development, large enterprises, vertical industries, and small and medium enterprises.
Despite these challenges, a foundation for progress exists. The leading open source communities and foundations have for years developed and practised secure software development processes. These are processes that have often defined or set industry best practices around things such as coordinated disclosure, peer review, and release processes. These processes have been documented by each of these communities, albeit sometimes using different terminology and approaches. We hypothesise that the cybersecurity process technical documentation that already exists amongst the open source communities can provide a useful starting point for developing the cybersecurity processes required for regulatory compliance.
We hope that our specifications could inform the formal standardisation processes of at least one of the European Standards Organisations. Given the tight time horizon for implementation of the CRA, we believe that this immediate start will provide a constructive environment to host the technical discussions necessary for the stewards, contributors, and adopters of open source to meet the requirements set forth in these new regulations.
We invite you to join our collaborative effort to create specifications for secure open source development: Contribute your ideas and participate in the magic that unfolds when open source foundations, SMEs, industry leaders, and researchers combine forces to tackle big challenges. To stay updated on this initiative, sign up for our mailing list.
Cyber Resilience Act: Good Intentions and Unintended Consequences
In my previous blog post on the European Cyber Resilience Act (“CRA”), I touched on a topic which I feel warrants additional discussion. Specifically:
Fundamentally, the core of the proposed legislation is to extend the CE Mark regime to all products with digital elements sold in Europe. Our assumption based on the current text is that this process will be applied to open source software made available under open source licenses and provided free of charge, ostensibly under licenses which disclaim any liability or warranty. We are deeply concerned that the CRA could fundamentally alter the social contract which underpins the entire open source ecosystem: open source software provided for free, for any purpose, which can be modified and further distributed for free, but without warranty or liability to the authors, contributors, or open source distributors. Legally altering this arrangement through legislation can reasonably be expected to cause unintended consequences to the innovation economy in Europe.
First, a mea culpa. In the quote above I stated that “…the proposed legislation is to extend the CE Mark regime to all products with digital elements sold in Europe.” That statement is inaccurate. It should have said “the proposed legislation is to extend the CE Mark regime to all products with digital elements made available in Europe.” That is a critical distinction, as it makes the CRA broadly extra-territorial. In today’s world where most software is downloaded over the internet, “made available” means that the documentation, certification, and liability requirements of the CRA are expected to apply to all software worldwide.
I honestly believe that CRA was developed with the best of intentions. Software has become critically important to our economies and societies, and to date has been a completely unregulated industry. Recent events such as the SolarWinds and Apache Log4j vulnerabilities have shown that there can be very large economic impacts when something goes wrong. The Log4j event showed that open source software components can have a very large impact due to wide usage. Given that, it is a reasonable position that the time has come to implement regulations upon the software industry, and to ensure that open source software is included within the scope of those regulations. I want to stress that I believe that the open source community very much wants to be part of the solution to the industry problems that we all face with respect to supply chain security. The open source community provides extremely high quality software and takes great pride in the value that it provides to society.
However, the CRA legislation (along with the companion revisions to the Product Liability Directive) in its current form will have enormous negative effects on both the open source community and the European economy.
For the purposes of this blog post I am going to ignore for the moment the impact of applying the CE Mark regime to all software all at once, as that would be a long post in its own right. This post will focus on the unintended consequences of applying legal product liability obligations to the open source community and ecosystem. But before doing so, I want to spend a few moments describing what open source software is, and why it is important. If you have a good understanding of that topic, feel free to skip that section.
The Economics of Open Source
Today’s software systems are mind-bogglingly complex. And for most systems, a very large percentage of the overall code base provides zero product differentiating features. For example, any modern system will require code which allows it to connect to the internet to acquire and share data. Open source at its core is a simple licensing model which allows individuals, researchers, academics, and companies to come together to develop and maintain software which can be freely studied, used, modified, and redistributed. The breadth of software which has been developed under this model encompasses every field of human endeavor. But arguably the most common use case is to share the cost of developing and maintaining software which implement non-differentiating technologies used across a broad spectrum of products and applications. To be clear, “non-differentiating technologies” means implementations in software of the types of technologies that many similar applications must implement. Examples include network access, database access, user authentication, and the like. It is impossible to overstate the economic benefits of being able to reuse software in this way. Reuse decreases lifecycle costs, reduces time to market, and mitigates development risk across every type of system which contains software. Which is to say, every single aspect of social and economic activity. That is why it is estimated that most modern software and cyber-physical products contain 80 to 90 percent open source. It is simply not economically viable to write all software yourself while your competitors are building theirs using open source.
But the economic benefits of open source only start there. In fact, there is arguably even greater value in the pace of innovation which is made possible by open source. All developers today start their development off by selecting and assembling open source components to form the basis for their product or application. And they are able to do so without asking permission from any of the providers. This ‘permissionless innovation’ has vastly accelerated the pace at which new products in all fields can be developed and brought to market. When open source was first introduced, it was primarily used to commoditize technologies which were already well understood. Today, open source is used to introduce new technologies, in sectors such as Big Data, Cloud, Edge, AI and software defined vehicle, in order to accelerate adoption and create new market segments.
It is important to remember that open source software is provided at zero cost to the consumer. This completely decouples its value from its sale price. And there are many examples of open source software which are almost immeasurably valuable: Linux, Kubernetes, Apache, and OpenJDK are just a few examples of open source which support multi-billion euro ecosystems.
It is also important to recognize that open source software is a non-rivalrous good. In fact, it is an anti-rivalrous good in that the more a software component is used, the more valuable it becomes. This is incredibly important to understand: the value of a piece of open source software is not determined when it is made available. It becomes valuable (and potentially critical) when it is used. And the more it is used, the more valuable and critical it becomes. As a logging framework, Log4j was not a piece of software which at face value would be expected to be security critical; it became so because it was so broadly used and adopted.
Finally, there is no open source business model. Open source licensing has enabled an incredibly successful collaborative production model for the development of software, but that is decoupled from the commercialization of that software. Obviously, given the massive investments in open source someone must be making money somewhere. And they are. Open source technologies are used in virtually every cyber-physical, software, SaaS, and cloud product on the planet. It is also very widely used in the internal bespoke software applications that run our governments, enterprises, and industrials. When we talk of the open source supply chain, it is important to recognize that what we are discussing is the use by governments and commercial organizations of freely provided software. Unlike any other market that I am aware of, the financial resources available to manage and secure the open source software supply chains are solely available to the consumers, rather than the producers. For this reason, it is important that any compliance burden be placed on the downstream commercial adopters and consumers, rather than the producers of open source.
Unintended Consequences
Which brings me to the risks to Europe’s economy that I see from the CRA. The preamble to the legislation states: “For the whole EU, it is estimated that the initiative could lead to a costs reduction from incidents affecting companies by roughly EUR 180 to 290 billion annually.” On the cost side it states: “For software developers and hardware manufacturers, it will add direct compliance costs for new security requirements, conformity assessment, documentation and reporting obligations, leading to aggregated compliance costs amounting to up to roughly EUR 29 billion.” In other words, spend 29 billion to save 290 billion. The impact assessment further describes that an analysis was done which spurred the decision to extend to legislation to cover all tangible and non-tangible products:
This option would ensure the setting out of specific horizontal cybersecurity requirements for all products with digital elements being placed or made available on the internal market, and would be the only option covering the entire digital supply chain.
As discussed in my previous blog post, the CRA as currently drafted will be extended to cover virtually all open source software. This will legally obligate producers of open source software to the documentation, certification, and liability provisions of the CRA. Let us focus here solely on the liability topic.
The fundamental social contract that underpins open source is that its producers freely provide the software, but accept no liability for your use, and provide no warranties. Every open source license contains “as is”, no liability, and no warranty clauses. I’ve always assumed that this is simple common sense: if I provide you with a working program that you can study, use, modify, and further distribute freely for any purpose, why should I accept any liability for your (mis)use of that program? It is the companies which commercialize the technology and make a business from it who need to accept liability and provide warranties to their paying customers, not the open source projects which they have freely consumed. The CRA fundamentally breaks this understanding by legislating non-avoidable liability obligations to producers of free software.
What might be the consequences of forcing the producers of free and open source software made available in Europe to accept statutory liability for code that they provide? Remembering, of course, that all open source software is both developed and distributed over the internet so “made available in Europe” can arguably apply to it all. And also remembering that enormous amounts of open source software are produced worldwide by projects, communities, and nonprofit foundations which make no money off of their software, and who have always operated under the assumption that their liability obligations were extremely low. Thirdly, it is important to remember that open source software is provided for free. The producers of open source do not receive any revenue from users and adopters in Europe, so the usual market incentives to accept additional regulations to retain access to the European single market do not apply.
So with the caveat that these are all hypothetical scenarios, let’s look at some potential unintended consequences of the CRA’s liability obligations. (Some of these points are also made in Brian Fox’s excellent blog post.)
- A reasonable and rational response would be for non-European producers of open source code to state that its use is not permitted in Europe. If you are not willing to accept statutory liability obligations for something you make available for free, a notice file stating the above would be an obvious reaction. What would this mean to the European companies that build products on platforms such as Linux, Kubernetes, Apache, and OpenJDK? I would assume that the vast majority of their procurement and compliance organizations would conclude that they can no longer use those technologies in their product development. Cutting Europe off from these platforms would have catastrophic consequences.
- European producers of open source will be at a significant disadvantage relative to their international peers. Since they cannot avoid the liability obligations, they will be forced to accept them as part of their operations. For a small project hosted at (say) Github, it would probably be simpler to just terminate the project and pull its source code off of the internet. For a foundation such as the Eclipse Foundation, amongst other things I would expect that we would be forced to procure a very large liability insurance policy to mitigate the exposure of the organization and its directors and officers to potential liabilities. The result would threaten the €65 billion to €95 billion that open source software development contributes to EU GDP, as per the Commission’s own study.
- The CRA extends the liability obligations to distributors of software. In the open source context, some of the most important distributors include the language and platform-specific package distribution sites such as npm, Maven Central, PyPi and the like. None of those sites are in a position to accept liability for the packages they make available. As Brian Fox of Sonatype stated “…the consequence of this would be [Maven] Central, npm, PyPi and countless other repositories being suddenly inaccessible to the European Union.” As Brian is the leader of Maven Central, I am confident he understands what he’s talking about. I cannot stress enough how disruptive it would be to Europe’s business if that should occur.
- The CRA liability obligations could also force European business to stop contributing to open source projects. At the moment, it is generally understood that the risk that contributions to open source may incur a liability to the company is low. The CRA changes that equation and as a result European companies may curtail their open source collaborations. This would be extremely damaging to the innovation economy in Europe, for the reasons described in the economics section above. It also runs counter to a number of European wide strategies such as digital sovereignty which explicitly have major open source components. Initiatives such as GAIX-X, Catena-X, Dataspaces, Digital Twins, and Industrie 4.0 all explicitly rely upon open source collaboration which could be at risk under the CRA.
Europe’s Cyber Resilience Act was developed with the best of intentions. And it is certainly the right time to look at what regulations are appropriate for software generally, and given its importance open source software likely needs to be included in some manner. But the liability obligations imposed by the CRA upon projects, communities, and nonprofit foundations will have negative unintended consequences on Europe’s innovation economy and digital sovereignty initiatives.
Life at Eclipse 