FLOSS Research

It’s time to vote

Open Source Initiative - Wed, 2023-03-15 22:35

It’s that time of year when the board confirms and renews its members. If you’re a full member of OSI you’ll receive a ballot at the end of this week. 

Members of the OSI have an incredible opportunity to oversee and steer the organization, supporting me and the staff in achieving our mission. The Open Source Initiative is unique among open source organizations: we are among the very few that elect 80% of the board in an open process, choosing from the membership base (the board usually appoints two directors to add expertise and diversity as necessary).

After navigating the transition to the new structure over the past two years, the chair of the board, Catharina Maracke, and the secretary, Aeva Black, have renewed their interest in serving again. They’ll have to be confirmed by voters alongside the other candidates: Chris Aniszczyk, Duane O’Brien and Jim Jagielski.

Go read their individual pages and ask them questions ASAP: you’ll soon have to decide who to vote for, and your choice will shape the next board. It’s important that candidates and voters seriously consider the role of a board member and the time commitment required. Leadership roles and meaningful committee engagement may demand additional time.

Discuss OSI elections and other topics during OSI’s informal office hours on Fridays.

Stefano Maffulli
Executive Director, OSI 

Note: If you also represent an Affiliate organization, you’ll receive two ballots and separate instructions to vote for the board member that will take the one seat available for Affiliates.

In this month’s Open Source Initiative Newsletter
  • Why Open Source should be exempt from Standard-Essential Patents
  • ClearlyDefined gets a new community manager with a vision toward the future
  • Deep Dive: AI, Fathom III – The Final Report
  • Predictions in Open Source: Security, Mature Strategies, COSO, AI/ML
  • What’s next for OSI’s website
  • Open Source Initiative joins the Digital Public Goods Alliance
  • The ultimate list of reactions to the Cyber Resilience Act
  • The 2023 State of Open Source Report confirms security as top issue
  • The License Review working group asks for community input on its recommendations
  • Notable open source news
  • New and renewing sponsors announcements
Why Open Source should be exempt from Standard-Essential Patents

With the European Commission soon to offer the Parliament a bill relating to Standard-Essential Patents (SEPs), it is worth taking time to understand exactly why vendors’ requirement that users negotiate before using the patents they have embedded in “open” standards is antithetical to Open Source practice. Read more from OSI Standards & EU Policy Director Simon Phipps.

ClearlyDefined gets a new community manager with a vision toward the future

ClearlyDefined has a new community manager! Nick Vidal has joined the project hosted by the Open Source Initiative (OSI) that helps Open Source projects thrive by putting essential licensing data at teams’ fingertips. Vidal comes with 20 years of experience developing Open Source communities and will lead ClearlyDefined to its next phase.

Deep Dive: AI final report is out!

Read the complete summary of the Deep Dive: AI podcasts and panels. Understand the challenges and opportunities for Open Source communities posed by machine learning.

Predictions in Open Source: Security, Mature Strategies, COSO, AI/ML

OSI Executive Director Stefano Maffulli joined Javier Perez and Rod Cope of Perforce in a webinar entitled Open Source Trends to Watch in 2023 where they reviewed their 2022 predictions and laid out some new ones for 2023.

What’s next for OSI’s website

The Open Source Initiative moved its website to a new platform, a baby step toward improving the list of Approved Licenses. This is a weird announcement, and the journey that brought us to this point was just as weird. Stefano Maffulli explains how this is just a milestone, with more changes to come.

Open Source Initiative joins the Digital Public Goods Alliance

OSI will contribute to the Digital Public Goods Alliance’s mission of addressing the world’s most pressing economic challenges by furthering adoption of Open Source software. The announcement was made as part of the opening keynote at the Free and Open Source Software Developers’ European Meeting (FOSDEM) and the celebration of OSI’s 25th anniversary.

The ultimate list of reactions to the Cyber Resilience Act

The European Commission’s proposed Cyber Resilience Act (CRA) as drafted may harm Open Source, and perhaps all other non-industrial software.

There were 131 responses to the proposed text that the Commission has sent to the Parliament, including one from the Open Source Initiative. Of those, 18 responses – representing a significant proportion of Europe’s software industry – shared OSI’s concerns to some degree. Here are some sample points from the responses.

The 2023 State of Open Source Report confirms security as top issue

For the second year in a row, the Open Source Initiative and OpenLogic by Perforce collaborated to launch a global survey about the use of Open Source software in organizations. We drew hundreds of responses from all over the world, and once again, the results are illustrative of the Open Source space as a whole, including use, adoption, challenges, and the level of investment and maturity in Open Source software.

The License Review working group asks for community input on its recommendations

Some time ago the Open Source Initiative formed a working group to examine and improve the license review process. The OSI has a parallel undertaking investigating how to improve the tooling that will be used for the license review process and also how to best serve the public in the ways we provide information about Open Source licenses. Although the tooling project and the work of the License Review Working Group are intertwined, the conclusions of the License Review Working Group are focused on the requirements and policy that will inform the tooling project, but do not include the tooling project itself.

OSI in the news

And a huge shoutout to all of our renewing sponsors!



Are you interested in sponsoring or partnering with the OSI? Contact us to find out more about how your organization can promote open source development, communities and software.

Categories: FLOSS Research

Recap/Summary of the Digital Market Act workshop in Brussels

Open Source Initiative - Thu, 2023-03-09 15:00

This Monday, I was in Brussels to attend a stakeholder workshop for the Digital Market Act (DMA) organized by the European Commission. For those who aren’t familiar with the DMA, it’s a new law that the European Parliament voted on recently, and one of its goals is to force interoperability between messaging services by allowing small players to communicate with users of the so-called gatekeepers (e.g., WhatsApp).

I attended this meeting as a representative of KDE and NeoChat. NeoChat is a client for the Matrix protocol (a decentralized and end-to-end encrypted chat protocol). I started developing it with Tobias Fella a few years ago during the covid lockdown.

I learned about this workshop thanks to NLnet, who funded previous work on NeoChat (end-to-end encryption). They put Tobias Fella and me in contact with Jean-Luc Dorel, the program officer for NGI0 at the European Commission. I would never have imagined sitting in a conference room in Brussels thanks to my contribution to Open Source projects.

I work on NeoChat and other KDE applications as a volunteer in my free time, so I was a minor player at the workshop, but it was quite enlightening for me. I expected a room full of lawyers and lobbyists, which was partially true. A considerable number of attendees were people who were silent during the entire workshop, representing big companies and mostly taking notes.

Fortunately, a few good folks with more technical knowledge were also in the room, including people from Element/Matrix.org, XMPP, OpenMLS, the Open Source Initiative (OSI), NLnet, European Digital Rights (EDRi) and consumer protection associations.

The workshop consisted of three panels. The first was more general, and the latter two more technical.

Panel 1: The Scope, Trade-offs and Potential Challenges of Article 7 of the DMA

This panel was particularly well represented by a consumer protection organization, European Digital Rights, and a university professor, who were all in favor of the DMA and the interoperability component. Simon Phipps started a discussion about whether gatekeepers like Meta should be forced to also interop with small self-hosted XMPP or Matrix instances, or if this would only be about relatively big players. I learned that, unfortunately, while it was once part of the draft of the DMA, social networks are not required to interop. If Elon had bought Twitter earlier, this would have probably been part of the final text too.

From this panel, I particularly appreciated the remarks of Jan Penfrat from the EDRi, who mentioned that this is not a technical or standardization problem, and pointed out that some possible solutions like XMPP or Matrix already exist and have for a long time. There were also some questions left unanswered, like how to force gatekeepers to cooperate, as some people in the audience fear that they would make it needlessly difficult to interoperate.

After this panel, we had a short lunch, which was the occasion for me to connect a bit with the Matrix, XMPP and NLnet folks in the room.

Panel 2: End-to-End Encryption

This panel had people from both sides of the debate. Paul Rösler, a cryptography researcher, tried to explain how end-to-end encryption works for the non-technical people in the audience, which I think was done quite well. Next, we had Eric Rescorla, the CTO of Mozilla, who also gave some additional insight into end-to-end encryption.

Cisco was also there, and they presented their relative success integrating other platforms with Webex (e.g. Teams and Slack). This ‘interoperability’ between big players is definitely different from the direction of interoperability I want to see. But this is also a good example showing that when two big corporations want to integrate together, there are suddenly no technical difficulties anymore. Cisco is also working on a new messaging standard (which reminds me a bit of xkcd 927) as part of the MIMI working group of the IETF, which they have already deployed in production.

Next, it was the turn of Matrix, and Matthew Hodgson, the CEO/CTO at Element, showed a live demo of client-side bridging. This is their proposed solution to bridging end-to-end-encrypted messages across protocols without having to decrypt the content inside a third-party server. This would be a temporary solution; ideally, services would converge on an open standard protocol like Matrix, XMPP or something new. He pointed out that Apple was already doing that with iMessage and SMS. I found this particularly clever.

Last, Meta sent a lawyer to represent them. The lawyer was reading a piece of paper in a very blank tone. He spent the entirety of his allocated time telling the commission that interoperability represents a very clear risk for their users who trust Meta to keep their data safe and end-to-end encrypted. He ignored Matthew’s previous demo and told us that bridging would break their encryption. He also envisioned a clear opt-in policy for interoperability so that users are aware that this will weaken their security, and expressed a clear need for consent popups when interacting with users of other networks. It is quite ironic coming from Meta who, in the context of the GDPR and data protection, was arguing against an opt-in policy and against consent. As someone pointed out in the audience, while WhatsApp is end-to-end-encrypted, this isn’t the case for Messenger and Instagram conversations, which are both also products of Meta. The lawyer quickly dismissed that and explained that he only represented WhatsApp here and couldn’t answer this question for other Meta products. As you might have guessed, the audience wasn’t convinced by these arguments. Still, something to note is that Meta at least had the courage to speak in front of the audience, unlike other big gatekeepers like Microsoft, Apple and Google, who were also in the room but didn’t participate at all in the debate.

Panel 3: Abuse Prevention, Identity Management and Discovery

With Meta in the panel again, consent was again a hot subject of discussion. Some argued that each time someone from another server joins a room, each user should consent so this new server can read their messages. This sounds very impractical to me, but I guess the goal is to make interoperability impractical. It also reminds me very much of the GDPR popup, in which privacy-invading services try to optimize using dark patterns so that the users click on the “Allow” button. In this case, users would be prompted to click on the “Don’t connect with this user coming from this untrusted and scary third party server” button.

There was some discussion about whether it was the server’s role or the user’s role to decide whether to allow connections from a third-party server. The former would mean that big providers would only allow access to their service for other big providers and block access to small self-hosted instances. The latter would give users a choice. Another topic was the identifier. Someone from the audience pointed out that the phone numbers used by WhatsApp, Signal and Telegram are currently not perfect as identifiers, since they are not unique across services and might require some standardization.

In the end, the European Commission tried to summarize all the information shared throughout the day and sounded quite happy that so many technical folks were in the room and active in the conversation.

After the last panel, I went to a bar next to the conference building with a few people from XMPP, EDRi, NLnet and OpenMLS to get beers and Belgian fries.

Categories: FLOSS Research

Meet the 2023 candidates for OSI’s board

Open Source Initiative - Tue, 2023-03-07 03:00

The nominations for the Open Source Initiative board elections just closed, on March 6th. It’s time for voters to meet the candidates.

The OSI board of directors will renew three of its seats with an open election process among its full individual members and affiliates. We will be holding two elections:

  • Individual members will elect two directors
  • Affiliate organizations will elect one director

We encourage members to check out the list of Individual and Affiliate Candidates below. Read about their backgrounds and interest in serving on the board.

Each candidate page also features a comments section: OSI members can ask candidates about their plans, hopes, and views for the OSI (don’t endorse candidates there please).

Take advantage of the ability to ask questions as it’s the best way for you to learn about each candidate and what they hope to achieve as board members of the OSI.

Individual candidates:

Affiliate candidates:

Next steps

Voting opens this Friday, March 10. Individual full members and affiliate representatives will receive a ballot via email with instructions on how to vote. Only individuals who are Full Members at the time voting opens may vote in the Individual election. Only the official representative of the OSI Affiliates may vote in the Affiliate election, one vote per Affiliate. More details on the elections page.

Upcoming 2023 election schedule

  • March 10, 2023: Voting opens
  • March 20, 2023 (9AM PST): Voting closes and results announced within 5 days
    • if needed: March 28, 2023: close run-off elections, announce results
  • April 21, 2023: elected members take seats
Categories: FLOSS Research

Why Open Source should be exempt from Standard-Essential Patents

Open Source Initiative - Thu, 2023-03-02 09:00
With the European Commission soon to offer the Parliament a bill relating to Standard-Essential Patents (SEPs), it is worth taking time to understand exactly why vendors’ requirement that users negotiate before using the patents they have embedded in “open” standards is antithetical to Open Source practice.

The value and prosperity generated from Open Source arises from Open Source software licenses seamlessly and frictionlessly permitting anyone to use, modify, and redistribute the software for any purpose including monetization. When SEPs are licensed in such a way that bilateral negotiation with the licensors is a necessary element of software use, Open Source projects must necessarily avoid implementation of the associated standards to the extent that it is possible for them to do so. A requirement for bilateral, after-the-fact patent licensing is by definition not Open Source due to this introduction of licensing friction.

This is not a matter of ideology but of pragmatics. Open Source developer communities operate on the assumption that the intellectual property owners – including both copyright and patent owners – have granted in advance all necessary rights to enjoy the software in any field of use and in any way. SEPs licensed on bilaterally-negotiated terms break this model and thus are naturally avoided. Further, the tendency for such bilateral negotiations to have some form of non-disclosure agreement (NDA) as a prerequisite also prevents many communities from engaging with them, since, unlike companies, they do not have the mechanisms or resources to “firewall” NDA terms and thus routinely refuse NDAs.

Not all standards have SEPs, and not all SEPs require licensing on restricted terms. While some standards are encumbered by patents registered by contributors to the standards process, patents are not an essential or inherent aspect of standardization. As I explained for Open Forum Europe, some standards are developed in a sequence of activities that starts from a statement of requirements (“requirements-led”) while others are developed as a harmonization of existing industry implementation (“implementation-led”).

The requirements-led approach leads some standards development organizations (SDOs) to tolerate restricted licensing of included patented technologies due to the long lead-times in research and development investment by standards contributors. Despite this practice leading to barriers to entry in the resulting markets, tolerating SEP monetization appears a compromise that in many cases can be proportionate to the delayed monetization opportunity for participants. While negotiation-required (FRAND) licensing of these SEPs is desirable for the commercial entities consuming them, the bilateral negotiation with NDA-enforced privacy that results unwittingly erects a barrier to the normal practice of Open Source communities, where both restrictions on mere use and NDA requirements are anathema. As a consequence, standards of this kind are unwelcome in Open Source projects.

By contrast, the implementation-led approach frequently arises in circumstances where recovery of R&D costs is already in hand and patent monetization is not a proportionate compromise. As a result, projects developed under an implementation-led approach (such as at OASIS and W3C) frequently opt for the restriction-free (RF) subset of FRAND terms that results in a negotiation-free usage. As a consequence, standards of this kind do not conflict with the realities of Open Source community operation and are widely implemented as Open Source.

The Commission’s activities regulating SEPs and their licensing are a golden opportunity to also harmonize their standards strategy with their Open Source aspirations. In particular, standards organizations should be required to ask contributors at standards-inception whether a negotiation-required or a negotiation-free/royalty-waived subset of FRAND is appropriate for the resulting standard and develop the standard on that basis — with a default to waiving royalties. We wrote to the consultation by the Commission last May to explain.

This does not mean ending SEPs anywhere else, but there is no point tolerating the desire of certain dominant parties at SDOs to try to pretend Open Source can be defined as copyright-only so they can tax implementation outside their legacy domains. Trying to openwash encumbered standards may satisfy the peers of their bubble but it will simply chill progress and proliferate standards outside it as the market works around the obstacle. The only way forward is to respect the 17-year-old settled consensus and embrace OSI’s Open Standards Requirement.

Categories: FLOSS Research

ClearlyDefined gets a new community manager with a vision toward the future

Open Source Initiative - Tue, 2023-02-28 10:00

ClearlyDefined has a new community manager! Nick Vidal has joined the project hosted by the Open Source Initiative (OSI) that helps Open Source projects thrive by putting essential licensing data at teams’ fingertips. Vidal comes with 20 years of experience developing Open Source communities and will lead ClearlyDefined to its next phase. He previously served as the director of community and business development at the OSI and director of Americas at the Open Invention Network. Currently he is chair of the outreach committee of the Confidential Computing Consortium from the Linux Foundation.

Vidal joins the project as we celebrate its five year anniversary and the 25th anniversary of OSI. The goal of ClearlyDefined is to bring clarity around licenses and security vulnerabilities to Open Source projects. It provides a mechanism for harvesting available data about Open Source projects using tools such as ScanCode and FOSSology, and facilitates crowd-sourcing the curation of that information when ambiguities or gaps arise.

A lot has changed in the first years of ClearlyDefined, and we’re excited for what the future holds. The ClearlyDefined community has grown to include individuals from organizations such as Microsoft, SAP, Bloomberg, Qualcomm, HERE Technologies, Amazon, nexB, the Eclipse Foundation, and Software Heritage. Together, the community has successfully built a robust software system that is accessible through an open API. The number of definitions in ClearlyDefined has doubled year over year. With a redesigned UI, the data is displayed in a more user-friendly way, making it easier to understand and consume.

Even with all its growth, there’s a lot of room for further improvements as we look ahead to the next five years. Ever since the Log4Shell vulnerability, governments and organizations from around the world have come to realize the essential role Open Source plays in society, given its pervasiveness in the cloud, mobile devices, IoT and critical infrastructure. Clarity around licenses and security vulnerabilities of Open Source projects has become a key concern.

As community manager, Vidal will continue to grow a healthy community of individuals and organizations dedicated to tackling this community-wide concern. Projects ClearlyDefined will be collaborating with include OpenSSF’s Alpha-Omega, Core Infrastructure Initiative, OpenChain, SPDX, FOSSology, OSS Review Toolkit, Automating Compliance Tooling, Sigstore, Supply chain Levels for Software Artifacts (SLSA), Eclipse’s SW360, OWASP’s CycloneDX and OASIS’ Common Security Advisory Framework.

As we celebrate the triumph of Open Source software on its 25th anniversary, we must at the same time acknowledge the great responsibility that its pervasiveness entails. Open Source has become a vital component of a working society, and there’s a pressing need to bring clarity around licenses and security vulnerabilities to Open Source projects. With contributions from ClearlyDefined and the Open Source community at large, the future of Open Source is bright and clear.

The community support for ClearlyDefined over the past 5 years has been tremendous. We encourage and invite you to join us at GitHub and follow us on Discord and Twitter.

Categories: FLOSS Research

How OSI will renew its board of directors in 2023

Open Source Initiative - Tue, 2023-02-21 16:10

In the next few weeks, the OSI board of directors will renew three of its seats with an open election process among its full individual members and affiliates. There will be two elections in March, running in parallel:

  • The affiliate organizations will elect one director
  • Individual members will elect two directors
2023 elections timeline

The role of the board of directors

The board of directors is the ultimate authority responsible for the Open Source Initiative as a California public benefit corporation with 501(c)(3) tax-exempt status. The board’s responsibilities include oversight of the organization, approving the budget and supporting the executive director and staff in fulfilling the organization’s mission. The OSI isn’t a volunteer-run organization anymore, and the role of the directors has changed accordingly.

Each director is expected to be a counsel and a guide for staff rather than an active contributor. Directors should guide discussions, support the vision and mission of the organization, and advocate for the OSI. They’re also asked to support fundraising efforts in whatever way they feel comfortable.

The board is governed by the bylaws. Each board member is expected to sign the board member agreement. Depending on expertise and availability, directors are expected to serve on the active committees: the license, fundraising, standards and financial committees.

Candidates will be asked to share their ideas on how they’ll contribute to the vision and mission, and the 2023 strategic objectives.

The rules for how OSI runs the elections are published on our website. We’ll communicate more details in the coming weeks: stay tuned for announcements on our social media channels (Fediverse, LinkedIn, Twitter).

Are you a full individual member of OSI as of February 19th? Go ahead and nominate yourself.

Affiliate organizations will receive instructions via email.

Categories: FLOSS Research