Open Source Initiative

OSI is pleased to announce our 2023 Open Source Initiative License Clinic, an in-person event to be held April 4th in Washington D.C. This one day workshop will cover advanced topics on open source software licenses of interest to the US federal government as well as emerging issues such as the confluence of AI models, licenses and data.  

The workshop is in keeping with the Open Source Initiative’s (OSI) non-profit educational mission and has been created in collaboration with the D.C. legal and technology communities. The small and timely content-rich clinic offers an educational opportunity for attendees as well as an opportunity for the OSI to hear what’s top of mind for government practitioners.

The clinic is designed as a cross-industry, cross-community workshop for legal, contract, acquisition and program professionals who wish to deepen their understanding of open source software licenses, and raise their proficiency to better serve their organizations objectives as well as identify problems which may be unique to the government.  Presenters will include OSI board members (current and emeritus) and federal government practitioners.

Topics include Open Source 201, an Expert Panel Discussion: challenges, successes, best practices, operational policies, resources for federal practitioners; a briefing on the evolution of Supply Bills of Material (SBOM); AI/ML OSS tools, licenses and modern challenges; a primer on alternative license.

 Expert Panelists and Presenters: 

• Deb Bryant, OSI US policy director and board member emeritus
• Pam Chestek, founder Chestek Legal and OSI board director and License Committee chair
• Stefano Maffulli, OSI executive director
• Daniel Risacher, Department of Defense, Office of the CIO
• Luis Villa, co-founder and general counsel at Tidelift and OSI board director emeritus

The clinic is free to attend for OSI Professional Members and those with a .gov or .mil email address. Cost is $250 for general public.

Register now, seats are limited.

This Monday, I was in Brussels to attend a stakeholder workshop for the Digital Market Act (DMA) organized by the European Commission. For those who aren’t familiar with the DMA, it’s a new law that the European Parliament voted on recently and one of its goals is to force interoperability between messaging services by allowing small players the ability to communicate with users from the so-called gatekeepers (e.g., WhatsApp).

I attended this meeting as a representative of KDE and NeoChat. NeoChat is a client for the Matrix protocol (a decentralized and end-to-end encrypted chat protocol). I started developing it with Tobias Fella a few years ago during the covid lockdown.

I learned about this workshop thanks to NLNet, who funded previous work on NeoChat (end-to-end encryption). They put Tobias Fella and me in contact with Jean-Luc Dorel, the program officer for NGI0 for the European Commission. I would never have imagined sitting in a conference room in Brussels, thanks to my contribution to Open Source projects.

I work on NeoChat and other KDE applications as a volunteer in my free time, so I was a minor player at the workshop but it was quite enlightening for me. I expected a room full of lawyers and lobbyists, which was partially true. A considerable amount of attendees were people who were silent during the entire workshop, representing big companies and mostly taking notes.

Fortunately, a few good folks with more technical knowledge were also in the room. With, for example, people from Element/Matrix.org, XMPP, OpenMLS, Open Source Initiative (OSI), NlNet, European Digital Rights (EDRi) and consumer protection associations.

The workshop consisted of three panels. The first was more general, and the latter two more technical.

Panel 1: The Scope, Trade-offs and Potential Challenges of Article 7 of the DMA

This panel was particularly well represented by a consumer protection organization, European Digital Rights, and a university professor, who were all in favor of the DMA and the interoperability component. Simon Phipps started a discussion about whether gatekeepers like Meta should be forced to also interop with small self-hosted XMPP or Matrix instances, or if this would only be about relatively big players. I learned that, unfortunately, while it was once part of the draft of the DMA, social networks are not required to interop. If Elon had bought Twitter earlier, this would have probably been part of the final text too.

From this panel, I particularly appreciated the remarks of Jan Penfrat from the EDRi, who mentioned that this is not a technical or standardization problem, and pointed out that some possible solutions like XMPP or Matrix already exist and have for a long time. There were also some questions left unanswered, like how to force gatekeepers to cooperate, as some people in the audience fear that they would make it needlessly difficult to interoperate.

After this panel, we had a short lunch, and this was the occasion for me to connect a bit with the Matrix, XMPP and NlNet folks in the room.

Panel 2: End-to-End Encryption

This panel had people from both sides of the debate. Paul Rösler, a cryptography researcher, tried to explain how end-to-end encryption works for the non-technical people in the audience, which I think was done quite well. Next, we had Eric Rescorla, the CTO of Mozilla, who also gave some additional insight into end-to-end encryption.

Cisco was also there, and they presented their relative success integrating other platforms with Webex (e.g. Teams and Slack). This ‘interoperability’ between big players is definitively different from the direction of interoperability I want to see. But this is also a good example showing that when two big corporations want to integrate together, there are suddenly no technical difficulties anymore. Cisco is also working on a new messaging standard (which reminds me a bit of xkcd 927) as part of the MIMI working group of the IETF that they have already deployed in production.

Next, it was the turn of Matrix, and Matthew Hodgson, the CEO/CTO at Element showed a live demo of client-side bridging. This is their proposed solution to bridging end-to-end-encrypted messages across protocols without having to unencrypt the content inside a third-party server. This solution would be a temporary solution; ideally, services would converge to an open standard protocol like Matrix, XMPP or something new. He pointed out that Apple was already doing that with iMessage and SMS. I found this particularly clever.

Last, Meta sent a lawyer to represent them. The lawyer was reading a piece of paper in a very blank tone. He spent the entirety of his allocated time telling the commission that interoperability represents a very clear risk for their users who trust Meta to keep their data safe and end-to-end encrypted. He ignored Matthew’s previous demo and told us that bridging would break their encryption. He also envisioned a clear opt-in policy to interoperability so that the users are aware that this will weaken their security, and expressed a clear need for consent popups when interacting with users of other networks. It is quite ironic coming from Meta who, in the context of the GDPR and data protection, was arguing against an opt-in policy and against consent. As someone pointed out in the audience, while Whatsapp is end-to-end-encrypted, this isn’t the case for Messenger and Instagram conversations, which are both also products of Meta. The lawyer quickly dismissed that and explained that he only represented Whatsapp here and couldn’t answer this question for other Meta products. As you might have guessed, the audience wasn’t convinced by these arguments. Still, something to note is that Meta had at least the courage to speak in front of the audience, unlike other big gatekeepers like Microsoft, Apple and Google who were also in the room but didn’t participate at all in the debate.

Panel 3: Abuse Prevention, Identity Management and Discovery

With Meta in the panel again, consent was again a hot subject of discussion. Some argued that each time someone from another server joins a room, each user should consent so this new server can read their messages. This sounds very impractical to me, but I guess the goal is to make interoperability impractical. It also reminds me very much of the GDPR popup, in which privacy-invading services try to optimize using dark patterns so that the users click on the “Allow” button. In this case, users would be prompted to click on the “Don’t connect with this user coming from this untrusted and scary third party server” button.

There was some discussion about whether it was the server’s role to decide if they allow connection from a third-party server or the user’s role. The former would mean that big providers would only allow access to their service for other big providers and block access to small self-hosted instances. The latter would give users a choice. Another topic was the identifier. Someone from the audience pointed out that phone numbers used by Whatsapp, Signal and Telegram are currently not perfect as they are not unique across services and might require some standardization.

In the end, the European Commission tried to summarize all the information shared throughout the day and sounded quite happy that so many technical folks were in the room and active in the conversation.

After the last panels, I went to a bar next to the conference building with a few people from XMPP, EDRi, NlNet and OpenMLS to get beers and Belgian fries.

The nominations for the Open Source Initiative board of elections just closed, March 6th. It’s time for voters to meet the candidates.

The OSI board of directors will renew three of its seats with an open election process among its full individual members and affiliates. We will be holding two elections:

• Individual members will elect two directors
• Affiliate organizations will elect one director

We encourage members to check out the list of Individual and Affiliate Candidates below. Read about their backgrounds and interest in serving on the board.

Each candidate page also features a comments section: OSI members can ask candidates about their plans, hopes, and views for the OSI (don’t endorse candidates there please).

Take advantage of the ability to ask questions as it’s the best way for you to learn about each candidate and what they hope to achieve as board members of the OSI.

Individual candidates:

• Chris Aniszczyk
• Aeva Black
• Jim Jagielski
• Catharina Maracke
• Duane O’Brien

Affiliate candidates:

• Gael Blondelle (proposed by Open Forum Europe)
• Gabriele Columbro (proposed by Linux Foundation)
• Matt Jarvis (proposed by OpenUK)
• Anne-Marie Scott (proposed by Apereo Foundation)

Next steps

Voting opens this Friday, March 10. Individual full members and affiliate representatives will receive a ballot via email with instructions on how to vote. Only individuals who are Full Members at the time voting opens may vote in the Individual election. Only the official representative of the OSI Affiliates may vote in the Affiliate election, one vote per Affiliate. More details on the elections page.

Upcoming 2022 election schedule

• March 10, 2022: Voting opens
• March 20, 2022 (9AM PST): Voting closes and results announced within 5 days
  • if needed: March 28, 2022: close run-off elections, announce results
• April 21, 2022: elected members take seats

With the European Commission soon to offer the Parliament a bill relating to Standard-Essential Patents (SEPs), it is worth taking time to understand exactly why vendors requiring negotiations to use the patents they have embedded in “open” standards is antithetical to Open Source practice.

The value and prosperity generated from Open Source arises from Open Source software licenses seamlessly and frictionlessly permitting anyone to use, modify, and redistribute the software for any purpose including monetization. When SEPs are licensed in such a way that bilateral negotiation with the licensors is a necessary element of software use, Open Source projects must necessarily avoid implementation of the associated standards to the extent that it is possible for them to do so. A requirement for bilateral, after-the-fact patent licensing is by definition not Open Source due to this introduction of licensing friction.

This is not a matter of ideology but of pragmatics. Open Source developer communities operate on the assumption that the intellectual property owners – including both copyright and patent owners – have granted in advance all necessary rights to enjoy the software in any field of use and in any way. SEPs licensed on bilaterally-negotiated terms break this model and thus are naturally avoided. Further, the tendency for such bilateral negotiations to have some form of non-disclosure agreement (NDA) as a prerequisite also prevents many communities wanting to engage with them as unlike companies they do not have the mechanisms or resources to “firewall” NDA terms and thus routinely refuse NDAs.

Not all standards have SEPs, and not all SEPs require licensing on restricted terms. While some standards are encumbered by patents registered by contributors to the standards process, patents are not an essential or inherent aspect of standardization. As I explained for Open Forum Europe, some standards are developed in a sequence of activities that starts from a statement of requirements (“requirements-led”) while others are developed as a harmonization of existing industry implementation (“implementation-led”).

The requirements-led approach leads some standards development organizations (SDOs) to tolerate restricted licensing of included patented technologies due to the long lead-times in research and development investment by standards contributors. Despite this practice leading to barriers to entry in the resulting markets, tolerating SEP monetization appears a compromise that in many cases can be proportionate to the delayed monetization opportunity for participants.  While negotiation-required (FRAND) licensing of these SEPs is desirable for the commercial entities consuming them, the bilateral negotiation with NDA-enforced privacy that results unwittingly erects a barrier to the normal practice of Open Source communities, where both restrictions on mere use and requiring NDAs are anathemic antipatterns. As a consequence, the standards of this kind are unwelcome in Open Source projects.

By contrast, the implementation-led approach frequently arises in circumstances where recovery of R&D costs is already in hand and patent monetization is not a proportionate compromise. As a result, projects developed under an implementation-led approach (such as at OASIS and W3C) frequently opt for the restriction-free (RF) subset of FRAND terms that results in a negotiation-free usage. As a consequence, standards of this kind do not conflict with the realities of Open Source community operation and are widely implemented as Open Source.

The Commission’s activities regulating SEPs and their licensing are a golden opportunity to also harmonize their standards strategy with their Open Source aspirations. In particular, standards organizations should be required to ask contributors at standards-inception whether a negotiation-required or a negotiation-free/royalty-waived subset of FRAND is appropriate for the resulting standard and develop the standard on that basis — with a default to waiving royalties. We wrote to the consultation by the Commission last May to explain.

This does not mean ending SEPs anywhere else, but there is no point tolerating the desire of certain dominant parties at SDOs to try to pretend Open Source can be defined as copyright-only so they can tax implementation outside their legacy domains. Trying to openwash encumbered standards may satisfy the peers of their bubble but it will simply chill progress and proliferate standards outside it as the market works around the obstacle. The only way forward is to respect the 17-year-old settled consensus and embrace OSI’s Open Standards Requirement.

ClearlyDefined has a new community manager! Nick Vidal has joined the project hosted by the Open Source Initiative (OSI) that helps Open Source projects thrive by putting essential licensing data at teams’ fingertips. Vidal comes with 20 years of experience developing Open Source communities and will lead ClearlyDefined to its next phase. He previously served as the director of community and business development at the OSI and director of Americas at the Open Invention Network. Currently he is chair of the outreach committee of the Confidential Computing Consortium from the Linux Foundation.

Vidal joins the project as we celebrate its five year anniversary and the 25th anniversary of OSI. The goal of ClearlyDefined is to bring clarity around licenses and security vulnerabilities to Open Source projects. It provides a mechanism for harvesting available data about Open Source projects using tools such as ScanCode and FOSSology, and facilitates crowd-sourcing the curation of that information when ambiguities or gaps arise.

A lot has changed in the first years of ClearlyDefined, and we’re excited for what the future holds. The ClearlyDefined community has grown to include individuals from organizations such as Microsoft, SAP, Bloomberg, Qualcomm, HERE Technologies, Amazon, nexB, the Eclipse Foundation, and Software Heritage. Together, the community has successfully built a robust software system that is accessible through an open API. The number of definitions in ClearlyDefined has doubled year over year. With a redesigned UI, the data is displayed in a more user-friendly way, making it easier to understand and consume.

Even with all its growth, there’s a lot of room for further improvements as we look ahead to the next five years. Ever since the Log4Shell vulnerability, governments and organizations from around the world have come to realize the essential role Open Source plays in society, given its pervasiveness in the cloud, mobile devices, IoT and critical infrastructure. Clarity around licenses and security vulnerabilities of Open Source projects has become a key concern.

As community manager, Vidal will continue to grow a healthy community of individuals and organizations dedicated to tackling this community-wide concern. Projects ClearlyDefined will be collaborating with include OpenSSF’s Alpha-Omega, Core Infrastructure Initiative, OpenChain, SPDX, FOSSology, OSS Review Toolkit, Automating Compliance Tooling, Sigstore, Supply chain Levels for Software Artifacts (SLSA), Eclipse’s SW360, OWASP’s CycloneDX and OASIS’ Common Security Advisory Framework.

As we celebrate the triumph of Open Source software on its 25th anniversary, at the same time must acknowledge the great responsibility that its pervasiveness entails. Open Source has become a vital component of a working society and there’s a pressing need to bring clarity around licenses and security vulnerabilities to Open Source projects. With contributions from ClearlyDefined and the Open Source community at-large, the future of Open Source is bright and clear.

The community support for ClearlyDefined over the past 5 years has been tremendous. We encourage and invite you to join us at GitHub and follow us on Discord and Twitter.

In the next few weeks, the OSI board of directors will renew three of its seats with an open election process among its full individual members and affiliates. There will be two elections in March, running in parallel:

• The affiliate organizations will elect one director
• Individual members will elect two directors

2023 elections timeline The role of the board of directors

The board of directors is the ultimate authority responsible for the Open Source Initiative as a California public benefit corporation, with 501(c)3 tax-exempt status. The board’s responsibilities include oversight of the organization, approving the budget and supporting the executive director and staff to fulfill its mission. The OSI isn’t a volunteer-run organization anymore and the role of the directors has changed accordingly.

Each director is expected to be a counsel and a guide for staff rather than an active contributor. Directors should guide discussions, support the vision and mission of the organization, and advocate for the OSI. They’re also asked to support the fundraising efforts however they feel comfortable doing.

The board is governed by the bylaws. Each board member is expected to sign the board member agreement. Depending on expertise and availability, directors are expected to serve on the active committees: the license, fundraising, standards and financial committees.

Candidates will be asked to share their ideas on how they’ll contribute to the vision and mission, and the 2023 strategic objectives.

The rules for how OSI runs the elections are published on our website. We’ll communicate more details in the coming weeks: stay tuned for announcements on our social media channels (Fediverse, LinkedIn, Twitter.)

Are you a full individual member of OSI as of February 19th? Go ahead and candidate yourself.

Affiliate organizations will receive instructions via email.

I joined Javier Perez and Rod Cope of Perforce in a webinar entitled Open Source Trends to Watch in 2023 where we reviewed our 2022 predictions and laid out some new ones for 2023. To begin, our recap of last year’s predictions showed that we were on target with the trends we saw. There was:

• Increased demand for Open Source skills, impacted by the economy and the job market
• Greater awareness for Open Source security
• Widespread adoption of containers and Kubernetes
• Heightened awareness and application of ethical AI
• Inner source will no longer be a secret (bringing Open Source model to other areas of the business, making it easier to open source a project later)
• Positive, albeit slow, advancement in diversity and inclusion

Taking the time to review how accurate we were in our 2022 predictions, and reflecting on the trends emerging helps to inform what we see coming and continuing in 2023. The primary predictions we made for 2023 are outlined below.

Open Source security

Global initiatives are being established. In the US, the White House executive order of 2021 generated working groups from top global technologists that came together to create a 10-point plan. Budgets were invested to work this plan and we’ll begin to see results this year. The European commission created the Cyber Resiliency Act which is currently in discussion. China is also taking initiatives toward new security measures in Open Source. We predict that security investments will increase in 2023 and that the state of the economy opens up opportunities for more startups in this field to emerge.

Open Source strategies are maturing

Companies are paying more attention to aspects of their Open Source strategy such as security, licensing, influencing the direction of projects and building expertise within their teams. Maturing strategies are expanding to include the education of department leaders as well as engineers. We also see a huge push for best practices and adoption of Open Source in public administrations. The lack of skills is a gap that needs to be addressed in 2023.

The creation of Chief Open Source Officers

Executive oversight of Open Source initiatives and the related legal, political and licensing factors pertaining to this work is needed. We see the role of COSO emerging as a trend for 2023.

AI/ML in Open Source

Thanks to the explosion of AI and ML, new and surprising conversations are happening around the topics of data, licensing and the deployment of models. OSI has invested a lot in this topic through our AI Deep Dive series. We also see as a result more competition in the hardware space, and Open Source hardware is playing a role.

Lastly, Javier and Rod shared a few of the key findings from Perforce’s State of Open Source Survey:

• Organizations report adopting an Open Source strategy so they can contribute and help impact the direction of projects.
• There is growing adoption of replacements for end-of-lifed CentOS
• OpenSearch usage is increasing to meet ElasticSearch usage

It’s always fun to watch year after year how these predictions turn to trends. Security is still on the top of everyone’s minds, and that is fueling the other predictions such as more focused strategy and oversight within organizations, especially as more novel AI/ML technologies move more mainstream. If you’d like to watch the webinar and hear more about the momentum highlighted in this blog, you can find the recording here.

Webinar panelists:

Javier Perez, Chief Evangelist and Sr. Director of Product Management, Perforce

Rod Cope, CTO, Perforce

Stefano Maffulli, Executive Director, OSI

The Open Source Initiative moved the website on a new platform, a baby step to improving the list of Approved Licenses. This is a weird announcement as weird was the journey that took us to this point. Let me explain how this is just a milestone for more changes to come.

opensource.org is one of few sites on the internet with a high authority. To confirm that a license has been reviewed and approved as respecting the Open Source Definition, other sites like Wikipedia and search engines refer to OSI’s domain as an ultimate source. Besides licenses, also the minutes of board meetings and announcements published on opensource.org are of tremendous historical value for lawyers, developers, policy makers.

Over the years, dozens of volunteers kept adding material to the website: navigation elements, forms, pages, and blog posts without a unified vision nor unified style guides. Over time, like many websites, opensource.org has become confusing and with an aging design.

When I started as executive director of OSI, the first task on my to-do list was to modernize the website. I wanted to streamline the navigation, improve the content, add consistency to the license pages, and make sure that visitors would find new content as well as historical references. I would have not expected to find so many obstacles and new constraints.

Securing the website

As I started asking for quotes and guidance from experts, I discovered that the website was running on a self-hosted virtual machine with a single, wonderful volunteer maintaining the server. Second problem: the website was running on Drupal 7, which is on life support and upgrading to recent Drupal would require a complete rewrite of the website. There was no path to upgrade ‘in place’.

So the project to renew the website expanded its scope: secure the current site from disasters.

The cost of upgrading Drupal and moving to a fully managed installation proved to be unacceptable for our budget. Since going from Drupal 7 to Drupal 10+ required a full site redesign anyway, we asked the WordPress community if they could help.

We received a very generous response from Automattic: they offered their WP VIP team to design a new opensource.org and port the content from Drupal to WordPress. As OSI was running its board election in Q1 2022, the Automattic team gathered requirements and did a quick assessment.

Breaking the project in multiple steps

In Q2 we sketched a project plan that would give us a new opensource.org by the end of Q4 2022, at no cost.

As the development of the new website started, we decided to spin off the blog on WordPress and create a new minisite for the Deep Dive: AI online event, with the intention of merging those back into the main site once on WordPress.

The rough timeline for the website migration Laying the foundation for basic content improvements

Our priority was to sunset the self-hosted Drupal site as quickly as possible with a “lift-and-shift” of the pages to WP. We chose to avoid making radical changes to pages and navigation to speed up the process. We planned only three improvements:

• Lay the foundation for an improved list of licenses that have a similar appearance and the same set of metadata. Currently on Drupal we have a custom node type for “License” but not every license page uses it: some are simply Pages, others are type Blog, resulting in an inconsistent look. The new site has all the licenses in a Custom Post Type with metadata: Category, Version, Release Date, SPDX Identifier, License steward, Approval date, Link to Board minutes, Canonical URL, leaving space to add more details like tags. You can see it in action, with a dedicated search.
• Create workflows to help manage the board elections, simplifying the election process, build a list of current board members, history of candidates and alumni automatically. You can see this in action, too. And once elections start, you’ll see the rest.
• Improve how we keep the board meeting minutes. Board minutes contain a lot of relevant decisions, not only about license approvals. They should be standardized and searchable in the same place where the licenses are kept. You can partially see this in action with the minutes only until 2020. The most recent minutes are in the wiki and will be transferred.

Another unexpected roadblock

We discovered late in the project that we couldn’t take CiviCRM with us on the new hosting provider because its MySQL configuration didn’t have some necessary permissions. We should have found out earlier but we only discovered this in November 2022.

CiviCRM is how we handle membership, donations, newsletters, engagement with sponsors and donors and ultimately it’s the core of how we manage elections.  We faced the hard choice: delay the migration indefinitely in order to find a replacement for CiviCRM or build a workaround. We went for the workaround of running CiviCRM on a separate WordPress managed by DreamHost. We spent December ‘22 and January ‘23 getting members.opensource.org up and running with CiviCRM.

What comes next and how you can help

The content was simply lifted and shifted from Drupal to WordPress and many pages look exactly like that. License pages are missing metadata like its steward, or the SPDX identifier or they just look weird.

We’re looking for volunteers to sift through the board minutes and carefully check that the approved licenses have all the metadata available. We have a small budget to dedicate to this task, too. If you are or know someone who is obsessed with quality and passionate about good record keeping, please reach out.

Also, we know for sure that some pages may not look good and there may be broken links.  In general, if you find any issue on the new website, please file an issue.

At this point we’re enjoying not having to hope the virtual server wouldn’t crash over the weekend or that the old Drupal site would be vandalized. The new website is still a maze to navigate and relevant information is hard to find. We’ll address this in phase 2 of the project: the redesign.

The team at Automattic has been fantastic and we’re grateful for the donation of labor and free hosting. We now have a modern platform upon which we can build the next generation of OSI.

OSI to contribute to Digital Public Goods Alliance’s mission to address world’s most pressing economic challenges by furthering adoption of Open Source software

BRUSSELS – February 4, 2023–Today, the Open Source Initiative (OSI) announced it has joined the Digital Public Goods Alliance (DPGA) as a new member. The DPGA is part of the response to the United Nation’s call to end poverty, protect the planet and improve the lives and prospects of everyone, everywhere.  The announcement was made as part of the opening keynote at the Free and Open Source Developers Meeting (FOSDEM) and celebration of OSI’s 25 year anniversary.

The DPGA is a multi-stakeholder initiative with a mission to accelerate the attainment of the Sustainable Development Goals (SDGs) in low- and middle-income countries by facilitating the discovery, development, use of and investment in digital public goods. Digital public goods are Open Source software, open data, open AI models, open standards and open content that adhere to privacy and other applicable laws and best practices, do no harm by design and help attain SDGs.

“OSI is the leading voice advancing the policies and principles of Open Source globally,” said Stefano Maffulli, executive director of the OSI. “The OSI helps build a world where the freedoms and opportunities of Open Source software can be enjoyed by everyone, regardless of income and resources. The OSI supports institutions and individuals—from governments and corporations to local economies and individuals—working together to create communities of practice in which healthy Open Source ecosystems thrive. OSI’s work in championing software freedom goes hand in hand with DPGA’s mission.”

Lucy Harris, DPGA co-lead stated, “Welcoming the Open Source Initiative is a milestone for the Digital Public Goods Alliance. OSI’s role as steward of the Open Source Definition, and promoter of Open Source community-building, education and advocacy is of vital importance to digital public goods. The Open Source requirement is a cornerstone of the Digital Public Goods Standard, and OSI’s membership is a manifestation of that importance.”

“The DPGA is already making significant progress on aligning, coordinating and advancing the contributions of its many members and stakeholders, and OSI is eager to lend our advocacy and educational efforts to the cause as well,” said Deborah Bryant, US policy director for OSI. “Our licensing clinics for the public sector, our Deep Dive AI education series, and our State of the Source event—all designed as open content—are three initiatives that are perfectly aligned with the DPGA mission and will be included in the 2023 roadmap. We’re grateful for the opportunity to lend OSI’s expertise to DPGA members and leaders as Open Source software remains a critical strategy to the roadmap’s impact in the future.”

OSI’s work aligns with that of the DPGA in many ways, including these three OSI initiatives that will be included as part of the DPGA’s Annual Roadmap for 2023:

1. Open Source License Clinics (Public Sector): OSI will conduct license clinics in 2023 modeled after a successful clinic in 2012 to educate and prototype a replicable program for additional geographies. This will include emerging topics such as the use of data in AI models.
2. “Deep Dive AI” Education Series: AI training models are predominantly licensed as Open Source software; however, the training data is not necessarily open. It is imperative to foster a deeper understanding of how these elements work together, who may benefit and who may not. Last year OSI initiated its Deep Dive AI podcast series and online panel discussions to illuminate these issues. In 2023 OSI will host additional online conversations to drive awareness and understanding of AI, machine learning and deep learning.
3. State of the Source Summit: OSI produces an annual State of the Source Summit, a broad international platform to mark progress in the advancement of the use of Open Source and open collaboration.

To learn more about DPGA, visit https://digitalpublicgoods.net/ or email hello@digitalpublicgoods.net.

To learn more about the news and opinions of the OSI and its stakeholders, visit the OSI blog and sign up to receive the newsletter.

In 2022, we’ve seen a visible acceleration of interest in open source from governments around the world. Partially, this is due to the recognition that the public sector relies on Open Source for innovation and other benefits. At the same time, the tech sector is under pressure to help solve some of the most complex challenges facing society today, and Open Source is playing a role in this. 

This year we’re expecting to see an acceleration of public policy development in several areas that will affect Open Source such as software integrity (SBOMs,  cybersecurity), digital sovereignty (privacy, gatekeeper platforms) and artificial intelligence.

The good thing is that OSI started ramping up its Policy program in the second half of 2022 by retaining US policy expert Deb Bryant. Together with her European counterpart, Simon Phipps, we can tackle the most urgent tasks of 2023: The European Cyber Resiliency Act and its twin regulation in the US, plus a silent threat that will never hit the public eye.

The challenge for OSI is raising enough funds to expand the Policy program with a full time manager position and European press relations. OSI is uniquely positioned to represent the widest interests of the public, given its charitable nature.

If you’re interested in donating for OSI to expand its Policy program to educate US and European policy makers, please donate now.

Discuss this and other topics during OSI’s informal office hours on Fridays. 

Stefano Maffulli
Executive Director, OSI

PS At the end of 2022 we decided to discontinue tracking email open rates. Despite having a very high rate for our email communications, we came to the conclusion that our most valuable audience is unlikely to accept pixels in their email clients anyway. Because that metric is too imprecise, we don’t believe it’s worth tracking. Same fate for click-through rates: those can be counted precisely but they’re annoying and provide us limited value so we’re dropping them.

In this month’s Open Source Initiative Newsletter

• Membership campaign update
• 2022 in numbers
• Hold the date: Open Source License Clinic – April 4, 2023 – Washington DC
• What is the Cyber Resilience Act and why it’s dangerous for Open Source
• Sponsored blog posts
• Meet OSI staff and board members
• New and renewing sponsors announcements

Membership campaign update

Our 2022 membership campaign wrapped up on January 13th and it was a big success! We exceeded our goal of signing up 300 new and renewing members. We also gained a dozen new Professional Members – thank you to everyone who participated. We couldn’t do our work without your support.

Only with a strong and active member base can we continue in our role as the internationally recognized nexus of trust, the foundation for, and authority in open source software.
Governmental agencies rely upon non-profits such as the OSI, neutral in their financial interests and chartered to serve the public good by their very definition to shape public policy.

If you are currently a supporting member, please consider becoming a Professional member. Your $300 contribution helps the OSI defend the public interest in the venues that matter. It also supports our public policy program and staff who can translate and inform our community about crucial issues, like the European AI Act, the US AI Bill of Rights, and cybersecurity legislation.

Support the OSI today – become a Professional Member!

The 2023 State of Open Source Report confirms security as top issue

The Open Source Initiative and OpenLogic by Perforce collaborated to launch a global survey about the use of open source software in organizations. Read more.

Hold the date: April 4, 2023

OSI will conduct its second Open Source License Clinic on April 4, 2023 in Washington DC at the offices of OSI’s pro bono counsel DLA Piper.  As part of fulfilling its non-profit educational mission and in collaboration with the D.C. legal and technology community, a one day workshop will cover advanced topics on Open Source Licensing of interest to the US federal government as well as emerging issues such as the confluence of AI models, licenses and data.

The program is under development. Program moderators at this writing include Deb Bryant, OSI US policy director and board member emeritus; Pam Chestek, founder Chestec Legal and OSI board member and License Committee chair; Stefano Mafulli, OSI Executive Director; Luis Villa, co-founder and general counsel at Tidelift and OSI board member Emeritus.

As OSI members you’re the first to know! More program details will be available, along with registration, in February.  If you have any questions in the meantime please contact deb.bryant@opensource.org.

What is the Cyber Resilience Act and why it’s dangerous for Open Source

The Cyber Resilience Act (CRA) is an interesting and important proposal for a European law that aims to drive the safety and integrity of software of all kinds by extending the “CE” self-attestation mark to software. And it may harm Open Source. The proposal includes a requirement for self-certification by suppliers of software to attest conformity with the requirements of the CRA including security, privacy and the absence of Critical Vulnerability Events (CVEs). Read the full post.

Sponsored blog posts BigBlueButton provides access to quality education through Open Source

BigBlueButton is an Open Source virtual classroom started in 2007 by OSI sponsor, Blindside Networks. What differentiates BigBlueButton from other web conferencing platforms is that it’s designed for the education market. Read the full post.

Apache Cassandra community looks to the future: Watch for a new release, conference spring 2023

Apache Cassandra, created by Facebook in 2007 and subsequently offered as an Open Source project, is the world’s most scalable database. OSI sponsor DataStax is committed to working with the Open Source community to make Cassandra easier to use, adopt, and extend, building on its decade-plus maturity to solidify its position as the leading database for cloud-native applications. Read the full post.

Meet OSI staff and board members FOSDEM

Stefano Maffulli, Executive Director, Simon Phipps, Director of Standards, Deb Bryant, Director of Policy and many board members will be attending FOSDEM, February 4-5 in Brussels. 

State of Open Con 2023

OSI will have a table at the State of Open Con February 7-8 in London. If you plan to attend, please stop by and say hello! 

EU Open Source Policy Summit

Simon Phipps, Director of Standards, and Deb Bryant, Director of US Policy will be on a panel on February 3rd 2023:” Ducking Friendly Fire: How to Avoid Unintended Consequences to OSS in Lawmaking.”  

Software Heritage

The second annual symposium and summit on Software Heritage will take place on February 7th 2023, at UNESCO headquarters in Paris. Simon Phipps, Director of Standards, will be supporting their work.

SCALE 20x

OSI is looking for volunteers to help represent us by managing our table at SCaLE 20X that is happening Pasadena, CA, March 9-12, 2023. 

If you are planning to attend or would like to attend on OSI’s behalf, please let us know. We would be happy to provide you with a small reimbursement for travel and expenses.

We would be so grateful for your help. Please contact sponsors@opensource.org for more information.

Don’t miss Stefano Maffuli’s talk – Defining an Open Source AI

And a huge shoutout to all of our new and renewing sponsors

Supporter

• Sysdig

Renewing sponsors:
Community

• FindMyElectric 
• DrivenCoffee
• LoadView Testing
• CrossCompute

Partner

• m4ss
• O’Reilly Media
• CrowdSec 

Premier

• Google

Are you interested in sponsoring or partnering with the OSI? Contact us to find out more about how your organization can promote open source development, communities and software

The European Commission’s proposed Cyber Resilience Act (CRA) as drafted may harm Open Source, and perhaps all other non-industrial software.

There were 131 responses to the proposed text that the Commission has sent to the Parliament, including one from the Open Source Initiative. Of those, 18 responses – representing a significant proportion of Europe’s software industry – shared OSI’s concerns to some degree. Here are some sample points from the responses:

Open Source Foundations Open Source Initiative (OSI)

• “We recognise that the European Commission has framed an exception in recital 10 attempting to ensure these provisions do not accidentally impact Open Source software. However, drawing on more than two decades of experience, we at the Open Source Initiative can clearly see that the current text will cause extensive problems for Open Source software.”
• “OSI recommends further work on the Open Source exception to the requirements within the body of the Act to exclude all activities prior to commercial deployment of the software and to clearly ensure that responsibility for CE marks does not rest with any actor who is not a direct commercial beneficiary of deployment. Leaving the text as it is could chill or even prevent availability of globally-maintained open source software in Europe.”

Open Forum Europe (OFE — with OSI, Eclipse, APELL, CNLL, OSBA) 

• “Replacing the current general freedom to publish software with a new system that imposes a set of CRA requirements constitutes a significant disruption to open innovation in Europe. The current formulation of the CRA interferes with almost every software development model other than the case of a single company developing the entire code-base behind closed doors and making periodical releases. This model was common until the late 1990s, but much less so now.”
• “If a security vulnerability is discovered in software used in Europe, the liability and technical requirements of the CRA, in its current form, would place a hurdle in front of anyone in Europe working on a fix.”

The Document Foundation (LibreOffice)

• “On the other hand, the CRA ignores the security risks associated with files created by the software covered by the act itself, which can have even more devastating consequences (according to security expert Kaspersky Labs, in 2018, 70% of all malware worldwide was carried by documents created by the most widely used office suite).”
• “For the purposes of the Cyber Resilience Act, there is a real risk that software based on LibreOffice technology will be considered to be made in the course of a commercial activity, and thus subject to the legislation”

Vrijschrift.org

• “when defining a notion of commercial activity regarding open source software, the CRA provides examples of the creation and/or use of open source software that are typically understood as non-commercial but would fall under this definition of commercial activity”
• “This creates legal uncertainty for developers and is bound to result in a chilling effect on the very ecosystems that have often acted more responsibly, by and large, in dealing with security defects in their software than proprietary actors.”

NLNet Labs (with CZ.NIC, ISC, NetDEF)

• “While we applaud the efforts of the European Commission to enhance the cyber security of products with digital components, we fear that the CRA could create a series of unintended adverse consequences to the security and stability of Open Source Internet Infrastructure Software – and by extension to the Internet.”
• “We feel that the regulation as applied would impose disproportionate regulatory compliance burdens on developers and curators of “critical products” that will strain their existing capacity while failing to enhance the security or stability of this type of software”

Trade Associations Developers Alliance

• “It is important to preserve the incentives for software developers to contribute to open-source projects and to continue to utilize such resources and tools in their work, without the pressure of legal liability.”

RIPE NCC

• “RIPE community members pointed out that the current open-source ecosystem is a complex one in which there is often no clear distinction between commercial and non-commercial products, as product development is an ongoing process that builds upon itself with designs, technologies, standards and code being shared in myriad ways for myriad purposes. This rich interplay and open access are the very features of the open-source ecosystem that allow for innovation — and which strengthen resilience and security.”
• “It is our understanding that the CRA intends to cover any software and hardware product, and its remote data processing solutions, that is connected to the Internet (either logically or physically) and which is placed on the market as an independent product to be distributed for end use. In other words, it is our understanding that software that is connected to the Internet but is not placed on the market as a product with the aim to be distributed to end users — such as, for example, a customer portal — would not fall under the scope of the CRA. However, the proposal is not explicit about this point, and further clarity is therefore needed.”

ITI – Information Technology Industry Council

• “However, it is worth noting that there are many open-source projects that create products that could fall into most categories of critical software products, and open-source software is often incorporated into other products that are sold on the market. This could create uncertainty for open-source developers regarding their obligations related to conformity assessment. Legislators should seek to preserve incentives to develop and maintain open-source software by preventing any possibility that it could be classified as “commercial activity.””

DIGITALEUROPE

• “However, the recital’s broad interpretation of ‘commercial activity’ does not accurately reflect operational best practices, governance and licensing in an OSS context.”

Japan Business Council in Europe (JBCE)

• “There could be a significant imbalance between open-source ventures compared to commercial software counterparts, with open-source ventures developing very widely implemented software components, but often receiving a fraction of the commercial benefit that commercial software ventures would (when also including the same component). Considering that open-source also drives innovation and rapid advancement in almost all areas of critical products, it is necessary to include additional ringfencing around the specific CRA requirements for open-source products, including those used in “commercial activities” to avoid constraining or burdening essential open source activities and ultimately stifling open-source innovation and contribution within the European Union.”

Bitkom

• “Recital 10 excludes open source software that is not used in the course of a commercial activity but does not define the term or give details on how to assess the intended use and/or the determination of the intended use and/or a default category if no determination was done in advance.”

Eco

• “The definitions, while generally sound, are a matter of concern for the developers of open-source software, who see a lack of distinction between open-source software distributed on a not-for-profit basis and commercial software. eco recommends exploring the further implications and harmful effects for the development of open-source software for deployment in the market on a not-for-profit basis.”
• “The definition of “unfinished software” in Article 4(3) is not in line with the current status of product and software development. It specifically contradicts the premises and conditions for the deployment and use of open-source software. eco recommends further exploring the topic so as to avoid unintended detrimental effects on the European software industry.”

Corporations OpenXchange

• “the Act would discriminate against certain types of software and of software makers for which the main motivations are not economic, but that still generate some form of financial return to support the development of their code, and thus cannot be considered “non-commercial”. For example, this includes software developed by universities and public research centres, including some basic applications that make the entire Internet work; software developed by individual developers, mostly in their spare time; software that is meant to increase privacy and freedom of expression, such as encrypted communication apps, decentralized social media and anonymous browsers; and much more. To this regard, the weak exception for non-commercial open-source software is entirely insufficient to solve the issue.”

GitHub

• “However, the scope of “commercial activity” is unclear and risks bringing into scope activities that are not placing a product on the market per se.”
• “[paid] services and general financial support do not change the fact that these open source projects and developers are not placing software onto the market as a paid product.”
• “Annex I requires delivery “without any known exploitable vulnerabilities” but this risks an unobtainable objective, as manufacturers regularly learn of new vulnerabilities and make risk-based assessments on the need to prioritize fixes for timely delivery of product updates. … Similarly, the vulnerability handling requirements outlined in Annex I raise concerns. In particular, the requirement to “remediate vulnerabilities without delay” may undermine established practices of coordinated vulnerability disclosure and risk-based assessments from manufacturers on when to push and how to coordinate security updates”

Huawei

• “As currently drafted – perhaps unintentionally – the text targets  open-source not for profit foundations rather than targeting the organizations that leverage open source for commercial activity.”

Microsoft

• “There is ambiguity resulting from the intersection of OSS with “commercial activity,” both in the context of infrastructure and services provided to open source projects and with regard to activities that open source projects may pursue while building OSS.”
• “the infrastructure and services provided to open source projects should be out of scope, regardless of commercial status.”
• “Commercial services enabling the effective use of OSS, such as technical support and consulting services, should also be out of scope and not bring OSS offerings into scope.”

Sonatype

• “Specifically, various organizations, like Sonatype, maintain and make available FOSS free of charge as a benefit to the FOSS community (including through maintaining publicly accessible projects or repositories), while also charging for optional, ancillary services. The commercial activity qualifier as currently drafted could be read to eliminate the FOSS exemption for these organizations, which would leave them with an unenviable choice: either incur substantial costs and undertake significant effort to comply with the substance of the Regulation in maintaining free FOSS repositories, or shut down the public repositories (either altogether or just to entities originating from the EU).”

Some time ago the Open Source Initiative formed a working group to examine and improve the license review process. The stated purpose of the working group was to:

• Reevaluate the criteria for approving licenses, potentially setting different standards for licenses in use versus new licenses
• Reevaluate the process for considering licenses for approval, including whether the OSI should itself nominate licenses for approval
• Reevaluate the current categories for licenses, including how they are used and their usefulness
• Evaluate whether there should be a process for decertifying licenses, and what the process and standards would be for the process

The OSI has a parallel undertaking investigating how to improve the tooling that will be used for the license review process and also how to best serve the public in the ways we provide information about Open Source licenses. Although the tooling project and the work of the License Review Working Group are intertwined, the below conclusions of the License Review Working Group are focused on the requirements and policy that will inform the tooling project, but do not include the tooling project itself.

The License Review Working Group was originally scoped to discuss the delisting of licenses, but we did not reach the topic. It is a challenging subject because it means that the OSI first needs to learn who is using the licenses that may be considered for delisting and understand what effect it might have on them if their license undergoes a change in status. We therefore eliminated this topic from the mandate of this working group and recommend that it be taken up by a new working group dedicated to this subject alone.

Recommendations of the License Review Working Group for discussion.

Legacy licenses – A “legacy” license is one that has been in use for at least five years by more than twenty projects maintained by different unrelated entities.

New licenses – a “new” license is any license that is not a legacy license.

License submission process

We have received feedback that it is very difficult to navigate the review process because it is not clear the role of the license-review email list and its relationship to the OSI. License submitters do not know how much weight to give to the comments made on license-review. The OSI will provide more explanation for the public on the decision making process and in particular the role of the license-review list participants.

For all licenses, the submission process will:

• Require that the license submitter affirmatively state that the license complies with the Open Source Definition, including specifically affirming it meets OSD 3, 5, 6 and 9 (the points that historically have been more problematic).
• Identify what projects are already using the license, if any.
• Ask for the identity of the license steward, if known. The OSI will try to get in touch with the license steward if the license submitter is not the steward.
• Provide any additional information that the submitter believes would be helpful for license review. For example, approval of the license by Debian, the FSF or the Fedora Project would be relevant to the review process.
• Provide a unique name for the license (preferably including the version number)
• Identify any proposed tags for the license (see below regarding tagging).

For new licenses, the license submitter will also

• Describe what gap not filled by currently existing licenses that the new license will fill.
• Compare it to and contrast it with the most similar OSI-approved license(s).
• Describe any legal review the license has been through, including whether it was drafted by a lawyer.
• Provide examples of others’ potential use of the license to demonstrate that it is not a license that is uniquely usable only by the license submitter.

In both categories, approval of a similar license in the past does not bind the OSI to approval of a newly submitted license.

License approval standards New licenses

In addition to meeting the OSD, the following standards apply to new licenses:

• The license must be reusable, meaning that it can be used by any licensor without changing the terms or having the terms achieve a different result for a different licensor.
• The license does not have terms that structurally put the licensor in a more favored position than any licensee.
• To the extent that any terms are ambiguous, the ambiguity must not have a material effect on the application of the license.
• It must be grammatically and syntactically clear to a speaker of the language of the license.
• Every possible variation of the application of the license must meet the OSD.
• It must be possible to comply with the license on submission. As an example, given the scope of copyleft in the SSPL, it is not a license that anyone currently would be able to comply with.
• The license must fill a gap that currently existing licenses do not fill.

Legacy licenses

The license must meet the OSD. No suggestions for changes to the text of legacy licenses will be considered. The license will be approved, or not, as written. The historical context of the license and the common understanding of its meaning will be considered when deciding whether it can be approved.

License categories

The Working Group has decided that the current categorization system of popular licenses and all approved licenses, adopted to prevent license proliferation, was very beneficial when it was adopted but is no longer needed for the purpose. Rather than continuing the current categorization of licenses, the OSI plans to adopt a tagging system for licenses. These tags will aid third parties in identifying licenses suitable for their use case. The OSI intends to crowdsource volunteers for both creating a list of tags and adding the tags to the licenses and will be seeking volunteers for that task as the next stage of the project.

In order to continue the success of the anti-proliferation work, the License Review Working Group proposes, in addition to tagging, three categories of licenses:

• Rejected. This category is for licenses that have been considered and rejected.
• Approved. This category is for licenses that meet the minimum standard to be an OSI-approved license.
• Preferred. This is conceptually what the category “popular and widely-used or with strong communities” was designed to fill. The intent is that this category will be objectively created from data using adoption metrics and also a quality filter that is tagging-based. For example, a required forum provision in a license is not a disqualifier, but it is disfavored. A license with a required forum provision might not pass the filter.

Work that the OSI will not undertake

The OSI will not recommend licenses, other than categorizing as above, and will not try to provide advice on what licenses should be adopted for any particular use case. It would require resources that the OSI does not have to create and maintain this complex information. It is also an area that generally requires the services of lawyers or open source advisors, who can engage more deeply with projects or companies in order to provide them with advice specific to their needs and desires

To collect feedback on this proposal, we’re going to use annotations on the wiki. You will need to register to leave a comment. Highlight the text, hit CTRL-M, type your comment, save the annotation. More information on Xwiki help. The OSI will keep the discussion open for four months.

For the second year in a row, the Open Source Initiative and OpenLogic by Perforce collaborated to launch a global survey about the use of Open Source software in organizations. We drew hundreds of responses from all over the world, and once again, the results are illustrative of the Open Source space as a whole, including use, adoption, challenges, and the level of investment and maturity in Open Source software. 

The 2023 State of Open Source Report presents key usage, adoption, and trend data that paints a complete picture of Open Source software in organizations today. The report also includes a breakdown of the most important technologies by category, and across demographics and firmographics. 

The world of technology is constantly changing, and it can be hard to stay up to date on the latest software. The report features more than 160 of the most popular Open Source technologies and tools, as well as insights into how organizations are investing in Open Source and the most desirable technologies.  

We encourage you to read sections of interest or the whole report, which covers every major category including Linux distributions, infrastructure software, cloud-native, programming languages and runtimes, frameworks, data technologies, SDLC and build tools, automation and configuration tooling, and of course, CI/CD. 

Some of the key findings: 

• Open Source continues to grow in prominence; 4 in 5 survey respondents, a whopping 80%, indicated that they increased the use of Open Source software in their organizations in the past year, with 41% reporting a “significant” increase.  
• Open Source technologies play an integral role in all types of operations. Respondents listed Linux, Apache HTTP, Git, Node.js, WordPress, Tomcat, Jenkins, PHP, and NGINX as the most business-critical software for their organizations.  
• Container technology and software development lifecycle (SDLC) tools ranked as the most used technologies. Container and container orchestration jumped from 18% to 33% of respondents’ usage, and they also received the highest amount of investment by organizations. 
• Cost reduction is no longer a key reason for Open Source adoption. In the 2022 report, the lack of license cost and overall cost reduction was the second most common reason for using Open Source, but this year it has dropped to ninth place.  
• The top Open Source adoption driver remains access to innovations and the latest technologies, illustrating how users value being on the cutting edge and see this as a competitive advantage. Organizations also choose Open Source due to the ability to contribute to, and influence the direction of, projects.  
• Security is top of mind. Maintaining security policies or compliance is the top support challenge for organizations using Open Source. Over 46% of organizations are performing security scans to identify vulnerabilities. 
• Technical support is needed for installations, upgrades, and configuration issues. Notably, personnel experience and proficiency again this year is highly ranked as a support concern across organizations of all sizes.  
• End-of-life (EOL) Open Source software remains in organizations for a long time. Nearly 12 months after AngularJS became EOL, 15% of organizations are still using it, the exact same percentage we saw in the 2022 report. In larger organizations, it’s up to 20%. As expected with EOL CentOS Linux, there was a decline in usage; it’s now at only 15.14%, while CentOS Stream and Rocky Linux became more widely adopted.  
• 36.79% of organizations contribute to Open Source, which includes contributions to projects or to organizations (code or other activities). This is a 5% increase from last year, so it’s trending in the right direction and is a good sign for many communities. 
• Over 25% of respondents in most industries are generating software bill of materials (SBOMs). Retail, government, banking, insurance, and financial services lead this category with the highest implementation of SBOM generation. 
• OSI’s membership has grown over the last year; 17% of respondents already sponsor OSI. We are encouraged by growing community participation and excited for all upcoming OSI initiatives and events in 2023. 

The 2023 State of Open Source Report clearly demonstrates how many organizations are moving from being merely consumers to engaging with Open Source communities and gaining expertise in full technology stacks. In some cases, they are even becoming leaders — driving and influencing the direction of new projects. Be sure to download the report and stay tuned for more content, analysis, and webinars in the coming weeks and months from OSI and OpenLogic by Perforce! 

The Cyber Resilience Act (CRA) is an interesting and important proposal for a European law that aims to drive the safety and integrity of software of all kinds by extending the “CE” self-attestation mark to software. And it may harm Open Source. The proposal includes a requirement for self-certification by suppliers of software to attest conformity with the requirements of the CRA including security, privacy and the absence of Critical Vulnerability Events (CVEs).

OSI has submitted the following information to the European Commission’s request for input on its proposed Cyber Resilience Act text.

We recognise that the European Commission has framed an exception in recital 10 attempting to ensure these provisions do not accidentally impact Open Source software. However, drawing on more than two decades of experience, we at the Open Source Initiative can clearly see that the current text will cause extensive problems for Open Source software. The problems arise from ambiguities in the wording and a framing which does not match the way Open Source communities actually function and their participants are motivated.

First, for those distributing software as a community function to confidently rely on the exclusion, this absolutely must be inserted as an article and the “should” must be changed to “shall”.

Second, since the goal is—or should be—to avoid harming Open Source software, which the European Commission is working hard to support, this goal should be stated at the start of the paragraph as the rationale, replacing the introductory wording about avoiding harm to “research and innovation” to avoid over-narrowing the exception.

Thirdly, the reference to “non-commercial” as a qualifier should be substituted. The term “commercial” has always led to legal uncertainty for software and is a term which should not be applied in the context of open source as specific commercial uses of open source projects by some users are frequently disconnected from the motivations and potential compensation of the wider community of maintainers. The software itself is thus independent of its later commercial application.The problem is not the lack of a taxonomy of “commercial”, it is the very act of making “commercial” the qualification rather than, for example, “deployment for trade”. Thus adding a taxonomy of commerciality is not a solution. OSI would be pleased to collaborate over better approaches to qualifying an exception.

To illustrate the concern our community feels, we wish to highlight an analysis by OSI affiliate Eclipse Foundation, based in Brussels. While they note that, with staff and financial resources, they are “in a better position than most” to deal with such requirements, they conclude that “we fear that the obligations set forth by the legislation will cripple the Eclipse Foundation and its community.”

OSI’s recommendation

The Open Source Initiative assumes the Act is not intended to negatively impact the communities that make Open Source software or burden the non-profit foundations that support them.

Therefore OSI recommends further work on the Open Source exception to the requirements within the body of the Act to exclude all activities prior to commercial deployment of the software and to clearly ensure that responsibility for CE marks does not rest with any actor who is not a direct commercial beneficiary of deployment. Leaving the text as it is could chill or even prevent availability of globally-maintained open source software in Europe. We also support the more detailed analysis we have co-signed with Open Forum Europe.

BigBlueButton is an Open Source virtual classroom started in 2007 by OSI sponsor, Blindside Networks. What differentiates...

Apache Cassandra is getting ready for its 5.0 release in spring 2023, together with the Cassandra Summit. Register now.

As I’m closing out my first full year as executive director of the Open Source Initiative, I’m amazed by what our small team has accomplished. I’m proud to end the year with a solid 20% growth in revenue from sponsors and an even more impressive increase of the total number of corporate sponsors, to a whopping 51 up from 36 last year! 

But it’s individual members like you who make a difference. The OSI is a charity organization, which means that we always serve the public interest, not corporate sponsors. 

We’re running an end-of-year campaign: you can donate, join as a supporting member or at a professional level if you can afford to donate more.

Your contributions help strengthen the voice of Open Source communities, bolstering representation by an organization independent of corporate influence and with an international perspective.  

We started the year with the objective of putting OSI back in the spotlight of conversations about Open Source and open standards. The investment paid off, with 17 interviews published in publications ranging from Marketplace, Venturebeat to ZDNet and more.

2023 will be a challenging year, with a lot of legislation in Europe and the U.S. hitting the negotiating tables. We’re already working with our Affiliates on the EU Cyber Resilience Act and the US Securing Open Source Software Act. 

More challenges are on the horizon, with legislation about artificial intelligence on both sides of the Atlantic. Open Source is under similar scrutiny in other parts of the world, too. We coordinate with our Affiliate organizations worldwide to monitor those efforts and support their action locally.

In 2023 we will need your help and support – as well as joining in to celebrate the OSI’s 25th anniversary. 

I hope you enjoy this time of the year, spending time with family and friends.

If you missed our series and have some downtime over the break, be sure to check out: 

• Deep Dive: AI podcast series
• Watch the recordings of the panel sessions

Stefano Maffulli
Executive Director, OSI
Follow me on Mastodon

I’ll be taking a short break, but I’m looking forward to chatting with you during informal office hours on Fridays, starting up again on Fridays in 2023.

In this month’s newsletter:

• Engagement on policy & standards
• How the OSI got to Mastodon
• Open Source software started in academic circles, and AI is not different.
• The Fediverse unlocks a world of composable distributed apps
• You take a survey, OSI gets a donation
• Notable Open Source news
• Thanks to our new and renewing sponsors
• Where to meet OSI staff and board members next

Engagement on policy & standards

Deb Bryant gave a talk on “Formalizing Mentorship for Community Health and Professional Growth” at the Linux Foundation Member Summit in the US in early November. The focus was on strengthening the open ecosystem by supporting contributor growth, reducing project burnout, and providing constructive opportunities for companies to contribute to upstream projects. As an invited speaker, she also attended Justin Colannino and Luis Villa’s popular talk, “Are ML Models the New Open Source Projects?” which discussed software licenses, data in training models, and policy discussions. Security in the software industry was also a hot topic among attendees.

A lot of legislative change is coming in Europe, and OSI has been engaging to advocate for Open Source developers. Simon Phipps represented OSI at the bi-annual General Assembly of ETSI, a wireless standards body. He also participated in a European Commission panel on promoting sustainability of Open Source and spoke at two European conferences about the challenges posed by software patents in formal standards. OSI will continue to engage in January over the Cyber Resilience Act and other topics.

You can follow Deb Bryant and Simon Phipps’ work on US and EU-related policy in brief by subscribing to the OSI public-policy mailing list.

The OSI on Mastodon

We’ve got a new official social media channel for the Open Source Initiative on Mastodon. We’ve been working to get a proper, authenticated home in the Fediverse for several months and hope you’ll join us there! Follow OSI on Mastodon. Read the full story of how OSI got on the Fediverse.

Open Source software started in academic circles and AI is not different

Check out our fourth panel discussion on AI, focusing on how academics are sharing datasets and models: What do they need to be able to replicate experiments and improve on their knowledge? What legal obstacles do they find? What social norms prevent collaboration? Full video and transcript on Voices of Open Source.

The Fediverse unlocks a world of composable distributed apps

There’s more to Mastodon than just replacing Twitter. Read all about it on Simon Phipps’ opinion piece.

Take a survey – Raise $$ for OSI

The team at Uffizzi is running a survey to inform an open report on how the software community is thinking about on-demand Preview Environments.

For each completed survey, they’ll donate $5 to the OSI. The survey is completely anonymous and participation is voluntary. Take the survey now!

OSI in the news

In case you missed it, the OSI was featured in this article:

• An article on Marketplace, about Mastodon and federated social networks, with comments by OSI’s executive director on the challenges to moderation on the Fediverse.

And a huge shoutout to all of our new and renewing sponsors New

• Bright Star Systems – Partner level

Renewing

• Lex Pan Law, LLC
• Cisco Systems

Are you interested in sponsoring or partnering with the OSI? Please see our Sponsorship Prospectus. Contact us to find out more about how your organization can promote open source development, communities and software

Where to meet OSI staff and directors

Conferences are back! Our 2023 travel plans start with:

• FOSDEM, Feb 4-5 in Brussels
• State of Open Con, London, Feb 7-8

The post 2022 is almost over, welcome 2023! first appeared on Voices of Open Source.

There’s more to Mastodon than just replacing Twitter. ActivityPub has the potential to end the reign of monetized surveillance with a switch to user-owned applications.

The post The Fediverse unlocks a world of composable distributed apps first appeared on Voices of Open Source.

Together we can make a difference – become an OSI member today. Only with a strong...

The post Start the holiday season by becoming a member of the Open Source Initiative. first appeared on Voices of Open Source.