The European Commission recently published a public draft of the standards request associated with the Cyber Resilience Act (CRA). Anyone who wants to comment on it has until May 16, after which comments will be considered and a final request to the European Standards Organisations (ESOs) will be issued. This process is all governed by regulation 2012/1025, of which more in a future post.

This development is important for every entity that will have duties under the CRA (“manufacturers” and “software stewards”). Conformance with the harmonised standards that emerge from this process will allow manufacturers to CE-mark their software on the presumption it complies with the requirements of the CRA, without taking further steps.

For those who depend on incorporating or creating open source software, there is an encouraging new development found here. For the first time in a European standards request, there is an express requirement to respect the needs of open source developers and users. Recital 10 tells each standards organisation that

“where relevant, particular account should be given to the needs of the free and open source software community”

and that is made concrete in Article 2 which specifies:

The work programme shall also include the actions to be undertaken to ensure effective participation of relevant stakeholders, such as small and medium enterprises and civil society organisations, including specifically the open source community where relevant

and that requirement is made concrete in article 3 which requires proof that effective participation has been facilitated. The community is going to have to step up to help the ESOs satisfy these requirements – or have corporates masquerading as community do it instead.

Notes, Tags and Mentions

• #Policy #CRA #OpenSource #FreeSoftware #SoftwareFreedom

Follow @webmink@the.webm.ink to be informed of new posts. To discuss this post please reply from Mastodon etc. (search for the URL) & include @webmink@meshed.cloud as WriteFreely still doesn't display replies. More.

The definition of “open source” in the most recent version (article 2(48)) of the Cyber Resilience Act (CRA) goes beyond the Open Source Definition (OSD) managed by OSI. It says:

“Free and open-source software is understood as software the source code of which is openly shared and the license of which provides for all rights to make it freely accessible, usable, modifiable and redistributable.”

The addition of “openly shared” was a considered and intentional addition by the co-legislators – they even checked with community members that it did not cause unintended effects before adding it. While open source communities all “openly share” the source code of their projects, the same is not true of some companies, especially those with “open core” business models.

For historical reasons, it is not a requirement either of the OSD or of the FSF's Free Software Definition (FSD) and the most popular open source licenses do not require it. Notably, the GPL does not insist that source code be made public – only that those receiving the binaries must be able to request the corresponding source code and enjoy it however they wish (including making it public).

For most open source projects and their uses, the CRA's extra requirement will make no difference. But it complicates matters for companies that either restrict source availability to paying customers (such as Red Hat) or make little distinction between available and non-available source (such as ForgeRock) or withhold source to certain premium elements.

A similar construct^{1} is used in the AI Act (recital 102) and I anticipate this trend will continue through other future legislation. Personally I welcome this additional impetus to openness.

Notes, Tags and Mentions

• #CRA, #OpenSource, #Policy, #Europe, #FreeSoftware, #SoftwareFreedom
• {1} The mention in the AI Act has a different character to that in the CRA. In the AI Act it is more narrative, restricted to a recital and is a subset of attributes of the license. In this form it actually refers to virtually no OSI-approved licenses. In the CRA the wording part of the formal definition in an Article, so much more impactful, and adds an additional requirement over the basic requirements of licensing.

Follow @webmink@the.webm.ink to be informed of new posts. To discuss this post please reply from Mastodon etc. (search for the URL) & include @webmink@meshed.cloud as WriteFreely still doesn't display replies. More.

I did ask a few of the speakers this question and they seemed slightly bemused by it. The most stupid answer was someone who should know better saying Europe had spent all its energy on regulation and none of it on innovation – you may guess that was someone from the merger industry!

It's not like Europe has never had big tech. The dominant technologies in mobile phones arose from a European context and I can think of several other examples of world-monopolising technologies which have arisen in Europe in previous generations. I don't think it's overregulation either, although I defer to subject experts on that.

What I do wonder is whether the legacy big tech of the mobile & consumer electronics industries has resulted in the regulatory capture of European standards by the winners of that event, and that has led to the stifling of each new technology wave as it has commenced in Europe. What innovation has happened has then moved elsewhere to avoid the problem, usually by acquisition.

#Notes #Policy #BigTech

Follow @webmink@the.webm.ink to be informed of new posts. To discuss this post please reply from Mastodon etc. (search for the URL) & include @webmink@meshed.cloud as WriteFreely still doesn't display replies. More.

So people mostly defer to the OSI Open Source Definition, which is not designed for that purpose. This post considers three different ways to consider open source — knowing it when you see it, knowing it by its goals and knowing it by summarising its mechanism — and includes a recital-ready definition of open source for use in legislation that embodies the global consensus of its meaning.

Ultimately software freedom is a matter of personal liberty. Whether you describe it as “open source” or “free software”, the goal is for each individual user of software to be self-sovereign in their software and data. Any definition of open source needs to feed that confidence rather than create uncertainty by empowering control-points and gatekeepers. A precise definition has proved very hard — most attempts require some form of gatekeeper authority that ironically kills stochastic confidence.

The Open Source Definition (OSD) which OSI administers is a clever benchmark for evaluating whether licenses grant open source software freedoms. Rather than define open source precisely, it follows the “know it when you see it” principle and describes the attributes of a license that delivers software freedom. By doing so, it evades many rhetorical games. Community comparison of licenses against the OSD as a benchmark, together with OSI's role facilitating and memorialising rather than gatekeeping, has led to the overwhelming success of open source over the last 25 years.

But sometimes — increasingly often — we need a summary phrase in a recital that defines the mechanism of open source. It's important we offer text that does so in a way that reflects the expectation of the global community of communities who use “open source” as a term-of-art. Locally-sourced “definitions” are frequently incomplete, or focus on licensing as an end rather than a means, or serve the agenda of groups seeking to fragment or even subvert the community.

Ideally we would say that “open source software is software released under an OSI-approved license.” This definition would perfectly encapsulate the global consensus without creating any new “games” to be played. But we have found that governments do not want to make normative references to any organisation they cannot control. OSI is an independent, global, public charity so certainly cannot be controlled!

I believe this phrase expresses almost the same idea without mentioning an organisation:

Open source software is software released under a license that — by broad community consensus — grants all rights necessary to use, adapt, share and monetise the software in any way and for any purpose subject only to conditions that can be reasonably satisfied without negotiation with the licensors.

In spite of all this, I still think it is better to embrace all three lenses — reference the OSD and the community consensus process OSI crystallizes, state the goals and summarise with the summary phrase — if you are able to do so.

Rationales

I'll be pleased to have suggestions that improve this phrase without making it significantly longer or more complex. If you're going to try improving it, here's why I've used each element:

• “under a license” (everything that arises in open source depends on having the rights to do them, so having a license is at the root of software freedom)
• “all rights necessary” (there is no carve out hiding, no unexpected obstacles from IPR)
• “use, adapt, share and monetise” (the heart of the four freedoms – “adapt” suggested to include subsetting and other changes beyond improvement)
• “in any way and for any purpose” (competition is permitted, the author's business is not excluded and uses unrelated to the original intent is allowed. Dropped “Share” as it is implied and allowed both by “use” and “adapt”, and merged “share original” and “share modified” just into “share”)
• “community consensus” (This anchors the definition in an authority without empowering a gatekeeper or normatively referencing a non-EU party. It actually also empowers Debian and Fedora which also have community processes for license approval.)
• “conditions” (not to be confused with restrictions that demand negotiation to waive – all open source licenses are permissive.
• “without negotiation” (since communities can't negotiate terms – this is a superset that includes both “royalty-free” and “no NDA”).
  

Tags, Notes and Mentions

• #OpenSource #Policy
• @osi@opensource.org @EC_OSPO@social.network.europa.eu
• Concerning the validity of copyleft clauses as open source, see my old essay on the subject.

Follow @webmink@the.webm.ink to be informed of new posts. To discuss this post please reply from Mastodon etc. (search for the URL) & include @webmink@meshed.cloud as WriteFreely still doesn't display replies. More.

The CRA rightly addresses the need for commercial suppliers to protect their customers from exploits and cyber attacks. But by incorrectly assuming that Dirk Riehle's terminology calling single-company projects “commercial open source” means it's possible to use the “commerciality” of an application to distinguish single-company activity from community projects, and by using the concepts of proprietary software to then define boundaries, legislators have exposed the open development of software itself to the regulations rather than just the for-profit use of open source artifacts in the marketplace.

There will be no escape from this for European projects like the Eclipse Foundation, but projects outside Europe — especially smaller projects — may just decide to erect geo-blocks and not deliver their work to European IP addresses. CRA-motivated geo-blocks start with not being able to know what to do without seeking legal advice, and even then being told “maybe” and still left to decide yourself.

One response when I raised this was to say that the European Union is a massive and valuable market and projects would not risk being excluded from it by geo-blocking. But this argument ignores the fact that just because Alice deploys some code profitably in Europe, it doesn't mean Bob in Nebraska will share in the profit even though he wrote it, whether he's in business or not where he lives. Open source licenses do not create a relationship over which financial reward is guaranteed.

Geo-blocks have happened before. Many small global publications block access from the EU rather than resolve legal uncertainties with GDPR, but the risk of CRA-related geoblocks is much more consequential because reading those sites is optional whereas much open source software maintained internationally is woven into the fabric of Europe's infrastructure.

In addition, those avoiding evaluating their GDPR responsibilities (or evading them after evaluating them) are likely to fear compliance will impact the benefit they gain from surveillance advertising, while for open source developers the perceived risk is of being the target of a punitive bureaucracy for failing to complete paperwork that adds nothing to their work.

If the confusion persists, open source projects will need to thoughtfully consider how to proceed. Disentangling dependencies that choose to pragmatically block Europe will be traumatic; should they be forked or substituted? Things could get very messy. Let's hope the co-legislators see sense, finally talk to the open source community and address the issues.

Notes, Tags and Mentions

• #CRA #OpenSource #Europe #Policy
• @EclipseFdn@mastodon.social @dirkriehle@hachyderm.io

Follow @webmink@the.webm.ink to be informed of new posts. To discuss this post please reply from Mastodon etc. (search for the URL) & include @webmink@meshed.cloud as WriteFreely still doesn't display replies. More.

The European Commission draft of the CRA purported to exclude open source from the scope of the new law throughout community development until it was made available on the market commercially — its author said as much at FOSDEM 2023. This is a good thing as it would be harmful to open source development if merely developing software in the open became subject to regulation — I have written previously about the mistaken use of a proprietary-software frame. However, as drafted the Act has substantial apparent inaccuracies and oversights that would probably lead to regulation of developers pre-market.

Consequently many practitioners have asked those considering the Act to correct these defects. It is proving very challenging, because originally the CRA only applied to physical products with digital elements (like IoT devices, routers and so on), but following the impact assessment (which made a serious error of comprehension with an academic source) the scope was enlarged to include products without physical elements. I regard this as a huge mistake and the origin of the ambiguities which are causing the problems. Unfortunately it appears to be too late to fix, so now we are trying to get an adequate ringfence around the pre-market development cycles of open source by fourth-sector developers.

Some voices have then sought to misrepresent this as an attempt to exclude open source entirely from the regulation even when placed on the market commercially. This meme was already circulating when the draft text was first released (before any advocates I know had even commented). Naming no names, these voices are the kind of “friends of open source” whose agenda is actually to disadvantage it as much as possible. Some parties have then abstracted this misdirection into a general criticism. If you do see anyone asking for open source per se to be excluded rather than just for the development community to be excluded from the scope, please let me know so OSI can intervene.

Notes, Tags and Mentions

• #OpenSource #CRA #Policy #Europe #4thSector
• @osi@opensource.org @dirkriehle@hachyderm.io
• The photo is my own, taken in London at the former Kirkcaldy Testing and Experimenting Works on Stamford Street.

Follow @webmink@the.webm.ink to be informed of new posts. To discuss this post please reply from Mastodon etc. (search for the URL) & include @webmink@meshed.cloud as WriteFreely still doesn't display replies. More.

Post-industrial society comprises three sectors in the worldview undergirding the European Union:

• The Commercial Sector includes industrial, extractive, service, logistic and administrative companies. They are represented pro se, by industry and trade associations, by consulting and lobbying companies and more.
  
• The Labour Sector includes workers of all kinds – industrial, skilled, research, educational, managerial, entrepreneurial and more. They are represented by trade unions, professional bodies, trade associations and more.
• The Consumer Sector comprises everyone spending their personal wealth at all scales. They are represented by consumer associations, civil society organisations, religious organisations and more.

But the Internet has driven change over the last 50 years from which has arisen the World Wide Web and thence the Open Source movement, which in turn have catalysed many open culture movements in their rainbow mantles. The wave of open has produced many phenomena, good, bad and pending judgement – including the gig economy, open knowledge communities like Wikipedia and the Internet Archive, technology giants like Facebook and Google, open software stacks and supply chains and much, much more.

The roles people play in this open wave do not fit comfortably into the three post-industrial sectors. An individual would be expected predominantly to fall within the consumer sector, with a section of their life represented in the labour sector. But an open source developer can play roles characteristic of a commercial sector player, innovating and creating soft goods (commercial sector) which are assembled (commercial sector) or used (consumer sector) by others. A video streamer may be creating new copyrighted works of great value (commercial sector) that are widely viewed (consumer sector). An author or musician can now create their own compelling brand without becoming an employee of a publisher.

This is the new fourth sector. It comprises individuals, often connected and facilitated by ad-hoc or charitable communities, playing the roles of the commercial, labour and consumer sectors in varying mixes all at the same time. The fourth sector is poorly represented by the entities and roles associated with all three of the other sectors. That's inevitable; each fourth sector role will fuse together an aspect represented and an aspect confronted by any of the entities and roles dedicated to the three traditional sectors. So a consumer association won't advocate well for open source developers because an aspect of their existence is classified as commercial. A streamer won't be well represented by a trade union because they embody both consumer and commercial aspects. And so on.

As a result, existing consultation mechanisms used by legislators are guaranteed to fail. When they try to deal with open source by expressing the understanding they have gained of proprietary software, they will keep causing collateral damage — as we have seen in the Cyber Resilience Act (CRA) and many times previously. The need will increase as regulation tries to control, account for or promote the activities of the fourth sector without consulting it.

One significant reason this has been happening for such a long time already is the lack of a term to use to raise the issue. That's why I am proposing to call this sector of European society the “fourth sector”. It extends well beyond open source, covering any new, citizen-centric economic activity which is hard to have represented with only the existing commercial, labour and consumer lenses. Let's tell the Commission and other governments that it's time to care about the fourth sector, which is the driving force for all the changes they want to embrace — or control.

Notes, Tags & Mentions

• This essay and the thinking behind it about a “meshed society” has been around for quite some time — indeed, I named my consulting company after it in 2013 because it under-girded all my thinking at Sun and before that at IBM! I finally got round to a web search to see if the term “fourth sector” was in use and ... yes it is, in the USA! Defined in a very similar way to the way I have done, although with the focus on only entrepreneurial activity, using the term as a synonym of “for-benefit company” and omitting the dimension of individual and local activity without incorporation. See Building Better and Fourth Sector Group for example. Their concept amazingly omits open source. Time to remedy that.
• Photo is my own, of the edition of Auguste Rodin's “The Burghers of Calais” (“Les Bourgeois de Calais”) exhibited at the Musée Rodin in Paris.
• #CRA #OpenSource #4thSector #Policy #Democracy #Representation #Terminology

Follow @webmink@the.webm.ink to be informed of new posts. To discuss this post please reply from Mastodon etc. (search for the URL) & include @webmink@meshed.cloud as WriteFreely still doesn't display replies. More.

Proprietary software and the company that places it on the market can usefully be seen as the same target for those creating legislation. The software is constructed in secret, under the control of a single party, and the controlling party is responsible for both funding the work and monetising the result. However, the same cannot be said for open source software, which is created openly by a globally-distributed and unaffiliated community whose relationship with the larger work is “volunteer”. Using terminology associated with the worldview of proprietary software in legislation that affects open source is at best ambiguous and at worst extends consumer regulation to the domain of research and development.

Open source software is an artifact arising from the interactions of a community of contributors with no contractual binding between them beyond the open source license itself, which disclaims all warranties and has no conduit for funds. If there is an open source charity or trade association hosting the community, there will also be only a limited binding to to it and probably none that is a funding conduit. Many communities are unincorporated and don't even have this level of interconnection.

Because of this, those who place the artifact with digital elements on the market must be assumed to have no financial, organisational or indeed morally relevant relationship with any other party involved in the artifact's origination or use. There may be links, but it's best to start from the assumption there will be none because making them is an outside activity with no accommodation in open source licensing.

In many cases (sadly) those placing the artifact on the market have no connection at all with the community, not even at the level where it is appropriate to consider members of the community as suppliers. As one community member wrote:

I am not your supplier. So all your Software Supply Chain ideas? You are not buying from a supplier, you are a raccoon digging through dumpsters for free code.

The software and the community thus need to be considered separately when choosing language that applies regulation affecting open source. Some highlights to note:

• The software is made freely available under an OSI-approved license that ensures its consumer may do anything it wishes without needing any relationship with rights holders.
• The members of the community collaborate for many different reasons, and even when those reasons have commercial intent the commercial intents in play are likely to be unrelated both formally and informally.
• Many community members have a moral/ethical basis for their participation which can sometimes take priority over pragmatic convenience.
• Treating the software and the company placing it on the market as interchangeable is unsafe.
• As a consequence, it is unsafe to assume that because two parties are monetising a piece of open source software, that there is a flow of funds or even a relationship between them. Regulation should only apply to the party triggering the clause in the legislation, unlike with proprietary software where it is reasonable to assume a link.

Notes, Tags & Mentions

• See also “The comprehension error behind the CRA issue“
• The photograph is my own, of the Head of Saint Gereon in front of the Basilica of St. Gereon in Bonn, artist Iskender Yediler.
• #CRA #PLD #Policy #OpenSource #Software

Follow @webmink@the.webm.ink to be informed of new posts. To discuss this post please reply from Mastodon etc. (search for the URL) & include @webmink@meshed.cloud as WriteFreely still doesn't display replies. More.

By popularising and catalysing the pre-existing concepts from the free software movement, open source has been at the heart of the connected technology revolution for 25 years. Open source licenses grant all the rights necessary for anyone and everyone to use, improve, share and monetise the software powering modern systems and networks, empowering collaboration with many “known others” to create results greater than any could alone. OSI-approved open source licenses are the hidden power behind Linux, Apache, Mozilla, Android and more.

But by granting all the rights necessary to evolve the software powering modern systems and networks, open source also unreservedly grants permission to “unknown others” to repurpose, rehost, reuse and revolutionise. It also allows digital archivists to store, refactor and renew the means of access over the long term.

Availability to the “unknown others” — to society in general, and to our descendants — is crucial to our future. When software stays locked up inside the corporation or institution, when code created by the state with public funds remains secret, it does not add to our collective knowledge and the innovation it embodies is lost to society and when the “owner” moves on. This was the original motivation for previous generations to create temporary intellectual monopolies as an incentive to creators to make their creations public.

As time has passed, those intellectual monopolies have themselves been regarded as property and the knowledge and culture they embody is increasingly withheld from society using that as a pretext. Open source allows that new-found wealth to be “spent” in a new way to stimulate collaboration. Collaboration in community has gone on to amplify innovation and accelerate adoption. It’s thus especially important that software funded with public money finds its way into Software Heritage.

Software Heritage completes the new social contract enabled by open source. It provides the ultimate historical reference for the code behind our culture and comprehensive library of innovation to provide a “mounting block” to the shoulders of the giants before us. We should strive to get all the software that matters into this new Internet Archive for code.

Software is a cultural artifact, a proxy for the law in the lives of every citizen, a tool for control and for freedom depending on the hand that wields it. It is imperative that all software is open for scrutiny and preserved for posterity.

Notes, Tags & Mentions

• Based on my address to UNESCO on the opening of Software Heritage in June 2018.
• Image is my own of a sculpture by Stephane Parain
• #OpenSource #Policy #SoftwareHeritage #Archive #Democracy #Transparency #PublicMoneyPublicCode @swheritage@mstdn.social

Follow @webmink@the.webm.ink to be informed of new posts. To discuss this post please reply from Mastodon etc. (search for the URL) & include @webmink@meshed.cloud as WriteFreely still doesn't display replies. More.

There's a crucial issue here for open source. EU policy experts say not to worry about CRA compliance because the EU standards bodies will streamline it. But the ESOs are corporate-controlled, patent-loving & expensive to engage. Shouldn't the EU address this if they want open source accommodated?

In Europe, standards requests from the European Commission are handled by bodies which have been designated a European Standardisation Organisation (ESO) under EU law. There are only three of these; CEN, CENELEC and ETSI. None of these standards development organisations are accessible to open source projects per se.

CEN and CENELEC are largely controlled by national standards bodies which in turn are dominated by national industries, while ETSI is a member organisation with high membership fees and largely secret proceedings (although laudably with free specifications) that is directly controlled by its members, predominantly from the telecoms industries but also including the European states. In addition, ETSI celebrates its role as a pioneer and proponent of FRAND licensing, which is fundamentally incompatible with open source communities. As with all de jure standards, participation in each of these standards bodies is expensive, both financially and in time, and engaging in their governance is beyond the scope of small players.

Given this context, when the European Commission requests standards that will be applied for conformity assessment it's not clear how they will take into account the development workflow that applies to open source software. Like the European Commission itself (as I commented recently), Europe's standards bodies have no functional relationships with open source charities and do not consult them.

It is very important to find ways to give a voice to the true community and not just its corporate members. As things currently stand open source will only be considered through the lens of its corporate uses. Since open source is a social movement with software artifacts for which the applications are diverse, paying heed only to the attributes of the software and the needs of the companies consuming it is an inadequate approach. You can't even proxy through small business, let alone multinationals and their lobbyists – many of them are unaware of how communities work and without community understanding, fundamental errors can be made.

As a result, I believe whatever legislation arises from the CRA (and related instruments) needs to specify that standards bodies making related standards must include effective measures to consult and include the open source community. If this doesn't happen, as NLnet Labs explained, “The only alternative left available are the conformity assessment procedures that involve paying for third party process auditors.” And open source developers definitely can't afford that.

Tags & Mentions

#CRA #Standards #OpenSource #FOSS #Policy#4thSector @bert_hubert@fosstodon.org @maarten@techpolicy.social

Follow @webmink@the.webm.ink to be informed of new posts. To discuss this post please reply from Mastodon etc. (search for the URL) & include @webmink@meshed.cloud as WriteFreely still doesn't display replies. More.