Published on

Open Source: Current State and Future Hopes

In February this year, I attended three different open-source-related events in Brussels organized by three different parties:

  • Public sector: A workshop organized by the European Commission where I was interested in panels about cybersecurity and examples of how open source is used in the public sector.
  • Think-tank (kinda lobby, but positive one): OpenForum Europe organized EU Open Source Policy Summit, which accommodated politicians, public sector representatives (even United Nations representatives), and software foundations representatives.
  • Volunteers that just love open source: Last but not least was FOSDEM, a huge event with a very long history where I could finally find myself among people with a passion for open source who weren't wearing suits :smiley:

I have to say that it was a very interesting but also intellectually exhausting mix of events. If open source is a part of you, you need to be there every year. I predict that in the future there will be more and more events co-existing around FOSDEM.

tl;dr

Let me summarize the key points of the article in a few bullet points so you do not have to read the entire article:

  • The public sector adopts open source as much as other sectors, but do not have high hopes that it means more and better funding for maintainers.
  • Maintainers have their own event and policymakers have theirs. There is no bridge. Foundations are not a bridge in the discussion.
  • Do you remember Log4j vulnerability from December 2021? I hope you did not count on it changing something around open-source funding, although Log4j is doing great now.
  • The Cyber Resilience Act from European Union will affect whole open source community, even if you are from India or Brazil. People thought GDPR is just EU thing - it wasn't, and the same will be with CRA.
  • Okay, it's not that tragic; there are some funds for maintainers showing up, like The Sovereign Tech Fund from German government or Next Generation Internet from European Commission.
  • There is a light in that long long dark tunnel, and I think it is OSPO (Open Source Program Office) adoption. It is not perfect, but it is a standard that everyone looks at when they start doing serious open source. A standard enables common understanding and better communication.

Yay, Open Source is Cool as It Is for Free

Unfortunately, it looks like people still think that the biggest advantage of open source is that it is free.

"Nothing in life is free; you always pay in the end." – Wayne Static.

Also, Gabriele Columbro (General Manager of the Linux Foundation Europe) said, "We have to go beyond adoption. Public sector open source will thrive when it creates markets and an ecosystem to sustain projects in the long run."

The difference between open source and commercial solutions is that for commercial solutions, you pay now, and open source is like a deferred payment loan. So if you try to convince your audience that open source is cool because it is just a bunch of free tools, you're being dishonest, my friend.

Show the numbers, show how much cheaper it was to use PostgreSQL instead of Oracle - but at the same time, clearly communicate: "to make sure that it is also a good long term investment, we donated 10% of saved costs to the project development."

As usual, I'll blame agile for the current situation. Please prove me wrong. Agile is about speed, and when you are speeding, when you think only a few iterations ahead - you forget about the long term. Can you blame people? Who has time to stop inside an iteration and suddenly start a discussion inside the company about a donation? Only a few individuals.

The open-source advantage is not that it is free; in some cases, it might not even be cheaper. Open source is something that in-house development will never be:

  • The flexibility it gives you in choosing the right solution and working with the community you need.
  • Access to amazing talents that even the best and most expensive recruitment experts will not bring into your organization.
  • Collaboration with people across the industry, the exchange of ideas on a much larger scale, going far beyond your bubble.
  • Speed...yes, I know, sometimes it takes time to merge a PR - but it gets quicker if you become a maintainer, and it is still much quicker than if you would write the whole solution on your own, in-house.
  • The innovation boost! The more diverse, global, and open-minded the community, the better.

And yes, the challenge is that even though we know all the above factors mean that you will also save some money, this fact is very hard to measure. It means it is also super hard to convince people that only understand excel calculations.

Call me an idealist, but I still think that the more open you are, the more honest message you're sending - the closer you are to the principles of open source. Such an approach always wins and pays back.

Public Sector and Open Source

I see a positive change that the public sector starts openly talking about open source adoption. The more people talk about it and the more organizations will adopt OSPO, the better. It will be easier to make a positive change in the approach to funding because OSPO brings a common organization framework.

Open source is used by all, and it is not a surprise that the City of Paris also uses it. The surprise for me is to see so many representatives of the public sector talking about it in open. I love it.

At the workshop organized by the European Commission, I could listen to people representing:

  • Austrian National Bank
  • City of Paris
  • pagopa.it (Italian public company providing payment services for administration)
  • Sambreville city council

Then I learned about:

For me, a guy that is based in Poland, I'm amazed and also jealous. Nothing like this happens at scale in Poland.

This should be a global standard! Why? Because it already is a global standard!

Not only the European Union has OSPO, but also WHO. Additionally later this year, in July, United Nations organizes [symposium called OSPOs for Good(https://www.un.org/techenvoy/content/ospos-good-2024) and its representative openly talks about Global Network of OSPO.

It's not a matter of the question: "if you should set up OSPO in your org." The train is on the way, with good speed, so hop on the wagon. The knowledge is there, just use it :smiley:

We Are Kinda Still in a Silos Structure

The first two events I attended, they were run by the Public Sector and Think Tank - and the first note that I took to summarize these events was:

Too many suits, not many maintainers.

It ain't easy though, I know. Silos are not always intentional. Sometimes the problem is that we speak different languages, we come from different contexts and bubbles that make it hard to communicate and "be on the same page."

Open Forum Europe held discussions involving politicians, EU officials, and representatives from various foundations. What I'm afraid of is that foundations should not be the only voice in the discussion as they are biased. Foundations see the world through the projects they host. In the majority, these are big projects, like Kubernetes, Kafka, or Django.

What about maintainers of smaller projects? What about those that maintain libraries that are not under any foundation? Who will take care of them? Who will listen to their voice?

Events that I attended try to establish a bridge between all these different parties. I just had a feeling that not everyone was invited to walk on that bridge.

Luckily I'm not the only one seeing it. Another great thing about open source community: there is not time to complain, but time to act. FOSDEM is a place that is open to accomodate everyone, and it happened.

Cyber Resilience Act (CRA)

CRA, in short: It defines a set of security-related obligations on developers, like Within 24 hours of being aware of an actively exploited vulnerability, the developer must notify the vulnerability to the European Union Agency for Cybersecurity (ENISA). If you do open source after hours for fun - you're not affected. But if you regularly get donations or any other financial help - it's about you.

A pretty scary initiative from the European Union. Do you remember the Log4j issue I mentioned at the beginning? The first time I heard about CRA I though: instead of helping find a solution to fund open source more efficiently, they decided to just punish people.

"Again? GDPR crap was not enough?" - you might think.

Before you generalize and think that everything that EU does is bad, get familiar with The Interoperable Europe Act and remember to thank the EU in the future when you will be able to send a direct message from your Facebook Messenger account to your friend's Telegram account.

What is true for sure is that the EU did a terrible job trying to come up with a regulation without first consulting the open-source community. No question about it. Many foundations wasted a lot of time trying to bring the whole community together to protest against CRA. Just look at this very nice summary of all different initiatives.

The good thing is that foundations working together with think tanks managed to get into the heads of people behind CRA.

Open source will be treated as a special case. The EU came up with a concept of open source steward. Such an entity would be responsible for providing support for the project and hold legal responsibilities.

Is it the end of the battle? It's just the beginning. This is a pretty fresh topic. The concept was introduced like two months ago. There are still doubts on how the concept will be implemented.

What I observed is that the initial CRA woke up the dragon. Many organizations united and that there might be a chance that such an approach, of working together will become something regular, something official, like for example by formulating The Fourth Sector that represents the open-source community and organizing entire day at FOSDEM to talk about Open Source In The European Legislative Landscape.

Show Me the Money

I personally think that if there is no common understanding, common framework all companies and organizations follow, the funding of open source will always be from the perspective of a kneeling person asking for help. Many don't fight for funding as it is below their dignity.

Getting funds is a difficult process of finding the right person in a given company that has a budget. It takes months, several discussions and even if you get some funds, you need to fight for renewal every year. You depend on good people that even though it is not their responsibility in a given company, they are willing to help you out find the right people. This requires a lot of patience - and where is the time for other works?

The public sector tries to set up some solutions - which is a good thing, but I'm skeptical it will never be done on a proper scale.

Next Generation Internet (NGI)

Next Generation Internet is a European Commission initiative. By the name you can already figure that this is not something that will help all the projects, not even close. It is one of those funds that helps sponsor new projects around a specific topic. Nevertheless, try to follow the program, maybe you'll find someting useful for your project.

The Sovereign Tech Fund (STF)

The Sovereign Tech Fund is a German Government initiative. This is a much better fund, and it is here to stay, at least for 2024. They do some reorg so new applications need to wait until Q2. It has a much wider scope.

I mentioned Log4J few times already. Well something changed there in the project, and it is thanks to STF. It is official now that they got funds to support three experienced developers to work full time on the library as maintainers.

Without going further into details of how the fund works, I think that Log4j support clearly demonstrates the trustworthiness of people behind the STF and their vision. I hope other organizations and governments will follow.

The Hope

The glass is always half full, right?

Funds like STF are nice, but they do not have enough budget to help the entire open source community. Especially since open source is a global initiative, not just European. We need something on a much larger scale.

Wouldn't it be great if all companies and organizations sponsor other projects like Mercedes-Benz does?

We just need this as a standard, not as a unique initiative. And even if it's just cases, there should be a transparent process behind donations and an easy application path.

Open Source Program Office (OSPO) is something that brings hope.

Rambling about OSPO a bit in case you don't know what it is

I might be biased. I'm working in project that maintains standard for Event Driven Architectures. I believe that standards make work easier. Following the path that others already followed and by this, having a common ground, common understanding, and even the vocabulary - make things much easier.

Even though I'm active in open source for like 9 years, I remember how difficult it was at the beginning, especially working in a corporation. Understanding that open source is a completely different realm and trying to understand it by mapping it to what I knew from a corporation side was a long and difficult exercise.

OSPO is the de facto standard that everyone who wants to work with open source in an organized way should follow. It is broadly adopted, and I can't imagine how bigger companies operate in open source without it. Almost everyone uses open source, your company as well.

Before you start questioning my statement, try answering the questions below about your company:

  • Who's making sure you use open source under a license that will not put you at risk of getting sued?
  • Who's delivering an infrastructure for scanning your open source dependencies for vulnerabilities?
  • Who's educating people in your organization on the best strategy to fork open source projects, pushing back to upstream and costs related to doing things differently?

If you do not have an OSPO, it is possible that the answer to all these three questions contains names of different departments and different names that probably do not even know about each other. Good luck with the chaos.

Targeted education and OSPO channel

I have hope because I believe in education. I believe that people do not support open source not because they are lazy, not because they just want to exploit whatever is free.

I think people do not support as much open source as they could because of:

  • They do not understand the problem that they are not even aware of
  • They work in companies and organizations where they have zero influence on processes and any positive change

The right people will help but first they need to be found. Once they are found, then need to be targeted with proper education, proper templates of how to handle things in their orgs, and ready materials that they can use to implement proper processes in their companies.

Imagine the perfect world: Open source maintainer is poked by one of the users, a developer from some big company, that writes "yo, it took me one day to confirm through internal process that you can put logo of our company in your readme as your users. I also asked for adding you on the open source fund payroll. You're doing an amazing job!"

OSPO is the channel for the change. Through wide adoption of OSPO, we gain access to people who are interested in education, want to be educated, and want to support open source.

OSPO ain't perfect though and needs some support. But this is a topic for another article.

I send a huge personal thank you to Jarek Potiuk, a PMC Member of Apache Airflow project, that made me aware of all these different events. I would not be there if not Jarek.

Feel free to reach out to me via email at lpgornicki@gmail.com.