Skip to Main Content
Apache Events The Apache Software Foundation
Apache 20th Anniversary Logo

This was extracted (@ 2024-05-15 21:10) from a list of minutes which have been approved by the Board.
Please Note The Board typically approves the minutes of the previous meeting at the beginning of every Board meeting; therefore, the list below does not normally contain details from the minutes of the most recent Board meeting.

WARNING: these pages may omit some original contents of the minutes.
This is due to changes in the layout of the source minutes over the years. Fixes are being worked on.

Meeting times vary, the exact schedule is available to ASF Members and Officers, search for "calendar" in the Foundation's private index page (svn:foundation/private-index.html).

Public Affairs

17 Apr 2024 [Dirk-Willem van Gulik]


- Continued dialoges with policy makers useful and constructive.

 First signs that they are now also getting their arms wrapped around the
 absolutely massive capacity/capability issues.

- Continued dialoges with the normative standards bodies not going as well.
  Nothing but diplomatic pleasantries w.r.t. to the main one, CEN/CENELEC,

 Plus we've now ran systematically through the various options suggested by
 (them/commissions/legal) experts and not many avenues left. With the same
  reported by the other open source stewards (and Simon Phipps warnings us
  that this was going to be the case all along :) ).

 This should now become a concern -- not so much for us; but for CEN/CENELEC
 and the commission. Especially as the needed reform of Regulation 1025 (see
 last report) is going to be too late. So this is mostly their (own) problem
 to fix.

- We announced a collaboration with Eclipse, Python, Rest and a growing list
  of folks. Was received well (and Brian&press-team was lauded). Very likely
  we'll have some solid industry partners there too soon. First versions of
  bylaws/charter in draft. Probably ready for actually doing something useful
  end of spring.

- XZ event triggers questions from policy makers and `what if the CRA would
  already have been in force' speculation.  Sofar all informal.

 This is goodness - as the event showed that the EC/ENISA are not yet in an
 ideal position to work with the key open source stewards during events like
 this (unlike the USA their CISA who is well in tune/connected). We are
 pro-actively keeping the EC/ENISA informed & are trying to get them involved
 long term in this type of event. As long term this makes our open source
 steward/leadership much easier. And ties, trust and organisational-reflexes
 like this take years to forge.

 As for now - our headline reading on CRA & XZ is that these are orthogonal
 issues at best. And that while SBOMs would have been great and good (ENISA)
 contact/reporting can be helpful - this is also a case where the remit of
 industry stops and that of the authorities and intelligence agencies start.

 The analogy I've been experimenting with is that of a civil/chartered
 engineer signing off on a dead-normal bridge; and being liable for that
 bridge collapsing. But universally understood that if it collapses because of
 a terrorist detonating a truck of explosives - that it is then largely out of
 his realm. And with this XZ question we seem to be muddling this.

AI act, SEP, InteropAct, etc

-  Nothing new to report - parliament is now going it its election cycle.

20 Mar 2024 [Dirk-Willem van Gulik]

With the Cyber Resilience Act (CRA) now through final vote
(icons at top of page to select a language - e.g. in English: all
 that now we’re waiting for is the publication in the official journal to
 anchor the various legal `in-effect' dates.  Meanwhile the Product Liability
 Directive (PLD) is proceeding apace. The EU interoperability-act and the
 Artificial Intelligence (AI) act cleared the Parliament March 13
  The Standards Essential Patents Regulation (SEP) also cleared parliament -
  and while not ideal - it is not a disaster for open source either.

With that, the focus for the CRA is now firmly shifted towards implementation.
There are several things going on here in parallel.

First - we’re working with our peers (i.e. well-governed open source
organisations that are likely to meet the not-yet-created definition of an
open source steward) to see of we can take the `good things’ we do today
around security, triage, releases, CVEs and so on - and officially define
these as industry best practice baseline.

So this is nothing new (for us) - but does formalize things like; `triage
vulnerability reports according to risk & fast track if needed', `fix issues',
do not release code with known issues, move a project to the Attic if no longer
maintained, do responsible/coordinated disclosure, etc. And we want to make
these more formal. Using bits from ISO 27001 or ISO 29147 & right-size these
to the open source steward role.

Secondly - we met with various European Commission Directorates' experts
and European Standards Organisations (ESOs) folks face to face in the last
weeks. News here was not overly good - they fully understand the
dichotomy in open source: its role -- I.e of us being something both akin to an
extension/core of the industry; and also akin to citizens/society
organisation where people, rather than companies, build something collectively.
- the other shoe has not quite dropped yet. I.e. that open-source is not just
  another (national) company that can work with (national) interests to do the
  right things in CEN/CENELEC or other ESOs. This is even more important as
  increasingly the ESOs are not standardising fairly value neutral things such
  as how to measure the fire-proofness of a wall in hours or the frequency
  deviation (all measurable with normal objective `kit' such as a stopwatch or
  an oscilloscope) -- but things such as `what is the right way to balance
  privacy v.s. security'.  And this is made worse as there is not much `open'
  to the process of creating 'open standards'.

That said - in a bit of good news - open standards have become a bit more open
-- the wonderful Carl Malamud fought all the way to the European Court of
   Justice to get citizen free/unfettered access to harmonised standards that
   are, essentially, part of the law. (Background - unlike the IETF(RFC) and
   W3C standards that rule the IT world - most ISO, CEN and similar standards
   are behind a paywall).

The other issue of concern is that, for the CRA, the EC expects CENELEC to
deliver. However, the recent effort of CEN/CENELEC to deliver on the Radio
Emission Directive (RED) saw CENELEC (in their own words) deliver late and
with sub-par standard processes and sub-standard quality standards. And they
(fairly) point at the lack of time and lack of volunteers. This despite RED
aligning with their traditional expertise and community. The CRA effort is, I
think, significantly larger than RED. And their community has not yet
attracted the needed people and expertise. And there is less time. Basically -
CENELEC hails from the world of Information Communication Technology; with a
lot of emphasis on that 'C' of Communications. Whereas open source is largely
the world of (generic) IT. I.e. higher on the stack (also from a political &
consumer perspective).

Also f importance here is that the US, at these meetings, indicated that
while it agrees on the CRA outcome, it is not married to the EU Standard
approach. The US will do its own thing and was quite clear that it is perfectly
willing to have the US National Institute for Standards and Technology
(NIST) directly author/create these.

Thirdly - I am talking to the other open source foundations and OFE to see if
we can help our community help itself by including EU companies in our
communities in the various funding rounds that are available to evaluate the
impact of the CRA, to create the tooling needed at Micro-, Small and Medium
Enterprises (SMEs), to evaluate that tooling and so on. This is a bit slow
going. Part of the complexity is that we, as a USA organisation, and a
volunteer organisation are not practically eligible for anything. This is
rather sad - as arguably we'd be in a great position to help our community
help itself if we could work at the aggregate level.

So much for the CRA.

On AI not much to report - for the ASF Michael Wechner is keeping an eye on
this for us. Vote in the parliament just passed - with final language versions
still appearing.
That means it will start to go into full force well before the end of the year
(for high risk) AI.

Similar for the Interoperability Act, which will require the EU to form an
interoperability expert community that includes open source. Not sure if the
ASF has the volunteering capacity in Europe for that.

Product Liability Directive (PLD) - similar situation - probably going to be
voted through by the parliament mid April - and it is therefore likely that it
will not benefit from the better definitions of open source stewards in the CRA.
This will cause noise; especially for our downstream community.

The Standard Essential Patents Regulation went through the European Parliament
much faster than expected. Overall it is in a reasonable state from the ASF
perspective. We currently lack volunteers here to really contribute/help right
the wrongs. But OFE is coordinating good work here from the likes of OSI and
other experts.

Finally - Regulation 1025
that defines how standards are managed & the level of access by industry and
civil society is up for renewal/updating. When it was originally written, free
and open source software was more seen as a business-model/variation of normal
corporate activity. I.e. a special, small, form of commercial activity. And
Information, Communication Technology (ICT) standards something else. With
companies firmly in charge of this field.

Today the situation is almost reversed - with 95% of products with digital
elements being open source that is shared across products. And general
Information Technology (IT, so without the C) far eclipsing ICT. Several of
our peer orgs are trying to get involved and help modernise this. I will try
to see if we can get expert volunteering for this in the ASF - but am
expecting that resource constraints mean that we are leaving this to the
organizations around OFE and the more expert players in our downstream industry.

As for the US - I'll let David report on that.

21 Feb 2024 [Dirk-Willem van Gulik]

CRA & PLD - Informal reports are that the final text of the CRA has been
translated in all languages; and that the legal/linguistic experts have not
flagged issues that require an extra clarification cycle by policy
makers/politicians. However, with the election near and the various
significant global events, the legislation train is said to be stalled.

This makes it likely that the CRA will not make it through the process before
the EU election. This means that we’re looking at Q3 or perhaps Q4 (once a
new parliament and commission have formed) before a formal vote. This also
means that the start some of the implementation funding and standards-processes
may get delayed, which is helpful.

Given this and the elections - it does not seem likely that extra time will
help us improve the (open source) definitions in the PLD. So that means no
changes, which is not ideal. But not a disaster either.

Also of note is the AI act, that now contain a usable exception for open
source. But there are major puzzles: the open source definition is copyright
based, while a lot of key 'IP' of AI is more Database Rights/TRIPS convention
related. And there is a lack of technical understanding at the policy
makers when it comes to things such weights/models, tests, training data and
so on. Michael Wechner has volunteered on the AI act, and is now actively
following that (with coordination on public-affairs-private). I expect OFE to
play the same cross-community coordination/information role for the AI act as it
did for the PLD and CRA.

As is customary, the European Commission and Open Forum Europe arranged for an
'open source week' in the period around FOSDEM, and at FOSDEM, to touch base
with policy makers. With Craig Russell, David Nalley, several ASF
members/committers and me (Dirk) in attendance.

The impact of the CRA and PLD were the main topic at the EU Workshop Open
Source Area for Digital Autonomy, with open source position generally well
represented. And with the point, repeatedly made and generally accepted, that
open source is not just key to innovation; but also the main and only
foundation of the modern (internet) software industry. It was also clear that
the concept of Open Source Steward, even though introduced late in the
legislative process, was fully accepted by all stakeholders and seen as a
lasting solution. I.e. as a 4th economic actor.

Less positive was the repeated insistence by some that the onus to 'fix bad
regulation' is squarely on open source in general, and the industry in
particular; i.e. the expectation us that we as open source communities, actively
follow, and 'meddle' in policy and nascent legislation. And that it is assumed
to be our job to fix what the policy makers throw over the fence. And that
this is part and parcel of a 'responsible open source community' that can be
trusted as 'open source stewards'. And with not much give by the Commission
(which controls the key standards bodies) on ensuring the required level of
access by open source foundations (even though the CRA mandates this).

This workshop also stressed quite a few financial support packages to prepare,
aid and create capacity for CRA and PLD implementation. We’ll discuss these
with our peers, but our (ASF) participation is likely to be extremely limited,
for the simple reason that most require a fully/exclusive EU legal entity and
'paid developers'; so this is more for the SMEs in our community.

The more general EU Open Source Policy Summit more or less matched the EU
Workshop - but with a bit more emphasis on countries outside the EU and USA
(where one should expect the same) and a lot of concern for creating the
capacity and capability required to actually implement this legislation.

At FOSDEM we, as part of the open source community, backed the EU reporting
back to the wider open source community on the process the EC went through
after the EU gave their 2023 plenary talk on software regulation.

Our collective message there has generally been a cautiously positive one; i.e.
not as total a disaster as the original plan was. The role defined in the
legislation for open source stewards is very helpful, but the devil is in the
details of the 40+ international standards that need to be written. With a lot
of emphasis on how hard these standard processes have traditionally been to
participate in.

FOSDEM held a full Sunday 'devroom' spent on the same topic (credits to Open
Forum Europe, NLNet and the Open Source Initiative). Here too, the concerns
around standards came up repeatedly, and with not much give (yet)
by commission/standards representatives.

Some time was given to the European Interoperability Act — which will soon set
minimal levels of interoperability; some of which is most likely only
'practical' if the parties involved use the same (and hence open source)

We’re also exploring if the ASF wants to participate in some of the European
Call for Tenders that ask the market/open source stewards for feedback, And
where the EU provides funding for developing the documentation and
processes that may facilitate the implementation of the CRA.

Given the complexity of our being a US organisation - it may well be that we’re
only passively supportive here — and rely on interested SMEs in Europe that
are part of our downstream community for the actual involvement.

17 Jan 2024 [Dirk-Willem van Gulik]

PLD/CRA situation stable & the good news of the special economic class of
`open source stewards' created for us seems to be solidly locked in for us
now. Some for the product liability directive; in essence it should either
stay as is; or improve with the better definitions of open source. We expect
the CRA to come into force next month; with implementation complete early

With the other more vocal/pro-active foundations having reflected on it in
public - the ASF is now readying a more factual, muted but generally positive
story as a blog post. Planned to be on-line well before FOSDEM.

We plan to sent a questionaire to either all PMCs or all committers (probably
the first) to make a first pass to see where we have the grey (direct to
consumer, Blog Roller, Open Office) & black areas (annex-II; needs to be fit
for `critical software' - e.g. APR, LDAP, SSHD) with regard to their
respective areas. This will help us prepare for the CRA.

All this also means that public policy will need to shift towards the USA
their upcoming software regulation; so I will also prepare a call-to-action on
members@ to see if we can find a volunteer that is more US centric) to replace
me (or if that is too tall an order, offer to do something overlapping).

20 Dec 2023 [Dirk-Willem van Gulik]

The CRA got finalised in a marathon meeting between the countries, parliament
and commission that saw a lot of last-minute changes and an almost complete
reversal with respect to the situation around open source.

The first good thing is that the concept of `open source stewards' was solidly
introduced; whose `products' where placed under a much lighter regimen &
fines. And this is combined with an actual definition of open source and  much
better definition of `commercial' that is not as close to placing things on
the market as before. Also good is that development and supply are no longer
seen as one; but pulled apart. That also gives room for individual developers;
i.e. natural persons, to be shielded for their upstream contributions (these
no longer are under the CRA; i.e. they & SMEs are not `liable' for that - e.g.
when their security fix boomerangs back through the ASF to the EU market).

Unfortunately we do not have the actual, final, text yet as approved; so a
decent analysis will have to wait for a few more weeks. The signing may still
happen this year; but is likely to be early Januari; with it coming into force
20 days later. There is then a 3 year period in which some 40-odd
(international) standards and other details need to be refined before the CRA
has all its `teeth'.

So we've gone from truly bad to possibly quite workable, and if one is
optimistic, to a situation where it may actually improve security.

That said - like similar regulation such as MRR/MRD, the industry will be
impacted; cost increases of about a third are generally expected. I am hopeful
that the ASF, and similar organisations, can help buffer some of that impact
by providing a place for the community to coordinate \& prevent double work.

Most of these implementation processes will be kicked off around FOSDEM, early
Feb, with a series of meetings and workshop. The ASF has expressed that it is
willing to work with its peers (e.g. the Python, Eclipse, etc) to assess
impact and develop best practices.

PLD - proceeding as expected; and has a workable `exceptions' subject to some
more thorough legal analysis (which will aid understanding - it won't make any

However there is now an odd situation; the CRA was way worse than the PLD; but
with the recent CRA changes - it now actually becomes interesting to improve
the PLDs definitions of open source and align these with the CRA. Both to
improve them -and- to make it easier to implement (i.e. no odd issues at the
fringes - as one will always need to implement the superset; both CRA and

Regardless - this still means full, strict, liability will be in place
sometime early next year. These will void our `waivers' to a large extent
downstream from us; i.e. `after' our commercial downstream parties. While a
massive change for the industry - the impact on us appears very limited still.
With a bit of luck we have enough final text in late December to start doing a
proper legal analysis.

Various other acts, including the AI act, got through as well - but these by
and large contain the right sort of foundation/component exceptions that work
for communities such as the ASF that want to collectively work on code or

US & Standards

Nothing to report in this cycle.

15 Nov 2023 [Dirk-Willem van Gulik]


PLD - proceeding as expected; and has a workable `exceptions' subject to some
more thorough legal analysis (which will aid understanding - it won't make any
difference). This means full, strict, liability will be in place sometime
early next year. These will void our `waivers' to a large extent downstream
from us; i.e. `after' our commercial downstream parties. While a massive
change for the industry - the impact on us appears very limited still. With a
bit of luck we have enough final text in December to start doing a proper
legal analysis.

The CRA slowed down somewhat; with a complex, new and ill defined concept
introduced late (Open Source Stewards). It also saw an increasingly wide swath
of large economic EU interests expressing concern about open source. This is
making it much easier for us to directly communicate with the member states /
perm-reps. Likewise - coordination with our peer open source organisations
through Open Forum Europe is generally productive; with conversations with the
right people (Shadows, etc).

Member-states their reaction now appear to shift from an optimistic idea that
the current `place on the market' and `commercial context' variations are
sufficiently well defined to avoid adverse effects on open source to now
stressing that any imperfections w.r.t. open source (foundations) are 'not a
worry' as they 'can be fixed later' (e.g. in the New Legislative Framework).

Neither is likely to be enough/happen. However the slowdown is not as much as
we hoped (i.e. into the Belgium presidency or the elections) -- with this
Friday a meeting on the full text (including the recitals, which is very
unusual) expected.


No changes - and NIST is increasingly engaging with industry (see also report
by Ruth/Security). Given the standstill of progress on the normative standards
organisations in Europe -- this still makes it increasingly likely that it is
ultimately the US that will define the global standards in this area.


No changes over the summer / no new conversations.

18 Oct 2023 [Dirk-Willem van Gulik]


The PLD appears stable and on track - and has a workable `exceptions' subject
to some more thorough legal analysis (which will aid understanding - it won't
make any difference).

The CRA was expected to pop out this month; but Spain (the current president)
tried to chew off more than it could bite (and/or the political world has more
important fires to address) -- so it may slip into the Belgium presidency.
This means delays.

I've sought guidance from our President/VPLegal to engage legal expertise
around the crucial `place it in the market' issues on which the CRA (and the
(in)effectiveness of the opensource special clauses hinges).

So I want to directly engage some legal expertise around a few, ASF specific,
narrow interpretation questions: 1)
confirmation that distributing source code with make/build/rel-notes, version
numbers. etc, i.e. alll that `signal that this code is expected to be used'
meets the current (and not yet final) definitions of placing it into the
market of the Blue Guide/NLF. 2) what the boundary would be if the ASF where
to avoid itself to place a product on the market/have the CRA read on it and
3) the implications for both our EU based committers -and- their employers.

So will get options; put them in front of Roman and for OK by David.

CRA P(review) Week

There is continued discussion on the mailing list about the need for a "louder
action", especially the concept of CRAP Week.

Meanwhile we now seen evidence of the very large, powerful industries waking
up to the reality (last page of
and also see that not having much visible effect (so my last report was too

We're trying to get to consensus - have tried to summarise at :


No changes - and NIST is increasingly engaging with industry. Given the
standstill of progress on the normative standards organisations in Europe --
this makes it increasingly likely that it is ultimately the US that will
define the global standards in this area.


No changes over the summer / no new conversations.

20 Sep 2023 [Dirk-Willem van Gulik]


Over the parliament recess, significant work and various analyses done on the
3(4) versions of the CRA by the open source foundations; coordinated by Open
Forum Europe. Which will lead to outreach to national stakeholders/cabinet
offices and the EU/EC that is coordinated between all of us. With consensus
inside and outside the ASF. This analysis is expected to become public this
week (with earlier versions used by some of our members in talks with NL, DE
and IT). Note that this will be under the OFE banner - we, the ASF, merely
supports their work.

Conversations with DE suggest that the CRA is getting slowed down; with
trialogue completion now expected no earlier than end of October. The PLD
(plain, simple, strict liability for software) is still on schedule for the
end of this year.

The situation around the 3 versions sees some of our large peer organsions
deciding to wait the outcome of the Trialogues before a more
public/public-outcry oriented campaign. Consensus at the ASF (and various
other peer organisations) seems to be that this is too late; as 1) the
regulation has been carved into stone at that point; and you generally assume
a complete reversal. And 2) as the current Council version (which generally
`win's) is not that problematic for a pure volunteer ran organisation like us
(i.e. where the open source organisation does not pay its developers; where
the baord does not tell PMCs what to do).

I am currently looking into engaging some legal expertise around a few, ASF
specific, narrow interpretation questions: 1) confirmation that distributing
source code with make/build/rel-notes, version numbers. etc, i.e. alll that
`signal that this code is expected to be used' meets the current (and not yet
final) definitions of placing it into the market of the Blue Guide/NLF. 2)
what the boundary would be if the ASF where to avoid itself to place a product
on the market/have the CRA read on it and 3) the implications for both our EU
based committers -and- their employers.

CRA P(review) Week

There is discussion on the mailing list about the need for a "louder
action", especially the concept of CRAP Week, but the exact definition of
this, the goals of this action, the impact of said action on the community,
and the required infrastructure resources and timing continue to be
debated.  There is not a consensus that the action would accomplish the
stated goals of attracting attention and getting our community fired up
against the CRA.  Indeed, this could easily alienate our supporters.  If we
are to contemplate this for the future and anticipate the need for this
action of "last resort", it would require Board approvals as it falls
outside the purview of the Public Affairs remit.  Meanwhile we are seeing
large, powerful industries waking up to the reality and the action may not
be needed.


No changes - but NIST is increasingly engaging with industry. Given the lack
of progress on the normative standards organisations in Europe -- this makes
it increasingly likely that it is ultimately the US that will define the
global standards in this area.


There is a Linux Foundation organised Open Source Summit in Bilbao. ASF folks
known to attend have been briefed - but we've postponed/declined to engage
with lawmakers/regulators in prepared meetings & avoided a public appearance.

(Background: Bilbao is in Spain, and Spain is the current president of the EU
 & hence sets agenda/etc for the next months). Instead people attending have
 been given a number of talking points to have ready should they happen to be
 put in a position where they need to respond/have the right opportunity.


No changes over the summer / no new conversations.

16 Aug 2023 [Dirk-Willem van Gulik]


With Europe (Brussels & national capitals) largely shut down over the summer
there is no additional clarity/leaks on which of the 3 versions of the CRA
will prevail. No changes around the status of the PLD (strict liability for
software) — the exemption for `us’ still there. Unfortunately - the current
documents are not yet final enough for proper legal analysis.

Both industry (i.e larger enterprises, SMEs) and wider open source community
(especially those that pay their developers) starting to understand the
 implications. With several highy respected industry consortia briefing in
 line with our interest. Progress at Open Forum Europe to come with a general
 analysis that helps inform the trialogues by describing impact.

Meanwhile - various people in our community have been brainstorming what
possible (public) responses; such as ‘CRAP week (CRA preview week)’ are
appropriate. I think that this this another 1 or 2 weeks to see what the
sentiment is at our peer open source organisations before the ASF needs to
make up its mind. Reality is that the `Council’ version (that generally sets
the tone) is not -that- bad for the ASF.


No changes


There is some discussion on the mailing list as to wether or not be a `good
community shepherd’ and stress to, or inform (e.g. with a very short blog
post), our committers at the ASF that the ASF, at this time, has not
registered itself on the foreign non-profit organisations register of Russia;
and that the ASF, as Delaware Inc entity,  has, at this time, no intention to
analyse the situation or register. This discussion has not yet reached
consensus and is still going on.


Standards (US/EUROPE):

We’re reaching out to organisations that represent nations on the standards
bodies as to make our existence known & offer expertise. Both jointly through
OFE and, hopefully, as the ASF come September (I expect to post a call for
volunteers once we have the details).  There are also several calls going out
for experts to sit on standards bodies that will operationally the CRA/PLDA
- I hope to get a complete list & then pass this on to our community
(committers & members) to find (local) volunteers.

Open Forum Europe

Asking the board for an budget/Ok to sign up to supporting them for 30k/year.
Secondly we decede if we want to be publicly listed on their site as a
supported. My suggestion is that we do that; as it is a win-win for us & the
wider open source community (and we can rescind this any time we want).

There is no paperwork needed. They would need an email confirming this, the
payment made & which logo’s we’d want them to use - and our contacts.

BOARD Action: ok on budget & ok on becoming a supporter.

Open Source Initiative (OSI) - rejoining

Early on and the ASF had some overlap in directors; but we
disengaged at some point. I suggest we re-enage. As there now is an affiliate
agreement ( I am asking for the
board to OK re-enagement subject to an legal OK; with our president as the
person to vote in the OSI board election; our VP of Marketing for the
marketing contact and the VP of public affairs as the contact for their Public
Policy angle.

BOARD Action: yes / no