
This was extracted (@ 2024-04-17 21:10) from a list of minutes which have been approved by the Board.
Please Note The Board typically approves the minutes of the previous meeting at the beginning of every Board meeting; therefore, the list below does not normally contain details from the minutes of the most recent Board meeting.

WARNING: these pages may omit some original contents of the minutes.
This is due to changes in the layout of the source minutes over the years. Fixes are being worked on.


Public Affairs

20 Mar 2024 [Dirk-Willem van Gulik]

With the Cyber Resilience Act (CRA) now through final vote
https://www.europarl.europa.eu/doceo/document/PV-9-2024-03-12-ITM-008-11_EN.html
(icons at top of page to select a language - e.g. in English:
https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf) - all
that now we’re waiting for is the publication in the official journal to
anchor the various legal `in-effect' dates. Meanwhile the Product Liability
Directive (PLD) is proceeding apace. The EU interoperability-act and the
Artificial Intelligence (AI) act cleared the Parliament March 13
(https://www.europarl.europa.eu/doceo/document/PV-9-2024-03-13-RCV_EN.html).
The Standards Essential Patents Regulation (SEP) also cleared parliament -
and while not ideal - it is not a disaster for open source either.

With that, the focus for the CRA is now firmly shifted towards implementation.
There are several things going on here in parallel.

First - we’re working with our peers (i.e. well-governed open source
organisations that are likely to meet the not-yet-created definition of an
open source steward) to see if we can take the `good things' we do today
around security, triage, releases, CVEs and so on - and officially define
these as industry best practice baseline.

So this is nothing new (for us) - but does formalize things like: `triage
vulnerability reports according to risk & fast track if needed', `fix issues',
do not release code with known issues, move a project to the Attic if no longer
maintained, do responsible/coordinated disclosure, etc. And we want to make
these more formal, using bits from ISO 27001 or ISO 29147 & right-sizing these
to the open source steward role.

Secondly - we met with various European Commission Directorates' experts
and European Standards Organisations (ESOs) folks face to face in the last
weeks. News here was not overly good - they fully understand the
dichotomy in open source: its role -- i.e. of us being something both akin to an
extension/core of the industry; and also akin to a citizens/society
organisation where people, rather than companies, build something collectively
- but the other shoe has not quite dropped yet. I.e. that open source is not just
another (national) company that can work with (national) interests to do the
right things in CEN/CENELEC or other ESOs. This is even more important as
increasingly the ESOs are not standardising fairly value-neutral things such
as how to measure the fire-proofness of a wall in hours or the frequency
deviation (all measurable with normal objective `kit' such as a stopwatch or
an oscilloscope) -- but things such as `what is the right way to balance
privacy vs. security'. And this is made worse as there is not much `open'
to the process of creating 'open standards'.

That said - in a bit of good news - open standards have become a bit more open
-- the wonderful Carl Malamud fought all the way to the European Court of
Justice to get citizens free/unfettered access to harmonised standards that
are, essentially, part of the law. (Background - unlike the IETF (RFC) and
W3C standards that rule the IT world - most ISO, CEN and similar standards
are behind a paywall).
https://www.eff.org/press/releases/appeals-court-upholds-publicresourceorgs-right-post-public-laws-and-regulations

The other issue of concern is that, for the CRA, the EC expects CENELEC to
deliver. However, the recent effort of CEN/CENELEC to deliver on the Radio
Emission Directive (RED) saw CENELEC (in their own words) deliver late and
with sub-par standard processes and sub-standard quality standards. And they
(fairly) point at the lack of time and lack of volunteers. This despite RED
aligning with their traditional expertise and community. The CRA effort is, I
think, significantly larger than RED. And their community has not yet
attracted the needed people and expertise. And there is less time. Basically -
CENELEC hails from the world of Information Communication Technology; with a
lot of emphasis on that 'C' of Communications. Whereas open source is largely
the world of (generic) IT. I.e. higher on the stack (also from a political &
consumer perspective).

Also of importance here is that the US, at these meetings, indicated that
while it agrees on the CRA outcome, it is not married to the EU Standard
approach. The US will do its own thing and was quite clear that it is perfectly
willing to have the US National Institute of Standards and Technology
(NIST) directly author/create these.

Thirdly - I am talking to the other open source foundations and OFE to see if
we can help our community help itself by including EU companies in our
communities in the various funding rounds that are available to evaluate the
impact of the CRA, to create the tooling needed at Micro-, Small and Medium
Enterprises (SMEs), to evaluate that tooling and so on. This is a bit slow
going. Part of the complexity is that we, as a USA organisation and a
volunteer organisation, are not practically eligible for anything. This is
rather sad - as arguably we'd be in a great position to help our community
help itself if we could work at the aggregate level.

So much for the CRA.

On AI not much to report - for the ASF Michael Wechner is keeping an eye on
this for us. Vote in the parliament just passed - with final language versions
still appearing.
https://www.europarl.europa.eu/doceo/document/PV-9-2024-03-13-RCV_EN.html
That means it will start to go into full force well before the end of the year
(for high-risk AI).

Similar for the Interoperability Act, which will require the EU to form an
interoperability expert community that includes open source. Not sure if the
ASF has the volunteering capacity in Europe for that.

Product Liability Directive (PLD) - similar situation - probably going to be
voted through by the parliament mid April - and it is therefore likely that it
will not benefit from the better definitions of open source stewards in the CRA.
This will cause noise; especially for our downstream community.

The Standard Essential Patents Regulation went through the European Parliament
much faster than expected. Overall it is in a reasonable state from the ASF
perspective. We currently lack volunteers here to really contribute/help right
the wrongs. But OFE is coordinating good work here from the likes of OSI and
other experts.

Finally - Regulation 1025 https://eur-lex.europa.eu/eli/reg/2012/1025/oj
that defines how standards are managed & the level of access by industry and
civil society is up for renewal/updating. When it was originally written, free
and open source software was more seen as a business-model/variation of normal
corporate activity, i.e. a special, small form of commercial activity. And
Information and Communication Technology (ICT) standards were something else,
with companies firmly in charge of this field.

Today the situation is almost reversed - with 95% of products with digital
elements being open source that is shared across products. And general
Information Technology (IT, so without the C) far eclipsing ICT. Several of
our peer orgs are trying to get involved and help modernise this. I will try
to see if we can get expert volunteering for this in the ASF - but am
expecting that resource constraints mean that we are leaving this to the
organizations around OFE and the more expert players in our downstream industry.

As for the US - I'll let David report on that.

21 Feb 2024 [Dirk-Willem van Gulik]

CRA & PLD - Informal reports are that the final text of the CRA has been
translated into all languages; and that the legal/linguistic experts have not
flagged issues that require an extra clarification cycle by policy
makers/politicians. However, with the election near and the various
significant global events, the legislation train is said to be stalled.

This makes it likely that the CRA will not make it through the process before
the EU election. This means that we’re looking at Q3 or perhaps Q4 (once a
new parliament and commission have formed) before a formal vote. This also
means that the start of some of the implementation funding and standards processes
may get delayed, which is helpful.

Given this and the elections - it does not seem likely that extra time will
help us improve the (open source) definitions in the PLD. So that means no
changes, which is not ideal. But not a disaster either.

Also of note is the AI act, which now contains a usable exception for open
source. But there are major puzzles: the open source definition is copyright
based, while a lot of key 'IP' of AI is more Database Rights/TRIPS convention
related. And there is a lack of technical understanding at the policy
makers when it comes to things such as weights/models, tests, training data and
so on. Michael Wechner has volunteered on the AI act, and is now actively
following that (with coordination on public-affairs-private). I expect OFE to
play the same cross-community coordination/information role for the AI act as it
did for the PLD and CRA.

As is customary, the European Commission and Open Forum Europe arranged for an
'open source week' in the period around FOSDEM, and at FOSDEM, to touch base
with policy makers. With Craig Russell, David Nalley, several ASF
members/committers and me (Dirk) in attendance.

The impact of the CRA and PLD was the main topic at the EU Workshop Open
Source Area for Digital Autonomy, with the open source position generally well
represented. And with the point, repeatedly made and generally accepted, that
open source is not just key to innovation; but also the main and only
foundation of the modern (internet) software industry. It was also clear that
the concept of Open Source Steward, even though introduced late in the
legislative process, was fully accepted by all stakeholders and seen as a
lasting solution. I.e. as a 4th economic actor.

Less positive was the repeated insistence by some that the onus to 'fix bad
regulation' is squarely on open source in general, and the industry in
particular; i.e. the expectation is that we as open source communities actively
follow, and 'meddle' in, policy and nascent legislation. And that it is assumed
to be our job to fix what the policy makers throw over the fence. And that
this is part and parcel of a 'responsible open source community' that can be
trusted as 'open source stewards'. And with not much give by the Commission
(which controls the key standards bodies) on ensuring the required level of
access by open source foundations (even though the CRA mandates this).

This workshop also stressed quite a few financial support packages to prepare,
aid and create capacity for CRA and PLD implementation. We’ll discuss these
with our peers, but our (ASF) participation is likely to be extremely limited,
for the simple reason that most require a fully/exclusive EU legal entity and
'paid developers'; so this is more for the SMEs in our community.

The more general EU Open Source Policy Summit more or less matched the EU
Workshop - but with a bit more emphasis on countries outside the EU and USA
(where one should expect the same) and a lot of concern for creating the
capacity and capability required to actually implement this legislation.

At FOSDEM we, as part of the open source community, backed the EU reporting
back to the wider open source community on the process the EC went through
after the EU gave their 2023 plenary talk on software regulation.

Our collective message there has generally been a cautiously positive one; i.e.
not as total a disaster as the original plan was. The role defined in the
legislation for open source stewards is very helpful, but the devil is in the
details of the 40+ international standards that need to be written. With a lot
of emphasis on how hard these standard processes have traditionally been to
participate in.

FOSDEM held a full Sunday 'devroom' spent on the same topic (credits to Open
Forum Europe, NLNet and the Open Source Initiative). Here too, the concerns
around standards came up repeatedly, and with not much give (yet)
by commission/standards representatives.

Some time was given to the European Interoperability Act — which will soon set
minimal levels of interoperability; some of which is most likely only
'practical' if the parties involved use the same (and hence open source)
software.

We’re also exploring if the ASF wants to participate in some of the European
Calls for Tenders that ask the market/open source stewards for feedback, and
where the EU provides funding for developing the documentation and
processes that may facilitate the implementation of the CRA.

Given the complexity of our being a US organisation - it may well be that we’re
only passively supportive here — and rely on interested SMEs in Europe that
are part of our downstream community for the actual involvement.

17 Jan 2024 [Dirk-Willem van Gulik]

PLD/CRA situation stable & the good news of the special economic class of
`open source stewards' created for us seems to be solidly locked in for us
now. Same for the product liability directive; in essence it should either
stay as is; or improve with the better definitions of open source. We expect
the CRA to come into force next month; with implementation complete early
2027.

With the other more vocal/pro-active foundations having reflected on it in
public - the ASF is now readying a more factual, muted but generally positive
story as a blog post. Planned to be on-line well before FOSDEM.

We plan to send a questionnaire to either all PMCs or all committers (probably
the first) to make a first pass to see where we have the grey (direct to
consumer, Blog Roller, Open Office) & black areas (annex-II; needs to be fit
for `critical software' - e.g. APR, LDAP, SSHD) with regard to their
respective areas. This will help us prepare for the CRA.

All this also means that public policy will need to shift towards the USA's
upcoming software regulation; so I will also prepare a call-to-action on
members@ to see if we can find a volunteer that is more US centric to replace
me (or if that is too tall an order, offer to do something overlapping).

20 Dec 2023 [Dirk-Willem van Gulik]

The CRA got finalised in a marathon meeting between the countries, parliament
and commission that saw a lot of last-minute changes and an almost complete
reversal with respect to the situation around open source.

The first good thing is that the concept of `open source stewards' was solidly
introduced; whose `products' were placed under a much lighter regimen &
fines. And this is combined with an actual definition of open source and a much
better definition of `commercial' that is not as close to placing things on
the market as before. Also good is that development and supply are no longer
seen as one; but pulled apart. That also gives room for individual developers;
i.e. natural persons, to be shielded for their upstream contributions (these
no longer are under the CRA; i.e. they & SMEs are not `liable' for that - e.g.
when their security fix boomerangs back through the ASF to the EU market).

Unfortunately we do not have the actual, final, text yet as approved; so a
decent analysis will have to wait for a few more weeks. The signing may still
happen this year; but is likely to be early January; with it coming into force
20 days later. There is then a 3 year period in which some 40-odd
(international) standards and other details need to be refined before the CRA
has all its `teeth'.

So we've gone from truly bad to possibly quite workable, and if one is
optimistic, to a situation where it may actually improve security.

That said - like similar regulation such as MRR/MRD, the industry will be
impacted; cost increases of about a third are generally expected. I am hopeful
that the ASF, and similar organisations, can help buffer some of that impact
by providing a place for the community to coordinate & prevent double work.

Most of these implementation processes will be kicked off around FOSDEM, early
Feb, with a series of meetings and workshops. The ASF has expressed that it is
willing to work with its peers (e.g. the Python, Eclipse, etc) to assess
impact and develop best practices.

PLD - proceeding as expected; and has a workable `exceptions' subject to some
more thorough legal analysis (which will aid understanding - it won't make any
difference).

However there is now an odd situation; the CRA was way worse than the PLD; but
with the recent CRA changes - it now actually becomes interesting to improve
the PLDs definitions of open source and align these with the CRA. Both to
improve them -and- to make it easier to implement (i.e. no odd issues at the
fringes - as one will always need to implement the superset; both CRA and
PLD).

Regardless - this still means full, strict, liability will be in place
sometime early next year. These will void our `waivers' to a large extent
downstream from us; i.e. `after' our commercial downstream parties. While a
massive change for the industry - the impact on us appears very limited still.
With a bit of luck we have enough final text in late December to start doing a
proper legal analysis.

Various other acts, including the AI act, got through as well - but these by
and large contain the right sort of foundation/component exceptions that work
for communities such as the ASF that want to collectively work on code or
models.

US & Standards

Nothing to report in this cycle.

15 Nov 2023 [Dirk-Willem van Gulik]

Europe
======

PLD - proceeding as expected; and has a workable `exceptions' subject to some
more thorough legal analysis (which will aid understanding - it won't make any
difference). This means full, strict, liability will be in place sometime
early next year. These will void our `waivers' to a large extent downstream
from us; i.e. `after' our commercial downstream parties. While a massive
change for the industry - the impact on us appears very limited still. With a
bit of luck we have enough final text in December to start doing a proper
legal analysis.

The CRA slowed down somewhat; with a complex, new and ill defined concept
introduced late (Open Source Stewards). It also saw an increasingly wide swath
of large economic EU interests expressing concern about open source. This is
making it much easier for us to directly communicate with the member states /
perm-reps. Likewise - coordination with our peer open source organisations
through Open Forum Europe is generally productive; with conversations with the
right people (Shadows, etc).

Member states' reactions now appear to shift from an optimistic idea that
the current `place on the market' and `commercial context' variations are
sufficiently well defined to avoid adverse effects on open source to now
stressing that any imperfections w.r.t. open source (foundations) are 'not a
worry' as they 'can be fixed later' (e.g. in the New Legislative Framework).

Neither is likely to be enough/happen. However the slowdown is not as much as
we hoped (i.e. into the Belgian presidency or the elections) -- with this
Friday a meeting on the full text (including the recitals, which is very
unusual) expected.

USA
===

No changes - and NIST is increasingly engaging with industry (see also report
by Ruth/Security). Given the standstill of progress on the normative standards
organisations in Europe -- this still makes it increasingly likely that it is
ultimately the US that will define the global standards in this area.

Standards
=========

No changes over the summer / no new conversations.

18 Oct 2023 [Dirk-Willem van Gulik]

Europe
======

The PLD appears stable and on track - and has a workable `exceptions' subject
to some more thorough legal analysis (which will aid understanding - it won't
make any difference).

The CRA was expected to pop out this month; but Spain (the current president)
tried to chew off more than it could bite (and/or the political world has more
important fires to address) -- so it may slip into the Belgian presidency.
This means delays.

I've sought guidance from our President/VP Legal to engage legal expertise
around the crucial `place it in the market' issues on which the CRA (and the
(in)effectiveness of the open source special clauses) hinges.

So I want to directly engage some legal expertise around a few, ASF specific,
narrow interpretation questions: 1) confirmation that distributing
source code with make/build/rel-notes, version numbers, etc, i.e. all that
`signals that this code is expected to be used', meets the current (and not yet
final) definitions of placing it into the market of the Blue Guide/NLF; 2) what
the boundary would be if the ASF were to avoid itself placing a product on the
market/having the CRA read on it; and 3) the implications for both our EU based
committers -and- their employers.

So I will get options; put them in front of Roman and then to David for OK.

CRA P(review) Week
==================

There is continued discussion on the mailing list about the need for a "louder
action", especially the concept of CRAP Week.

Meanwhile we have now seen evidence of the very large, powerful industries waking
up to the reality (last page of
https://cdn.digitaleurope.org/uploads/2023/09/DIGITALEUROPE_Building-a-strong-foundation-for-the-CRA_key-considerations-for-trilogues.pdf)
-- and also see that this is not having much visible effect (so my last report was too
optimistic).

We're trying to get to consensus - have tried to summarise at :
https://lists.apache.org/thread/510dftsqsw8mvq5g0m3hfm8nfrgxpds3

USA
===

No changes - and NIST is increasingly engaging with industry. Given the
standstill of progress on the normative standards organisations in Europe --
this makes it increasingly likely that it is ultimately the US that will
define the global standards in this area.

Standards
=========

No changes over the summer / no new conversations.

20 Sep 2023 [Dirk-Willem van Gulik]

Europe
======

Over the parliament recess, significant work and various analyses were done on the
3(4) versions of the CRA by the open source foundations; coordinated by Open
Forum Europe. This will lead to outreach to national stakeholders/cabinet
offices and the EU/EC that is coordinated between all of us. With consensus
inside and outside the ASF. This analysis is expected to become public this
week (with earlier versions used by some of our members in talks with NL, DE
and IT). Note that this will be under the OFE banner - we, the ASF, merely
support their work.

Conversations with DE suggest that the CRA is getting slowed down; with
trialogue completion now expected no earlier than end of October. The PLD
(plain, simple, strict liability for software) is still on schedule for the
end of this year.

The situation around the 3 versions sees some of our large peer organisations
deciding to await the outcome of the Trialogues before a more
public/public-outcry oriented campaign. Consensus at the ASF (and various
other peer organisations) seems to be that this is too late; as 1) the
regulation has been carved into stone at that point; and you generally assume
a complete reversal. And 2) as the current Council version (which generally
`wins') is not that problematic for a pure volunteer-run organisation like us
(i.e. where the open source organisation does not pay its developers; where
the board does not tell PMCs what to do).

I am currently looking into engaging some legal expertise around a few, ASF
specific, narrow interpretation questions: 1) confirmation that distributing
source code with make/build/rel-notes, version numbers, etc, i.e. all that
`signals that this code is expected to be used', meets the current (and not yet
final) definitions of placing it into the market of the Blue Guide/NLF; 2)
what the boundary would be if the ASF were to avoid itself placing a product
on the market/having the CRA read on it; and 3) the implications for both our EU
based committers -and- their employers.

CRA P(review) Week
==================

There is discussion on the mailing list about the need for a "louder
action", especially the concept of CRAP Week, but the exact definition of
this, the goals of this action, the impact of said action on the community,
and the required infrastructure resources and timing continue to be
debated.  There is not a consensus that the action would accomplish the
stated goals of attracting attention and getting our community fired up
against the CRA.  Indeed, this could easily alienate our supporters.  If we
are to contemplate this for the future and anticipate the need for this
action of "last resort", it would require Board approvals as it falls
outside the purview of the Public Affairs remit.  Meanwhile we are seeing
large, powerful industries waking up to the reality and the action may not
be needed.

USA
===

No changes - but NIST is increasingly engaging with industry. Given the lack
of progress on the normative standards organisations in Europe -- this makes
it increasingly likely that it is ultimately the US that will define the
global standards in this area.

International
=============

There is a Linux Foundation organised Open Source Summit in Bilbao. ASF folks
known to attend have been briefed - but we've postponed/declined to engage
with lawmakers/regulators in prepared meetings & avoided a public appearance.

(Background: Bilbao is in Spain, and Spain is the current president of the EU
& hence sets agenda/etc for the next months). Instead people attending have
been given a number of talking points to have ready should they happen to be
put in a position where they need to respond/have the right opportunity.

Standards
=========

No changes over the summer / no new conversations.

16 Aug 2023 [Dirk-Willem van Gulik]

Europe
======

With Europe (Brussels & national capitals) largely shut down over the summer
there is no additional clarity/leaks on which of the 3 versions of the CRA
will prevail. No changes around the status of the PLD (strict liability for
software) — the exemption for `us’ still there. Unfortunately - the current
documents are not yet final enough for proper legal analysis.

Both industry (i.e. larger enterprises, SMEs) and the wider open source community
(especially those that pay their developers) are starting to understand the
implications. With several highly respected industry consortia briefing in
line with our interest. Progress at Open Forum Europe to come with a general
analysis that helps inform the trialogues by describing impact.

Meanwhile - various people in our community have been brainstorming what
possible (public) responses; such as ‘CRAP week (CRA preview week)’ are
appropriate. I think that this needs another 1 or 2 weeks to see what the
sentiment is at our peer open source organisations before the ASF needs to
make up its mind. Reality is that the `Council’ version (that generally sets
the tone) is not -that- bad for the ASF.

USA
===

No changes

Russia
======

There is some discussion on the mailing list as to whether or not to be a `good
community shepherd’ and stress to, or inform (e.g. with a very short blog
post), our committers at the ASF that the ASF, at this time, has not
registered itself on the foreign non-profit organisations register of Russia;
and that the ASF, as a Delaware Inc entity, has, at this time, no intention to
analyse the situation or register. This discussion has not yet reached
consensus and is still going on.

Background:
https://russia.postsen.com/business/372099/Under-the-new-law-developers-of-unregistered-open-source-software-can-be-prosecuted-under-the-Criminal-Code-of-the-Russian-Federation.html

Standards (US/EUROPE):
======================

We’re reaching out to organisations that represent nations on the standards
bodies to make our existence known & offer expertise. Both jointly through
OFE and, hopefully, as the ASF come September (I expect to post a call for
volunteers once we have the details). There are also several calls going out
for experts to sit on standards bodies that will operationalise the CRA/PLD
(e.g. https://www.sbs-sme.eu/sites/default/files/Open%20call%20for%20experts%20-%20for%202024%20.pdf)
- I hope to get a complete list & then pass this on to our community
(committers & members) to find (local) volunteers.

Open Forum Europe
=================

Asking the board for a budget/OK to sign up to supporting them for 30k/year.
Secondly we decide if we want to be publicly listed on their site as a
supporter. My suggestion is that we do that; as it is a win-win for us & the
wider open source community (and we can rescind this any time we want).

There is no paperwork needed. They would need an email confirming this, the
payment made & which logos we’d want them to use - and our contacts.

BOARD Action: ok on budget & ok on becoming a supporter.

Open Source Initiative (OSI) - rejoining
========================================

Early on opensource.org and the ASF had some overlap in directors; but we
disengaged at some point. I suggest we re-engage. As there now is an affiliate
agreement (https://opensource.org/affiliateAgreement/) I am asking for the
board to OK re-engagement subject to a legal OK; with our president as the
person to vote in the OSI board election; our VP of Marketing for the
marketing contact and the VP of public affairs as the contact for their Public
Policy angle.

BOARD Action: yes / no