This was extracted (@ 2025-04-16 22:10) from a list of minutes
which have been approved by the Board.
Please Note
The Board typically approves the minutes of the previous meeting at the
beginning of every Board meeting; therefore, the list below does not
normally contain details from the minutes of the most recent Board meeting.
WARNING: these pages may omit some original contents of the minutes.
Meeting times vary, the exact schedule is available to ASF Members and Officers, search for "calendar" in the Foundation's private index page (svn:foundation/private-index.html).
CRA:
First definitions are starting to appear & with formal feedback
requested:
https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14449-Technical-description-of-important-and-critical-products-with-digital-elements_en
In general - more things are getting fixed than getting broken. So we'll
work with the Open Regulatory Working group (i.e. our peer foundations)
on a response.
First doubt in CENELEC community about meeting April deadlines. Also
appears that they are also unable to get volunteers from the CENELEC
community.
Open Source people participating (the ASF needs more!) suggest that
things are going into the right direction; with sensible pointers to ISO
29147 and ISO 30111; that are already understood.
For the SBOMs, word on the street is that they are looking at the
CISA/NTIA requirements; so no surprises expected there.
As expected - composition is a source of disagreement (the EC seems to
push ideas of certification being in essence, `transitive'; e.g. as in
`trust is transitive' -- which does not work well in the land of
security).
ETSI:
The work on the vertical standarts (So specifically for things like
PKI, software that does authentication, etc) has now begon.
The open source community does need to get more people into this
process. But the good news here is that ETSI is a lot more
accommodating and pro-active than CENELEC. And they seem to have
really taken this regulatory need to `consult with the open source
community' to heart.
ORC:
Open Regulatory Compliance Working Group - nicely picking up the right
things/progress & sufficiently low barrier/open
(https://github.com/orcwg)
USA:
Waiting for the waters to calm before trying to even make sense of
that. Pretty much all contacts we had are either gone or too busy with
other stuff.
We'll probably need to consider having a native ASA volunteer as a VP of
PubAffairs USA over there; as the alignment of the US with the other power
blocks is gone.
Slightly more concerning is that we're seeing, or hearing of, historic
information flows becoming stilted.
UN:
There is rough consensus that endorsing the United Nations Open
Source Principles:
https://unite.un.org/news/osi-first-endorse-united-nations-open-source-principles
is a good thing and furthers the general good the ASF tries do to in the
world. And unlike the previous 'compact' in which one becomes part of an
agreement - these principles just call for endorsement.
Unless I hear a loud Nay from the board - I'll work with our President, VP of
Legal and VP of Marketing to go through the details and then, if it still
makes sense, make this happen.
Per request of Criag - as a link so he can edit it easier: https://docs.google.com/document/d/1x4clsd2MnNFIQopGGSz__zdQtwGUG5jsvONt7jVzyIE/edit?tab=t.0 Open Source / Policy Week Brussels - The ASF, with a bunch of our open source peers, met face to face with ENISA/CISA in the days before FOSDEM. Meeting positive; starting to build understanding and convey how security is handled in the IT industry in general and in open source in particular. Arnoud, Lars, Mark, Jarek and I represented the ASF. With Eclipse, OpenSSF, Python, Rust, OWASP, etc present. We only covered a fraction of the agenda - so will see if we can do another cycle to actually cover some of the agenda; it appeared there was appetite for this / was found useful. Ideally I’d like to get to a situation where the next edition is hosted by CISA (perhaps colocated with a large event in the US). And, slightly longer term, I would like to see if we can also gently ask the Chinese and other equivalents of CISA/ENISA if they want to be involved/host this on some rotating basis. - This was followed by the Open Source Academy Award; a new thing. Which is an attempt to give open source some of the instruments that fields such as science have to more easily integrate into polite society. Organised by OFE and supported by the EC, the hope here is that this can become something akin the various Royal Academies of Sciences or the Académie Française. Well attended. Well received. - Open Source Policy day was held on Friday - very well attended; with clearly every year a larger group of key policy/decision makers. Ruth represented the ASF on stage in one of the panels. - Good set of F2F workshops around the CRA; hosted by the Open Regulatory Working Group. Well organised. With a solid/near complete attendance of all main open source and a lot of the relevant industry players present. Very positive - the community as a whole is now well beyond the point of upset, anger or inactivity. Instead the event quickly turned into a real workshop with real work being done. Main place is https://github.com/orcwg - and increasingly using the tools and habits of open source. Also - focus is now clearly shifting from politics to practical implementation and technology. We can use a bit more ASF voice (and I should communicate a bit more publicly now to those who only know about the CRA/PLD from HN and slashdot) - but no concerns/going into the right direction. Ill timed OFAC list concerns voiced by LF - LF publicly expressed concerns about its ability to interact with people and entities on the OFAC list. Which was easily/generally misunderstood or misread as a very generic `lawyers now suddenly say that we as open source people cannot work with our Russian peers’. Forgoing the specifics of LF, the way it finances/interacts and so on. With people jumping to conclusions and assuming it is a `new disastrous thing’. Worked with Ruth/Roman to be in a position to explain the situation from an ASF perspective & had to emphasise to various policy makers that there are large differences between our type of open source and other, more commercial/contractor-ran open source. But mostly repeat that while the ASF of course will adhere to US law and regulation and that we have taken things as the OFAC list, Export Administration Regulation, Denied parties list and embargoed destination serious for over 25 years. And that this is nothing new, etc, etc for us. - FOSDEM - good show by all involved; special policy room on the CRA. Not seen the output of the interactive sessions yet - but engagement was positive and pro-active. If we are not careful :grin: Open Source may end up pushing the security/resiliance aspect of the CRA harder than the policy makers intended. - Meeting of most open source foundations F2F on the CRA and the AI act; under OFE chatham house rules. Was helpful to prepare of the CRA Expertmeeting (a formal body of the EC in which the ASF has a seat to help with the details/guidance of the CRA as it is implemented). The situation for non-affiliated open source contributors shapes up in the right direction (i.e. the CRA impacts the downstream; not them so much). But my main concern is still with both budding, new, not yet formalised open source (much like the ‘Apache Group’ was for 5+ years), and peers, such as for example in the Linux distribution space; who are too ill defined. So lets hope that we can use the CRA-Expert meeting to get some formal guidance/fixes for this. Also clear from this meeting - and the statements made earlier at the ORC workgroup - is that open source participation in the normative standards organisation is still a complete no-go area. These organisation are not moving one inch. I’ll be posting about a `hack’ the EU has dreamt up to work around this (basically grants of 5, 10 and 30k euro/year for private individuals) & associated call to action early March. But this too falls well short. So the ORC work at Eclipse and the work of people, like Lars & other people at companies that have access, in our community become crucial. Attended by Craig (both) and me (just CRA). CRA Expert meeting First meeting; ASF present as one of the 3 organisations representing open source. Quite a good and productive meetings as things go. Public minutes expected at the beginning of next week. USA - well :) let’s not wait with bated breath. We may turn purple. But would hope that at some point work on the various open source policies goes back to normal scheduled programming.
USA US seems to be in a bit of a transition phase - with key people a bit distracted; so nothing to report here. Comments were submitted for DARS-2024-0034-0001 https://www.regulations.gov/document/DARS-2024-0034-0001 with compliments to Henri and everyone else that worked on that. The short of it is that we tried to help explain/define open source better. EU CRA, PLD, DSA, NIS2, DORA, etc; the impact/actual creation of regulatory bodies & its funding seems a bit delayed (with [1] often referenced). For NIS2 (which is ahead of the CRA) - there is now the first guidance open for suggestions[2]. We will see the same for the CRA next year. Main item this month will be the CRA expert meeting (of which the ASF, with its peers Eclipse and LF) is part. There is some talk about the software liability v.s AI liability directive; with the move to the right of the parliament possibly narrowing scope down further. ORWGC Open Regulatory Working Group at Eclipse -- actual useful work is starting there; with sufficient (IETF/Apache style) openness/accessibility to anyone. While at the same time having enough structure/goverance to keep this useful/suitable to inform policy & PAS processes. My hope is that we can get enough of a decent FAQ[4] or 1-half pager by the time of FOSDEM to allay the first order concerns of open source developers. And as a minor tidbit - the FSFE has been given the right to intervene in the Apple court case at the EU court of justice. 1: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14168-White-Paper-How-to-master-Europes-digital-infrastructure-needs?_en 2: https://www.enisa.europa.eu/news/asking-for-your-feedback-enisa-technical-guidance-for-the-cybersecurity-measures-of-the-nis2-implementing-act 3: https://edri.org/our-work/free-software-foundation-europe-intervenes-in-landmark-apple-vs-european-commission-case/ 4: https://github.com/orcwg/cra-hub/blob/main/faq.md -- but look at the PRs/branches
- The Cyber Resilience Act (CRA) was published in the EU Official Journal on November 20, 2024 as 'EU 2024/2847' - the gazetteer/hansard in which laws get published. That means it came into effect on the 11th of December 2024; the requirements with regard to processes and notified bodies apply from 11th of June 2026; and the whole act coming into effect on the 11th of December 2027. The expected `panic' is materialising; but nowhere near as bad as we once feared. We probably should do some sort of blog post again. - The ASF application for the CRA Expert Group was accepted[1]. Final lineup is quite balanced; with some strong technical individuals such as Prof. Praneel and with more open source considerate representation than expected (Eclipse, OpenSSF, Stackable, DE tech fund, Digital SME Alliance) but still nowhere near reflective of the relative market share/CRA impact of actually deployed software in Europe. - Eclipse finally dotted most legal i&t's on the ORC-WG. We're not quite there yet - as the SIGs are not yet created. - Meanwhile - there is a lot of good work going on in the OWASP community around SBOMs; and I am hoping the ORC-WG and this work will simply align - one for the code; the other for the standards and best practices. - While most of the ESOs (normative standards bodies) are still not responding to us - we are slowly seeing more open source aligned parties becoming members. In this light - Pjotr is volunteering to liaise with ECMA; and after discussion on public-affairs@ - I'd like to request the appointment per below resolution. - We attended the LF workshop in Amsterdam on the CRA. OpenSSF@LF announced that they are creating a ORC-WG competing effort called the "Global Policy WG" with 3 SIGs: (Standards, Awareness en Tooling). Which is goodness - more focus and more volunteers is needed. That said - there was considerable annoyance in the wider community present about this lack of cohesion or collaboration. LF however contents that this effort is very much focused on implementing the CRA within their own organisation - and stresses that the mission is very narrow and limtied. This is however not quite in line with the mission as stated on https://github.com/ossf/wg-globalcyberpolicy/. - The wider open source community is picking up new US regulation that requires federal (eg. software) suppliers to disclose/track any foreign nationals involved: https://www.federalregister.gov/documents/2024/11/15/2024-26058/defense-federal-acquisition-regulation-supplement-disclosure-of-information-regarding-foreign and the relatively late addition of 'Section 239.7X03' that should exempt open source. There appears to be a lot of concern if this covers what we call open source; with the impact of the definition[2] getting debated. - Ruth and I are trying to see if we can get some boots on the ground in Washington. - There is an increasing awareness of the various open standards relevant regulation (like the USA financial stability act, the EU interop act, etc) and its interaction with open source and regulation. For a good introduction - see: https://opensource.org/blog/standards-and-the-presumption-of-conformity which is worth a read; as that directly impacts us -- there is no easier way to be interoperable that by using the same software - and netwerk effects/less friction always wins from the written standards). 1: https://ec.europa.eu/transparency/expert-groups-register/screen/expert-groups/consult?lang=en&groupId=3967&fromMembers=true 2: Open source software means software for which the human-readable source code is available for use, study, reuse, modification, enhancement, and redistribution by the users of such software (section 1655, Pub. L. 115-232). https://www.govinfo.gov/content/pkg/PLAW-115publ232/pdf/PLAW-115publ232.pdf
Not much change w.r.t. to public policy. Minor points:
- Open regulatory working group is bootstrapping its governance/oversight and
is now public (https://orcwg.org). As a reminder - this is our industry and
industry peers - and expected to deliver a writeup on industry
best/consensus practices as a baseline for the CRA and input for the
standards processes.
At least Brian Fox and I should nominate ourselves. Hoping I find a 3rd ASF
person.
- Various process delays around the official publications (i.e. the formal
gazetteer or hansard in which laws/acts are made formal); none projected to
matter much (to us/open source).
- Polish EU presidency: We now have two ASF polish members (Jarek,
Piotr) providing on-the-ground expertise and insights as
representatives of the open source community as part of the OFE
Capital Event Series.
- Various formal standards processes are getting underway - with (barely but)
enough open source voices present. The board is stacked against non-national
aligned interests though. And the US (NIST, etc) is not yet active. The
various IP issues have resurfaced.
- The review of 1024 (meta rules on how standards are made internationally) is
not going well. In effect, there is little or no self-reflection.
Both by the industry/old incumbent telco's of old -and- by the regulators.
This is not helping with much with the much needed modernisation & making it
suitable for an age in which software, rather than voltages & capacitance on
ethernet pins, is the topic. And completely ignores the elephant in the room
- that 90% of the internet/software originates & innovates as open source -
not as a proprietary single company interest.
The impact on us is basically that efforts like the open regulatory working
group get all the more important.
- Various expert committees are getting filled in order to prepare the
compliance/regulator side of the CRA, AI, et.al. ASF members have applied -
no yes/no's yet.
A report was expected, but not received
A report was expected, but not received
* General Purpose Artificial Intelligence AI act is now in force - the devil is in the details. And these details matter a lot - as the act was written in a hurry and is technically unclear/unimplementable. So that means a lot of cycles with invited experts and so on in the next months. Am trying to see if there are members that are willing to participate as such experts in this process - with call to action on members@ (two folks piped up sofar). * CRA, PLD, etc. No changes or new activity until parliament starts. Issues with the European (normative (==law making)) standards organisations (ESOs) seem to be coming to a head due to perceived/reported in-activity (or described as ineffectiveness by the powers that be) by CENELEC. No real impact on us short/mid-term - just makes the open-regulatory WG @ eclipse work more important. But if this becomes a long term issue - then we should consider if we want to also encourage the right things in the US and Azia w.r.t. to the International (normative) standards organisations (ISOs). * China Willem and I met with the Director of the Open Source and Software Security Department at the Chinese Academy of Information and Communications Technology (CAICT). They are an expertise centre / scientific research institute directly under the Ministry of Industry and Information Technology (MIIT). Together with their peer, China Electronics Standardization Institute (CESI, also under MIT), they are the two key strategic and regulatory entities in that region - and also the nexus for any work at ISO, ITU, CENELEC, etc. Generally a good meeting - and important to make sure we keep an open channel here. Several steps defined (and I am behind on this).
1) CRA and open standards. Final publication of actual law expected mid September. Focus can safely be put on standards. Eclipse (Known as the Open Regulatory Compliance Working Group <open-regulatory-compliance@eclipse.org> — fully open) going well. There appears to be some movement on the CENELEC side; including accepting non European liaisons/experts. I’ll keep an eye on this - we may want to apply. 2) David on a panel at the United Nations OSPO++ due (Secretary General; tech envoy); Ruth, Brian and Sander attending. 3) Willem Jiang and I should meet with the director of open source at the China Academy of Information and Communications Technology. The main purpose is to long term develop the same sort of informal relations between our local Apache community - mimicking how we can talk, or get informally consulted, by the European Commission and the likes of CISA and NIST in the US. This is a long term thing, with this a first baby step. And planned the day before CoC Asia. 4) Of all the big pieces of legislation - the AI act is still not finished/stable. PLD and the others - no changes. 5) With regard to 1025 (the rules for how the industry & open source can (or cannot as it is right now) are required to be involved in industry standards that are being rewritten) — the OFE letter appears to go the right direction; no need for us to push this or be very visible or anything.
First - was lovely to meet so many people in Bratislava & hear so many well considered, varied and valuable thoughts from people over how we as the ASF need to deal with regulation (or how we should ignore it). Most valuable. 1)CRA and open standards. Good and bad news. The good news is that he joint effort of the open source community at Eclipse (Known as the Open Regulatory Compliance Working Group mailto:open-regulatory-compliance@eclipse.org — fully open) is (finally!) off to a good start. With broad participation. And we saw an EU representative present at the last meeting - with the offer of EU to sort of act as an AMA when needed. The bad news is that despite a lot of push-pull - there is no movement on the CENELEC side. 2) The followup on the 2023 Geneva 'open source congress' is being planned in China, with Open Atom as the local organizer. After consulting with various people - the ASF is going to keep some distance for this year. The main two reasons both relate to trust and control. The first issue here is that when we prepared for the 2023 event, we got the very strong personal assurances from LF their SVP Research that was organising it — that any concerns of this being the start of a congress in the sense of a (chartered) UN style/treaty organisation were unwarranted. And that we should not read anything symbolic into the fact that it was in Geneva. That was laughable even. And we got strong assurances that there would not really be any closing statement or meaningful reports, other than a simple writeup for the participants. We since know that this is not quite how this played out - the report (https://www.linuxfoundation.org/research/2023-open-source-congress - in Chinese and English) was externally focused & exactly positions this event to become eactly such an organisation. Stressing the symbolism of Geneva, etc. etc. The second issue is that the set-up appears to give us both insufficient control over the reporting from the event and insufficient control on who we can have attend this event. Which is important - as, like in Geneva, the majority of those present are not open source organisations. But organisations that want to tell/control what open source should do. So we are going to keep a bit of distance here for now. 3) Of all the big pieces of legislation - the AI act is still not finished/stable. PLD and the others - no changes. 4) With regard to 1025 (the rules for how the industry & open source can (or cannot as it is right now) are required to be involved in industry standards that are being rewritten) — OFE is taking a lead there. But on the ASF side we’re having a lack of Human Resources to follow this. Which is a shame - but not fatal; as OSI and OFE are doing the right things here. I have some leads from Bratislava that I need to follow up on. Finally - much more longer term - I am hoping to start working with Willem Ning Jiang and the Chinese community to see if we can get our community there prepared for much the same conversations that we are now having in Europe and with CISA in the USA.
Short report this month: CRA: Some of the EU foundations are in the process of joining CEN/CENELEC as liaisons in order to be part of the standards process. OFE may be able to act coordinating. Ongoing attempts to figure out how to we as the ASF can do this. Discussing this with the OWASP foundation (also USA HQ) and exploring general collaboration in the context of the standards work coordinated by Eclipse. AI Act: Appears to be workable for the ASF - devil is in the details. The work at OSI (https:// opensource.org/deepdive/drafts/the-open-source-ai-definition-draft-v-0-0-3#) seems to be in sync and not yielding anything overly controversial. Personally I am a bit surprised at how easy the open source community is willing to let ‘go’ of the supplemental data — even those from the Free side of the world. (Michel - anything you want to add?) PLD, RCE/CER/DORA, etc: No change/nothing to report. XZ event: We informally encouraged ENISA to discuss coordination and their roles/channels in the CRA context (vis.a vi CISA in the USA) ; so that during the next event - the ASF can focus on triage & fixes. CIRCIA USA: "Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting" - to report certain things within 72 hours to a USA regulator. Request for feedback/comments. Not yet fully digested impact - main concern may be extra-territorial overlap (like the CRA, DSA, etc in Europe). Which makes it very important for the likes of CISA/ENISA etc to get integrated early in the routine responses of the informal open source security cabal. Standardisation Effort: Been quiet due to key staff on holidays. Expecting an announcement with quite a few more large open source organisations and open source security efforts joining. Likewise for the right leading EU industry players. But this is slow going - as this is strategic enough to require significant approval/review inside those enterprises. Expect we can start on the Steward part sometime late May.
CRA/PLD - Continued dialoges with policy makers useful and constructive. First signs that they are now also getting their arms wrapped around the absolutely massive capacity/capability issues. - Continued dialoges with the normative standards bodies not going as well. Nothing but diplomatic pleasantries w.r.t. to the main one, CEN/CENELEC, sofar. Plus we've now ran systematically through the various options suggested by (them/commissions/legal) experts and not many avenues left. With the same reported by the other open source stewards (and Simon Phipps warnings us that this was going to be the case all along :) ). This should now become a concern -- not so much for us; but for CEN/CENELEC and the commission. Especially as the needed reform of Regulation 1025 (see last report) is going to be too late. So this is mostly their (own) problem to fix. - We announced a collaboration with Eclipse, Python, Rest and a growing list of folks. Was received well (and Brian&press-team was lauded). Very likely we'll have some solid industry partners there too soon. First versions of bylaws/charter in draft. Probably ready for actually doing something useful end of spring. - XZ event triggers questions from policy makers and `what if the CRA would already have been in force' speculation. Sofar all informal. This is goodness - as the event showed that the EC/ENISA are not yet in an ideal position to work with the key open source stewards during events like this (unlike the USA their CISA who is well in tune/connected). We are pro-actively keeping the EC/ENISA informed & are trying to get them involved long term in this type of event. As long term this makes our open source steward/leadership much easier. And ties, trust and organisational-reflexes like this take years to forge. As for now - our headline reading on CRA & XZ is that these are orthogonal issues at best. And that while SBOMs would have been great and good (ENISA) contact/reporting can be helpful - this is also a case where the remit of industry stops and that of the authorities and intelligence agencies start. The analogy I've been experimenting with is that of a civil/chartered engineer signing off on a dead-normal bridge; and being liable for that bridge collapsing. But universally understood that if it collapses because of a terrorist detonating a truck of explosives - that it is then largely out of his realm. And with this XZ question we seem to be muddling this. AI act, SEP, InteropAct, etc - Nothing new to report - parliament is now going it its election cycle.
With the Cyber Resilience Act (CRA) now through final vote https://www.europarl.europa.eu/doceo/document/PV-9-2024-03-12-ITM-008-11_EN.html (icons at top of page to select a language - e.g. in English: https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.pdf)- all that now we’re waiting for is the publication in the official journal to anchor the various legal `in-effect' dates. Meanwhile the Product Liability Directive (PLD) is proceeding apace. The EU interoperability-act and the Artificial Intelligence (AI) act cleared the Parliament March 13 (https://www.europarl.europa.eu/doceo/document/PV-9-2024-03-13-RCV_EN.html). The Standards Essential Patents Regulation (SEP) also cleared parliament - and while not ideal - it is not a disaster for open source either. With that, the focus for the CRA is now firmly shifted towards implementation. There are several things going on here in parallel. First - we’re working with our peers (i.e. well-governed open source organisations that are likely to meet the not-yet-created definition of an open source steward) to see of we can take the `good things’ we do today around security, triage, releases, CVEs and so on - and officially define these as industry best practice baseline. So this is nothing new (for us) - but does formalize things like; `triage vulnerability reports according to risk & fast track if needed', `fix issues', do not release code with known issues, move a project to the Attic if no longer maintained, do responsible/coordinated disclosure, etc. And we want to make these more formal. Using bits from ISO 27001 or ISO 29147 & right-size these to the open source steward role. Secondly - we met with various European Commission Directorates' experts and European Standards Organisations (ESOs) folks face to face in the last weeks. News here was not overly good - they fully understand the dichotomy in open source: its role -- I.e of us being something both akin to an extension/core of the industry; and also akin to citizens/society organisation where people, rather than companies, build something collectively. - the other shoe has not quite dropped yet. I.e. that open-source is not just another (national) company that can work with (national) interests to do the right things in CEN/CENELEC or other ESOs. This is even more important as increasingly the ESOs are not standardising fairly value neutral things such as how to measure the fire-proofness of a wall in hours or the frequency deviation (all measurable with normal objective `kit' such as a stopwatch or an oscilloscope) -- but things such as `what is the right way to balance privacy v.s. security'. And this is made worse as there is not much `open' to the process of creating 'open standards'. That said - in a bit of good news - open standards have become a bit more open -- the wonderful Carl Malamud fought all the way to the European Court of Justice to get citizen free/unfettered access to harmonised standards that are, essentially, part of the law. (Background - unlike the IETF(RFC) and W3C standards that rule the IT world - most ISO, CEN and similar standards are behind a paywall). https://www.eff.org/press/releases/appeals-court-upholds-publicresourceorgs-right-post-public-laws-and-regulations The other issue of concern is that, for the CRA, the EC expects CENELEC to deliver. However, the recent effort of CEN/CENELEC to deliver on the Radio Emission Directive (RED) saw CENELEC (in their own words) deliver late and with sub-par standard processes and sub-standard quality standards. And they (fairly) point at the lack of time and lack of volunteers. This despite RED aligning with their traditional expertise and community. The CRA effort is, I think, significantly larger than RED. And their community has not yet attracted the needed people and expertise. And there is less time. Basically - CENELEC hails from the world of Information Communication Technology; with a lot of emphasis on that 'C' of Communications. Whereas open source is largely the world of (generic) IT. I.e. higher on the stack (also from a political & consumer perspective). Also f importance here is that the US, at these meetings, indicated that while it agrees on the CRA outcome, it is not married to the EU Standard approach. The US will do its own thing and was quite clear that it is perfectly willing to have the US National Institute for Standards and Technology (NIST) directly author/create these. Thirdly - I am talking to the other open source foundations and OFE to see if we can help our community help itself by including EU companies in our communities in the various funding rounds that are available to evaluate the impact of the CRA, to create the tooling needed at Micro-, Small and Medium Enterprises (SMEs), to evaluate that tooling and so on. This is a bit slow going. Part of the complexity is that we, as a USA organisation, and a volunteer organisation are not practically eligible for anything. This is rather sad - as arguably we'd be in a great position to help our community help itself if we could work at the aggregate level. So much for the CRA. On AI not much to report - for the ASF Michael Wechner is keeping an eye on this for us. Vote in the parliament just passed - with final language versions still appearing. https://www.europarl.europa.eu/doceo/document/PV-9-2024-03-13-RCV_EN.html That means it will start to go into full force well before the end of the year (for high risk) AI. Similar for the Interoperability Act, which will require the EU to form an interoperability expert community that includes open source. Not sure if the ASF has the volunteering capacity in Europe for that. Product Liability Directive (PLD) - similar situation - probably going to be voted through by the parliament mid April - and it is therefore likely that it will not benefit from the better definitions of open source stewards in the CRA. This will cause noise; especially for our downstream community. The Standard Essential Patents Regulation went through the European Parliament much faster than expected. Overall it is in a reasonable state from the ASF perspective. We currently lack volunteers here to really contribute/help right the wrongs. But OFE is coordinating good work here from the likes of OSI and other experts. Finally - Regulation 1025 https://eur-lex.europa.eu/eli/reg/2012/1025/oj that defines how standards are managed & the level of access by industry and civil society is up for renewal/updating. When it was originally written, free and open source software was more seen as a business-model/variation of normal corporate activity. I.e. a special, small, form of commercial activity. And Information, Communication Technology (ICT) standards something else. With companies firmly in charge of this field. Today the situation is almost reversed - with 95% of products with digital elements being open source that is shared across products. And general Information Technology (IT, so without the C) far eclipsing ICT. Several of our peer orgs are trying to get involved and help modernise this. I will try to see if we can get expert volunteering for this in the ASF - but am expecting that resource constraints mean that we are leaving this to the organizations around OFE and the more expert players in our downstream industry. As for the US - I'll let David report on that.
CRA & PLD - Informal reports are that the final text of the CRA has been translated in all languages; and that the legal/linguistic experts have not flagged issues that require an extra clarification cycle by policy makers/politicians. However, with the election near and the various significant global events, the legislation train is said to be stalled. This makes it likely that the CRA will not make it through the process before the EU election. This means that we’re looking at Q3 or perhaps Q4 (once a new parliament and commission have formed) before a formal vote. This also means that the start some of the implementation funding and standards-processes may get delayed, which is helpful. Given this and the elections - it does not seem likely that extra time will help us improve the (open source) definitions in the PLD. So that means no changes, which is not ideal. But not a disaster either. Also of note is the AI act, that now contain a usable exception for open source. But there are major puzzles: the open source definition is copyright based, while a lot of key 'IP' of AI is more Database Rights/TRIPS convention related. And there is a lack of technical understanding at the policy makers when it comes to things such weights/models, tests, training data and so on. Michael Wechner has volunteered on the AI act, and is now actively following that (with coordination on public-affairs-private). I expect OFE to play the same cross-community coordination/information role for the AI act as it did for the PLD and CRA. As is customary, the European Commission and Open Forum Europe arranged for an 'open source week' in the period around FOSDEM, and at FOSDEM, to touch base with policy makers. With Craig Russell, David Nalley, several ASF members/committers and me (Dirk) in attendance. The impact of the CRA and PLD were the main topic at the EU Workshop Open Source Area for Digital Autonomy, with open source position generally well represented. And with the point, repeatedly made and generally accepted, that open source is not just key to innovation; but also the main and only foundation of the modern (internet) software industry. It was also clear that the concept of Open Source Steward, even though introduced late in the legislative process, was fully accepted by all stakeholders and seen as a lasting solution. I.e. as a 4th economic actor. Less positive was the repeated insistence by some that the onus to 'fix bad regulation' is squarely on open source in general, and the industry in particular; i.e. the expectation us that we as open source communities, actively follow, and 'meddle' in policy and nascent legislation. And that it is assumed to be our job to fix what the policy makers throw over the fence. And that this is part and parcel of a 'responsible open source community' that can be trusted as 'open source stewards'. And with not much give by the Commission (which controls the key standards bodies) on ensuring the required level of access by open source foundations (even though the CRA mandates this). This workshop also stressed quite a few financial support packages to prepare, aid and create capacity for CRA and PLD implementation. We’ll discuss these with our peers, but our (ASF) participation is likely to be extremely limited, for the simple reason that most require a fully/exclusive EU legal entity and 'paid developers'; so this is more for the SMEs in our community. The more general EU Open Source Policy Summit more or less matched the EU Workshop - but with a bit more emphasis on countries outside the EU and USA (where one should expect the same) and a lot of concern for creating the capacity and capability required to actually implement this legislation. At FOSDEM we, as part of the open source community, backed the EU reporting back to the wider open source community on the process the EC went through after the EU gave their 2023 plenary talk on software regulation. Our collective message there has generally been a cautiously positive one; i.e. not as total a disaster as the original plan was. The role defined in the legislation for open source stewards is very helpful, but the devil is in the details of the 40+ international standards that need to be written. With a lot of emphasis on how hard these standard processes have traditionally been to participate in. FOSDEM held a full Sunday 'devroom' spent on the same topic (credits to Open Forum Europe, NLNet and the Open Source Initiative). Here too, the concerns around standards came up repeatedly, and with not much give (yet) by commission/standards representatives. Some time was given to the European Interoperability Act — which will soon set minimal levels of interoperability; some of which is most likely only 'practical' if the parties involved use the same (and hence open source) software. We’re also exploring if the ASF wants to participate in some of the European Call for Tenders that ask the market/open source stewards for feedback, And where the EU provides funding for developing the documentation and processes that may facilitate the implementation of the CRA. Given the complexity of our being a US organisation - it may well be that we’re only passively supportive here — and rely on interested SMEs in Europe that are part of our downstream community for the actual involvement.
PLD/CRA situation stable & the good news of the special economic class of `open source stewards' created for us seems to be solidly locked in for us now. Some for the product liability directive; in essence it should either stay as is; or improve with the better definitions of open source. We expect the CRA to come into force next month; with implementation complete early 2027. With the other more vocal/pro-active foundations having reflected on it in public - the ASF is now readying a more factual, muted but generally positive story as a blog post. Planned to be on-line well before FOSDEM. We plan to sent a questionaire to either all PMCs or all committers (probably the first) to make a first pass to see where we have the grey (direct to consumer, Blog Roller, Open Office) & black areas (annex-II; needs to be fit for `critical software' - e.g. APR, LDAP, SSHD) with regard to their respective areas. This will help us prepare for the CRA. All this also means that public policy will need to shift towards the USA their upcoming software regulation; so I will also prepare a call-to-action on members@ to see if we can find a volunteer that is more US centric) to replace me (or if that is too tall an order, offer to do something overlapping).
The CRA got finalised in a marathon meeting between the countries, parliament and commission that saw a lot of last-minute changes and an almost complete reversal with respect to the situation around open source. The first good thing is that the concept of `open source stewards' was solidly introduced; whose `products' where placed under a much lighter regimen & fines. And this is combined with an actual definition of open source and much better definition of `commercial' that is not as close to placing things on the market as before. Also good is that development and supply are no longer seen as one; but pulled apart. That also gives room for individual developers; i.e. natural persons, to be shielded for their upstream contributions (these no longer are under the CRA; i.e. they & SMEs are not `liable' for that - e.g. when their security fix boomerangs back through the ASF to the EU market). Unfortunately we do not have the actual, final, text yet as approved; so a decent analysis will have to wait for a few more weeks. The signing may still happen this year; but is likely to be early Januari; with it coming into force 20 days later. There is then a 3 year period in which some 40-odd (international) standards and other details need to be refined before the CRA has all its `teeth'. So we've gone from truly bad to possibly quite workable, and if one is optimistic, to a situation where it may actually improve security. That said - like similar regulation such as MRR/MRD, the industry will be impacted; cost increases of about a third are generally expected. I am hopeful that the ASF, and similar organisations, can help buffer some of that impact by providing a place for the community to coordinate \& prevent double work. Most of these implementation processes will be kicked off around FOSDEM, early Feb, with a series of meetings and workshop. The ASF has expressed that it is willing to work with its peers (e.g. the Python, Eclipse, etc) to assess impact and develop best practices. PLD - proceeding as expected; and has a workable `exceptions' subject to some more thorough legal analysis (which will aid understanding - it won't make any difference). However there is now an odd situation; the CRA was way worse than the PLD; but with the recent CRA changes - it now actually becomes interesting to improve the PLDs definitions of open source and align these with the CRA. Both to improve them -and- to make it easier to implement (i.e. no odd issues at the fringes - as one will always need to implement the superset; both CRA and PLD). Regardless - this still means full, strict, liability will be in place sometime early next year. These will void our `waivers' to a large extent downstream from us; i.e. `after' our commercial downstream parties. While a massive change for the industry - the impact on us appears very limited still. With a bit of luck we have enough final text in late December to start doing a proper legal analysis. Various other acts, including the AI act, got through as well - but these by and large contain the right sort of foundation/component exceptions that work for communities such as the ASF that want to collectively work on code or models. US & Standards Nothing to report in this cycle.
Europe ====== PLD - proceeding as expected; and has a workable `exceptions' subject to some more thorough legal analysis (which will aid understanding - it won't make any difference). This means full, strict, liability will be in place sometime early next year. These will void our `waivers' to a large extent downstream from us; i.e. `after' our commercial downstream parties. While a massive change for the industry - the impact on us appears very limited still. With a bit of luck we have enough final text in December to start doing a proper legal analysis. The CRA slowed down somewhat; with a complex, new and ill defined concept introduced late (Open Source Stewards). It also saw an increasingly wide swath of large economic EU interests expressing concern about open source. This is making it much easier for us to directly communicate with the member states / perm-reps. Likewise - coordination with our peer open source organisations through Open Forum Europe is generally productive; with conversations with the right people (Shadows, etc). Member-states their reaction now appear to shift from an optimistic idea that the current `place on the market' and `commercial context' variations are sufficiently well defined to avoid adverse effects on open source to now stressing that any imperfections w.r.t. open source (foundations) are 'not a worry' as they 'can be fixed later' (e.g. in the New Legislative Framework). Neither is likely to be enough/happen. However the slowdown is not as much as we hoped (i.e. into the Belgium presidency or the elections) -- with this Friday a meeting on the full text (including the recitals, which is very unusual) expected. USA === No changes - and NIST is increasingly engaging with industry (see also report by Ruth/Security). Given the standstill of progress on the normative standards organisations in Europe -- this still makes it increasingly likely that it is ultimately the US that will define the global standards in this area. Standards ========= No changes over the summer / no new conversations.
Europe ====== The PLD appears stable and on track - and has a workable `exceptions' subject to some more thorough legal analysis (which will aid understanding - it won't make any difference). The CRA was expected to pop out this month; but Spain (the current president) tried to chew off more than it could bite (and/or the political world has more important fires to address) -- so it may slip into the Belgium presidency. This means delays. I've sought guidance from our President/VPLegal to engage legal expertise around the crucial `place it in the market' issues on which the CRA (and the (in)effectiveness of the opensource special clauses hinges). So I want to directly engage some legal expertise around a few, ASF specific, narrow interpretation questions: 1) confirmation that distributing source code with make/build/rel-notes, version numbers. etc, i.e. alll that `signal that this code is expected to be used' meets the current (and not yet final) definitions of placing it into the market of the Blue Guide/NLF. 2) what the boundary would be if the ASF where to avoid itself to place a product on the market/have the CRA read on it and 3) the implications for both our EU based committers -and- their employers. So will get options; put them in front of Roman and for OK by David. CRA P(review) Week ================== There is continued discussion on the mailing list about the need for a "louder action", especially the concept of CRAP Week. Meanwhile we now seen evidence of the very large, powerful industries waking up to the reality (last page of https://cdn.digitaleurope.org/uploads/2023/09/DIGITALEUROPE_Building-a-strong-foundation-for-the-CRA_key-considerations-for-trilogues.pdf)-- and also see that not having much visible effect (so my last report was too optimistic). We're trying to get to consensus - have tried to summarise at : https://lists.apache.org/thread/510dftsqsw8mvq5g0m3hfm8nfrgxpds3 USA === No changes - and NIST is increasingly engaging with industry. Given the standstill of progress on the normative standards organisations in Europe -- this makes it increasingly likely that it is ultimately the US that will define the global standards in this area. Standards ========= No changes over the summer / no new conversations.
Europe ====== Over the parliament recess, significant work and various analyses done on the 3(4) versions of the CRA by the open source foundations; coordinated by Open Forum Europe. Which will lead to outreach to national stakeholders/cabinet offices and the EU/EC that is coordinated between all of us. With consensus inside and outside the ASF. This analysis is expected to become public this week (with earlier versions used by some of our members in talks with NL, DE and IT). Note that this will be under the OFE banner - we, the ASF, merely supports their work. Conversations with DE suggest that the CRA is getting slowed down; with trialogue completion now expected no earlier than end of October. The PLD (plain, simple, strict liability for software) is still on schedule for the end of this year. The situation around the 3 versions sees some of our large peer organsions deciding to wait the outcome of the Trialogues before a more public/public-outcry oriented campaign. Consensus at the ASF (and various other peer organisations) seems to be that this is too late; as 1) the regulation has been carved into stone at that point; and you generally assume a complete reversal. And 2) as the current Council version (which generally `win's) is not that problematic for a pure volunteer ran organisation like us (i.e. where the open source organisation does not pay its developers; where the baord does not tell PMCs what to do). I am currently looking into engaging some legal expertise around a few, ASF specific, narrow interpretation questions: 1) confirmation that distributing source code with make/build/rel-notes, version numbers. etc, i.e. alll that `signal that this code is expected to be used' meets the current (and not yet final) definitions of placing it into the market of the Blue Guide/NLF. 2) what the boundary would be if the ASF where to avoid itself to place a product on the market/have the CRA read on it and 3) the implications for both our EU based committers -and- their employers. CRA P(review) Week ================== There is discussion on the mailing list about the need for a "louder action", especially the concept of CRAP Week, but the exact definition of this, the goals of this action, the impact of said action on the community, and the required infrastructure resources and timing continue to be debated. There is not a consensus that the action would accomplish the stated goals of attracting attention and getting our community fired up against the CRA. Indeed, this could easily alienate our supporters. If we are to contemplate this for the future and anticipate the need for this action of "last resort", it would require Board approvals as it falls outside the purview of the Public Affairs remit. Meanwhile we are seeing large, powerful industries waking up to the reality and the action may not be needed. USA === No changes - but NIST is increasingly engaging with industry. Given the lack of progress on the normative standards organisations in Europe -- this makes it increasingly likely that it is ultimately the US that will define the global standards in this area. International ============= There is a Linux Foundation organised Open Source Summit in Bilbao. ASF folks known to attend have been briefed - but we've postponed/declined to engage with lawmakers/regulators in prepared meetings & avoided a public appearance. (Background: Bilbao is in Spain, and Spain is the current president of the EU & hence sets agenda/etc for the next months). Instead people attending have been given a number of talking points to have ready should they happen to be put in a position where they need to respond/have the right opportunity. Standards ========= No changes over the summer / no new conversations.
Europe ====== With Europe (Brussels & national capitals) largely shut down over the summer there is no additional clarity/leaks on which of the 3 versions of the CRA will prevail. No changes around the status of the PLD (strict liability for software) — the exemption for `us’ still there. Unfortunately - the current documents are not yet final enough for proper legal analysis. Both industry (i.e larger enterprises, SMEs) and wider open source community (especially those that pay their developers) starting to understand the implications. With several highy respected industry consortia briefing in line with our interest. Progress at Open Forum Europe to come with a general analysis that helps inform the trialogues by describing impact. Meanwhile - various people in our community have been brainstorming what possible (public) responses; such as ‘CRAP week (CRA preview week)’ are appropriate. I think that this this another 1 or 2 weeks to see what the sentiment is at our peer open source organisations before the ASF needs to make up its mind. Reality is that the `Council’ version (that generally sets the tone) is not -that- bad for the ASF. USA === No changes Russia ====== There is some discussion on the mailing list as to wether or not be a `good community shepherd’ and stress to, or inform (e.g. with a very short blog post), our committers at the ASF that the ASF, at this time, has not registered itself on the foreign non-profit organisations register of Russia; and that the ASF, as Delaware Inc entity, has, at this time, no intention to analyse the situation or register. This discussion has not yet reached consensus and is still going on. Background: https://russia.postsen.com/business/372099/Under-the-new-law-developers-of-unregistered-open-source-software-can-be-prosecuted-under-the-Criminal-Code-of-the-Russian-Federation.html Standards (US/EUROPE): ====================== We’re reaching out to organisations that represent nations on the standards bodies as to make our existence known & offer expertise. Both jointly through OFE and, hopefully, as the ASF come September (I expect to post a call for volunteers once we have the details). There are also several calls going out for experts to sit on standards bodies that will operationally the CRA/PLDA (e.g. https://www.sbs-sme.eu/sites/default/files/Open%20call%20for%20experts%20-%20for%202024%20.pdf) - I hope to get a complete list & then pass this on to our community (committers & members) to find (local) volunteers. Open Forum Europe ================= Asking the board for an budget/Ok to sign up to supporting them for 30k/year. Secondly we decede if we want to be publicly listed on their site as a supported. My suggestion is that we do that; as it is a win-win for us & the wider open source community (and we can rescind this any time we want). There is no paperwork needed. They would need an email confirming this, the payment made & which logo’s we’d want them to use - and our contacts. BOARD Action: ok on budget & ok on becoming a supporter. Open Source Initiative (OSI) - rejoining ======================================== Early on opensource.org and the ASF had some overlap in directors; but we disengaged at some point. I suggest we re-enage. As there now is an affiliate agreement (https://opensource.org/affiliateAgreement/) I am asking for the board to OK re-enagement subject to an legal OK; with our president as the person to vote in the OSI board election; our VP of Marketing for the marketing contact and the VP of public affairs as the contact for their Public Policy angle. BOARD Action: yes / no