 So hey, everyone, welcome to OspoCon Europe. It's great to be here. Anna and I have the kind of opportunity of welcoming you to the event this time around. We've been doing these for a while and it's very excited to see everyone face to face. It's been a little bit long. So we'll introduce ourselves first. So, Anna? Yeah. Hi, everyone. My name is Anna. I'm the to-do program manager. And well, a little bit of myself, formerly I was in another cafeteria. So what the analytics firm? And in there, I get a lot of knowledge on Ospo and inner source metrics and community health. And then now, one part of my time is making sure to grow and nurture the community to the group and help Ospo's advance in their Ospo journeys and build with the community guides, reports and other tooling to run successful open source program offices. Two years ago, I finished my master in data science, focused on measuring the diverse success on open source projects. And I've also involved in other communities like chaos, inner source commons, open chain, several collective and several space. Thank you. Do a quick little intro before we go to Ospo news. So, you know, Chris Anizic had the fun job of helping build out and running the Ospo at Twitter a while ago. Currently, I serve as CTO of the Cloud Native Computing Foundation, which I helped start about seven years ago now. And I'm involved in a lot of the bootstrapping of open source foundations within the Linux Foundation. I'm a co-founder of the Tutu Group and OspoCon. And it's great to kind of see folks caring more about the professionalization of open source programs. You know, some of us who have been here for, you know, a while, like Nithya, the room, it's a, we've seen this evolve over the years. And it's kind of great to see more and more companies having open source offices and just professionalizing the practice across the industry. So, first off, Anna and I want to thank the OspoCon Europe Program Committee. You know, Chris, Steven, you know, Libby, Joseph, Jordan, you know, Don, Anna, David, Cornelis were instrumental in helping us formalize a great program that we have for the next few days here. So, thank you. If there's any folks in here that are interested in participating next time, let us know. We're always happy to kind of grow folks on the program committee side. So, we'll do this quick little, you know, presentation about the value of Ospo's. We'll talk a little bit about updates from the Tutu Group and some latest Ospo news, and there's a little mascot. So, I don't have to explain this to hopefully folks in this room, but in general, most modern software that has developed these days is based on open source, you know, projects and technology. You know, every open source summit you go to, it's always like new foundation around climate, new foundation around, you know, this thing. Every industry, everything that we're essentially touching on a daily basis has software being embedded in it, and more and more that is becoming, you know, open source. The challenge, you know, is not all open source are necessarily equal, you know, some projects may be a little bit more secure, more modern, more mature than others, and I think the role of an Ospo and an organization is to basically, you know, what are the risks for you when you potentially use open source incorrectly? You know, do you use a library that, you know, you may not comply with the license because your developers accidentally dragged into a build or a product because that's just the way it works. Developers are inherently lazy and just use what they could find. So, a lot of common issues out there around, oh, ensuring that we're, you know, making sure we're compliant and preventing those types of situations. Also, the question asks, what is the cost if your organization does this poorly or incorrectly? If you have open source that is not secure and you're using it, does that put your organization as a risk? We've had some huge incidents recently in industry with, you know, Logforge definitely caused all sorts of issues, but, you know, they're more the classic Ospo issues of, you know, you ship a GPL library in a mobile app that you didn't intend to, you know, dealing with those consequences and there's been a lot of court cases and other kind of ramifications here. So, these are just questions to kind of think about, you know, for your organization. And this is like not really a new concept. I always tell people, you know, a long time ago in the industry, the security, you know, security offices out there were formed in a reaction to people getting hacked, you know, people running into issues and having like their businesses basically severely penalized for that. So, the role of the CISO was created, you know, a little over 25 years ago and now we see almost every organization in this world having a basic CISO or security, you know, center of competence. The same thing is happening with open source in my perspective, where open source now has become literally so pervasive, the formalization of an Ospo and open source kind of officer is happening throughout. So, the Tudor Group maintains this little Ospo definition, which essentially just, you know, tells you what the role of an Ospo is. Here are some of the things we focused on. It's kind of a community-based things that we created, but essentially an Ospo is very simple. It's really just the center of competency in your organization to handle, you know, open source operations. So, it's basically it. A lot of companies do it differently. You know, sometimes Ospos live in engineering departments. Sometimes they live in legal departments. There's kind of no one formula for this, but you know, this is something we maintain to kind of help grow the craft, you know, overall. You know, the other thing that kind of Ann and I, you know, talk about a bit, and I've talked with a lot of folks, is literally, you know, you can't, adopting a strategic posture on open source is no longer optional. You have to have it. Like, all the stuff that your company or organizations are building on, it depends on open source. You have to truly think about, you know, what business value you're getting, what organizations you need to support, and so on. Things continue to kind of, you know, hum along. Within a to-do group, we helped essentially, you know, build a couple models of how you could kind of think about this, but you know, a lot of times when you're starting your kind of Ospo, you're basically moving from, you know, a lot of companies have some folks in their organization that care about open source. Maybe it's an engineer or whatever. You know, program manager, and you know, these are very haphazard, kind of ad hoc efforts. Starting an Ospo or a formal Ospo is basically moving this to a more strategic position that's funded in your organization, that is properly staffed, and pretty much delineates what clear business value and strategy that your organization gets from using open source. Ospo's always kind of help educate and fuse open source culture throughout the organization out there, and you know, generally help accelerate the adoption of open source software, which is the default, you know, these days. So we came up with this little, you know, model of how kind of Ospo's get formed. You kind of have the early stage zero of just like, we're just using open source, and we may have no idea what we're actually consuming, which is very common. And then there's kind of other stages that go along from, you know, formalizing, you know, legal education and compliance efforts to more community outreach and engagement to actually leadership and, you know, producing open source software that you're collaborating, you know, with peers in industry. So, you know, lots of different things, and you know, we have a lot of these resources online of what Ospo's do, you know, a lot of people ask, but every Ospo's gonna be a little bit different based on kind of what your needs are for an organization. There's not one clear way to do this. Like, you could learn from a lot of different Ospo's, but it's always gonna be a little bit unique for your organization of what you actually kind of need and what you wanna prioritize. So with that, you know, coming up in time is I'm gonna go hand it off to Anna to talk a little bit about latest Ospo news from the Tudu Group and some of the new stuff that we've come up with. Thank you so much. Yeah, so over the past months, the Tudu community has been working on new resources, some great initiatives and programs together. And today, I just wanted to give you some updates on what has been happening in the Tudu and the Ospo news so far. So the first announcement is that today, we are launching the results from the past open source program office survey results. And it's already in the Tudu blog, so people can go there, download the report in PDF, and also check the main cave findings that we have found. These are some of them. I just wanted to highlight two of them. The first one is around Ospo's success. So this year, from all the respondents that had an Ospo, 80% said their organization's programs have a really positive impact on software practices. So we are seeing like clear results on what is to build an Ospo in some organizations. Also, we're seeing that more than ever, we're seeing how success is being measured. So organizations are investing also in measured success by the volume of contributors and contributors coming for outside organizations. We're seeing some constraints. We've tried to segment also across different regions like what is the Ospo adoption in Europe? What is the Ospo adoption in Asia Pacific? And for instance, in Asia Pacific, we are seeing a big barrier to Ospo's that is time and resource constraints. 49% said that was one of the main reasons of not having an Ospo. So as I said, you can see the dive into these insights and cave findings in the report with Just Launch. And also, now that we are Ospo in Europe, I just wanted to highlight this finding we had from European organizations that 44% of European organizations said they never required or hired developers to work on open source projects. So that is a big issue in terms of open source mentorship and training among organizations in Europe. I don't have the answer of how can we fix this? I would love to hear your input on that. But maybe an Ospo that is this place where the organization can rely on and this vehicle where they can translate the open source language and infuse this to the whole organizations might be a potential solution to this issue of open source mentorship and training. The next new is that, well, I'm sure some of you have heard about the Tudor guides. I know some Ospo's already knew about how to use it for building Ospo. So there is a new Tudor guide for Outbone open source and we hope it's already also in the Tudor group.org. And it also, there is a link where people can add their feedback and keep growing this guide and create the version .2. So community feedback is more than welcome. And finally, we've been started a new series in person round tables and workshops called OspoLogy.Live Sweden. The first one is hosted by Ospo at Ericsson and this is a collaborative effort to organize with all the open source communities that are helping the Ospo movement. XPDX, Tudor group, Chaos, Open SSF and Open Chain. Also, I've dropped you the link to RSVP. The registration is now open and that will be in October. And finally, just to remind you that we are just starting the Tudor steering committee nominations for next year. First of all, big shout out to the current Tudor steering committee. They made my life way much easier. They've been great steering committee. And there, if you go to the Tudor groups last governance GitHub repo, you will find everything about the Tudor steering committee, responsibilities, what they do and how this is selected and the application form will close September 13th to become one of the candidates. And I think I don't have too many times so this is gonna be really quick. We're an open community of Ospo practicing us that willing to create knowledge, collaborate on best practices, tools and other ways to run successful open source program offices or similar open source initiative if you don't call it an Ospo. We are now more than 1,800 community participants and active and we are also supported by more than 80 general members or organizations, well-known organizations were wild having an Ospo in place. And in a nutshell, we provide Ospo guidance and support in terms of tooling, network spaces, training, research and education. And since I don't have time, I'm just passing. Yeah, so you can go to tudorgroup.org slash guides and communities and everything I'm sharing here, you're gonna find it for sure in order to advance in your Ospo journey. So thank you so much and welcome to OspoCon. Maybe a little bit on Ospo Live as well. The first one is gonna be in Sweden but we're actually organizing them all across in Europe. So the next one is gonna be in the Netherlands with our friends of Alexander and I'm already working on organizing them well in Germany and in the UK and actually since last night, probably France as well. So if you are interested in hosting an OspoLogy live work session on your premises, just reach out to Anna and me. It's really the ideas basically that we're gonna have OspoLogy live sessions on a 9 to 220 day cascade in all various countries making it easy for people to attend the event because it's like a nice and low cost which is also helpful with COVID but it's really an in-depth knowledge sharing. Okay, let's start mind mapping. You wanna do? All right. So Anna and I are gonna take a little bit about the OspoL mind map that we have had to do. I think this is not necessary. You can go introduce yourself. All right, so I'll introduce myself. So my name is Thomas Thienberg and I was formerly at here at Technologies. Now I'm at E-Pam since April and I basically help organizations with all things regarding open source. Literally I help companies that are just starting to build an OspoL tool. OspoL is the companies that have like an OspoL for 10 years. I'm involved in a lot of communities. People always get confusing, but yeah. So yeah, I work on the software build material, SPDX, so I lead the security profile including vulnerabilities in S-bombs. I work on the tooling on ORT, so that's basically how you can automate your open source policy. I work first to working to do. I do work in Open Chain, Lily. I just simply said I'd run my OspoL the open source way. So wherever possible, I basically go out to the communities and work with them as I progress basically in my OspoL because really there is, in my way, doing it the open source way is the way to run your OspoL. It's good for your company. It's good for the people involved and it's good for the community. Yeah, so this is gonna be the index we will be following today. So the first question is, okay, why creating an OspoL mind map? Like how everything started here, right? So as some of you know, there are a lot of OspoL benefits. People and organizations are now jumping into how to build an OspoL and let's build an OspoL because they've seen it's beneficial for the culture because it helps to break the cultural gap between traditional software development practices and the requirements for open source development nowadays. It also is education. So can improve technical mentorship and also training across all different teams in our organization. It can also have the two automation of tools and it improves continuity. So many OspoLs maybe they start and suddenly because they are unable to find the value and share the value of the organization, they just disappear. So sorry, I said an OspoL, an open source initiative. So an OspoL that is a centralized place to catalyze these open source efforts might be a way to improve this continuity. So let's see it's from moving as we said in the keynote from opensource.hoc to strategic decision making projects. But when people are starting their Ospo journey when organizations decides to give the fundings to build an OspoL or similar opensource initiatives, there are many questions. And some of the key questions that I've heard over the past years is, what roles and responsibilities does an Ospo have? Because it's really difficult to navigate since they're really, they have so many different, they have to pivot and so many different angles. It's kind of difficult because Ospos are diverse and they are multidisciplinary and they're responsible of multiple tasks related to open source. So in order to try to have the community with this big issue, I initially think about, okay, how can we break down the big picture of all the things an Ospo could do? So initially, I started a really early version of the Ospo mind map. I think I don't even call it a version that was mainly to understand better all the different Ospo tasks and behaviors and roles in the ecosystem. And I just saw it on LinkedIn and Twitter and suddenly a lot of people started to give me feedback and saying, we really need that as a project where people can collaborate and have it open sourced in a transparent way because this is something really valuable and can help a lot the Ospo community. So once I heard that, I created a GitHub discussion in the Ospo forum to request create a new rebel to work together on an Ospo mind map. So it was actually quite funny that so I hadn't missed the initial announcements, but I said, I'm on the to-do-go string committee and basically the mind map came up and I was like, hang on, hang on. I have been working on my own mind map. It's a little bit bigger than I will do. It's really where open source touches every bit in the organization from security to procurement. And I had built this big mind map and I was using it basically to explain to people like, okay, these are kind of the roles and responsibilities. So then I was like, hang on, I have this thing. We already have this in to do. Why just not contribute and emerge them. And so my work basically was based on my own experiences and work that basically Ibrahim had done for many, many years. So I was literally taking all kinds of links from the research papers, taking bits out of that and I was just looking like, okay, how can I just make a new mind map and make it easy for people to understand what the roles are responsible for in OSPROs. So yeah, once I found the one point all, I was like, well, let me make a pool work best. And then really, as you can see, well, I opened it. Then of course, other OSPROs, so Gregor Lee, Joseph, they also were like, hang on, I also know some things. We can make this better. So then basically as a community, we basically came together and basically we worked on it till we came to the 2.0 release. So yeah, and this is really the nice thing about how we're working to do basically again, you contribute back, others are like, oh, hang on, did you think about this? Did you think about it? And together we basically create something that we all can use. So the major update has been from 1.0 to 2.0 is that we more clearly define the OSPRO responsibilities. Because basically we had it in 1.0 clearly, but it's like, no, no, no, there are actually more things in OSPRO. So to be clear, it's not that we're saying an OSPRO should do everything here. Every OSPRO is different. It's just these are the things that an OSPRO could do. And these help you kind of like structure and communicate, for instance, to your management, like what have you done. So I think about this is how you can use the mind. So in your own organization, and I've been using it in E-Pen as well, this is what I use to basically, to talk to people that have no clue about open source or basically our technical know about open source, but want to understand what value does an OSPRO bring. So exactly by using the mind map, I can select these are all the topics that we work on. We already have this, this, and this. I also use it actually between organizations. And there's always like, okay, so what do you do in OSPRO? Every organization has their own little language. They call things differently. So I talk to a lot of my clients and they have a particular structure. And then I use the mind map to basically say like, okay, so how do you oversee compliance? And then they just draw the line, okay, we have these people here do zero. So we get a common language, but that's also happening in the community. So again, I work on many different communities. I talk to open and open as a staff. I work a lot of the security people and they don't necessarily understand what an OSPRO does. But then I use the mind map and say like, look, this is how we do, this is how it's going. So it helps to kind of create a common language between even open source communities on what to do. Cause again, you have to understand not everybody knows what an open source program office does and how it works together. So that's kind of how you can use the mind map. Let's show the thing in action. So let's, so I said the idea is you can go to the URL above. So it's a my map.doctordogroup.org and you basically get the division of four blocks so that the roles, behaviors, the size and the responsibilities. Maybe let's start with the roles. So here you see again, all the things an OSPRO could do. It said it's from project management to licensing. I said, remember the stages in the previous presentation on where people are? This kind of follows exactly the same. Again, we've worked on aligning all of the stuff and so this is what, the next thing you can look at what is the behavior? Again, you have OSPROs that really work on industry collaboration and that's the sole thing they do. The compliance bit is done somewhere else. You have OSPROs that do it also on like technology strategies. So you really have different things then and well, people that have been longer in to do notice we have on and off discussion. Okay, how big should my OSPRO be? Do I have? We have people that have an OSPRO that are one men armies. We have people that have an OSPRO that's well the largest that I know is about 30 plus people. So really it really depends. And finally as we said the overview of the responsibilities, you can click basically on every bit so and I would say pick one and you can see for instance like hey, how are we gonna work with, how do we basically promote more option work? Well, you can set up educational programs and then you can click it out again and then you see like hey, good hygiene. So this is how it works. And there's also links in the on the printer so you can actually click to the material. So it really helps you guide and navigate to all of the materials that are out there. Okay, so we will also like to give you some guidance on how to contribute to this project because this is open source and the Tudor community is already keep working on the next version. So for this, we will need to introduce you the tool. The tool we are using is called Markmap. So it's kind of friendly format to ease community contributions because it's just simply Markdown. You don't need really to learn, have coding skills to contribute to that. You just need to know Markdown and it develops this nice and beautiful Markmaps, mind maps. The project, by the way, it's also open source project. I think it was GPL, the license. So, and then on top of that, there is the project structure. So it has a content folder that includes the mind map as Markdown file and is where people can add their contributions and their additions to the Markmap. There is an image folder where it contains the vector image that is rendered from the Markdown file and then the interactive mind map. And there is additional info folder that contains like how this is started, like the story we have served. And there's also some useful links that you will be able to find in the slides in case you're interested to contribute. And the workflow to contribute is pretty as many open source projects. So you send a PR with requested changes to the Markdown file and maintain a review as apology, maintain a review as the PR. We can approve it and merge it or request changes. If we approve it, this is not something that we need to automate. So if people knows if there are contributions on how to automate this process of once the Markdown is done, automatically the HTML is rendered and updated, but right now we have to do it manually. So the same maintainer generates the HTML Markmap, make changes to the HTML file and the changes will be visible as at ospo-mainmap-to-the-group.org. So as I said, we welcome new contributors to contribute to this and other resources. If you go to to-the-group.org-slash-community, you will get a nice onboarding list to get started into to-the-community. Also we have a calendar where you will be able to see all the different meetings we have over the month. And one of them is workday activities. And usually we have for EMEA and APAC and AMOR time zones. So usually in there is when people focus gathers together and work on the mindmap next version, some of the common version. So you're welcome to join anytime. And this ospo-mainmap is part of a rapport at the to-the-group called ospo-logy. So ospo-logy is a mix of all together for ospo. So if someone that are starting, willing to start their ospo or thinking about how to build an ospo and start in their advancing in their ospo journey, they can go to ospo-logy and there they will find several resources. They will find networking spaces, like community meetings, ospo use case with ospo-logy, thanks to ospo-logy webinars, the ospo-mainmap to know about the ospo-responsibilities and behavior that an ospo can adopt. They can ask questions in the ospo forum that are the ospo-logy github discussions and join to ospo news that gives overview of what has been going on in the ospo verse over the past month. You want to talk about this? Okay. So yeah, why I have slides. So actually is that we're, Anna and I are organizing all social life. And fun enough, we, social life for the people that don't know it, it's a two-day workshop event. One day's presentation, the second day is kind of a unconference style where we have like, we work together on the challenges of those perhaps. So in these sessions, we're actually going to use the ospo-mainmap to guide the discussions. So we can use it to cluster all the various topics that people want to talk about it. So we can basically say like, oh, there's a group that wants to see about overseeing compliance. There is a group that wants to talk strategy. So this is again, we're using the things that we develop in our own workshop. Because again, again, it helps to facilitate conversations between people. That's it. If you want to learn more about to do, you can find an upper station, all of the social media links, all the links to the post. Do we have still some time for questions? Let's say that they develop a certain inner project and they would like to make it an open source. They can go on with several other related questions of how to make the... Okay, so I'm going to repeat the question for the audience that is online. So you are asking how to convince the organizations to build an OSPO and how to see open source, how to convince your boss to start engaging in open source and not just consuming it but contribute back. Okay, so there are a lot of different benefits. So first of all, I think we mentioned in the keynote and it's open source is everywhere right now. And even though you're not taking care of consuming it, of contributing back, your consuming or your developers are consuming open source. And if you're doing that without any thinking of, okay, I'm just taking it and not giving back, that can take potential risk, security risk and big damage for the organizations. So there are many approaches to justify the value of contributing back to open source. But I think this is for private organizations the most key one, like the highlighting the security vulnerabilities of not contributing back to open source. Also it can drive innovation. So you are using open source but maybe if you contribute back and you engage in the community, you can start getting into the community and maybe part of, you can have voice in the ecosystem. So that can also accelerate innovation and if you really invest in hospital talent and open source talent and have maintainers and people in this open source community, you can, the organizations can even reduce cost. So there are so many different benefits. And the next step of just not using, just not about contributing to open source but having a dedicated team is that if you really care or if the organizations really seize this risk and really cares of open source, the organizations will be putting efforts on that to be investing. If not, they are not caring about that. That is not serious. So NOSPO is that way to, it's when organizations goes and says, okay, it's time for me to invest on it to have a dedicated team or a dedicated time of a group of people working on that because this is serious because if not, I'm gonna be behind. I'm gonna get behind, my competitors are gonna go ahead because they will be engaging in open source and I try to understand how to do smart open source and you're gonna get behind. So that is a big issue usually for when you talk with many bus managers. So to add what Anna said, I actually get the question on a regular basis. If you wanna get some hard facts, I actually haven't built tooling that you can run over your entire company's code repository and show you exactly how much open source you're using and it's fully 100% open source. It will show you exactly which open source you're using which license you have, it's not as good enough. So don't expect like deep commercial grade that tooling that you normally have to pay 100,000 to a million bucks for. But basically it's the same tooling that basically developed under also under the to do group by several German automotive ausposts that were basically like, okay, we see this question over and over. Yes, we have the materials that you can use to make a nice power presentation and you can quote industry numbers at that like 80 to 90% of the stack. But now we can have also have tooling that you can run. So you just need to have some compute power that you can use and then you can scan literally, I've did it for my own company. We scan 19,000 code repositories and we just show the balls like, hey, this is all the open source you're using. We actually used it to hone our open source strategy. So then we knew like, okay, from these are the most built tools that are mostly used. So these are the most loose languages. So we can then focus, okay, this is where we as a company should invest in. These are the communities important to us. And hopefully soon ish, we will also be able to figure out like, where are the weak spots in our infrastructure? So where are the packages with we call dependency robustness? So where in my stack are the packages where the community can actually use some help? The German government is currently forming one. I'm also, and I'm also talking to the Dutch government since I'm being in Dutch. So in the Netherlands, it's currently that several of the ministries are forming a hospital. It's not that the central one, but at least for instance, like the interior ministry, they're working hard to find our spots. It's in government things are always a little bit more complicated, but you are seeing now that they recognize the importance of open source and then now basically should change again. But don't anything the government also think cities like the city of Amsterdam actually has an Ospo. City of Paris also has an Ospo. The French genre Marie also has an Ospo. So it's a little bit every layers in the public sector basically. You see basically Ospo's propaganda. Yes, corporations were first to it, that they have more of them. But again, also in the public sector, they see the value of having an Ospo. And I will say also that I've seen a lot of working progress Ospo's or even organizations that from the public sector, that they don't feel confident of calling it an Ospo yet. So they call it open source center of excellence or they don't even want to call it anything. We have, in fact, we have into the group an Ospo landscape. If you search Ospo landscape, you will see an overview of all the Ospo adopters that in a public way, they say we have an Ospo. Because as I said, I know a lot of Ospo's that they are there, but they don't want to start the brand or they don't feel confident to see it. And there's also Ospo's, so there has been, at least in Europe from, I'm from Spain, by the way. So in the public sector in education, I've seen earlier states Ospo's that they don't call it an Ospo in universities and they have been there for over the past decade, but they didn't call it an Ospo. They've been there silenced. So I hope that now that we have this common definition of the Ospo, more organizations that initially they started to do something similar to that, align on common definition and characteristics and we have like better alignment with this because they have been this heightened open source initiative somewhere and there's a lot more to discover. But yeah, so this is also why, one of the reasons for me also when I was working on creation of Ospo's life. So this is the nice thing like because we're now going to do local European events, the people that normally don't come to a conference like this, because it's local, literally, some European countries are bigger than others, but they said I had a discussion in the Netherlands like, okay, if we do it in Amsterdam, the furthest away is like three and a half hours by train. The train ticket costs maybe 40 bucks. That's something that you can easily, so what we want to do is we want to get, by how organizations watch life, also get people that don't call Ospo, give them a forum to basically said, well, they can just go to, oh, hey, I'm actually working on this. There's now an event that's like in the next city over, can I have the train ticket to just go there? So again, going to conferences, maybe not affordable for everybody, but having it locally. So it's again, it's small sized, locally, but in depth non-sharing. So what we do is we basically bring, sort of for the first one in Sweden, where David E. Wheeler from Open SSF is coming in, Shane from Open Chain is coming in. So we're literally bringing people that those people will normally never see, because they won't necessarily, but then into the same room. And the idea is to basically help them shape their Ospo. So just not, again, they use their public material, but there's lots of things that you learn by talking to your other Ospos. Although the idea is to basically, it's under Chatham House rules, so you can probably openly speak and talk with others that also work on Ospo. And then in all the European countries, we hope to get this all kicked off to basically have people work together. And then hopefully we'll have, say, a Dutch Ospo community. We have a French Ospo community. We have a Spanish Ospo community. And so who knows, maybe in a couple of years, this room will be too big because we have so many Ospos that, yeah, we'll need to hire a football stadium. Hopefully that's where we're going for. So that's why I said, we're really trying to build this up and basically get the knowledge sharing, get the knowledge coming. For the people that worry, we're starting in Europe. We already have a quest to do it also in India and also in the US. So, but let us first let Anna and I first get to Europeans come on going and then we'll start doing the other continents. Yeah, so we have Ospo cases studies in the website. And also we have every single month, we launch ospo-logy webinars where we invite Ospo leaders across different regions and sectors to talk about Ospo experiences like maybe they develop a new tooling or a new initiative or they serve their Ospo journey. So that is available in the Ospo-logy YouTube channel. Ospo-logy, yeah, Ospo-logy YouTube channel and also in the Tudor website at tudorgroup.org slash guides, yeah, slash guides and there you will see all the different resources. And of course the Ospo landscape where you will find like an overview of the Ospo ecosystem. Any, yeah. So the question is all the companies are doing basically license clearance, clearing the same open source packages because hey, everybody uses them also. Can we not build a common pipeline where we do this work? Actually, yes. Actually, I'm already building it. It's already being done in the German car industry where basically we share this information. We have the tooling already. We will also publish, we have already some but there will be more. I'm about to push about 5,000 clearance results that I have from my previous company that we cleaned up. So what we're now doing is we're giving new Ospos. So the topic of compliance is usually for a lot of us was the first topic. And a lot of them people are either buying a tool and then they're not happy and that's because there's basically there's gap in commercial, there's gaps in open source. But a lot of the people are like compliance is very, very complex. So we said like, okay, I would love to have people more contributing but compliance basically pulls down a lot of Ospos. It's so complicated they can be assumed for like years. So we said like, well, let's fix this. So we open source the tooling, we open source the data and we're also giving you the reference policies. So we're giving you the open source policies that you can use to build upon. Basically giving you a full, everything that you need to basically do compliance out of the box for your developers. And but again, that doesn't solve the problem of doing license clearance. Because again, there's literally millions of open source packages with unclear license. So I have, I'm actually a confiner of another project called Clearly Defined. We, the number starts there says that about depending on the ecosystem it's up to 40% of all open source packages in an ecosystem were unclearly licensed. We need to fix this. Our way to fix this was like, no, no, no, we're not going to be as companies maintain a database and we're going to share this. We're going to do this for the things that were released. We want to fix things upstream. So that's why the tooling that I'm a co-developer one, it's fully open source. The idea is basically that we give this to the community. And we haven't already our first success. So the Eclipse Foundation is going to adopt OSSFDUKIT or ORT and they're going to use it to check all Eclipse packages. That's the idea. And then they will produce S-bombs. And they will also contribute back to the project sharing the clearance data. It's really like I said, I remember being in an open chain meeting a few years back and basically in the room, I think it was like 90% of the people were all doing the same clearance for the same open source packages. Like it doesn't make sense. Literally, let's, let's, we are not competing on licensed clearance unless you're a vendor. We're not competing. It's just cost for us. It's just something that we need to do. That's why let's share. I do know it takes a lot of time and a lot of convincing for people to say like, yeah, are you actually clear this? But again, we don't share companies' opinions about licenses. We just share the facts that they, MIT is applicable to this license. And the nice thing is it's open source. So we already had one case. There was a package where it was unclear what the license was. Because it was open source, I literally just reached out to Red Hat and say like, hey, your guys contribute there. It's unclear what the licensing is. And he was like, oh yeah, I can find this out. Here you have the main, like some really random main list where it's like, oh yeah, here you can see we actually mean this. And then the original contributor, who still was working for Red Hat, actually contributed back and say like, this license actually means this. So we then also had the full provenance. Like normally as an Ospo, trying to figure out what the developer meant, what are things, it takes many, many hours. Doing this the open source way is for me the way, because again, it's the open source community fixing things upstream. And it has some other benefits when we roll out this tooling again. The problem was for me always, corporations are using commercial tooling, they figure things out, they clear things up, but they usually don't fix it upstream. So then the next corporation has to do exactly the same clearance. So this is why I'm very grateful that we're cleaning this up. And there's also other related space. So the free software foundation in Europe has something called reuse. And that's a specification that you can use as a developer to clearly indicate like with an SPX license identifier, this is the license applicable with the code. So instead of saying like writing it out and people write all kinds of things there, my favorite sentence in clearance is, MIT is compatible with GPL. Yeah, Scanner doesn't understand that. All those Scanners sees is GPL. And a lot of my clients say GPL, big, big no, no. That means that every time a developer writes that in their source code, this Scanner will flag it. A better way would be to just add a code to say that SPX license identifier MIT, it's human readable and it's machine readable and it's instantly clear. So in the Linux foundation, there are big efforts. For instance, the Linux kernel has a lot of now SPX license, so it's just very clear that if you use the Linux kernel and you have to do clearance for that, you can literally now much more easier to figure out what the license was because we're talking about thousands of source file, now proper SPX license IDs have been added to clarify exactly what was the licensing for this file. Any final questions? So let me repeat the question for online. So does the Todo Group have some guidance about S-Bomb tooling, basically, right? It's not under the Todo Group, we are linking to it. So again, this is why we collaborate with all the other groups. So most of the work in the S-Bomb Worker Group, this is actually happening in SPX because that's the ISO standard for S-Bomb and in Open Chain, it's compliance problem. So again, as to do, we don't wanna have everything on the there. If there are already existing communities that are doing great work, we'll just link to them and basically say, here you can find them. Well, we will work on a S-Bomb Todo Group and what we have materials by like. Like I said, hey, the actual details of those things are over there. If you, how you can use this in an OSPO setting, that will be on the Todo Group, right? Because that's really where the OSPO context, where we say like, hey, this is how you could use it in an OSPO. Yeah, and I just wanted to add that part of, one of the missions we've been working with the string committee has been how to build this cross-community collaboration across other communities. For instance, we recently joined Open SSF to work on how to give guidance on OSPOS on how to build more open source secure projects and having this guidance targeted to OSPO and focus it on an organizations that are building an OSPO. So this is a clear example of how can we collaborate with other communities because OSPOS are being everywhere. And as we said, there's a lot of responsibilities that deals with legal, with compliance, but also with community building, with assessing the metrics strategy to measure the success. That is, for instance, measuring community health, chaos does a great work as well. So all this, it's useful information and it's already there, it's already in the communities. The main, the key part of this is how can we collaborate and share knowledge? Even within, I know it's everything about open source, but sometimes it's difficult to connect and to communicate even within all the open source communities and peers. So I think also one of the main reasons of building this apology life as Thomas was sharing is to put everyone together into a single room and build common tooling and build common resources. Yes? Okay, thank you so much. Just for the online audience, they were saying that they have been using this as per mind map to dive into all the responsibilities and formalize better all the different responsibilities and select which ones are relevant for the organizations based on their organizations goals, I guess. And thank you so much for all the community to keep this project alive and keep contributing to it. And yes, one last stop, okay. We can talk, I mean, we will be around. Thank you so much.