Hello everyone and welcome to our panel for our FOSDEM Legal and Policy devroom on compliance. This has become somewhat of a staple for our devroom. We're doing it, of course, remote this year because of the pandemic, but we have a couple of great panelists that are going to dig in today to discuss the issues of doing GPL compliance with a focus on what happens for the customers, the users, the individuals who get devices. How do we assure that they have the source code they're supposed to get under copyleft licenses, that works? And we're going to talk about it from a number of different perspectives from folks all over the industry. I have joining us today, first of all, John Sullivan, the executive director of the Free Software Foundation. We have Davide Ricci, the director of the Open Source Technology Center at Huawei. We have Eilís Ní Fhlannagáin, also known as Pidge, who is the CEO and CTO of Togán Labs and the chief architect of Network Grade Linux. And coming to us from the legal side, we have Miriam Ballhausen, who's a lawyer at Bird & Bird and focuses on copyright law. So to get started, I would like to start with asking John a question, because John, you work for and are the principal person at the organization that started the whole idea that software freedom was an important issue way back in 1985, and were really the first to talk about why it's important. So can you tell us a little bit about why the issues of compliance with copyright, the copyleft licenses, fit so directly and importantly with the issues of the compliance requirements, the details in those licenses that companies and redistributors have to follow?

Sure. And thanks for having me on the panel today, I'm looking forward to the rest of this discussion. I think it's a very special thing about free software that it is designed to have both fully commercial and non-commercial purposes.
And so we at the FSF view this as a social movement, for sure, with the ethical foundation and an ethical mission. But these chances to talk together with the people that are using the software commercially and have experience doing that, and hearing their experiences, this is a really important part of that. So the primary copyleft license, I think, that we have in mind is the GNU General Public License. And that has a very simple requirement on its face, that you have to share when you distribute a program to another person. You have to share the source code, which is what, you know, you as a programmer with the programmers that you hire actually use to modify the program and create the program, the human-readable code. And the reason that that's a requirement is because a binary program, it's not particularly useful other than for purposes of being able to run it or hand it off to somebody else so they can run it too. If you wanted to understand anything much about how the program works or you want to be able to make changes to it, you have to have the source code for that. And you know, that's the whole reason for free software or its existence, is so that users are in control of the devices that they have, the software-powered devices that they have, rather than those devices being in control of them. And if you can't inspect the program that's running on your laptop or your phone or in your car, then you can't actually know what it's doing other than trusting the company that gave you that software, you know, trusting that they're telling the truth. Same point of example is unfortunately where that doesn't pan out. And then second of all, even once you understand it, if you want to be able to, you know, make a change to it, you also need the source code for that. And I think the closing key thing here is just that these rights aren't just for programmers.
You know, anybody, if they have the source code, can go to a programmer and ask them to make a change for them, just like you can get your car repaired by a mechanic or have someone else fix the HVAC system in your house. So, but you can't do that unless you have the rights to the source code and the freedom to take it to other people and ask them to do things.

And Pidge, that's why I want to come to you here, because one of the focuses of your work, as I understand it, is to help people and help those who build these devices, which are these days a lot more complicated than they were when these licenses first came out, to actually make that software build and work correctly and create these compliant source releases that are required under these licenses. Can you talk a little bit about what you're seeing in your work and trying to help your clients get that source code right? And what the challenges are that they face with regard to the interaction between the details of that software and its source code and their compliance requirements.

Right. So, a little background here: when people do a lot of software compliance work, they're doing it around one chunk of software. I'm doing entire firmware blobs, so entire Linux stacks. And it's complicated because you just, it's not, I need to know what software is on it and what the licenses are. You also end up needing to know how it's built and how it's all tied together. So, with a lot of my clients, it's, initially, why do we need this? And then, you know, can't we just throw out the metadata and just have it that way and not actually provide the source code? They can get the source code from upstream.
That conversation, so there's a period of buy-in, initially, and then the complicated work happens, which is going through each and every bit, figuring out, you know, which source package is using, you know, because one bit of source code or one package may have multiple things that come out of it with various different licenses. So, for example, I don't know, I use this all the time, puzzle. Puzzle may have puzzle, puzzle dev, puzzle docs, and they're all going to have very different licenses. So, it's understanding everything from nuts and bolts, all the way from initial build system all the way to how everything's built to how everything's deployed. So, there's a lot of teaching developers things that they shall not do, like static compilations of closed-source software against GPL code, which we have to have that conversation, and software developers are clever, and they go, well, what if we do a shim layer, and, no, no, no, no, no, no, no, just stop trying to get around that. So, there's a lot of education on the corporate side that I end up having to do to teach developers how to do this, how to do this correctly, and how to do compliance activities afterwards. Does that answer your question?

Yeah, it does, and I want to go to Davide now, because what you're doing is you're looking from inside a company and trying to build up and answer these questions so that your employees know how to do this correctly, how to incorporate free and open-source software into your products. Why don't you tell us a little bit about how you design that strategy from inside a company to make sure that you're getting that final source release at the end, as Pidge says, looking at the entire firmware blob and making sure you have what's required for the entire firmware, not just one part.

So, first of all, I've done this a couple of times. I've done it at Wind River, and I've learned at the Intel OTC school up in Portland, and now I'm doing this at Huawei.
So, first thing that you have to do is just do it first. Even before you start building code, you know that you're going to be using open-source software when you build an operating system. So, first thing that you have to think is, how do I ensure the compliance, right, how do I do it incrementally? So, over time, I mean, initially it was a lot of guess-and-let's-figure-it-out, you know, work. Right now we have good standards that are coming out of, for instance, Linux Foundation with the OpenChain standard, which is really industry-oriented. Free Software Foundation is helping us a lot, especially in Europe, helping Huawei to actually do it, right? But, you know, it's about, as I said, if you want to go with OpenChain, it's about creating a policy. Funding the policy. So, essentially, you got to make sure that it's funded. There's people to actually follow the policy. Training individuals, so that developers, managers, they know what the processes are, what their roles are. So, at the end of the day, everybody knows the dos and the don'ts. And then when you start building that bill of materials that tells you, hey, in this device, there's this software, these are the licenses, this is the manifest, these are the authors, this is the license that we think the software has. Oh, and by the way, hey, IP analysts, can you go look, because some licenses are not clear. At the end of the chain, you have the best possible accuracy when it comes to the bill of materials. There's no 100% accuracy. Business is about, you know, risk and gain. But as a general manager, I don't want to go to market with a big unknown. So, at the end of the day, it is the most accurate bill of materials that gets me through. And if there's a red flag that is flagged by, you know, for me by the team, you take a risk-based decision. But that's pretty much the process you follow.

Yeah, and so you identified risk, and that brings me to want to ask Miriam about that question of risk.
Because ultimately, the reason, if there were no requirements in any of the open source and free software licenses that we have, particularly the copyleft ones, no one would worry about any of these questions that Davide is talking about. So Miriam, what do you see? We're so many years now into adoption of open source and free software in companies. When you talk to your clients, what is their legal concern? What is their fear? And on the other side of it, are they able to see it, convert that legal risk into, let's make things better for our customers? Like, where do you see that divide happening in the clients that you're talking to?

Yeah, happy to answer that. And also, thank you for having me on this. So, to be honest, I think there's a big difference between different types of companies and the risks or the issues that they see. So there are, let's say, companies that have been in the software business for a very long time and they've been working, developing with software. They are really knowledgeable already. They know what they're doing, maybe kind of like Huawei. And as Davide just said, they are looking into this. They are working on strategies. They are looking at the software that they're using. They are looking at it from the beginning. And they have very specific questions. And they generally also already know how they would handle certain risks. And then on the other end of the spectrum, you have more, let's call them, traditional companies coming into the software space that have maybe just built whatever device, let's say a fridge, for years, and now all of a sudden the fridge is smart and uses a lot more software and they are working with a lot more software. And that's really not their core business so far. And they tend to be looking at the software development and the risks they assume open-source software has from a totally different perspective.
So with these types of companies, you would still hear questions like, well, how can we even use open-source software? There's a copyleft in there and all of that is a really big risk. So you kind of have to find out where do they stand, how far along in this development are they, how much have they looked into this, what type of developers are they working with, how knowledgeable are they and how much are they pushing, are there maybe differences in the different areas they are working in. But that's a big spectrum, I would say.

And so I want to connect that up with, to ask John, because when you talk about the risk-reward and analyzing that, I think from the activist side, you probably look at this a little bit differently. So the reward, I would guess, to the activist, and they really have an activist too so I know this is true, that the reward is that with copylefted software being in these devices, it means software freedom for people to get the devices with the source code correctly, but of course the risk is the risk of non-compliance, and in your world that means software users don't get freedom. So when you look at this, how do you reconcile all that question of risk and help to educate and explain to people that the risk is really a reward because your customers get software freedom?

Yeah, and I think that it's important for anybody distributing particularly software to understand that this dynamic is what gave them that software to begin with.
And so the risk of non-compliance, you know, on one end an important part of it is that you're not respecting your users, your customers, anybody that's receiving the software from you, but you're also sort of in a long-term way undermining your own business model, because this collaboration model is what created the software that you're using and that you're able to ship with your products, and if you're not doing that properly then you're not enabling possible participation by other people, you're not enabling bug reports, you're not enabling the entire culture that created this that you're able to use. But yeah, it is, for us it's more than just, I think the risk from a very short focus, the company perspective, is possibly being sued or having to go through a complicated legal conversation with somebody, and that is certainly a risk that people should worry about, and one of the things that we do is enforcement at the FSF for GNU software that we hold copyright over. But really, you know, we want everybody to participate in this process and treat this process as something that benefits them and creates a level playing field where no competitor of yours is getting an advantage either by skipping out on some of the requirements here.

So I want to go back to Pidge, because that interesting thing about the competitor issues, one of the important things about free software and copyright in particular is it assures that everybody's on equal footing.
So Pidge, when you're looking at this from an embedded side of building these firmwares and checking the compliance of the firmwares and checking they build, what concerns do you have as you're doing the analysis to sort of get to the conclusion of, well, does the source code really work, and are we putting something out there that can actually be collaborated over as far as a technological solution, versus just kind of meets the bare minimum of the requirements, which might not necessarily inspire that kind of collaboration? Can you talk a little bit about how that divide gets handled when you're doing this kind of work, both as an upstream and for a client who's asking those questions?

So I'm going to plug the project that I work on, Yocto Project, I have to, because when I wrote the initial pass through the license compliance stuff, and when I was told to write that, I was told to go talk to the lawyers about this, and I'm like, screw that, I'm going to go talk to Bradley because he's the one doing license compliance. You remember the conversation, I'm sure, and I went and talked to the lawyers and then I talked to Bradley and then I was like, oh okay, this is what he's looking at. So from my perspective the outputs that Yocto Project gives should also be able to be inputs as well, so that people can do this, and it makes sense from an embedded perspective, because, you know, if you look at where embedded is going, like if your refrigerator is embedded, you know, refrigerators last, what, 10 years. I don't want to be maintaining firmware for 10 years, I want the community to go out and do it.
So from my perspective it goes, there's compliance at the top of the stack, but it goes all the way down to the bottom of the build system, and ensuring that the things that come out of the top of the stack are able for the community to go take those and regenerate them all from scratch. Now, there are folks that do not like doing that, and I tell them to suck it up because, you know, it makes no sense not to do that.

So that brings me back to a couple of things that Davide was saying. So there is this, and, you know, I always promise I'll ask a few hard questions, so this may be a hard one. So, but you mentioned a lot of these initiatives in your initial comments there that are out there, related to bill of materials and trying to get just the list of licenses, which I think everybody would agree is the first step you have to do. One of the concerns, and I'll show a little bit of my bias here, I've had is that, it's kind of what Pidge is saying, is that that's a necessary but not sufficient thing to really get a compliance source code software build. So can you talk a little bit, Davide, how you're treating this inside of a company when you're looking out there to say, well, okay, we do need to get that bill of materials together, but then we have to get a source release that actually works and that our customers can rebuild and reinstall the software onto our devices in the field, which I think we all agree is a technologically challenging thing to do. How are you looking at that and addressing that when so much of the compliance focus is just on that initial step and sometimes misses that later step?

I think those are complementary matters, and, you know, it's hard to just draw a line, right? And I think it kind of goes back to a couple of things. Number one, why a company is in open source, right? So I think unless you're really a 1970s software company that still believes that, you know, the value is in the software itself, I think most of the software companies today have moved past the idea that
you monetize the software itself, and it's about monetizing what's on top through value-added services, etc., etc. So in that perspective software becomes the vehicle to, you know, value-added services monetization. So, I mean, you don't want to take any risks, I mean, you want to be complying until the very end of it, because you actually want people to use more and more and more of the software that you contribute, because by using that, that becomes the vehicle for you for an upsell, right? So when the business comes into the picture, now you understand that that's not a cost, like, screw it, you got to suck it up. No, it's not a cost, it's actually a value, you want to do that, right? And then as you started doing that, it's kind of natural that you're going to try to drive efficiency into the process of this, it's called compliance envelope, so that from the very beginning to the very end, things are, you know, that are added onto that have a piece of information, right, so that this compliance envelope can traverse, right? So, so I think, you know, in general, you know, it's seen as an obstacle or a cost, and I'll tell you something different, right, or something more: it's a cost if the organization is not mature enough to have figured out what is the business model on top of the code and the source code itself, but the moment that the organization is mature enough to figure out the business, the path to money, then being compliant adds up and helps you actually monetizing and making business. I'll tell you, this is the last thing, you can see the maturity of your organization by this question. Organization that is getting mature but it's not quite there, the typical thing is, can I just use FOSSology? And it's like, kind of, if this is about your accuracy, then maybe it gets you 20% of the way. How about the red flags in the Christmas tree that now you're going to have to go fix to make sure that the accuracy is high enough, right? And then, oh, I need to staff a team? Yes, you need to staff a team because that's kind of
important, right? So you want to suck it up, you're going to suck it up properly, so get a team on board, because that's what you had to do to ensure that compliance and the accuracy across the board.

I think I'm going to spend the next five years paraphrasing Davide to say the mature companies should believe software freedom is part of their business model. So I know that's not exactly what you said, but you're sort of hinting at that and I really like that. You can quote me, you can quote me on that, you can quote me on that. That's wonderful, I got to quote you on that for sure. So Miriam, I want to come back to you, following up on something that Pidge said that I really like to hear you comment on. There has been this divide, going back to when my career began in the 90s, so it predates even heavy discussions of FOSS compliance, of engineers want to do what they want to do and get the product working, and lawyers just get in their way and lawyers give them instructions that don't make any sense. How are you looking at how we're going to do this going forward in the next generation, to get lawyers and engineers to talk together as equals who are working together on a team to do the right thing rather than being at odds with each other, right? How do you see that fitting into the future of compliance?

I think one part of the solution to that might be to actually get lawyers to understand the technical backgrounds, or at least understand the developers that they are talking to. There are some good projects even at university where they start to teach lawyers at least basics on development and software development, and they at least have to pick that up, but I don't know if that's happening everywhere and enough, but I think that's one part of the solution, so that you can actually understand what everyone is saying that you're talking to. The other thing, I think, is again maybe a solution for lawyers: they should start offering solutions and not just saying what doesn't work, and kind of trying to
get them to find, but to get to a solution together, maybe. And at least I often find that when you explain the background and why some things are an issue or are a risk or whatever court ruled on it differently, developers tend to understand that, because they think really structured and in that regard very similarly to lawyers. So you get to a point where you can kind of get rid of the issues and focus on how you can move forward, I think, rather quickly actually, if you start at a point where you understand each other.

I definitely agree with that. So John, I want to turn back to you, a question. I think one of the things that we've tried to do in the activism world is that kind of connection you were talking about, about why companies should really see it as their benefit to give software freedom to their users, and I so often see, and I'm sure we've all seen this, where, going back to Davide's point of the mature company, the less mature companies don't get this yet. So how do you see the rewards and requirements of the license, like how, what would you say to a company that's not mature, that Davide is referring to, what would you say to them, John, about, like, to get them to stop focusing on just, like, meeting the bare minimum of the requirements and actually engaging in software freedom in a way that would benefit their company?

It's a question, I mean, I think part of it is to, companies are often concerned about reputation, and I think that's definitely one part of the approach, is to discuss that and the fact that this software constructed through sharing really is a community, and it's in the company's interest to be a good citizen within that community, and that that will have benefits to them, both depending on what business sector they're in, of course, but different kinds of benefits to them, one of which being, if they do make a mistake, there will be a lot of community goodwill there, knowing that it was a mistake, and plenty of people, including the Free Software Foundation, willing to help
advise them on how to do things properly, as opposed to just filing a lawsuit. And I think, so that the reputation and that kind of good citizen aspect is important. I would also point to examples of where new and exciting things have been done as a result of the software being distributed to users, and probably you've written about the things that have happened with the router firmware from that source code having to be released since it was built on another GPL code, and that lets you knew your software that could be used by companies and put in their products and shipped. And then of course we want companies to be socially responsible, and I think that is a first of argument in today's world especially, and it's talking to companies about how do your employees care about this, your customers care about this, you as a hopefully human being that desires to be ethical in this world should care about this, and try to approach it from that standpoint as well. So I think there's all of those: the reputation, the practical benefits, and the ethical, socially responsible reasons to talk about.

Yeah, so I want to go to Pidge then, because Pidge, one of the things that I feel, I feel, and you can confirm or deny if this is, if I've got this right, but I feel like when I look at what you're trying to do, you're basically trying to get the details right for what John is talking about. So, and by that I mean, I see the kind of work you're doing is saying, well, yeah, I want to make companies be socially responsible, do the right thing with compliance, but I want to make it straightforward, easy and design well for their engineers, like build that connection that Miriam was talking about between the engineers and the lawyers, understanding what needs to be done, and make it as part of a rote task, like doing good testing on your software and doing other engineering and software development practices. So can you talk a little bit, and remember that the FOSDEM audience is pretty advanced, so if you can get a little bit
in detail of how do you see we do that as a technical matter, so that when you, so that some day when you start from Yocto, if I started from Yocto, the thing on the other end is going to be that compliance source release, and Yocto is going to give it to me, or whatever project it is that would give it to me.

So I'll give you an example of some of the last people we worked with for the past couple of years, and we were doing compliance work with them every release, and they were doing, like, you know, scrum sprints, so it was like once every three weeks, every release, for multiple machine firmware, all of that, and I, I'm going to defend FOSSology here, it got, all of that got generated, thrown up on the FOSSology site using the metal license tools layer, and someone went through, and someone who was familiar enough with the build system went through and did that work, and we found issues, like, you know, because it wasn't a one-off compliance thing, okay, yeah, we're done, we're release done, we don't have to do this again. It was a continuous auditing of the entire process, and not just auditing did we go through and create a manifest. It was, did we go through, create a manifest, did we go through, create bill of materials, you are all the metadata in the, which is the scripts that control compilation, out there, not just for GPL stuff but for MIT, for BSD, for all of it. Did we ensure that anything that was code embargoed because it was closed source license not make it out as well, which is important, you know, because there is closed source stuff on this. And also how much GPL3 is on that, because embedded developer, well, not embedded developers, embedded manufacturers don't necessarily like GPL3 because they have difficulty with some of the things that they're trying to do, a box that's locked down. So, you know, there was this entire process that we had to go through, and we went through it once every three weeks, and it was continuous. So when we start talking about compliance and thinking about compliance, we have to
stop thinking about it as this one-off thing that we do, and thinking about it as a continuous integration, continuous test, continuous audit, and continuous testing of the stuff that comes out at the end: is this usable for the end user, is this something that's useful, and what happens if Bradley comes knocking on our door, you know? And these are things that we also have to start thinking about, what we were doing with this client of ours.

So Davide, you're often in the position of being inside the company who would be a client to something like this, and I want to pick up on something you were saying about, the mature company will see that this is valuable. One of the things that we haven't really seen yet, because we've seen so much, like we're talking about, so much effort going into the bill of materials stuff, we've got Pidge sort of doing the, this, you know, your base firmware that you start from aids compliance, that Pidge was just talking about, but where do you think, when do you think a company like Huawei can get to the point where it doesn't just want to participate in firmware and Linux, like the full upstream, which I know it does, but wants to be participating in things like, let's make an entire firmware that everybody is collaborating on, instead of each company doing their own firmware, and then that would mean, of course, less, you know, going back in and trying to get that firmware into compliance if everybody's using that same firmware base. How do you think we can get there, and can we even get there, or is this divide between upstream and final build going to continue to be so wide?

Now, I think it's going to, I think it's going to go on, and it's about defragmenting and defragmenting and defragmenting and defragmenting. If I take the Yocto Project, and I've been lucky enough to be one of the founding fathers back in 2010 when I was at Wind River, right, so that's how I know our friend here, and it was about creating one common set of technologies and tools for defragmenting the embedded device industry, meaning that it didn't reinvent the wheel, it didn't recreate the Linux kernel, Bash, Apache, Boa, whatever that is, it didn't reinvent BitBake, but it creates an ecosystem sandbox where partners with the same goal in mind, you know, shared that effort so that each and every one of them could benefit in the end, right? And so that is this broad. Now that goes to Huawei. Matter of fact, my team is responsible for launching in Europe OpenHarmony, which is the Huawei-led open source initiative to create an operating system that powers consumer devices. Now, if this is Yocto, consumer devices is this, right? So it's not the entire industry, but it's this. So we are using and leveraging BitBake, the Yocto LTS, but now we also need to support smaller devices. They use Zephyr, that's another project, right? So now we get together consumer companies, device makers just like Huawei, Samsung, LG, just making names up, right, just to give an example, Bosch, Siemens, LG, Sony, etc., etc., and now you're defragmenting the consumer device industry, meaning that you now create something called OpenHarmony, right, but it's an open source play with those companies, reuse Yocto, tailor it to consumer devices, and defragment that industry, and they all participate in that open source project, in the compliance activity that, you know, we just mentioned so far. And at that point, once you have consumer companies just working together, right, to defragment the industry, it's very easy, because consumer companies are B2C, so they serve the end consumer, and you are at the end of the chain, right? So I think we're going to proceed by defragmenting and defragmenting and defragmenting, and so long as this compliance envelope traverses this defragmentation effort, you will see participation. But defragmenting has to be there as a business goal, right? If there's no business goal in defragmenting, then participation is not going to be possible.

That makes sense to me. I want to go back to
Miriam now, because when I continue to hear all of everybody else here talk, I want to sort of see what the lawyers are saying, because one of the things I've noticed is the lawyers actually end up being on the front lines of this, because the first time they realize they have a compliance problem, I'm going to make a comparison to GDPR, which of course we in the US, where I'm based, have to comply with because we give services to Europeans, and while, even for an organization like the one I work for, where we really care about the goals of GDPR, it's still a pain to comply with GDPR, it's still work to be done, and every once in a while I'm like, oh man, we really have to do our website that way? Well, GDPR says we have to. So Miriam, I want to ask you how much, I'm not going to make you say percentages, but give us a sense of what companies, where Davide is trying to say they ought to be in trying to build these firmwares, or are companies coming to, still coming to look at open source and free software and saying, darn, it's an annoying thing I have to comply with and I'd rather not have to do, why do I have to do it? What's the majority of what you're seeing, and what do you tell them to move them from one side of that to the other?

Again, as I said before for, you know, what risks do they see, I think the spectrum is just as wide on that area. So I've had clients say, yeah, we are now facing enforcement and actually we knew we had a problem there, we should have fixed it, we just didn't have the manpower to do it, or we had to focus on GDPR, on whatever else, and we had to put our teams there. That's kind of the middle. And then you have, on like the upper end of the spectrum, you have companies coming in saying, we know there's open source software, we know we are not using it as much yet, but we know we're getting there, we're actually getting into the software business now as well, and we want to comply just for the sake of complying, because we think it's the right thing to do and we want to focus on that. And
then on the other end of the spectrum, you still have a few companies that are really troubled by the idea or don't understand the reasoning behind it, but they usually get to a point where they say, well, it does make sense and I think we have to comply, rather quickly. But again, it depends certainly on the companies they're talking to. I have to say I'm impressed how it has changed over the last years. It has gotten a lot better and a lot easier to sell compliance and to sell that they have to work on compliance. Most of them are really already at a point where they know they have to fix whatever issues they have and they just need to find a solution. So I'm certainly glad to hear that things are changing. I tend to be an eternal pessimist and think that it's not going to get better, but I also want to throw the same question to John. John, do you feel like at the end consumer level, people who get these devices, do you feel that we're getting to a point or moving towards a point where people feel empowered like they do in the wireless router market? Because most of the wireless routers, you can install an alternative firmware that's completely free software. I know from my work that doesn't exist in any other sub-industry. Do you see it moving in that direction? Is Davide's dream getting there? Is Miriam right that the companies are moving, or do we have a lot more work to do, and if so, what's that work, John? I think we have a lot more work to do. I think that I agree that there is much more widespread awareness. You can tell we're not in Brussels in January because I have the sun in my face. But there's much more widespread awareness of free software and what it is, and much greater willingness to use it and engage with it. I think that I do see the problem from an end user perspective is that there are so many other forces now pushing towards locking down devices for different reasons, and also just so many more kinds of devices. So it's now not just can you rebuild the software on your
laptop or your desktop or even your router, but your phone. You know, if you have an iPhone, which has free software on it, you can't really install your own. You can technically apply and be a developer and install some of your own software, but there's no way to have a marketplace for free software on that device because it's prohibited. And so there's a lot of other pressures working against user freedom, and that's one degree where we have a lot of work to do. We have a certification program, Respects Your Freedom, where we're trying to promote businesses that do embrace fully, 100%, the notion that all the software on a device should be free. When it comes to compliance, it's, you know, I do worry a bit about the kind of "it's good enough, our approach is good enough, we check enough of the boxes that we're going to reduce our risk, and that's what we're aiming for." I would like to definitely see more adoption of the actual values behind all this, and just more understanding that most of these compliance challenges arise because of the common, because of the attempt to combine proprietary software and free software. So I would encourage people to push the envelope in the other direction. As opposed to trying to see how much proprietary software you can get away with distributing alongside free software, with the free software, you know, push it in the other direction and see how much of your software you can distribute as free. As a solution to the compliance challenges, it makes them a lot easier. And so the risk is saying this is all Pidge's job to solve. Like, I do want to ask Pidge, like, how do you do that process with, like, a client, when a client comes to you and they're having embedded firmware and it's a mess and you're trying to tell them switch the software back to do this? Are you able to get through to them, to the other side where there is advantages, and change them into that mature company that we've been talking about, get them to care about the end user installing it? Or do they
just come to you and say, fix my problem so I don't have to think about it again, and I don't want... are they telling you, help us lock down your device? Are you having to push back with your clients about that? Yes and no. I think that what a lot of the people that I have talked to, they understand that either this is the right thing to do, not necessarily for moral or ethical reasons, but for entirely selfish reasons. You see this kind of in, like, some of the EU things with Gaia-X, where they want privacy and open firmware all the way down to the chip level, because they don't necessarily trust closed binaries, closed blobs on the chip. You don't trust that. So I think that from a lot of folks, you know, it's coming from either a "I never want to get that email from Bradley" or "I never want to do this where I get kind of called out for using open source software in my products and not doing it." So, like, most of the folks that are there aren't fighting us, like the ones that I'm dealing with, but, no, all asterisks that those are the folks who are coming to me already. So it's the ones that are coming to folks that are the ones that we worry about, right? They're the ones who either don't think that they have a problem or don't know that they have a problem. So the ones that I talk to are already on board. So, I mean, that brings me over to Davide, and probably ask the hardest question that just has to be asked, because Huawei is not a company that's known for its transparency. It's had some trouble with that. It's been accused of spying. It's been accused of doing things in the firmware that we in the free software world have always argued, well, if your software is free software, we can check and verify. Do you think that's going to be an argument going forward inside your company, to say, if you do this and allow the users to rebuild and reinstall the firmwares on Huawei devices? I would argue that it gives you a great answer to the problems that Huawei has faced, but I'd like to give you the opportunity
to kind of address that, and how do you connect up the transparency and other issues that Huawei has struggled with the freedom that is inherent in FOSS as you become a mature FOSS-adopting organization? I think the answer is all in, right? So it's Huawei in first person. Huawei can be considered a person, a juridical person, has been particularly hit by services being pulled off or pulled away for the nature of non-free services. So if a player in the industry feels that by using non-free software then your business is going to be impacted, then let's use free software, let's use open software. Not only that, if by using and by doing free software and participating in the community as an active open source citizen, now all of the bad marketing that I'm getting, it's going to go away, because I contribute first, I participate second. Now all of a sudden I'm using technology that everybody uses and contributing technology to the world. I'm not vendor locked in anymore. My brand, in terms of transparency, protection of IP, etc., etc., just gains value. I mean, all in. In essence, that's the reason why my group was created. In essence, that's why, after years and years and years of career in open source in many companies in the US, in Europe, Huawei came to me and said, listen, we're all in in here, the Open Source Technology Center in Europe, and be all in when it comes to open source, because it's good for us, is strategic, it's good for the world, so let's go for it, right? So I'm saying selfishly, selfishly, open source is really good, is the strategy, is the real strategy. Okay, well, we're coming towards the end of the session, and so to make sure that everybody gets a chance to say what they want to say, I want to go through and give everybody a minute or so to say whatever, something I didn't ask as moderator that you really want to make sure we covered, what you wanted to bring up. And I've been keeping track, people have seen me looking over to their side, about time. Miriam's had the least amount of
time to speak, so I'm going to start with Miriam. Is there anything you wanted to say about FOSS compliance that we didn't get to? Yeah, one point I had been meaning to make before, when you were asking John and Pidge, actually. I think one thing that, one development that I really like is that companies are looking a lot more into contributing back and getting engaged into open source software projects, not only using but also looking at the other side. I think for many companies that's still a bit harder, to look into that and to figure out, you know, where do I get engaged, what makes sense, where do I put my teams, what do I look at. But it's happening a lot more, and at least we do get a lot more questions around that, and I think that's a good development in this space. Thank you. So John, do you have anything that we didn't cover that you wanted to make sure was brought up? Yeah, I think that, you know, we're talking about compliance and in particular with copyleft, and I know that a lot of people are talking about sustainability right now when it comes to the free software that they depend on, you know, learning that the projects they depend on are maybe only maintained actively by a couple of people and are in a kind of precarious situation. And I just want to emphasize how important we think copyleft is to sustainability. You know, copyleft is the thing that ensures that free software will be getting more free software, as opposed to, you know, more permissive licenses that put software out there that can then just be used to get proprietary software to market quicker, and that really undermines the sustainability of the whole system that businesses are being built on. So that was one thing I wanted to make sure was out there. And I just wanted to just offer our help at the FSF. And we do our best to maintain good kind of best practice documentation, which helps establish community norms and make all this a lot clearer for people, and we do a lot of kind of unsung work for improving
licensing hygiene and the projects that we notice. We even did a little bit with BigBlueButton, actually, that helped them clean up a few things with their licenses. So, you know, we're here to help, and you can always contact us at licensing.fsf.org. And I just want to encourage everybody to, as far as you can, push the envelope as far as you can. You know, don't lock down the device even if you think you might be able to get away with it. Embrace the idea that people can do creative things with your products that will then probably benefit you in the long run as well, as well as just being a socially responsible thing to do. And I can't help but jump in to say that free software builds for devices make the devices' life last longer, and it's fewer devices ending up in landfills, which is another type of sustainability problem. And I want to go to Pidge, ask if there's anything you wanted to add to it, I didn't ask, or something about FOSS compliance you wanted to tell everybody? No, but I do want to second that, in that if you are using open source and building a business on open source, it makes absolutely no sense from a business perspective to starve open source. So if you are using a lot of open source and not contributing back, either financially or patches welcome, start doing that now, because, you know, it is a business sense thing. It just makes business sense. That, on top of that, if I'm relying on things that, from a security perspective, that there's three people who work on the project and only one of them is getting paid to work on the project, that's an issue. And as open source, we need to get the larger utilizers of open source to start contributing back more and more. Davide, anything you wanted to make sure we covered that I didn't ask about?
No, I think you asked all the hard questions, you gave me a chance to reply, so it's great. So I'm just going to complement what was just said. When it comes to contributing open source software, it's, so, business and ecosystems are created for, ecosystems created for business reasons. I mean, companies get together because there's a business sense. But because there's a business sense, mature organizations measure the number or the efficiency of a project in terms of decreasing contributions or increasing contribution, meaning if I'm the first to start a project and I get a second partner, third partner, fourth partner, and contributing 70%, 80%, over time I want to see that going down. I want to see that evenly distributed, because if it's not evenly distributed, A, I'm the bolio ecosystem, it's not open, I'm dominant, it's not good for marketing, and it's not efficient for me. So back to mature organization, it's about contribution, it's about being all in, and it's about sharing this burden together, of contributing together and building something together. So that's how businesses think if they're mature enough. Thank you all so much for being here. I'm going to go round, roundabout with everybody one last time and just give you a chance to say any URL or project that you want to promote to have people to look for further information. I'll start with Miriam, anything you want to promote or ask people to take a look at? We actually had to have at least one time someone saying you are mute now. Sorry about that. Sorry, now I have to think. There is actually a GDPR project that is open source. I think it's the French, the French authority that's putting out a lot of open source software around GDPR compliance, so maybe plug them, because I think it's a good idea to do that. John, is there anything you want to give, a URL or something to promote for folks to take a look at? Oh, he's on mute now too. Second time. Yeah, I think maybe just, we will actually have an announcement shortly about a continuing legal
education series online to go with our conference LibrePlanet in March, and that's one place where we try to help lawyers, especially from corporations, advance their skills in this area and also get to spend some time talking with each other. If we're going to do an online version of that shortly, just watch fsf.org for more information. Pidge, anything you want to promote as we wrap up? Yocto Project, as always, because I have to. But also I'm working on a new project called Network Grade Linux. It's going to be announced in a few weeks, but look for that coming out soon. And Davide, you get the last word. Anything you want to promote that you're working on that you want folks to take a look at? Yocto Project, Zephyr Project, Linux Foundation, Eclipse Foundation, Free Software Foundation, OpenHarmony. You guys have funded FOSDEM, and that's it. You guys keep up the good work. This is going somewhere. I want to thank all our panelists for doing this difficult, difficult remote panel, and we're so glad that you joined us, and we hope that next year in Brussels we'll all be together and be able to go out to dinner after our panel then. Thank you all for being here. Thanks, Brad. Thank you, Brad. Goodbye guys, it was a pleasure.