Thank you so much for joining this panel session. So of course the topic, and I hope that you have seen my lightning talk, is about the European Union Cyber Resilience Act, and we are super lucky to have three very experienced people here. First of all we have the executive director of the Python Software Foundation, Deb Nicholson. And we have Ciarán, sorry, Ciarán O'Riordan, the senior policy advisor of OpenForum Europe, and Jannis Leidel, who is the founder of the Python Packaging Authority and also on the PSF board, and also he's a very experienced maintainer. So thank you so much to our panelists. Thank you. Should we also say Cheuk Ting Ho, who is here as a PSF board member and a volunteer and Python enthusiast? Yes, I'm a Python enthusiast, I'll take that. Python. Sorry. So yeah, like you can see, we are very relaxed here. I think what we will do today is that I will start with some questions to ask our panelists about the Cyber Resilience Act. I know that you all have a lot of concerns about it. We'll open the floor after some questions; if you still have more questions you want to ask, come to the mic in the middle here, then you can ask the panelists questions. If there's not even enough time, we would actually have an open space where we would have a more informal, not conference-style discussion. It will be more like, you know, a sitting-in-a-circle-and-chatting kind of format. So, what does that do? I want to ask the first question. So for people who don't know the Cyber Resilience Act: why do we care about this? What is it about and how can it affect the community? Especially the Python one.
I feel strongly that you should start. Okay, I'm elected by circumstance. So the CRA is the latest legal problem that has been proposed for free and open source software. So we've had software patents, and then we've had copyright directives, then we've had patent courts, and then we've had platform regulations, and we've had a new copyright directive again. And we always worked on these different things and we built up different amounts of expertise in these topics, and then suddenly the Cyber Resilience Act. And it's all about creating liabilities or obligations. And it was difficult to find who's going to work on this, because when you ask who's the copyright expert, there is somebody attached to that, and who's the patents expert; but when you ask who's the regulation expert or who's the liability expert, it's just a shrug of the shoulders. So we in OpenForum Europe, we've been working on this since last year, since early last year. The Commission put out a call for input. We responded to that. Then the Commission published the actual text in September and we were initially quite surprised. We didn't really expect it to be so invasive or so difficult to comply with, and when we saw the text, we just thought it was a ridiculous idea that you could put all these obligations, because what they said was: if you're supplying software, then you have to complete 26 different obligations. For example, you have to confirm that the software has security in mind during the development stage. You have to confirm that there are zero known exploitable vulnerabilities. You have to confirm that there's a way to contact the users if you find a security bug so that you can inform them. You have to agree to provide five years of security updates for the software. And so when we saw all these obligations, we thought, you know, of all the different types of people who write free and open source software, and we thought there's no way you can apply this. Everyone is going to hate this legislation.
We're going to build a big coalition. We're going to get rid of this thing. Then we looked around to make this coalition. We looked at our usual allies, people like small businesses and privacy organizations, digital rights, and we found that they loved it. They thought, wow, free cybersecurity, this is going to be great. Who's left working on all this, who's going to fund it all? That's, you know, all these non-profits and foundations and SMEs and diverse communities. So the problem began with the idea that they took some product-liability-led regulations and they transposed that, changed everything to software and said we're going to do the same thing. This is the first thing that made it incompatible with free and open source software. The second was the idea that they thought they could put all the responsibilities on the person who knows the software the best, the distributor, because they thought that the developer and the distributor is usually the same person. And for proprietary software that's true; for free software that's almost never true. So this is why we have this text now, which would place an absurd number of obligations on free software developers, contributors, projects, foundations, non-profits, SMEs. And we are trying to change small parts of this text to fix our problems, because there are so many people in favor of the text that we can't make big changes. And this is the latest problem. So this is the situation.
We're now... there are many different versions of the text. It's difficult to say exactly what the CRA does because the Council works on it and the Parliament works on it and the Commission works on it, and their opinions change from month to month. But in general the idea is to put regulations on anyone who publishes or supplies software. And so this would be a first: software was always considered to be like literature; it was freedom of expression, a right to publish, was just a generality. And this is for the first time now that publishing software will be: you can publish software if you comply with these 26 things. And so this is a new legislative problem. It's being rushed through the legislative process, and we're trying to fix it while it's moving at 90 miles an hour, but we're making progress.

Well, and I think particularly for the Python community the problem is that the legislation doesn't make a good distinction between someone who sells a commercial product as a distributor and someone who provides a huge packaging index, for instance, for people to download stuff free of cost. And so there's not a good distinction between public repositories of code that might eventually end up in somebody else's commercial product and someone who is just providing software as a commercial product. And that's, like, for the PSF's interests, what we've been focusing on a lot. There are some other things that we don't love, but the repository is probably top of mind for the PSF. I mean, even if we could get out of our obligation, our now weirdly imposed obligation for other people's products as the maintainer of our repository, we also don't really want to pass that liability on to individual maintainers and small projects and hobbyists and be like, oh hey, the PSF isn't going to cover your liability, we want you as an individual contributor to do that.
So we don't love that either. So those are kind of the two categories of things. I think it's also worth noting that some of the ways that the law is organized don't even really do a great job of encouraging the kind of security that it does promise. So that's also not great.

I just wanted to add to that, you know, looking from the maintainer side. And of course I do also have the perspective from the PSF, which cares about community health, growing something and catering to all users of Python. There's also this, and I'm just looking at this crowd here: like, how many of you are doing this, like, you're doing Python as a hobby or started out as hobbyists? Can I raise my hand? Okay, so this is the thing, that's how I started as well. And I always feel like, how can my hobby suddenly become this highly regulated thing from a government body that I am really, really far removed from? And I think it's a really, really tricky thing. And honestly it moves the PSF in particular, but also many other businesses that are using Python, to figure out a way to work with us, to be honest. I also wanted to add, from a technical perspective, I also want to recognize we do need some way to handle cybersecurity threats. I think that's out of the question; nobody wants to carry that pager if a bank is broken into or something like this, bad example, but my point is I do think that is a problem that, if we are not actively working towards a solution, will basically not solve itself. It's literally our job as a community to figure it out. Anyway, thanks.

Yeah, so it's kind of a very important thing that the CRA would affect us. But when I look at the document, it actually has been going on for a while. So what's the stage right now? What can we do? What's the latest update?
Maybe Ciarán can tell us again. So we had two votes this week, but okay, I'll explain very briefly the legislative process. The Commission writes the legislative proposals behind closed doors, in theory with nobody interacting with them. They do ask for input, and then they take this inside, behind closed doors again, and read the input. They publish the first draft, the proposal; they give it to the Parliament, which is 705 MEPs that are directly elected, and they give it to the Council, which is a representative of each of the governments of the 27 member states. So the Parliament and the Council then in parallel work on how they think it should be improved, and once they've finished improving the text they get back together and the Commission rejoins, and the three of them sit down. It's called the trilogues, and then they try and make a compromise which matches somewhat all three texts. So we've just finished the phase now where the Parliament and the Council were working on their texts; they've now adopted their texts. There's a tiny chance that the Parliament could come back into the system, but it's unlikely. But so at this stage we still have to try to work with whoever from each of these three institutions will then go into the trilogue negotiations, and whatever the good parts of their text are, we hope that they'll stand firm and make sure that they stay in there. And then the parts that we never really liked anyway, we'll try and make sure that, well, you know, you can let that one drop in negotiations if need be. So there's still a bit of work to do on the CRA. At the same time, if you turn that into kind of a meta question: the CRA is the thing that the journalists are talking about at the moment, but at the same time there's the Product Liability Directive, which is almost the same thing, except that it says if your software causes harm you are liable even if you haven't committed any fault, for example negligence. And this is happening with a delay of about one or two months. Okay, so it's a little bit later. At the same time, after this the AI Act is almost finished and they're already working on the AI Liability Directive. So this is going to be more of the same, more liability and obligations. We also have a child safety online act which we worried was going to ban end-to-end encryption, because they're going to try and scan all the platforms. And now we see that the people who are actually standing up for end-to-end encryption are proposing other things, for example age verification if you want to access dangerous software such as chat software which could be used for grooming. And how would this age verification requirement affect a software repository, for example Python's or Debian's or whoever else's? And geo-blocking is being discussed. I haven't even looked into the content of that one. There are so many different things. And we are able to work on the CRA now very effectively because we started in December. And so there is work still to be done on the CRA, but also as a community we need to be more involved in the general work of what's happening now on AI liability, so when the journalists are talking about it in eight months' time, we're already working on it.

I would add that one thing we like to do in the US, where I live, is borrow legislation from Europe, because it means we don't have to do as much work, I guess, and then run it through a filter of our own people that don't understand software and then try and pass that in the US. So yeah, if you don't live in Europe, there will still be a very irritating, detailed piece of legislation to deal with.

Plus there were already some executive orders in the US related to supply chain security.
Oh yeah, we already have some terrible... it's kind of a perfect storm, kind of. Yeah, when they first started doing free software we didn't have to really care about policy, because we didn't have enough politicians that understood software enough to even try to regulate it. And now they've gotten a little bit of the way there and decided they should be regulating it, but yeah, there's still no understanding of it.

So one thing that I found interesting while studying how the US is handling it is that they have a standards body like NIST doing this, and they are actually asking and going out to the technology scene: so what are your best practices before we codify something that is just incredibly hard to make happen for regular engineers or software engineers? They basically sat down and wrote down, you know, what is expected, including vulnerability reports and things that we already very often do anyway. So that's where, for example, I feel like we as a software engineering community could say, well, how do we find that similar body of standardization in the EU, so that we can tell them early enough, like, hey, this is what we're already doing, why not just put this into regulation so it is actually practical and doable, instead of, you know, it's so painful to implement later?

Yeah, so I can see that in the audience there are already some questions coming up. So maybe we can let someone in the audience ask the questions.

Hi. The basis or the goal of the CRA is to hold vendors accountable for security in their software. Personally, I think that is a good thing. Do you agree with that?

Oh yeah, for sure.
Um, I think where we diverge is what constitutes a vendor of software. And that's where the CRA is really muddying the lines, and sort of what Ciarán talked about, where in proprietary software the creator of the software and the person who is receiving money from a consumer is the same entity. And that's just not the case with open source. And in fact, you don't have to tell anyone that you've used their software and put it in a product.

So, if I understand correctly, in the current draft there is an exception for free and open source non-commercial software. So, but that's the thing, right? So there is this big gray area of what constitutes free and open source software, and where does it become commercial? At the same time, you're talking about, okay, is it developers versus distributors, which is also a gray area sometimes. So where in your opinion should that line be? At what point should you be held accountable and at what point should you just be, um, considered free open source software?

Can I answer this from the maintainer side? Because I want to say that I think none of us as private people that work on software should be liable for five years to patch security vulnerabilities. It's just, I think it's not practical, frankly. And I think it would kind of stimulate the whole effort of the free and open source ecosystem as such, as essentially my fear is that it would prevent new generations of maintainers and software engineers from entering our ecosystem. Which is, by the way, basically preventing the job market from being provided with people as well.
Like, it's, I think, a shooting-yourself-in-the-foot kind of scenario.

Well, and it also makes it a lot easier for five to seven companies to be in charge of all software that gets written, and if you want to work on software and get paid for it, you have to join with those companies. Like, that's not a good outcome for anyone. I would add also that I think the language about what constitutes commercial is pretty muddy and in some places possibly contradictory in some of the current drafts. So some of it is like, oh, if you have contributors that work at a company where they get paid, which definitely includes the Python programming language. And then there's some other language about if you get recurring donations. And so I'll tell you right now, as a person in charge of a nonprofit: I like that the donations are recurring as opposed to haphazard, but they're not guaranteed and they don't get to tell us what to do. So like that is another place that sort of hits right at the kind of organization that the PSF is and how we provide Python, right?

So at the same time, um, sorry by the way, at the same time you also don't want, for example, a vendor that doesn't want to be held accountable, like, okay, well now I just published my software on GitHub and now I'm all free and open source software, so everything is fine, I don't have to do any of this liability, accountability, right?

So the publishing of the software is the wrong place to attach liability; the sale of a product is probably the correct place. And I think probably everyone agrees that if you are selling a product, it shouldn't be junk. It shouldn't show all your information to the whole internet at some surprise interval from after you buy it to the end of life. I don't think anyone disagrees on that.
It's the publishing that is the wrong place to place liability.

I would add that I wouldn't say that the vendor should be liable across the board, because there's also the thing the people have touched on already. It's this developer chain idea, that you don't get to be a Red Hat without having first gone through the 90s. And the thing is, when you think about a software project, and an SME develops a small package, and they could do a CRA on that, and the SME gets bigger and the software gets bigger, and that kind of matches. But that's not the way free software businesses work. Like, the Linux kernel started in 1991; by 1997, I can't remember, it was two million, three million lines of code. At that point Red Hat hired Alan Cox to start working on the kernel. And I haven't read the history of Red Hat, but I presume they must have been selling their GNU/Linux distribution at the time. So the thing is, I don't think that Red Hat would have started off as a startup or an SME. And would it be reasonable for them to say:
If you want to distribute a complete GNU/Linux operating system, you have to do a CRA audit of the entire thing. And so nowadays, if somebody wanted... like, you know, nowadays maybe a Red Hat or a SUSE or, you know, I don't know who else can do this, maybe they can do it. But the smaller distros who aim to become that size someday, it's very difficult for them to come along, because I now believe, I think the kernel is 26 million lines of code, and the kernel is something like three percent of an actual GNU/Linux distribution when you add not just the operating system but all the archived software with it. So the idea of telling a startup that if they want to produce a customized distribution and sell it, they're going to have to do a CRA audit on a few hundred million lines of code, that's also not going to help grow the free software business ecosystem, which we also need to flourish.

All right, next question.

Yeah, hi. So my question is a bit applied, I guess. So there's a regulation, and there's just the practicality of actually enforcing it. And I'm having this example of, like, GDPR, which came a while back, and as far as I know the regulator actually went after the big tech giants, and everybody else is not really being regulated. So is there anything known already about how this will actually be applied to just hobby developers?

I mean, so in some sense, when legislation is drafted, we kind of know nothing about how it will be attempted to be implemented. There is a process where each country will make some kind of plan, I think. Well, they won't have to implement the legislation, because it's a regulation, so it applies immediately to all the countries in the EU when it comes into force in three years' time. But yeah, I think the actual way it will affect the market will be in stages, because the obligations are so enormous that on day one people will have to make a decision: do I turn off downloads to the EU?
I don't think people are going to do that. Or do I just keep whistling along and pretend that I think I'm exempt from this? And so that'll work for a lot of individuals, a lot of projects, maybe some foundations. The public sector, I think, would be the first quadrant that will... they're the risk-averse and squeaky clean, and so I think they'll be the first ones to get very nervous about contributing upstream, which we've been trying to get them to do for 10 years, and we're finally making progress on this, and now somebody's going to come along and say, well, now you have to clear it with your boss and make sure, you know, that they clear that you can send this code upstream and that you've checked whether it gives you any obligations. So we're going to have that. And then the next group of people who are going to pay attention to the CRA will be the budget maintainers, because then they're going to realize, hey, I've been growing my community and I've got this great, diverse, large contributor base, but I don't have a contractual relationship with any of these people. I don't have the authority to tell any of these people, you know, make sure you're doing your security audits. And so projects are going to get nervous then about accepting third-party code, and so I think we're going to have a reduction in the number of contributors per project. And yeah, this is going to lead to a lot less diversity, which is very unfortunate, because the diversity in free and open source software is how we get our resilience, how we make sure that one company dying doesn't kill the seven other companies who are also involved, or, you know, if we fall out with that country over there, then we can thumb our nose at them anyway, because we already have some experts in our own region. And so that's, yeah, it's going to come in bit by bit.

All right, thanks. All right, next question.

Hi. Well, I think that one of the actual tasks is very problematic. On our side, our communities do not have a clear vision of what we want or how we would shape a regulation to improve cybersecurity, and I think that this is one issue. Again, I think the CRA is flawed. There are some points that should be taken into account. I think that in general it is true that vendors of products tend to underestimate, or not invest, they don't invest enough in improving the security of software. And another point that is considered by the general audience is that when you get your phone, whatever the product, open source or not, for example the operating system, somebody considers the fact that the operating system is provided as is, not a choice of the user but a choice of the vendor, in the sense that, okay, I give you the phone, you're paying for the phone, whatever you find on this phone, the software, I'll provide it to you as is. So if there are flaws, the software creates issues, well, you are buying it as is, so it's not my fault. And one of the considerations the impact assessment made, the impact assessment for the CRA made, was that there is little investment in providing continuous security on devices with embedded software, and on the other side there are huge gains made by companies, large companies, providing those devices. So I agree that the main flaw of the CRA is the one that it considers every software developer a manufacturer, and this is not correct. Probably if they had restricted the area of application of the regulation it would surely have been better. On the other side, when, sorry, I don't remember your name, Cheuk or Jannis or Ciarán... Jannis. Okay, when, as in the USA there is NIST that asks for assessments and actually makes checks, in the European Commission there are studies, there are agencies. This does not guarantee that lawmakers actually read all of the impact assessment.
In fact, the impact assessment for the CRA has a focus on large market actors, and it warns about micro enterprises, but these have not been considered in the proposal they made, as I have read. So the point is not the capacity of these institutions to create impact assessment studies, but the problem is how capable lawmakers are of understanding those impact assessments. And another issue that should be considered... Sorry. We'll be okay. One question, one question only. Okay, we can discuss later as well.

Yeah, I would say on your first point, I don't think you'll find anyone on this stage that is opposed to a fully free software phone. If you want to build that, especially if you want to build it in Python, I'd love to see it. On your more recent point, that it is annoying that lawmakers don't understand how software gets made but still get to legislate it, again, I don't think anyone disagrees on that. Should we be doing more education? I think, Ciarán, you're sort of advocating that we should be regular participants in these conversations on legislation around software, because this is just going to keep coming. So I don't know if you want to add to that.

Yeah, it's something we still need to get more organized on, and this is something that, in the last few weeks, we've had a few people contact us and say, you know, we've heard about the CRA, what can we do? And I've had developers and I've had companies and I've had even a private individual who wants to finance something, and, you know, what can we do? It's very difficult at that stage to get the person up to speed and to find something. You know, we don't really have a mentoring program. It's, like, if you want to do policy, it's very much fake it till you make it.
It's, you know, learn by doing, if you want to use a nicer word. But there's a small number of people who are doing this, and there's no spare capacity to then, you know, work on onboarding more people the week before the vote. So this is something we have to be thinking about, you know, 12 months beforehand, five years beforehand and 10 years beforehand. We have to have a vision. Like, the reason a badly crafted text like the CRA appears is because somebody didn't understand the situation two years ago or three years ago. And Deb mentioned the thing about recurring donations being a problem. Like, this is every non-profit: to be stable, what you look for is recurring donations. But the other piece of text I love is that there's an exemption in one of the texts for non-profits who make occasional supply of software. I don't know whose software servers are online occasionally here. Yeah, we're going to turn PyPI off on Wednesdays. Alternate Wednesdays, just to keep it... Who writes this, you know? So this is the thing: we have to work on education, and it's a long-term thing. We have to just keep on repeating the same message again and again, and then eventually sometimes something does click, and there are a few people in the Parliament, be they elected or be they the assistants of the elected people, who do understand these things, and they're really helpful, and we work with them. And the only reason they can work with us is because they have a relationship with us and they can trust us to be a partner on this. And this is something that you work on and you build up over time. And we just need to get more organized and bigger.

With my PSF board hat on, I want to say what I'm hearing is this is a matter of sustainability, basically. We need to build that policy work into our mission statement for the foundation, continuously putting funds or people behind it, or at least supporting those that are doing the work, essentially. That seems to be not going away, you know.

As I said earlier, I think protecting the Python ecosystem is already in our mission, and this would be one way that we now have to do it that we didn't know about a couple of years ago. Exactly.

So, next question.

Hi, um, so I'm an open source maintainer. I was just looking at the license, which is a BSD-2 license, on my open source software, and it says, you know, this is provided as is, you know, I'm not liable for anything that might happen to you if you use it. I'm just wondering, if this does go through in its current form, what's going to happen to all those licenses? Do we have to come up with new licenses? Are they just unenforceable? Like, what's even going on with that?

I mean, in general you can't take a piece of legislation and then write a carve-out for yourself. So I think the way that they'll interact is that the legislation will overrule the license, unfortunately, in Europe, which is messy because they're intended to be global licenses. Yeah, I don't know if you want to add to that. No, that's it. Yeah, that's... Law trumps contract. Yeah, nobody... Yeah.
So it's, yeah, like, I couldn't say, oh, it's illegal to steal stuff, and, like, oh, I wrote a license where I can steal stuff. Yeah. Because when I make it ridiculous it becomes more clear, I guess. Or like maybe selling a car with no safety features, and then you get the purchaser to sign a statement saying, but I wanted it that way. Yeah. Thanks.

I suppose I had a couple of questions, but my second was actually going to be very much related to the previous question. I take it indemnity clauses wouldn't do anything for us. But just, I suppose, one little issue. I mean, if vendors are supposed to be liable for providing security updates for five years, if we imagine, say, commercial providers such as mobile phone providers, what about the possibility they just set up some small company that they just kill after they don't want to support it anymore, and there's no one left to support it? It sounds like, I mean, how would they enforce it in the case where the vendor was shut down? That's assuming it's in bad faith, and even in good faith, where someone just goes out of business because they can't run it anymore. What then?

Usually that gets covered by the legal system in general. We had this discussion as well with, you know, various software licenses, and usually a judge will see through any phony attempts to just put all your obligations in a company, and if it happens to die, my obligations disappear. So that's usually handled in the legal system more generally. Yeah, it could happen in a good-faith way, but it's rare.
This isn't going to be the major issue of the CRA.

Hi, um, just a quick point. You know, from what we've all been talking about, and what one gentleman did just mention was the fact that you guys have not had a chance to be able to get up to speed on a lot of this stuff, because you've just been pretty much side-swiped with this thing. You know, it wasn't what you put your original information in. The point I'm making is, do you think it's a point that the Python Software Foundation might actually, as you were saying, this is all news to us and we don't have people that we mentor to be able to do regulation stuff, legal regulation. Do you think that might be a thrust for the PSF?

It already has. So we're now a founding member of the Open Policy Alliance, which does some similar but not quite overlapping work in the US on policy, and that's organized by the Open Source Initiative. So that is a body of community-driven, like, charitable organizations that create software, coming together and listening for legislation that we have to pay attention to in the US that's coming, and then we'll be discussing it in common and then making statements about parts that we're worried about, et cetera, et cetera. So yeah, and that was just, that was in between when OFE started working on this and today. So that was just announced like two weeks ago. Yeah. So, and I will say publicly, so you can hold me to it, we're going to keep participating in the OpenForum Europe conversations, because I think that's really important. I think the work you're doing is great, and the way that you stepped up on this issue that seemingly no one was in charge of before last year has been really good, and it's done a really great job of convening people and driving the process of, you know, kind of synthesizing community input from free and open source software and making that, like, you know, digestible for legislators.
So we're going to be continuing to participate in those conversations.

Hi, and thanks for all this work that you're doing. Back to the licensing stuff: what about when you contribute to a project where you have to sign a contributor licensing agreement, where you give up, obviously or terry kelly, everything?

Yeah, so that kind of gets back to the other point: I don't want PyPI to be on the hook for liability for every product that includes some piece of code that got incorporated from a free download, but I also don't want to pass it along via a contributor licensing agreement to the people who are providing code for free either. So we could do that, but it seems like a pretty terrible solution to me. The PSF has some hope of maybe figuring out what to do about these things, but an individual contributor just has "take the package down"; that's your best option. You provided several hundreds of hours of work for free, and you're not getting paid for it, so you would just take the package down. So, yeah, I don't think we'll be passing that liability along via a CLA.

Hi, thank you for everything you guys are doing. My question has to do with how we have labor laws today, which were an effect of going on strike. Right now it's great to talk and keep the dialogue open, but if it does fall on deaf ears, perhaps seeing what it would actually be like, Europe without access to all this open source software?

I have an opinion on this, because again, I truly believe that the activist-like nature of the free and open source ecosystem is a key element of it. As I said, that's what's actually under threat here. And as with any other struggle at the societal level, I think it moves us to then consider other options.

Absolutely agree.
I think if we are not heard, or if there are really unnecessary regulations put on us, it's appropriate to think about it then, yes.

Well, and if it comes down to taking PyPI down entirely, or taking it down for Europe, if that's what is on the table... I hope that's not what ends up on the table. But, yeah, that would not be a good day for anyone, I think.

No, that would be a terrible day. And when you discuss some other terrible things, like, could we change the license on everything on the package index and Python to say it's not for commercial use? Sure, but it wouldn't be open source anymore. So that would also not be a good solution.

Imagine having a PyPI just for Europe, but with no other software allowed on it. I think there are many, many different bad ideas going on here. I think what we should focus on first is trying to get into a dialogue, right? Let's find out whether we can actually make a dent there, and I think that's tricky, as we know. But then I think the trick is to continuously be up to date and continuously reflect on what's going on there. There are many, many people involved with this process, and even for those that are working in the field it's hard to stay afloat.

Yeah. So, as you said, the upshot of the legislation is that it doesn't leave us with a lot of great options at the current state of the text and the current thinking on how that would be implemented.

So I have a question. I know that the people who are more involved and more aware of this are maybe maintainers or contributors. What about normal open source
software users? What effect would this regulation have on them? Maybe they're not writing the code in the software, but they're using it. Maybe not directly, but indirectly, what will happen to them?

Well, if, as we were talking about, this legislation creates a chilling effect on small or less affiliated contributors, then the richness of the software that is offered, the robustness, having it be resilient enough to have been tried in a bunch of different places by different actors, is going to be diminished. And if we keep seeing legislation that makes it impossible for small businesses, individuals, hobbyists, and academics to participate in the creation of software, we're going to end up in one of those terrible dystopian novels where three companies control everything and you just have to work for them or starve in the desert with cyber coyotes or something. That's way down the road, probably not in the five-year window, just FYI.

There are also some strange effects. For example, if a company is marketing a certain piece of hardware outside of the EU and providing software updates, but they haven't marketed it in the EU, then they won't be doing a CRA update or CRA audit or CRA compliance procedure. And so if somebody outside the EU buys a device and then comes back into the EU, they'll find they're no longer receiving software updates, so the software they're using will just accumulate security vulnerabilities, and they will be forced to use this outdated, insecure version of the software because of the CRA. So this also shows the level, or the approach, that was taken in terms of "How do we improve the security of software? Well, we write a law saying that software should be secure."

Yeah, I find that incredible, because it kind of puts the whole thing on its head, right?
We as software developers, by our own... we don't want to carry the pager and we don't want to be liable in a situation... We do care about software security; we do care about best practices in this. But if we are basically forced, and then accidentally create this area, like an EU where these things are not continuously maintained, that's just such a horrible idea. And honestly, for end users, my guess is that because of this scenario it would then prevent more choice. I think we all know this innovation cycle: each new project creates a new idea in the larger community, and this cycle where someone else might want to do it differently. I think that's what I'm afraid of: that suddenly we have this chilling effect and effectively stop great innovation in Python. That's super scary for me.

Question: I'm just wondering if there's an option on the table to have it opt-in, so people could essentially get accredited for a piece of software to say, "I'm complying with these regulations," so that it comes with a greater degree of support. Is that something that anyone's talking about?
I think in some ways that is already done. If you think about it as a software engineer, the CI/CD patterns where you basically have a proven, reproducible process for how you create the software and ship it, and then basically verify that what is actually used by the user is what is expected, I think that's one of those best practices that has already been done for years and years. Whether there should be a kind of badge of approval, like "Yes, I've gone through the CI/CD" or something like that, I find that a little bit weird, frankly, because it would imply that we have an ever-running list of things that we have to achieve just to do the things that we basically did without that approval before. In other words, I see all those best practices as something of an engineering problem, something we should strive for as an engineering craft, instead of forcing this through a regulatory process.

Yeah, and I was going to say, I think we're also working on raising the standard of security best practice that's available to projects that want that. We just hired Seth Larson to work on a whole security audit of CPython and PyPI and make recommendations, and some of the things that are on the table there are helping community members who want to make their software more secure do that. But the one-size-fits-all thing just doesn't make that much sense. Five years of support for "Oh, I made this thing that organizes my wine cellar for fun"? Have at it; it doesn't really make so much sense.

One other example that I just want to highlight: one of the items in the list that is on the table was reporting security vulnerabilities within 24 hours to a standards body, to an EU institution, to be able to mitigate it, instead of following the best practice of responsible disclosure and fixing it basically before you
tell the public about it, stuff like that. That's just not practical, frankly.

No, 24 hours is barely our response time generally at the PSF, because I like people to be able to not work on Saturdays and Sundays.

Exactly. So, actually, the idea of making it optional was something we discussed in January and February, and we discussed this with some of the policy makers, and they just said, "No, no, we want everything." But it's unfortunate, because there are actually some really great models that could emerge if it was optional. You could have an optional model in a blended kind of way. For example, you could say if you do all these compliance activities, then you get this stamp that you can put on your product. And then you could also say governments can only use software that is certified, and companies over a certain size, companies that are categorized as very large platforms, who are processing a certain volume of personal data, for example, can only use certified software. And then you'd find that, first off, the governments would be much smarter in writing the law because they'd have to live with it, but also you'd find that it would then be in the interest of the biggest companies to finance the securing of all this free software, which they should be doing because they're using it, and in general they are contributing, but not proportionately to their size.

I just want to say that that is essentially the sustainability problem of open source after all, right? If it's hard for hobbyists and small groups of people or projects to keep the lights on to cater to the security needs there, that's the same thing as finding new people, basically recruiting others from the community to continue the maintenance.
In other words, yes, it's great if big companies put money on it and start to help with maintenance, such as of CPython itself, as we know. But if this exact same structure is then applied to just a five-person team doing their thing in their free time, that's just so weird. I don't understand that.

My question is: do you think there is a way for us to have a conversation about these different types of groups of users, and how can we influence the conversation, recognizing the incredible diversity of makers and users in the open source ecosystem? Sorry for asking a question.

Yeah, I think this is something we looked into a few months ago, but one of the problems is just that it so happens that there are elections next year in May for the Parliament, and there's going to be a new Commission at the same time. And so once it comes to January, all the politicians are in election mode; they're not going to be thinking about legislation anymore. So at the moment there's a big rush to get every single file that's half finished a bit more finished, to get all these things done, for practical reasons, so that it doesn't spill over into the next legislature, but also so you can take credit for the bit of work that has been done. And so the thing is, in some periods this might be possible.
We can go down to the fundamentals and start on the education about the real core issues. But for the CRA, unfortunately, we had to deal with it as the deadlines were just getting closer and closer, and the chance of delay was very low. So this is something we are working on already, to try and inform the policy makers who will make up the next legislature. We're getting ready certain efforts that we'll do before next May, in the hope that we can be ready to educate the coming legislature. But, yeah, this is just an ongoing process, and sometimes we have a little bit more time to do it; right now we've got a little bit less time to do it.

Kieran, what's the mailing list for people to stay up to date on this stuff with OFE, the community one?

There are a few mailing lists at this stage. One of the issues with policy, and this is quite different from free software development in general: in free software development it's publish early, publish often, do everything out in the open, maximum transparency. Anyone can submit a pull request and you can accept it or not, and this maximum openness works very well for software development. In policy, unfortunately, we have to deal with, like, we receive documents
that we shouldn't have received, or that we were not allowed to share with other people. And so there are things that we receive and we can't put on a public list, and then we have an internal list, and then once that gets to a certain size, all of a sudden this particular document is hyper-sensitive, so I'll give this to the five people who turned up to the last event. And so there are always these different layers, these different rings of people who are working on a project, once you get into policy. So actually that's another reason why it's difficult for somebody to come along a week before the vote and say, "Hey, show me the latest document, I want to comment on it." You really have to build up your work on the relationship with the policy makers, but also with each other, getting to know what everyone is good at, and their flaws, and what you can trust them with. And so this also takes time. So we have a public list, the FOSS community list on openforumeurope.org, that anyone can join. Then we have a CRA list, and we have other informal lists that have joined and formed, and there are other lists also being made and deprecated. It's a constantly evolving kind of thing. But people do get in contact, do join the public list. For example, we have a public call, usually once a month.
We're having an extra call now on Monday about the CRA, just with all the updates. So if you join that list, you get the calendar invites and then you can join these online video calls. This is the best way we've found, at least so far, to grow and yet keep it a manageable size. But we also have to grow the community in general. I know there's another foundation in Brussels that is also going to have a policy person soon. We are also expanding. OpenForum Europe is a think tank; we don't have members, but we do have supporters. We provide certain services, and so we try and grow this, but we also try and grow it in a way that builds on the relationships we have with the people we're going to work with. So, yeah, we hope you will join the public list, and then the more involved you get, the more lists you end up on, and hopefully that's a good thing.

Cool. Yeah, and you said earlier, in one of our conversations, that we wanted to see more small businesses, and it's hard because people working at small businesses, like small nonprofits, are also really, really busy. But if you work at a small Python business in Europe and you care about this stuff, you should sign up for that mailing list.

I was about to ask for the call to action. I think there are already some very good suggestions, but are there any other thoughts? As a Python community member, what can I do if I really do care about, not just the CRA, but the other policies coming in the future?

I think we talked about the PLD, we talked about the AI one, and then, secretly, weirdly, the child protection act turned out to have a lot of weird traps in it; I don't know if "traps" is the right word to use on a child protection act. Anyway, yeah, so there is more legislation coming. So, as Kieran noted, the week before the vote is unfortunately not the best time to get
involved, but you have lots more time on some of these upcoming pieces of legislation.

Yeah, I'm looking for that mailing list on your website and I cannot find it right now. Where can I find it? Is it on the participate page, maybe?

I can't see it under participate. I'll memorize the website for the next conference. All right, thanks. But if you Google "site:openforumeurope.org foss-community", I guess it'll pop up.

Okay, thanks. Or you could share it with the EuroPython tag on Mastodon and Twitter later. Yeah, I can help you publish it if you give it to me.

Because we are actually close to the end, one last question, and then we can move on to the open space if there are more discussions.

You mentioned a pessimistic world where three companies are basically developing all the software. I think a wise person once said "follow the money" and you can often find answers. Is it really just the European Commission or government officials that are pushing this agenda, or are there also businesses that would like to see something like this?

Hmm. I don't think so many of the businesses that are supporting pieces in the CRA that are counter to free and open source software have stood up to declare themselves so much. I really do think the thrust of the design here is, "Oh, these poor consumers," because there are more consumers than there are developers, so we should pass a nice law for them. That's really been the thrust. I don't think it is a Bourne Supremacy kind of level of conspiracy to create this world with just three companies and cyber wolves. I really do think it is a lot of unfortunate lack of understanding of how open source gets done. But if you want to share any thoughts on who you think is truly behind this, feel free.

You really want me to tell you? If you're allowed, are you allowed?
Or is this part of the inner circle?

So I'll just pretend I didn't understand the question; I'll talk about what I want to talk about. No, you see, the thing is: the texts we look at, sometimes we look at them and we think, okay, these were written by somebody who hasn't really understood our industry the way we understand it, and of course that would be very difficult. And then all of a sudden we get a really specific example from these same policy makers, and we're thinking, well, how did the person who wrote that text come up with this hyper-specific and quite technical example? So sometimes you do wonder who is whispering this in their ears. However, this is the sort of thing you might think about after work, but it's not all that useful, actually, when you're writing a letter. What you really have to focus on is education and building relationships with the policy makers. They have to see us as a trusted partner. They have to understand where we're coming from: that we have European innovation, European jobs, European business in mind. They have to believe that, and so we have to be transparent and we have to explain our motivations. And the better we can do that, then if, in theory, these examples are being whispered to them by a certain company, they would be in a better situation to critique what they're hearing. So we just have to keep working on relationships and education. That's way better than sharing conspiracy theories.

Okay, I think it's time to wrap up this panel session. Again, if you have more questions and a burning desire to express your opinion, we can move to the open space, and then we can have more discussion, not just asking questions, but maybe we can all sit together and discuss your concerns about these regulations and things like
that. But thank you so much to our panelists. Thank you.

Okay, so I will give the stage back to the volunteers and to the next session. Thank you.