 the second part of the day with the presentation by Justin Yu. Justin will be talking about inner source transformation, how Microsoft internally develops products and services. Enjoy the session and Justin, take it away. Hello everyone. Thanks for joining my session. So for over the next 25 minutes, I'm going to share how Microsoft the inner source culture and how it has changed the internal software development process. And please accept my apology in advance because I got the ankle injured, so I'd like to take a seat. OK. And if time allows, I will share my personal experience about transferring my open source projects to Microsoft. So let me introduce myself. I'm Justin from Microsoft as a principal cloud advocate. And these are my social media. So if you follow me on either on LinkedIn or GitHub, then you will be getting a lot of the open source, a lot of the news about the Microsoft open source cloud native and so on. And let's begin with this chart. So what does this chart look like? What does this chart look like? Oh, yeah. Yeah, everyone knows that. So that's right. So it's a share price history of Microsoft for over the last 35 years. So as you can see, it's not been very trading until 2014 or 2015, right? But from that year, from the 2015, something has happened to Microsoft. So what do you think it was? So what has made this kind of dramatic change, which is eight times higher than 10 years ago? Because the share price doesn't lie. So we can say that there must be something has changed within Microsoft for over the last 10 years. Now, we can bring up many reasons to explain that. But I think that the changes of the software development process have fundamentally transformed the organizational culture. So throughout this session, I'd like to share how the inner-source approach has transformed the internal Microsoft software development process. Then I'd like to share my personal experience as an open-source project maintainer to get supported by the engineers from Microsoft. So all of us here know that how important the open-source ecosystem is. And how open-source culture is. So let's start discussion with this. So whenever you are contributing any open-source project, you see these things all the time, right? So what sort of changes they have made? And what are the intentions of the change? And what kind of decision-making process they have do? And who would take care of those changes, right? We can see these things every time because it's just there. So what does this really mean to us? It's all about transparency, right? So we can't hide anything related to the code changes, except the recent xjet and the thing. But anyway, so it's not possible to hide those discussions at all. So if you want to, you can browse anything about the change through the code change history and code review and so on. So this is the real differentiator of an open-source project. And this is the unique factor of the open-source project. And how can we get this transparency? It's because an open-source project requires the collaborations between members. And in other words, throughout the open-source project, we work together with all members. And this working together itself is also open. Therefore, it has become a unique open-source culture. It looks like an ideal world. So many organizations tried to integrate this open-source culture with their organizational culture. But the most organizations met resistance, for example. People say within the organization, they would say, why should we open our source code? Because it's our intellectual property. So why should I open that? I think that's reasonable resistance and that's understandable. And this kind of friction is expected. But it's kind of based on misunderstandings about adapting open-source culture into our organization stuff. So have you heard of this name, Tim O'Reilly? So that's correct. That's that O'Reilly. So the founder of O'Reilly Media, Safari Books, and so on. So in year 2000, through his email conversation, so he introduced the concept of the inner-source. He brought the open-source style collaboration to the software development industry. But at that time, many companies have already adopted similar approaches to their organizations. So they ran the internal software development process that mimicked the open-source project. In other words, they only borrowed the concept of the open-source project. But that didn't work well because of that kind of resistance. So therefore, the companies adopting those inner-source approach, they actually should have understood about they don't have an obligation to follow the open-source licensing model, like GPL or MIT or whatsoever. In other words, even if their product looked like an open-source project, so they don't have to use the open-source licensing models nor open their organization source code because they are all the intellectual property. Instead, all they need to do is to introduce their open-source culture into their companies and blend this kind of concept into their organizational culture. That's what O'Reilly suggested in his email conversation as inner-source. So what are those open-source culture, by the way? I mentioned these attributes earlier. So these are the ones belong to the open-source cultures. And by achieving these factors, companies will become more transparent and accountable and collaborative. And let's take a look at this example. You might have seen this picture, this illustration, talking about the organization culture of each big tech company. So it was drawn by one of Google's employees on his personal website. And there is a Microsoft. And like the Amazon, where is it? Amazon, Google, Facebook, Apple, and Oracle, and Microsoft. So I'm not going to say anything about the other companies because I have never worked that before. But it caught my attention about Microsoft, what Microsoft used to be back in the day before I joined Microsoft. So everything was top-down. And from the leadership to individual engineers. And each team compete with each other. They even hurt each other. Their collaboration was kind of less than ideal. And transparency between teams was lower than expected. So of course, there must have been some level of collaborations, but that's not in ideal ways. So back in 2014, when Satya becomes the CEO of Microsoft, he told all the engineers in Microsoft like that, let's take an open source project concept for an internal product development process. In other words, any engineer at Microsoft should be able to see the project owned by other teams and even contribute to them at any time. Therefore, all the product development process have adopted this inner-source concept. So they don't have to open their code base to the public because they are all intellectual properties. But they started following the open-source project cultures. And even more, nowadays, many of those products are running as open-source project bases. So those projects now have got huge community base and grow together. And there are many organizations on GitHub. So GitHub has many of the GitHub organizations. And this is one example. So Microsoft hosts the open-source project. This GitHub.com slash Microsoft is one of them. So more than 6,000 projects are running as open-source project. Regardless, they are big or small. And more than 4,000 engineers are involved into this one GitHub organization. Another one. This is another example of GitHub organization run by Microsoft called Azure. So GitHub.com slash Azure. So it hosts more than 2,000 open-source projects. And more than 2,000 engineers have contributed to those open-source projects. And I'm one of them. Let's take a look at this screenshot as well. So it's about Dundant Aspire, which is the container orchestration engine of building cloud-native applications. This is just an example of how Microsoft open-source is their product and communicate with developer communities, not just with employees. So through these issues and PRs, Microsoft shows off a certain feature as a preview or as a part of ongoing maintenance. Then I try to try their feature and give feedback by raising issues or PRs. So from there, both Microsoft and communities start discussion for those improvements. And while Dundant Aspire remains an open-source project, there are other projects that use the same concept or approach, which we call InnoSource. So this documentation project is just an example. So mainly, these documents are maintained by employees. But all the discussions and collaborations are made with this open-source way, which we call InnoSource. So by doing so, anyone can see the discussion how Microsoft delivers their content on learn.microsoft.com. And this is another example, how Microsoft actively uses the InnoSource approach. So instead of doing those discussions on the internal discussion tool like Microsoft Teams, they do all the code reviews and discussions directly on the GitHub repository, which makes those discussions more transparent. You know, these are not just the product or services that I got involved as an engineer. These are like AMD. I'm involved. I participated in those discussions or those projects as an end user perspective or external collaborator perspective. But the concepts are different. I got to influence them with my suggestions and ideas. And even my suggestions and ideas got accepted by the product team. And also, they influenced me with the way I work in those collaborative environments. So how was it possible? Because the product team shares their directions and shows how quickly adapt the community feedback to their product and service improvement. So it's not just about starting to use GitHub repository. The real changes I felt since I joined Microsoft in 2019 are listening to others as colleagues or companions. Respecting others like companions, instead of treating them as competitors. So we all realize that we grow together by helping each other. That's the most fundamental changes by adapting this open source culture as InnoSource culture. So for over the last 10 years, Microsoft has transformed their development culture to the InnoSource. Throughout this journey, Microsoft has learned many things. And one of the learnings is key learnings is sustainability. The open source ecosystem should be healthier enough. Otherwise, the entire software development ecosystem will go bad. So what was the cause that Microsoft changes their mind? Was it because of this RTS declaration in 2014? So let's go back to 20 years ago, which is year 2001. The former CEO Steve Balmore even told that Linux is a cancer, right? But now in 2020, Microsoft has admitted they were wrong about the open source because they found that they learned a lot and they found that how this open source culture has transformed their internal development process. Therefore, from the year 2020, Microsoft started running this website called Open at Microsoft. And in there, we declare community resources like code of conduct, license sharing policies for community contributors, and third party license compliance policies and open source project guidelines. So if you want to see more about the Microsoft approaches to open source, please visit this URL, aka.ms slash open at Microsoft. And even more proactively to support the open source ecosystem, Microsoft has been running the force fund program since 2020. So every month, any employees who have contributed to open source project are eligible to vote to the nominated open source project. Then the project that got the most votes will receive the $10,000 US dollars for a year. So let's move on to my personal experience about Microsoft InnoCess. I've got a few open source projects personally running and one of them was transferred to Microsoft official product. So this is as a function project. It started as an open source project since 2016 and it has become one of the most popular serverless product of Azure cloud landscape. However, until late 2018, it delayed the supporting open API integration which was de facto standard for like an API integration area. So there were a lot of requests to support that feature from the developer communities. But the product team didn't make a commitment when this feature would be available. So I started this project in late 2018 to fill the gap on Azure Functions Service. So this is also an open source project. It initially started my personal end toy project but it was rebranded in 2021 and has become an official Microsoft product. So what this extension does is that it automatically generate the open API document on the fly. And because of this extension, the Azure Functions API will have more improved discoverability by other applications, which is a really important feature in the service integration area and cloud native application development area. Because my extension got a lot of attention from the developer community, the product team and I started discussion for migration in 2020. And finally we completed those transfer in 2021. And right after that migration, it was introduced at build conference as a key component for the service integration. Now this extension marks nearly 8.5 million downloads in total. And this extension is even used for semantic kernel, which is Microsoft's most popular AI agent SDK, which is equivalent to the length chain. No, the breaking is enough. So what's the point of key takeaways while migrating this open source project to Microsoft? In terms of the inner source project, in a source point of view, there are some differences on the open source project policies between individual and organization. On open source project run by individuals have some level of freedom, but less structured. On the other hand, open source project run by organizations has less freedom, but highly structured, right? Both have goods and bad. So I don't say I wouldn't judge which is better for now. What about the sustainability perspective? So one of the most concerns using an open source project run by a few individual is sustainability. So if that open source project is no longer maintained, what will happen? In fact, I've got several open source projects solely run by myself. So if I am busy because of the work, those projects are not maintained for a while until I got some spare time. However, if that project is backed by a team of several people, then there are people other than myself, so these sort of concerns go away. And this is one of the benefits using inner source approach which is integrate ability. So I can easily integrate the features with internal features by getting support from our the product engineers. So if I am from outside, it won't be easier to integrate with these kind of the features with other product and services because of the numerous regions. Another one, this was one of my key learnings. Sometimes a breaking change would be inevitable at some stage, right? And if we meet this situation, we must choose either dropping backward compatibility or keeping it compatible. Because other functions is a platform service is really important to keep the backward compatibility at some stage. Personally, I learned a lot about this backward compatibility like when to support, by when to support, from when to drop, what to drop, what to keep, how to let developers know and so on. So these learnings are based on the organization culture and it was dissolved into our inner source culture. Yeah, so that concludes my talk today. So throughout this session, I discussed how Microsoft adopted the inner source approach to draw their recent innovation. And my personal learnings from that inner source culture to build an internal product and transfer from Opsos to the official product. Yep, that's it from me. Any questions? Right, thanks for listening. So do we have any question from the audience? Okay. That's really good question. So if, as long as it's an open source project, yeah, so if it is an inner source project, that's an internal project, right? And we are running this, that inner source project as an open source way. That doesn't mean we are open that project to the public because they are all the internal Microsoft employees. That depends, that depends because I showed you before, like I'm the, I'm not part of their team, but I contribute them every time. Almost, whenever I use, I found something that I raise an issue and I put, I can change some code base or something like that. Then they review it and if they, is the direction of what they are thinking, they merge it. If it's something different, they ask me to re-write the code or reject based on the discussion, something like that. So it really depends, yeah. I have no idea, I don't have that number, yeah. Thank you for that. Oh yeah, the next one. Yeah, yeah, yeah, yeah. Okay. Thank you. Okay, thanks a lot for coming to the session. I'm Sachin Bhakar, I work for an energy company and I'll be talking about inner source. So Justin, sometime back shared a lot of insights about inner source, but I will be giving more of, let's say, a high level overview in the most simplest form. It's a 15 minute session, so there won't be any deep insights, but just a high level. Okay. So yeah, I have the simplest agenda. We'll start with what is inner source, we'll move to why, and then we'll figure out the how. The how is the difficult part, so we're just gonna see it from a high level overview and just food for thought. How is the food for thought part? So what is inner source? So inner source is, you can say that it's more of a younger sibling of open source, came into existence at a much later point of time, it walks on the same path, it follows most of the same way of open collaboration, open communication, the qualities achieved through a separation of contribution. So it's just, I mean, Justin just said a lot of things, but few of the things that I'm going to repeat is that a lot of collaboration is going to happen within the company, it will imitate how open source cultures drive in the open source ecosystem and we are just going to replicate all that. So inner source is nothing fancy, it's just whatever is happening in the open ecosystem, we are going to replicate the same within our company. So the code will not go out. So that's why there is no requirement of license, there is no requirement of CLA's, all those legal obligations are not required. And that's why inner source can actually accelerate development, can actually improve developer experience. And I'm going to talk a lot about in the how, in the why part. So yeah, I mean, it's 10 years, it came 10 years later. The guidelines are just not really in place for most of the companies. So most of the developers, what they want to do is that they want to publish the code and put into production and get done with it. Documentation is something where developers will shy away from it. So as long as the code is not well documented, others will not be able to contribute to it, others will not be able to understand it and they will just not be able to realize the power of that particular code. There are different inner source principles, the practices that will also lack. And the last part is inner source rarely get support from management, high level middle level management, because they don't see the value. And that's why it's really important to realize the how part. Okay, so now we'll talk about the why part. So most of the companies, and I would say high level management will always listen to consultants or the consultancy companies. So Ate has been talking about it a lot. And as you can see, just follow the, it doesn't look green, but so the green part, this is a Garter hype cycle for software engineering year 2022 and 23. And what they're saying is that inner source is the innovation trigger for software development. And it's really at the beginning of it and it will not take you for the next five years, at least not for the five years. And this is really, I would say, an innovative element for any kind of development project. This is, this one's from McKinsey, another consulting company. They are doing a lot of work in helping other technology companies how they can include their developer experience. So McKinsey is not calling it inner source, McKinsey is calling it as developer experience. And so as you can see this particular chart, developer is in the center of this particular developer experience. So what McKinsey is actually trying to do is that they have realized that inner source is built around the developer, around the requirements of the developer and that's our main subject. It will require reusing existing capabilities, existing code. The developer experience program needs to be evangelized. Everyone should be made aware of it that there exists a certain kind of inner source or developer experience program. There should be a dedicated team for it who's promoting it, who is managing it because without that management, without I would say deciding a flow of developer experience, it will not really work out. And yeah, the last one is decentralization of code contribution. So anyone should be able to contribute it. So if the code is open to anyone, so I mean, those who have worked in large MNCs, you'll realize that most of the code repositories they are kept as private within the team. It is not made available for other people who are not part of the team. And that reduces any kind of contribution that it can get. So that's why it's really important to open the repository at least for all the internal teams. Documentation is the next step. And from there on any kind of conversation that is happening on, as Justin just showed, is that all the conversations were happening on the GitHub page. So anyone who's coming to see the code who has seen the documentation can just follow the conversation and can contribute. So these are the five things that will happen if a company is aiming for developer experience for a good inner source program. It will attract talent, primarily because all the talented individuals wants to do is that they want to work on multiple problems. They just don't want to stick to one project. They don't want to stick to one problem statement. They want to work on different problem statements and want to contribute on different projects also. They will be consistent in quality. So yeah, security and compliance has been mentioned by McKinsey because the code is all internal. So one need not need to be worried about license, whether it's Apache, whether it's GPF, because it's all internal, it's all proprietary. Again, here comes the tricky part in the third statement is that if let's just say if it's a joint venture and the GitHub code company A and B, then there can be certain licensing obligations because in joint venture, there will be an IP agreement which will decide that how the IP will be owned by the two companies. So it can get tricky in case of joint venture, but if it's just one company, it's a solid program. Okay, so the why part should make all the engineers or I would say all the high level management executives should feel like this kid. They should get excited. They should see that, okay, now we have realized the importance of it. How can we actually do it? How can we actually implement it? I would say this is the most important slide of my presentation because this actually talks about how one can implement in a source. So there will be a vision, there will be a strategy and there will be a roadmap on it. So vision will give us, I would say, the highest level of overview why we are doing a certain thing. So we want to leverage code reusability. We want to make sure that no engineer can write a line of code that has already been written within the company. So the code reusability should be maximized. Developer experience should be improved. So no one wants to redo the work. No one wants to reinvent the wheel. If I would say if a project is already available within a company, it should be made available for other teams, other projects. It should be a part of code strategy. So I agree that it will be implemented by engineers but until it doesn't come from a top-down approach, until it's not evangelized by leaders it will really not be a successful part because every engineering team, they listen to their line managers and their line manager listens to or to their skip level managers. So if they are promoting an Innersource program, if they are saying that, okay, you have to document it, you have to make all your repositories open to other engineers, it will be done. So again, in the beginning it will require a push from an upper level management, but later on it can become part of a culture and then it will just happen on its own that it's just going at a very steady pace. The last point is that it will attract talent because any talented developer will get to work on different kind of, different set of problems and that's what they want to do. They just don't want to stick to one problem, stick to one project. Strategy will further, I would say, narrow down the vision to a more, I would say, solid action items. So one of the key feature that is required to implement an Innersource program is to have an Innersource team. So it can be one individual, it can be 10, 15 individual, it will depend on the size of the company. There should be an alignment between research and development, legal and business function. So again, this will be part of the first few conversations that will happen when the Innersource program is introduced, but later on they need not to be in the loop. It's just, it will be just be a conversation between different engineering teams. And the last one is for a, to implement the vision, which will be a part of the strategy is to have frameworks. So it's required to have certain kind of documentation processes is, so again, it can be part of every team's KRA that as soon as they develop the, they create a new repository, it should be public, I mean, at least for internally visible for all the people and the documentation should be in well shape. There was one talk before the lunch, which was about how to make people excited about FOSS. And this, I can't recall the name of the speaker, but he actually compared a FOSS project with the movie title and it actually made sense. Is that when we see a trailer of a movie, we get excited, we get excited because it is, they're telling a story in a way that it will, it will make you excited about the project. In a similar way, all the projects that are created internally, they need to be well documented. There should be, I would say, something to make people excited. And the last one, which is the roadmap, which is like the grass root action items, is that there should be a tool or a dashboard to discover code. Now let's say the in-app source program is in place, teams are actually using it. And if one of the engineer wants to find a project or wants to find a code, how he can do so. I mean, of course, GitHub repositories will let them do so, but if there is a dashboard, if there is a tool in place in action that can actually help them. So this will require further, I would say, next level of automation, where code will be labeled, projects will be labeled with their functions, what the project will do, so that it will be easy for any developer to discover that particular code. The next one is code should be available, which I have been talking about from the beginning, is that no developer should, no project team should keep their code as private. And the last two are, the basics is like if the documentation is well in place, it will be easy to participate for any of the engineer. So what exactly is we are doing here is that we're just making a project accessible to all the engineers within the company. So yeah, I mean, this was, I would say, my session. I tried to keep it very simple, considering the 15-minute slot, there was no point of going into the deep down strategies, but I would be happy to answer if there are any questions. If not, then I think I can keep that. Okay, thanks a lot. So the next presentation is guides, the General and Universal Image Data Evaluation System, a proposal of the emotional assessment platform using random images. Our speaker is Professor Yu Nio. Thank you very much. Thank you for your introduction. Thank you for coming to my session, and I'm very honored to be here in Hanoi. So I'd like to present the guides, the General and Universal Image Data Evaluation System, a kind of emotional assessment platform we developed. Before starting my talk, let me introduce myself briefly. I'm Jun Iyo from Chuo University, Japan. I'm a professor, and also I'm a board member of OSS Association Japan. And before I work for Chuo University, I used to work for Mitsubishi Research Institute, and my major is studies on the interaction between human and computers, human machine interface. Let me start the introduction of our system guides. As you know, not only digital, but also analog images can strong power to convey information with those visual photographs and drawing, painting and so on, enhance daily encounters, convey information and emotions. Therefore, recognize the impact of specific images is very important, and disgusting them from the other image is valuable activities for various applications like marketing, investigation, product design. Of course, for academic research, we conduct it. But the evaluation of the creative expression is a little bit complicated challenge. So therefore, we decided to create such a kind of emotional assessment platform. This is the background of our research. We inspired by outstanding emotional research assessment of emojis conducted by Kuchuzawa and their colleagues, 2022, they conducted some researches of emojis. As you can see, these emojis are analyzed by two, like x-axis is valence and the y-axis is a ruler. Valence means the lyacryphus, valence indicates what emojis you like or if you don't like these emojis, you score the lower valence. And if you like these, if you feel these emojis happy, you mentioned those emojis have high valence. On the other hand, a ruler is a kind of matrix of feeling or the strongness of the impact. That means the high-arouser emojis, strong impact gives the strong impact and we lower-arouser emojis are less powerful to convey some information. So inspired by the studies we conducted, we implemented a prototype of understanding user response to movie posters like this. That system shows six movie posters from a set of hundred movie posters and the participants to survey participants can evaluate their impression by two metrics using these sliders here. This is one of the result of our previous research. You can see high-arouser and lower, I'm sorry, high valence and low-arouser, you cannot see any movie posters. The valence and arouser on the movie posters have several core relations, weak core relations, but as mentioned previously, it's very interesting thing we found that there are no posters who give low-arouser score and high-valence score. That is very impressive result of our previous research. Based on those findings, we enlarged the system titled guides, guides done for general and the universal image evaluation system to accommodate image by incorporating other means to rate the features tailored for those experiments. That means we can create some other experiment rather than movie posters. This session provides a simple overview of the system and emphasizing its capabilities. And I'd like to introduce some planned experimental use case. This is overview of the system. When the participants access the guide server, some list appears like this, this project list have an example project, another sample project and distinction between blah, blah, blah. So if you are a registered user, you can create your own project like this, but participants of survey, we don't require to log in, that means research is open to public. As I mentioned, the system requires user account to create your own research project, but access to the evaluation page doesn't require the login process, that means they are open to public. The evaluation process consists of these four steps. The first step is showing informed consent information and then the system provides introduction to the survey. And the main part is the evaluation process. After that, the results are coming up to the resulting page. Here is the screenshot of providing consent information consent information description like here. Of course, if you are a registered user, you can freely design this message. Also, the response message can configure as you like. If the participant of survey check this checkbox, the start button appears and clicking this start button to proceed by clicking this start button can proceed the survey to the next page. This is the second page. Second page shows the introduction to the assessment. Also, the start evaluation button clicking this button to click this button, proceed the assessment to the evaluation page. The evaluation page is like this. Just like the assessment of movie posters, six images already, previous six images appears, accompanied with two sliders like this. The survey participants can evaluate the impression of each image. Of course, the evaluation scale can be configured by survey owners. These scales ranging from minus 1.0 to plus 1.0, minus 1.0, it means the negative value and the 1.0 is a positive value. After clicking submit button, upon submitting the evaluation, the resulting page appears like this. Resulting page has a scatter plot like this. Red icons show, red icons, I'm sorry, blue icons, blue icons, blue icons implies your choice. That means if you score this on this image, as in, oops, I cannot find this. If you score this image, score here, your choice is coming here. And this image for your choice here and so on. On the other hand, red icons are average of the other user's choice. So you can compare your result and the other's choice. This is the results are compared in a scatter plot. Next I'd like to talk about the administrative functions. As I mentioned, GUIDE is the versatile platform for emotionally assessing user responses to image. Resist that user can create their own experiment. We have some configurable elements like this. Main configurable element is also, of course, target image. And descriptions is also configured as you like, including informed consent message. Of course, the informed consent message can be configured. In addition to the main metrics, like Valence and Arusa, you can configure some other metrics, like this or something like that. In order to create your own experiment, the system requires you to register your account. After the restoration, the portal page appears the project includes a title, description, and description of the information consent and two measurement titles. In addition, the project encompasses a collection of resources, but the system doesn't host their own data. That means you have to put some image themselves on the other platform. This system can only host the URLs. This is a project portal. This screenshot shows just after my, just after I logged in with my own account, user June use my page like here and there you can see there are three projects like this. Of course, you can create a new project by clicking this button and if you like, you can edit the project or discard it. This icon means the launching the survey. If you click the edit icon, project editor comes up like this. So you can configure the name of the project like this or description, consent information, message, and it's a title of two measurement, a user or variance. These words can be changed, can be modified. Image data is like this. You can see several URLs of the target image. Project editor, you can configure some projects by project editor. Project editor can provide description metrics and the rest of image data. Project designer must prepare the image data to be investigated elsewhere, where elsewhere as I mentioned previously. In addition, I'd like to emphasize that putting an image URL is some burden task because if you analyze more than a hundred data, you have to put in the URLs one by one. This is a little bit complicated and burden data, a burden task. So the system allows that the image URL can be configured collectively using an Excel file. If you note the image URL in the Excel file, you can put such files to the system. The system can configure such URLs at one time. Of course, this is an event of open source force. So our guide system is provided as open source software and the source code is hosted by GitHub. If you can use our system, clicking this here and download and configure to your server, this system is using Ruby 3.2.2 and Rails 7.0.8 and Bandra 2.4.15 and SQLite database. For the front end, Bootstrap, jQuery and jQuery UI are used in our system. Configuration, please consult with import.rb in detail. Installation is very simple. You can easily implement guide system on your server by following these three steps, just three steps. Get Chrome from GitHub and Bandra Update and start the server with Rails server commands. Well, do I have time to demonstrate? Five to seven minutes. Okay, this is the assessment page. This is open to public and this doesn't need log in, so an example project and I'd like to check okay to consent form and the start assessment. So some description appears here and I'd like to click start evaluation. So you can never read these six images. If you feel this image gives me high arousal and low valence, low arousal and low valence, high arousal and high valence, low arousal, blah, blah, blah, like this and submit it. So the result comes up like this. Okay, this is a simple demonstration. Let's go back to the explanation. Okay, let me conclude my talk. This session introduced the system for the emotional evaluation system entitled guides. Guides stands for general and universal image data evaluation system and it's a reason in the research focusing of user response to movie posters. The novel system guides allows registered user to create your own experimental project using an open evaluation processes, comprising information content, introduction, evaluation and the result page. The final issue is feature work. We research team now planning to conduct several experiments like this. Sensitivity evaluation to distinguish between human-created image and machine-created image, machine-generated image, that means as you know, AI-generated image, for example, stable diffusion something like that. So we have to figure out whether we can figure out such images or not. Or the other student is considering to evaluate fashion item for fashion ability and like abilities, focusing on understanding preference across different age groups. These are very interesting project. Okay, that's it, thank you for your attention. Firstly, I would like to apologize to English speaker here. I would like to present my slide by Vietnamese for better understanding for other people. So sorry. Chắc hẳn là mọi người đều nghe nói tại vì từ hai hôm nay chúng ta nói rất nhiều đến câu chuyện phần nguyên quân mở, công nghệ mở và tương đối nhiều các thứ lại thứ mở khác nhau. Thì ở đây, chúng ta phải nhớ là cái cộng đồng phần nguyên quân mở Việt Nam đã hình thành và triển được hơn 20 năm nay rồi. Và mình ở đây, mình cũng đã có gần 30 năm làm việc trong những thứ hỗ động này về các thứ mở. Thì mình muốn chia sẻ với các bạn một bài rất là bây dịch, mặc dù rất là bây dịch, nhưng mà mình nghĩ là luôn luôn cần cho tất cả đặc biệt là các bạn trẻ, các bạn sinh viên là về cái hệ thống dế phép mở, open licensing. Tại vì phần nguyên quân mở thì mình nhấn mạnh một cái điểm đầu tiên để mọi người lưu ý là gọi là phần nguyên quân mở, gọi là những cái hứa công nghệ mở nói chung thì không phải là cái gì thích làm gì làm, mở, không có nghĩa là thích làm gì làm, mà mở nó có những hệ thống, quy tắc, nó chỉ khác. Các cái thứ quần đóng là nó hướng đến câu chuyện là mở cho mọi người. Nhưng mà nó có những cái quy tắc mà khi chúng ta sử dụng một quần mở để chúng ta sây dựng những cái hệ thống, những cái sản phẩm chúng ta, hoặc là công nghệ mở, thiết kế mở, rồi rất nhiều cái thứ mở khác, tới các bạn sẽ được tiếp cận, thì nó đều có cái quy tắc chung hết. Ở đây, tôi chỉ muốn tập trung vào cái thứ đầu tiên và cái thứ rất là sơ khai có từ nhiều chục năm nay đấy là phần nguyên mở đã. Còn những cái thứ liên quan đến các thứ mở khác nữa, thì các bạn chắc là còn phải tìm hiểu nhiều nữa các bạn. Nếu các bạn muốn tìm hiểu chuyên sâu về khoa mở, tài nguyên giống mở, thì ở đây có anh Lê Trung nghĩa là một người rất là nghiên cứu rất là chuyên sâu về các câu chuyện về mở. Nói chung, anh có một cái block riêng về nguồn mở, về tất cả những thứ mở, Open Science, Open Educational Resources. Tất cả những câu chuyện đấy là chúng ta sẽ tìm hiểu dần trong cái bài hôm nay tôi muốn đi qua dân hành thôi. Thế nhất là các hệ thống về giấy phép mở. Quán điểm về thế giới của nguồn mở thì thôi chắc là vì trong khuôn khổ là cái cái sự kiện này tôi chỉ có bài nói 15 phút và tôi cũng vừa giấy thiệu các hệ thống về giấy phép tay lỡ mở và mình quan. Quán điểm thì phân nguồn mở có rất nhiều quán điểm nổi tiếng, nhưng mà chúng ta có 10 quán điểm mà nổi tiếng nhất tôi chia sẻ trong bài của tôi thì tôi sẽ cố gắng lứt qua nhanh thôi và bạn có thể xem lại cái bài này trong kỷ yếu của nổi tiếng. Thế con, các hệ thống về giấy phép mở thì các phân nguồn mở có giấy phép nhưng giấy phép của nó hướng đến những câu chuyện là là mở và giấy phép, hệ thống giấy phép của nguồn mở thì nó chia thành 2 cái nhóm mà được 2 tổ chức lớn trên thế giới họ họ đồng ý đấy là Free Solution and Open Source Initiative hầu hết các giấy phép chính như thế giới đều được 2 cái tổ chức áp rút cả còn 1 số giấy phép thì chỉ được FS hoặc là 1 số giấy phép chỉ được OSI áp rút thôi nhưng mà hầu hết là đều được cả 2 tổ chức áp rút cả thì những giấy phép đấy là được 2 tổ chức này bảo vệ trên khắp thế giới và nếu các bạn làm 1 cái phân nguồn mở các bạn quyết định là phát hành theo 1 giấy phép do thì các luật sư của Free Solution sẽ đứng ra bảo vệ cho những phân nguồn mở các bạn để những cái cá nhân khác những cái tổ chức này là không thể vi phạm cái giấy phép đấy của các bạn ngược lại là các bạn nhìn thấy 1 cái phân nguồn mở mà nó đã được phát hành giữa 1 giấy phép của các tổ chức này đưa ra thì các bạn cũng sẽ cần phải đọc và tôn thủ theo cái giấy phép đấy nếu các bạn nói đến 1 số loại giấy phép tôi sẽ nói dần từng gái bí dụ như cái loại giấy phép mà các bạn nghe nhiều nhất là cái GBL này đúng không GBL General Public License chắc là nếu như nguyên cứu và nguồn mở thì đây là 1 trong giấy phép mà phổ biến nhất 1 trong những cái phổ biến nhất bây giờ yêu cầu là người sử dụng là cấm cũng được làm việc A cấm cũng được làm việc B cấm cũng được làm việc C thì giấy phép 1 nguồn mở nó làm ngược lại trong nên nó sẽ khi cho phép 1 người sử dụng được làm những cái gì và yêu cầu là người sử dụng là và ngay cả người phát triển khi mà đã phát hành 1 nguồn mở theo cái giấy phép đấy người sử dụng là được gbl là được 4 cái quyền tự do tự do sử dụng khi bạn thấy 1 cái phần mềm nó được phát hành theo giấy phép gbl yên tâm là các bạn lấy dụng mái chảy cấm mình nói được ghi là tự do sử dụng tự do phân phối cầm cái phần mềm copy cho người khác nếu như phần mềm sử dụng quyền thì không được ghi thế mua 1 phần mềm sử dụng trong giấy phép nó ghi là các bạn không được ghi cho ai cả thậm chí còn strictly đến đoạn là các bạn chỉ được dùng trong 1 cái máy tinh đấy đâu nếu mà máy bên cạnh các bạn mua cái máy khác có thể các bạn phải mua 1 phim bảng mỡ chứ không hề là được dùng không được phân bối cái thứ 3 là tự do sử dụng các bạn nhìn thấy 1 cái phần mềm được phát hành theo giấy phép gbl yên tâm là các bạn lấy không ai hạn chế các bạn quyền sửa nó và cuối cùng là tự do phân bối lại bản sửa đổi nhé sửa xong rồi các bạn có thể phát cho người khác được phát cái bản origin rồi nhưng mà phát luôn cả bản sửa đổi được thoải mái thì tất cả những quyền tự do là giấy phép mở nó sẽ quy định những cái chuyện là các bạn được làm gì chứ không phải là quy định cấm các bạn làm gì tất nhiên hệ thống giấy phép mở như tôi vừa có trên slide có khoảng 7-10 loại giấy phép mà được FreeSock Variation hoặc là OpenShot Initiative Upgroup thì nó là 1 cái mơ rất dài ròng và câu chuyện chúng ta chỉ cần nhớ 1 vài loại giấy phép chính và chúng ta khi làm chúng ta có thể làm theo giấy phép đấy tôi có 1 vài anh bạn ngoài kia ồ, thì các anh là Olyovic các anh nghĩ phát hành giấy phép của anh theo giấy phép là AGBL là 1 cái thứ còn mở hơn cả cái AGBL này luôn AGBL là Afro cái đấy nó còn yêu cầu 1 cái thứ là nếu các bạn mà đã mang cái phần mềm các bạn Billion Cloud thì nó cũng phải là mở đấy, tôi chỉ nói đến mở thôi nhé miễn phí như kiểu là có 1 cái Libia trong tay uống là câu chuyện khác hẳn nhé Free trong cái thuật FreeSock Variation nó là tự do chứ phải FreeSock Variation là phần mềm miễn phí nhé ok vừa rồi tôi nói đến GPL thì bây giờ chúng ta phải nói đến 1 cái giấy phép khác GPL là đại diện cho cái giấy phép mạnh còn đại diện cho 1 cái dòng giấy phép khác là giấy phép dễ dãi là giấy phép BSD hoặc là MIT thì cái giấy phép này nó như này, tức là nó nó trao quyền tự do đến cho lập trình viên còn giấy phép trao dòng mạnh trao quyền tự do đến cho người dụng trao quyền tự do là lập trình viên nghĩa sao 1 trong những cái phần mềm nổi tiếng nhất được dùng dộng dãi nhất theo giấy phép BSD các bạn biết có thể trong hồng này các bạn sẽ đang dùng iOS iOS là phát triển dựa trên 1 cái phần mềm mà theo giấy phép BSD gốc của nó là 1 cái phần mềm theo giấy phép BSD và nó trao quyền cho người lập trình viên khi bạn thấy 1 cái phần mềm để khoát hành theo giấy phép BSD bạn có quyền cầm 1 cái phần mềm bạn sửa thoải mái đóng lại bạn không mở nữa thế nhưng mà giấy phép BSD nó yêu cầu là bạn phải công nhận là tôi dựa trên cái phần mềm gốc là gì, tên dắt gốc là gì thì giấy phép này dễ dại nó trao quyền cho lập trình viên nhưng không có nghĩa là nó hoàn toàn muốn làm gì làm nếu bạn đã sửa 1 mềm thì bạn phải ghi công tác giả tác giả nó chỉ cần mỗi ghi công nó không cần giữ cái gì cả thì iOS là được dựa trên 1 số thứ NetBSD VDBSD 1 số phần mềm có tên dựa đây giấy phép mạnh có 1 kiểu bạn có thể phân vối 1 mềm của chính bạn giấy phép này là ai quyết định là người tác giả đầu tiên của cái mềm đấy ví dụ tôi viết rồng cốt đầu tiên tôi bảo là cái phần mềm của tôi tên là tốn nhạc hạn tôi bảo là tôi sẽ phát hạn phần mềm tốn ví dụ GBL đấy tôi là người quyết định ai là người tác giả phần mềm gốc đầu tiên thì người quyết định là sẽ phát hành phần mềm theo giấy phép nào và tất cả những người sau đấy thì có tên dựa theo thôi nếu các bạn thấy phần mềm của tôi tốt các bạn muốn sử dụng nó thì các bạn phải đọc giấy phép mà tôi đang đưa ra GBL hay BSD hay MIT hay bất kỳ điều gì mà tôi đưa ra thì các bạn tên dựa theo nó các bạn sẽ được dùng của bạn không tên dựa theo nó là tôi sẽ tước quyền của bạn hết trong giấy phép của tôi sẽ ghi là nếu các bạn không tên dựa theo giấy phép này thì các bạn tự động bị tước hết tất cả quyền nhóm giấy phép thì tôi có quyền tuyên bố là tôi phát hành phần mềm của tôi dưới 2,3,2,5 giấy phép khi tôi nói tác giả chính tôi muốn làm gì làm thì tôi có thể đưa license hoặc stripper license thì có thể mix nhiều giấy phép với nhau thế thì ở đây tôi chia sẻ các bạn thêm 1 cái nước ớt để cho các bạn hình dung là trong câu chuyện phần mềm ngôn mở ở trên đời thì nó có cái 1 cái quan trọng đấy là tác liệu mở khi bạn mà có trong tay 1 cái tác liệu trong tay các bạn phải đọc xem là người ta cho phép các bạn làm cái gì trên đấy thì nó có 1 cái thứ các bạn nhìn vào đây các bạn cầm cái tác liệu để tôi sử dụng như thế nào là nó được quy định trong giấy phép phát hành đúng cái slide này thế thì trong giấy phép Creative Commons nó chia thành thành các câu độ khác nhau từ hạn chế rất ít muốn làm gì làm ở public domain này đến hạn chế nhiều nhất online reserve như kiểu mấy ông sửa được quyền dưới là 1 giả ai giả thì trong đấy nó có hoặc là tôi yêu cầu các bạn là vừa ghi công lại vừa phải phải xe cho mọi người giống như tôi, giống như bản gốc tôi yêu cầu là vừa ghi công mà lại vừa là không được đem đi kinh doanh đem nội dung này của tôi đi kinh doanh vừa ghi công, vừa không được kinh doanh lại vừa sale live là nó có 6 các độ khác nhau thì khi tôi là người biết da đầu tiên cái nội dung này tôi có quyền là tôi sẽ biết nội dung này dưới cái giấy phép nào thế nhưng mà nếu tôi là người đi lấy thực tế mà nói tôi lấy rất nhiều nội dung này của các siêu nhân trên đời dưới không phải tôi tự nghĩ ra được hết thì trong đấy sẽ có 1 siêu nhân mà tôi vừa giấy được đầu tiên là anh nghĩ anh nghĩ có rất nhiều nội dung này và khi mà anh nghĩ đã yêu cầu là CC3SA rồi thì cái tài liệu này của tôi là anh nghĩ anh sẽ tức ngay cái quyền của tôi lập tức tại thời điểm bây giờ tất cả những cái câu chuyện này các bạn cũng tắm lại khi các bạn tiếp cận với cả phần mềm dung mở này tài liệu mở này tài nguyên giống mở này khoa hộng mở này có nghệ mở này thích cái mở vào hâm và lăng rất nhiều thứ mở trên đời này mở vào cái phần mề này bây giờ là xu hướng chung thì các bạn luôn luôn sẽ kèm theo 1 cái tài sản mở đấy thì nó kèm theo 1 cái bộ giấy phép đi kèm tuyên bố là người cầm cái tài sản mở đấy được quyền làm những gì khi các bạn sử dụng phần nguyên mở để các bạn phát triển sản mở của mình cố gắng là các bạn tân thủ được đúng cái quy định mà tác giả gốc người ta yêu cầu còn khi các bạn là tác giả gốc các bạn được viết 1 cái phần mềm từ những sòng cốt đầu tiên thì các bạn tự do là các bạn quy định xem là cái sản phẩm đấy các bạn là theo dế phép nào, phát hành cho dế phép nào để cho cả thế giới được dùng như nào phải má các bạn là tác giả gốc đầu tiên khi mà mình là tác giả gốc đầu tiên mình tự quy định của mình thì tôi cũng rất là khuyên khích các bạn hãy phát hành theo dế phát mở tại vì trải nghiệm của tôi hơn 20 năm nay khi đi làm tất cả các thứ trên đời về IT thì tôi thấy nếu làm theo phức mát mở thì những cái đóng gốc của mình có thể mới đầu mình bật lên chỉ là mà hạt cắt thôi các bạn English maker là được nói tiếng Việt và rất mong là chia sẻ tiếp rất nhiều các cái chủ đề này với các bạn sinh viên và những người đang làm trong ngành IT tờ xin hết ạ thật ra là nó không hẳn có 1 cái live show nào cái nhất tại vì mình phải đi theo người ta để mình làm mình có 2 lợi chọn 1 là mình lấy 1 giá nguồn mở ra làm ra mình có 1 giá nguồn mở mới thế thì cái thứ ghét nhất của anh ấy nó là cái thứ mà nó lại nửa nạc nửa mỡ ví dụ nhé anh lấy ví dụ luôn anh đi anh tham gia vào 1 cái giá nguồn mở tên là Zimbra từ những ngày đầu tiên 2004 thì hồi đấy nó là cái live show này không được FSF OSI upgroup trong nên nó quy định nhiều thứ sau đấy thì cái dự án này nó sợ quá, nó bị nhiều người đẩy chai và đối quá rồi nó phải dẹp cái live show live show này nó quay sang live show ZBL và khi nó chuyển vát là bao nhiêu người đồng góp vào lao vào đông đủ còn lúc trước là sau đấy thì nó lại xoay xoay xoay thì dần dần nói chung cộng đồng thế giới nó nhanh ví dụ như là MySQL định đóng vát là MariaDB mọc ra ngay liberal office lại mọc ra show open office thậm chí bây giờ có only office ở ngoài kia ví dụ thế rất nhiều chứ nguồn mở nó nó là 1 cái thứ mà sít ban mở nguồn mở là cái căn mệnh uống thư bởi vì nó ghi căn nhanh quá, nó đẻ ra nhanh quá nếu như ông đóng ở chỗ này thì nó phòi ra chỗ khác và không thể cản được cái dòng chảy và không thể cản được cái của kênh mạng nguồn mở bây giờ thực tế mà nói nguồn mở đã everywhere không cần phải bàn, cơ chuyện là có lưng được nguồn mở hay không sít bay mọi người hết sợ rồi thank you very much hi everyone welcome to my talk for FOSS Asia Summit 2024 and today I'll be talking about the primer on open source licensing before I start I would like to introduce myself I'm Shubhendra and I work as a developer advocate at cash repayments cash repayments is India's one of the leading payments and api banking company and I'm also a Mosulay repents data when I help local tech communities and local tech communities to contribute to Mosulay and open source and I have been a get up campus expert I also curate the newsletter for open source called OSS by dot dev so today I'm going to talk about why choose an open source license why do we use a license and what is the value of that and what are open source licenses what they are what do they mean and what impact they have on open source project and finally how to choose the right open source license so the right is in double quotes there because it is not going to be same for everybody now the caveat of all of this is that I am not a lawyer and why mentioning this is important because intellectual property has a intellectual property is a big deal and the license that you choose for a project has a big impact on that so the information that I am going to give you while it is going to be informative and helpful for choosing a project so if you are ever in a legal dispute you can't just talk about this one guy you met at force asia told you about this it's just not going to fly out so I am not a lawyer I am just a helpful developer to all other developers now the other important statement I want to make to set this presentation all up is that code is art and I don't mean it because I am a developer who writes code and loves staring at the algorithms I mean it from the legal perspective all the code you write is considered as a creative work it's the same thing as writing a book, producing a song or producing a painting so when you write a piece of code it's considered as an artistic piece of work and and this is important to know because just like you produce a song or write a book you own on it what's known as copyright so the same thing is with all the code that you write as soon as you write the line of code you are the copyright owner you are the sole owner of that property well what is copyright it actually goes back to the saying that you are the owner and only you have the right to produce the copies and distribute the copies of your work so in terms of software what this means is that let's say you write the code and the moment you write the code it's yours so you have the copyright and you are the sole owner so you have the right to say to person A and B to use your code in their project in whatever means they want to do but person A can't go to people and give away your code for using or distributing it they will have to come back to you and because you are the copyright owner of your work so copyright protects your legal right to control who can distribute and alter your software now that's great and it may be useful in some cases but in other cases in the world today it may not be useful because what copyright also does as it comes with limitations so such as when you write code it is automatically copyrighted only you get to define how it is going to be used so let's say for the sake of this presentation you wrote a software for GPS navigation and what if that software could be used for autonomous vehicles and what if it could be applied to rocket ships that could self land like spaces spacex if you are not thinking of these use cases while writing your software then you are probably not helping solving these problems and it's going to be used for only one thing that you are going to define it for also when your code is copyrighted only you get to add improvements to it so again we have a software for GPS navigation and let's say you want to add a GUI on top of it and you can make improvements or you can add more code to it because you are the copyright holder but let's say someone else were to come along and say hey I was using this software and I think this will be a great improvement to your software they really can't contribute to it that's unfortunate because you are the copyright owner of your work and the code that they will write they will be the copyright owner of their code so there is this whole gray area so if you put their copyrighted code in your copyrighted code then who wants the copyright so that's how legal disputes happen so with this idea of being copyrighted code or using it or making it open source I always go back to this one question as developers we need to ask for ourselves like why do we write software most of you are going to agree with what I am going to say now so we came up with an idea that there is a problem in the world and we want to fix it or make it better so we write software as developers to fix the world's problem and that's great but we only have so much insight into the world and the problem that they have so by open sourcing our software we make our software available to the world they can contribute or improve it so we can say that hey I produced this software which is fixing this problem or improving it and after making it open source the rest of the world can say oh yeah this is how you can improve it so it actually allows us to build the software that changes the world and opens it up to everybody now I want to talk a little bit about what open source means so there is this idea that open source means software is free no just because you open source your software doesn't mean it has to be given away for free then you can open source your software and still make money out of it tons of companies do it open source means inviting others to contribute to your code and improve on it and this is why I will get into why we should use open source licenses that you can protect your intellectual property and which is the creative work or code that you write now let's talk about the licenses in general licenses comes with the rights and obligations rights are the things that a person is allowed to do and obligations are the things that person should follow while using your software now what is open source license open source license basically dictates the terms and conditions that comes with the use of open source software basically the rights and obligations it serves as a legal agreement between the author of the open source and the user of the open source software so author makes the open source software available with certain guidelines that the user must follow but what if I don't apply an open source license in that case whoever contributes to your project be it code content or graphics whether it is a minor contribution that contributor becomes the exclusive copyright holder of their work and nobody can use or modify their code or content and that nobody includes you and open source license should allow the software to be freely used, modified or distributed by establishing certain guidelines and these guidelines are rights and obligations and if it is not there then it's not really open source so there's this misunderstanding among new developers that if they just release their project on github then it becomes open source, no github gives us an option to like make our project public or private but just simply releasing your project publicly on github is not same as licensing your project if you want others to use modify, distribute or contribute to your project then you should include a right license in your project so there are a lot of licenses available and these are the most commonly used licenses that are used by popular open source projects if you are starting from the blankscape MIT it's hard to go wrong with the MIT license so it's very short easy to understand and allows anyone to do anything with the project as long as they are keeping the copy of license and your copyright notice so if you use MIT you are also allowed to change the license in future if you ever need to do Apache 2.0 and GPLv3 are the other popular licenses but there are other options to choose from you can find the full text of this licenses and instructions how to use them on choosealicense.com so till now we have these licenses for code but what if the creative content is not code but graphics or a video so there is this organization called Creative Commons they provide a suit of licenses for such creative work YouTube, Wikipedia, Wikimedia Bimeo they use licenses from Creative Commons so Creative Commons also provide a license chooser you can visit this website and choose a license for your creative work if it's not code so to conclude if you ever need to make your project an open source you will need to add an open source license on your project luckily there is an organization called open source initiative and they have been around since 1998 all they do is like evaluate open source licenses and approve or deny them there are around 200 open source licenses and 100 of them are approved by open source initiative so you can check them out at opensource.org slash licenses now finally I can't for your project but I can definitely tell you the guidelines that you can follow to select the right license for your open source project first and foremost use the license approved by OSI open source initiative second read the license before you use it so this can be a hard one because they are all the licenses are written in and none of us are lawyers so there's a fun website called tldrlegal.com you can just visit that website select a license and all the licenses terms and condition are written in basic English terms so you can quickly have a glance at what that license provides and most important thing do not change your license once released and this is for as per version of your software let's say you released version 1 of your software with some big license and then in future you want to choose you want to have more control over your license or software then you decide to change the license then you cannot do it on version 1 of your software you need to release another version maybe v2 and then only you can change the license on it and this is why because when you open source your software it is assumed that someone has already already copied or made some changes to your project that has initial license on it so with that it ends I hope you enjoyed my talk and feel free to ask any questions if you have any related to open source or open source licensing and you guys can visit my website at tldrlegal.com anyone has any questions? okay yeah I found a lot of projects on github that have like copy left license so I want to ask what is the difference between the copy right license and the copy left license that's a good question open source licenses are basically divided into two permissive and copy left so copy left basically arrived from the copyright like it's the opposite of copyright so what permissive licenses does allows the user of your software to use whatever license they want like let's say you create a software with MIT license right I want to use another license on my project that is the fourth of your project so I can use if I'm like you're using permissive license but if you're using copy left license is on your project I can't use there are certain guidelines that I have to follow including the license that you have already put up on your project so it's I mean you'll have to go into deep like what are the differences between copy left and permissive but that's the difference between them thank you thank you very much so our next presenter actually it's not on the agenda but our next presenter is Dan and then we'll be talking like from Python to Golang right that's it okay so if you are interested in the topic feel free to stay Nero hi guys Daniel here so I mentioned about why in universities often Python is taught and then there are better opportunities here for something maybe that can be used in production all right so Python has like a history since about 2000 and one of the kind of key things is it's been like widely used it's available for easy download and of course comes installed in most distros so it is of course very widely used also it's well documented one of the key things is like it's actually has excellent documentation meaning that it's easy to understand and of course employ it's of course fairly easy to use there are a few ways of doing things which actually makes things really really easy understanding of course and using it unlike Perl by example it's also a memory safe language so there isn't any security issues with like using data after being freed so has like a bunch of benefits to it also there are some issues as well with that so it's in production at large scale it often has like large memory usage so that leads to like out of memory crashing on your like hosting or any containers also it's not so efficient with a CPU usage mainly because it's JIT compiled and so it's kind of doing like very quick a compilation step so it can't be as heavily optimized also many of you probably also experience issues with versioning dependencies this of course is like a kind of major problem these days one solution is to have either a Python environment which is like a kind of copy of all libraries or some vendors ship the whole Python release as well mainly for like ensuring no issues or compatibility problems also so it's types are inferred at runtime you can change like any type of any variable that of course creates problems with compilation and also verification so there are some problems which that introduces making it kind of easier so I'd say that Python is like an excellent learning tool but also in production say in cloud services it could be like a bad choice how do we therefore we define an excellent choice so what goals do we have which help us navigate which choice which language is an excellent choice so I'd say there are like five areas here we have of course developers here so also perhaps people who would use the APIs languages and other language mechanisms of course is it well documented are there any possible security issues also support from the actual language itself so of course some languages have less support than others also going forward is there any API guarantees so in like say 10 years if you compile your will it compile so these are some of these elements which we should evaluate for a certain language fortunately one of the more recent languages Golang that's now about 12 years old it actually has a lot of these benefits what I'll do is I'll run through some examples so you can see fairly easily what you can do with Golang I'd say that it's also designed with like a network like cloud connectivity and like repos and APIs in mind okay so how do you run things in parallel in Golang so as you can see this operator here called go is you can actually add that in front of a function call and then it'll actually run separate from any code execution here so in program order you'd see that hello is called before worlds of course we'd expect hello worlds as the output but then when you actually run it it's of course in the reverse because hello is called in parallel with like worlds and actually so executes later on so what you can do is you can scan the qr code and then you can also run the code yourself so these are like routines are called go routines they actually are like scheduled on to be like a processor cause so it's like a kind of very efficient means of like scheduling thousands or up to like millions of like small functions or calls that could be useful like say for like a processing like requests or like work units at scale okay next up we have how do you use the modules and go actually all you have to do is reference the actual repo here so you'll in this example you'll just simply mention this package called like go figure on github and then then you can actually use this directly in the code and so here what we do here is we then instantiate like a kind of object called go figure and then we are like passing strings here and then we call the function on that print so when you build this with the command go builds or go run it'll fetch that package and also any packages that one uses as well so it's like very efficient very easy so when you go run main.go you will have the output once again you can scan the qr code and then you can see the actual example so it's very very simple actually with of course this you can actually you can build big projects very fast okay so you have some code that you want to test now obviously unit tests are very important it's also very easy overlooking like adding tests as you actually write code so in this case we're looking at like factorials here so factorial is the sum of all integers from the value that you pass so how can we add a test for this so you simply add a file with underscore test so fix there and then you have a prefix here test before the function and then what you can do is simply type go test and it'll compile this unit test here and execute all unit tests in this case the test runs all good but then actually finds that the value we expect is not correct and that's because we should be including the last the top value in the loop should be less than or equals to so actually really useful you can have hundreds of tests they can run either in series or in parallel you can annotate them okay so say you want to fetch a resource from the internet so this in fact illustrates some of the power of go so in this case we want to fetch a kind of joke string from an API what we do is we have this HTTPS link here and then simply this code actually is very simple it will generate a HTTP request a HTTP get of course it performs all the handshaking with SSL so everything is checked and secure and then it will pass the JSON into a struct here defined which has the JSON elements at that point it then here what we do this struct here actually has like two elements so we can actually define a function based on that struct so it's kind of like OOP it's kind of like a class almost and then you can literally just call print on that struct and it will then call this function here so yeah we of course run this with one command and then it fetches the object the JSON passes it and prints it out so actually very very efficient something else here worth noting is you can return multiple arguments so in C you can only return one it's really painful if you're writing more complex code here there isn't any limit also it's worth noting that here we haven't defined any classes or any object orientation so it's implied by having a function here which takes a point to a struct so it makes very efficient for writing code so how do you interop with libraries that are already existing that's actually like really important as an example you have maybe a database library you want to use it in Go actually very easy you add a comment actually this should be commented sorry sorry here in like here may not go you add a comment for the header file and then import this C Go library at that point then you can just call C.hello in this case and then it will call this this function here compiled in this code so actually great I have a time for here anyway so the important thing here is you can integrate it with existing libraries very easily so you can also use it in old projects unlike newer projects equally easily this is something which are like many languages like Python it's always been a little bit harder and here is a list of all like many of the features in the language so just a quick tour of them so if you want to install like a tool or like binary you can actually just type install and then the path to like GitHub and then at the end latest or a version string like which is tagged in Git and then it'll fetch it it will then compile it and any dependencies and then it'll be installed into your like app-indirectory very very easily it supports fuzzing so very important for security so you can you can actually automatically fuzz your functions and of course find any any edge cases corner cases which may crash your code of course earlier we showed unit testing it also all your adepts are built in into the binary so what you ship is everything self-contained no additional files no versioning and then you can then you can capture the shower of that and then verify that is the complete binary with all the depths so easier to handle also say if you want to compile on like ARM or something like that you can just add the prefix go arch equals ARM64 or one of the other architectures and you can easily cross-compile some other notable things here is any unused variables or like type mismatches will fail compilation that's good because it will it will save you time later and it'll reduce the technical debt actually the rest I think you can research yourselves and it's actually very rich set of features here so in summary I think Python is very good it's a very easy entry point into programming but then I think those skills may not be useful in production at scale so there could be other opportunities go along certainly is one of them many are like large projects now use that and also are like many cloud services like grab for example all that all the infra is written in go there are some some issues here also so I'd say that yeah Python's versioning can be a problem so it has like definitely limits but then also there they actually have a lot of support there of course I like go is there only 12 years old so has much fewer projects out there but is moving fast other opportunities could be rest but then rest is also like very recent as well also changing and an evolving of the time but problem is it's actually quite complex so maybe something which is harder teaching a university and maybe it isn't as productive perhaps so I'd say it's an excellent it's definitely worthwhile looking into go thank you any questions so I want to introduce myself first so I come from Java background so you know that in Java we have like a lot of libraries a lot of dependencies right and I want to ask your opinions about biggest limitations in go ecosystem that you like found out so far in your coding adventures yeah so he asked if what are the biggest limitations in the go community or like go generally what are the biggest limitations compared say with Java I'd say that go is only 12 years old so it isn't as mature and so there are fewer projects out there than in Java or like Python but then it's moving fast so in like further like five or like 10 years there'll be a lot of traction a lot of like much bigger ecosystem it's actually growing rapidly so it's worth it's definitely worth evaluating it's also maybe lighter ways I think than Java and it might be also like somewhat faster I think in execution speed is that answering the question so I mean that do you encounter any problem in finding for example a library in go that is like not working or like much your expectation kind of that so do you have that kind of experience when developing in go yeah so the question is any issues that you found using go actually in practice, answer is yes what you find is as I say there may be projects which or like libraries which are out there which do exactly what you need so sometimes you have to modify existing ones or you have to kind of write your own like say impact probably there are libraries for everything so on the other hand though it's very very easy to then compose projects with other libraries so you can reuse code like super efficiently in go and so I think that's changing and there is definitely a lot more support than there used to be any more questions okay thank you thank you all for joining the session the next presentation will be at four so we have like ten more minutes go okay hello again everyone so our next presenter is Roland Turner Roland will be talking about open source communities as reminder men, better FOSCO existence with hyperscalers thank you alright that'll do alright good afternoon this is a talk that I decided to do last year after this happened it's like yet another VC funded company has hired all of the developers for an open source project and then suddenly switched to a non open source license this has happened a number of times it happened again last month with Rediff it's like okay surely there's a point where we can make this mistake again and again and again what inspired me to talk about it however was reading the license that HashiCorp used they did something I didn't expect and hadn't seen before firstly the basic grant license was for non production use so this is a typical you can still have access to the source but you're not allowed to use it in any commercially useful or economically useful way source available, not open source secondly they thought it was interesting they were fairly specific about what you can use in a production as long as you're not competing with HashiCorp's paid version of the licensed work it's a reasonably narrow exclusion it's narrower for example than MongoDB used several years ago and I thought okay not terrible, not great not open source but they're doing the right thing they later revised it and they went one step further and did something I've never seen before and that was said that whether or not the thing is competitive is determined at the point where you took the license not how HashiCorp's business changed later for corporations who are embodying this into some sort of product a database engine typically this is one of the major risk areas for the don't compete with us licenses of the kind that elastic and MongoDB have used that what you're agreeing is to not do something that's competitive with the grantor but you don't know what how the grantor's business will evolve over the next several years so what HashiCorp did in the revised version of their license was also said if our business changes after you take the code and we're there for indirect competition that's fine your license is still valid you don't get licenses for newer versions but you don't suddenly lose the right to use the code that you've embedded just because we changed our business this is pretty impressive it's not open source if you're looking for a way to sort of do the minimum damage possible they're fairly good choices but then I noticed something else that wasn't mentioned in their press release this is actually coming come from MariaDB but they used it as is and it's that there's a fallback option built into the license this is not optional this is not a promise about something they'll do in the future it's a perfected grant today that says that you get full rights under some of the license in this case MPL2 which is four dates from the date of the release it's not if we make a lease or if we get around to it it's a complete grant already as a risk management measure for a company that might be looking to embed this into some other product this is also important this means that if HashiCorp as an organisation fails which anything up to 90% of VC funded companies do then it's not often you end up with the work where no one sees it again it automatically falls back into open source several years into the future that might be a long period of time but four years into the future is better than never I noticed however when I saw this hang on I've seen this before this idea comes up in a completely separate area of law that's unrelated to copyright and that's estate law it's used typically if someone comes in a lot of money and wants to look after their family members without anything spoiling them so instead of handing the nieces and nephews a pile of cash instead buy them a house and provide them with a life interest they can't spend it they can't mortgage it to lenders because after they die it then goes to some other named party this has been used in estate law for centuries as part of stabilising family fortunes so it's quite a well-tested area of law I was thinking about explaining how this works but when I got into detail it's complicated, tedious and doesn't actually teach us very much other than to say that it is a well understood approach and so it's turning up in open source licensing is interesting the other thing that I discovered after proposing the talk was that the Creative Commons group had already looked at this several years ago their brief is a bit different they're not interested in software authors of books or lyrics for songs or performances of songs they were typically looking at much longer terms 14 years for one project they built and they were especially interested in what happens when the author dies so it's not quite the same problem as the business software license solves in particular they were looking at three different in this case one about a license that springs into effect one that springs into effect after a work has recouped it's creating this is like the street to perform a protocol but saying we'll publish the work I have a flat battery and then we'll publish it on an open license once we've made enough money and then finally the idea that I'm talking about which is a fixed period of time the problem that Creative Commons picked up for two of the three cases that they were studying is that these require an organisation they require someone to keep track of whether or not the person's alive that's not as easy as it sounds for a global project and certainly evaluating whether the costs have been recouped and therefore triggering the transition to open requires okay so yes the important issue is that the Creative Commons study they were interested in all three use cases and so the fact that this third use case happens not to need an organisation to hang around as trustee or escrow or some similar role or an interesting observation but not critical to their study their study said we need these and that turned out to be a problem they did build such a program but it had very little uptake and so what I would point out is that between open source companies you don't need this the fact that the grants are automatic has been a really important part of how these licensing processes work and so I'd suggest that with respect to remainder type arrangements we should be sticking here not building independence upon a trustee or an escrow agent the idea is not completely new ghost script almost from the outset has been on a basis of we'll do our commercial licenses and then a year later for the same code GPL that was largely to keep a promise to Stalman apparently and so I would say some journals allow you to publish on an access basis so long as you give them a 12 month embargo first in different shapes this comes up in different places and for much the same reason that people who are to invest design or engineering work are looking for ways to earn a return on that work and so one of the ways is at least a period of exclusivity rather than perpetual exclusivity it is a compromise and it absolutely isn't hey we should build all open source projects this way we should not this is about improving the ability for open source projects to survive a particular kind of damage and that's the risk of a VC acquiring them and then collapsing not what we would want to see in a healthy project the effects on free software and open source are slightly different although they're aligned certainly the commercial releases don't respect user freedom so even if you've got this sort of delayed license option you're nonetheless out there selling a commercial version that is non-freedom respecting so it's clearly a very uncomfortable model for free software communities and it discourages the formation of a healthy free software community around the project because you know it was called a serial abandonware model you're just receiving the next version and the next version is difficult to maintain a healthy project but it provides a failsafe and this is the one that keeps burning us is that projects get eaten and then the organization collapses so it has some value open source similar what it does do fundamentally is prevent collaboration with competitors which is unfortunate because that's exactly what the open source initiative was set up to do that if you've got a bunch of people in large corporations who are working on infrastructure that doesn't affect customer buying decisions there's no problem cooperating with programmers working in other organizations even competitors on your database layers or your other infrastructure this gets in the way of that discourages the healthy community forming as for the free software provides the same failsafe and for business use for businesses we're embedding components it's a material risk mitigation I've seen situations where we've had to pull out of a bid because we were aligned for a bit of software we were stuck with an arrangement like this without the the release of open source so it's a risk reduction measure for businesses that want to incorporate open source components into a larger project one of the issues here and where I think the the VCs in particular keep tripping over themselves is not understanding where their crown jewels are you've got to know what it is that you are selling to your customers if you're a bank what your customers care about is when they stick their card in the machine cash comes out they don't care what database you use they don't care what languages you use what operating system, what hosting provider does the cash come out of the machine however so this first split is your engineering choices which affect customer purchase decisions you never want to put that code in the hands of your competitors it is positively harmful to put code that has that characteristic into open source on the other hand all your other engineering choices don't affect customer purchase decisions they do affect the health of the organization these are what Amazon calls un-differentiated heavy lifting they're the stuff where you've got to spend engineering resource to make useful product but how you do it does not affect your customers choices so what the argument I make here is that in general you should never consider putting this stuff in open source and if you set out to do it because you've heard there are open sources fantastic and you want to paint everything open source you're setting yourself up for disaster keep it separate but if you absolutely can't well I'll get to that right so any South Park fans in the room none at all I won't explain this typical broken business plan do something that seems related to making money do we're not sure what and in then in phase 3 profit in South Park the underpants known as the stealing underpants you know it's the same idea profit for VCs 10 to 30% of the time but fail anywhere up to 90% so what's popular make everything fast because that gets the developers to come work for us and make a cloud service because that's how everyone makes money nowadays okay but hang on oh my god Amazon, Microsoft and Google are now competing with us quick throw open source over overboard this is the pattern the reaction that keeps happening and it keeps happening because this is a broken business model it was a joke in South Park not supposed to build companies this way so it will take time to get this to sink in with VCs but what I'm getting at here is it makes sense for VCs to know where the crown jewels are know what it is that's custom differentiating but also avoid competing with the foster communities that created your crown jewels don't get into that situation in the first place make sure the thing you're selling is not the thing that the open source community created in the first place they need to be separate in the case of MariaDB which is where the business source license that HashiCorp used came from it's max scale they've produced a mechanism with a proxy essentially to allow much much larger scale for MariaDB than was possible before and that component is under the business source license whereas MariaDB proper is under GNU GPL so to keep separate what you give away and what you sell but also don't compete with the hyperscalers no VC funded company is in a position to compete with Amazon, Google and Microsoft it's nuts, you can't do it you'll do a lot of damage before you crash but you are going to fail anyway so wipe that by all means hire a foster project team but again make your money selling the corporate specific bits don't try to sell the thing that was free before and this is where the licensing thing comes up and why I think it's a good idea if you absolutely must compete with hyperscalers because you are certain you have some compelling reason for doing so at least think about the remainder of the foster communities the VC's know they're going to fail most of the time so there's no downside in putting a two line entry in your license that says and four years later it's available under GNU GPL because who cares if they haven't made a profit by then their work is meaningless they don't lose anything by making the grant I haven't yet worked out how to shop this round of VC's but I've spent time with advising startups maybe for the hyperscalers don't be evil hopefully everyone recognizes that as google slogan google please be google but the same with the other guys please remember where your components came from and support the health of the communities that those components came from now to be fair they're learning how after the whole debacle with elastic Amazon finally picked up hosting a project to run the open source version of elastic Microsoft is doing little pieces there's certainly major contributors to Postgres I don't know about GCP but I assume Google is doing similar things so it is happening but it's we are having to learn what the OSI was found to do 20 years ago we're now having to learn to do with much much big corporations and so it's a work in progress developers choose full software you can think about with the latest features the situation that I got into with Mongo it actually didn't matter that we were running a free year old version for our application it was not publicly exposed so the security what thing wasn't a concern we were not using any of the new features we were perfectly happy to keep working with the old open source version so that's certainly one option if you can't prefer projects with a full first remainder interest like what's in the cloud I can give you two examples at the moment that was all a bit quicker than planned questions nobody understood a thing I said or I've covered the topic perfectly and there are no questions remaining please I have a question but I can hear your sound because it's a little bit noisy but your topic is related to license some open source project such as the latest recently changes their license but some Korean developers or other countries developers says why they change the license but if you have an opinion or other idea choice please tell me your opinion so to the first half this is why that we go out and do the we're making everything first in a cloud service and then wait for the cloud Amazon has turned up it's why it happens and it's going to keep happening because the business of Amazon or AWS Azure and GCP is providing services specifically for developers the un-differentiated heavy lifting that's interesting for open source projects is also Amazon's slogan so there's an issue there and it will keep happening and so the solution that I'm proposing this is the business source license from MariaDB in addition to limiting the use up front it also says four years after the release it's available under MPL this is not perfect we would like it available from day one but okay, if EC is in there making money fine please protect us from your likely failure by embedding in the license grant that comes into place in four years not I promise I will open source it in four years but this is already in the license for HashiCorp but these words are already in the license they're already effective they won't give you rights for four years but they're already effective it's not perfect but it's better than loss this might be slightly unfair and if it is don't worry don't answer it the cyber resilience act is a new piece of law in Europe which we're all just starting to work out and one of the things it does is give a new definition to open source free and open source software that's never been used before you cut me off back again that definition says that the software has to be developed and they open to be free and open source so I think this will have a problem with that I don't know I am looking forward to studying the CRA I haven't done so yet looking forward to it because it's to my mind an overdue involvement by regulators in addressing the harms that an enormous amount of abusive behaviour is causing yes a lot of the open source communities are in arms about it but the I think it's a desirable effect a desirable outcome that regulators are getting involved yes there's going to be some mistakes it's a redefining open source sure but like the the the upstream rules from ITAR that limit the trade in arms define public domain in a way that we would find around the peculiar public domain for trade in arms regulations includes all open source against before the idea that regulators write definitions for things that are different to what we understand them to mean to answer your specific question but I won't know until I've had a chance to have a look at it do we risk having at least for EU organizations this strategy invalidated maybe I know there was a great deal of him that developed so I can't give you a go down to today but it's one of the characteristics of regulatory involvement is that it is different in different jurisdictions and so there will be wrinkles it won't be uniform and that's just part of the game one yeah so this has been an ongoing ever since I guess Elasticsearch did the first thing then recently Matrix did it with there and all of them had similar concerns that not only do they have to compete with the cloud services the cloud services do not offer any funding or donation like they make tons of profit but so element the parent of Matrix they said that 95% of our contributors come from ourselves and all the other services use it but they do not contribute back so is there any middle ground like I don't think if you know it but have they ever tried coming up with a profit sharing solution or is there any place where all of them I think it's a terrible idea and completely incompatible with free or open source what the thing that you're driving at is a sort of quid pro quo kind of thinking this is hey I did this awesome thing because I felt that by making it public I would get back good stuff that's not how either mechanism works free software is about protecting the freedoms of individuals open source software is an efficient means of collaboration but it's strictly voluntary is absolutely intended and expected that there will be actors who will take the code use it internally make changes and not share those changes and that gives rise to the affair of licenses which is a BPL and a GPL is the there's a non quid pro quo thing going on there well that's fine but that's got nothing to do with open source software so the broad answer is no and I don't think there should be I think that would be quite damaging is it a double S or a file license of the let's say GPL let's say that if you use reuse that you have to make your offering completely open source as well because then like are the intentions usually that let's say you have postures which I guess works as a foundation but then elastic search is started as an organization then it turned into a company and then they started selling their own software so when contributing are there like then places where contributors can agree that I would want to work on the force like I'm okay with it being forced but I'm not okay with them selling the same thing that's a much more complicated problem to have an upfront solution for I think it's worth bearing in mind and this gets missed that the terms what's happening under the how she got license and others is that there are two separate license grants and that you're receiving on either one or the other or the three or more in the ghost case there are three grants and you are designing this licensee which one you're taking it under and so you're sort of binding yourself onto a particular course if you then change your mind then you bear the costs what anybody else if you do a different stream and if it costs means you've got to pay fees or share code or change your agreements that's the deal that's the cost that you incurred by making that choice but it's worth understanding when there's multiple grants you are choosing one of them it's then it's your right to choose but also your cost I hope that answers your question alright time alright I think maybe one more I have a question as far as as far as I know open source friends license policies are not like well protected in Vietnam by the law so do you have any like advice for maintainers or leaders of the developer teams to prevent them from the court sealer I haven't studied the jurisprudence in Vietnam my understanding is that Vietnam is a signatory the burn convention so there is certainly a course of action that is to say overseas licenseeers who are harmed have standing so they should be able to use the Vietnamese courts to resolve disputes but I don't know what the current state is if the situation is that the courts aren't sorry the courts are disregarding the corporate law consequences of open source licensing that probably means action with your legislators if the situation is just ambiguous because no one's ever taken a case all the way through a judgement then the usual solution is to find a model plaintiff find someone who's been harmed but is plausible on the stand and so that when they're brought in front of a court the court doesn't have reason to rule against them this is used all over the world in multiple jurisdictions to bring trailblazing jurisprudence to bear you start with a plaintiff who is sort of has clean hands is plausible isn't shonky because if you start with a plaintiff who isn't then the court is like well why is it my problem to help you it's the question is whether it's that the law isn't clear or that the courts haven't dealt with it that's two different strategies thank you very much so our next presentation will be cold like hair dryers new import rules for software in Europe the presenter is Vittoria a lot of time for questions anyway so this is actually a presentation about the cyber resilience sector that was mentioned before so well let's start from who I am so I am I am working from OpenExchange which is a German open source software company we make email in DNS software you might know if you use linux.devcode which is the most widely used IMAP server or PowerDNS which is a very common DNS resolver so we are an open core company thinking of the business models 90% of what we do is fully free software and we sell 10% of extensions which are closed to pay for everything and personally I've been involved in this kind of internet governance stuff for like 25 years now so I'm an old guy so before coming to the cyber resilience sector I mean explaining why you should care about a piece of European regulation while in Vietnam or in Asia in general we have to understand that the approach that Europe has to internet regulation which is an approach of let's say the third way between the US and China so from the European perspective Europe has sort of lost the race in the internet industry because most of the big tech companies are Americans there's very few very big internet companies in Europe maybe Spotify, Booking which is Dutch but it's owned by Americans so the feeling is that it's out of Europe lost the train and now has a problem a big problem in terms of economy and also in terms of national security independence and so the only way that Europe has to address this problem is to make laws, regulation this is a European specialty the approach is to try to obtain what is called in Europe digital sovereignty which is a mix of a number of a lot of things but it basically means to be self-sufficient and not depend on other countries even if friendly or not friendly it doesn't care but other countries for basic internet services like the ones we use every day because all of our society and economy depends on internet services and so promoter, I mean local alternatives try to build European alternatives and this includes open source so there's a big push on open source by European authorities because it's seen as a way to promote the growth of alternatives to the big tech companies but also there's a meta economy basically of course all these cloud services that are bought from European companies they are bought from American suppliers or from Chinese for example hardware suppliers or from other countries somewhere else it's a loss in tax revenue and so this is also there's a loss in tax revenue and so this is a loss of money as well and this is why Europe is really trying to build some kind of independence and so this is why the approach of Europe is global so the only thing that Europe can say is that we as Europe are a very big economy so of course it's divided in 27 smaller economies and countries but if you put the whole of the European Union together it's almost similar to China in terms of the size it's actually slightly bigger so it's like the second economy in the world and so the approach by the European authorities is anyone in the world will want to sell products in Europe and so they will have to accept whatever laws we make, whatever rules we want to be enabled to sell in Europe otherwise we will start to find them and you might heard if you listen, I mean recently Europe has fined Apple for several billion euros or dollars for a number of privacy issues and competition issues so we'll start to ask the money, find them and in the worst case we will prevent them from entering the European market and since everybody cares about the European market of course we are pretty sure that everybody will comply with the laws and so this is a so-called Brussels effect because in fact this is what happens, usually Europe starts with some laws you might have heard about the GDPR which is the privacy regulation because then it starts to become a model for the rest of the world and the global internal platforms have to comply with the European regulation and so they change their products and often they end up changing their products also in other countries and so the other countries also follow the same model as Europe for example in terms of privacy regulation and so I mean given the success of the GDPR and now in the last few years we've seen several new laws coming from Europe just approved last year also the digital market sector about competition and others are about content regulation and a number of things so this is the background for the talk which is about code-like hair-liers as you will see or the cyber-resilient sector so if you ever work for a company that sends products to Europe to European customers or European wholesalers you know the CE mark so any kind of hardware piece even appliances from hair-liers of course but also mobile phones to be sold in Europe needs to have the CE mark I mean I have a Xiaomi phone my Xiaomi phone has a label with the CE mark otherwise I wouldn't have been able to buy it in Europe and so traditionally even if you have a Chinese or an Asian supplier this mark which means that you have to follow a set of specifications for the safety the electrical safety the physical safety and also the electronic behavior of the problem and in some cases you have to get a certification from a third party in other cases you just have to follow the rules and then you say okay I follow the rules so I can get the CE mark so for example if you take the hair-lier this is a hair-lier made in China and there's a CE mark that shows that it complies so what happens now the European authorities were worried mostly by log4j we all know but in general by the fact that software is now everywhere and so bugs, vulnerabilities can really bring down the society can stop the internet from working and can stop companies they can stop hospitals and so they want more secure software and so the great idea that people in Brazil said why don't we ask software makers to put the CE mark on software as well which is of course not so clear how can you put a CE mark on a piece of software a set of code lines but this is what in the law so they made this new piece of law which applies to products with digital elements which is basically any object that has hardware and or software so it's an IoT device with some hardware and some software but also just software and so it includes also the cloud part so as long as it is connected to the internet it's the cloud server part so the code that runs on the server and this of course was a problem for the open source community so this came out the first draft of this law came out about 18 months ago and it was a shock for the open source community like us but also like the foundations and everybody that cares about the open source movement in Europe because it's the first time that someone tries to regulate the way you make the code and to tell you how you make your code secure and to maybe give you punishment if you don't follow certain practices and at the beginning we were like no we don't want to be regulated, you cannot regulate code I mean open source is produced collaboratively by people all around the world how can you check what they do how can you put stamps so do I have to certify get the CE mark on every new version, every new release every new line of code that they put in the repository this can never work and also there are arguments about free speech traditionally software is seen as a form of free speech in the US in Europe and so you should not be able to prevent someone from publishing software and basically there was this discussion in which the European authorities kept saying yes but people will just do whatever we want because they need to sell their software in Europe and we would reply that open source is not always a commercial product people don't sell it in general they would like to close down the repositories to Europe and make the software unavailable rather than spend money and energy to comply with bureaucracy to certify the security of the code but in the end the feedback was that it's really time for the software industry to become professional this includes the open source industry so it's actually an objective of the European commission to have less hobbyist projects and more companies around open schools and this was said very clearly and companies have to take reliability have to follow by the rules and the whole of the software world has to become professional whatever that means so we work for one year with the European authorities I mean trying to convince them to change the draft I mean it's a complex process I want to enter into the details but in the end after one year on negotiation we got into this thing which I will now explain and basically it's an algorithm that we made from the text of the final text of the law to decide whether you are or are not affected by this regulation if you are making open source software so basically there's a couple of situations the most common one is that you will be a manufacturer of software so if you make the code so if you are the entity that owns the code like a company that runs the project or even a non-profit entity that runs the project but you control the development the main maintainer or controlling the commits and you make money out of it and this is very broad it's not just selling the software it's also selling services around the software it's also accepting donations around the software especially if you maybe something of the domain that remains to you so you don't just pay costs but you maybe get some sort of salary from the donations you receive and then you are a subject to this law even if you are basically a non-profit even if you are an individual but as long as the software has some kind of commercial use so if you use the products as we said the products that have some digital elements and if you are considered a manufacturer so you meet these conditions you will have to follow the best practices that are said in the law which include we will also get into this but basically it's about following very basic I'd say cybersecurity practices that we should follow anyway so it's nothing really new and provide the security patches throughout the life cycle of the software so keep fixing the vulnerabilities when they are found and report the breaches to the European authorities which was also a subject of contention because not everyone likes to report vulnerabilities to a government but in the end this is part of the obligation and if you do all of these you can get the CE mark and so you can basically distribute the software in Europe then there's another case if you are not a manufacturer but you are an open source software steward and this is a special role that was created basically for the big foundations like Apache foundation, Eclipse foundation these are entities that don't write the code themselves but they host the projects so they say we don't write the code we cannot be responsible for the code but still they host it and so they got a smaller set of liabilities like checking what the projects do and making sure that they follow the practices and cooperating with the authorities if there's a vulnerability and so on and this applies basically to entities physical entities not people that host projects that are not manufacturers but host projects that may be used in products in commercial products and basically support the development of projects and otherwise if you don't meet these requirements you're not affected by the law so if you're just a random developer that is contributing code to other people's projects then you're fine you don't need to worry it's basically the owner of the project that will have to comply with the law or if you don't make money anyway so if the project is completely for free there is no automation, no collection no services, nothing then of course you're out of scope or if you're just supporting stuff as an individual or if your project has no commercial interest meaning that it's not used in any product that is sold anywhere in Europe but you know the problem is that when you make a project and put it online you never know who is going to use it so if someone takes it and puts it into a commercial product in Europe then you are responsible and this is part of the problem and this is part of why you should care so let's say you are recognized as a code manufacturer an open source code manufacturer then this is what you have to do I mean this is very short there will be pages and pages and pages written on what you have to do which is basically never ship with any known vulnerability by the way the first draft of the law said never ship with any vulnerability and it's really impossible to do and even here I mean we managed to get the word known and some clauses like well if it's really necessary maybe you can ship with something minor if you need to push out a major fix or something like that and so you have provide secure configurations that authenticate in a secure way so no more default username admin default password admin and these kind of things track the upstream vulnerabilities of all the libraries you use and disclose the vulnerabilities with care but disclose them as soon as possible and so do you need a certification so one of the concerns was as an open source project especially the community one I don't have a lot of money so do I have to pay some company to get the code and release a certificate that the code is secure and the answer fortunately is generally no there is just one case in which you have to get a third party to assess your code and do an audit which is if you make this kind of security based product so if you make smart cards or I mean hardware security stuff encryption stuff then you might have to get a third party certificate to get the CE mark otherwise you just have to write a document and maybe send it to your friends and say that you followed all the best practices that are required by the law and so in practice which practices do you have to follow because it's easy to say I have to check all the code for vulnerabilities but in practice what you have to do especially if you have to prove that you did it it's very important to be sure of exactly what you have to do and this is going to be the work of the next one or two years and that will be basically European standardization bodies to sense and elect or others that will provide standards I mean like several I mean dozens of pages of guides of what you have to do depending on which kind of software and what you do so this is still to be done and the community in Brussels is organizing to be part of the process and make sure that what comes out of this is actually reasonable and if you rather have other parties especially this is especially true of like IOT staff or devices then it's the important that has to do this so you might also find someone who is buying your product here and importing it in Europe and then it's their responsibility to check the CMARC, validate the code and be responsible for everything into the law and also the integrators may be responsible so there was a question by the Debian community like okay we have a small shop that takes a laptop and installs Debian and downloads packages who is responsible for making sure that the packages are okay, are not vulnerable and in that case the PC shop is responsible according to the European authorities because they are integrating other products and so they have to check package by package that the package is certified or at least is meeting the requirements of the law and so this is also something that is not so nice when I mean of course fortunately this is not already in place, I mean the text is now approved so we have the law is finally approved there's still a couple of validation phases but in the end it will enter into force by the end of this year and then there's I mean depending on which section of the law there's like two or three years for compliance so in the end this is something that will have to be done in place by 2026 27 not immediately but still you have to start thinking of this and also the US government now is starting to think of the same topic and so they are also starting to think of something maybe lighter than this with less obligations because the US has usually much lighter regulation but it might be that also to bring your software into the US you will have to comply with these kind of things and so what I wanted to do here is just to give you a heads up and a very brief introduction where they explain that this is coming and if you're interested in working on global projects or distributing your products globally then you have to take care about this. Thank you and I think we have time for a couple of questions I was wondering about Debian in particular actually I did speak to one point about GDPR and it was a difficult discussion does Debian intend to comply or are they planning to do your knowledge or are they planning to sort of make some of this problem I know if you are inside the Debian community there was a discussion and there was also a call for a vote on a statement that was very very negative like we will stop distributing Debian in Europe if you approve this vote now there are helping discussions so we brought people from Debian in front of the people from the European Commission to talk to each other and it might be that in the end in the implementation phase so when the actual standards are defined for what you have to do I mean we will try to find ways that make it easier for this kind of project to survive so it's unknown I think it will depend on the implementation that we don't know yet yeah I think this is quite helpful my question is how the EU and the US I mean how the US can respond to this the series of act in the time frame well the US was more vocal in general I mean not specifically about this law but about all the other laws like the digital markets I mean all this new wave of laws they tried to stop them they said you're trying to let's say maybe not officially don't what mean they're not official position of the US government but the reaction in general but the American industry was like you were not good enough to build your own big tech companies and now you want to block us because you don't know how to compete so it was seen as a matter of competition which is only in part I think then of course there were discussions and I think more or less now they're okay so the US is fine with this kind of new regulations about China I don't really know I mean there was no official reaction that I know of by the Chinese government so no idea if there were private talks could be I think that in general you know the Chinese makers are used at the CEMAR for the physical stuff so it might be that they will just consider this as one more thing they need to do to export to Europe and it's fine. Any other question? Okay, thanks a lot thank you all. Good to be here with you all can you all hear me okay because I know when I was listening it was quite difficult I'm just going to shut this up. How many of you are software developers or engineers? Okay business people a few business people some of you are both lawyers ah okay okay so I haven't been a lawyer for a few years I'm going to start by saying that so let's see how we get on I'm going to talk to you a little bit today about open source and what lies ahead in doing that I'm going to pick up on some of the topics that the last two speakers covered and I'm going to do a lot of stuff in a short space of time at a high level so if we've got time at the end I'm happy to talk to you more about any of the specific topics or follow up with me afterwards so I got into open source 16 years ago I was a lawyer and I joined a company some of you will know Canonical I've seen a few Ubuntu t-shirts and I know that the Ubuntu operating system is very popular here and I worked on that through Canonical for about five years I left Canonical and I worked in a law firm for a couple of years and then in what year is this? 2019-20 I joined Open UK as a CEO and effectively a founder because we've completely reinvented what Open UK is so I do a number of different things as well as my job like most people in open source I've got a number of hats and I have been on different advisory boards one of my favourites was with the UN I have a couple of government appointments where I sit on UK boards one of them is the Open Standards Advisory Board and we've sort of seen over the last few years the rise of open source which I'm going to talk about so you'll see my name as CEO of Open UK on lists like this which is very much about the status of open source more than it really is about me and how things are changing in the UK and some of you will know this book was published in 2022 it's the worst thing I've ever done it was or it is 640 pages long and I've had to read it four times every word from start to finish to get the edit right and last week I was in Shenzhen I was Nadia's guest in Shenzhen and attending a really interesting Ospo conference there and I met 20 people and there are over 30 who are translating that book into Mandarin it's a huge task that they're undertaking and we're hoping that it will be ready in October it was super interesting to meet all these different people and to hear all their complaints about how hard it was to translate it it made me feel better about how hard it was to edit it and there's 26 different authors some of them joined me to launch it at all things open a couple of years ago quite a few women as you'll see and that QR code if you want to copy will take you through to my website where you'll find it for free and it's available open access feel free to share that with anybody but you've got 26 experts who really know what they're talking about and of course I spend a lot of my life travelling the world talking to people at conferences now there's actually two of us in the room today from Open UK my board chairman Andrew Wafa is also here so thank you very much for coming all this way to just check up on my talk Andrew and you'll see that Open UK is a very unique organisation there are other country organisations but they're not quite the same and we started with UK leadership in open technology and you'll see it's not open source software and it's very specifically not open source software because we want to cover all the opens so software hardware data and increasingly we're talking about standards about AI the last speaker talked about the standards needed for the cyber resilience act so we're looking at those standards and we're looking at the different shades of openness and that's something we see increasingly with AI and we're a really big organisation in that we have lots and lots of people involved but almost everybody is a volunteer so we have three members of staff and everybody else works on different projects within the organisation and we have lots of different sponsors who have contributed to our funding some of them also giving us benefits in kind which have allowed us to evolve as an organisation and to start to organise our conferences and we work on open technology we do it collaboratively globally but we do that on three pillars so we do community, legal and policy and learning and by community we bring together the community in the UK we do it through things like awards through honours where we celebrate the achievements of the people in the open source communities the open technology communities in the UK we do it through law and policy and what we do is give a voice to that community in the UK and we influence law and policy so we respond to laws as they're going through Parliament where we have opportunity and we also try to set the policy agenda and we do that by suggesting things we had COP26 the UN climate change conference and we had one of the biggest events there in the fringe with about 200 people right at the end of lockdown after Covid in this amazing venue talking about sustainability and we delivered a blueprint there on data centres and making them open tech and making them more sustainable by opening them up and we have since then produced and these aren't about creating code they're about bringing awareness to it and showing how sustainability can be improved we started reporting in 2021 and you can see our different reports online they're all creative commons and open for you to use and we started last summer talking about AI and I will talk to you a bit about AI because it's really important to the future of open source and talk to you about different aspects of it but it's a topic that I've avoided and I've avoided AI in the same ways I've tried to avoid security because you really have to understand what you're talking about in these spaces and there are lots of people with opinions on them who are not deep experts and that's all a bit worrying because you really, really have to get it some of you were in the room earlier when Divya was talking and she obviously knows about security in depth there's a technical expert who knows a lot about security so I won't generally talk about it but with AI, last year we got to a stage where we had no choice and as an open source, open technology community we had to start to respond so you can see our first two reports on that QR code and this year is an important year in Europe it's an important year in the US and in the UK because we have an election in each country and our governments will change and that will impact open source hugely but we are proposing to our government to the political parties and our asks that we have so that's important from a policy perspective and these are the three key asks that we have and then our third thing is about learning and development, about skills so we bring the community together we use their voice to influence law and policy and then we try and build skills and if you look at our little circle with the orange, the green and the blue it's meant to represent the community the influence and law and policy and then the skills development and one arrow leads into the other forever and we did a kids camp that's quite well known if you're interested in it, it uses a micro bit and there's two camps 10 lessons each the second one, I'm really proud I'm proud of both, but the second one I'm really proud of we were the runner up in the GNOME community challenge with it and it teaches the open source definition which we'll come to in just a minute we also have these training sessions again, freely available if anybody's interested in learning more about business and they have a number of different founders who talk about all the different things you need to know about running a business in the open the things that make it different so please take the assets and use them and in everything we do we try to create a sense of belonging and make space for everybody who wants to be in there I know one or two of you in the room were speakers this year we have open con and we're in our third year in 2025 4th and 5th of February in London and I hope we'll see many of you there and we'll have more and more international delegates almost 40% of our attendees this year came from all around the world and it's a really good opportunity to get together after 4th term so the real stuff I'm meant to be talking to you about the future of open source so what is open source I've noticed quite a few talks today about open AI where they've talked about open source and they haven't actually said what they mean about it and I think increasingly what open source means is becoming important to us and that's not because I'm a boring ex lawyer although I am a boring ex lawyer it's because we have to understand what open source is to have an opinion on it to be able to say something should be covered in a law or that we are doing an open source business or we're not and this is the open source definition which I think was 25 years old last year and you'll see there are 10 different definitions now I often joke that we should recite them together because we all work in open source but the reality is nobody in this room maybe Anne could actually because Anne was quoting some of it to me earlier and obviously nobody in this room could tell you what the 10 definitions are and for me I have two favorite definitions five and six and they're my favorites because I think they are at the heart of what open source is and that's that anybody can use it for any purpose obviously you have to comply with the license and do whatever the license requires that could be attributing the author it could be making source code available depending on what license it is but at the heart they all have this same requirement that anybody can use the code you don't have to worry about who you are or where in the world you are and you can use it for any purpose so you don't have to think each time you use it can I use it you just know that you can and that allows a free flow and a movement of open source software that we don't see in any other kind of licensing so back in 2008 when I joined Canonical we were trying to get people to use open source and it was really, really hard we were knocking on doors trying to get it adopted in companies and they were saying no and the people who were saying no were the risk professionals the lawyers like you and me the accountants and the procurement people were just going into companies but that's changed the synopsis report last year said that 96% of code bases have open source dependencies and 76% of code in those code bases was open source so how do you go in 16 years from it being so difficult to it being the norm open sources what we all use in our infrastructure today how does that happen well we see digitalization and we see that over a 10 year period but we particularly see it through lockdown and Covid so any organizations that hadn't digitalized already suddenly did and what we see is when you have a digital environment that it's defined by software and what that means is that engineers and developers many of you in this room suddenly have more power in companies you have a higher status in companies than you used to and we also see something Git become really well used and it changes how we get our code now back at Canonical we had Launchpad but the one that you will all know is GitHub you probably know GitLab as well and the way that code is distributed so these engineers with their new found power are able to go and take code bring it into their organizations and use it and they do that without having to go through the boring lawyers, accountants and procurement people so suddenly they bypass and they fill their companies with open source and it changes where the risk sits in their company most companies don't realize that yet but importantly it allows for the adoption of open source now some of you will know this gentleman Steve Walley is a good friend of mine and he was giving a keynote in 2018 in Edinburgh and Steve talks about Microsoft when I first got involved in open source Microsoft was public enemy number one every joke that I knew about open source the punchline was Microsoft and today Microsoft according to GitHub we're having a battery change Microsoft today is the number one company in the world in terms of contributions to open source so how do you go from a company that was the punchline of every joke to being the biggest contributor in the world but what Steve would tell you is that Microsoft has been on a journey and that journey involves three major factors the first one is that every engineer every developer who has learned to code and the last decade, two decades they use open source they recycle they reuse they don't reinvent they don't create things from scratch so that's how they want to work and if you want to hire them and remember the market is suddenly much more competitive because of that digitalization people want engineers so you have to allow them to do open source the second thing he'll tell you is that some of the best innovation was open source and is open source so their customers come to them and ask for specific technology that is only available as open source packages open source products and then the third thing and I know we already heard from Roland about cloud and hyperscalers is that Microsoft runs a cloud business you probably noticed that and if you want to run an organization like Microsoft Azure you have to use open source and it's no good if you're in business just to use it you have to engage with it you have to contribute into the community if you want to have influence if you want to be part of the ecosystem if you want your staff to learn skills so Steve would tell you that Microsoft's journey was based on those three things and those three things are I think the basis of every company's journey and it's not just every company it's also the public sector it's also governments and in the UK we've had an open source first policy for 12 years I think we were the first country in the world to have it but we see that journey increase so open source is one but is it sustainable and I think that's the big question for everybody you could reframe that question you could say open source is one but what has it won has it won a war it won a battle who knows and what we see is an increase in businesses around open source as the adoption has got higher and higher we see business usage increase because it builds our infrastructure today and this report on my slides if you want to go and follow up you'll find the articles and things there but this report was actually done in 2008 and it's the first report that I'm aware of on business models and open source and it has eight business models and they haven't actually changed some of the names are a bit different now but the actual what the models are hasn't really changed and what it says in that report is that open source is not a business model so whatever you use open source for that's up to you if you want to build a business around it if you want to release your business software that's up to you but you will not make money you will not run a business just because it's open source you have to have a business model which is a separate thing and you have to think through if I'm going to open source my code what does that mean and I used to when I worked in a law firm I used to say to people what if what if someone else takes your code and use it and they actually understand that that's what open source is what if somebody else takes it and makes money from it and you could see that it's mostly they weren't too sure about that and then I would say what if somebody else takes it and makes an awful lot of money out of it and mostly they then didn't decide to open source the code so although I really believed in open source I was putting a lot of people off by telling them what the reality of open source is that it's not a business model that you have to have a business model and that was in 2008 I was working in law firm in 2013 and 14 so if we fast forward a few years we see I think 2021 elastic and I know Roland talked to you about the changes in licensing and we see elastics founder Shay Bannon with this headline and Shayne's a long term open source contributor who really understands it but maybe hadn't thought through the business model maybe had other reasons for why elastic decided to change but elastic moved away from open source moved away from that open source definition moved away from an OSI approved license and moved to the SSPL the server side public license which is not approved and wouldn't be approved by the OSI because it doesn't meet the definition I think the the thing that everybody was upset about here is it says doubling down on open so if you read that what it makes you think is that oh they're going really open source when actually they're moving away they're moving to a proprietary model and then we see last year in August has she core which is one of everybody's or what's one of everybody's favorite open source companies moving away from open source as well to the BSL another non open source approved license a few years ago we saw redis move to something called the Commons clause it's not a different license it's a clause that you add to an open source license but of course as soon as you add anything else the license isn't approved anymore and what that means is that it's not an open source license so they did that for a little while and now just a couple of weeks ago open source is the fact that we've got companies that are building a model around open source software that maybe don't have a business model or have a business model that makes a lot of money and in some of these cases they're making a lot of money but maybe they're not making enough money for their investors or their funders so whatever the reason what we're seeing is these single vendor companies in particular moving away so I think we're going to see a couple of things happen because of this we're going to see business models shift we're going to see people looking into whether it's viable for them to open source the code to think more about the business models when they're setting up a company but I think we're also going to see a shift in how users choose open source because there is definitely a vulnerability there is a risk if you're using software that has a single vendor on they might move away from it we saw MongoDB's CEO use the term bait and switch you know when you go fishing and you have bait to catch a fish but what he was suggesting is that open source is a marketing tool and you use it as bait and then later when you want to make money you switch away once you've hooked your users so I think whatever your thoughts on whether this is right or wrong this is happening we're going to listen to our future of open source Victoria was talking about the cyber resilience act I think it's a huge problem I think it is likely to cause a lot of destruction in Europe into the digital economy I suspect a lot of companies a lot of small companies a lot of individuals as they create code will have two options they'll either have to put their code in a foundation so it becomes a steward and captured by the steward or they will block their code going into the EU because they won't be able to take the risk and I think what that may mean is that big company system integrators the fidgets of this world will take that code and integrate it and take on the liability as the first distributor because the small companies won't be willing to do it and I suspect it could hugely backfire on the EU who want to be the next Silicon Valley because if you're making it harder and harder for people to create businesses and to scale businesses then I don't think that's going to be the way to make your area the next bay area and not only do we have the cyber resilience act which is tough we've got the product liability directive coming down the line and in the UK we're still at consultation stage so we haven't quite got laws now why am I telling you about these laws again is it backed because I'm a boring ex lawyer no why do you think suddenly governments are interested why are all these people making laws about open source so that in fact open source suddenly it is hugely successful suddenly it's the basis of every enterprises infrastructure suddenly it's the basis of our national infrastructures and our national critical infrastructure so of course it's something that's important of course it's something that governments want to see regulation around I think they're taking the wrong approach I think we should be looking at the end user because the end user chooses what they use and if they don't know what they're using they ought to know what they're using and liability to me should not sit with the companies it should sit with the end user and if you think about it companies are already regulated in certain sectors so things like mobile healthcare finance heavily regulated and the regulation for those is different from the regulation or general economy we also have issues with maintainers maintainers who are overworked who are creating code that is used to huge value by companies who may not be making very much money themselves out of the code and only last week we saw a real problem with a backdoor being put into a piece of software intentionally a malicious act in a piece of software and we see geopolitical shift wars Brexit all of this has an impact on the future of open source but I think probably the single biggest thing that's happening just now is AI and you've seen lots today these are the two reports I mentioned I was forced to start to talk about it last year and to think about it I will tell you again and again I'm not an AI expert but I do know a bit about open and what we're seeing is two or three different problems from AI for open source I think the first one is not knowing about licensing for the future the second one is maintainers likely to have to deal with more and more contributions coming from AI so submissions where they have to work out if that's AI generated or not whether or not they want to deal with them and that the possibility they're going to have an awful lot more and then we have this thing I've already mentioned to you the myths about open source and what it means and understanding the definition and people saying something's open source that isn't so last year almost a year ago we saw GTP4 come out an AI shift we saw Elon saying that it really was meant to be open in the first place and we saw Google reacting to Lama being shared last February and Lama was shared by Facebook and it was shared for research it wasn't shared on an open source license it wasn't approved it wasn't meant to be used beyond research and what we saw was it was leaked and lots of governments want to know how it was leaked and we don't have a conclusion about that as of yet but what we do know is that when it was leaked we suddenly saw a massive increase in innovation and AI and that innovation increase came from the open communities last July we saw Lama 2 being shared and we saw it shared on a license called the Lama Community License which is not open source but Open UK decided to be one of its partners and to back that and it's obviously quite a controversial decision and it's one that my whole board took because Lama's license Lama 2's license isn't an open source license however it's an open license and we felt it was important because it was going in the right direction and as you move through the last 12 months and you see more and more open source we felt it was good to have something that was moving us forwards because when we saw GROC being released a couple of weeks ago with an open source Apache 2.0 licensed model and weights we don't think we would have got to that so quickly if we hadn't seen those stepping stones and we would like to see more and more of it being truly open sourced but you also as many of the speakers have told you through this conference have to deal with open data so in the UK we again haven't regulated yet but we have had a summit that brought many international countries together in the UK to look at the risks and we've seen the G7 bring the Hiroshima process and a code of conduct forward and as your other speakers this afternoon have told you we've seen the first AI law in the world in Europe it has four categories that are covered by the Act and that AI Act has one that applies to the highest risk that applies to open source but it has the exemptions for open source software so of course we have to understand what open source software means or how do we know that the exemptions will work or apply to our AI but it is very complex and we're back to these problems with regulators and we're back to the problem of regulators needing to engage with open source and trying to work out what it means and trying to understand it and we see the risks understood of closed source proprietary software and we see the risks that are associated with open source software and open AI being something that governments are struggling to understand and we really need more organizations like Open UK talking to the governments and helping to explain to the governments and the regulators what open source is and how it works back in February at State of OpenCon Open UK's conference we saw Bruce Perrin's talking about the future of open source and what Bruce suggested was that separate to open source there's likely to be a new category of software and there's likely to be a new structure for that and I have to say that I tend to agree maybe not with exactly how that will manifest itself how that will play out with Bruce and I agree with Bruce that we're going to see something different I think open source will stay in all of our lives and it will be something that is strong but as we see more and more challenges from regulators more and more companies trying to work out how to use open source and to build businesses around it I think we'll see this licensing term this licensing category that Roland was talking to you about earlier becomes something that gets a name and gets recognized and I think it's important that as an open source movement we get behind that and work with it because if we don't it's still going to be confusion about what's open source and what isn't so to make the future of open source strong we need to see this other category of open software made clear so I did say to you I was going to try and get through an awful lot in a short space of time but all of these different things impact that future if you have any questions or you want to talk about any of those topics more with me I'm happy to and thank you very much all of you for staying so late enjoy the rest of your conference thank you this was the last presentation for today now we have the event dinner so for all the speakers I think that the bus is waiting outside please hurry