Good afternoon everybody. Well done for surviving this far and, most importantly, welcome to our panel on open-source software funding. My name is Cailean Osborne. I'm a researcher at the Linux Foundation and a PhD candidate in social data science at the University of Oxford. Before I introduce our incredible panel, I just want to do some housekeeping and say some introductory words.

Firstly, on housekeeping: this is the shortest panel of the day and we have 30 minutes, so our time management skills are going to be tested, but I think we can do it.

And some introductory words, quickly. I'm probably preaching to the choir when I say open-source software funding is crucially important to the sustainability of open-source software, but the questions of who should be doing something about it, and how or how not, are not straightforward. So hopefully we will dig into these questions during this 30-minute panel.

Just to set the scene of the ecosystem of open-source software: as Deborah mentioned this morning, Log4j really mobilized governments about a year ago because it shed light on the consequences of under-investment in open-source software maintenance. Just one example of this is the White House meetings last year, which resulted in the OpenSSF mobilization plan, which Brian will tell us more about today. Of course, it's not just security that governments care about. Today we heard a lot about digital sovereignty and also digital public goods. It was an interest in supporting digital public goods that led the US government to set up the Open Tech Fund, and, as Paul Keller remarks in his proposal for a European public digital infrastructure fund (a mouthful), this inspired models in Germany with the Sovereign Tech Fund, at the European Commission with the Next Generation Internet initiative, and more recently in France with the digital commons initiative. So we're lucky to have Jean-Luc with us today, who will tell us more
about the NGI at the Commission. Of course, it's not just governments; many nonprofits are involved as well. We have Rebecca Rumbul from the Rust Foundation, who are developing innovative approaches to community grants, and we also have Emmy today, who will tell us about what Invest in Open Infrastructure is doing. Also, we have philanthropies investing a lot, with Schmidt Futures and the Omidyar Network just as examples, and today we have Govind, who'll tell us more about what the Omidyar Network is doing. And also, finally, we know that the private sector has been playing a crucial role, and Paula, I wonder if you have your bell ready, but as we've already heard many times today, the European Commission led a study which found that in 2018 companies based in the EU invested about 1 billion euros in open-source software, which led to an estimated positive impact of 95 billion, or up to 95 million euros. So clearly there's a lot of developments in open-source software funding. It's important, lots of players are involved, but who's doing what, how they should be doing it or not be doing it, and how we should proceed going forward is going to be the topic of discussion today. So without further ado, I'll pass over to our amazing panel. I'll invite them to introduce themselves and what their organizations are doing, and to share some thoughts on a first provocation, which is: why should Europe care about open-source software funding? So, Jean-Luc.

Hello, good afternoon. I work for the European Commission, so the executive branch of the European Union, and among many other responsibilities the European Commission is responsible for the implementation of the Union budget.
So it's a multi-annual framework: seven years, one trillion euros, and in this budget there is a research program called Horizon, and my colleagues and I are responsible for implementing a part of it, which is called Next Generation Internet. So I guess that's the thing I'm glad to share today with you. You want me to elaborate on why we are doing it next? Yes, please. Okay.

So Next Generation Internet: in a few words, it's a program that is in four years of existence now, so we have 800 projects, we have mobilized 80 million euro of budget, and we still have 25 million for '23 and '24 open for contribution. And we are focusing on technologies that will drive the internet towards more inclusion, more openness, more decentralization, more privacy and more trust. That's the narrative we push. We have a lot of projects. Initially it was 80% open source; now it's mandatory open source, so we moved a little bit from encouraging to mandatory open source. And open source is a vast number of things. We are not going to fund, for instance, things that are well funded, for instance by foundations, or some business model that is very sustainable. So we are going to focus on those commons, internet commons, that will be used like building blocks for this internet that I mentioned. And I can give you a few examples later.

Thanks. Yeah, I'm Govind.
I work with the Omidyar Network. The Omidyar Network is a philanthropic organization which reimagines critical systems, and we've deployed over two billion dollars in the service of better markets and better inclusion. Our focus areas are responsible technology, reimagining capitalism, and cultures of belonging. The reason why we are interested in open source, and some of our examples: I think our conscious belief is that technology should be in the service of society, and there's an inherent breakdown of trust today in society, and open source historically has allowed us to think about these issues, where people participate and collaborate in very non-traditional ways by decoupling property rights from the value created. So this is a way to really decentralize the internet, I think, away from getting into conversations about web3 but sticking with how open source has evolved. It is one of the most important investments that we can make today in our societies.

Why should Europe care? Some of our examples; I think we have four. One of them is we invest in informing policy. An example would be an investment in the Atlantic Council and OpenForum Europe to think about policy more deliberately. Convening funding: we have set up a five hundred million dollar fund, an anchor of a five hundred million dollar fund, to think about deliberate open source implementation. And enhancing and building communities, like the Open Source Technology Improvement Fund here, who work on security audits. So it's a combination of different factors, and providing funding and networks to these institutions.

Why should Europe care? I think every technological revolution is accompanied by a financial revolution. Without a financial way to buy cars, we wouldn't have had so many cars on the road. Without billions of dollars of venture capital,
we wouldn't have so much consumer and enterprise technology today. So I think we need new ways, and Europe historically has been very good at (a) regulating, (b) thinking about institutions. But if you take the other two things that impact ecosystems, which are incentives and infrastructure, it's imperative that Europe, which sits at the center of safeguards and good technological development, leads the way in thinking about the financial revolution in addition to the technological and regulatory revolution. Thank you.

Hi, my name is Emmy Tsang. I'm the engagement lead at Invest in Open Infrastructure. Our mission at Invest in Open Infrastructure, or IOI, as the name suggests, is to increase and accelerate investment in open infrastructure. We do this in a couple of ways. We conduct research to increase our shared level of understanding of the funding landscape, so questions like: what's getting funded? What's not getting funded? Who's funding what? And where are there trends and gaps that we can see? And we use that research to produce strategic recommendations and guidance for key decision makers. We also, knowing about some of the constraints and issues with the funding mechanisms that are in place, have convened key stakeholders to try and pilot and test out some new ways to fund open infrastructure. So for example, what about participatory budgeting, or how can a vendor reciprocity model work, right?
And beyond that, we're also launching a fund ourselves, looking at launching early to mid 2024. So in terms of why Europe should care: I think this morning there were a lot of eloquent speakers who spoke about trust, and we at IOI have built an evidence base that substantiates that open, in particular in terms of having robust community governance and transparency in the ways that we're working, really helps promote trust and encourages stakeholder participation. And I think we can all agree that that's crucial not only for governments but also for corporates in this day and age. Thank you.

Hi. So I'm Brian Behlendorf. I'm general manager of the Open Source Security Foundation. It's an organization embedded inside the Linux Foundation, but with its own membership, its own budget, its own remit. And we're interestingly both an organization that recruits funds and also disperses them, but it has an operational element to what we do; probably the bigger part of what we do is operational, but we do disperse some funds in some interesting ways as well. Our reason for existence is this recognition that security has often been an afterthought when it comes to open source software, and there's lots of default biases and assumptions that even we as open source developers have had about trust in the software supply chain. Trust that, after SolarWinds, after weaknesses in OpenSSL that became very pervasive and caused a lot of downstream thrash in the open-source world, we kind of realized you needed to think more about how to push security upstream and how to get a better set of tools and processes and standards together. It actually came out of a bunch of different conferences and the like about open-source security that discovered everyone had these collections of little projects and ideas, and if we just put them under one roof and got everyone talking to each other, maybe we'd have something
interesting. And so we are this kind of motley assortment of everything from software such as the Sigstore project, which is about signing of artifacts through the software supply chain (Sigstore is also kind of a service, a way to look up whether signatures are valid, and even kind of a quasi specification too; there's a couple of different implementations in different languages). There's another project called Security Scorecards, and actually a whole set of things we do which are about trying to objectively measure risk in open-source projects, like what's the likelihood that there are undiscovered vulnerabilities in the code that could come and be a problem later. And other work that we do is about education: how do we help train developers to recognize common anti-patterns when it comes to security, things like parsing untrusted user input, or particularly format strings, and how do we train them to look for those in their own code and try to avoid them? What we've discovered is that if you can measure risk, if you can talk about processes that can systematically work them out, you might have a path to raising the floor for security across software, not just the open-source software landscape but really, frankly, the entirety of the software industry, given that by different studies something like 70 to 90 percent of software sitting inside of any end product is pre-existing open-source code. So some of the more exciting things that we've done,
I think, have come from a project called Alpha-Omega, which has raised seven and a half million dollars to go and target two very complementary activities. One: going out and trying to scan the top ten thousand open-source projects to systematically look for new vulnerabilities that look like things that we've discovered before, things that haven't been resolved yet even though they've been widely known as issues out there, and proactively issue pull requests to go and fix those. And we've got that infrastructure standing up now; we've already discovered a bunch of CVEs and they're starting to report that. The complementary side to that is the Alpha side, which you could really think of as capacity building amongst other open-source foundations in how they work, how they deal with security issues. And so we've dispersed roughly on average four hundred thousand dollar grants to Python, to Rust, to jQuery, to Node, and to one more I'm blanking on. Eclipse, sorry. To try and help resource security teams, to help them resource adoption of different security practices. And I use the term capacity building very much intentionally, because I think of it like the kind of capacity building that development organizations or governments often do when they look at: what does it take to systematically go and up-level how a country feeds its people, or how a nation state manages its democracy, or other types of capacities, right? Because we're eager to help uplift the entire industry, kind of project by project, and move on to additional projects and fund those. So we've raised and dispersed a bunch of money to do this work. I should also note, we had this inflection point about a year ago right after Log4j, where a whole bunch of people started to ask us: it's nice that you've got these cute projects, but what would it take to actually close and solve some of the issues that are out there, right?
What would it take (and this is perhaps not a fair question) to prevent the next Log4Shell type of vulnerability? And just dialing down on that for a bit: the vulnerabilities that led to the Log4Shell breach, had you hired a third-party code reviewer, I'll go out on a limb and say it would have been a fifty to a hundred thousand dollar project, to hire OSTIF for example. I don't know if any of you have, hopefully all of you have, heard of OSTIF. OSTIF is an amazing organization that front-ends third-party code review work and does a lot of other things. Amir Montazery, sitting here in this fancy pinstripe suit, will tell you all about it. But basically you can go to them and say, we'd like to do an audit of this software project, this package, how much will it cost? He'll go and talk to a bunch of different orgs, come back with a quote, and then may oversee this process that makes sure that it actually solves this for open source communities. So for 50 or 100 grand, I would wager, we could have found those issues and proactively remediated them through a coordinated vulnerability disclosure process, and kind of avoided the billions of dollars, we don't even know how much, of disruption that resulted from the Log4Shell incident that happened over a year ago, and everyone's ruined winter holidays. I can't tell you what the next Log4Shell is, but I could give you a list. From some of the projects we've done, we have a way of looking at the most critical projects out there: here's the list of 200 projects that probably have about a 1% chance of having the next Log4Shell-level breach, through a combination of how critical they are and what the risk scores are that we get from all these studies we can do. So let's do third-party code reviews of them, right? What's 100 grand times 200 projects? It's 20 million dollars, right?
That's a lot more money; even a hundred grand, even 50 grand, is more money than any one open source project tends to have in its back pocket to apply to something like this. But it's pocket change for a lot of governments. Not to say it's completely non-trivial; like, you have to go and justify and show value. But this is the kind of scale that we need to muster if we want to try to solve some of these security issues at scale, and address them entirely, not just throw rocks at it and hope to have an impact. But it's also not billions of dollars; it's not trillions of dollars to solve this problem. And so at this point about a year ago we developed a plan, something that we called the security mobilization plan, that looked at ten different angles to these challenges to securing open-source software and the software supply chain. Funding of third-party code reviews was one of them. Funding a CERT, an emergency response team for the next under-resourced open-source team that finds a bug and doesn't know how to manage a disclosure process, is another. I mean, I can go on; I'll bore folks. I thought when we put this together it would be, again, billions of dollars to actually have this kind of impact. It's a hundred and fifty million dollars, which again is bigger than my budget, bigger than most organizations' budgets in the open-source lens of the world, but a completely tractable amount, especially if, as companies and as governments around the world, we work together to address this. So we're really eager to figure out how we help this collective recognition of the need to make this proactive investment in security hardening, and not just the creation of digital public goods, but making them safe, making them consumable, making them the kinds of things that we can build critical infrastructure on top of.

Great. Thank you, Brian.
I've heard clear answers to why Europe should care, and we're at the halfway point, or just over it. So to make the most of the remaining 13 minutes, I think we should focus on two questions, which is, going forward: who should be doing what, who should be mobilized, and how should they be doing it, or how should they not be doing it? By that I mean what funding models would you recommend, what cooperation needs to happen, and so on. So perhaps we can start with you, Jean-Luc, since you are working at the European Commission.

Yeah, sure, no problem. So on the who, I guess everybody that has money is welcome, so it's a very simple answer. We at the Commission will for sure invest; we have invested, as I mentioned, in the Next Generation Internet, and we are going to invest in the next work program. We have open calls; for instance, we have a fund with 27 million euro open, and then we will also invest in pilots of 14 million euros. Now the question of how is a very interesting one, and we at the Commission realize that we are not necessarily well adapted to target the open source communities, because we have very heavy processes and it's not necessarily the best approach. So the way we work is in two steps: we give money to intermediaries that in turn give money to open source and the people developing the commons. That's the term we are starting to use. So today there are open calls for, precisely, innovators, and there is a deadline in two months, just to be practical, and we are going to have projects that are going to improve the internet in the sense that I mentioned. As examples, we have existing community projects; take Jitsi, BigBlueButton. We are working with the Solid community, the Fediverse community; we have 20 projects. Open hardware is also very important; we have RISC-V projects, which is from the Linux Foundation; we have OpenPOWER.
Also, we are working on the value chain from design to electrical level, so there is software there, and we try to make sure this is open, open for students, to democratize the process of moving from the design to the layout to the open hardware. For example, WireGuard was also funded by NGI, and we have a lot of projects in relation to distributed, decentralized infrastructure. So the common denominator is openness for sure, and better privacy; we want to have an internet that is protecting privacy. Trust is another key word. So I guess that's how we are going to work. Yes.

Thank you. I think Brian spoke about the risk, but I also want to talk about the opportunity that it presents Europe and many other geographies, right? The EU has a GDP of 17 trillion dollars, and the cost to start a company a decade ago was maybe 10 million, and today the cost to start a company is literally a hundredth of that. It's because of this open source infrastructure. So we have to also frame this in the context of innovation: what can happen in the next 20 or 30 years? How much money can be added? I think OFE came up with this amount of a hundred billion dollars added to GDP, right? And so we should get the industry to contribute back. An example of that is a fund we set up with the Open Technology Fund, which is a collaboration between GitHub, Okta, philanthropy (Omidyar, Schmidt Futures) and the federal government. So you can experiment with new funding models and get industry to collaborate and contribute back. Tax breaks is an excellent way. Second, I think European philanthropy should think more actively about de-risking some of this stuff for industry and the government, and take active participation in thinking about digital commons and open source. Third, I think it's definitely government, right? And if you set up a European digital infrastructure fund, 100 million, 500 million, just like the Sovereign Tech Fund in Germany,
it's not a lot of capital to think about the next billions of dollars that can be added to the overall GDP. And finally, one idea I've been playing around with is: just like a social impact bond, can we have an open source or a digital infrastructure bond, where governments and philanthropies guarantee on a result and actually do intermediation of this fund, right, like a bond? It's a simple bond structure: someone pays for it, and if it is successfully remediated over a three to five year period, governments actually pay for results instead of paying in anticipation of impact.

Thank you. Go ahead. Emmy, would you like to share some thoughts?

Yeah, I think I'm going to talk a little bit more on a meta level about how to fund, right? I think the first thing is that there definitely needs to be more coordination and transparency in terms of how funders are working; got to walk the talk when we fund open source, right? So we see that if anyone's tried to dig into funding data and analyze funding trends, you know that this data is actually really, really hard to analyze and obtain, because it's just all over the place, and not every single, actually a lot of, open source projects don't declare how much they've got, when, for what kind of timescale, and that sort of thing. So without this kind of data it's really hard to figure out how to coordinate between different funding efforts. And the flip side, the downside of that, is when you have, for example, a certain funder coming into a certain space with a huge amount of investment, what we've seen is it could potentially drive away other smaller funders that were initially funding that space. And then that's not an issue in itself; the issue is when there is, for example, a change in strategic priority for that particular funder, we see that this space of open infrastructure is then left very, very vulnerable. And so I think with more data, with more research in this area,
and with funders working more transparently, we can actually have more coordination and avoid those single points of failure, and really work towards a more coordinated action, collective efforts to fund this space.

So one of my favorite things from the last year is that free software isn't necessarily free as in speech or free as in beer; it's free as in puppy. And I think what's always driven the value exchange and the energy of the creation of open-source software has been the use value that comes from it, from the individuals and the companies really receiving it, working with it, and recognizing this kind of implicit obligation to contribute back. If you're fixing a bug, don't keep that bug fix to yourself; contribute it upstream, right? If you have an idea for a feature, you could write it all yourself and contribute upstream, sure, but you might also find other people willing to help you do that, right? And so this implicit: I got it for free, but I should take some responsibility for my own use of it and pay it forward, right? I mean, that's a very socialist term; I would be called a socialist in the US if I put it in those terms, right? Not positively, but it's actually really a positive thing in my opinion, this proactive pay-it-forward kind of cycle that we've developed in open source. And so I think that's the first thing, and this has always powered open-source development, even since Rishab Aiyer Ghosh at the European open-source observatory, who was doing some of the first econometric work in open source in the late 90s, and based on surveys and other data concluded it wasn't charity.
It wasn't research dollars. It was actually the use value coming from open source that drove so many contributors to that. So figuring out how to keep that engine going is critical, I think, to making sure we don't, you know, strangle the goose that laid the golden egg, right? That's the first thing. The second, of course, though, is that there are some institutions that have perhaps been a bit more of a free rider on this stuff than others. So the cloud companies, the technology companies, the folks who are close to the bone on some of this stuff, they do recognize that need to pay it forward. There's other organizations that are just now waking up to the need to have OSPOs, for example, right? OSPOs at large companies that are retailers or automotive firms; thank you very much to Continental, who's here, and Mercedes and others who do this as well. So these kinds of end-user companies, and increasingly smaller companies, recognize that even if before they hadn't thought of themselves as a software development operation, they use this stuff; they should invest in it like a puppy, take care of it like a puppy, and then also pay it forward. And then government: government is a massive user of open source code, and if they only invested back upstream into it proportionate to their use of it, the way that happens in the rest of industry, they would be a huge contributor to open source. And what we've seen is that there are, in the United States and a lot of other countries, policies against government employees contributing upstream, against government contractors, who are typically paid by the hour, contributing upstream. So we need to look at some of those policies, and I think if we just made some minor changes we'd see a lot of that kind of funding and that resulting work come in. But then finally, let's look at: are there systematic improvements that can be made, particularly around security, which all of us, all of us,
want somebody else to pay for? Security work: we want to be able to take it for granted, right? We should be able to take it for granted. The fact, though, is sometimes there's large expenses like a third-party audit. Sometimes there's the kind of expense that goes into paying for things like validating signatures on your upstream dependencies that don't create an immediate benefit for you, so they're not quite a feature, but they're in the long-term benefit for your users and in resiliency against the kinds of attacks that we all hope we don't ever become the subject of, right? So for that kind of investment, foundations are an appropriate way to try to coordinate some of this and pool some of this interest and this effort, but I also think that's a role for governments to play. There's an economist named Mariana Mazzucato who has been doing a lot to try to understand the value of public goods, public infrastructure, and the resulting economic impact that can come from, I mean, bridges and highways, but digital public goods as well. And I think if we had a sober analysis of the economic value being created by improvements to open-source code, and then carved out 1% of that value as a pay-it-forward or pay-it-upstream type of thing, we would be able to tackle some of these systemic issues I think we see with security in open-source code, but also in other places where open source needs that kind of investment.

Thank you, Brian. I'm conscious of time; we have two minutes left. I have a few more questions I wanted to ask, but I'll just conclude with one last question, which is, I'd like to hear from all of you very quickly one thing that you're optimistic about in terms of open-source software funding.

Okay, so open source is becoming extremely important. There are many factors for that, and some of us discussed that. So I'm optimistic about, notably, the involvement of governments. There are many reasons for that.
There is an economic argument: OFE and Fraunhofer did a study recently that shows that investing in open source brings an increase of GDP, an increase of jobs and startups. So there is an economic argument. There is a strategic argument, because open source is everywhere; Log4j was revealing for that, and it rings a bell for a lot of decision-makers. And it's also somehow a geopolitical question. There was a study from the French Institute of International Relations that explored the logic of regions, Russia, China and the US, with very interesting top-down policies. The bémol, the concern, is that when a government enters this world, which is very bottom-up, grassroots, there may be a mismatch, so we have to be careful. Top-down policies do not always fully align with the bottom-up. That's one of the messages and lessons we got, so it's important to design policies that are exploring the potential of open source but at the same time leave the freedom and leave the decentralization aspect of it, and it's not easy. I mentioned we use intermediaries because at the Commission we are not fully equipped. But at the moment that we have the instrument, it makes sense to start reflecting in a more strategic way: should we have in Europe an open source operating system for devices, for smartphones? Should we have a browser in Europe? Yes, no? Should we think about hardware in Europe? But all these questions can only come when, I believe, we have the instrument to address the community, because it's a leverage effect that is for us very important. And if we put ourselves a few years from now,
I believe the seed we are putting in with this amount of money I mentioned, which is not big, with all the contributors, with philanthropies, with partners, we can have in a few years from now the building blocks, trusted, open building blocks, that will allow business models to flourish and that will also allow users to have a more trusted experience with the internet. We have to keep in mind the evolution of AI, the intelligent bots, so brains that will work for us; the metaverse that will give an immersive experience that is close to reality; and web3 that will allow almost immediate transactions. So this combination can be very powerful, but at the same time we have to have the trusted tools that will allow us to do more. Thank you.

Okay, we're at time. So let's just hear very, very quickly from the rest of the panel, maybe one or two sentences. What are you optimistic about, Govind?

I'm seeing a lot of momentum around legislation and capital convening in both the US and Europe, and the fact that there are so many people sitting here at 5:30 p.m. listening to us. It's very hopeful.

Great. Emmy?

Yeah, likewise. Because of this panel, I think I'm optimistic, and this conference as well. I think there's a genuine willingness of all of us coming together to understand what incentives there are for all of us to be in this room, and those who are not in this room as well, to bring more people into the conversation. And I think that's the first step to better coordination and collaboration.

I'm very optimistic about the governments outside of Europe and America; not to say I'm not optimistic about the ones that are in, but the ones outside: Singapore, Korea, Japan, in South America, a lot of them are recognizing the need to invest in this systematically and recognize the role it's already playing in their own economies.

Thank you. I won't sum up in the interest of time. So please join me in thanking our amazing panelists for the panel.