Swapnil: Hi, this is your host Swapnil Bhartiya, and we are here at Open Source Summit in Bilbao, Spain. And today we have with us once again Mike Dolan, Senior Vice President and GM of Projects at the Linux Foundation. Mike, it's good to have you on the show again.

Mike: Glad to be here as well.

Swapnil: And today there are so many things to talk about, actually, but let's just talk about two major announcements, or two major things. One was the announcement about OpenTofu, a nice name there, and second is also the whole Cyber Resilience Act. I had a discussion with Gab yesterday, because this is kind of a concern for the community as well. So I would like you to pick which topic you want to start with. Let's start with the CRA, I guess. So first of all, let's explain... I mean, you have a legal background. So just talk about... let's talk about what it is and why the open source community is a bit concerned about it.

Mike: I mean, so the CRA doesn't require a legal background to understand what it's doing, you know. It's out there. Everybody can read it. I think any developer who reads this would say, "But that doesn't work. That's not how this works," and yet it's intentionally trying to regulate open source for better security. I... they had good intentions. The intention was, well, if we fix all the security issues up at the open source project level, then everybody downstream will have a perfectly secure code base that comes through the system. But unfortunately, that's not how it works. I mean, anybody who's worked on open source knows that people take modules or bits or pieces. There's different configuration challenges that can raise security issues, and there's a lot that goes into a product decision-making process where you decide how to use a specific upstream open source project. And the challenge is that developers in the upstream open source projects are not going to know exactly how downstream users might be using their code base at the end of the day. I mean, Linus is a great engineer.
He knows a lot about security. He runs one of the most secure open source projects on the planet. But if somebody goes and takes the Linux kernel and puts it into a nuclear submarine, he's not somebody who's doing functional safety testing or anything like that for that type of use case. But the CRA puts requirements on the developers at the upstream level, who maybe also don't have, you know, the access to resources that they need to do certain things for, say, nuclear submarine testing. So, you know, the challenge is you have a new regulation coming along. It was well-intentioned in terms of improving software security in Europe. Unfortunately, the construct at which they went about it was to place liability on the upstream developers, and there we have an issue, because developers are coming to an open source project giving a value exchange of, "Here is some code that I have, or my company is willing to contribute." And so either a company or developers are contributing code for free for anybody else in the world to use. They're only asking that you use it under the open source license, and pretty much every open source license says this is as-is. I'm not making any representation that it's good for what you're going to use it for, which in many cases they don't know what somebody else is going to use it for. And so if they can make that value exchange, they can say, "Here, take it. Let's work on this together. But I can't be liable for whatever you do with it." And the CRA upends that whole structure upon which open collaboration has just thrived over the last couple of decades. Which is kind of ironic, because Europe actually is a kind of hub for a lot of grassroots open source development. I mean, the kernel came from here. You know, the whole MySQL, you know, which is also Finnish. That also came from... a lot of other projects came from there, a lot of open source developers. They scratch their own itch. They create something just because they needed to solve their own problem.
They are not, you know, now Amazon, everybody is using their code base, but that's not how they started.

Swapnil: So it's kind of in conflict with the whole idea of open source, you know, I agree. So now the challenge is that... Are you... I mean, what are the solutions? Is it that you folks are going to work with the developers to enable them and provide them with resources? Or to work with the public sector to better understand how open source works? What is the solution?

Mike: Well, we've been trying to work with the public sector, and it's not just the Linux Foundation. The Eclipse Foundation, the Apache Software Foundation, a number of the open source foundations that everybody knows, OSI, others have been providing feedback directly to the European Commission when they were drafting the CRA and when there was an opportunity for them to take input from the open source community. I think the challenge is that the open source ecosystem was not usually at the table around regulations, and we were not consulted at the outset. They came up with their first drafts, and then they wanted to defend them. And, you know, that's part of their regulatory process, and I'm sure they get pushback on every regulation they try to pass. But when we look at the impact of this, it's on all software in Europe, because very little software today is not built using some open source componentry. And so it is a very high-impact type of regulation. Some of the terms of this regulation are just probably impossible for many people to comply with, being able to ship code with no known vulnerabilities, or whether it's, you know, having to report to ENISA any software vulnerability first, sometimes before the fix is available. I mean, what open source developer wants to go and tell all their users, "Hey, there's a massive vulnerability coming and, uh, we don't have a fix yet. Sorry." No, that's not how the open source community works.
They're actively addressing these security issues in the upstream projects. They want to publish a fix and then make sure everybody has a chance to update, because what is the point of telling people that there's an issue if there's no fix yet?

Swapnil: The Commission who came up with the CRA, are they, like, confusing vendors with open source developers? Because these are the kind of responsibilities... There are vendors who supply, as you said, the code for a nuclear submarine. That's their responsibility, not the responsibility of all of upstream.

Mike: In the feedback we got from them, they are very much focused on companies. They think that companies control open source projects in a way that they can just dictate, "Here's another security process you have to go through in order to comply with the CRA," which works for, you know... one of the organizations they reached out to, apparently, was the Mozilla Foundation. Well, Mozilla has a very different model from most open source projects. All or most of the developers work for Mozilla Corporation, and there is a Mozilla Foundation, but at the heart they have a core engineering team that can build engineering practices in place. But most open source projects are not run like Mozilla. They don't have the funding of Mozilla. They don't have those resources. And so the challenge is, how does a community where maybe somebody's doing it... maybe they work for a company.
Maybe they have the company's blessing. Maybe they're doing it on their own time. But there are a lot of developers out there who are not doing this with a, you know, billion-dollar company's seal of approval behind them and all the resources they need to implement security practices. So that is a massive challenge for the CRA. What it is putting on the upstream developer community is something where we're already dealing with overstressed maintainers, and maintainers who are having, you know, needs where, as their projects grow and get adopted, they have more and more stresses. And to throw this type of regulation on their laps and say, "You're also responsible for this," is just... it's offensive to some.

Swapnil: As you said, you know, you folks are also working with other foundations. Can you just give us a quick, you know, what you have achieved so far, or what you're working on, or what you see might be kind of... to end this, you know, kind of deadlock there?

Mike: I mean, with the other foundations, we've had a good collaboration. We work with OpenForum Europe and a number of organizations to get some common messaging so that we're not looking like we're fragmented in our communications, either at the Commission or Parliament or any others. And so we've been doing that. I think at this point now we're out talking to the companies that are major economic factors for the European Union and helping them understand why this is an issue. And I think a big challenge that we ran into is that in the companies, when the CRA was being proposed, it went through their regulatory and policy contacts. They didn't know about the open source implications.
They didn't understand this is an open source issue, and there wasn't really always an open source group that they had to go consult. And so for many of the companies we've been talking to, this is the first time the open source group is dealing with the public policy group. And so there weren't natural internal connections about this where they could help elevate the concerns. But when we do get to somebody at, like, a CTO level, it's immediately obvious to them what the issues are, and so they get fired up, and now we're trying to figure out how do we channel, you know, their energy and their comments back into the process. But at this point they've been pushing the process as fast as they can, and so it's really hard to take the time to slow things down to say, "Hey, what should this look like, and how can we adjust it to be appropriate?"

Swapnil: Thanks for talking about that. Hopefully these issues will be resolved in a given time. Otherwise it's going to be a big crisis. Now let's talk about another topic, which is OpenTofu. So talk a bit about the whole, like, idea behind OpenTofu, because I have not seen the Linux Foundation, you know, getting involved, but this is also critical to the larger community, because there are a lot of projects that the community relies on. So someone has to take, you know, a step there.
So talk about the whole idea behind OpenTofu.

Mike: Yeah, the idea behind OpenTofu is simple. You have a platform technology that has been disseminated for years out throughout the ecosystem, has been built into other products and solutions. Many of our open source projects have dependencies on it. And it's not necessarily the thing that everybody wants or needs to pay for. It was just a solution that was available at the time under an appropriate license for adopting into your dependency tree. And so a number of companies, open source projects, developers started relying on Terraform as their option for, you know, infrastructure as code, and so it became pervasive in many ways because of the license. If the license had been a business source license at the beginning, none of these organizations or open source projects would have adopted it like they did. They would have treated it like the commercial product that that license aligns to. And so in that case, we have a lot of developers who are angry about this situation. They're angry. They, you know, made a decision to take a dependency on this project, and then now their executive chain is having to deal with the ramifications of that, and it puts pressure on them internally. So there's a number of people who are looking for an outlet, and, you know, the classic, you know, model that, you know, allows users of open source licensed software to shape their own course is the ability to fork. And we have dealt with some forks before. Like, Node.js had, you know, some forks, and others in our ecosystem that we've worked with have had forks over time. But, um, this is a unique situation.
We're dealing with... we have venture capital-backed companies who own the code base, who are able to re-license in such a way that they can sow a field with all of these instances and then come back years later, change the terms on that license, and make this now a different value exchange than what everybody else was expecting. And some companies may be fine with that. Some developers may be okay with that. But there's a lot who aren't. And so it was no surprise to us that, you know, right away they announced opentf.org, which eventually became OpenTofu. And so OpenTofu is now a place where people who do want to have a say in where this technology goes in the future, and do so under a reasonable open source license, can come together and work on it together.

Swapnil: We have been seeing this disturbing trend. But with the creation of OpenTofu, you know, it's also sending a message, and that message is not, I see, for the corporates, the creators, but for the user community, because we tend to forget that we are serving the consumers, consumers who are using these open source code bases, through the solution companies. Those are the... I mean, that's what we are serving. So talk a bit about, first of all, how worried you are about this trend of companies changing the license. At the same time, with this creation, are you also sending out a message that, no, the community will be taken care of?

Mike: To take your question in reverse order, I think the community has spoken. You have end users like Allianz, who was on stage today talking about, you know, OpenTofu and their plans, and the end users are coming forward and saying, "This is not what we expected. This is not the value exchange we signed up for when we took a dependency on this, and we're going to go in a different direction." And I think that is a natural response. In terms of, you know, where this, you know, all starts, or is a trend, I think we've seen a trend of this out of the venture capital community mostly. Um, and that's where a lot of these
business source licenses and others started, was, how do we, you know, get to the next level of revenue growth? And it's one thing to be a couple-hundred-million-dollar-a-year company. Maybe they want to be a billion-dollar company, and by changing the terms we can suddenly juice the revenues for a little bit. I don't know if that will long-term work out for them. Um, I wish all the companies who do this the best. I'm not... I don't... I'm not antagonistic towards them. But they shouldn't be surprised when they change the value equation with their end users and developer communities that they may not go along with that, and that may not be what they signed up for. And so what we'll see is, we'll see, you know, options out there on the market. And I've never seen it be bad for options to exist. If you want to go with an open source licensed option, here's your path. If you want to go with the commercially supported option that, you know, follows the original path, you know, there's another path there. So I'm not sure how this will play out. Um, you know, certainly we've seen this play out in other ecosystems, but I think each one plays out differently. Another aspect of this situation is that the promise of the open source license that users started using this under is something that's known to them. And I think one of the risks is if we let organizations start to change the meaning of open source. And the companies who have made this switch have built their companies calling them open source companies, open source products, open source this and that, in their marketing. It's in their materials.
They're at open source conferences saying the same. Now suddenly they're not open source anymore, and how do we deal with that and make sure that we retain the core definition of what is open source and not let that get, uh, muddled? And I think OSI has been doing a great job holding the line on that, and I don't expect any difference from them on that position. But there are reasons why decades ago people said this is what open and free software is, and these are the definitions that we're going to follow. And it's not something that should change every year based on some company's revenue cycle.

Swapnil: Since we are talking about open source, and sometimes, you know, the term open source or open doesn't actually mean open, that... and I'm heading to AI, generative AI, you know. And you folks, you know, I was talking to Gab, you are making some announcements here as well in terms of, you know, the... So talk a bit about what work we can expect from the Linux Foundation in the context of AI, generative AI, and open source.

Mike: The Linux Foundation, we are not the ones who create projects. We're not the innovators out there. There's developers.
There's data scientists who are truly pushing the envelope on what we can do from an innovation perspective. And from the Linux Foundation, what we expect is that... we've already been in discussion with a number of them. They are building communities around these AI, generative AI models, whether they be large language models or even specialized models or foundational models. And I think the moment that they want to collaborate at scale is when they generally come talk to us. And their issue is, "We need to put some governance around how we're making decisions around this, and it's getting to be too big. We need to figure out how to structure things appropriately." And that's generally where we get involved. We're also a neutral home where maybe one company started a model, but maybe they perceive that they're limited in the growth and adoption of that model because it's owned by one company. And so I think the same drivers of what drives open source projects to come to a foundation will be value propositions for generative AI communities. Um, it may not be that we need to be the home to own all of the data or all of, you know, some aspect of it, but there is a collaborative element going on. You know, there's a project that we're talking to right now. They have 1,500 people on their Discord channel. This is a big collaboration for them, and they need to figure out, how do we support and sustain that? And by the way, that's just in a year. What's it going to look like next year, the year after, in terms of the scale of these communities and the ability to support everything that needs to get done? I'd say the third aspect of why they're talking to us is we have a lot of developers and data scientists who are hungry for access to GPU resources.
GPU resources are going to take companies or financial funding that, you know, are sustainable, and they're looking at how can we potentially provide access to GPU resources as another option.

Swapnil: We are here once again in, you know, Europe. It's been... last year Linux Foundation Europe was announced in Dublin. So talk a bit about, you know, in this one year, how much progress you folks have made. I talked to Gab as well, but I want to hear from your perspective also, because there are a lot of local problems, CRA is one example, that you folks can solve. At the same time, a lot of grassroots open source development happens in Europe. So talk about, you know, the... yeah.

Mike: I think Linux Foundation Europe has been a tremendous proof point that open collaboration is truly permeating society. What Linux Foundation Europe member companies are working on are issues that are specific to Europe and that are challenges that Europe is trying to work through. And what it has done is it's brought collective people who are from different industries, in many cases wallets and payments and, you know, telecommunications, you know, things that may have some open source elements to them already, but, um, at a strategic level were never, you know, designed for that. And now we've got regional-specific open source challenges that they want to work on, and so it's a great opportunity to bring people together and work on those issues. We did not anticipate the CRA. So Linux Foundation Europe was not set up to do policy work or, you know, any sort of elements like that, but it was there at the time to be able to assist. And so it's a good opportunity for a number of those community members who are in Europe to get together, talk about what the issues are with the CRA, figure out what is the best path forward, and it provides a forum for them to do that.

Swapnil: When I look at Europe, you know, the public sector is very much active in open source.
So I was telling Gab that, you know, getting involved with the public sector is going to be a crucial, you know, part of the work that you folks do here. So can you also talk about the involvement, engagement? I'm not talking about the CRA, but in general, because there are a lot of policies around the adoption of open source, you know. In some cases they have the whole Joinup there. Europe is there. A lot of work is going on in the open source space in Europe.

Mike: One of the surprising things is that open source in Europe has been kind of synonymous in terms of software, and it has always been strong. The European Commission and the European Union have been strong proponents of open source solutions. It levels the playing field. It gives everybody, you know, the ability to create their own solutions, and it enables the small and medium enterprise ecosystem. What is surprising about the CRA is that none of the people who know about open source were consulted in the process. And so a software regulation was developed without input from the people in the European Union who actually know about how open source and software is developed and built, who could have shaped this into something that would have been more impactful. We also engage with other countries and their leadership and their governments, and we get asked questions. Um, but they approach things very differently.
So in the United States, they're looking at software security, software supply chain security. They've done executive orders and everything else, in the same way that the European Union is, at, you know, a strategic level, trying to help bring better security to open source and to software. The United States approached it very differently, because they brought the experts in open source and software to the table and asked them, "How can we best effect the change we want?" and took their feedback and built programs, structures, based on input from the experts in the field. In Europe we have it completely reversed, where policy, regulatory people who are used to assigning liability to industries every single day went and did it the way they do it in other industries or other contexts. But it just doesn't work for open source software, because this is not single-company derived. It's collaboratively built. It's not just companies building it. You have academics, developers, individuals, you know, a very large ecosystem involved in the creation of this public good that is available to everyone, but it's available under the open source terms.

Swapnil: Since we are talking about the contrast, the way the policymakers in Europe versus, you know, the US work, talk about the recent, you know, work that you folks did with the government.

Mike: What the US government has done is engaged people in the field, in the industry, who are doing the actual work, and their goal is to better learn how they can support a process that leads to a better security outcome. And so years ago they started talking to people in the field in some of our projects about things like software bills of materials, and they got the idea of, "Oh, SPDX. This is how we have transparency of what software is coming through the supply chain." And that was the lead-up of years of learning and education and meetings and showing up in our communities to understand how software bills of materials work.
How would we potentially put this into effect for our government's procurement of software, and use the government as a way to help disseminate the practice of doing software bills of materials? And so this is a years-long investment that they have made. Um, it has survived administrations. It is something that I think, you know, is a way that is effective, because the regulations they're coming out with are not any less impactful. It's that they're more targeted to what actually works.

Swapnil: Mike, once again, thank you so much for taking time out, sitting down with me and talking about these topics. And I would love to chat with you again. Thank you.

Mike: Yeah, thanks for having me. I appreciate