So we're here at the Nextcloud Conference. You might hear a little background noise of bees buzzing around. And I'm here with Simon Phipps. Simon, you gave a really, really interesting keynote. If you had to introduce yourself to the listeners and those watching, how would you do that? What would you say?

So I'm currently training to be a grandfather. And I'm doing that from a base of having worked in the technology industry for nearly 50 years. And most recently, the last 15 years, I've been involved extensively with the Open Source Initiative as its president and now as one of its staff. And prior to that, I worked for big evil technology companies. And I've previously worked on helping to start IBM's Java business. And I was Sun Microsystems' chief open source officer. So I open sourced Java and Solaris and a range of other things before Oracle bought the company and changed things. One of the exciting things about where I've been working over all these years is you never know what's going to be consequential. It all just seems like a job. And so it always seems weird for people to be grateful for anything because I just went into work and did work. Well, you need to have a view of the world that you are adhering to. So most of what I've done over the last 25 years or so, I've been convinced that humanity as a whole needs to have sovereignty over its actions and the information about itself. And that people need to be self-sovereign in software and in data. And so I've tended to do things that lead to greater agency and self-sovereignty for individuals. And I've tended to avoid things that diminish self-sovereignty and agency for people. And by doing that, it's kind of accidentally led me into things that have been more consequential.

Now, we've celebrated some of your successes in those areas, but would you consider that you've had success or that you've achieved the goals and the dreams that you've hoped to because you're still working at this?
And so is it that there are new problems or that the problem is just so massive that it takes generations, perhaps?

Well, so I've done quite a few things that I'm pleased to have been involved in. I think that getting Java started was a good thing. I think that getting Java open source was an even better thing. I think that helping OSI transform from being a very minimalistic, self-bored, propelled organization into being a member organization was a good thing to have done. At the moment, I'm mostly working on public policy for OSI. And that was a new departure in many ways. It started in 2017 as a result of being invited to an ITU meeting in Seattle. And I realized there was a massive problem, both with the way that some legacy corporations were attempting to manipulate the market, and also in the way that legislators were responding to that attempt at manipulation. And so gradually, that has become almost everything that I do is to work on understanding who is trying to exert influence, how they're trying to do it, and how we can maintain the agency and self-sovereignty of individuals over their devices in the midst of all that.

Well, I'm curious to dive in a little bit more about that influence and how it is shaped in certain ways. Your talk that you gave, your keynote, talked a lot about problematic legislation and a host of seemingly unknown problems with the approach. Could you give us maybe a quick tour of that?

OK, so the European Commission over the last few years has decided to embark on what it describes as its digital agenda. And as a result of that, has put significant amounts of new legislation onto the books. And at the moment, we are swimming in a river of draft legislation, which is working through the legislative process. Quite a lot of that involves software and digital devices. And the way that it's been framed means that it doesn't really understand the collateral impacts that it's having on open source software.
There isn't any malice involved by the legislators. There might be some suspicious briefing going on from one or two parties. But on the whole, it's simply a matter of the parties not being aware of the entire universe of open source software. And so in the talk today, I suggested that's because of the view that they have of the world, that they see the world as corporations making things, labor forces staffing those corporations, and then citizens being consumers of their products. And open source is much more complex than that. Individuals within open source play multiple roles. They can be the party funding. They can be the party implementing. They can be adapting someone else's work. They can be distributing somebody else's work. They can be using somebody else's work. And a single individual may play multiple of those roles. And the legislators don't really have any view of the world that allows them to deal with what I term the fourth sector. So the first three sectors are economic or corporate. They are the labor and workforce. And they are civil society and citizens. And then the fourth sector is the commons-based peer production and the individuals who engage in it globally. And the commission doesn't really have any understanding that that world even exists. And consequently, as they've been framing all this legislation, they haven't consulted anyone from that world. And so as a consequence, they've naturally accidentally harmed that world in the way they've framed the legislation.

Because it's an unknowing blind spot that there's no intention there, but of course there is. And I would imagine software is not the only place where those blind spots can show up.

I think it's very likely that there's other blind spots in there. And it isn't a complete blind spot. So the gentleman who wrote the Cyber Resilience Act, for example, was quite well aware that open source software existed. And he believed that he had protected it.
So he actually came to FOSDEM this year and stood up at the front and told the audience of FOSDEM that the Cyber Resilience Act and the Product Liability Directive have exempted open source. And he stood in front of people and said that. And then when you read the act, you discover, well, they sort of do, but they don't. Because the way that he understood open source software was he believed you could distinguish between commercial and non-commercial open source, which is absolutely not the case. Open source does not have any inherent commerciality or lack of it. It is something that can be used in the conduct of commerce and all open source can be used in the conduct of commerce. So the software itself doesn't have any inherent commerciality or lack of commerciality. And so that very framing is what's led to the collateral damage in the CRA.

And so assuming the CRA passes exactly how it is, what kind of collateral damage would you see or are you worried about, really?

There's really two classes of collateral damage from it that I'm worried about. One of them is of the developers in a community like Nextcloud being treated as if they are the commercial party placing the software on the market and consequently becoming responsible for all of the certification, the audit documentation that is associated with putting a CE mark on the software, which is, putting a CE mark on the software is a very reasonable mechanism for the CRA to use, but it should only be the responsibility of compensated commercial parties. It should not be associated with, the commerciality is an attribute of the party placing it on the market, not of the software being placed on the market. And so I think that will be one impact is plausibly developers will become responsible for the integrity of the software that's being placed on the market. Second problem is that the bill requires developers to report exploitable vulnerabilities to the national authorities in their country.
And so this would require Nextcloud developers who are resident in Germany to report any defects that they discover to the German cyber security authority. And I can see that being something that they would be very cautious about doing, because in open source development typically you don't tell anybody when you detect a vulnerability until you've fixed it. And so having some party that you legally must tell will go against everybody's instincts and practices. And the best results for everyone.

It kind of undermines decades of disclosing vulnerabilities and working with them. So it's just another example of the complexity of building software as massive communities collaborating together. Have you seen that kind of way of building software change from when, for instance, you started being involved? And today I would imagine it's even more complex. Can you explore that a little?

I can try. So I think that open source has gone through. So open source is actually 25 years old this year and the concept of free software is 40 years old this year. I think actually this weekend it's 40 years old. And in the earliest years of free software and open source software it was very much an individual endeavor. You expected the people involved to be using the software they're working on. You expected all the people involved to be people like that who are collaborating over software. And as open source software has become more and more a part of the way software is developed, more and more people that are involved are being paid to work on it directly. And some projects are arising which are the fruits of a single company. And that leads to a different dynamic in communities. As I look across the open source community I can see examples of all of those epochs of open source still current and active.
And so it's much harder today to make a single statement that's true about the open source community than it was, say, in 2004, when it was, you were fairly clear when you talked about an open source community that you were talking about individuals basically involved in a private endeavor. The examples that weren't that were things like MySQL, but pretty much everything else was individuals working on it for their own personal reasons. Sometimes they were commercial reasons, sometimes they were personal interest reasons, but it was quite unusual then to have large corporations with large bodies of programmers who were only doing it because they were being paid to do it as a day job.

And so that brings me to the question: how do you feel about that change? How it's been adopted more so by business? Is that a good thing? Do you see that as beneficial for society in general?

I think it's a very mixed blessing. I remember about six years ago being with some of the earliest individuals involved in the free software movement saying how much they regretted that corporations had got involved in free software and how they wish they could go back and not have that happen. I tend to believe that simply having software under free and open source software licenses is an inherent good. And so I do feel that having companies involved is probably a net good for society as a whole. I feel that the things we should be striving for now are not just about the software. I think we need to be striving to have a society where individuals maintain their agency. And I think that is the biggest problem we face at the moment is agency being removed from individuals both by corporate surveillance and also by government action. I think agency is the biggest problem and I think agency is the big deal. I also think that people's self-sovereignty over software is a very important thing. And I don't think that actually free software and open source software automatically gives you either of those things.
But it can. It's necessary but not sufficient, I think, is the way to put it.

So what would you package with it then to attempt to solve some of those issues?

So one of the... At a purely mechanical level I think that making sure that the ownership of software copyright is distributed is a great source of good. So I'm a strong opponent these days of copyright assignment. I don't think any software developer should sign a copyright assignment agreement if they can possibly avoid it. And I also think that people should avoid signing broad copyright licensing agreements like the Apache CLA. Certainly an Apache licensed project that is in corporate ownership, you should never sign the CLA because you're just giving your labour to somebody else to exploit. I think that distributed ownership tends to lead to better outcomes than concentrated ownership. But I think that we're very much at a turning point at the moment because of AI. I think that statistical models and large language models are leading us to a place where I don't think we know what is sufficient to guarantee the self-sovereignty of people in their devices or the agency of individuals over their personal information and the decisions they make in their lives. I think that's one of the things OSI is doing at the moment is we're running a process to investigate what an open AI would actually look like and what we mean by open source AI, because it's not a defined term at the moment. It's something that sounds good and people are hiding behind it in their marketing activities, but in terms of what it really means we're very keen to define that, and I want to see that being defined in terms of agency and self-sovereignty.

Given your experience, how long do you think it will take to come up with that definition to a point where it's usable and effective?
I think OSI's process has been running all year and I think there's a good chance that we'll have a draft of a description of what leads to a self-sovereignty agency protecting AI sometime in the, maybe in the second quarter of 2024. We've got to the point where we're running workshops for people who think they know what the answer is, and we're going to listen to lots of people's expression of what the answer is and get those people to come together and begin to draft a statement of what an open source AI would look like and mean.

Fascinating. Thank you for exploring that. You mentioned the Nextcloud community earlier and some of the potential issues that some of this legislation might introduce for something like the Nextcloud community. I'm curious for you, why is Nextcloud important in this regard? You seem to enjoy the fact that Nextcloud has been doing some of these activities with fighting against Microsoft a little bit. But why are you a fan of Nextcloud? Why is it important in this realm that you really think is super important for society generally?

Nextcloud plays an important role because it is a genuinely open source platform on which it's possible to deliver open source solutions to individuals who are retaining their agency and self-sovereignty. The problem that you face with cloud solutions is running cloud solutions turns out to be complex and to be something that requires resources on a scale that individuals typically can't muster.
And so solutions like Nextcloud, and I think there's a couple of others out there as well, are really important because they provide a platform where individuals can enjoy their agency over what's happening, not find themselves surveilled by corporate controllers of the platform, have the liberty to install applications that are themselves open source applications that allow them to extend the scope of their agency and self-sovereignty into collaborative document authoring, into messaging on ActivityPub Mastodon-style networks, on photo collection editing. Without Nextcloud all of those things would happen in somebody's own space. And Nextcloud means you actually can engage in those activities. So fairly uniquely amongst open source projects, not only does it itself give you agency and self-sovereignty but it also gives you the freedom to have that software freedom in other domains, in photo archiving, in document editing and a whole raft of things. You've got a huge range of applications that can run inside Nextcloud.

Lovely. And you mentioned during your keynote that there are about 70 or so colleagues you're working with, having Jitsi conversations with on a monthly basis. But you also suggested that it might be important to have those kind of representatives in each large open source business that can contribute in a way. Can you explore that idea a little bit more for us?

Okay. So the way the open source community has responded to the Cyber Resilience Act is by self-organising on principles of segmentation. So rather than everybody trying to do the same work, taking a little piece of the work and, as it were, eating the elephant by making carpaccio, and that has resulted in us forming a very effective organisation which is an ad hoc organisation.
It's not incorporated, it's not even got a constant membership, it's very fluid, and it's meant that we've been able to go visit the co-legislators and offer them not lobbying in the interests of companies but rather education about the good or the potential harm that they might be doing. And that's worked because, as you just said, there's around about 70 organisations that have got someone with the time to attend a call once a month to make sure that they're aware of what's going on and to chip in in some way. I don't know if you know the story of stone soup, so they're able to put their fragments of vegetable or meat into the stone soup. And so we've been making stone soup around the CRA, and going forward we're going to more and more need to have activities that are making stone soup to correct the overreach or the errors in other legislation such as the AI Act or the AI Liability Act. And in order to do that, one of the things that has to happen is open source communities need to join representative organisations. So obviously I'm from OSI, so I would like your community to become an OSI affiliate or your company to become an OSI sponsor, because that will then allow me to include you in my activity that I'm doing on policy work. If you don't like OSI for some reason, Free Software Foundation Europe also has excellent policy work; they have a strong and experienced staff and we coordinate with them to make sure that we're not conflicted with each other, so we're able to extend the range that we're doing. In Germany there's the Open Source Business Alliance; businesses based in German speaking countries should join the Open Source Business Alliance and strengthen its voice. It's just done some very effective lobbying. There's a European scale organisation called OpenForum Europe that you can join or join as a community member, in joining in with any of those a pool of chefs making stone soup and provide a valuable workforce to make sure that the fourth sector, the people who play
multiple roles individually at scale, are able to affect legislation.

So let's imagine for a moment that all of these efforts succeed, that we get legislation that does represent more accurately the way that open source software is produced and our communities and the way that they function. How do you make sure that down the road the decisions that are made, procurement, I don't know, within government, how does that, how do you make sure that it's all working the way that's intended in writing versus what's happening on the ground?

So that is challenging, and the public procurement part has traditionally been a big problem for open source, because there are several countries in Europe that have open first policies on public procurement, and I won't name any particular countries, but in some of those countries it has had absolutely no effect whatsoever; in some countries it has had a limited effect. There is a piece of legislation that is in the digital agenda raft called the Interoperable Europe Act which I believe is likely to make a very positive contribution by, instead of mandating open first procurement, what it does is it mandates cross border interoperability. And practically, cross border interoperability is much more easily achieved by either using or forming open source communities so that there is shared code. And I think that it's possible that the Interoperable Europe Act is going to make a big difference to public procurement by incenting organizations to do it, not because it will save them money and not because it will somehow give them sovereignty over their software, because most public authorities don't want sovereignty over their software, they want to outsource it, but instead it will give them a motivation because they will, to be compliant with the Interoperable Europe Act, they will need to be interoperable across borders. And the only real way to coordinate that, you can't tell your commercial outsourcer you want to do that, the only way to do it is to use a common
community of code with the other countries in Europe. So I think that's going to make a, I hope that's going to make a big difference. FSFE are working on that act; they have a full time member of staff trying to make sure that Interoperable Europe Act does good things.

That's amazing. Are there other organizations that you think are important in this regard?

Um, it probably wouldn't be right to try and make a comprehensive list because there's quite a lot of organizations involved. I think that's actually a good thing, isn't it? I'm routinely working at the moment with NLnet Labs, I routinely work with Eclipse Foundation, I routinely work with some folk from French free software organizations, I routinely collaborate with FSFE. All of those organizations are doing essential work, but there are more than that. There's about 20 people that attend our weekly meetings and I can't even begin to remember where they're all from.

I'm curious from your perspective, because you've been in the game for a few years now, I mean, the likes of Microsoft and Google for instance really embrace open source. How does that make you feel? Does it worry you? Where does it lead us? Do we need to change something there?

So I'm really very happy about the way that's happened with Microsoft. Microsoft did actually use open source long before they made commitments to it. The commitments they made to it were essential for their Azure cloud product to embrace and accommodate open source, and the rest of the corporation didn't necessarily all run along behind happily. I think they've now reached a stage where the attitude of GitHub is much more representative of Microsoft, and I don't generally regard Microsoft as one of our most pressing problems. Generally they're a solution to problems these days. Google is completely based on consuming open source software. They've done pretty good work in supporting open source projects. There are other companies I'm far more concerned about than
Google search hours. It's the companies that are involved in the telecom sector who are dependent on standard essential patents for their revenues and are facing a world where the things that they're working with are much more from a world where patents are not tolerated. And there is a growing tension between those companies and the open source world as they realize they're going to need to use software, and if they need to use software they can use open source software, and yet open source licenses make it impossible for them to operate their rent seeking standard essential patent model. And so I'm much more concerned about their actions both behind the scenes and in public than I am by the actions of the usual suspects. It's interesting in many ways because you come to open source events and people are very worried about Microsoft and Google, and honestly they're not the companies I worry about anymore. I'm much more concerned about the telecom sector and the consumer electronics sector.

Fascinating. And so do you see, there's a lot of enthusiasm around asking hard questions to the typical, the big five that are typically asked about here. Do you see those hard questions also being asked of these telecom services and others that are sort of hiding in the shadows?

No, I haven't really seen people treating them with the concern that they deserve so far, and I would like to see a lot more difficult questions asked when those companies claim to be fans of open source. Because while I have my questions about GitHub and would prefer a decentralized model, and while there are pockets of Microsoft's business that's still concerned, I'm much more concerned about handset manufacturers and network equipment manufacturers and particularly the patent holders from the institutes whose codecs and other software artifacts they're implementing. Those are the companies that concern me much more, because I think that they, to protect their revenue streams, they need to extend their patent monetization
activities into the software realm, and they're not at all welcome here. The idea of one of those companies coming and seeking royalties from Nextcloud community members is positively anathemic, and it is a little bit of a surprise I don't see them being asked more hard questions, and it is a little bit of a surprise that I don't hear any of the names of those companies being mentioned when we talk about companies of concern to the community.

Really fascinating. Is there any other concept or idea that you'd like to share with us today?

So during the keynote I talked about a couple of concepts. One of them, I talked about the meshed society, which is a concept that I've been very interested in for about 15 years now. That's the concept of this layer of society where people are engaged in peer production, where they're engaged in one-on-one interaction at scale, and I think that concept is a concept I'd like to see more people exploring and being concrete about. And I've talked here about the fourth sector, about the people who make up that meshed society and their need for representation. Those are the two main concepts that we've been talking about here today.

Lovely, well thank you for sharing your insights. I'm curious, this is a Nextcloud conference, you're part of this community. What would you say to others who are thinking of coming to the Nextcloud conference?

This is a great crowd of people who are very engaging and engaged, and I think the people would discover that they were at home here if they were to come along to the conference next year. Just looking around, you probably can't see it very well in the video, but we're in a slightly grungy warehouse which appears to be a maker space for 3D, for absolutely enormous 3D printers and laser CNCs and things, and I want to come play here out of hours really. So if this is where you're holding the conference next year, maybe you could arrange for a maker evening as well.

Sounds like a great idea. Well Simon, thank you for joining us, for
sharing your insights and just having conversations with all of us. We really appreciate it.

Thank you for inviting me, it's been a pleasure to come along.