Thank you everyone for having us here. I hope you're enjoying the summit as much as I do, and as much as we do. Today we have a very diverse panel, and I thank all the panelists for joining us today. I guess we will start with a little round of introductions, given the diversity of the panel. So let's start with the other end of the stage. If you want to introduce yourself, Adriana.

Thank you. Hello everyone. My name is Adriana Groh. I'm the co-founder of the Sovereign Tech Fund in Germany. Is that enough, or should I give my little speech now?

No, that's... so can you talk a little bit about the organization you're representing today? What is your expertise in the domain, or your interest in open source security?

Okay, here comes my little speech. I think I'm maybe a little bit the odd one out. My background is not in tech or security, although I'm running a tech fund. My background is in public policy and governance, so I started from the question: who gets to decide the future, and how do we shape it? And that led me to open source software. I think in this audience people may be able to trace my line of thinking from that end to this end; in other cases I need to explain it. But of course, and also listening to what Thomas just said, how we develop, design and use technology has a massive impact on our future, our economy, our society, and with the Sovereign Tech Fund we want to give a digital update, I'd say, to how we think about the foundations of how our society works. We want to invest in open digital base technologies with the Sovereign Tech Fund. That means digital infrastructures, protocols, libraries, standards, software that developers use to develop software, because that's what innovation, services, products, and also what we can do as an administration or a society, relies on. And it's not in the best shape right now. It's communities that take care of it, mostly.
It's some companies investing, and we believe that it's also a job where we should invest public money in the public's interest, to make sure it works. Thank you so much for now. I'd say over to you.

Thank you. Thank you for having me here. It's Sven Herpig. I'm running the cyber security policy and resilience program at the German tech policy think tank Stiftung Neue Verantwortung, and I really hope I don't waste your time. I'm super new to the field of open source, so bear with me and call me out if something I'm saying is wrong. We're coming from a cyber security policy background especially, and even more niche, from the question of what the government's role is in that. In that regard, we just launched a project last year, which is hopefully why I'm here, to figure out better what, if anything, could be the government's role in fostering IT security of open-source software. Even more detailed, if you want: we're looking at creating a blueprint, and blueprints were mentioned earlier in one of the panels, for national governments, European governments and others, of how you can design an open-source program office which is government-led, government-coordinated, whatever, and more focused on IT security. So of course we want to look at the OSPO model that has been established, and we want to dig down on how that can look if we get it more to the operational level and more to the security level, and how we can integrate it vertically and horizontally into the cybersecurity architecture of the different governments, and how it can support policy interventions and help make regulation and policies less bad and more understanding of the open-source ecosystem and how it is married to the cyber security ecosystem.

Hello everybody, my name is Georg Kunz.
I'm working in the open-source program office of Ericsson, and my colleagues and I are therefore responsible for setting the policies and strategies in terms of how we work with open-source software and how we act in the open-source ecosystem. I'm however a developer by background, so I've been active in various open-source initiatives and forums and projects over the last 10 years, and very recently I focused more on the security aspects, following the OpenSSF, the Linux Foundation project focusing specifically on securing the open-source ecosystem. Obviously my interest in this conversation is that, from an Ericsson perspective, our products are built to end up in critical infrastructure, and as such security has always been of, let's say, great importance to us. From that perspective, I as a developer and as an Ericsson representative very much welcome the initiatives that we see here, at least the intentions of really now putting money and things into practice to improve open-source security. In terms of regulation, of course, I'm really happy to be part of the conversations, because I think there are some quirks that still need to be sorted out, but it's good to have those conversations. I'm really looking forward to this panel and to talking to you later on.

Thank you, Georg.

So I'm Stefano Zacchiroli; I go by Zack. By day I'm a professor of computer science at the Polytechnic Institute of Paris, and I teach and do research in cybersecurity and software engineering. By night I do not fight crime, but I'm a developer, I'm a geek. I've been a Debian developer for 15 years, I've been involved in the Open Source Initiative, and, more relevant for this panel today,
I'm co-founder and CTO of the Software Heritage project. What we do at Software Heritage is that we are a non-profit initiative in which we try to collect, archive for future generations, and make available for everyone all the source code we can find. We have already archived more than 200 million projects, and everyone can actually navigate and find their projects that have disappeared from their original hosting site, retrieve them, and analyze them for their own reasons. My interest for our conversation today is that I think there is an important discussion to be had about where information about vulnerabilities of open-source software is located, where it is stored, and what we can do to make it more easily accessible for everyone that actually wants to build services to improve the security of all the software that exists in the market.

Hi, I'm Rebecca Rumbul. I'm the CEO of the Rust Foundation. So I'm here because Rust is very sexy right now, and, you know, it's playing a really big part in a lot of the security conversations that are coming up now. I'm really interested to hear what other people have to say, and I'm also here to advocate for the role of foundations in trying to find good security solutions for the common good. I think it's really, really important to have lots of stakeholders in this conversation, and I think that foundations have a crucial role. So yeah, I'm obviously going to be advocating very strongly for that. But it's really nice actually to hear that there were other people here that are new to the space. I came in this morning; this is my first time at this conference, and it's really nice to see that it's the first time for other people as well. There are new faces here, so it's nice not to be the only one. And I think it's great that open source's influence, and its prominence in the policy world now, is getting so much attention. So this is really exciting for me. Thank you.
So I guess I'll say a word about me. I'm head of security at the Eclipse Foundation. The Eclipse Foundation is a European open source software foundation. Our vision is to be best in class in implementing the best practices in supply chain security, open source software supply chain security. We actually help our projects improve the security posture of their supply chain, and that's how I came in here, to talk about all the best practices.

So before talking about that: we are talking about open source security, but how exactly does it actually differ from standard or regular software security? Is there anything special, or can it be treated just like regular software? So maybe, Zack, you want to enter that.

So that's actually a very good question, because it's kind of polluting the discussion about the security of open source software. We need to avoid falling into the trap of it being an open source specific problem. Software security is a problem for all the software which is out there, and we're in a society where there is more and more software everywhere in our lives. The reason why we are talking specifically about the security of open source software is that there is so much of it in all the devices. There are a number of studies that have shown that essentially every single IT product on the market, be it pure software or mixed software and hardware, contains some bits and pieces of open source software. So naturally, given there is so much of the software out there, people are talking about its security. But if anything, if all other parameters are the same, open source software is actually more secure than the equivalent proprietary software, thanks to its inspectability: people can analyze it and actually find security issues, which helps developers fix them. So this is actually a good feature of open source software. The other good feature of open source software is that its license terms allow everyone to freely copy, reuse
and integrate it in your product, provided you respect the licensing terms, of course. That makes it possible to use open source software at a very, very large scale, and basically free and open source software is winning. The price to pay for this victory, to some extent, is that we need to worry more about the security of the software being developed than we were used to doing when open source software was entirely niche in the market.

That's a very good point. Rebecca, do you want to add to that?

Yeah, I think trying to make a distinction is kind of irrelevant. You know, security in software is security in software, and as everyone has kind of said here today, even commercial products are built up of various bits of open source. So really, the key is how can we kind of bake these things in at the development stage for open source developers and maintainers, rather than trying to kind of bolt security on at a later date. That has very much been the case historically; security hasn't really been baked into learning in computer science courses. It's not really been seen as a natural part of the process, or a part of the process that's kind of automated so it's easy. So we end up with components or products that are built of all these different things, and then someone tries to bolt on security at the end, which, you know, doesn't really work very well. So we need a new way of approaching it, and distracting ourselves by trying to define whether it's different or not,
I think it's, yeah, it's just a distraction.

Yeah, so it's definitely an industry-wide issue. So then, if security of open source software is not very different from security of non-open source software, why is there such a discussion around the regulations that are coming that don't treat open source software in a specific way, if the security of open source is not different? And then what are the risks actually for open source if we treat open source the same way as non-open source software? Maybe you want to talk about it.

Yeah, I'd like to first mention one more aspect to add on to the prior discussion, one more very interesting point that, again, is in line with showing that there's not much of a difference between open source and non-open source software. What we want to have at the end of the day are secure systems, right? And of course that starts with developing the software that will end up in those systems. But there are additional aspects that many of those of you who are involved in the security community are aware of, and that's: how do you operate a system? How do you configure a system? This comes on top, and it is completely irrespective of whether or not the software is open or closed. And this, I think, is also where regulation needs to take things into account as well: it's more than just whether the software was built in a certain fashion, or whether this artifact fulfills a certain quality mark. It's like, how is it used? How does it integrate into your bigger picture?
But then of course, as you asked, why is open source so much in focus right now? Well, I guess part of the reason is that, like one and a half years ago, we've seen one very famous example of a vulnerability in open-source software which, again going back to what I just said, is somewhere between a configuration issue and a design flaw, and caused a lot of headache in the community. Out of that, I think, the very good initiatives, the good intentions that we see, kind of started to emerge: that we want to now focus on open source software and securing it. And the openness of open source software provides not just the benefit of being able to inspect it, but I think it also creates the responsibility for everybody using it that one can proactively, or should proactively, work with the open source community to improve their security posture. And this again is one of those specific properties of open source software that makes it so great, because it can also spread the load across the industry to work on improving this common good that open source software has become.

Thank you. Then maybe, as a newcomer to the open source ecosystem, you may have a comment about that: how can policy improve the security of open source software, and how does it differ from regular cyber security?

Yeah, I think it has to find its role, in the sense that we have seen regulation, and not only legislation but also policies in general, which are targeting or taking into account the tech sector, especially if it pertains to cyber security, which is just plainly bad. And I don't believe that most of them are designed that way because of lobbyist efforts; they are just accidentally bad, because those that make the laws do not have an intrinsic knowledge of what they are regulating, because it's a complex issue, right?
And then what we end up with is something like, in this specific term now, the Cyber Resilience Act, and Martin mentioned that earlier, and I think also Eclipse put out a statement on why that's a problem. So we have two complex fields: cyber security, where we often get it wrong in the first instance when we look at policies and regulations, and then we bring that together with the open source ecosystem, which is also extremely complex, as far as I understand it right now. If we bring them together, there's huge room for making mistakes if you want to regulate it. So it looks very heavy-handed sometimes, but it might just be accidents, because those that are designing it and those they are consulting don't understand the complexity and what it actually means. So we have to inform policy makers better, and they have to take our advice on how to design the regulation, and they have to better understand the ecosystem. That's why I come back to the point of the open source program offices: because if I have that, then I should go there. I should ask: is what I'm doing, for the specific thing that you're doing, which is open source, good, bad or not, and how can we change it? And I shouldn't go there, have them say "no, it's not great", and then go away and keep it that way anyway, right? I mean, then I don't need that. So I have to be open to heed the advice. But first I have to create that point where I can go and ask: okay guys, you're not lobbying for anything, you're just there to tell us if that's gonna be really bad, because we want to have more security, and we all agree on that, but we don't want to stifle innovation. So we have to figure out something that works. We cannot say, well, this is open source,
so there's no regulation touching it; we want to make it more secure, but not with regulation or policy; they should just do what they're doing and we hope it gets better. But at the end of the day, we also don't want to just over-regulate it, and then we don't have innovation anymore, and the people who are doing it are afraid that they get sued in a court of law, and they say: okay, we're not gonna provide stuff to the European Union anymore, it's too complicated, the regulation is stupid. So we have to find a sweet spot there, and that starts with creating awareness, but not only; also having expertise and understanding somehow the complexity of these fields.

That's right. Thank you. So we were talking about regulations. Actually, in Europe we are also talking about digital sovereignty and the will of the European Union to reach digital sovereignty. Would improving the security of open source software be a way to gain digital sovereignty? So maybe Adriana, with the Sovereign Tech Fund, you may have a say about that.

Yes, I have so many thoughts coming from your discussion, but let me focus on this point first, because it's really important for us to explain a little how we understand digital sovereignty. In one of the earlier panels we also heard: if that framework of digital sovereignty means putting up a border, a digital border, around Europe, then that's not what we mean, and also not what we want. The term is, I think, disputed, especially also in the US; when we talk to partners in the US and we say digital sovereignty,
they're like... And then we say: actually, it's about choice, and it's not about saying those are the bad ones and those are the good ones. It's about making sure that everyone is in a position where you can act, and that means you need to make sure that you have no strong single dependency where, whoever it is, a single actor could just decide for you and you have no say. This is why we want to invest in an open-source ecosystem, in community, in many actors, so you have a vibrant ecosystem where everyone can make choices, you have innovation, but you also have security. So it's about individual choice for us, first and foremost, but of course it's also about choices for companies and governments, to extend it to that level as well. But it's not about us against them. It's not about protectionism, and it's not about putting up borders in the internet. No. And if we understand digital sovereignty as strengthening the foundation in open source, then I think this is also a push for security. I guess this is also why I'm on this panel here, because if we talk about regulation and policies and about how open source is more secure than proprietary software, we talk about theory, because in the end it always comes down to the people, right? And we need to put the people in a place where they can act. So we need the maintainers, the security researchers. We need people finding security flaws. We need people fixing them. We need people who have the capabilities to learn, to exchange, and for this I think it's crucial that we understand that we need more support, also sustainability, in the field. Coming back to what I said in the beginning, I think this should not just be up to private money and to the free time of people doing it out of passion. This should also be something that we understand as the public's job, to make sure it's there, because we all rely on it. And I think it's a really good idea to invest some public money into this, and not just money.
We need the money to incentivize developments, you know: more diversity in the field, more new people coming in, more open-source strategies between private actors and communities that are on eye level, more capacity building on the administration side. All of this has nothing to do with just giving somebody money; all of this is structural change. But we can fund structural change, or we try to. It's not easy, but we're learning. So yeah, that would be my take on your question.

Thank you. What would be the role of foundations in this digital sovereignty environment? What would the Rust Foundation provide in such an environment and for such a goal?

So I'm in complete agreement with pretty much everything you said there. And I think, you know, plurality is one of our biggest strengths in open-source: the sheer number of choices, the sheer availability of different views, different perspectives, different experiences and different sources of funding. Having a patchwork of support makes our software much stronger. Proprietary software tends to be quite brittle, in a way, because it is only narrowly supported. In terms of what foundations can do: I have been frustrated in the past by governments, not just in tech but in terms of all kinds of policy areas. There is a tendency that, oh, we can leave it to the market to solve this problem, or we'll just leave the market to its own devices and everything will be fine. This always leads to gaps, whether you're looking at countries where health care is privatized, or education, or all sorts of things. You end up with huge gaps that people and services fall between, and you have non-profits or volunteers picking up the slack.
We simply cannot afford to allow corporations in tech to monopolize security and our approach to securing the digital world. They have an enormously important part to play, and we're very lucky at the Rust Foundation to have the support of a lot of big tech organizations. But we can't leave it to them to decide: okay, don't worry guys, we'll take care of the security over here, and that company will take care of security over there, and between us it'll probably be okay. That's not okay. We don't know what's going on inside of those organizations, because security is a notoriously secretive subject; disclosure is difficult even amongst trusted people. So, you know, you need foundations, you need nonprofit actors, neutral actors who don't have shareholders to answer to, to be able to say: do you know what, for the common good, we're going to invest in this. These are initiatives that will help secure things better. Investing in education and good security awareness in computer science courses, these are things that are gonna help. So, yeah, I think where foundations come in, where companies can't and where governments can't, is actually being able to say: look, we work with the maintainers, we have the maintainers on our board of directors, we work with them every day, we know exactly where the pain points are, and actually we can direct that funding in a way that is not going to result in profit for one company or a distortion of the market in some way. We're here to make sure that the ecosystem is a good, safe, secure and fun place for everyone that wants to be involved.

Thank you. So securing open source is also securing access to the source code, because it's the main data behind open source. So what do you propose with the Software Heritage project?

So I think we are all aligned on the fact that digital sovereignty is not about borders, and that's a very good point.
I mean, I'm glad to hear that we are in alignment, but it also means not being false in the way we approach the security of the open source supply chain. So when it comes to what we can do to secure independent access to information that is relevant for the open source supply chain, there are a couple of elements that I want to raise here. There are two types of data which are essentially needed and useful for improving the state of open source security. The first kind of data is indeed source code. So we need to have access to the source code. Actually, quite a number of vulnerabilities in the open source supply chain in the past were related to the lack of availability of, or access to, specific components, or components that used to be available on some package manager repository disappeared, and that actually ended up breaking builds for a lot of people around the world. So as it happens, if you look at, let's say, the geopolitical angle of modern software development platforms, you will notice that a lot of those platforms are operated by actors which are not located in Europe: the main player in collaborative software development is located in the US, and you have other players located in Australia. And also a lot of the package manager repositories are actually operated by for-profit companies which are not European companies. So it's fine, they are for now offering their services to everyone in the world and giving European entities access to that data, but it's better to cover our bases. So essentially the first thing, in terms of digital sovereignty about access to open source code, is making sure we have independent access to that source code if something happens and, for whatever reason, we lose access to that information in the future.
So on this specific point, we at Software Heritage are archiving all the source code we can find, essentially everywhere in the world, and we're a European-based initiative, so the main copy of the archive is in France, but we have a number of mirrors that are being populated in other member states in Europe. So that's the first answer. And of course these are just copies that are located in Europe; they are not copies only for Europeans, they are open for everyone in the world, but they are in Europe, so as a first line of service they are available to every European citizen or entity. So that's the first type of data: guaranteeing access to the source code itself, which is needed to build products or also to analyze them to find and to fix vulnerabilities. The second type of data which matters a lot for improving the security of open source software is access to vulnerability information: the CVE databases, all the databases out there that offer information like: this specific version of an open source component is known, or has been reported, to be affected by this vulnerability;
this other version later on fixes the issue. So this information is available as open data right now, but again, it is for the most part curated and distributed and made available by entities which are not European entities. So I think that one of the next strategic priorities for the EU in this respect is making sure that this information is replicated, is copied, and is cross-referenced with all we know about open source software. Of course, I think it's something where Software Heritage can play a role, but more generally we need to think of independent access to vulnerability information about all the pieces of open source code that are out there.

Thank you, Zack. So yeah, we think about the data, the source code and the NVD databases and so on, but what we see also, for instance, from the Eclipse Foundation point of view, is that digital signatures are taking more and more importance in securing the supply chain of software. We see some projects, some initiatives, about providing digital signature services that are as easy to use as Let's Encrypt is for getting a web certificate very, very easily, but it's all run and operated by non-European companies. So probably having a similar infrastructure in Europe would be a way to gain a bit more sovereignty. So great, thank you.

My next question would be a bit more like a closing question: what would be the next step for all the stakeholders? So what would be the next step for the EU Parliament or EU governments,
the communities, the open source communities, and also the industries? Do we have a view on that?

Of course. For me, it's that we understand digital infrastructure, like roads and bridges, to be part of our digital common good that we need to sustain as the public, and so we have something like the Sovereign Tech Fund, but bigger and better, at the European level, and we make sure that our digital open ecosystem stays open, secure, accessible, participatory, as a foundation for our democracy and for companies as well.

Then, what's the big next step for the industry, for the communities?

I think I'll stick with my talking points about the government's role in it. Be it the European government that has already created an OSPO, or the national governments that started doing it, we need a point in the government that has both an understanding of the open source ecosystem and of cyber security, and all parties need to know that this point exists and how to approach it. There are two sides to that. If I'm a government agency planning some regulation, or just some policy, maybe I should know that I go to that place and I listen to these people, because they know what to do, right? And then I take it back and I include it. On the other point, if I'm, for example, a security researcher and I find a bug in an open source software and I don't want to track down who the maintainer is or who I can talk to, I should maybe also have the option of a government contact point where, if I just don't want to keep it to myself and I don't have time to figure it out, I just drop the bug there and I know that they take care of it, that it gets put into a coordinated vulnerability disclosure process, and whoever is responsible will get the information and can actually fix it. So this single point of contact for improving security in open source software must exist, and we must be aware of it, and it must be a very, very low threshold to contact that single point of contact, because otherwise it's
not good to just have it. It needs to be approachable, and we need to be aware of it. And I think that's where we need to go, at least from the government's perspective. And as an offer to the entire audience: I'm really super open, that's why I came here, to get your ideas on what kind of function it should be, what policy interventions it can do, and what you see the government, national governments, the European Parliament, actually doing in that term. And you can also tell me you don't see a role for them; that's also fine with me, but that's why I'm here.

Thank you. Georg?

Yes, I very much agree with what Sven just said. Point number one, really: in order to create regulation that has the right impact, it's important to understand the workings of open source and the workings of security. So yes, I would also recommend exactly the same: starting and facilitating these conversations with the industry, but also with the development community. Then, in terms of regulation, another thing. Honestly, really wearing my open source developer's hat, I would like to see, as was stated in the previous keynote, that we'll find a good definition that removes the open source ecosystem as such, as much as possible, from any regulatory burdens, and instead puts them on the companies, right? That's where it belongs. As a representative of one commercial entity here, I say: yeah, well, we'll take responsibility for the products anyway, so this is what should be regulated, in combination with creating the incentives, again, for the commercial players to go out there and try to improve the baseline security of the open source ecosystem. Those two things need to play together, but I'm a little bit concerned that putting too much burden on the communities will stifle innovation.
We've mentioned all of that; it will, I think, have a detrimental effect, and this is not where we really want to go. Let's let the right organizations take care of the responsibility. Then, yes, I already mentioned it: organizations should step up their game in terms of investing in the sustainability of the open source ecosystem, or try to understand how they can become a more valuable member, so that the sustainability of the open source ecosystem is not as strained as it currently is. We already know that there are issues, like maintainer burnout; that is really a thing. So it cannot be that either regulation or commercial organizations take this push for security and kind of translate it into more requirements on the developers. So again, that needs to come from the industry as well. And I think this is not just added cost from a European market perspective: learning how to become a proactive, collaborative and value-adding member of the overall open source software ecosystem, well, you gain competence, you know how to work with these things, it makes it easier for your R&D organizations to maintain the software that you're building, right? So there are benefits there as well, and I think that needs to be realized across the market, and then I think we are on a good track.

Thank you. So what would be the big next step for the... yeah?

So I want to propose this thought experiment to the people in the audience. Try to imagine, if you are a developer in your day-to-day job (and if you're not a developer, talk to developers that work with you or for you), try to go through your day, and every time you use a service, so something which is not running on your computer, try to check where that service is located, who is operating it, and what their business model is.
And then try to imagine a world in which not necessarily all of that is European and completely open in its data and software, but where at least you have an option to choose something else, which is not that specific service but another service implemented completely with open source software, operating only on open data. And ask yourself and ask your peers what it will take for us, for the open source community, to get from where we are right now to that place where you have those options. And I think that's the kind of mindset we need to have for, you know, the next ten years to improve the current state of affairs. And to your point, if we do that, as a side effect we will indeed increase the community in Europe and the business in Europe that works on these kinds of topics. That's just my concluding remark and proposal for an exercise for all of us.

Thanks for the exercise. Rebecca, any...?

It's like the creeping death. I'm last, which is why I've got to think of something original to say. I'm probably gonna say similar things to everyone else. I want two things specifically. I want harmonization of regulation. You know, open source is global, and I cannot be dealing with US regulations that say one thing and EU regulations that say another thing and UK regulations that say another thing, and that's only just, you know, three areas; we're not even going into Asia. So we really need at least some harmonization. Even if everyone's kind of going in the same direction and it's on the same scale, that's okay, but what we really, really can't deal with is different territories going off in different directions. It'll be utterly wretched for everyone and it will totally stifle innovation. Linked to that, what I really, really want to see, and what I'm really looking forward to in one of the later panels, is sustainable funding for this work to be done.
I'm fine with regulation. I think regulation is a great prompt to make people think about things meaningfully, and I think we should be doing that. But you've got to pay for it, you know. Open source has been done for free for too long anyway. The burden needs to fall on companies, on people who benefit, to actually pay for this work, because it's not going to do itself. And if you want good, safe, secure products, then, you know, put your hand in your pocket and make sure that those things are funded sustainably. Not, oh, here's some money for, like, 12 months, you know, great, we've solved security in 12 months, that's fine then. No, it needs to be an ongoing thing. Security has to keep happening; we need to keep doing it properly. It needs to be properly funded and it needs to be baked into the regulations. Thank you.

So, yeah, I agree with everything. What I would add is: do not put the burden of security on the shoulders of developers. It's definitely not something that they have time for or want to do. We need to sustain open source to be able to have services and be able to help developers think about security and do security, but without taking too much of their time.

Thank you very much to all the panelists today, and I'll leave you with Paula for the rest of the day. Thank you very much.
