For now, join me in welcoming our next speaker, Simon Phipps. Simon is a computer scientist. He's a web and open source advocate who likes to write about key topics around free and open source software. And today, Simon is here to discuss how legislators frequently overlook and fail to consult with the important fourth sector, which plays a vital role in the digital world. So let's get started with this enlightening talk. Simon on stage.

Well, good afternoon. It's lovely to be here in Berlin. I haven't been in Berlin for four years for some reason. And it is just the same as last time, it seems. So I'm going to talk to you about something which is not related to any specific piece of technology. And so this is your opportunity, if you want to, to have that deep nap that you need after all of those carbohydrates that you have just eaten. But if you, like me, have dosed up on Club Mate, then do join me on a little discussion about representation in legislation. Now, the first thing I have to tell you is that it's the 25th anniversary of the start of the open source movement. And so this is like the party tour. It's also, I think this weekend, the 40th anniversary of the start of the free software movement, of which the open source movement is an expression. So here's what we're going to talk about. The movement that we're all a part of is getting quite old now. I started working in it 24 years ago. And my hair was darker at that time. And I was thinner than I am now. And so quite a lot's changed. So I'm going to talk to you about that. I'm going to talk to you about a concept called the Mesh Society that leads on to talking about something called the fourth sector of society. I'm going to tell you what your political representatives in Brussels are up to at the moment. And that may interest you. 
And I'm going to suggest to you that what they're doing at the moment is going to cause collateral damage that may affect each of the people in the room if we don't take some action about it. OK, so now you can start sleeping. And we'll go into that talk. First of all, I'm going to give you the briefest possible of histories of open source software just to kind of get us started. In the beginning was the nerd. The nerd had code. And the code was open to all. And then corporations thought that creating artificial scarcity was a cool way to get rich and began to take away the source code. Some guy worked out how to stop that from happening. And thus was born digital self-sovereignty. Digital self-sovereignty is the phrase that I prefer to use so that I don't have to say free software, open source or software freedom, and then have an hour-long conversation with somebody who prefers using one of the other words. Because it turns out that we are a single movement. What divides us is really minimal. The main difference between the two main wings of our movement is that one prefers to focus on the objective, and one prefers to focus on the means. And that is really the root of all of the arguments. But you can discuss that with me maybe over coffee later. So open source is 25 years old. As the internet became ubiquitous, open source took the ideas from free software and pushed the idea into the mainstream by having a focus on using software freedom rather than just seeking the objective of software freedom. And so that's 40 years for the idea and then 25 years of practical mainstream. And the result is that the open source movement is now 25 years old. It's now old enough to buy drinks even in America. And that is everybody's definition of mature. And so we have tended to see that as things become mature, they become subject to regulation. So here's your first quiz. What's going to happen next? 
Yes, we are now beginning to see that software per se is about to get regulated. And with it, open source is about to get regulated. Exactly how we have got over 70 years into the software era without substantial regulation for liability in software is really very hard to fathom. I don't understand how we have got to here without having somebody regulate us in a significant way. But it's finally happening. Here's an overview of just what I am attempting to follow at the moment in the European scene. You might have heard about the Cyber Resilience Act up here. The Cyber Resilience Act seeks to make software that is made available on the market to the public, have a CE mark. And the CE mark certifies that the party putting the software on the market is not releasing known vulnerabilities and has processes that deal with emerging vulnerabilities. And there are some other things in there that are even more concerning about disclosing discovered vulnerabilities to the public authorities. And so a big group of people has gathered to try and make sure that the Cyber Resilience Act doesn't accidentally cause damage. Along with it, there's the Product Liability Directive. We already have a Product Liability Directive in Europe. So this is the update. And this PLD update extends public liability to software. So the Cyber Resilience Act makes you subject to market regulation by the market surveillance authorities, that's by your government, who will check that you are not doing anything harmful. The PLD makes you liable for damages to members of the general public who might be harmed by you failing to fix a vulnerability that then leads them into a place of harm. You can imagine that things could go wrong if the PLD frames open source software the wrong way. And then we've just seen the Digital Markets Act come out. That's going to force the gatekeeper companies like Apple and Microsoft and Google to open up to interoperability. 
So I think the DMA is a fantastic opportunity for NextCloud because it means that there will be a legal requirement that the software that controls the market at the moment interoperate with the elements within NextCloud. There is then the AI Act and a corresponding liability directive that goes with it. There is the Interoperable Europe Act, which makes European administrations have to buy software that interoperates across borders in Europe. So for example, you should be able, if you live in Germany, but you work in Poland, you should be able to pay your income taxes that should they become necessary in Poland using a German system. Or you should be able to tax vehicles from Poland that are driven in Germany. Or you should be able to get identity documentation that works in both countries equally. And so the Interoperable Europe Act is in play at the moment. There is a new standard essential patent regulation coming, which I believe is a great opportunity for the open source software movement to finally discover what traps have been laid for us in open standards, so-called open standards. That's a different talk, though. There's the Data Act. And then just this week, I received notification of a standards policy consultation opening, which means there's gonna be another directive coming probably in the spring about this. And this is just what I am covering for the Open Source Initiative. There are more than this. And the reason all these have come along is because there is the EU digital agenda has decided that the European Union is now critically dependent on digital products. And there needs to be a raft of regulation that protect consumers and that arbitrate between players in the market. Particularly where products have consumer safety concerns, the European Union is extremely keen to extend product liability to those products. Open source software is remarkably consequential in Europe. The EU's own numbers say that it comprises perhaps 80% of all software. 
GitLab came up with a bigger number. GitHub says it's 99% of all software. That the number is somewhere up there at the top of the scale. And the EU's survey says that it drove in 2021, it drove 100 billion euros of gross domestic product. So this is a very economically consequential thing. And as a consequence, it's gonna get regulated. So then the question is, how is it gonna get regulated? Is it going to be informed regulation? Or is it going to be collateral damage? Which is it going to be? And well, I think it's going to be collateral damage. As things stand at the moment, I think it'll be collateral damage. This is actually about positive unintended consequences. This picture tells you that just because something is a sacred cow, it doesn't mean you can't put it to good use. So collateral damage. The regulation that's emerging today is not sufficiently informed. And it is not sufficiently intentional with regard to open source software. I have been to meet the authors of the regulations that I'm interested in, the CRA and the PLD in Brussels. And I must say it is a delightful experience. I've worked on legislation both in Washington and in the UK. And in both of those places, I have never been able to identify who wrote the piece of law I was talking about. It has been just delivered on tablets of stone from a cloud somewhere, the old kind of cloud. But with each of those pieces of legislation, there is a person who wrote it. So in the case of the Cyber Resilience Act, it's a guy called Benjamin Bögel. He is, if most of your age, he is super hyper-educated. He is utterly charming. He is very approachable. He is very, very well-educated on the topic of software. He programs a little. He has some systems at home that he puts open source software on. So he's aware that it exists. He does not, however, have a sufficient grasp of open source software to have framed the CRA in a way that doesn't cause us collateral damage. 
And so even though the people are approachable, charming, teachable, and educated, we are still suffering from harm. And then there's another problem happening. So many years ago, we fought something called the Software Patent Directive in 2005. And we did that by going and having protest marches in Brussels and by somebody putting inflatable boats in the river in Strasbourg with banners on the top. And we had a letter-writing campaign to MEPs. And none of that works anymore because the European Parliament now has a streamlined process that allocates from each political bloc a shadow rapporteur with a staff of two to three people. And that small group of people work on the legislation so that when you write to your local member of the European Parliament, they simply refer you to the person from their political party who is on the team in Brussels. And you can have very little impact with the letter-writing campaign because all that happens is your MEP sends the letters to this single person in Brussels who then sends you back a standard answer. In order to influence legislation in Brussels today, what you have to do is form relationships with the legislators. You have to provide them with expert information and you have to check their work regularly for introduced issues. It's very hands-on and it requires people who work on it all the time. And then we have an additional problem because we've got a lot of corporations who tell us that they're our friends. Those corporations, some of them, say things like that they've spent a billion dollars on open source. And others say that all of their products are based on open source and that they have a whole division that does open source. There are ways in which if you look in the right way, those things are mostly true. But it turns out that it is not their words that matter. It is their actions that matter. So let me give you an example of the actions our friends do. So there's a company called Ericsson in Europe. 
Ericsson is a board member of the Linux Foundation. They are a board member of the Eclipse Foundation. Their US operation almost exclusively works on open source software and they have a general manager who's got a great pedigree from HP who is a thoroughly decent guy. However, in 2019, the European Commission was asking for public information on horizontal relationships. That's the relationships between competitors that can rise to the level of being anti-competitive. And so this is what's called antitrust. Antitrust is where players in the market use their power in segment A to illegally gain power in unrelated segment B. That's antitrust. And Frank has been trying to deal with it in the area around NextCloud, nobly for quite some time. So Ericsson wrote about the rules for horizontal relationships and they did their public consultation. You can read it on the commission website. That link there will take you to the consultation and then they sent a letter with their comments, a 14 page letter, which you can also find on that link. And in that 14 page letter, they said Ericsson wishes to direct the commission's attention to what it perceives as a significant gap in the horizontal guidelines in that they do not cover the development of open source software. Ericsson submits that this issue could best be addressed by extending the scope of section seven of the horizontal guidelines to open source development. Now section seven of the guidelines lists the behaviors that are considered anti-competitive and require comprehensive regulation. So our friends Ericsson, who are on the board of the Linux Foundation and the board of Eclipse and will stand up at a conference you attend next year and tell you how much they're committed to open source, also asked the European Commission to regulate it to death because it was a mechanism for anti-competitive behavior. So we can't leave this to the corporate friends that we have. 
We can't trust them to go and represent us and all of those instruments I was showing you have direct indirect or collateral impacts on development, maintenance and use of open source software by individuals, communities and companies. That raft of legislation when it finally comes into force and comes into effect, which is two separate dates, when it finally comes into effect in about two years time, it's gonna have significant impact on everything that all of you do. And it turns out that open source communities were not consulted in any way before this legislation was promulgated. They did go and consult small and medium enterprises because they recognized that they were poor at getting input from SMEs. So the commission expressly went and visited SMEs to get their opinions and solicited input from them. But they did nothing to approach the Free Software Foundation Europe, the Eclipse Foundation, Open Forum Europe, April in France, the OSBA in Germany, OSI globally, they did nothing, they didn't approach any of us. We first found out about the CRA when it was sent to parliament for approval. That was the first time we heard about it. And as I said earlier, this is very serious because the timeline of legislation has got a lot shorter. The CRA was sent to parliament in January this year and it will be law by December this year. That we no longer have 18 month or two year cycles in which we can engage. The cycle time is getting shorter because the parliament has made its processes much more efficient. Now, to understand why they didn't ask us, we have to consider an informal model for society. I actually think that the current European Union is very well designed for civil society in a post-war era. I think that it does an excellent job on transparency, on inclusivity, on considering national needs within the overall scope of the Union. I'm a massive fan of Europe, which is why I was pissed as hell that my government withdrew from it. 
There is an implicit assumption in the European Union's approach to the world that only companies make things. They believe that companies make things completely, privately and for profit. And all of their thinking and consultation mechanisms looks for people who do those things. And there is an implicit assumption that citizens consume things. They consume things using the money they earn working for the companies that make things. And so those consumers need protecting. And so companies need consulting and citizens need protecting. And that's the model that the commission uses when it goes out and seeks information. It believes that the economy has centralized production, that it has distribution chains that are controlled by the producers and that there are natural control points in those supply chains where monetization occurs. And consequently, all of its thinking, all of its consultation around the regulations tracks those things. They look for the centralized production, they look for the supply chains, they look for the control points, and they arbitrate them. And that leads to a model for society that looks like this. It leads to a centralized fund-create-deliver function and then consumers at the outside. And that leads to consultation happening with companies and workers when there's new regulation. And it leads to a desire to protect citizens from whatever these two are doing. And that's kind of problematic because we're now in a meshed society. We have global fourth sector peers. So I'm introducing that phrase fourth sector. It was coined by several people at the same time because it seemed to fit the circumstances well. We're in a society that has commons-based peer production globally. It works over global networks. So national boundaries don't affect what is happening. NextCloud has contributors from huge numbers of countries. 
NextCloud, I expect, although I haven't checked, has got contributors from countries that aren't entitled to do business with us. And as a consequence, open source is already quite impacted by the geopolitical environment. Open source tends to avoid or absorb control points. So when there are patents in standards, it tends to avoid those standards. When there are attempts to enforce copyright, it uses licenses that absorb the control point and turn it into a vehicle for openness. And that leads to a structure like this. These orange ovals are individuals and individuals play multiple roles in society. They're people who fund and use and adapt and study software. They're not playing just one role. They're not just consumers of the software. They may well be contributors to the software. They may well be using a crowdfunding mechanism to help fund the software. I have used crowdfunding both to execute projects and also to support other people's projects. And many of us are in this, in fact, I'd suggest all of us are in this position of playing multiple roles within society. Now, they didn't ask any of us about the Cyber Resilience Act. They didn't write to Frank and say, Frank, you're running one of the most significant projects in Europe. What's your opinion on the Cyber Resilience Act? And they've definitely got Frank's address because he writes to them often enough. The legislative process is mistuned for the modern era. Legislators have no expertise per se. What they do is they act as arbitrators amongst experts. They seek expertise from the market and they then adjudicate and arbitrate between the expertise that's been given to them. The experts involved are coming from the owners of the control points in the centralized production. And because of that, they never invite experts from the fourth sector. Before I forgot to mention, that's the fourth sector. You are the fourth sector. 
There is the commercial sector, there is the labor sector, there are citizens in the consumer sector and there is the fourth sector of people who have multiple roles within society that they execute at scale by being numerous. So the fourth sector is largely unrepresentative and I don't believe a better arbitration process by the European Commission will fix that. I don't believe that giving them a list of all the people who today they should have consulted about the CRA and getting them to consult you is gonna fix anything. Because it just becomes a game. It just results in building more legacy representation from what should have been represented this year. It doesn't, there's no mechanism for representing what's coming next. And I believe that ultimately, the only solution for this will be radical reform. And unfortunately, that is not on anybody's agenda. The malaise in Europe that is leading to populism across the union is also focused on the post-industrial centralized production model. And it is going to take a reform of that to settle this problem along with a whole load of others. Meanwhile, those of us who make up the fourth sector need to get active and start engaging. Unfortunately, the free software community has some additional problems. We have what I call Life of Brian syndrome. That is to say, I don't know if you've noticed this effect, the more we agree about, the more vigorously we disagree about the things we disagree about. And we end up having heated arguments about things that are very, very narrowly scoped. And forget that actually 98% of everything else we agree about. We have that tendency as a community. And also, we're very diverse. We consist of public charities, of trade associations like the Linux Foundation. There are many unincorporated associations like the Debian Project, which has no legal entity behind it. Its trademarks are owned by three umbrella organizations, including Software in the Public Interest. 
Many projects are fascinating mixtures of charity, incorporation, and unincorporated association. And there are one or two projects which are rigidly in the control of an individual. Exactly how you draw representation from that rich mix is very problematic. So can it be done? Well, yes, I believe it can be done. I think we can be represented in the legislative process. In 2005, we did exactly that around the Software Patent Directive. And we were surprisingly effective. The work that we all did on that resulted in the Software Patent Directive being completely abandoned by the European Parliament, much to everybody's surprise, actually on the day of the vote. And so, that is what encourages us to keep on working right up until the last minute because last time we did this, it was the last minute when the change happened. Times have changed, though, and we need to have more hands-on, more direct engagement with the legislators. The European legislative process has three parties involved. It has the European Commission, who is a civil service that write the draft. It has the European Parliament, which is the elected legislators who take the input from the European Commission and review it across all 600-plus MEPs to work out what it ought to say. And then there is the Council of Ministers, which has got the governments of all of the European countries who look at the same input document and work out what they would like the bill to say. And then they all get together at the end of the process in something called a trilogue, where they each bring their version of the document on the table and they build a compromise that reflects the accepted position of all of the parties. I believe it is the most open and representative legislative process in the world. I think it is absolutely fantastic. And I think if ever you hear anyone criticising it, you need to ask them why. Yes, it has faults. Everything has faults. 
But this is pretty much the state of the art in legislation, in my view. So what we have to do is we have to engage with that mechanism. And we've done that around the CRA. Around the CRA, we have formed a monthly group that meets to discuss public policy. That's done under the auspices of Open Forum Europe. It's open to all open source organisations. And so there's about 70 people who get on a Jitsi call to have a conversation about the current legislation that I said. By the way, if anyone ever tells you that Jitsi doesn't scale, they are people who are lying to you. Jitsi does scale. It scales beautifully. It's just that people get locked into what they're used to. And I have a blog post about that if you're interested. So what we've done is we've segmented the CRA. So I only work for OSI 33% of the time. I'm an independent consultant, which is the modern way of saying retired. And so I work a third of my time for OSI on public policy. And so I have focused on definition issues. What does open source mean? And I've visited lots of legislators to have a one hour conversation with them about what open source means and who the open source community is. Eclipse has been much more worried about some of the more detailed liability considerations. And so their representative has been focused on those. The Apache Software Foundation has now appointed a VP of public policy, Dirk-Willem van Gulik. And Dirk-Willem is going and doing all of the insider politicking through his previous connections as CTO of the BBC and as an active part of the Dutch government's open source activities. We've drawn those people together and they're each working on a segment rather than on the same things. They coordinate amongst themselves. And then we've got other people who are joining in there and they're being mentored by those existing experts. So we're growing the group of people who can go and engage. And we also peer review all the public statements. 
So you might have seen a number of public statements about the CRA. All of those were shared on open source collaborative tools before they were published. So all of the organizations involved saw them even if they weren't signatories. And there were no surprises. We had a unified position, which is why you've seen very little of the usual sniping across the community at other organizations' positions in this particular area. There's been a tiny amount of it, but very little. And we're very inclusive in this. We assume that if you're willing to waste an hour a month or more on this topic that you're probably acting in good faith. It is a little bit trust and verify. We do make sure that you aren't actually one of the bad guys. We do have a few people who I'm a bit suspicious of from certain corporations joining the calls saying they're from communities. But we're living with it, it's working. And the result of this has been that the CRA is now being thoroughly covered and I'm now moving on to the Product Liability Directive. So you can join in with this. Now that doesn't mean maybe you don't need a new hobby. I find I've got enough hobbies myself. I have grandchildren. I have a house to keep maintained. I don't really need a new hobby. So you might not as well, but you will want to make sure that the communities that you engage with have joined in with OSI as an affiliate. We have about 80 affiliates now and we work with those affiliates directly on public policy. And the same thing is also happening at FSFE. So FSFE has expanded its public policy team. They now I think have five people working on public policy. They're doing a fine job on the Interoperable Europe Act, for example. And we coordinate with them and make sure that we're not overlapping or competing with each other. So you can get involved. You can be your community's contact point for open letter sign on. 
That'll mean when one of us writes a letter to the commission, we'll send you an email to say, hey, could you check this to make sure it's okay and would your organization like to sign it too? You can join us on the monthly call and chip in and see what the current findings on legislation are. If you do have time, if your job would allow you to spend more than 25% of your time on public policy work, then please get in touch with me and I will talk to you about how you can do that, how you can get more engaged. If you don't like OSI, I will introduce you to the people at FSFE who work on it. If you don't like FSFE, I will introduce you to the people at FFI who do it. We'll make sure that you find a place where you can contribute. So I have to say I am moderately hopeful at the moment. I think that it's likely that the result of all this collective activity is going to result in representation for open source, but it isn't a done deal. We do need to get more people engaged in the process because I'm anticipating that the flow of legislative instruments is going to grow, become greater. And we need to get people from the fourth sector to engage so that we can build a virtual first sector organization to go and engage with the commission until they reform their processes. When they reform their processes, of course everything will be fine, but until then we need to work together and recognize that we have far more that unites us than divides us and we have great tools to use while we do the work. Thank you very much for your time. Thank you.

Thanks a lot, Simon, for a very passionate and knowledgeable speech that you have given us to all of our community developers today. So now it's time for a quick Q&A session. So anyone has questions? I see the first hand already. Thank you. 
I mean, I don't think I'm the only one who has a lot of critique on the EU in general, but two things that you also talked about is, for example, lobbyism, which is deeply anti-democratic, and the second thing would be that there are no directly democratic structures within that to be able to actually participate. But what I want to ask is my theoretical background, what I work with is the division of society in three sectors, and that would be politics, economics and civic society. Do you feel that the open source realm is not part of the civic society, or what do you...?

No, I don't believe it is part of civil society because I believe that a lot of the motivation for engaging in open source is part of the economic environment as well. And I think that that's really the division that I was highlighting as the three sectors. I believe there is a fourth sector where people play the roles of those other three sectors, and they play all of those roles, not on the scale of individuals, but there are people who are involved in open source projects whose coding and whose innovation is affecting billions of people. They are operating, they are making things at the scale of a major economic operator. And consequently, the consideration of them needs to be the same consideration that you would give to another entity that's operating in the economic realm. And yet, the people who are doing that work are of a scale that a government would consider them to be individuals, or consider them to be a small civil society collective. My experience is that when you treat open source as a civil society matter, it basically is put into the category of something to be protected. And by protected, I typically mean it's something that has to be protected from ever finding out what's going on. And that hasn't been a good thing.

But what is usually meant by civic society is not just citizens, but non-profits, organizations, and all of that. 
So I'm a member of, so for OSI, I represent OSI at ETSI, which is one of the de jure standards organizations in Europe. And ETSI has got a legal requirement that it must consult what are called annex three organizations, which are the civil society organizations. And the civil society organizations that get the most voice are organizations like BEUC, which is a consumer rights organization. That consumer rights organization tends to treat open source as harmful. They tend to treat it as a source of risk for tools for pedophiles, as a source of risk for hacking of home devices. So they're very much supporting the CRA and the things that put restrictions on open source. And so although you can consider open source to be part of civil society, and I do, I think I do agree with that, what it results in in the legislative flow is the people who are representing you don't represent you, because they actually believe that the work that many people here do is harmful to citizens. And they're very, they are of all the groups that I've ever tried to persuade, they're the hardest to persuade that that's not so. And so I find when I'm dealing with these annex three organizations at ETSI, they're not on my side. And that's part of the reason why I'm talking about a fourth sector, because I don't believe that we fit into that. Although we do obviously fit into that third sector, we're not represented by those that represent the third sector in the legislative process. So.

Thank you.

Thank you very much for the presentation. So I understand that those legislations could be harmful for the old fourth sector and the open source. Could you give concrete examples of how this legislation could be harmful? I don't know, maybe how it could be, yeah, harmful to projects like NextCloud or to individuals contributing.

I'll have a go. 
So I'm not an expert in how the Nextcloud project and community are structured, but there's two things the CRA is going to do that are consequential, I think, to Nextcloud. One of them is that it will require that if Nextcloud is considered to put the Nextcloud software on the market, which is a technical term defined in the legislation, then the entity placing it on the market, which will almost certainly be Frank, will be responsible for putting a CE mark on Nextcloud. And to put a CE mark on Nextcloud, the project will need to adopt processes that control risk, that prevent out-of-date versions being available to the general public. So it will become very difficult for people to get, somebody who's now running Windows 7, and I think more about LibreOffice myself, because that's the project that I've been involved in, someone who wants the Windows 7 version of LibreOffice isn't going to be able to download it anymore because all of the CVEs that are fixed in that, in the latest version, will result in it becoming a dangerous, almost munitions grade risk. So that's one of them. The second thing that will happen is that Nextcloud will need to report any exploitable vulnerabilities to the government in the country where they reside. So you'll need to report it to the organization that handles cyber engagement in Germany, and you have to document it in sufficient detail for them to assess the risk to the general public and then take their direction about how to respond and tell people about it. And I believe both of those things will be extremely burdensome to the Nextcloud community. I don't know if Frank agreed. Yeah, sorry, Simon, don't want to hijack your presentation. Thanks a lot for that, by the way. Now, I may quickly can give a more concrete example. 
So the Cyber Resilience Act means that, as described, that once you put something into the market, then you have certain responsibilities and you also need to do certain things, which is as described tubally, the case for a company. The thing is that, under the current text, everybody who is publishing some open source, publish it. Yeah, don't understand it. Yeah, yeah. He would be good for it. So everybody who is putting any open source on the internet is then suddenly considered a company who has all these legal requirements. So if our community, if some person writes a Nextcloud app and puts it on GitHub, then this person has to do all the things that are required by the CRA, which is like being liable for it, like managing the risk also has to pay like significant fees if something goes wrong. So basically it means that no individual actually can publish any open source software anymore because they're suddenly like treated as a company. So it's a very concrete risk for us. Yeah. No, because there's a, so the question was that doesn't GitHub then put on the market and the answer is no because there is an exception for repositories. And so GitHub is not responsible for putting it on the market. Yeah, so this would basically kill like the open source community. I don't hear anything. It's, it is a vehicle of market regulation. So it's, it's, it will become a mandatory requirement for product to put placed on the market in Europe. And you won't be able to, so you know how all open source licenses have in big capital letters at the end, we're not responsible for how you harm yourself with this. It says it in more words. That is, that's completely redundant under the CRA. You are totally responsible for all the harm that you just caused to a consumer. Doesn't matter what the license says. 
Yeah, so everybody would just write a small script or a small application, put it like somewhere on the internet and then someone else like using it and it's, it's harm because it might have a bug or security problem like years later, then you're personally responsible for that. And it's obviously means that this would kill the open source community. And one other thing to add and then I leave this back to you and sorry, it's also about the interesting point that the commission doesn't really seem to want to have any input from the open source people. So there was supposed to be a hearing in Brussels like Monday next week, I was, I was invited and it's canceled now. And no one knows why it's canceled and if there will be another opportunity. So they're clearly not interested in getting any, anything from open source people. I mean, they is a very big, very, they is doing a lot of work there. So we've got some people want more input than others in that process. And of course it's human beings involved. People have different approaches. We do have a question over here. So open source is perceived as being a threat and if so, did this emerge with the rise of AI or how so? No, open source for most of these people open source is not regarded. And most of the impacts of the CRA, Benjamin did a fantastic job understanding open source and his understanding of open source is, it was about where my understanding of open source was when I had been working on it for about four years. You know, he's done a great job. He's assimilated it very well, but he hasn't really understood how code is made how it flows around communities. He doesn't really understand where he's going to cause impact. So there is an exception in the CRA in Recital 10 that says that none of this applies to open source software. And, but it doesn't actually say that. What it says is that it doesn't apply to open source software that is non-commercial. 
And anybody who's been talking about open source and free software for any length of time will do an immediate facepalm at that point because that's the worst possible way of determining whether something is in scope. And we have repeatedly said that to the authors of the CRA and they tell us, no, that's what the Blue Guide which is the framework guide for EU legislation uses the word commercial and so they want to use the word commercial too. The biggest fix that I would do is probably to do with that word commercial. I have written a blog post recently on the OSI website about that if you want to see roughly where the thinking has got to. Tingting, thank you first of all for this talk. Very, very great. I have this question about stewardship, right? And the role of companies in this, right? So working at Nextcloud, I see a lot of good things happening that we're trying to achieve. So I'm kind of wondering and I was somewhat feeling that it was missing in your story, what can an open source company do in this matter? So what can an open source company do? I think that Frank does a tremendous job for you, just so you know. Frank is very visible. Yeah. So Nextcloud is very visible and very active. And the result of that is that Nextcloud does tend to get mentioned as an example and does tend to get invited to meetings which then get canceled. So I think actually at the moment Nextcloud is probably doing the things that you should do. The one more thing, if you're of sufficient scale as an open source company, having a member of the staff who can spend 25% of their time is very valuable. And there's a few companies that have done that. So we do hear from some companies in France who have got, it's typically the founder who comes and does the engagement. So I think you can do that. I also think that, I don't know whether Nextcloud is already a member of OSBA. So there's the Open Source Business Alliance here in Germany. 
I think that any open source company in Germany should be a member of OSBA. OSBA last week did some extremely effective lobbying on your behalf with the German government delegation to the CRA negotiations that I think is actually gonna result in a big improvement for the CRA, Miriam Seyffarth, and people went along and did that. So I think that's the second thing that you can do. I think the third thing that you can do is to document positive examples. Because one of the challenges that we have is finding case studies that we can give to. So we went to talk to Benjamin early in this process in March, and he said, well, have you got some case studies that would help me understand the harm that the CRA will do? And the answer is no, we really haven't got them. And we could really do with that person who's got 25% of their time documenting a one page story of how you see the CRA at the moment, the harm that it's going to do. And each time a piece of legislation comes on the radar at OSBA to do the same thing. Because actually having documentation that I can take and go and put on Omar's desk on Monday and say, well, you say that open source is excepted, but look, this is what Nextcloud say. They say that yes, it's excepted, but not sufficiently. And Omar is amazingly grateful for those things because he wants to do things that are good for your company. You know, there's no one out to get you. And when you equip them with the evidence, they respond positively to the evidence and they do change the legislation to remove the accidental harm. We have run into a few cases where the harm is intentional. So we did run into some people at the commission who told us that they want the community to spend the money on the cyber resilience so that SMEs integrating it for sale in Europe don't have to make the investment to do the work themselves. 
And we did ask them who they thought was doing that, because we don't know anyone who's doing that and why are they trying to make life easier for them? And shouldn't those be the people who are investing to make it happen anyway? But so yes, so please document, engage, be visible, be positive would be the things. Okay, so this seems to be a really ill-advised directive and it seems like companies are trying to drag down open source to their level and then beat them with money. But my question still is like the point of security and misuse is still there. Do you have maybe an idea for an alternative to address those issues more? Yes, we do. So when the Cyber Resilience Act came out, we did a four column chart of each clause that affected open source and we proposed alternative language and the parliament rapporteur adopted the majority of our suggestions. And so the parliament draft actually does have a lot of protections that are in there. Unfortunately, last month, somebody then introduced a whole load of new language that undid all that improvement that we did. And we're not quite sure where it came from but there's places I suspect it came from every time it happens. Some companies with an M or an E or something at the beginning of their name. So we can, I do think we can improve the CRA and fix the issues in it. The wall we ran up against was discovering co-legislators who actually wanted to achieve the effect that we perceived as negative. And to fix that, and we try to understand why do they want to do this thing where they're pushing all the responsibility down into the community? And it's based on an incorrect perception of how open source engages with the European economy and fixing it involves a good deal more education than we have time to do before it goes into trilogues. Trilogues start, were supposed to start tomorrow. And that was the reason that your meeting got canceled because the trilogue was brought forward to tomorrow. 
And I think it's now fallen back again. So you might get another invitation. In the case of the PLD, the PLD is pretty good. The version of the commission that Omar came up with in the commission, it has got different, the language has got a different structure to it. It has slightly different concepts that they're using. And as a result, the collateral damage is much less from PLD. And in addition, we've been talking with both the commission and the author and also with the rapporteur and they've been very responsive to the input that we've made. So I'm actually fairly happy about the PLD. And honestly, that's the thing that really affects Nextcloud, is the PLD. Because there is a risk that Nextcloud will receive market regulation actions over compliance with the CRA, it's far more likely that you'll have consumers seeking compensation for data loss under the PLD. And the PLD is being structured so that that's much less likely to happen. So I'm fairly positive about the PLD. And then all the same open source language things are all showing up in the AI Act and the AI Liability Directive as well. And they were written by someone different and they're all slightly different. And we're all having to go through all of the language again. And actually, that's the point we've run out of resources. We haven't got anybody to work on that at the moment. Hi, sorry to hear you again. It's my last question, I promise. But did you, like using lobby control or something, one of those information sources, is there a possibility to find out what happened in the meantime? So the lobbyist tracker is very, very good. And we can see who's been in. We can't see what the meeting, you can't see who went in. It just gives you the name of the organization being represented. And it doesn't tell you the subject of the meeting. So you can't really find out what happened. 
And so you then have to get a, you can't ask the commission representatives directly what was discussed because that would be a breach of confidentiality. So there is a certain amount of divination that you're doing to kind of work out where the ley lines are and what was going on. I've got a reasonable idea that a lot of the negative pushback that we had came from the consumer rights organizations. That's where we think a lot of it came from. In the deep past, you and I had fun with the CLA problems. People are signing their rights to companies. Project Harmony, yes. One of the many things called Project Harmony. They're all evil. Anything called Harmony is maligned, just in case you're interested. But one of the sort of fig leafs for assigning all your rights to an organization was that they would quote, protect you. And given the inevitable harm that seems to be coming here and my dislike for CLAs, do you see any kind of form of protecting individual contributors whereby the company would take the liability in truth rather than actually as a fig leaf for their contributors? So I honestly haven't investigated whether that's feasible. I kind of think it's profoundly unlikely. All things considered. But I do think the best way of getting rid, the best thing we can do is to get rid of copyright assignment though and not assign copyright to anybody including the Free Software Foundation. But keep the copyright yourself and just use the open source license and give people software freedom. That was a commercial on behalf of the people who hate copyright assignment society. But I think it's worth investigating whether there's ways of putting a blanket of protection over the community. But it's another cost. Has Collabora got the budget to buy liability insurance for all of the LibreOffice contributors? And would you anyway? Because the code that community includes your competitors. 
So as soon as you start protecting the LibreOffice community, you're also protecting Allotropia and you're also protecting Red Hat and you're also protecting some other companies. So I think that's a complicated subject. But it may be that you and Frank both want to buy public liability insurance and offer a blanket to your communities. You know, that may be something you want to do. I would be surprised if you had the budget for it. But maybe you will, I don't know. Because you're both such lovely people, you know. Oh. So I, I'll just put this up on. So I'm very happy to take questions. All the contact points are on some slide or other. That slide there, I particularly like emails and direct messages on Mastodon. Those both make me happy. I am less excited about other forms of communication, particularly if they are synchronous. Those are definitely not preferred synchronous communications. So do feel free to ask questions. I'll try and engage as positively as possible. I'm afraid I only speak English reliably. I speak several other languages sufficiently to get myself into deep, deep, deep trouble when somebody replies to me. But none enough to be able to have a dialogue with you. And I apologize for my inadequacy. Thank you. Thank you, Simon.