 Welcome, everyone. This talk is called Open Source Under Attack. It's presented by Chris Anicek, Michael Chung, and Max Sills. Cool, everyone. Okay. You hear me? I hear myself. I understand this. So, you know, my name is Chris Anicek. You know, I've had the fun, I don't know, I'm getting a little feedback, but hopefully that stops testing, testing. Good. All right. So, my name is Chris Anicek. I've had the fun opportunity of working in Open Source for probably the last 20 years as a, you know, maintainer to starting an Open Source company before it was cool to now working at a non-profit foundation. And, you know, over the years, Open Source has grown, been extremely successful, and, you know, with my position here, you know, and some colleagues, we're going to talk a little bit about how, you know, the kind of world has changed and how we could protect Open Source as it is currently under attack by some bad actors out there. And I'm speaking with colleagues, you know, Michael Chung and Max Sills, which are two, let's call them corporate Open Source lawyers that work for the advertising industrial complex. I don't hold that against them. I still think they do great things for Open Source, but we'll kind of get started and kind of kick things off to Max here. Thanks, Chris. I'm Max Sills. So we wanted to start this presentation. Oh, I'm going to stand right here. Okay. We wanted to start this presentation more theoretical, give kind of like a high level overview of what the problems are. Open Source regulation and Open Source attack can be very emotional. They're highly charged topics. But I think some of the problems going on in Open Source are actually very similar to problems going on in tons of other domains. So it can kind of be instructive to see how these problems just operate. And here's the fundamental structure that we have. Open Source software is a shared public good, like trees or water. And this is really how we want you to think about it to situate our talk. So it's something that everyone kind of shares and consumes, but it's also something that we have to take care of. And so there's two kind of concepts that we want to talk about. One is the public commons or this public shared good of software. And then the other is ways to regulate it. So if you look at the GPL, I think a lot of people have a lot of different feelings about the GPL. But fundamentally what it did was it was an early economic solution to this commons problem. There were people who wanted to create a commons of public software and it was a system, it was a technique to make sure that people gave back. Kind of like if you're going to cut down a tree to build a house, make sure you plant another tree. And when FOSS was in its early days, no one really analyzed this too deeply or identified any problems with it because the production and consumption were kind of in equilibrium. And there wasn't so much money riding on open source. So yeah, commons is an unregulated shared good. The thing about commons, and I'm sure a lot of people have heard of the concept of a tragedy of the commons, as the economic incentives to exploit the commons grow, more people will exploit them. That's just basic. If you can make a dollar of fish by fishing in shared waters, okay, that's pretty interesting. If you can start all of a sudden, if you make $1,000 of fish, and no one is stopping you from fishing besides your own kind of like ethical principles, corporations and other entities which are sometimes legally required to try to maximize shareholder value, like our entire global legal system is going to be set up to incentivize this behavior. The thing I want you to think about is like, okay, this is a problem. We have this public commons that we depend on a lot and it's started to become really profitable to overfish these waters. So how do we regulate? So there's two types of things we're going to focus on and later we're going to talk about some proposals we have. But up until now, this concept of open source branding has been an effective self-regulating mechanism to prevent overfishing, if you want, of the commons. Because it's been used as an identifier, people understand what that means, but it's become way too lucrative to lie. And so the best analogy we have here is greenwashing, right? I think we should think about this in an ecological sense. The same way that we need to protect the climate, we need to protect the environment because it's a shared resource that we all depend on, greenwashing is when businesses for their own profit divert resources that would otherwise have gone to improving the climate, improving the environment by branding themselves as eco-friendly. And you can't do that, it's illegal. I think open washing and also offering a piece of software under one license, but later changing it's the same exact thing. Because what you're doing is you're inducing market participants to invest time, money, energy into what they think is a public commons, but really you're pulling the rug out from under them. So a great example of this is the recent VW issue. So the FTC in the United States is pursuing a $15 billion action against VW. That's serious money. But I want to think also about our own personal investments in contributing to open source and kind of what that means. So with that I'm going to pass it off to Michael, but we really help you situate this talk in this framework. Thanks Max. Hey folks, my name is Michael Chang and in this section I will talk, we're going to define very specifically what we mean when we say that open source is under attack or the commons is being eroded. So whether in the form of open core as a business model or the new and misleading licenses that come out of open core, the essential issue is always the same, which is proprietary licenses, proprietary software, masquerading or pretending to be open source. And that creates confusion. And it is this confusion about what is safe to use, open source versus what is not safe to use in my project or my product, proprietary software or source available software. It is this confusion that erodes trust. Psychologically what happens is when I use something that I think is safe and then later turns out not to be safe, I lose faith in my ability to identify safe, to differentiate safe from unsafe, and I'm much less likely to use the safe thing going forward. And this confusion directly gets at or directly erodes the rationale and why we do open source and the things that make open source compelling. We do open source because it's efficient. It's often the most practical, most effective way to do development. And to the extent that I'm spending time trying to figure out whether the license, whether the component is safe to use or not safe to use, that's less time I'm spending doing the actual development. And up to a certain point it then becomes, open source becomes that much less efficient for me to use to a point where it becomes indistinguishable from proprietary software. We do open source because it engenders a sense of community. That sense of community is built on a foundation of shared values, shared goals, and most importantly shared rules of engagement. Nothing destroys trust in the community faster than introducing participants that look and talk and feel like members of the community, but in actuality bring an entirely contradictory set of rules of engagement to how they deal with the community and how they deal with one another. An example of this is of course when a community member makes a poll request, sends a poll request to an open core repository. That poll request is refused or rejected for one reason or another. And then sometime later the same feature and sometimes the same code appears in the closed stack of the open core company, which they then sell for money. Now it's entirely possible that they were going to come up with that feature anyway, it was entirely possible that that was probably on their roadmap, but in some cases the timing is very suspect. And all of this sort of starts with open core and open core is the decision to build a business on top of a formula. This formula involves the combination of part of your product, part of your technology stack will be made open, will be made available free on open source terms, and then another part of your technology stack will be closed or proprietary, which you then sell for money. Critical to this business analysis is the judgment that a certain percentage or a certain proportion of open versus a certain proportion of closed will generate revenue for you. It's an assumption that it will generate revenue, it will stand the test of time, and it will create a viable business for you going into the future. That's the assumption, that's the business model, those are the assumptions made about the business model by these open core companies. Of course that assumption is part of a larger set of assumptions about what they can protect, what they can't protect, but it manifests itself in the case of a proportion of open versus closed. Of course inevitably things change, markets move away from companies, markets move away from certain products, markets evolve, or sometimes the founders of these companies just get the business model wrong. They made the wrong decision as to what proportion is open and what proportion is closed, and what did they do in that situation? What they do is they inevitably decide to make the open part of their stack, open part of their product, they decide to make that closed, and they decide to pick a proprietary license. This activity, this, while potentially technically allowed under the terms of the contributor license agreement, also erodes trust because it upsets expectations of users and contributors who invested on the basis of part of the stack being open and now the entire stack is now closed or proprietary. What is worse about this is that the way that open core companies have sometimes sort of presented the relicensing is one of blaming everyone but themselves. They talk about, they blame public cloud providers, they blame the open source license, there's lots of people to blame, but in actuality, in many cases, the market has moved away from them, in many cases maybe they just made the wrong decision about the proportion of open versus closed. To add insult to injury, the names of the licenses that they've used when relicensing, names like public commons community in the context of open source development where developers spend seconds, looking at the license.txt file. There's no other reason to use these terms except to create confusion that a license is safe to use. And then when folks find out later that it's not safe to use further erodes trust, further erodes goodwill in the community. This is not a new phenomenon. This started, of course, with the shared source initiative back in 2001 and perhaps earlier, which former OSI president called an insurgent term that distracts and dilutes the open source message by using similar sounding terms and offering similar sounding promises. At the end of the day, the more time you spend trying to understand the license, the more time, the closer we all come to a proprietary world, right, where lawyers are everywhere, there's this dystopian post-apothec future where trust is lost, low efficiency, there's low efficiency in open source, at which point, for many users, you might as well just go proprietary. Free software will live on, it always will, but the pool of potential converts will shrink because after having been soured on the promise on the problems of the open core. And on that very cheerful note, I will now hand it to my colleague, Chris, who will talk about why this is happening. You hear me? Testing, testing. All right, back. So, you know, Michael did a good job explaining about some of the attacks going on. I think there's a lot more than just purely the open core crowd that is trying to steer open source licensing into interesting directions, but part of the reasons these attacks are happening is because, fundamentally, the world has changed, especially in the last decade when it comes to open source. I started my career, you know, in an environment where the great Satan of, you know, the time was, you know, Microsoft, right? Open source was evil, you know, I spent probably 10 years of my career fighting against their, you know, .NET ecosystem and all the proprietary hell that is going on, but now, you know, especially if you talk to someone who maybe didn't grow up in that time or experienced that time, it's like Microsoft is great, you know? VS Code is the jam. It makes my life super easy, right? So, you know, the attitudes and the companies involved have completely shifted how they're doing business and how they're interacting with communities, so times have changed. In terms of the percentage of companies that are actually running open source software themselves has changed an incredible amount in the last decade. You know, in just 2010, you know, some data from some of the, you know, the Black Ducks, the compliance industrial complex companies of the world basically hit that, you know, hey, about 39%, you know, these companies were using open source at that time. Now, you know, if you, whether you go through data from like GitHub, Black Duck, it's hard to find no organization on the planet that does not have some form of open source dependency out there from a company perspective. We're also changing how we build products. A long time ago, the majority of products, maybe not a long time ago, the majority of products were mostly built on a proprietary core. Now, we've moved to a model where the majority of what is happening in product development is basically building a thin veneer of proprietary code based on mostly open source components that you stitch together and improve on and so on. So, you know, the change here is even in a short amount of time, open source has essentially infiltrated, you know, product development and now comprises the majority of what is done and built in a proprietary product. We have also moved to, you know, traditionally now a more permissive comments. The rise of more companies depending on using open source have favored a more permissive approach and you've seen this change market in the last, you know, five to ten years that more and more, you know, new software that has developed and more new ecosystems like the JavaScript, the cloud ecosystem, they're all faving more permissive approaches and that has led to more increased sharing and development across corporations which is another market change in how the world has changed. There's also the crazy problem that with all this spread and use of open source from, you know, cars, fridges, you know, things that we all depend on, there's a huge issue now potentially even securing the commons. And even the last few years, the number of issues that are found in products and, you know, companies, you know, getting fined is increasing. So this is another market change of how much open source has become pervasive and critical for companies and products out there. The other big change that is going on is when I started my career, I remembered there was a very kind of niche set of companies out there that were doing open source. Yeah, I'd like your Cygnus folks, Red Hat. There were very few companies that were focused on purely open source development. What has happened over time, open source has entered new markets. So there are products out there from CRM solutions to office suites to databases. There's more and more, you know, open source being built to, you know, basically build businesses. And part of these businesses are essentially, you know, just like in any other kind of capitalist market is they are being funded by investors, venture capitalists and so on. And this is essentially big money now. You know, we've had tons of companies either get bought, you know, or IPO in the last few years in the open source space. Red Hat, arguably the largest, you know, software acquisition in the world, just not even counting as it was the largest software acquisition recently. And so if you kind of look at the data, there's this kind of fun little spreadsheet out there called the OSS.cash, which basically goes and tries to give a list of all the companies that are essentially, let's call them commercial open source companies and, you know, what their respective valuations are, how much money they're potentially making and so on. And this has become essentially what was, you know, almost less than a billion dollars a decade ago to 140 billion today and only continuing to grow. And so what happens is when you have these companies that are essentially raising money and investing, you know, money from venture capitalists, they expect returns, you know, just like any other investment people put money in and they expect, you know, typical VC-sized returns. What's actually happening now is there's a lot of concerns from, you know, these folks that are investing in these companies that my return may actually not get what I expect. Maybe there'll be some type of failure associated with this because, you know, maybe, you know, people could copy, you know, my code with that contributing back or the clouds are strip mining my stuff and not contributing back. What's actually interesting is if you kind of think about this, it's, you know, for me it's really difficult to maybe name one company that has, you know, failed in this, in kind of, you know, from a cloud, you know, overtaking the business or something. The only recent company I didn't really think of is Docker has kind of floundered and I think that's less for open source reasons but more from, you know, business, you know, business decisions of failing to actually deliver a good solid, you know, business. But, you know, if you see us look at this, we threw 250 million in this and this company basically was sold for scraps. Not good for me. Another interesting behavior that's been happening is certain venture capitalists out there, you know, have been directly attacking organizations out there like the OSI and have basically said that, look, you know, this whole open core source available thing is happening because there's been a lack of leadership from industry associations such as the OSI and so, you know, they're accusing the OSI of making commercial open source less viable. That, to me, is a little bit insane because, you know, they're essentially coming from a perspective where they're punching down to a much smaller organization and if you look at, you know, the last, you know, decade or almost 20 plus years, you know, that OSI has been around, open source has been pretty successful for, you know, their leadership in this thing but this is an attack that is going on and, you know, obviously there are things that could be improved and, you know, we'll talk a little bit about this in, you know, the next couple of slides but this is something that is directly, you know, happening of them going after open source organizations such as the OSI. One crazy thing that has also been happening with kind of this rise of source available licenses, it's caused some very interesting, weird dynamics kind of in kind of the cloud space and commercial space so one of my recent favorites is, you know, Elastic and Amazon have been in this little spat and, you know, Elastic basically, you know, did the typical open core thing, we're going to play around with licenses. Amazon obviously got a little bit upset, they don't want to be beholden to this particular, you know, vendor and they viewed them as basically keeping features away from their customers and forcing people to kind of only, you know, go through them for said feature, so what did they decide to do? Just like in open source, you could quote, quote, potentially fork, I know Amazon doesn't want to say that they fork the code base, that's not their intention, but they're essentially doing is like, look, we got a lot of customers that depend on Elastic and our goal is to make a distribution that is fully open, there's no open core shenanigans and we're just going to, you know, develop enhancements in there with everyone else, everyone's invited. That's been one weird side effect where you now have, you know, fairly well-funded cloud providers making these open core related companies to potentially the cleaners by offering fully open versions of things. Another interesting thing is even within the open core companies themselves, there has been a ton of competition amongst them where I, you know, a little bit, kind of laugh at this where, you know, let's say a couple database companies or other open core companies are basically now comparing themselves that like, I am more open than my other, you know, open core fellow companies. So like, you know, Ugubite recently, you know, not so long ago now, it's like, we're going fully 100% open source for basically our enterprise features, our core, and yes, we're going to have our proprietary management stuff, but that's cool. You know, they're open with that. They're not going to go down this kind of, you know, open core washing route and that's kind of an interesting trend that I'm seeing more and more happen. Another example is our friends at Chef recently decided to go, you know what? We're just going to go 100, we're going to go red hat style. 100%, you know, everything open will charge people for an enterprise distribution and so on, but, you know, we're not going to do open core. Who needs it? We're going to go fully, fully open. If red hat can do it, why not us? Other interesting trend that's been happening is someone who kind of spends a little bit too much time in, you know, dealing with cloud providers and that kind of side of the market is there's kind of been this, this meme going around that cloud providers are strip mining open source. They're not giving anything back and what I think the source available and kind of open core movement has done is actually kind of forced the cloud providers to reevaluate things a little bit where they have started to now offer, you know, revenue sharing agreements. They're contributing more and more back to open source. Microsoft and Google are some of the largest open source contributors out there. You know, even our friends, you know, other organizations are starting to get their act together, but this is a market change in the last year or two, you know, that's happening. So these are just some, you know, suggestions and ideas of basically, you know, the world has changed in open source. It is no longer an individual niche business thing. It is basically powering all our lives and businesses all over the world and we're going to talk a little bit about some solutions and ideas based on our kind of experience that we kind of want to offer to the audience. So I'm going to go hand it back to Max to discuss some potential ideas how we could protect the commons and open source. Hi. Hello. Hi. Trying to get the energy up. 9am talks. Honestly. So we're going to talk about solutions right now, but let's just do a quick summary, quick overview. It's just capitalism. Part of it is capitalism. People are going to try different business models, right, and they're going to try to advertise smaller and smaller distinctions between their product offerings and their licenses to see what consumers are interested in and the really good business models will be successful and the bad business models will die. So in a sense, why should you care? You should care when so yeah, so people are going to try to make money off software development and they're going to call it whatever they can to make money, but what we should we should care when it starts to hurt everyone. That's the thing that should cause an alarm is not just one company experimenting with open core, this, but close that. What should concern you is when the aggregate behavior of all the people start to make it really difficult to understand what licenses mean anymore. And I think another concerning thing is if we go back to the origins when we were talking about the GPL the commons consumption used to be small enough that little organizations filled with people who loved free and open source were enough, but there's just so much money and so much aggregate bad behavior that we have a true tragedy of the commons. And so there's a couple solutions that I think we should start thinking about. The first we should really talk about is government regulation. Because we don't just have regular market dynamics anymore. What we have is a potential market failure. We're just letting people buy and sell things to each other has not been effective because we're diluting the idea of open source making it more difficult for people to understand what software they can use, what software they can't. I've been really impressed because we've been talking to some European regulators they're very open to technology. They understand how technology is developing. The open source community needs to enter into a dialogue with regulators. Because what we don't want to happen is the market failure gets worse, it gets worse, it gets worse and then all of a sudden regulations happen that just complicate the situation even more. We need an open and productive dialogue so that some of these things are defined. The two traditional ways of protecting the comments. One, you have trademark protection where there's a law designed to protect against consumer confusion. You have a source identifier. People know that this means this and that means that. The second thing that government regulation can do though is pass laws and investigate deceptive advertising. Pass laws and investigate open washing because it's one thing for capitalism. People are going to try their thing, it works, it doesn't work. But it's another when their behavior puts in jeopardy the thing that we all love. So unfair competition and deceptive trade practices. Another thing that I think we should consider, we're going to talk about this a little bit more shortly, is a lot of people have been thinking about the open core versus open source or any innovations and licenses. That's very scary. The thing we don't want is license proliferation. But what if there was a different perspective? If you go back to how we're trying to frame the theoretical model behind this, if we're just trying to protect the comments so that we can speak to something that we can share, maybe it's less about saying that a certain business model is bad, open core is bad and new license is bad. And instead it's about creating more clear guardrails for the consuming public. So if we had certification marks, if we had more industry associations, open core should have its own industry group. It should file its own certification mark and one of the recommendations we're making to is that the OSI consider not just branding and labeling what are acceptable OSD licenses, but also kind of branch out. Because the biggest value that the OSI provides right now and under another volunteer led industry groups is by helping the market figure out what is what. That is really the truest value that they're providing. So that's kind of the public regulatory solutions. Now I'm going to pass to Michael for more specific recommendations. Thanks, Max. So for 20 years the OSI has been at the forefront of defending open source through its curation of the OSI approved license list. One need not look very far or one only need to look at the day to day, week to week activities of the OSI talk list to see the product of their work. For every license that we hear about that's proprietary license, source available, et cetera, et cetera, every weird license that we hear about there are dozens, perhaps even more strange licenses, licenses that are harmful to the community that the OSI spares us from dealing with. And for that I think we all owe the OSI a huge magnitude and the value that they've contributed to the open source community is immeasurable. And with that one of the reasons, one of the things that we think about in thinking about how to attack or how to solve this problem is we like to think of the OSI as the master branch from which there is not a need to fork. And I think we want to be very clear about what we say when we say we mean we think the OSI is the master branch because Max has talked about a couple of solutions, Chris will talk about a couple more solutions, but we don't want you to get the idea that we want a bunch of other forks or a bunch of other people or organizations taking up the mission of defending open source. What we would prefer is for the OSI to be at the heart of all of this to either take action themselves or direct or coordinate actions among multiple groups. The reason for this is obvious, right? It's not helpful to fork anything and more importantly if you have multiple different organizations interested parties taking up the same cause it creates tension and tension that could otherwise be put towards advancing our mission. Taking that master branch analogy one step further one could make the argument that open core is the first fork of the vision of open source, right? Shared by the community, shared by the OSI and potentially more may come. Open source as Max and Chris have mentioned is principally used to be individually driven, developer driven activity. It is the type of stakeholders since that have come up or now consume use and contribute open source are now much more diverse, right? There are other organizations there are corporations, there are governments lots more different types of stakeholders are now interested in open source and as we know when stakeholders do not feel that they have a voice or they feel they have been neglected or ignored for some reason they won't inevitably fork. That is not to say that had we or had anyone given the open core people a seat at the table that they would have done anything differently, right? They might have done the exact same thing anyway, right? But I think given the challenges of the mission an opportunity for outreach an opportunity for conversation should never be missed. One thing that was particularly interesting about one of Chris's slides where he talked about the race to the top among open core providers of racing to the top of who is more open, right? You'll notice that one of the the you know in that chart they had like check boxes and X marks over what was open versus what was closed, right? And the SSPL was defined as a closed source thing, right? That was undoubtedly the work of the OSI, right? And it's just one of the ways in which the OSI can have an outside impact on these markets. And so there's a couple of ideas that we had. These are not new ideas. We thought it would be helpful to put them all in one place. But as Max mentioned, to control the narrative or create a counter narrative by calling out source available, calling out proprietary, calling out unclear licenses, creating reports that discuss all of these and so that when folks come out with proprietary licenses or source available licenses, there's a counter narrative to act. And not just reports but also active intervention. Max mentioned a certification program. It could be OSI approved or it could be any name that closely attributes the source of origin as the OSI, right? And through certification, there are other things we can do. We can use certification to build and communicate and possibly moderate other norms associated with the community. And in that sense it's kind of like driver's education, right? We can use education to use training as a path to redemption for violators. Now I'm going to hand it to Chris who's going to talk about some more solutions. That ridiculous picture that Michael had with the OSI defending a spell reminds me of Josh Simmons on Twitter defending things in many ways. But the OSI essentially is it's a wonderful organization but as I mentioned, times have changed, right? There's a lot more corporations, governments involved in open source and for a lot of people may not realize this OSI is essentially primarily run by volunteers, right? You know, they're elected to the board there's some staff but it is primarily a volunteer activity and kind of one of our suggestions out there is for the OSI to move away from this model of volunteerism and instead accelerate activities that help increase a more diverse set of stakeholders that are now building businesses on open source and also do activities that could accelerate more funding and actually get people that have full-time responsibility in defending open source given how critical things are. Other ideas that we've been talking around how to protect the commons in open source is you know humans write campaign to their pros and cons, I'm a supporter they have their own issues but public shaming works in some ways so they have this thing called the Corporate Equality Index which they basically put out and it basically has companies that are listed what are you doing to essentially improve the rights of the LGBT community and so on and essentially ranks everyone and essentially provides people in outlet to see how folks are doing oh if my company is not doing well maybe it's going to give me ammunition to fight that but these types of things actually do work and help change the narrative and conversation and have companies support some type of causes we could potentially create a new index for what it means to be a good corporate open source citizen and try to get companies to behave in better ways by having a public index and these type of sustainable certification indexes happen for all different types of organizations there's things for buildings, lead there's b-corps who are kind of hipping in now so this is kind of an idea to see if we can kind of get organizations out there to do more to kind of sustain the open source commons you know I'm a strong believer that more transparency and data out there could shift behaviors I found an interesting report that just came out probably like a week ago was there was a company in our studio they became a b-corporation and as part of that they have to kind of report what things they're doing to kind of support social good type things and in their report they're basically here's all the work we're doing to contribute to these open source projects here how others are doing it and they just have a bunch of data they all have little boxes that say hey here's how much money we've given to open source organizations out there that we depend on and so on so that's a huge contribution in more like public reports I think can shift behavior one big movement out there that you know has really was kickstarted about 30 years ago was the whole CSR corporate sustainability social responsibility initiatives and almost every large Fortune 500 company out there has some type of team or group working on corporate sustainability they produce these ridiculous building green data centers, yada, yada, yada. What's interesting is if you look at these reports, lots of great things about environment and being better citizens to how their supply chains are managed, nothing unopened source, absolutely nothing. This needs to change. I don't know how to do it, but it's something that's been eating away at me that this is something that is part of our commons now and needs to be included in these types of initiatives. So given that we're running a little bit at a time and have about five minutes of questions, I just kinda wanna wrap things up and discuss our final points. As I mentioned, open source has changed incredibly in the last decade. It has moved away from a kind of niche business, more individual hobbyist thing, to big business, big government. It is everywhere, fridges, TVs. Don't know why it's in microwave, but it is absolutely everywhere. And what's happened is some of these organizations that have existed in the past, I don't think have fully adapted to this new method of working in dependency out there because with all this big business and organizations out there, they're twisting things and attacking things and we should do our best to go fund organizations that are doing the best to protect and potentially shift how they essentially operate potentially. The other thing to kind of end on is there won't be one organization or solution out there that is gonna solve this problem completely. Just like there are tons of organizations out there that are tackling corporate sustainability, environmental problems, we will have multiple organizations to do this and we should not feel that we need to overborden one organization. I think the OSI has done a fantastic job and I encourage everyone in this room to individually and even get your company to contribute as much as possible, but us as corporate or let's call ourselves open source citizens I think have to have the initiative to realize that times have changed and we need to do something because there is a lot of folks now that are interested in potentially twisting this for their benefit and if we don't kind of work together we're gonna end up in a situation where open source may not be as powerful and efficient as it has been in the past. So we're gonna wrap it up for a little bit of questions unless my colleagues have any other points they wanna end on but I wanna thank everyone in this room for getting up early Sunday at 9 a.m. at Fosdham is a very rough time for people. People are probably still a delirium but hopefully you enjoyed it and if you have any ideas on how we can improve this we'd love to entertain some conversation and entertain some questions. So thank you, we have about five minutes. Looks like Pat. Okay. I saw Pam for a second. There's a hand over here, let's start on this side. Sorry. Thank you for bringing attention to these very tricky issues. Some of the solutions that you mentioned are defending open source branding, preventing greenwashing, having an open source index, certification. But there's a loophole. There's a vulnerability. There's a risk, a countermeasure we can anticipate and that is those that don't really care about free and open source software will move the goalposts, will change the meaning of the words open source so that source available advocates will claim that that's what open source is, that the index will become JD power, it will become a pay-to-play definition. What do we do? Thanks, Tom. I'll start it. The question was that there's a vulnerability in the suggestions that we're proposing here because people will move the goalposts. The definition of open source people are incentivized to change and twist until it no longer describes the freedoms that we're all used to. I think that's right. I think that's going to happen and I actually think that we're putting too much weight and too much emphasis on the OSI and community organizations because there's just too much money at stake to lie and there's no way that a small little initiative like the OSI can by itself without other interventions defend against that. What we need is to give more money, give more resources to the OSI so that they can accomplish their mission of labeling and making clear what is open source. So we're going to attack it from that angle but really there's probably like regulatory or deceptive trade practices. There really needs to be probably a regulatory governmental intervention here because the economics are just off to put everything on the OSI. Yeah, I think it's also, it's really a question of execution and how many fronts you open up of attack. And so one thing that I've noticed is that there are, you know, within my organization there are groups of developers with varying levels of open source literacy, right? And those developers with high levels of literacy will come out strongly against certain practices, right? Either in the community or within the company, right? And I think for these folks, one of another lever we could leverage is that we could poison the well for them, right? By really looking hard at making it, you know, questionable for a developer to work for something. I want to make sure there's time for other questions. So we can't, Pat, oh, sorry. Okay, cool. It seems we don't have any more time. I would ask you to organize a room today here in the first time so we can join and discuss solutions. I was just going to suggest about certification that we, that you think about things about sustainability and revenue sharing, certifications which are important for procurement in public and private companies when you have an audit about those things, then you can go on to those companies asking, do you buy things that have these certifications? Like we have with products which are sustainable, which for instance, on coffee and other stuff. Yeah, unfortunately that was our last point. We have to end due to time. Get rid of applause for our speakers. Can we make an exception for Pam? We are over time, unfortunately. We have to set up for the next talk. Yeah, thank you very much. I'm just, I'm on the board of the Open Source Initiative. My name's Pam Chastick. I'm on the board of the Open Source Initiative. So I just have, I want to thank you so incredibly much for this talk. It was really wonderful, very thoughtful. This is a couple, like two quick points to make. One is because the Open Source Initiative is a charitable organization, it's a charitable nonprofit, there are issues in how we manage money from corporate donations. So just to sort of put that on the table. The other is there is a logo that says OSI approved that we ask everybody to use. So one of the things that you're pointing out is that the solution is available and we would very much appreciate if people did use that logo to indicate they're using an approved license and that would be, that would go a great distance to help. Thank you. Thank you, Pam. All right, thank you everyone.