 Hi, this is your host up in Bhartiya and welcome to another episode of the stock today We have with us Anna Hammerson ecosystem manager at the Linux Foundation research and I scared to have you back on the show This time remotely not in person, but it's still great. Yeah, thanks. Thanks for having me Yeah, and today's topic is research report on open source Congress 2023 talk a bit about a Bit about the report the background and what is open source Congress as we Know as individuals in the open source community open source is about more than just software it's about an entire model of work and collaboration and it's those models of work that allow for the kind of innovation we see in the space and the the use we see in the space and So the community as a whole is is working on these in these kind of innovative spaces But is also facing some at times unprecedented challenges You know anyone in the space knows we're facing always cyber security challenges As we saw in the conference and as individuals are seeing there is higher regulatory scrutiny we're also facing issues with techno nationalism and Digital sovereignty where these tensions between different geographies make that free flow of knowledge and software difficult And then of course as we're all talking about we're seeing risks and ethics around ethical issues around artificial intelligence and so a Few there are calls from our community to bring leaders together in this space to You know as the report is titled to stand together on these common issues and whether or not you're in the healthcare industry You're in financial services. You're in Canada, you know, you're in you're in China or Any kind of cultural social structures? We do need to bring ourselves together to address them collaboratively and so in July of this past year 2023 53 open-source leaders came together In Geneva in Switzerland and the mandate was to identify what these shared values are and also what the shared priorities are around these challenges To build relationships amongst these foundations and organizations and then come up with a plan for how to sustain the diversity and resilience of the open-source space so the objectives were to discuss these critical challenges explore pathways and then Establishing channels for discussion as earlier you're talking about some geopolitical tensions that are going on there Of course, there are a lot of tensions Which are purely political sometimes there are trade embargoes also there so And there are like conflict between Nations political parties, but there's a lot of collaboration that goes on with people So when you like since you're also like involved with a lot of Linux Foundation project you talk to a lot of folks and With this con congress, you know, what are some of the issues that you felt were like They're like like only on the surface Hey, you know what that can be deal with and then you saw there are some issues Which are very very core critical because when they are trade embargoes you actually cannot even interact with those Countries or those industries. So what are some really serious issues that? Came across when you know your teams or you know the links foundation was working on this report Yeah, so I guess in terms of the techno nationalism piece we had individuals who We we we had some findings around the fact that there were groups that felt even coming together in a specific In a specific location was difficult, you know, where do we go? If is it political to meet up in Geneva or in North America or somewhere in Asia and so As as is quoted in the report, you know, it's even the location of the meeting can be difficult and so From from our findings it felt like this was kind of a newer issue that that wasn't happening, you know Maybe 10 20 years ago And so I think even that that tension there is difficult to manage and of course the point of the congress is to rise above those issues and You know as a as a neutral body that is meant to be, you know Not any sort of political leaning the Linux foundation and these other Foundations that also are are neutral in this space You know, the idea is for us to rise above that that tension and to also Promote the fact that that this collaboration is more important than these kind of regional tensions But definitely has been an issue in in even as I said even setting up a location for this And so Geneva was chosen as it represents kind of a neutrality in this space But yeah, even even a location was difficult if I asked you to kind of summarize What are some of the key findings of this report? Yeah, so the as I mentioned earlier the the meeting was set around these kind of core challenges in the space and so one of those, you know is is open source software security You know with open source there's an absence of a central authority to ensure disclosure and Responsibility around vulnerabilities and and hacking and so That represents an issue in and of itself and then there's also as we've seen in our other research There's a lack of cybersecurity professionals with little bandwidth to actually manage that foundational security piece and so some solutions that the group came up with was you know focusing on training and tooling and We actually have a research report that we're we're looking at around security education For developers, but training and tooling came up. How to attract new talent, especially talent that is diverse And then also can we work with schools and other institutions to develop stronger curriculum around security? There's also the the age-old story about how do we compensate maintainers, especially when it comes to that really foundational security piece and then finally the concept of security by default and designing around foundational security principles that just make the software stronger from the GECO The second challenge what that was discussed was was around regulation and so the you know, the EU has come out with a lot of a lot of policy and the states as well, but the there was a focus in the report around GDPR The Digital Markets Act the AI the AI act and of course the CRA, which I believe you've touched on in other interviews with Hillary But this this there's a sentiment that these these policies could be and have already impacted the open-source community and and also our Participants of the Congress felt that the open-source community is not actually engaging enough in this policy space And so not only is is is policy being created that does not Reflect our perspectives because we're less engaged, but also our contributions at a socio-economic level are less understood and so some solutions around that were the You know the foundations have to acquire the skills to engage in this kind of policy work You know, it's not a developer work It's you know, it's you know nuanced understanding of how institutions create policy legal acumen communicating complex technological concepts advocacy public speaking so Making sure that the foundations have those tools to to communicate with policy makers and then How do we actually engage? actively in Policies and proposing new policies around these issues of cybersecurity AI privacy, etc The third finding was that or the third kind of core issue we discussed was This geopolitical tension and so how do we maintain that free flow of knowledge and technology? When we're talking about techno nationalism and digital sovereignty And so also the issue of when we when we are in a more digital sovereign space This typically increases the amount of regulations Which increases the cost of compliance, you know, we see that in Canada in the healthcare space where we have 13 different jurisdictions with 13 different privacy policies and so as a result data stewards are are risk averse because they don't understand all of the different Regulations in place for for data privacy in the different provinces or are less familiar with different provinces. So Some solutions around this where you know, it's difficult to come to actual solutions around something like a geopolitical tension but always Foundations can always champion open-source software and the fact that digital sovereignty Has actually been embraced Sorry, digital sovereign sovereignty has embraced open-source software, which removes that dependence on proprietary technology You know avoiding situations where those political considerations really dominate the technical considerations and who can participate and who can't And as I said earlier just remaining politically neutral and transparent when managing community contributions And then of course that piece around around increasing diversity in the space and so investing in there is a comment about investing in translation capabilities for project comms and embedding stronger codes of conduct the last element, which is a big one is is was the artificial intelligence concerns and so That focused on the definition of open when it comes to AI, you know We have a really strong definition of open when it comes to software, but as we've seen and has been written about You know this that that definition doesn't flow seamlessly into a definition for artificial intelligence You know, we have we have models that as we as we've seen in the report and at the Congress the the more Transparent they are it's actually a trade-off with performance and so That explainability and transparency is a really key element of understanding how we get to an outcome using artificial intelligence And what the inputs were but as was discussed at the Congress The more explainable sometimes the the the weaker the performance of the AI tool and so again not a ton of really Well solutions were difficult to come to in this space, but There was definitely championing of more open AI and You know, we that ability to kind of approach AI in a transparent way and safeguard human rights and and put in checks and balances for for bias looking at the importance and rule of public sector especially with the Linux Foundation Europe Are there any departments division or Dedicated foundations with the Linux Foundation, which are focused purely on You know public engine, but when I say public sector, you know government in DC Or do you feel that you know different foundations can't deal with that at their own level? I just you know, it's a kind of higher level question where you feel that you know As you said earlier that at the Congress we realized that we do need more engagement of open source community with government But having a concentrated effort might, you know have more results Versus fragmented distributed first. Yeah. Yeah, I'm glad you asked that that was actually one of the Conversations that came out of the Congress and so the first half of the day was what are the challenges? What are the issues? What are maybe some solutions and then the second half of the day or the later part of the day was a discussion around okay? We're seeing a theme of collaboration absolutely across all of these areas How do we actually? Initiate that kind of collaboration and the kind of work that we need to see to have all of these parties come together And so I think the the Linux Foundation and other foundations You know, they do a lot of work to kind of provide that neutral home for for initiatives and projects and data and software and hardware, but we Were we're stronger as You know as a united front of different foundations and and as you say we have the Linux Foundation Europe We have Linux Foundation Japan, but there are other foundations in this space that that can that are willing and are interested in supporting this kind of Larger global collaboration and so in that latter half of the of this of the Congress there were two solutions that were thrown around about how to bring about this type of global collaboration and so one was a more kind of formal body around the Collaboration they were calling it a kind of global secretariat something like the UN for open source and so there were some pros to that where the formalization of that kind of body allows that to be someone's entire kind of job and purpose and things may move a bit faster than other solutions, but of course that need for resources and You know the limited bandwidth that already exists at open source foundations makes that makes that a Potentially a challenging solution to actually adopt and implement And then the other solution was more lightweight and that was to create a peer-to-peer network of different open source foundation leaders to to meet on a kind of regular a regular basis and to discuss these issues and and I think particularly when it comes to the policy space, you know how to Working on building relationships with with policymakers I think the beauty of a foundation at least like the Linux Foundation Which is what I'm most familiar with is that we are a group of people that often have that kind of communications and In a kind of more nuanced maybe more nuanced legal understanding because that is what we were founded for was to provide legal expertise And legal support a community building support, you know program management support And so we may already have a lot of those skills that are needed for engaging with policymakers And so I think bringing bringing our might together with other foundations As the Congress just suggested either in a more formal way or a more informal lightweight way Would really help with this these issues that we we came up with at the Congress When we talk about, you know, this importance of international Collaboration we kind of tend to forget that open source is an international idea either way The kernel was developed in you know, Finland in Europe and most of the work is done in Europe A lot of AI work is being done in China, Asia, different countries So the whole open source and open source is less about code. It is actually about collaboration Code is the easy part, you know, the most important part is people and collaborations so During that discussion During the Congress or you know, when you're looking at this report Did it ever come up with hey, you know what, you know, why this international collaboration is so important? Or it is taken for granted that yes, open source is an international concept and idea is the the the the political boundaries Doesn't shouldn't exist when it comes to open source. Yeah It's a good. It's a good question. I think the the the collaboration piece is of course As I've mentioned before it's kind of the foundation of what open source is We find that across our research that collaboration is key to to pushing the space forward But I think to your point of is international taken for granted. I actually think it's maybe more the At least what was found in the report is that there's there's a western Centricism to the work that that goes on in the open source community You know, um, English is the language we use to you know to communicate in these communities um, and there's um, definitely more of a focus on Western north, maybe even a focus primarily on North American Organizations and companies which is in part why we're seeing more digital sovereignty and Techno nationalism in these different areas such as in Europe where there's a desire to be less dependent on American companies But I think that international piece is is really important because it also opens the door for you know, if we become a more internationally focused group then that leaves room for Maybe a more diverse developer pool You know as as a woman in tech. I always say, you know, if I see a woman somewhere I know that that's a Place that I can go as well And so it's not always needs to be that case But I think the more representation we have in these spaces and and the last kind of western centric they become the more we can attract diversity of thought and diversity of development, which is crucial to building these softwares and also to You know to build out that To bring these softwares together that are maybe being produced more in in china or in europe But to kind of make them more global. So yeah, I think it's a really important point of Internationals not necessarily taken for granted in the open source community As you earlier talking about, you know, that a lot of you know, European or other countries they don't want to rely on, you know, American companies for their code bit and I think that's where open source comes To play because you don't have to rely on a company you rely on an open source project and that's actually Makes it even more important for a neutral place like Linux foundation because now because the Code base even if it is open source if it is owned by a company That you're still, you know, kind of tied to that company But if the code is owned by a neutral foundation like Linux foundation or Kubernetes a good example I mean you folks have tons of projects. So that actually creates a very even playing field It doesn't really matter whether you in Japan, China, Asia, Africa, Europe You can collaborate you can leverage that code base. So open source is the global language when it comes to writing software As we saw in the report, they're the digital sovereignty component of not wanting to be reliant on a specific Company or even an entire region of software development Um, you know, it makes open source a really valid and useful response to that to that concern And and the Congress the individuals at the come at the Congress were supportive of digital sovereignty Absolutely just how do we kind of Um massage or or Use digital sovereignty for Still engaging the open source community and supporting, you know Data privacy and all of these issues that come with the desire for data sovereignty But to not close off that that flow of You know of software and knowledge and I think One really interesting important piece that we always see in our research and I've spoken to you about before with our micro grids Paper for example, but the that this interoperability piece And so that also comes into play in this idea of of sovereignty and even a sovereignty over Proprietary solution or company and you know, we've we've seen that in more energy work We had a meeting with nrcan the other day a canadian Department and we were talking about the issue of building out a software or an infrastructure That's reliant on one piece of proprietary code That where the company may you know go out of business or stop developing that and then you're you're kind of stuck And we see that in in healthcare as where as well where if you buy a piece of proprietary software And then that software gets you know off the shelf and then that software no longer is developed and and that that company no longer exists your entire data is exists in this kind of maybe this Infrastructure that no longer really exists or works and and I was reading an article about the that issue in the AI in an AI capacity where You know you have these off the shelf AI models where if they go away at some point Then all that data that was used to train all that healthcare data that was is patient data Just no longer not even that it no longer exists It's just no longer useful or that you have to kind of start from scratch and so Getting back to your the concept of sovereignty if if we implement open source tools It leaves so much more room for that kind of modular interoperable approach that doesn't leave us reliant on one piece Or one company Which is important across any industry Can you also talk about you know as you're a little explaining they know that there are some challenges They're figuring out how to have a better collaboration with the public sector And open source what role do you see that you know LF research can play there because you folks Not only get a lot of insight, but also you give it back, you know the lessons learned, you know What are the I mean even solutions can come out of that so talk about the rule of No, these kind of research and reports. Yeah, so the I think the the great part about having an organization like the next foundation research is that we can attend events like the congress and You know record what happens and write it down in a in a digestible You know actionable way and so that's what we did this time We've done it with other roundtables and other sessions And so not only do we produce primary data survey data interview data, but we can also You know go to events like this and use Chatham house rule to to produce Findings that that make what happened at the congress not just kind of discussion but also Discussion kind of written down on on paper to to use For individuals that that either were there weren't there to bring it bring those points across I think research generally is a really important aspect of Particularly when we're looking at that regulatory piece We work with a group called penta and they produce research for us around the role of of Or the the understanding of open source and a linux foundation in the european and american policy space And one of their findings is that the linux foundation When it's when when those policy makers know who we are or know what open sources We're well respected and our research is very well respected And that plays a really important role in policy making when you have individuals that You know policy makers are not experts necessarily in what they're creating policy around and so We can provide research like you know this congress report in a briefing memo or as a full report and they can Then use that research to to educate themselves on what open source is and that is as we talked about earlier That's a huge piece of this regulatory puzzle is how do we get policy makers more engaged in what open source is and so kind of this full circle of Doing this research to figure out policy issues to then write the research and use it in the policy space I think it's a really nice Full full circle moment for our linux foundation research. So yeah And I thank you so much for taking time out today and talk about this Report actually you share some great insight in what's going on in this world So and and the rule and importance of open source linux foundation and linux foundation research there Thanks for all those great insights and I would love to talk to you again. Thank you. Thank you Thank you so much for having me