All right, yes, I'll go ahead and get started. Hi, everybody, welcome. I'm very excited to get this first joint community meeting webinar session going because I think it's really the first time in my knowledge that we are getting Joomla and WordPress and TYPO3 and Drupal all together to do a presentation, all four of us, which is absolutely incredible. So I'm, first of all, really excited to be doing that, even though it's a very serious topic. It's an exciting beginning. So thank you, first of all, to Tim and Josiah and Mathias and Neil for participating in all of this as in representing your projects and collaborating on this initiative.

So today we are going to be talking about the Cyber Resilience Act. You may have seen the open letter that our communities put out regarding the Cyber Resilience Act and how it might affect us on some of the issues that we see. So this webinar is intended just to go a little bit more in detail and explain more clearly how it might affect our projects, how it might affect our communities and so on. So just to get us started, that's not it. How did this happen? Sometimes Google Slides doesn't like me. There we go. So just to kick this off, these are four of the five people who will be speaking today. We have myself, my name is Crystal Dionisopoulos. I'm the president of Open Source Matters, which is the organization that supports the Joomla project. We have Tim Doyle, who is representing Drupal Association. Mathias Bolt-Lesniak, and I really hope I said that right, from the TYPO3 Association. And Josepha Haden Chomphosy. Chomphosy, yep. Close, I was close. From the WordPress project. And we also have Kieran from OpenForum Europe to help us get through the nitty gritty of the Cyber Resilience Act. So thank you all for joining us and for speaking. This is just a quick agenda.
We are going to talk a little bit about our different projects, why we are working together, what is the Cyber Resilience Act, why it matters and what's coming up next and how you can get involved. So I'm going to go ahead and hand it off to Tim so he can introduce the Drupal project.

Thank you, Crystal. Yes, I'm Tim Doyle. I'm the CEO of the Drupal Association. And many of you know Drupal, but if not, we're an open source CMS, about 20 years old. The Drupal Association is a U.S. not-for-profit that seeks to support Drupal the project and Drupal the community globally. We have, I would say, in the tens of thousands of members and most recently have been recognized as a digital public good. Our existing security measures, we go through this because this is fundamental to the rule. We have a Drupal security team which is made up of 30 of our members around the globe. They follow a discrete process when issues are flagged or resolving them. And they use a standardized risk assessment which is based on a NIST framework. So we have a pretty robust security apparatus that monitors issues and addresses them discreetly. That's Drupal, let me turn it over. Next slide, I'm gonna turn it over. I think back to you, Crystal.

Why does this keep happening? I'm sorry. That's okay. There we go. Okay, so the Joomla project is forked from Mambo in 2005, which this year is 18 years ago. Joomla is going to be turning 18 in a couple of weeks actually. So we're excited about that. You might wonder what Joomla means. It's an anglicized version of a Swahili word, and also has similar words in many other languages, that means basically altogether or as a whole, because the whole reason that Joomla started is open source matters. The project we were forked from was basically going closed source and the community did not like that. So Joomla was born, and Open Source Matters, as the organization that supports it, was founded at the same time as a nonprofit organization in the United States.
We are completely volunteer run. No one is paid to contribute to the project unless they're doing so privately. There are no staff for Open Source Matters and we are still thriving after all this time. Joomla 5 is going to be released this October. As far as our existing security measures go, we are a registered certified numbering authority for common vulnerabilities. So we really care about being transparent. We also maintain a public list of vulnerable third party extensions. So even if there's a third party component that someone has installed and we are aware that there's something wrong, we let our users know. We have the Joomla Security Strike Team, which is dedicated to security, with very robust reporting and disclosure processes so that we can make sure that our process is secure and transparent as much as we can. And we also have built-in support for multi-factor authentication to log in and passwordless login, which is helpful to increase security of the CMS itself. So that's Joomla and I am going to pass it off to TYPO3.

Oh my gosh, again, really? Right to the- There we go. Questions instead. Questions, yeah, I introduce myself. I'm just assuming everyone knows everything. We're good. All right, go ahead.

So, Mathias Bolt-Lesniak, I am a board member of the TYPO3 Association, and TYPO3 is what we call an enterprise any size CMS, which means we have enterprise features but anyone can use them. And TYPO3 was started as a project by a Dane called Kasper back in 1997, that's when he started writing the first lines of code, and the initial release was in 1998 and that's 25 years ago, and I'm sitting here another day before our developer days start and I'm actually wearing a T-shirt with the 25 year Jubilee on it.
And the interesting thing with TYPO3, I guess, is that after a while Kasper pulled out of our project, he basically gave it to the community, and the TYPO3 Association was founded in 2004 as an organization that should own the trademark of TYPO3 and coordinate and fund the long-term development of the CMS. And today we have around about a thousand members, and the TYPO3 Association in 2016 decided to found a subsidiary company, and well, it's called TYPO3 GmbH because it's in Germany, and it's a service company that provides services to agencies. It doesn't make websites or compete with agencies in any way, but it helps with marketing and the certifications and also our extended long-term support plans. And we released the version 12 earlier this year, which will be supported until 2029, which we're kind of proud of, and that's actually one of our existing security measures, is that we have security patches for three years and then another paid three years with extended long-term support. We have a security team that is funded by the TYPO3 Association and that handles everything that has to do with security reports, both for the core and for extensions, and we also have detailed security guidelines and our documentation, and we also have a bug bounty program. So if you go looking for bugs, you might actually get some money for that. So then we're on to WordPress, Josepha.

Hello my friends. So WordPress has also reached a milestone this year. As many of us know, we have been celebrating our 20th birthday all year long and we will continue to do it, because what use is a party for just one day? We were forked, not 18 years ago, 20 years ago in May, from b2/cafelog, and like every other project in here we have a foundation. Ours is a registered 501c3 in the United States, but it has no paid staff and it actually is just there mostly to own and operate our trademark and do a bit of DEIB investment.
It does not actually run the project as much as it feels like it should. The project as a whole is hosting its second women, non-binary and trans-led release that starts like a week from today. And so we're very excited about it. As far as our security measures go, we currently research and patch our releases as far back as 3.7, which is 99.98% of the installations that we are aware of, is a lot of installations. But we also train and educate about security best practices through our event series and also through the group of security researchers that work and kind of contribute with us. We have a bug bounty program that scales through the course of the release and we have ethical disclosure requirements with those as well. We partner with two third party entities in our community that are CNA registered and we host also an open communication channel with our hosting partners. So if they find things that are alarming they can tell us, if we find things that we are about to need to patch we can tell them, and just minimize the strike zone as much as possible.

So those are all of our projects. Before we move on, I want to just welcome everybody who joined since we started, and before we get further into the heart of this conversation about the EU's upcoming Cyber Resilience Act, I did want to just stop and note what Crystal has already mentioned and what we have been seeing over in the chat here, that this is something that's really special happening here. Today we have leaders, either named or elected, from four major open source CMSs that account together for almost half of the sites that we find on the web. And while our softwares are by certain definitions competitors, there are various things that we will always agree on. Let's see, let's, yeah. So there are the basic facts of things that we agree on.
We all agree on the importance of defending the GPL license, we agree on the ease of using PHP as our base language, we agree that our communities are sacred and worth every bit of investment we can make. And we all have been agreeing on this for like 25 years, between 18 and 25 years, forever and ever. But there are also some philosophical things that we agree on. We, beyond the four freedoms, we all of course agree on the four freedoms of open source, but we all function in a not-for-profit capacity, which means that we are reliant on corporate contributions to sustain us. And as we get into the definitions in the CRA you'll understand why that is important for us to call out. We are also all volunteer driven. And finally, even though we all know that our frameworks can power excellent enterprise solutions, we also see that our software is equalizers, like all of our software are equalizers for small businesses and solopreneurs across the world. And because of those commonalities we are working together today as champions for open source on the web and for freedom on the web as well. And also for the continued success of our communities.

So why is open source collaboration important? And this is really the first cross community meeting of Drupal, Joomla, TYPO3 and WordPress. So that is, I mean, if you're here today you can tell your children about it and they can tell their children about it and all of that. But it is something special. I don't think you would find this in other communities, that we can really get together on this level. But truly what we see very often still is that people see our CMSs as competitors, and maybe they have sort of a sideways glance and they look at the other one and they say, oh no, we keep away from those, or something happens over somewhere else. And we talk it down. We're very good in the open source community option of talking up our own projects but talking down other projects.
And however, we are really open source counted for example the dependencies of the Drupal core and the TYPO3 core and looked at what they had in common, and actually 66% of the Drupal core dependencies are the same as TYPO3 has. So there is really a connection between our different CMSs on a deeper level. Of course we have different approaches to things, but I think we can all learn from each other. And when we haggle about who's actually best of the CMSs, I think there's one really important thing that we very often forget. And next slide please. And that is that's looming above us that very often talk about open source as one thing. If something goes wrong, it's one open source project. It doesn't have to be one of ours, but they can point at them and they can say, well, you see, that happens in open source. And that's not true. We all know that security issues, for example, can happen anywhere, but we're actually open about them. We talk about them, we collaborate about them. A security fix in one system can be ported to other systems as well. And that means that when we work with open source we have to work as one. Next slide please. And that means that when we talk to clients and sell our CMSs, there are actually three levels that we can work on. And I think the first and most important choice that we have to focus on for our clients is actually that they choose open source. I think we're bringing ourselves into very, very difficult competitive situation if we try to compete with, I think the really important choice that has to be made first by every client is that they choose open source, because there are so many inherent benefits in just choosing open source. Then the next choice, when a client has chosen open source, is of course to look at what platforms there are in open source and finding the best platform.
And in the end, and I think that's really where the strong competition is happening, is really choosing the agent, choosing the people with the best expertise to create the solution that is right for the client. And I think we can all agree about there is nothing good about a client going to open source and choosing the wrong platform or finding lack of expertise. So those are all things that we can collaborate on and get better at. Next slide.

Totally agree. Thank you. The next part is going to be about the Cyber Resilience Act. So I'm going to hand this off to Kieran.

Thanks. So just to briefly introduce myself. First, I'm very honored to be at this momentous occasion. This is very, I'm very lucky to be here. My name is Kieran. I'm working in Brussels now for 20 years, mostly on free software open source policy. I worked as a software developer before that. And then when a certain software patents regulation came up, I moved to Brussels, and once I got into policy, I stayed. I'm working now for OpenForum Europe, who also has been working in Brussels for 20 years. And we weren't working together for most of that time, but we're working together now. And so in general, we work on policy topics and we work on the very long-term side of things, trying to make sure that we get the people in the Parliament, Commission, Council to understand these topics so that when they write something in the future, it will be of good quality. That doesn't always happen, though. And so the topic for today is this Cyber Resilience Act. I'm not going to go into nerdy, legal details, except for the first 30 seconds. So just if anyone wants to follow along, reading different parts of the text. In general, what the Cyber Resilience Act does is it changes the concept of software being treated like literature, where you have the freedom to publish, is a general freedom.
And it changes that into software can be published if, and then we have to fulfill a list of obligations and take on a list of responsibilities if you want to publish software. So this is created in the article five, and then the obligations are an obligation to produce documentation. There is an annex with obligations for what you do before you publish the software. So you have to review it and make sure it has zero exploitable vulnerabilities, for example, and obligations that you have to do after you publish the software, for example, provide five years of security updates and have a way to contact the users if necessary. So that's the legal text, I won't mention any more articles.

So what happens is the people who wrote the law seem to have had an idea that software developed by a group of software developers, usually a company, and then when they decide to make a release, they pass the software on, possibly selling it to the users. And so it's a very simple model based on proprietary software where you have the distributor and the developers is the same entity. And it's a unified entity and it makes releases based on a product plan. The way this doesn't then work with free and open source software is that we have a collection of developers who all put their software into a project, and the project is then downloaded by a bunch of people who will distribute, and then people, users, get it from the distributor. So this is much more complex then, because the obligations of the Cyber Resilience Act are triggered by supplying the software. And so then the first questions are, when a developer uploads the new module they've written to the project, have they supplied the module, and do they have all these obligations just for having contributed to the project?
So all this is hidden behind the walls in a proprietary model, but because we do everything out in the open, because we give transparency and we allow collaboration and competition, we end up getting extra worries about obligations. So the second error is that the obligations are put on the supplier with the thinking that the supplier is the person who knows the software the best, and this was probably thought because if you look at the proprietary model, supplier is the developer because you have both entities are working under the same employer. So, but in free and open source software the supplier is rarely the developer and is almost never the developer of the entire software package. So for us this becomes a lot more difficult, and then we have multiple companies and entities distributing the software, and so once they have CRA applications we have to worry about how many times does a CRA audit and how many times the obligations have to be fulfilled, because if we have 40 different companies in an ecosystem, then where a proprietary piece of software might need one CRA audit, do we need to do 40? We also tend to have more frequent releases as well, that's just an additional complication.

So the reason this is very serious is because the consequences for free and open source software are likely to be, first off, that people were worried about contributing to projects, and this could be individuals just worrying in general what their obligations might be, but also when you think about risk-averse entities, and I'm thinking about SMEs and even more so about public sector entities, if employees are currently fixing bugs, adding features and upstreaming their patches because why not? With the CRA this will turn into something that they have to get approval from a higher up, and once you have to get approval, then becomes the question, well, why would we give approval, or what's in it for us to take on this risk? So there's a risk that people will be afraid to contribute to projects.
Then from the project side, any patch that they accept will agree to their prior package that they will then be distributing, and so then they have to take responsibility for anything that they're distributing. And so not only will people be nervous about contributing, but projects will be nervous about accepting external patches, and for us this completely spoils the way we've always built our communities and our development models and the long tail which fixes a lot of bugs and gives a lot of security review. So this is the consequences of the CRA seemingly being written from a point of view looking only at proprietary software models.

There is a paragraph about free and open source software, this is the Recital 10, and this is, it's somewhat useful. We're glad it's there, it shows that we were considered, but the wording is quite unclear. The wording in general is surprising at first: the software is considered a product, a developer is considered a manufacturer, or possibly a supplier would be a manufacturer, so sometimes the wording isn't completely obvious the first time people see it. But the exemption applies to free and open source software distributed in outside the course of a commercial activity, and so the word commercial is always a source of uncertainty. We never know exactly of what point does a website that has ads, or what point does an organization that accepts donations, or what happens when somebody fixes a bug and then later receives a bug bounty. There are so many financial revenue models in free and open source software that this becomes very complicated, and once things get complicated, then because we generally don't have legal counsel, we generally have to assume that, okay, if I'm not sure this exemption applies to me, I have to assume it doesn't apply. So this tends to make the exemption more or less not get used, and so it may as well not exist in that case. To the extent that it is clear, it's also very unfortunate that it only applies to non-commercial software
because of course the software really grows when we can build up a business ecosystem. We don't rely on the students contributing their free time and weekend hackers. The biggest, the most successful, the most useful software practice we have have multiple companies paying developers and hopefully making money off this software. So this exemption that exists, it doesn't really serve the purpose of protecting our communities and our models in general.

So when we look at the text, we've spent a long time now talking to the people in the parliament, council and commission, and when I say a long time I mean six or seven months, which is actually quite short for a legislative procedure, and this is unfortunate. The timing is such that in January all the politicians have to go to election mode, so at the moment they're rushing to get everything finished by December, so it's actually moving quite quickly. When we look at the text, though, we can see certain signs that could have been avoided had we been involved earlier in the process or had the process lasted longer. For example, the obligation that your software must not have any known exploitable vulnerabilities: in general, the definition of all of these individual words is not clear for everyone, but also we generally consider that this is possibly an impossible goal once you get beyond a certain size. There are then requirements such as your software has to have a default configuration that is secure, which is also difficult because we don't know where our software is going to be used. Particularly if you write a library, you never know if this compression algorithm is going to be used in a light bulb, in a nuclear power plant, in a school. And then we look at the wording that talks about organization financing. There is one exemption for non-profits, but it only covers your non-profits if you don't have recurring donations, and so here they've tried to avoid the situation where a non-profit is set up as a way to launder the software, but
the end result is, anyone who's running a non-profit here, if you want financial stability, which you do, you need to have recurring donations. This exemption will only apply to you if your non-profit has not yet reached the status of being well-run. Then there's another piece of text, which for me is my favorite, is an exemption for foundations who make occasional supply. Now anyone who has a software project and wants that to be hosted by a foundation who promises to make it available occasionally, well, I think they need to rethink their idea. The idea of occasional supply, it's a legal instrument that exists so that non-profits can have a fundraiser at the end of the year and sell some pens and candles without being treated as a candle shop. But the thing is, they've taken that and putting the word software instead of candles, and this is one of the things that's in there to help us. So this is what happens if we don't get involved. So we're involved now, we're doing a lot of work, it's quite complicated, but we are getting more time with the policymakers, which is the good thing. That's my presentation of the Cyber Resilience Act. I'm sure there'll be quite a question.

A brief moment on the status is that the parliament, the commission writes the original text, they hand it to the parliament and the council, I won't go into the details, they've finished their work. So now that we have three entities that have texts, the council, the parliament and the commission, one person from each of these entities will now be nominated to go into trilogues, and so they'll try and merge the three texts. The three texts are very different, so the final outcome will not resemble any of the individual texts, which also means that there's a lot of freedom for anything to be changed really, which could be to our advantage, but it's also something we have to be concerned about because things can go wrong as well. So everything is still open, there is still plenty of work to do, but it is going to finish probably by the
end of November, and so we've got a lot of work to do, particularly to be ready for September. We're going to try to put together a big policy document, 20-30 pages, giving lots of examples. If we can get some of the CMS examples that would be fantastic, and we need to show them how our software gets written, how it gets financed and how it should be protected and how we can increase cybersecurity, because if we want them to help us we have to make sure we're actually accepting a few obligations, and as many as possible really, to increase cybersecurity. And so this is the complex task that we're working on at the moment, and I'm looking forward to staying in contact and working on it together.

Kieran, thank you so much, not only for this presentation but also for the work that you've been doing and OpenForum Europe has been doing to convene open source and advocate for open source. One of the goals, if we go to the next slide, I just want to review, I mean it's a little redundant what Kieran said, but just the three priorities are the biggest problems that we have with the regulation. But really the purpose of this webinar is to build awareness among our communities about the role and what is going on, primarily because, at least in my opinion, one thing open source doesn't do well is advocate for itself outside of its own community. We all have collectively very strong communities, very principled communities, and yet we have folks outside the community not quite understanding how open source operates and writing rules that doesn't reflect and doesn't really support the principles. So that's really the purpose of this webinar. This discussion has been, this rule has been out since September, hearing through the process OpenForum has done. We are a little bit late but not too late, as Kieran said, they're writing this final rule. The other purpose or goal of building awareness is that I think we, the four groups on this call, came to the realization that we need to start
advocating for ourselves to legislatures in Europe, in the US, wherever we need to, because if they don't have a correct understanding of open source there can be a contagion of lack of understanding that moves to other regulatory bodies. And this is one rule, there are the rules coming down the road that we need to ensure that they treat open source correctly.

Our three main concerns with this rule is: the definition of commercial activity is unclear and potentially problematic, and did a great job talking about the different ways that either official not-for-profits or volunteers can receive something of value that could be construed as commercial activity. We have the flaws in the notion of unfinished software: the rule only accepts unfinished software if it's only deployed for the purposes of testing and not available to market, and at most folks knowing this better than myself, even this idea kind of goes against the idea of agile software development, minimum viable product, deploying to get many eyes on, to get feedback, etc. And lastly, the legal responsibility: that open source products, the nature of open source products, are not accounted for in the legal responsibility, legal accountability that the rule is placing. My understanding is that it's falling back to an older kind of manufacturing product model of liability, and it says, if you make, you know, that whoever makes the software is responsible for in terms of a manufacturer, and as we know in open source there can be many manufacturers of the software and not just one. These are our primary concerns. There are others. We are engaged with OpenForum Europe and will be, you know, part of their processes, and support them, and give our input as they, as we write the policy paper. You're the next slide. Just want to go over kind of the high level. Some people have asked, you know, why are we holding this webinar? It's to build awareness and the impact of the rule on open
source projects, and the folks in this call, we all have different models of how we support open source, either from a formal not-for-profit with paid staff to completely volunteer models. All those models are affected by this. It can affect contributors, whether you're volunteer, paid or sponsored. Under this rule, contributions may become more complicated. You know, there's no certainty in this, but I think where we need to advocate is to ensure that the rule is written clearly so open source is not adversely affected and continue to be fundamental to software and the web in Europe. And then lastly, our broader communities can be affected. Whether you work for a large company or a small company or work by yourself, there may be compliance requirements this rule is placing on you that will be quite burdensome. So we have a letter, we will be distributing this recorded webinar and continuing our advocacy efforts. Let's switch, I think it goes over to you, Crystal, to talk about next steps, and I would encourage people, we have questions, put questions in the Q and A, that's where we'll try to answer them. If we have good answers we'll put them in as we have them, and we will be confirming if we need to think more about them. Crystal, let me turn it over to you.

Thank you, Tim. Yes, so our next steps, because the letter was just the beginning: we are going to continue collaborating with each other and with the broader open source community like OpenForum Europe, as well as hopefully directly with EU legislators, because as Kieran mentioned, open source is going to be included one way or another, so the best way to minimize the negative impact is to work with them constructively and give them ways that we can comply, even if it's stuff that we're already doing. So we're going to help offer open source first language or wording or best practices that we are able to include without being too burdensome, which will hopefully influence the final wording of the
act to be a little bit more distinct between proprietary and open source software. We're also working on organizing a seminar in Brussels in person. We're hoping to discuss with legislators about open source, because it seems that the people who drafted this didn't necessarily have an understanding, at least until after they started getting feedback, on the nuances of open source software and how many different kinds of ways that can play out in a community. Even if that seminar is a little bit too late to directly influence the CRA, I'm hoping that it will also help them understand open source for the future too, because there are going to be more things coming down that might influence open source, and so it would be helpful for them to have a better understanding right from the start. The details of that are going to be announced as we figure them out, but likely it's going to take place in September or October.

But we're not just going to stop with the Cyber Resilience Act, it also goes beyond that. So we're going to continue working together as open source CMSs. We are going to have to address other legislation around the world, possibly as a group, in the future. There are similar acts coming up in the US and in other places around the world. There is also other legislation from the EU which could impact open source software that is not just about security but is about digital products and things like that, if I remember correctly, and I'm sure that there is going to be more coming through also. So we are going to continue working together on things like this and collaborating, and perhaps including other open source CMS communities as well in that collaboration, because we are stronger working together. The four, Josepha mentioned at the beginning that the four communities represented here represent basically half of the websites that are running on the web, which is a lot, that's incredible. So we are, by combining our communities, we can combine our expertise, we can combine our
reach and create more change that benefits all of us as an open source community, which is really cool and exciting. I get really excited about that. And we're also promoting open source software overall, because it's not just about open source CMS, it's about open source in general. Open source matters. We care about the open source community because we all share the same values and intentions. So let's get into how you can help now if you're here.

All right, so firstly, I'm going to rocket through this so we have like 15 minutes for questions. First thing is, you might be hearing about this for the first time and you might find all of this alarming. Don't find it alarming, don't panic, but do take that feeling of like, oh no, we should be doing something, and join us in this next set of things that we're going to ask you to do. So number one, we would like you all to help us spread the word into your communities. You can reshare the letter that we wrote. There will be a recording of this that you all are welcome to share anywhere that is helpful. Make sure that the stakeholders in your local communities are aware of what this is and why it matters, and of course why open source matters. Another thing that we ask you to do, even if you're not going to spread the word, is stay up to date with us. So there are some upcoming opportunities for you to collaborate with your projects, with us here, to voice your concerns and help us collect information. We have been asked to collect some information about all of the things that would be in line or not in line with the various definitions that we are having concerns about, and so we're going to send out some information to ask you to get that collaborative knowledge better together. And then in general, just engage in this conversation with us. Like I said, talk about the values and benefits of open source in your local communities. And that survey, I know that it was shared in the chat already once. If someone wants to share it with everyone in the
chat again, that would be great, but also we will just have it go out from all of our projects. It asks questions about plugins, themes, extensions, all those things, just to get a sense for products in our ecosystems. And then also, if you all, in your products, in your small open source communities, whatever it is, have above-and-beyond measures that you take for security that look like they could be scalable, absolutely let us know, because that is one of the main concerns of the CRA that we of course are immediately trying to make clear, about how we manage things. And so those are the three big ways that you can help immediately. I know it does not say contact your PM, contact your MEP, but that is probably a thing we will ask for at some point as we go through it. Done. Time for questions. I took twice as long as I was going to take.

That was good. No, you did good. We have a bunch of questions in the chat. I was just going to pull out some, maybe for quick answers. Kieran, since you kind of have been doing the most work on this, one question: has the proprietary software industry made comment on the rule? Do you have any insight into that?

Not as much as we were expecting. So we kind of focused on the recital to an exemption for free and open source software, because we thought the requirements that generally apply to software, they're going to annoy a large swath of proprietary software companies, and you know, they should work on that, and hopefully they'll make that kind of reasonable for everyone. We're surprised how little changed, and so I'm not sure if they didn't pay enough attention, if they just didn't manage to convince, or it could be that a lot of the proprietary software lobbies in Europe are mostly financed by non-European software companies, and it's possible that either they're not interested in fixing the CRA that much, or maybe the EU policy makers were not interested in listening to entities funded by US software companies. So it appears that they haven't done as much as we
were expecting at all.

Thank you. And then we had another question about, you mentioned and you covered the definition of commercial, or the inclusion of the word commercial activity in the rule, and some of the concerns with that. Do you know specifically why they included that? What loophole were they trying to close by including commercial activity in, I think it's section 10 or wherever?

Yeah, they have a guide, a terminology guide called the Blue Guide, and that's part of an initiative called the New Legislative Framework, and they try to reuse words that are in the Blue Guide, because these are words where they've looked at the case law and they've looked at how this word is used in various contexts, and they can recommend these words be used again, just to improve the consistency between legislation. So the word commercial is in there, and that's the real reason, the main reason they want to use it. Now, it doesn't really apply very well to software. Like, this is taken from product legislation, which is mostly focused on physical products, and so in that context the word commercial is getting more and more defined, but now it's being applied to software and it's a lot less clear. And it's not even just the word commercial, it's "outside the course of a commercial activity", and then you're wondering, well, if I'm paid a salary and I do this during my office hours, is the software being distributed during the course of a commercial activity, even though maybe my employer has zero interest in the software? So there's multiple things there, but the word commercial, yeah, they're using it because it has a meaning in other contexts.

Good, thank you. And yeah, please, I would encourage folks to put their questions in the chat. Some of the questions we may need to think about and come back later, so I'm kind of happy, yeah, we're going to save questions that don't get answered here so that we can answer them later. Yep. One question here, and I'm so glad you're on the
call because we're really putting you on the spot. So, additional EU legislation: is there any additional EU legislation you would like to cite that's coming down the road?

I think we have a list. The AI Act and the Data Act are almost finished, but because they're blocked, all of a sudden they're open again, so things still might change there. And next year we're going to have the AI Liability Directive. There's a standard essential patents regulation, which is actually really interesting because there's good things in there, so we would like to see that get finished, but you know, we're running out of time for that to be finished by the end of the year. In parallel to the CRA there's the Product Liability Directive, which is actually very similar in scope, and once again it has the obligations triggered by supply, so it's similar again, but it gives you liability for any damage caused by your software. And the interesting thing here is that it doesn't require any fault on behalf of the supplier or the developer. You don't have to be negligent, it just has to be that your software caused somebody damage, and the damage can include things like data loss. So if you have a buggy version and people start losing data, then you could be liable for that according to the Product Liability Directive, which is happening in parallel. It's about a month or two months later than the CRA. I guess there's actually a review of the Blue Guide and the NLF, the New Legislative Framework, coming up, and so that's, it's quite a deeply legal, nerdy kind of topic, but it's actually going to be of very serious consequences and it's an opportunity to get things right. Yeah, there's a lot of difference. That's half my list, that's the main ones.

So there's a lot. Yes, there's a lot, and this is where I think my comment was, one of the reasons we were getting involved is because we see there's a growing interest in the EU to write rules or update rules that will impact
open source. Question came in, and this is really for us, Kieran, take a break: what are the concrete next steps for the project representatives leading today's call? So let me share what I'm planning to do, and others weigh in. So I'm in awareness mode with my community, with the Drupal community, especially my European members, get the word out. And then, Kieran, we'll be working with Open Forum Europe to contribute however we can on the policy paper they're developing, and so as drafts are circulated or there are questions or need for input, I'll be reaching out to my community members to say, hey, here's an issue, here's the question that's going to be handled in the policy paper, what's our position on it, what do we think about it. And then lastly, supporting an in-person event that Crystal mentioned, in Europe in September. Not exactly sure the form or the date of that or the output, but we'll be supporting that. So right now I'm kind of in awareness and opening the dialogue with my community so we can be quickly responsive. Crystal, Mathias, you guys weigh in on what you're doing.

Yeah, what we're doing is pretty in line with what you said: making sure that the general community is aware of what the CRA is and how it could affect our contributors or the people who have built their livelihoods surrounding Joomla as a CMS, and making sure that we are communicating with our security team to discuss what we are already doing and how the details of this act could affect us, or the different versions of it, trying to narrow down some of the feedback that we might be able to give back to legislators, to see what we can advise on, and try and communicate with our communities as well through things like the survey that was shared earlier. Possibly a different survey will come out as well that's going to be a little bit more generic, to discuss what makes a product, what makes a project commercial, and get our
communities' perspectives on all of those things, because ultimately we are doing our best not just to represent our projects but also to represent our communities and make sure that you are accounted for as well, since this will also affect you.

Yeah, and from the TYPO3 community, we are doing a lot of the same things. We also have a little chat that we've opened up on talk.typo3.org. We're asking some questions to community members and, well, feedback is very welcome there. And we're also doing a job to get this message out. I think, apart from just focusing on the TYPO3 Association, I think all of you who are listening to this, it is really important to make sure that open source is understood by legislators and, well, everyone in Europe, because it is really central to the European economy and to our modern technology. So this really shows that, you know, we have to go out there and talk about our systems, our projects, but also this basic value system that we're working on, that we actually don't learn in school.

And WordPress is doing all the same stuff. We also have the Community Summit coming up, where I imagine I will talk to a lot of our local community leaders about what they learn here and what questions they have as well, and I'll be able to keep everybody updated as we do that at the end of August.

Thank you. So I think this webinar is less of a call to action, specific action that we're asking members to take right now, more awareness, stay tuned, and so as we reach out to you we can get information, your feedback and input. But I'd suggest there's a couple more questions and then a quick wrap-up, and we'll talk about how we'll make this recording and answer the questions and other things available after the call. Kieran, back to you, I hope you had a nice break. We had a question here about non-code contributions: would this cover non-code contributions to open source projects? I think it is no, but I'm not sure. I
think, I think that's safe. Yeah, I don't think non-code would be covered, so that would be okay. And there's a small thing I want to just mention, just in the interest of covering EU legislation even for outside the EU. So like, between the US and the EU, the US is the stronger, clearly, but the thing is, because the US has its own slower policy on regulating, in the US there's a tendency to let things progress and then jump in when they fall off the rails, and in the EU the tendency is to make a framework early and then have progression happen within the framework. And there's pluses and minuses for both, but it just means that in certain areas where the US does regulate, the US tends to lead the world then, but whenever the US decides not to regulate, then the EU is often there to jump in and start regulating, and so this can then have a run-on effect on the US and in other parts of the world. And so this is also a reason why the CRA is of interest, I think, for people all around the world.

Great, thank you, thank you for that, and I would agree with that analysis of the import of this rule beyond Europe. I think we were minutes, I would suggest wrap up. Chris, I don't know if you want to wrap up, or is there anything we want to say collectively?

I think that there was one more question that would be good to address, if we have another minute or so, because it affects specifically people who build websites. So the question is: given all the projects here are CMS systems, would the exception, the open source exception, apply to people, including commercial entities, who use these platforms to build websites? Which is an excellent question. I don't know the answer to that, because I could totally see that a website could be considered a digital product. But Kieran, I hope you don't mind, if you have any insight on how that might apply. Oh, SaaS exception, I'm sorry, there was a software as a service exception
that was referenced.

Yeah, indeed. So there's a SaaS exception for software that's running on the server. There are still some questions about CMS, because for example when people are viewing a web page, it's going to have some JavaScript in the web page, and so it's not clear whether a web server supplying a web page to somebody with JavaScript, is this also supplying software? And you know, then if your website has any commercial aspects, then you have to wonder, am I within the course of a commercial activity or not? So the problem is that, yeah, a lot of the times when it's not certain, people will err on the side of caution, and this just causes a chilling effect in general. But there are a lot of these questions where the answer will be, for a long time, yeah, we don't really know.

Thank you. Hopefully it becomes clear as we work through this. We have still quite a few questions in the question and answer box. We can't get to all of them, but we will collect them and do our best to address them after the webinar. We're not going to necessarily answer all of them, because some of them is going to be "I don't know", but either way we will do our very best. Before we log off, I just wanted to say thank you again to Mathias, Tim, Josepha, Kieran for speaking today. You all have been wonderful to work with in getting the letter together and getting this webinar together, and I'm very excited to continue working with you, both for the CRA as well as other things in the future. We had 500 people registered for this webinar, which is just so incredible, to see such interest from across our different communities. We will be publishing the recording of it, I believe, and sending out the survey links that were mentioned earlier, so you will receive those in your email, so far as I understand it. And thank you all for attending, for taking the time to show up, especially those of you who are not in the EU, because I know that some of you are attending in the middle of the night, which is very inspiring.
Thank you for your commitment and your interest. Well done, all of you. And I think that was it. Did I miss anything?

All good, I think you covered it. Our special thanks goes to you, Crystal, for making the initial calls to each of us to pull together on this, so thank you for doing that.

It's my pleasure. I can't take any credit. It was a couple of members of my Joomla community that told me, hey, are we doing something about this, and made me aware that we should be.

So, well, then we'll pass the kudos down to our community members, because I also had a couple of community members who were like, are we doing things? So thanks, everyone, for your time.

Yeah, ultimately it's all about the community, right? Exactly, that's why we're here. All right, thank you. Right, thank you everyone. Thanks a lot.