As the European Union’s Cyber Resilience Act (CRA) makes its way through the legislative process, there is a growing apprehension about the way the proposed regulation inadvertently puts a major burden on developers of open source software. “What is surprising about the CRA is that none of the people who know about open source were consulted in the process. So a software regulation was developed without input from the people in the European Union who could have shaped this into something more impactful,” says Mike Dolan, SVP and GM of Projects at the Linux Foundation.
In this episode recorded at the Open Source Summit in Bilbao, Spain, Dolan talks about the Act, why the open source community is concerned about it and what the Linux Foundation is doing to fix it.
Key highlights from the video interview are:
- The new regulation, introduced by the European Parliament in September last year, is well intentioned in terms of improving software security in Europe — if we fix all the security issues up at the open source project level, everybody downstream will have a perfectly secure code base that comes through the system. However, Dolan points out that the construct in which the CRA goes about it places liability on the upstream developer community.
- Dolan explains that the CRA inadvertently ends the whole structure upon which open collaboration has thrived over the last couple of decades. It’s ironic as Europe is a hub of a lot of grassroot open source development.
- There is a lot that goes into a product decision-making process, where you decide how to use a specific upstream open source project. But developers in the upstream open source projects won’t know exactly how downstream users might be using their code base at the end of the day.
- The conflict, as Dolan puts it, is that the EU thinks that companies control open source projects in a way that they can just dictate.
- One of the organizations the EU reached out to apparently was the Mozilla Foundation. “Well, Mozilla has a very different model for open source projects. Most of the developers work for Mozilla Corporation and then there is Mozilla Foundation with a core engineering team that can build engineering practices in place. But most open source projects are not run like Mozilla; they don’t have the funding and resources of Mozilla,” explains Dolan.
- The Linux Foundation is calling for the broader community to take immediate action.
- The Foundation is in talks with the companies that are major economic factors for the European Union to help them understand why the CRA is an issue. It is also making efforts to figure out how to channel their energy and comments back into the process.
Dolan also talks about OpenTofu, a fork of Terraform that is being managed by the Linux Foundation. HashiCorp, creator of Terraform, recently announced it was changing the software’s license from a Mozilla Public License v2.0 (MPLv2) to a Business Source License v1.1. Yet within weeks, the community came together and announced OpenTofu that would serve as a drop-in replacement.
- OpenTofu is now a place where people who do want to have a say in where this technology goes in the future and do so under a reasonable open source license, can come and work on it together. But Dolan says that they shouldn’t be surprised when they change the value equation with their end users and developer communities that they may not go along with that.
- Dolan also talks about the risks if we let organizations change the meaning of open source and how to deal with that to make sure that we retain the core definition of what is open source.
On Generative AI
- Dolan talks about developers and data scientists who are building communities around generative AI models, whether they be large language models, or even specialized models or foundational models.
- He points at the collaborative element as the same drivers of what drives open source projects to come to a foundation will be value propositions for generative AI communities.
This summary was written by Monika Chauhan