This seems to mostly be a policy piece, targeted at political folks rather than technical ones. The laborious establishment of a couple analogies was particularly hard to get through, but I suppose it will be useful for the target audience.
A concern with this sort of thing is that it will have weird expectations about developer responsibility in securing the, as they like to call it, “software supply chain.” It was nice to see that they reiterated that open source developers basically have no responsibility.
I don’t see too much objectionable here, no idea if the proposals would actually help but they seem mostly harmless.
An analogy that occurred to me while reading was: open source developers could be seen as more like a natural resource, something like wild animals. In particular wild bees. People don’t really expect bees to follow many instructions. You can set up nice places for them to put their hives. But mostly you should just leave them alone and be happy to collect the honey they produce, which they produce as a side effect of existing — you can check if you want to eat it.
«You can domesticate programmers the way beekeepers tame bees. You can't exactly communicate with them, but you can get them to swarm in one place and when they're not looking, you can carry off the honey.» (Orson Scott Card)
It seems to me that there ought to be a principle of "opacity entails responsibility".
An open-source project and its developers can easily claim to have no liability because it's possible for downstream users to fully inspect the source code. However, it's harder to argue the same thing for a closed-source product or service.
If a company claims to provide a closed-source service according to certain specifications, and then fails to, then they're liable for that failure. In other words, if you want to fence your code off to more effectively generate profit from it, OK -- but now you are liable for any disasters caused by it.
It becomes particularly interesting if and when a closed-source project depends on open-source dependencies upstream, especially if these dependencies are not declared. Can the downstream company then deflect responsibility? It seems not.
Of course, it's not a black and white thing. A developer that deliberately inserts malicious code into an open-source codebase should still be held liable for this. I'm sure one could craft a similar argument for limitations on liability of even closed-sourced codebases.
Many countries like to ensure a certain level of food security by growing essential foods domestically or importing them from good allies. Yet, farmers also don't have any responsibility. They only respond to incentives set up by the government.
The EU Cyber-Resilience Act would mandate expensive 3rd-party audits for some categories of software (including open-source) before they can be sold commercially, https://news.ycombinator.com/item?id=33594440
> the big players who can afford certification will be able to use ANY open-source component for free but the people who built it will have a tough time to go to the market because they will require the funds they don't necessarily have.
The list of "critical" software categories can be updated by the EU based on perceived cybersecurity risk. It currently includes:
Operating systems (server/client/mobile)
Hypervisors and container runtimes
Public key infrastructure
Firewalls for industrial use
Routers for industrial use
What a strange wandering analogy-laden article. The actual benefits of open-source software to governments are pretty clear:
1) Many government services and programs rely heavily on software. Private vendors who supply proprietary software solutions to governments at high cost could be replaced by open-source solutions maintained by government employees, with the core code for each critical package updated regularly and checked constantly for security flaws by a separate entity.
2) Note that in this scenario, a great many techs across a wide variety of government agencies would be responsible for installing, monitoring, updating etc. their local systems, but the actual job of developing and maintaining the code body would be the job of another entity - something like a government-funded academic foundation.
So yes, uninstall Windows across the board and install Linux. Huge savings right there. See Brazil, 2005:
https://www.nytimes.com/2005/03/29/technology/brazil-free-so...
As far as the actual software-infrastructure interface, i.e. the code that critical infrastructure from the FAA to the trains to the electricity grid relies upon, let alone the nuclear power plants, well, "Stuxnet" is the first thing that should come to mind. That's a situation where security thinking should come first, and open-source avoids the 'security-through-obscurity' flaw, at least.
I'm always a bit ambivalent about these sorts of articles.
On the one hand if free software is for the greater good, then it makes sense that collective payment would be efficient - and the existing collective payment system we have currently is taxes and govt funding. So yay, let's tap into that.
On the other hand this system is grossly inefficient, and is subject to political oversight. Do we really want them picking and choosing winners and losers?
This sort of funding also leads to stagnation. United Launch Alliance has been happily consuming govt $ for 5 decades, with very little improvement in tech. SpaceX comes along to show what can be done by adding a bit of ambition. (and I understand they sell to govt now, but they started with private money.)
At the root of this discussion is the fact that Open Source / Free Software has yet to figure out the right funding model. We all agree that the current outcomes are positive, that competition is healthy, that Open access is desirable, but after 4 decades of trying we still don't know how to efficiently fund it.
Donations are a bust. Companies aren't set up to pay for things altruistically, and govt funding would (IMO) likely corrupt the system, and incentivize gaming-for-grants rather than making better software. Plus those who most need the $ will discover that applying for and getting govt funds can result in a lot (I mean a LOT) of extra paperwork.
So yeah, on the one hand more $ in the system is good. But govt $ comes at a cost.
And that's before we discuss who actually gets paid if a "project" is funded.
We already have people in big companies picking winners and losers via the kinds of projects that they fund. Having more funding can only lead to more winners, hopefully of a different kind than what companies are picking.
>At the root of this discussion is the fact that Open Source / Free Software has yet to figure out the right funding model.
It has. The biggest one is that tech companies work on open source software either to accomplish their business needs, commoditizing their complement, recruiting, etc. The money to do this comes from that company's business model / investors.
I find a lot of things tending towards "governments should fund this". I agree in principle that, at least in this case, everyone should collectively fund this. I don't understand how diverging ability to tax (given gross, massive, uncontrolled tax avoidance) and increasing pressures to fund as society grows more complex (and just/fair/compassionate?) and we realize we have difficult, not-profit-solution-compatible problems are ever going to meet. What's the all-encompassing solution? Our problems are that we cannot continue into debt infinitely, we are struggling to implement basic global tax norms (real, true minimums), there will always be inter-country competition for capital, people will always hate being taxed, we cannot ignore problems indefinitely.
A couple of points. Govts don't make what they fund, it's nearly always outsourced including but not exclusively the decision making. You want Govts to fund roads; road laying and maintenance is nearly always outsourced to a business.
On the point of this software, does open source software really matter when it's still going to be run on a closed source CPU of sorts. Your network switches are just highly optimised CPUs for the job of routing, which is still closed source. Even something like ARM on the RaspberryPi is closed source BLOBs.
At best, this is like arguing for legislation to be made available online when previously it was only available from the parliamentary libraries or some limited and specific journal like thegazette.co.uk for company related announcements.
However all my internet access comes from private businesses, so how would open source software be of benefit to me, when most people are still using a private provider. Even Broadcom provide most of the broadband cabinets here in the UK which is a private business last time I checked.
The cover image, of grievously mutated minifigs, surrounded by the guts of surreal machinery strewn about the floor... represents a dire situation of open source infrastructure?
(I can't tell whether it's Stable Diffusion or intentional.)
That's crazy that this group (Of VIPs IMO) got involved in this topic. I wonder what this spells? I'd love to be optimistic but the phrases that come to mind are: something wicked this way comes; and, slumbering toward Bethlehem to be born...
The fact that policy folks (essentially non-productive folks living off other people's work) are considering making unpaid volunteers criminally liable for security bugs leads to a question: how did we end up here?
This policy paper argues pretty strongly against making unpaid volunteers criminally liable for security bugs.
People in the political realm think of tech as "big tech" (their term for FAANG) and are currently trying to come up with solutions to address the societal problems caused by the FAANGs. That's why it's important for people who understand tech to explain the full consequences of their policy ideas to politicians, regulators and others discussing how to regulate tech. It would also help if there were more people from the tech world going into politics because there's a real risk that computer illiterate politicians will pass something stupid or will inadvertently allow FAANG to capture a regulatory agency and use it to crush their smaller competitors.
Only read the executive summary, but that far it just reinforces my view of open source as the road to serfdom for talented engineers. Sure, there’s a line here and there about funding maintenance and security audits, but writing it in the first place should of course be free.
I have the greatest respect for Richard Stallman sleeping under his desk at MIT so he could write gcc. But I like to get paid. I like to do business. I would like to write challenging and interesting software while living in a house, and yes: partaking in the capitalist system. I don’t like the idea that any challenging and interesting work in software must be given away for free.
There is no reason to not get paid for writing Free Software in the first place too. Some Free Software companies do that, but there are also things like grants.
You are confusing Open Source and Free Software. Richard Stallman always pushed for reciprocal licensing e.g. GPL. Companies have been pushing against that because they love taking without giving back.
RobotToaster | 3 years ago
Paying their rent would be a good start, and like bees, make them more productive.
CGamesPlay | 3 years ago
> bee_rider
On the internet, nobody knows you're a colony of bees!
ClumsyPilot | 3 years ago
I feel this was the most low-effort trying I've ever seen.
I've seen fortune tellers and spiritual healers achieve better results than our industry did at rewarding altruism.
loufe | 3 years ago
Has anyone else been feeling this way?
moremetadata | 3 years ago
It's a nice idea, but impractical in practice.
none_to_remain | 3 years ago
Nerd: I made this!
DC/Brussels: You made this?
DC/Brussels: I made this!
pabs3 | 3 years ago
https://github.com/fossjobs/fossjobs/wiki/resources