News from the blog

By OSI Staff on 21 Mar 2023

The polls have just closed and the results are in. Congratulations to the returning directors Aeva Black and Catharina Maracke, and to the newly elected director Anne-Marie Scott.

Anne-Marie Scott has been confirmed and joins as a director elected by the Affiliate organizations. She’ll take the seat that was occupied by Hong-Phuc Dang who resigned in June 2022. Aeva Black and Catharina Maracke collected the votes of the Individual members.

The OSI thanks all of those who participated in the 2023 board elections by casting a ballot and asking questions of the candidates. We also want to extend our sincerest gratitude to all of those who stood for election. We were once again honored with an incredible slate of candidates who stepped forward from across the open source software community to support the OSI’s work and advance the OSI’s mission. The 2023 nominees were again remarkable: experts from a variety of fields and technologies with diverse skills and experience gained from working across the open source community. We hope the entire Open Source software community will join us in thanking them for their service and their leadership. We’re better off because of their contributions and commitment, and we thank them.

Next steps

The board of directors will formalize the election results in an ad-hoc meeting. The new board member will be invited to a series of onboarding meetings to get to know the internal tools of the organization, to familiarize herself with its mission, vision and strategy, and to get to know the other directors and the staff.

We’ll also run a post-mortem analysis of the voting process and tools we used to keep improving.

The complete election results

OSI Affiliate directors elections 2023

There are 4 candidates competing for 1 seat. The number of voters is 35 and there were 34 valid votes and 1 empty vote.

Counting votes using Scottish STV.

Round | Anne-Marie Scott | Gabriele Columbro | Gaël Blondelle | Matt Jarvis | Exhausted | Surplus | Threshold
1     | 12.00000         |  9.00000          | 10.00000       |  3.00000    | 0.00000   | 0.00000 | 18.00000
      | Count of first choices. No candidates have surplus votes so candidates will be eliminated and their votes transferred for the next round.
2     | 12.00000         | 11.00000          | 10.00000       |             | 1.00000   | 0.00000 | 18.00000
      | Count after eliminating Matt Jarvis and transferring votes. No candidates have surplus votes so candidates will be eliminated and their votes transferred for the next round.
3     | 15.00000         | 15.00000          |                |             | 4.00000   | 0.00000 | 18.00000
      | Count after eliminating Gaël Blondelle and transferring votes. No candidates have surplus votes so candidates will be eliminated and their votes transferred for the next round.
4     | 27.00000         |                   |                |             | 7.00000   | 9.00000 | 18.00000
      | Count after eliminating Gabriele Columbro and transferring votes. Candidates Anne-Marie Scott and Gabriele Columbro were tied when choosing candidates to eliminate. Candidate Gabriele Columbro was chosen by breaking the tie at round 2. Candidate Anne-Marie Scott has reached the threshold and is elected.

Winner is Anne-Marie Scott.


OSI Individual directors elections 2023

There are 5 candidates competing for 2 seats. The number of voters is 194 and there were 192 valid votes and 2 empty votes.

Counting votes using Scottish STV.

Round | Aeva Black | Catharina Maracke | Chris Aniszczyk | Duane O’Brien | Jim Jagielski | Exhausted | Surplus  | Threshold
1     | 44.00000   | 69.00000          | 30.00000        | 27.00000      | 22.00000      | 0.00000   | 4.00000  | 65.00000
      | Count of first choices. Candidate Catharina Maracke has reached the threshold and is elected. Candidates have surplus votes so surplus votes will be transferred for the next round.
2     | 45.50722   | 65.00000          | 30.63767        | 28.04346      | 22.57970      | 0.23195   | 0.00000  | 65.00000
      | Count after transferring surplus votes from Catharina Maracke with a transfer value of 4.00000/69.00000. No candidates have surplus votes so candidates will be eliminated and their votes transferred for the next round.
3     | 49.62316   | 65.00000          | 39.86955        | 35.21737      |               | 2.28992   | 0.00000  | 65.00000
      | Count after eliminating Jim Jagielski and transferring votes. No candidates have surplus votes so candidates will be eliminated and their votes transferred for the next round.
4     | 69.26083   | 65.00000          | 52.33331        |               |               | 5.40586   | 4.26083  | 65.00000
      | Count after eliminating Duane O’Brien and transferring votes. Candidate Aeva Black has reached the threshold and is elected.

Winners are Aeva Black and Catharina Maracke.


By OSI Staff on 16 Mar 2023

OSI is pleased to announce our 2023 Open Source Initiative License Clinic, an in-person event to be held April 4th in Washington D.C. This one-day workshop will cover advanced topics on open source software licenses of interest to the US federal government, as well as emerging issues such as the confluence of AI models, licenses and data.

The workshop is in keeping with the Open Source Initiative’s (OSI) non-profit educational mission and has been created in collaboration with the D.C. legal and technology communities. The small and timely content-rich clinic offers an educational opportunity for attendees as well as an opportunity for the OSI to hear what’s top of mind for government practitioners.

The clinic is designed as a cross-industry, cross-community workshop for legal, contract, acquisition and program professionals who wish to deepen their understanding of open source software licenses, raise their proficiency to better serve their organizations’ objectives, and identify problems which may be unique to the government. Presenters will include OSI board members (current and emeritus) and federal government practitioners.

Topics include:

  • Open Source 201
  • An expert panel discussion: challenges, successes, best practices, operational policies, and resources for federal practitioners
  • A briefing on the evolution of Software Bills of Materials (SBOM)
  • AI/ML OSS tools, licenses and modern challenges
  • A primer on alternative licenses

Expert Panelists and Presenters:

  • Deb Bryant, OSI US policy director and board member emeritus
  • Pam Chestek, founder Chestek Legal and OSI board director and License Committee chair
  • Stefano Maffulli, OSI executive director
  • Daniel Risacher, Department of Defense, Office of the CIO
  • Luis Villa, co-founder and general counsel at Tidelift and OSI board director emeritus

The clinic is free to attend for OSI Professional Members and those with a .gov or .mil email address. The cost is $250 for the general public.

Register now; seats are limited.

By Carl Schwan on 9 Mar 2023

This Monday, I was in Brussels to attend a stakeholder workshop for the Digital Market Act (DMA) organized by the European Commission. For those who aren’t familiar with the DMA, it’s a new law that the European Parliament voted on recently and one of its goals is to force interoperability between messaging services by allowing small players the ability to communicate with users from the so-called gatekeepers (e.g., WhatsApp).

I attended this meeting as a representative of KDE and NeoChat. NeoChat is a client for the Matrix protocol (a decentralized and end-to-end encrypted chat protocol). I started developing it with Tobias Fella a few years ago during the covid lockdown.

I learned about this workshop thanks to NLNet, who funded previous work on NeoChat (end-to-end encryption). They put Tobias Fella and me in contact with Jean-Luc Dorel, the program officer for NGI0 for the European Commission. I would never have imagined sitting in a conference room in Brussels, thanks to my contribution to Open Source projects.

I work on NeoChat and other KDE applications as a volunteer in my free time, so I was a minor player at the workshop, but it was quite enlightening for me. I expected a room full of lawyers and lobbyists, which was partially true. A considerable number of attendees were people who were silent during the entire workshop, representing big companies and mostly taking notes.

Fortunately, a few good folks with more technical knowledge were also in the room, including, for example, people from Element/Matrix.org, XMPP, OpenMLS, the Open Source Initiative (OSI), NLnet, European Digital Rights (EDRi) and consumer protection associations.

The workshop consisted of three panels. The first was more general, and the latter two more technical.

Panel 1: The Scope, Trade-offs and Potential Challenges of Article 7 of the DMA

This panel was particularly well represented by a consumer protection organization, European Digital Rights, and a university professor, who were all in favor of the DMA and the interoperability component. Simon Phipps started a discussion about whether gatekeepers like Meta should be forced to also interop with small self-hosted XMPP or Matrix instances, or if this would only be about relatively big players. I learned that, unfortunately, while it was once part of the draft of the DMA, social networks are not required to interop. If Elon had bought Twitter earlier, this would have probably been part of the final text too.

From this panel, I particularly appreciated the remarks of Jan Penfrat from the EDRi, who mentioned that this is not a technical or standardization problem, and pointed out that some possible solutions like XMPP or Matrix already exist and have for a long time. There were also some questions left unanswered, like how to force gatekeepers to cooperate, as some people in the audience fear that they would make it needlessly difficult to interoperate.

After this panel, we had a short lunch, and this was the occasion for me to connect a bit with the Matrix, XMPP and NLnet folks in the room.

Panel 2: End-to-End Encryption

This panel had people from both sides of the debate. Paul Rösler, a cryptography researcher, tried to explain how end-to-end encryption works for the non-technical people in the audience, which I think was done quite well. Next, we had Eric Rescorla, the CTO of Mozilla, who also gave some additional insight into end-to-end encryption.

Cisco was also there, and they presented their relative success integrating other platforms with Webex (e.g. Teams and Slack). This ‘interoperability’ between big players is definitely different from the direction of interoperability I want to see. But this is also a good example showing that when two big corporations want to integrate together, there are suddenly no technical difficulties anymore. Cisco is also working on a new messaging standard (which reminds me a bit of xkcd 927) as part of the MIMI working group of the IETF that they have already deployed in production.

Next, it was the turn of Matrix, and Matthew Hodgson, the CEO/CTO at Element, showed a live demo of client-side bridging. This is their proposed solution to bridging end-to-end-encrypted messages across protocols without having to decrypt the content inside a third-party server. This would be a temporary solution; ideally, services would converge to an open standard protocol like Matrix, XMPP or something new. He pointed out that Apple was already doing that with iMessage and SMS. I found this particularly clever.

Last, Meta sent a lawyer to represent them. The lawyer was reading a piece of paper in a very blank tone. He spent the entirety of his allocated time telling the commission that interoperability represents a very clear risk for their users who trust Meta to keep their data safe and end-to-end encrypted. He ignored Matthew’s previous demo and told us that bridging would break their encryption. He also envisioned a clear opt-in policy to interoperability so that the users are aware that this will weaken their security, and expressed a clear need for consent popups when interacting with users of other networks. It is quite ironic coming from Meta who, in the context of the GDPR and data protection, was arguing against an opt-in policy and against consent. As someone pointed out in the audience, while WhatsApp is end-to-end-encrypted, this isn’t the case for Messenger and Instagram conversations, which are both also products of Meta. The lawyer quickly dismissed that and explained that he only represented WhatsApp here and couldn’t answer this question for other Meta products. As you might have guessed, the audience wasn’t convinced by these arguments. Still, something to note is that Meta had at least the courage to speak in front of the audience, unlike other big gatekeepers like Microsoft, Apple and Google who were also in the room but didn’t participate at all in the debate.

Panel 3: Abuse Prevention, Identity Management and Discovery

With Meta in the panel again, consent was again a hot subject of discussion. Some argued that each time someone from another server joins a room, each user should consent so this new server can read their messages. This sounds very impractical to me, but I guess the goal is to make interoperability impractical. It also reminds me very much of the GDPR popup, in which privacy-invading services try to optimize using dark patterns so that the users click on the “Allow” button. In this case, users would be prompted to click on the “Don’t connect with this user coming from this untrusted and scary third party server” button.

There was some discussion about whether it was the server’s role to decide if they allow connection from a third-party server or the user’s role. The former would mean that big providers would only allow access to their service for other big providers and block access to small self-hosted instances. The latter would give users a choice. Another topic was the identifier. Someone from the audience pointed out that phone numbers used by WhatsApp, Signal and Telegram are currently not perfect as they are not unique across services and might require some standardization.

In the end, the European Commission tried to summarize all the information shared throughout the day and sounded quite happy that so many technical folks were in the room and active in the conversation.

After the last panels, I went to a bar next to the conference building with a few people from XMPP, EDRi, NLnet and OpenMLS to get beers and Belgian fries.

By OSI Staff on 7 Mar 2023

The nominations for the Open Source Initiative board elections closed on March 6th. It’s time for voters to meet the candidates.

The OSI board of directors will renew three of its seats with an open election process among its full individual members and affiliates. We will be holding two elections:

  • Individual members will elect two directors
  • Affiliate organizations will elect one director

We encourage members to check out the list of Individual and Affiliate Candidates below. Read about their backgrounds and interest in serving on the board.

Each candidate page also features a comments section: OSI members can ask candidates about their plans, hopes, and views for the OSI (don’t endorse candidates there please).

Take advantage of the ability to ask questions as it’s the best way for you to learn about each candidate and what they hope to achieve as board members of the OSI.

Individual candidates:

Affiliate candidates:

Next steps

Voting opens this Friday, March 10. Individual full members and affiliate representatives will receive a ballot via email with instructions on how to vote. Only individuals who are Full Members at the time voting opens may vote in the Individual election. Only the official representative of the OSI Affiliates may vote in the Affiliate election, one vote per Affiliate. More details on the elections page.

Upcoming 2022 election schedule

  • March 10, 2022: Voting opens
  • March 20, 2022 (9AM PST): Voting closes and results announced within 5 days
    • if needed: March 28, 2022: close run-off elections, announce results
  • April 21, 2022: elected members take seats

By Simon Phipps on 2 Mar 2023

With the European Commission soon to offer the Parliament a bill relating to Standard-Essential Patents (SEPs), it is worth taking time to understand exactly why vendors requiring negotiations to use the patents they have embedded in “open” standards is antithetical to Open Source practice.

The value and prosperity generated from Open Source arises from Open Source software licenses seamlessly and frictionlessly permitting anyone to use, modify, and redistribute the software for any purpose including monetization. When SEPs are licensed in such a way that bilateral negotiation with the licensors is a necessary element of software use, Open Source projects must necessarily avoid implementation of the associated standards to the extent that it is possible for them to do so. A requirement for bilateral, after-the-fact patent licensing is by definition not Open Source due to this introduction of licensing friction.

This is not a matter of ideology but of pragmatics. Open Source developer communities operate on the assumption that the intellectual property owners – including both copyright and patent owners – have granted in advance all necessary rights to enjoy the software in any field of use and in any way. SEPs licensed on bilaterally-negotiated terms break this model and thus are naturally avoided. Further, the tendency for such bilateral negotiations to have some form of non-disclosure agreement (NDA) as a prerequisite also prevents many communities from engaging with them, as, unlike companies, they do not have the mechanisms or resources to “firewall” NDA terms and thus routinely refuse NDAs.

Not all standards have SEPs, and not all SEPs require licensing on restricted terms. While some standards are encumbered by patents registered by contributors to the standards process, patents are not an essential or inherent aspect of standardization. As I explained for Open Forum Europe, some standards are developed in a sequence of activities that starts from a statement of requirements (“requirements-led”) while others are developed as a harmonization of existing industry implementation (“implementation-led”).

The requirements-led approach leads some standards development organizations (SDOs) to tolerate restricted licensing of included patented technologies due to the long lead-times in research and development investment by standards contributors. Despite this practice leading to barriers to entry in the resulting markets, tolerating SEP monetization appears a compromise that in many cases can be proportionate to the delayed monetization opportunity for participants. While negotiation-required (FRAND) licensing of these SEPs is desirable for the commercial entities consuming them, the bilateral negotiation with NDA-enforced privacy that results unwittingly erects a barrier to the normal practice of Open Source communities, where both restrictions on mere use and requirements for NDAs are anathema. As a consequence, standards of this kind are unwelcome in Open Source projects.

By contrast, the implementation-led approach frequently arises in circumstances where recovery of R&D costs is already in hand and patent monetization is not a proportionate compromise. As a result, projects developed under an implementation-led approach (such as at OASIS and W3C) frequently opt for the restriction-free (RF) subset of FRAND terms that results in a negotiation-free usage. As a consequence, standards of this kind do not conflict with the realities of Open Source community operation and are widely implemented as Open Source.

The Commission’s activities regulating SEPs and their licensing are a golden opportunity to also harmonize their standards strategy with their Open Source aspirations. In particular, standards organizations should be required to ask contributors at standards-inception whether a negotiation-required or a negotiation-free/royalty-waived subset of FRAND is appropriate for the resulting standard and develop the standard on that basis — with a default to waiving royalties. We wrote to the consultation by the Commission last May to explain.

This does not mean ending SEPs anywhere else, but there is no point tolerating the desire of certain dominant parties at SDOs to try to pretend Open Source can be defined as copyright-only so they can tax implementation outside their legacy domains. Trying to openwash encumbered standards may satisfy the peers of their bubble but it will simply chill progress and proliferate standards outside it as the market works around the obstacle. The only way forward is to respect the 17-year-old settled consensus and embrace OSI’s Open Standards Requirement.

By OSI Staff on 28 Feb 2023

ClearlyDefined has a new community manager! Nick Vidal has joined the project hosted by the Open Source Initiative (OSI) that helps Open Source projects thrive by putting essential licensing data at teams’ fingertips. Vidal comes with 20 years of experience developing Open Source communities and will lead ClearlyDefined to its next phase. He previously served as the director of community and business development at the OSI and director of Americas at the Open Invention Network. Currently he is chair of the outreach committee of the Confidential Computing Consortium from the Linux Foundation.

Vidal joins the project as we celebrate its five year anniversary and the 25th anniversary of OSI. The goal of ClearlyDefined is to bring clarity around licenses and security vulnerabilities to Open Source projects. It provides a mechanism for harvesting available data about Open Source projects using tools such as ScanCode and FOSSology, and facilitates crowd-sourcing the curation of that information when ambiguities or gaps arise.

A lot has changed in the first years of ClearlyDefined, and we’re excited for what the future holds. The ClearlyDefined community has grown to include individuals from organizations such as Microsoft, SAP, Bloomberg, Qualcomm, HERE Technologies, Amazon, nexB, the Eclipse Foundation, and Software Heritage. Together, the community has successfully built a robust software system that is accessible through an open API. The number of definitions in ClearlyDefined has doubled year over year. With a redesigned UI, the data is displayed in a more user-friendly way, making it easier to understand and consume.

Even with all its growth, there’s a lot of room for further improvements as we look ahead to the next five years. Ever since the Log4Shell vulnerability, governments and organizations from around the world have come to realize the essential role Open Source plays in society, given its pervasiveness in the cloud, mobile devices, IoT and critical infrastructure. Clarity around licenses and security vulnerabilities of Open Source projects has become a key concern.

As community manager, Vidal will continue to grow a healthy community of individuals and organizations dedicated to tackling this community-wide concern. Projects ClearlyDefined will be collaborating with include OpenSSF’s Alpha-Omega, Core Infrastructure Initiative, OpenChain, SPDX, FOSSology, OSS Review Toolkit, Automating Compliance Tooling, Sigstore, Supply chain Levels for Software Artifacts (SLSA), Eclipse’s SW360, OWASP’s CycloneDX and OASIS’ Common Security Advisory Framework.

As we celebrate the triumph of Open Source software on its 25th anniversary, we must at the same time acknowledge the great responsibility that its pervasiveness entails. Open Source has become a vital component of a working society and there’s a pressing need to bring clarity around licenses and security vulnerabilities to Open Source projects. With contributions from ClearlyDefined and the Open Source community at large, the future of Open Source is bright and clear.

The community support for ClearlyDefined over the past 5 years has been tremendous. We encourage and invite you to join us at GitHub and follow us on Discord and Twitter.
