‘Regulations are no fun, but uncertainty is even less so’

Majority of open-source developers unsure of how legislation affects them

The acceptance of open-source is on the rise, according to research by the Linux Foundation. However, the same survey shows that many developers have no idea what new European legislation requires of them. Ignorance, a lack of strategy, and the age-old lack of time are endangering the further growth of open source.

Mirko Boehm is secretly a bit proud of having influenced a formulation in the European Commission’s upcoming Cyber Resilience Act. In that document of dozens of pages, there was a crude distinction between “commercial” and “non-commercial” software, with open-source supposedly falling under non-commercial. “Of course, that’s not true,” Boehm stated during our conversation at the Open Source Summit in Vienna last week.

“Open source software can be a perfectly fine commercial product, made or used by commercial parties,” he says. “However, the wording we saw in early versions of the Cyber Resilience Act (CRA) didn’t clarify that. It suggested that open source, by definition, excludes commercial use, but it is more nuanced than that. Open source can ideally serve the public good, but it can just as easily be part of a commercial product or service.”

One word makes a difference

It takes a while for Boehm, researcher but also Senior Director of Community Development for the Linux Foundation (you could somewhat unkindly call him a lobbyist), to plow through the legislation. But eventually, he finds what he is looking for: in Chapter 2 of the CRA, the text talks about obligations of ‘manufacturers’.

Expectantly, he looks at us; we look back, puzzled.

“This is the first time that such a text speaks of creators of software (‘manufacturers’) and its administrators (‘stewards’)! Thus, doing away with the improper distinction between commercial companies and makers of open-source software, as if the two were incompatible.”

That clarifies a lot. It seems like a minuscule adjustment, but it is a major victory for the Linux Foundation, along with OpenForum Europe and a few other open-source advocacy groups, that they managed to get this detail into European legislation. Not explained in a footnote, but as the title of a chapter, no less. As if it were the most normal thing in the world. And it is, Boehm and his team believe. Or at least it should be.

Boehm is fighting ignorance and uncertainty concerning open source. He is one of the authors of the report Open Source Maturity in Europe, an annual study of precisely what it says on the cover: the state of open source in Europe. The report is part of the global World of Open Source survey and consists of a quantitative survey and a select number of qualitative interviews.

Strategy is often lacking

First, the bad news. Much to Boehm’s dismay, 70 percent of government and semi-government organizations and 83 percent of higher education institutions do not have a clear open source strategy. According to the same study, these are precisely the areas where open source can make the most difference, in addition to the IT sector. Furthermore, more than half of those surveyed have no idea how legislation such as the Cyber Resilience Act will affect operations.

“Some told us, ‘We don’t get it.’ That’s understandable because I, too, have had to spend a lot of time sifting through legislation. However, I can say that the Cyber Resilience Act is really understandable. I can’t say the same about the AI Act. (Which, by the way, went into effect on August 1 of this year; its enforcement will be rolled out in phases. – Ed.) There are still so many ambiguities to that latter piece of legislation, especially since the potential of AI is still such unexplored territory.” The study states that the precise definition of open-source AI leads to ‘strong disagreement’ in the community.

Uncertainty acts as a brake

“In such a context, how do you prepare for a future that cannot be predicted?” continues Boehm. “Such ambiguities are not good for the development climate. Before you know it, you’re developing something that you later have to scrap, or adjust completely. Those are things interviewees brought up during our research.”

Although uncertainty about legislation can put a brake on (open-source) software development, it does not follow that clear rules automatically make things more fun. “Regulation actually makes things less fun. The open-source community tends to be averse to restrictive rules. It often feels best as a grassroots movement that stays under the radar.”

As a result, Boehm finds himself in the precarious position of promoting the benefits of open-source to policymakers on the one hand, while on the other hand dealing with a constituency that grumbles over stringent legislation that might curtail creativity. Now that open source is increasingly getting acknowledged by policy wonks (essentially a victory for the community), isn’t there a danger that all sorts of bureaucrats and politicians will interfere with this self-regulated community?

Regulating comes later

Boehm bites his tongue. At least, ‘we will adapt,’ is his evasive answer. That is a very optimistic stance, he acknowledges. Like a true diplomat, he argues that the creative, unregulated, rough-and-tumble process of open-source software development is primarily something that plays out in the early stages of a project. Once a project has matured, it is time to start documenting and recording things. And thus to regulate it.

Overall, the survey, conducted yearly since 2022, paints a positive picture of open source initiatives in Europe. This is no surprise since the respondents consist of people who are professionally involved with open-source software. Still, when asked, they discern an upward trend. For example, 64 percent say open source adds value to their business operations, up from 59 percent in 2022, when the survey was first conducted.

Public money, public code

The survey further shows strong support for the principle that the code behind software created with public funds should be publicly available. Of all those surveyed, 82 percent said they agreed with the adage ‘public money, public code’. This question was not part of the report in previous years, so the high percentage cannot be compared with earlier results.

According to respondents, the most important benefits of open source for organizations are a lower cost of ownership, greater productivity, less vendor lock-in and better software quality. The main reasons for contributing to open-source projects tend to be personal. Think of one’s own development and fascination, collaboration with like-minded people and scratching a technological ‘itch’.

As for security, more than three-quarters think open-source solutions are more secure than closed-source, in part because anyone can inspect the source code and try to poke holes in it. Also, 43 percent think AI and machine learning applications benefit greatly from an open source approach, because of the transparency inherent in it.

Too little time and knowledge

What sometimes gets in the way of enthusiasm in general is a lack of skills within their own organization or among stakeholders. Other obstacles are a lack of time to really dive into something, being tied to outdated systems, and procurement policies that favor proprietary software. Regulations also add difficulty, as mentioned above, as some of them are outdated or, in other cases, unclear.

It is especially important to maintain enthusiasm, says Mirko Boehm: “That is what ultimately makes open source successful.” Precisely that enthusiasm may well come under pressure as open source solutions are increasingly in the spotlight and even end up in legal texts, with correct wording and all. Then it all becomes really serious. “Regulation makes a lot of things less fun. But you know what’s even worse? Not knowing where you stand, that uncertainty. That’s why we keep insisting on clarity and transparency. Precisely what open source is known for.”