Transcript
Olimpiu Pop: Hello everybody. I’m Olimpiu Pop, an InfoQ editor, and I have Gabriele Columbro in front of me. He has a bunch of titles on open source, but the Linux Foundation is the most important one in terms of PR coverage. But without further ado, Gabriele, please introduce yourself.
Gabriele Columbro: First of all, thank you for having me here, Olimpiu. And yes, my name is Gabriele Columbro.
I do two things at the Linux Foundation, I am the general manager of Linux Foundation Europe, our Brussels-based entity, and then I lead one of our foundations, which is FINOS, the FinTech Open Source Foundation, which is a global community of all the financial services constituencies collaborating in open source.
Europe invests more effort into open-source than it benefits commercially [01:20]
Olimpiu Pop: Two essential topics: one financial and the other Europe. But what I observed during the OpenSource Summit, it was something that personally made me happy, that you had a lot of reports more focused on the impact that open source has on commercial entities, more or less. That’s how I translated it, because on one hand, you brought Frank Nagle, who famously put the 90% plus open source into pretty much everything, so that’s the paper that he helped put together, and now it’s on all slides that 90% of all the software is actually open source.
And the other one was about financing and open source, and that was quite interesting because we do have examples of a lot of software that is also open source, but it also has a commercial license, and that needed some attention. It’s nice to see that coming from you.
Consider including some highlights and thoughts from those. There are many topics, so let’s take them one by one. You pick one.
Gabriele Columbro: Sounds good. Yes, as you correctly said, the Linux Foundation research arm is a trove of beneficial information, especially since I took the Linux Foundation Europe role; it has really driven our decisions, our focus, and our evolution. We like to be data-driven, and I’m excited that these research reports are freely available to everyone, not just the report itself, but even the backing data is something that we encourage people actually to play around with. That said, several reports were announced at Open Source Summit in Amsterdam. The two that you refer to are actually one focused on Europe, the open source opportunity for Europe, and then the state of commercial open source. Whilst they do touch on different topics, they are more connected than one would think.
I grew up in the open source community, as an Apache committer first, and then moved to the world of foundations, the magic world of foundations itself. But now, living in California for 15 years, I think the main highlight from the combination of these two reports, and I’m happy to go a little bit more into the data later on during our conversation, is really the fact that Europe has a strong grassroots open source community. Suppose you look at the stats on GitHub, for example. In that case, there are actually more open source contributors and maintainers from Europe than even from the US or from China, where you do have, in the US, substantial private sector investment in open source, and in China, a strong national, state-driven strategy around open source over the last couple of decades. But you see, in Europe, this is a very grassroots engagement.
But if you then turn it into value capture out of open source, especially as most recently the digital sovereignty conversation has become heated up as the geopolitics of open source evolve quite drastically over the last couple of years, it has become pretty apparent that Europe doesn’t do a good job at creating ecosystems around the open source projects that are born and maintained mainly in Europe. I’ll give you a couple of examples here. There are 1.6 more developers in Europe, but there’s 4x less funding. There are only two European companies in the top 20 contributors, according to the open source contributor index.
I’ve spoken with many founders of open source open core projects in Europe, and they all tell me the same story.
They start in Europe, but then they largely move to the US because of better funding, fiscal, and then exit climate, which brings me all the way back to one of the major findings that we basically validated through our Europe report, which is whilst there is a deep understanding of the value of open source in Europe, there is quite a bit of a gap in the strategic understanding of open source, especially when it comes to C-level engagement. Only about 60% of executives recognize the value of open source versus almost 90% of the non-C-suite practitioners, and I think this is a common thread that I’ve seen over the last three years.
Olimpiu Pop: So what we’re saying is that we, the developers of Europe, like open source and put a lot of effort into it. Let’s look at it compared to the other larger climates, like the Americas and Asia, where we do have, in the case of China, more particularly. We have government involvement pushing more into that, while we have a much better dual definition of the ecosystem in the US. But if we look at it from the bottom up, at the boardrooms and the C-level of the organisation, people usually don’t fully understand what’s happening. And it’s also in terms of, this is added by me, in terms of bureaucratic ways of doing things at the commission level, because that’s what most of the people are saying.
Gabriele Columbro: That’s a good recap. And I would paraphrase it as at the Linux Foundation, if you think about CNCF, Linux, and other ecosystems that are sustainable in open source, it’s a combination of obviously this grassroots engagement, but a lot of mostly private sector funding on commercial startups that are built on this open source and that ultimately bring those products to market. An end user rarely consumes open source directly. Sure, libraries, we all know that final products are 80% to 90% made of open source. But when it comes to an actual solution, 90 out of 100 is a commercial company that makes an open source project, puts it into a product, and provides the layer of support and services around it. And that’s what essentially has been missing in Europe, both in the understanding of the commission, as you were saying, but also in the climate of funding, fiscal and exit.
Olimpiu Pop: Yes. And I think that’s a good way of looking at it, because as you said, we, as knowledgists, we can go with working with open source, but you have to be hardcore and build your own stuff. But lately, you see the emergence of technology all over the place, in all different places, and now computer literacy is not something that anybody’s taking for granted and you have to have that in place. But now, in comparison with 20, 30 years ago, everybody needs to have access to it, and that’s why you have simple things like operating systems which are based… And it’s a layered approach, so that’s something that we need to understand.
Open source: the last global innovation ground [08:54]
I was at KubeCon this spring in London, and it was nice to see that the Linux Foundation Europe is trying to play the glue role. You got a bunch of big names on stage, if I remember correctly, you had people from SAP, about this new digital sovereignty that everybody’s looking into. And it was nice to see people from France, from Germany, that normally will not come together that easily, working together towards a common goal, and everything under the helm of the Linux Foundation, which has a name, it’s well-known, as you already mentioned. Besides all the other projects that you have under your helm, CNCF is probably one of the most impactful in the infrastructure space. And what’s nice, if you just go around the open source booths in KubeCon particularly, it’s nice to see people from all over Europe, but also China, the US, South America, and it’s a very small village, a global village, with everything. So what are the plans of the Linux Foundation Europe, is it focused on Europe or let’s rebuild the bridges around the world?
Gabriele Columbro: That’s a really good question, and I think it does really go to the very core and very heart of why we launched Linux Foundation Europe. The Linux Foundation is already a global community, open source is a global community. If you just sample the Linux Foundation, even in 2023, we already had 30% of our members come from Europe, about 30% of our contributors come from Europe. So there is a very evenly split geographical distribution of both contributors and funders. And that is, again, sampling the fact that open source is global in nature and it’s, I would argue, the most beautiful innovation engine that we have left, especially in the last two years of heightened tensions from a geopolitical basis, it is the one vehicle of collaboration that we really have left to innovate globally on technology and beyond, I would argue.
So to your specific question, our tagline, it’s collaborate locally, innovate globally. The idea is that we’re very much aware that Europe has very particular legal framework, where you have 27 states with a supernational entity, like the EU, that really requires a specific entity, where you can base projects in Europe, where you can, again, address some of the concerns, like digital sovereignty that you’ve mentioned in terms of where the project is actually hosted. But on the other hand, it’s innovate globally. We want to make sure that this pushes for digital sovereignty, which are absolutely understandable, you want to be able to be sovereign. As open source people, we’ve always understood the value of vendor lock-in prevention, and so digital sovereignty is really just an evolution of that. But we want to make sure that these pushes do not result into fragmenting the open source community, into creating the notion of American open source versus Chinese open source versus European open source.
And so, you mentioned SAP was on stage launching the NeoNephos project, one of the seven projects that we have under the Linux Foundation. Well, I think that’s a really good example of NeoNephos comes out of IPCEI-CIS funding, which is an EU-level funding for digital sovereign effort. Great, it makes sense to have a truly openly governed effort that is hosted under Europe to address the European-specific requirements, to address the European-specific priorities. But the beauty of being within the Linux Foundation is that you can easily access upstream projects, like Kubernetes and all the other building blocks that can and should create the sovereign stack, as well as a platform like KubeCon, where you can get on stage in front of 15,000 people, and that’s frankly what the Linux Foundation can offer in terms of maximizing the success potential of a project. So, go for local collaboration, but make sure that we don’t fragment across borders. I hope that that makes sense and addresses your question.
How maintainers are adapting to CRA implementation [13:43]
Olimpiu Pop: Yes, definitely, thank you. Actually, there’s a follow-up question that you touched on, an important aspect, the geopolitics of open source. As you said, we cannot have American, Chinese, European open source or something, regardless of the label that we have. But there was the Cyber Resilience Act that ignited the passion of the open source community, and I know a lot of people that were involved, names that come into my mind now are the people from Sonatype, more particularly Brian Fox was one of the people that pushed a lot on this. In the end, the form was decent, accepted by the open source community, but now we are coming into force. Do you see any risks for fragmentation of the ecosystem now with the coming into force? Because definitely, the lobbying entities of bigger companies will have more steam than the actual individuals involved with open source, even though the European open source community is big.
Gabriele Columbro: If I read through the lines, I would say that yes, at the beginning, in the early texts of the CRA, given some of the requirements that were posed on the intermediaries of open source, meaning going back to the notion of ecosystem and the full understanding of the ecosystem, whilst the CRA obviously has a commendable goal, some of the early drafts would put some really, really strong requirements, like liability on the stewards, like foundations, on the intermediaries, like central repositories, GitHub and so on and so forth. So I remember early in the days, there were some fears that that would result into some of these intermediaries not serving Europe anymore or shutting access to Europe to manage their risk.
Now, the reality is that with the current version, the version that was approved, the version that is now about a year out from full enforcement, as you said, we’re in a much better place. I think the requirements from stewards are much more manageable. The requirements for these intermediaries are much more manageable. The requirements for individual contributors are very loose. We as Linux Foundation, and by no means we can speak on behalf of the whole open source community, but given the criticality of the projects that we have, I think we’re doing all we can to, A, provide training and education.
We do have a free training that is the most taken training in the Linux Foundation’s entire curriculum. We’ve done research, and that, yes, shows that there is still quite a bit of an awareness of what’s needed, especially in the manufacturer community. And we are working through our OpenSSF Foundation to really provide tools and standards for not just our projects, but hopefully something that then can be also included in the standardization process that is currently ongoing at ETSI and CENELEC and the various European open source standard organizations.
To your question, whether I see risk, I think the biggest question is, will manufacturers be ready to meet the challenge? That is something where even last week, we had our member summit in Ghent, our CRA track was completely full. There’s still obviously a lot of questions, more questions than answers, I would say, from the manufacturers, as obviously the standardization is still ongoing, and so you don’t know exactly what you will need to comply with. So there’s certainly work to be done.
That being said, we also had Greg Kroah-Hartman on stage, who you might know is the maintainer of the stable branch of the Linux kernel. It was very refreshing to hear him say, “Look, we got this”. The Linux got this, and if the Linux kernel got this, everyone should be able to comply. Requirements on open source projects are not as burdening as they were in the early stages. And frankly, this is stuff that you should have been doing anyway, whether it is having higher security posture, or to the manufacturers, the requirements to upstream some of their fixes, it’s things that obviously, as foundations, we’ve been encouraging for quite a bit. So yeah, I’m not going to say that it’s all hunky-dory. There’s a lot of work to be done, and I would exhort the manufacturers to step up and learn and implement their own processes, but rely on upstream work that has been done by foundations and the major projects. But it’s not as daunting as it looked like in the early draft.
Olimpiu Pop: I tend to agree with that. In the last couple of years, I put a lot of effort also talking in different ecosystems and different conferences about pretty much the same thing about supply chain security and now, where I feel that there is the biggest risk, at least from my angle, is when people start looking into the CRA pretty much in the same position as we look at security standards, like ISO standards, like SOC 2 standards, where we just want to have the stamp. We don’t care about the process and what you actually get, but we just want to validate those kinds of things, and that’s the only thing where you’re just getting lost in the fog of bureaucracy and paperwork, and I think that’s the most important thing. But hopefully, everything will be in place because Europe has, in my opinion, a very good direction into what it tries to achieve. But now, it’s about bringing together private education and also the governments so that we understand exactly where we need to go.
Gabriele Columbro: I think you’re absolutely right. And if I may jump in there, I think the one party that might be more in a squeeze is the European small and medium businesses that are building on open source, because while the large manufacturers have deep pockets to comply, whilst individual contributors and foundations now recognized as the stewards have a loosened regulatory framework, small and medium businesses who have a commercial interest built on open source, they have to comply with a pretty strong set of requirements.
That being said, I was pleased to see that Europe and the public sector recognize that and have put out grants and funding to support this, as well as, you probably might know, there is now a proposal being pitched to the European Union for an EU-level sovereign tech fund akin to the German sovereign tech fund that we’ve seen very successful. So obviously, there’s more to do, even in the space of creating that sustainability cycle, that funding, long-term private sector funding. We are working a lot with VCs to encourage this commercial open source investment in Europe. I think the EU has understood that they need to put their money where their mouth is, and so they’re supporting some of the classes that may be a bit more of a squeeze.
Open source underlying infrastructure risk [21:12]
Olimpiu Pop: Yes, I think you’re right. From another conversation with Brian Fox, he rang the alarm bell on open source infrastructure. Definitely, he was more caring about Maven Central, because that rests on Sonatype’s shoulders. How do you feel about it? You have a lot of open source projects that you maintain, and definitely in order to provide the infrastructure for a global community, that’s a big responsibility to have that nobody actually thinks about. If it’s in the cloud, it’s there, we don’t care about it. But when you have the bill, you are the one that has to care about it. How big of a risk is that?
Gabriele Columbro: It’s a very good question, and I’ve seen Brian and several other foundations’ open letter recently. I think it’s a very important conversation. I used to be a Maven guy myself before turning to the magic world of foundations, I used to be a release manager, and to your point, yes, we take that infrastructure for granted. I think this is an area where, given the critical role that it plays in the supply chain, if Maven Central goes down tomorrow, you can imagine the amount of red builds across the world, it’s an area where I think both private funding, but to an extent, public funding is needed. I think it’s an area where, honestly, neutral governance might be beneficial. Even if you think about what happened with the CVE repository recently and being in a way dependent on public funding, it’s risky. So I work a lot with banks, so the more you can diversify the risk and the dependency, the better, I would say, there.
And to your point, bringing it to us, this is, I think, one of the features of the Linux Foundation. Obviously, we don’t host repositories, we don’t host artifact repositories. We obviously host infrastructure on GitHub, GitLab, and in some cases, our own hosted Git servers. But the Linux Foundation has over a thousand members, and our funding is, in nature, very distributed and very decentralized. And so, yeah, I welcome certainly the call from Brian, Sonatype, and that open letter out there, because again, this is an area also where a lot of those builds happen in cloud and GitHub actions are free, and so the value chain needs to be re-evaluated quite deeply there.
Olimpiu Pop: Thank you. After the alarm bells, it’s refreshing to hear about that there is hope. Is there anything else that I should have asked you, but I didn’t, that our listeners should know about?
Gabriele Columbro: Maybe the one thing that I would add is, just to wrap, we went pretty much the whole meeting without talking about AI, which is interesting. That might call for a whole separate discussion between the geopolitical aspect of AI and commoditization of models, now being open source, but also something that Jim, our executive director, has started floating lately, what is the impact of AI in open source? We know about AI slops and the burden on maintainers, but what is the best way to accelerate open source through AI? And then, obviously, lastly, the whole agentic frontier, where a lot of the core infrastructure is now open source, everyone talks about MCP. There’s a lot to unpack there, but I think that might require a dedicated conversation.
Olimpiu Pop: That’s for sure. It has multiple levels. And the two that I will just name are one of them is you as a group of organizations, because it’s not only one that is stewarding open source, it’s about the content and the quality of the things that are actually coming from the perspective of the generative nature of AI. And then, on the other side, we are talking about open source, open data, the ethical aspects, and a lot of other things that should be of importance for people that are actually using it. But as you said, that’s a whole different story, that should be treated differently, and that’s why I left it to the side, because everybody’s talking about it. Gabriele, thank you, thank you a lot for your time.
Gabriele Columbro: Thank you, Olimpiu, it was nice to meet you, and happy to have a follow-up conversation at any point in time.
Olimpiu Pop: Thank you.