About

Providing research and advocacy to support open tech and digital public goods | More ››

Recent posts | All posts

  • EU’s next long-term budget proposal: EU Sovereign Tech Fund

    EU’s next long-term budget proposal: EU Sovereign Tech Fund

    The European Commission is preparing for the next multiannual financial framework (MFF), the EU’s long-term budget, which will begin in 2028.

    The Commission has launched seven public consultations across various policy areas to gather stakeholders’ views on how the next MFF should be shaped.

    We prepared input for the “EU competitiveness fund” area, supporting the EU-wide Sovereign Technology Fund (EU-STF) proposal submitted by OpenForum Europe, with particular focus on the heavy reliance on proprietary solutions.

    At a time when the EU is rightly questioning its external technology dependencies, particularly amid the “EuroStack” conversations, a well-designed EU-STF with a long-term commitment could be positioned to the EU’s advantage.

    In summary, the long-term goals should be:

    • To increase the production of all open source software (OSS), including end-user applications.
    • To shift the software market towards open source software, gradually replacing proprietary solutions with open source alternatives.
    • To aim for full digital sovereignty, maximum innovation, and economic impact, particularly around the software stack.

    Regarding the fund:

    • Establish a proportional fund size for the software sector and increase it gradually by introducing an “open source tax”; increase the value-added tax on proprietary solutions.
    • Allow all companies producing open-source software to generate revenue through the fund.
    • Ensure the fund is distributed periodically as direct revenue. The primary metrics should be “software usage” and “software complexity”.
    • Make a long-term commitment to ensure businesses can rely on this revenue.
    • Fund only EU-based OSS initiatives. Companies outside the EU should be invited to the EU or asked to lobby for establishing a fund in their countries.

    Since the consultation received over 2,000 responses, we decided to keep our contribution brief. You can read our two-page proposal at the following link:
    Proposal for a Long-Term EU Sovereign Tech Fund

  • Interview with Bill Doerrfeld: How do we fund open source?

    Interview with Bill Doerrfeld: How do we fund open source?

    Photo credit from the original article: Gecko Studio / Shutterstock

    We had the pleasure of interviewing Bill Doerrfeld, an independent tech journalist, about the sustainability of open source software.

    During our discussion, we argued that the public nature of open source software (OSS) and the lack of coordination among consumers (often called the “Tragedy of the Commons” or the “Free-rider problem“) prevent this ecosystem from receiving adequate financial return compared to the economic value it creates.

    Our position is that, as with other public goods, the only way to ensure stable funding for OSS is to introduce a dedicated tax. In the interview, we shared our “Open source tax” proposal to address this issue: partially increasing value-added tax on proprietary software sales and allocating the tax revenue to support the OSS ecosystem.

    You can visit the following link to read the full article:
    How do we fund open source? | InfoWorld

  • The US Government RFI on OSS – Summary Report

    The US Government RFI on OSS – Summary Report

    The U.S. government has released a summary report on last year’s RFI on open source software, outlining key submissions, findings, and actionable recommendations to strengthen and secure the open source ecosystem.

    The report details the following twelve activities that government agencies plan to address in the coming period:

    1. Advance research and development.
    2. Secure package repositories.
    3. Partner with open-source software communities.
    4. Promote further development and implementation of the use of Software Bill of Materials (SBOMs).
    5. Strengthen the software supply chain.
    6. Establish the first U.S Government Open-Source Program Office (OSPO).
    7. Assign vulnerability severity metrics.
    8. Increase education and training tools.
    9. Expand International Collaboration.
    10. Enhance security and replace components of legacy software.
    11. Advance public-private partnerships.
    12. Use formal methods.

    “A significant step in the right direction”

    In our response to the RFI, we (under the Dalewind Software name) recommended that the US establish a dedicated public fund to support the open source ecosystem, similar to the Sovereign Tech Fund in Germany, with a focus on scalability. We are pleased that the report specifically highlights our proposal in the Sustaining Open-Source Software Communities and Governance chapter.

    The full report can be accessed via the following link:
    Summary Of The 2023 Request For Information On Open-Source Software Security

  • Legal entity update: forCrowd and Dalewind Software merge

    We are merging forCrowd Foundation and Dalewind Software, both founded about 10 years ago, under one umbrella.

    We established the forCrowd Foundation (Stichting forCrowd) to house our research and advocacy work on open source software, as well as the projects we were developing.

    Dalewind Software, on the other hand, was incorporated to serve as a legal entity for our commercial software development work.

    Over time, as we continued our software development work at Dalewind Software, we were unable to sustain the non-profit efforts we had initiated under the foundation.

    In the coming period, we plan to continue as a consulting firm with a primary focus on research and advocacy for open source software and digital public goods.

    Therefore, during this transition period, we have decided to merge these two organizations and continue under the name forCrowd, given its background in open source software.

    As of this week, we have closed the forCrowd Foundation and renamed Dalewind Software as forCrowd.

  • The US Government, Open Source Software, and Analyzing 786 Pages of Responses – Highlights

    The US Government, Open Source Software, and Analyzing 786 Pages of Responses – Highlights

    A content analysis of the submitted responses to the U.S. Government’s Request for Information on Open Source Software – Part II: Highlights

    In our previous article, we shared details of our analysis of responses to the U.S. government’s Request for Information (RFI) regarding open source software.

    In this article, we list the sections that caught our attention and present them in a simple format without commentary. Our aim is to provide a general overview of the details outlined in this public consultation process.

    We have compiled these sections from 25 organizations under seven different topics. To view the complete response, you can click the organization’s name.

    We would like to reiterate that our primary focus in this analysis was on how organizations define open source software, the challenges they identify, and the solutions they propose, particularly regarding funding. Therefore, while the RFI’s main focus is software security, you will see fewer items related to technical solutions.

    Enjoy the collection!

    1. Current State

    Anchore, Inc

    Modern day funding of core open source projects is not likely to generate revenue, because the current development model is not sustainable for many small open source projects. As a result, the current open source model does not incentivize or reward secure development practices.

    Chainguard

    In sum, open source software security is a public policy problem in the same way that “health” or “housing” or “foreign affairs” is a public policy problem. It’s just newer. And that newness is exciting, but that same newness should also be a reason for some caution and modesty.

    Eclipse Foundation

    One of the greatest challenges to sustaining open source software lies in its economic model. Access to the benefits of software which has been developed and licensed as open source is freely available to all actors in the ecosystem. Many companies deriving the benefits of OSS for a range of well-understood reasons contribute back to the projects which serve as the basis of their commercialized offerings, while many more do not. This later behavior is referred to as “free riding” and is not one of the industry’s better practices.

    Microsoft Corporation

    To deal with [the lack of investment and participation in open-source software] challenges effectively, governments must adopt a long-term view that considers the security, sustainability, and resilience of these vital systems. Instead of prioritizing short-term interventions, governments should invest in holistic solutions and strategic partnerships that lower systemic risk, improve efficiency, and increase competitiveness.

    Open Source Initiative (OSI)

    However, many companies that rely on OSS do not contribute back financially to the OSS projects and communities upon which their service offerings rely. The very licenses that govern open source require freedom of use, which means that the commercial entities that use OSS are free to do so without contributing to the security and health of the software. This is sometimes referred to as the “free-rider” or “tragedy of the commons” problem. This freedom to use and reuse has resulted in a boon to innovation, but not in economic equity and sustainability. Inconsistent support for open source projects by the commercial entities that use them has been a difficult problem to solve.

    Open@RIT – Rochester Institute of Technology

    In an era where digital advancements are critical for addressing global challenges, including climate change, public health crises, and technological innovations, there is a growing recognition that the siloed nature of digital infrastructure development is unsustainable. To harness the full potential of digital knowledge, it is imperative to foster an environment that promotes openness, collaboration, and the removal of barriers to access.

    OpenSSF

    As a public good, there is a market failure when it comes to dedicating resources to open-source communities. There are few incentives for many organizations to participate, and yet those organizations all benefit when another organization does commit resources and personnel to the cause – a variation of the “tragedy of the commons.”

    Rust Foundation

    A related issue that represents a real security and stability risk in Open-Source is the reliance of Open-Source Software Foundations upon the goodwill of private sector companies to donate their resources in-kind to cover these infrastructure costs. As it currently stands, the world’s basic infrastructure and hosting costs for Open-Source languages (not only Rust, but several of the top 10 most used languages in the world) are supported by only a handful of vendors. Any one of these vendors exiting the market or pivoting their strategy would deal a severe blow to the security and stability of the ecosystem, and would have the potential to effectively bankrupt the Foundation affected.

    Tidelift, Inc.

    The bottom line for the impact of volunteerism on government and industry is that deep, fundamental security work requires constant, consistent work and uncompensated volunteers don’t typically get work done on a constant, consistent basis.

    2. Facts and Figures

    Apache Software Foundation

    While that scenario of individual developers may seem like an outlier, it is not an insignificant portion of the ecosystem. The 2022 Census II of Free and Open Source Software found that 94% of projects had fewer than ten developers accounting for more than 90% of the lines of code added. In 49 of the top 50 non-npm projects reviewed, nearly a quarter of them had only one developer responsible for more than 80% of the lines of code added.

    Open Source Initiative (OSI)

    The FreeBSD Foundation has also identified three security roles that it needs to fill in order to strengthen the project’s security posture to meet current and future needs. These three people will add $500,000 in currently unfunded annual salary expenses. Significantly securing critical OSS software will require a significant increase in investment.

    Python Software Foundation

    The first version of PyPI was opened for public use over twenty years ago in 2002, and it continues to be the main repository for open-source Python packages. PyPI has grown to host over 490,000 distinct projects, with over 5 million releases, which are downloaded collectively over a billion times per day. Maintainers upload roughly between 12,000-15,000 new releases per day to PyPI. PyPI website typically receives between 3.7 and 4 million unique visitors (humans) per month. PyPI receives approximately 3 billion web requests per day for projects hosted on its infrastructure (approx. 90 billion per month).

    A large volume of projects on PyPI … are maintained by volunteers, not by corporations. Many projects are even maintained by a sole maintainer, often without the resources or even the knowledge to update their package publishing processes to more secure methods. Out of 490,000 projects on PyPI, 91% of projects have a single account with the maintainer role.

    Rust Foundation

    The scaling and adoption of memory-safe languages such as Rust has related challenges in the associated scaling of the infrastructure that supports the language. The Rust Foundation is responsible for hosting Crates.io, the package repository for Rust, which alone costs upwards of $40k per month as of August 2023, and this cost rises monthly as the development and adoption of Rust increases. This is one of several infrastructure costs that the Rust Foundation is obligated to meet in order for individuals and companies to use the language to build.

    Sonatype, Inc.

    Over the last decade, Sonatype has seen first-hand an escalation of attacks that directly target developer and development infrastructure; Solarwinds is just one example of this type of attack. As part of our efforts to secure software repositories, Sonatype has also invested in human and AI/ML approaches to address these new attacks via malicious packages. Having identified over 250,000 malicious packages, the threat to OSS via public repositories and package managers is real.

    Tidelift, Inc.

    Similarly, somewhere around half of open source maintainers do that critical maintenance work alone. In our survey, about 44% of maintainers said they were solo maintainers, and other studies report similar numbers (eg, 57% in the [referenced] study of the most popular projects, and perhaps 93% in the [referenced] study of Python).

    3. Most Important Area

    Carnegie Mellon University – Software Engineering Institute

    In summary, the Software Engineering Institute (SEI) considers the behavioral and economic incentives area to be the most important as the incentives will need to influence the behavior of the OSS ecosystem thus achieving the goals of the Open-Source Software Security Initiative’s (OS3I) proposed initiatives. Without such incentives, the OSS ecosystem will likely continue its current path and trends likely without the changes the OS3I is attempting to achieve. Though this area is the most important for improvement, it may also be the most challenging. The OS3I and government must devise incentives that will work for the diverse and global open-source software ecosystem. That understanding is not as much a technical one as it is a socioeconomic one. Without that understanding, no amount of technical advancement will be effective. With that understanding, OS3I can engage with the open-source software ecosystem to understand the gaps that exists between OS3I’s desired state and the interests of the other stakeholders within the ecosystem as to what foundational needs, technical as well as socioeconomic, are required to close that gap.

    Tidelift, Inc.

    [Our] response to the ONCD Request for Information will focus specifically on the RFI topic area of “incentives for securing the open source ecosystem.” We believe that this is, in many ways, the most important area called out in the RFI. Open source is not magic! While other areas called out in the RFI are important, if incentives and motivations of open source maintainers are not well-understood by policy-makers, those other improvements will not happen, or will happen only slowly. That puts the question of incentives and motivation on the critical path for almost all other improvements to the security of the open source ecosystem.

    4. Public Funding

    Amazon Web Services

    Many, if not all, of the recommendations, actions, or potential regulations that may emerge as a result of this RFI will require significant work from maintainers and producers of OSS projects. In some cases the outputs of this process may lead to ongoing costs for things like additional infrastructure and recurring audits. Many OSS projects are run on an entirely voluntary basis by people who are not paid for their efforts, providing them with a significant challenge to fund this kind of additional work. Additionally, any risk of inequitable liability requirements will diminish their available funds to support OSS security best practices and requirements. Just as many other items discussed in this response require funding, finding a way to fund the work needed from small, independent projects is an important element of this overall effort that must be prioritized.

    Organized funds to improve open source security are already having an impact. Linux Foundation’s Alpha-Omega Project, Germany’s Sovereign Tech Fund, and, while not its specific focus, the United States’ Open Technology Fund have all contributed to improving the open source supply chain. Innovative efforts like the Open Source Technology Improvement Fund (OSTIF) is finding a way to bridge the communications gap between security professionals and open source project maintainers. More is needed to secure the critical foundations of our shared digital infrastructure, and the USG is in a good position to help advance these existing efforts, and potentially establish new ones.

    Atlantic Council – Cyber Statecraft Initiative

    Several federal entities such as NASA and the NSF already provide forms of funding for OSS projects, communities, or research. OS3I can leverage its position as an interagency coordinator to collate lessons from these entities learned in their OSS funding experiences into a best-practices framework for government funding.

    For timely responses to urgent needs in key OSS projects—for example, those heavily used in government or critical infrastructure—government should have a means of quickly allocating funding or other security resources such as developers, infrastructure, or security audits to those projects when required.

    In addition to targeted and timely interventions, government should seek a vehicle for longer-term, sustainable investments in the health of the OSS ecosystem. Government is uniquely well-positioned to take a long-term view on the public goods created by OSS and invest in initiatives to shore up the health of the community to promote these public goods and to forestall costly crises down the line.

    Eclipse Foundation

    Explore the feasibility of creating the equivalent of the Sovereign Tech Fund in the US, with a focus on contributing to sustaining and improving security of the open source software which the US federal government depends upon which might otherwise go untended. Choose a federal agency to create an appropriate agreement to underwrite the effort and give the program a three year pilot period to demonstrate impact.

    GitHub

    The federal government should establish an open-source software infrastructure fund like the German Sovereign Tech Fund model. One implementation option would be to expand the Open Technology Fund’s recently established Free and Open Source Software Sustainability Fund with a simple mandate to support important open source digital infrastructure.

    Google

    Open source software is a critical element of US digital infrastructure that needs financial support through new and existing public funding sources. The federal government should partner with existing OSS foundations such as the Rust Foundation, Python Software Foundation, Eclipse Foundation, Linux Foundation, Open Source Security Foundation (OpenSSF), and many others with expertise in this space. The federal government can leverage their collective knowledge and relationships to most effectively direct funding and support to key projects.

    The federal government should consider expanding the availability of public funding programs for open source technologies, similar to grant programs such as the OpenSSF’s Alpha-Omega Program, US AGM’s Open Tech Fund, Mozilla’s Open Source Support Awards, and the German government’s Sovereign Tech Fund. The National Science Foundation’s Pathways to Enable Open Source Ecosystems (POSE) program is a promising experiment in direct public funding of open source innovation, and we applaud its mission to foster wholly new open source foundations and ecosystems. POSE would be most effective if paired with a funding vehicle in the form of an “Open Source Tech Fund,” providing financial support for US and international organizations that maintain key open source projects. This support will help ensure the security and sustainability of critical, widely used and free public services like software repositories.

    OpenSSF

    Identify critical OSS projects/foundations and support them to improve their security, through funds or other contributions. One example is the Alpha-Omega project, a technical initiative of the OpenSSF. Alpha-Omega provides a path for industry to come together to catalyze critical OSS projects and foundations as they improve their OSS security in systemic and durable ways. It does this by funding security staffing, ecosystem-wide improvements, project audits, and security tooling. We would also like to see the OS3I supporting a government funding parallel to Alpha-Omega, similar to Germany’s Sovereign Tech Fund or the differently focused Open Technology Fund.

    5. Ideas and Insights

    Atlantic Council – Cyber Statecraft Initiative

    Government OSPO: The OS3I should serve as a prototype for and coordinator of US government open source program offices (OSPOs). First, OS3I should collate lessons learned from OSPOs in industry, academia, and US and foreign governments into guidance for US government agencies developing their own. It should also coordinate existing and future agency-level OSPOs or similarly tasked offices and serve as a functional single point of contact for OSS issues communicated to the US government in coordination with the ONCD, rerouting outreach to the correct offices and backstopping where none yet exists.

    Tracking dependencies: The rapid pace of digital innovation and the informal relationships between OSS dependencies and their downstream beneficiaries has created a digital ecosystem prone to stacking risk on a relatively small number of critical OSS projects. It’s also created challenges for entities—including government—seeking visibility into those points of concentration. Tracking dependencies is key to managing risk, and OSS dependencies run deep and quiet—US government cannot secure what it does not know it relies upon, hampering its ability to preempt or respond to crisis.

    Cybersecurity Coalition Comments

    All software: While utilizing memory safe languages can contribute towards more resilient software, it cannot be viewed in isolation. Practicing safe cyber hygiene and abiding by industry best practices are also important factors contributing to the overall security of open source software security. It is important to remember that all software has the potential to contain vulnerabilities, and therefore we should avoid concentrating on specific technical issues and instead focus on the overarching security of all critical software.

    Tech is evolving: We would also caution against mandating certain controls or specific memory safe languages. Technology is always evolving, and what may be considered best-in-class today could change tomorrow. Therefore, mandating specific controls in a regulation that could stand for decades is short sided. Instead, requiring ‘adherence to security best practices’ or referring to standards or frameworks that are more regularly updated is preferred.

    Datalytica

    Federally-funded bug bounty programs: The current and most popular bug bounty programs are “Hack the Pentagon” and “Hack Department of Homeland Security (DHS)”. One drawback to these efforts are that they are time-bound events, which some cybersecurity experts believe may not deliver consistent security improvements. A dramatically improved bug bounty program would persist over time and would involve increased public transparency (e.g., live streaming with Social Media presence, drawing broad viewership), industry collaboration, increasing the incentives, and expanding the scope of targets.

    Eclipse Foundation

    SBOM registry: Creating a centralized, accessible SBOM registry that not only stores these materials but also performs automated analysis could be a game-changer. The registry would offer to store an SBOM for any official release of any software product. This could include simple tasks such as automatic conversions (when possible) between CycloneDX and SPDX, automatic dependency checks, license compatibility evaluations, and even security vulnerability assessments. It could also compare SBOMs generated by different providers (for example different Linux distributions shipping the same software with slightly different options). Such a service would provide immediate, actionable insights for developers, making SBOM generation a value-added activity, because of the access of those additional functions. Results of the analysis should be publicly available.

    Institute for Security and Technology (IST)

    Centralized database of known vulnerabilities: We encourage the U.S. government to focus first on developing a centralized database of known vulnerabilities, along with tools and approaches to identify vulnerabilities at scale. It is critical to first understand the scale and scope of the open-source ecosystem and its associated security issues before identifying opportunities to increase its security.

    OWASP Foundation, Inc.

    On memory safety: Memory safety is not a panacea. Memory safety helps with a bug class not highly present in web application languages, frameworks, and APIs – buffer overflows. OWASP notes that memory-safe languages do not address the following bug classes, including insecure, insufficient, or missing:

    • Architecture
    • Authentication and Session Management
    • Authorization
    • Input validation and output encoding
    • Cryptographic Flaws
    • Error Handling
    • Data Protection and Privacy
    • Secure communications
    • Malicious code checks
    • Business Logic Flaws
    • File and Resource Handling
    • API Security
    • Configuration

    Open Source Initiative (OSI)

    Updating procurement rules: Through a multi-agency effort, the federal government should update its procurement rules to prefer technology suppliers that demonstrate financial and/or engineering support for the OSS in the suppliers own solution stack. This preference should apply to both cloud and on-premises solutions provided to the US Government.

    Python Software Foundation

    Centrally curated toolset: Right now, projects need to adopt each standard or tool implementing the standard individually and must use customized workflows or configurations, which dissuades many projects from adopting. Toward these standards being adopted by critical open-source Python projects, we propose creating a centrally curated toolset for building Python packages with optimal security practices enabled by default. A central toolset would require a relatively small investment to leverage existing security technology to create widespread adoption in one of the largest open source ecosystems in the world.

    Surveying the ecosystem: Because every migration of a project into memory safety requires time and resources, it is critical to prioritize projects that are most important to migrate and to avoid placing undue burden on projects which are less or not safety-critical. The nature of open source consumption doesn’t lend itself to knowing how and where a project is being used, so many project maintainers don’t know whether security must be prioritized for their own projects, increasing the complexity of this task. Effectively prioritizing candidate projects for migration would require surveying the ecosystem with usage information (number of downloads, dependency graph information, and input from consumers like the federal government) and whether their primary function would benefit from using a memory safe language (such as packages implementing cryptography or processing uncontrolled inputs).

    Red Hat, Inc.

    On package repos: Engagement with these key centers of distribution [‘warehouses’ (also known as package repositories)], which fill a vital function and are heavily depended on by the ecosystem, to improve their security posture could reap significant systemic benefits for software developers, vendors, service providers and users. Many of the packages and much of the community code found in warehouses are unsigned and have little information on their provenance. As a result, it is challenging to validate that the software received is authentic and intended for use by the maintainer, whether it is legitimate, or whether it is safe.

    On memory safety: The fact is that there is a growing use of memory safe languages in development communities. This is a major step forward in good programming practices. However, it is of no value when hastily implemented by developers lacking the proper training and experience to develop quality software. An experienced and security-focused C++ developer is more likely to produce code of greater efficiency and execution security than an inexperienced Rust developer.

    The Open Source Technology Improvement Fund

    Identifying the under-maintained projects: Projects first need to be identified and categorized by their lifecycle status, language, and relationship to critical infrastructure. There are millions of projects across billions of installs, so we need to prioritize appropriately. A critical exercise that will take approximately $10 million and between one to two years to complete is the identifying of projects in our infrastructure that are under maintained. The administration can start with supporting the Software Bill of Materials and any initiatives that identify software that is no longer maintained.

    6. Let’s Be Frank

    Chainguard

    Un-asked question: … the U.S. federal government should first define, assess and improve its own open source software security and, next, that of critical infrastructure, before seeking to contribute broadly to the safety and security of free and open source software writ large.

    Why focus on the federal government’s own open source software supply chain? Because it’s mostly a black box and likely full of the known dangers and risks that companies and open source software developers have been coping with. Does any entity within the federal government have a machine-readable list of all the software that entity depends upon and the open source software components within it? If the answer is no, and all indications are that the answer is no, then assessing the open source software security of the government isn’t even an unsolved problem; it’s more like an un-asked question.

    Sonatype, Inc.

    No intention for change: Unfortunately, we have observed and heard directly from organizations that do not believe the government intends to change the status quo. Their belief is supported, in their opinion, by a lack of specific action by the federal government to hold software organizations directly responsible and accountable. Given this, they hold much of the current rhetoric and public discourse as nothing more than pageantry with no intention for change.

    Sonatype does not hold this belief but recommends that the government should take clear, public steps in demonstrating the actions and capabilities of the federal government on these issues.

    The Open Source Technology Improvement Fund

    Very few good feelings: You need to build trust with the community which has been slowly chipped away over decades of government secrecy, spying, oversight, and perceived miserliness. In order to accomplish even the short-term projects suggested by this RFI, it will be necessary for the government agencies working on this to set aside their egos in the name of enacting change. Frankly, no one in the open source industry is going to willingly sign up for projects that are directly and singularly run by government agencies. There are very few good feelings towards government management or involvement in open source, especially in security. What you need to do is demonstrate that this government is transparent in its funding and support of security improvements for projects with no ulterior motives.

    The biggest challenge: Possibly the biggest challenge in defining and acting upon open source projects’ security is that big tech companies will not easily accept having to spend their profits on security efforts that do not just benefit themselves. Proprietary firms do not feel that using open source code is a commitment to the community of users and buyers of their software and hardware. Not only do they not practice any accountability back to open source, they benefit massively from the contributions and code of others for free.

    7. Rules and Regulations

    Apache Software Foundation

    While the general intentions of Europe’s Cyber Resilience Act (CRA) and Product Liability Directive (PLD) are welcomed in general–and their much-needed bolstering of security in particular–we are concerned by the proposed specifics. Proposed regulation imposes obligations too early in the supply chain, risking stifling innovation and jeopardizing the ability of open source organizations, such as the Apache Software Foundation, to make a positive contribution by coordinating the downstream industry with regard to security.

    Rust Foundation

    Funds for the support of OSS will require international disbursement with minimum bureaucracy in order for those funds to be allocated appropriately and to generate the desired impact. Any financial contribution or investment frameworks developed to funnel funds towards this work must ensure that they are free from substantial bureaucracy or restrictions.

    GitHub

    International collaboration can multiply the impact of federal government activities across all open-source software security priority areas. As with other global challenges and public goods, national governments share common interests in security, even among competitors. Each of the areas identified by the RFI should be on the agendas of most national governments. US diplomacy should encourage other national governments to increase and coordinate investments in open-source software security, utilizing the motion itself to build trust, as well as increasing global resilience by decreasing cyber risk.

    MITRE’s Center for Data-Driven Policy

    The U.S. government should work with and lobby the European Union to modify the current draft language of the CRA to ensure these developers are protected from liability. If we fail to do so, and the CRA is passed with the current language, then the negative effects on the U.S. and global FOSS ecosystem may be substantial.

    RTX Technology Research Center

    The United States should collaborate with the European Union on the Cyber Resiliency Act to seek standardization of terms such as “Critical Class I/II” and “Critical Infrastructure.” This will enable greater collaboration across international supply chains.

    Sonatype, Inc.

    We must collaborate with other governments and security agencies to ensure future regulations and policies prevent fragmentation within the OSS ecosystem. OSS is a public good; the contributors and custodians of this public good that underpins all software must be protected and supported through thought policy and regulation.

  • The US Government, Open Source Software, and Analyzing 786 Pages of Responses – Results

    The US Government, Open Source Software, and Analyzing 786 Pages of Responses – Results

    A content analysis of the submitted responses to the U.S. Government’s Request for Information on Open Source Software – Part I: Results

    In August, the U.S. government issued a Request for Information (RFI) regarding open source software. The objective was to gather input from the private and public sectors and begin formulating a long-term strategy and action plan for the federal government to strengthen the open source ecosystem. You can read more about the RFI through the following link: Request for Information on Open-Source Software Security: Areas of Long-Term Focus and Prioritization.

    In response to this call, we submitted the “National Public Fund to Finance Open Source Ecosystem” proposal, which suggests establishing a federal-level fund modeled after Germany’s Sovereign Technology Fund. In our proposal, we specifically emphasized that the fund should account for the fast-paced nature of the software ecosystem and that the funding structure should be designed accordingly. You can read more about our proposal in the previous article.

    ***

    When this public RFI was completed in November, a total of 107 responses, comprising 786 pages, were collected from organizations and individuals with different perspectives on open source software, including large technology companies, foundations, research centers, and security firms.

    Because all submitted responses were made public and limited to 10 pages, this pool of responses turned into a useful and rich resource for researching how open source software is perceived in the industry and the kinds of solutions proposed.

    When we began examining these responses individually, our initial goal was to identify those that were similar to our proposal. However, our work quickly evolved into a deeper, more systematic analysis, and we began documenting our findings.

    Results

    You can access the following document, which lists all responses, the keywords we searched for, and our notes, via the link: ONCD-2023-0002 – Content Analysis.

    Steps

    Here are the steps we took to prepare the results:

    1. List several keywords to search for. For example, “Volunteer”, “Public good”, “Procurement”.
    2. Run a text search with these keywords within all the responses.
    3. If the response has the keyword, mark that response in the sheet.
    4. Read the full text of the marked responses.
    5. Determine true (✅) and false (✖) positives; for example, does the “volunteer” keyword appear when describing open source software or in another context?
    6. Take note of important sections and newly revealed keywords during the review (e.g., “Volunteer” leads to “Hobbyist”).
    7. Iterate through the steps with the new keywords.

    All responses submitted to the RFI are available as PDFs in this online folder.

    Categories & Keywords

    Below is the list of categories, associated keywords, and the number of different responses they appear in. In the document, please check the “Notes” of each column to see the details and alternative keywords in the document.

    Definitions: Which keywords does the response refer to when describing OSS?

    • Volunteer: 22 responses
    • Public good: 14 responses

    Solutions: Which solutions does the response recommend?

    • Government funding: 37 responses
    • Procurement: 8 responses
    • Tax credits: 7 responses
    • Government OSPO: 4 responses

    Systemic issues: Which systemic issues does the response mention?

    • Underfunded: 12 responses
    • Free rider: 6 responses
    • Bureaucracy: 4 responses
    • Cyber Resilience Act: 11 responses

    Organizations: Which organizations does the response mention?

    • OpenSSF: 23 responses
    • OWASP: 12 responses
    • Sovereign Tech Fund: 10 responses
    • Open Technology Fund: 7 responses
    • Open Source Initiative: 6 responses

    Quick Takes

    Here are our brief remarks about the results.

    Growing demand for public funding

    Compared to previous conversations on financing open technologies, it is promising to see public funding promoted as a viable solution by numerous organizations. Degrees and conditions vary, but of 107 responses, 37 suggest government funding as a way to strengthen the open source ecosystem, including big tech companies like Amazon, Google, and Microsoft.

    In line with this general consensus in the responses, it would not be surprising if the US government were to take a step towards creating a dedicated public fund to support the open-source ecosystem. Such a move by the US, which could set an example for other countries, would be a significant milestone in further opening up the option of public funding for the open source ecosystem.

    Charity or business?

    On the flip side, open source software is still predominantly defined as volunteer work rather than a potentially business activity that generates substantial economic value. The terms “volunteer” or their alternatives appear alongside open source software in 22 responses—similarly, only a few mention the social and economic benefits of open technologies.

    This outcome might be understandable since the RFI primarily focuses on security. Still, we see this as a sign that we should work on the elevator pitch for open tech across the board and emphasize its connections with real-world challenges.

    Successful organizations

    Under the Organizations category, the Open Source Security Foundation (OpenSSF), established under the Linux Foundation only three years ago, stands out prominently. Undoubtedly, the RFI is perfectly in line with its scope. Still, it is impressive that it was mentioned in 23 responses, making it the most referenced organization.

    Similarly, despite being just one year old, the Sovereign Tech Fund has been cited as a model in almost every instance in which dedicated public funding has been proposed.

    A closer look at the ingredients of these organizations might be good homework, giving us valuable insights.

    Highlights

    In the second article of the series, we share over forty highlights that got our attention while reviewing the responses. It’s a compilation of quotes from 25 organizations, including major technology companies, well-known foundations, universities, and security firms.

  • The US Government RFI on OSS proposal: National Public Fund to Finance Open Source Ecosystem

    The US Government RFI on OSS proposal: National Public Fund to Finance Open Source Ecosystem

    In August, the U.S. government issued a Request for Information (RFI) regarding open source software. The objective was to gather input from the private and public sectors and begin formulating a long-term strategy and action plan for the federal government to strengthen the open source ecosystem.

    Here is an excerpt from the official press release:

    In addition to its many benefits, the ubiquity of open-source software in commercial products, government systems, and military platforms presents unique security risks. For this reason, the White House established the Open-Source Software Security Initiative (OS3I), an interagency working group with the goal of identifying policy solutions and channeling government resources to foster greater open-source software security across the ecosystem. By working with other interagency partners, OS3I identified several focus areas, including:

    • (i) increasing the proliferation of memory safe programming languages;
    • (ii) designing implementation requirements for secure, privacy-preserving security attestations;
    • and (iii) identifying and promoting focused areas for prioritization.

    For more detailed information about the RFI, see the following link: Request for Information on Open-Source Software Security: Areas of Long-Term Focus and Prioritization.

    ***

    In response to this call, we submitted a proposal to create a federal-level fund to support the open source ecosystem, similar to the Sovereign Technology Fund established in Germany. Our full response can be found here: National Public Fund to Finance Open Source Ecosystem.

    To summarize our answer, considering open source software (OSS) falls under the public good category, and its global consumption leads to the well-known Free-rider problem:

    • Can we create dedicated funds to address coordination problems among OSS consumers?
    • And can we design these funds to account for the fast-paced nature of these new digital public goods?

    Below is the section of “Principles” we propose for these dedicated funds:

    • Proactive: The fund should proactively identify and evaluate eligible open source initiatives, reducing bureaucracy and uncertainty.
    • Scalable: The fund should be designed to scale, accounting for the ongoing growth of the open-source ecosystem.
    • Data-Driven: Resource allocation should rely on objective metrics to ensure an unbiased distribution.
    • Transparent: The evaluation criteria, metrics, and weights should be publicly accessible.
    • Continuous: Acknowledging the ongoing contributions of the OSS to the economy, the fund should commit to generating constant revenue rather than one-off payments.

    For the first time in this document, we use the term “Digital Goods Income” to describe the income generated from the funds. We have also included YouTube’s data-driven payment structure, where it shares advertising and subscription revenue with content creators, as an example. Please feel free to share your thoughts on these details.

    We would also like to thank Deborah Bryant, Michelle Barker, Benjamin Nickolls, Richard Littauer, Gerardo Lisboa, Django Skorupa, and Andrew Nesbitt for taking the time to provide feedback as we prepared this text!

  • Open Source Public Fund experiment – One-and-a-half-year review

    Sponsored by

    First, the exciting news: we are delighted to share that we have started working with the Open Source Collective and Ecosystems teams on this research, and the Open Source Collective is sponsoring the following updates!

    ***

    We had the chance to improve the data, processes, and algorithms over the last couple of weeks. You can see all the changes on the Open Source Public Fund experiment document.

    TL;DR: We extended the Criticality Score algorithm to include usage metrics from the Ecosystems API and applied it to all open source accounts under the Open Collective, resulting in a new ranking system! We also provided the ability to adjust each parameter’s weight, allowing you to experiment with the algorithm yourself.

    Dataset refresh

    We refreshed the account list and included the country and yearly budget in the data. There are now 4729 accounts with a code repository.

    Criticality Score’s latest version

    We updated our Criticality Score repository to the latest version. The new version is written in Go rather than Python and includes a second algorithm that calculates the score by retrieving the “dependent count” data from the Open Source Insights (deps.dev) API.

    Manual score calculations

    We recreated all the formulas for calculating scores in the “Criticality Score – Results” sheet. It is now possible to experiment with the weight of each parameter and see the results directly in the document.

    New config with the Ecosystems data

    Decoupling data collection from score calculation made it easy to extend the data from other custom resources. Thus, we retrieved each repository’s “dependent_repos_count” data from the Ecosystems API and created a new algorithm configuration. This one replaces the deps.dev’s “dependent count” parameter.

    Now there are three different algorithms for score calculation, and you can see their parameters under the “Criticality Score – Config” sheet:

    • original_pike – Yellow: The default algorithm from the Criticality Score.
    • pike_deps.dev – Green: The second algorithm from the Criticality Score includes the “dependent count” from deps.dev as an extra parameter.
    • ecosyste.ms – Blue: The new algorithm that uses the “dependent_repos_count” data from the Ecosystems API and replaces the deps.dev’s “dependent count” parameter. We use the results of this new algorithm to distribute the funds.

    Changing a parameter on the “Criticality Score – Config” sheet updates the scores on the “Criticality Score – Results” sheet. Feel free to copy the document and try it yourself.

    Stats

    In the new “Stats” sheet, you can see a quick overview of the entire dataset, including budgets, languages, and licenses.

    Results

    This sheet shows the history and details of the three projects we randomly select each month to test the algorithm.

    Process details

    Below is a brief list of actions to prepare the data and the final results. One critical remark is that the process currently only works with GitHub repositories, so we exclude non-GitHub ones—hopefully a detail to improve in the future.

    • Retrieve account data from the Open Collective API to create “Accounts” and “Budgets” sheets.
    • Call the GitHub API to find the most starred repositories of each GitHub user, which you can find under the “GitHub – Top repos” sheet.
    • Run the Criticality Tool to retrieve the data points for each repository and store them in the “Criticality Score – Results” sheet.
    • Call the Ecosystems API’s Lookup endpoint to retrieve each repository’s additional “dependent_repos_count” data, then combine it with the other parameters in the “Criticality Score – Results” sheet.
    • Once the data is in place, the existing formulas in the “Criticality Score – Results” sheet calculate the scores.

    Stats overview

    Here are some current stats that stand out:

    • The total number of Open Collective accounts with a code repository is 4729.
    • 96.32% of those accounts use GitHub as their code repository.
    • However, 15.38% of GitHub usernames are invalid or non-existent, a significant figure. It would be beneficial for Open Collective to implement a verification mechanism for such critical user information, or at least require users to update their profiles periodically.
    • 81.62% of the accounts use USD as their currency. These accounts have an annual budget of approximately $15 million, with an average of $3,887 per account. These figures likely fall short of even one percent of ideal figures.
    • JavaScript is the most widely used programming language in our dataset; it’s used in almost a third of all repositories. Python is second, and PHP is third.
    • MIT dominates the license list with 41.91%, followed by 27 different licenses. 15.41% of the repositories don’t have any.
    • By country, the United States leads the list with 11.4%. China follows with 2.9%, the United Kingdom with 2.8%, Germany with 2.7%, and India with 2.5%.
    • The Ecosystems search returns 1453 matches across 3336 unique repositories. Among this data, npm is the top ecosystem at 46.94%, Go is second at 13.35%, and PyPI is third at 9.70%.
    • Using this experiment as a pretext, we invested $4,259 in 57 open source collectives over 19 rounds.
    • And last, here are the top five repositories with the highest criticality score based on the Ecosystems config:

    You can see the full ranking of each algorithm and more under the “Stats” sheet.

    What’s next?

    Here are some of the practical items on our list:

    • Most under-appreciated: Find the accounts with the highest score and minimum yearly budget.
    • License parameter: Categorize the licenses as permissive vs. copyleft, and add a license parameter to the algorithm as an experiment.
    • Repositories vs. releases: Combine repository data with release information, and improve the algorithm by including release metrics.
    • National public funds simulation: Categorize accounts by country and simulate fund distribution per country.

    Thank you for tuning in, and we hope you enjoy this experiment as much as we do. See you on the next update!

  • Sustain Podcast: Serkan Holat on Agile Public Funds

    Sustain Podcast: Serkan Holat on Agile Public Funds

    In this new episode of the Sustain podcast, we discussed the details of the “Open Source Public Funding experiment” with Richard Littauer and Leslie Hawthorn.

    We started the conversation by reiterating our main proposal for open source funding: gradually redirecting resources from proprietary to open source software by adding an “Open source tax” on the sale of proprietary solutions.

    Then we touched on our recently launched experiment, which aims to demonstrate how public funds should distribute collected tax revenues to open source initiatives in a data-driven, scalable manner.

    You can listen to the full episode at the following link:
    Sustain Episode 175: Serkan Holat on Agile Public Funds

  • Open Source Public Fund experiment – First-year review

    One year ago, we started an experiment about funding open source software with the following question:

    If you had 100 money, how would you distribute it across the entire open source ecosystem?

    Each month, we select three open source projects from the Open Collective platform, calculate their scores using the Criticality Score tool, and distribute that month’s amount among them based on those scores.

    Our goal is to spark more in-depth discussions about the use of public money to fund the open source ecosystem, how the ‘Agile Public Fund’ should work, and to engage with our open source entrepreneurs.

    Here are some quick stats about the last twelve months:

    • Including the test run, we invested $2646 in 39 open-source collectives, with one failed payment.
    • The project with the highest score is Zulip, a team chat application, with with a score of 0.7932.
    • The project with the highest estimated annual budget is Qubes OS, a security-focused operating system, which is well above the average at approximately $43K.
    • After the first six months, the average estimated annual budget for all projects was $3667. After a year, that’s now down to $2425. Not even close to an average salary for a single month, let alone a year.
    • Fifteen projects had no prior donations on Open Collective; we were the first to donate.
    • The most used license is MIT, with 17 projects.

    As a side “marketing” experiment, we used the followers of our personal Twitter account to determine the monthly amount. We have gained ~45 new followers after one year. Although our efforts are relatively passive, we can say that the experiment hasn’t significantly impacted our audience growth so far. We will include LinkedIn and Mastodon accounts in future rounds.

    We hope to add extra details to the project list and see whether we can improve the Criticality Score. As usual, your feedback is priceless, so please don’t hesitate!