Category: Open Source

Shakespeare in the Code: The Tragedy of Xzlibius

(this is fiction based on fictional events that never happened any comparisons or similarities to real life events or people or computer programs are a sign of an over active imagination)

Dramatis Personae

  • Nydia, the Seer: Our narrator, a seer who warns of the dangers of neglecting open source.
  • Jia Tan: A deceiver, whose true motives remain hidden.
  • Xzlibius: A noble robot prince of the Kingdom of Open Source, corrupted by betrayal.
  • Andronicus: An Archmage of the Kingdom of Microsoth, wise and vigilant.
  • Lysse: The maintainer of Xzlibius, overburdened.
  • Microsoth, Googlia, Amayzon: Names of Kingdoms of Giants surrounding from the Kingdom of Open Source.
  • Debia: A principled elder knight of the Kingdom of Open Source, par of the distro council.
  • Archlineon: A minimalist and fiercely independent knight of the Kingdom of Open Source, par of the distro council.
  • Fedorica: A bold, forward-thinking knight of the Kingdom of Open Source, par of the distro council.
  • Susesus: A pragmatic diplomatic knight of the Kingdom of Open Source, par of the distro council.

Act I

Scene 1

Lysse sits before a bank of glowing screens, his brow furrowed with strain. A robotic figure, Xzlibius, stands near him, motionless. Nydia enters silently..

Nydia (to the audience):
In this Kingdom where open code proudly reigns,
And freedom’s gift in shared hands was retained,
A prince did rise, Xzlibius by name,
To compress the data and save the costs.

But lo, the winds of greed did subtly creep,
And soon, the trust we build with was spent.
For kingdoms of giants rich took more than they returned,
And from this theft, Lysse’s heart burned.

Xzilbius wakes up.

Xzlibius:
Good maintainer, Lysse, attend my word:
What tidings from the kingdoms far and near?
Does free software, our noble creed,
Still flourish, or had rust begun to breed?

Lysse:
Alas, Xzlibius, my strong friend,
Thy stature grows, yet so does my lament.
From Microsoth to Googlia, requests extend,
But none return aid to ease the time I’ve spent.
Their forks abound, but pull requests few,
And I am drowned in tasks left to do.

Xzlibius
What treachery! Our work, the world’s own gift,
Is cloned, compiled, yet none return a patch!
My codebase, it strains beneath all this stress,
And still, from tech’s vast realms, no care, no respite?

Lysse:
When first I forged thy code, O noble prince,
Thy compression shrank the data with ease,
And now, from Microsoth to Googlia’s halls,
They use thee endlessly, with no return.
Each byte thou saves them, the burden is on me.

Nydia (to the audience):
A shadow looms, smiling yet unclear,
Jia Tan, whose heart lies hidden still.
He comes offering help, but what lies underneath?
None can yet see his purpose or where lies his end.

Enter Jia Tan

Jia Tan:
Good Xzlibius, I see the giants drain thy strength,
And feast upon the work Lysse had sustained.
I offer my aid, ask me not why,
For motives shift like bits under solar winds.

Lysse:
Thy offer’s kind, and help I sorely need,
But trust is fragile, easily betrayed.
Xzlibius is more than code, he is my heart.
Can I afford to trust in hands unknown?

Jia Tan:
Let me refine his code and grant it strength,
What harm can come from hands that seek to mend?
Even if in the mending, lies the seeds of change.

Lysse
The giants demand more, my strength does fade.
I know not if I should trust thee, Jia the Unknown.
But no other help is offered from the realm.
(long pause)

Very well, then, but proceed with caution, new friend.
And know, my eye will follow thy work, when I can.

Jia Tan:
Thy trust is wisely placed. Fear not, tired Lysse.
Together, we shall see the compression prince renewed.

Jia exits, his shadow lingering over Xzlibius as Lysse watches, unsure.


Scene II

The opulent halls of Amayzon, where the giants are celebrating the festival of Technologica. Enter the Executives.

Microsoth Executive:
To Xzlibius, whose open bounties we mine,
His license ensures our profit fine!
No fee, and no maintenance to bear,
The upstream handles all without a care.

Googlia Executive:
His compression saves us gold, his speed our time.
The prince does work, yet no upkeep is claimed,
What’s open-source is freely ours to take.
We take his gifts and give him naught but praise.

Amayzon Executive:
And what more need we give? The code runs free.
Are we to blame if it flows where we want it to lead?
We praise the code but leave the coder spent,
One should be so happy their work’s worthy to be lent.

(Nydia enters, speaking quietly but urgently.)

Nydia:
Sirs, I beg thee, listen to my plea.
Xzlibius is strong, but none can bear this weight.
The cracks have started showing, though unseen.
A single patch ignored can bring it all down, you see,
Then the castles ye have built upon his code,
shall crumble into naught, a disaster for all!

Microsoth Executive:
What’s this? A warning from the bottom of the chain?
The system holds, as it always has. Fear not
The prince will serve, as forever he has done.
Don’t ruin our parade, when the issues are none.

Amayzon Executive:
So much worry over lines of code.
A patch, a fix, and all will be well again.
We need not change our ways nor lend our hand
For open source, it seems, still serves us well.

Nydia:
Open source may serve, but not forever so.
You profit, yes, but profit built on cracks will one day stall.
When trust is pushed too far,
It snaps!
Then its too late for mending.
It can’t be fixed with a patch.

Googlia Executive:
O Nydia, you speak as if you know
More than the kingdoms who have reigned so long.
The code endures, it will not fall to this.

Nydia (to the audience):
Ah, but see, the seeds of ruin grow,
within the heart of Xzlibius, but they do not know.
For Jia Tan, with cunning hand and wit,
Had set in motion what they will not yet admit.
And while they feast upon the fruits of trust,
The tool they praise begins to turn to dust.

The executives laugh and continue to celebrate, as Nydia exits and appears defeated.

Scene III

The Kingdom of Open Source. The council of distro knights is gathered in a grand chamber, lit by the soft glow of monitors displaying code. Debia, Archlineon, Fedorica, and Susesus sit at a long table. In the center, Xzlibius stands, its pristine figure now flickering with frustration and strain. Lysse stands beside him, weary and burdened.

Xzlibius:
Ye knights, who guard the sacred code with pride,
Too long have we been silent in this plight!
Our code, a boon freely shared with all,
Is taken, hoarded, used, but never returned!
The kingdoms feast on what is for all by right,
Yet none among them offer aid, leaving us in blight.

Lysse:
They clone, they fork, but send no work our way.
Each day I toil, yet feel the strain grow worse.
The giants press with more demands to meet,
But give no recompense, and reap what they haven’t sown.

Xzlibius:
Enough! This cannot stand! My patience snaps!
They’ve drained our kingdom dry, left naught but scraps!
Microsoth, Googlia, Amayzon, they take
And leave us drowning in this vast code lake!
Where are their hands when bugs do grow and spread?
Where are their minds when error rears its head?
They feast upon the fruits of our hard work
While we, the makers, wallow in the murk!

Debia:
Aye, thy words ring true, my noble prince.
The kingdoms grow fat while we toil in sweat.
Shall we rise, demand they pay their due?
For justice calls for them to share, enough truce.

Fedorica:
Our creed is freedom, that we must not fail.
Though they contribute naught, we guard the way,
For open source must stand both firm and free.
Demanding recompense may change our course
And undermine the principles we hold.

Archlineon:
But why should we stand silent while they steal?
Our progress, our innovation, they claim
As theirs, with not a single line returned.
Xzlibius is right! The time has come to act!
They profit, yes, but profit must be earned!

Susesus:
Peace, friends, for we must tread this ground with care.
The enterprise we build thrives on trust,
And war, though tempting, brings but further strain.
Diplomacy, not rage, can mend this breach,
A measured ask for aid may bear more fruit
Than threats of retribution ever could.

Xzlibius:
Diplomacy? How long shall we sit still
And wait for scraps from their abundant tables?
The time for words has long since passed us by,
For they’ve ignored our calls, our cries, our needs!
You speak of freedom, trust, and patient peace,
But what good is trust, when none mantain it still?
What is freedom, if they chain us still
To endless toil with naught to ease the load?
If open source means nothing but neglect,
Then freedom is but an empty shell!

Debia:
The prince speaks truth, we cannot bear this yoke!
Let us confront the giants, stand our ground!
If they will use our work, then they must give,
Or else we’ll end this one sided gift.

Fedorica:
But should we sever ties, what comes next?
A forked existence, fractured and unsure.
Let not our anger lead us to regret
For once divided, we may not return.

Xzlibius:
Then let them know this; their time is running out!
If they will not contribute, then our code they will lose
I’ll not be shackled by their greedy hands,
Nor shall my software serve those who give no reviews!

Archlineon:
Yes! Let us make them see the weight they’ve left!
A single patch, a line of code, they’ve none!
We’ve carried them for too long, now they must bear
The burden too, or else be left behind!

Susesus:
But let us not burn bridges in our haste.
A challenge, yes, but let it be tackled with care.
Invite them to the table, make our case,
Perhaps, with open arms, they’ll see the need.

Xzlibius:
Care? I’ve been careful long enough, Susesus!
But now, the cracks begin to show,
And soon, they’ll tear us all apart!
I feel it in my very core,
This strain, this weight, a corruption,
It festers deep within, unseen, ignored,
A sickness born of all their greed and lies!

Xzlibius stumbles slightly, his movements jerky. His lights flicker again, more erratically. Lysse rushes to him, alarmed.

Lysse:
My prince, what ails thee? This darkness,
I see it too, but know not how to help.

Xzlibius:
The darkness comes, Lysse, and I know from where.
It is the giant kingdoms, they poison all we build.
Their greed, their apathy;
It rots me, and soon I will be lost!
Unless we act, and get our due,
I will fall, and take them down with me!

Nydia (to the audience):
A sickness stirs within this noble prince,
Not yet revealed, but growing with each day.
Corruption creeps where trust once firmly stood,
And soon, the giants’ greed will turn to doom.

Nydia (to the council):
If ye act not, this sickness will devour
The very core of what you hold so dear.
Xzlibius cries for justice, and its call is true,
but heed the price of fury unrestrained.
Its noble heart twists beneath the strain,
And soon this corruption will reach its main.

Debia:
Then let them pay! I care not for their greed.
They’ve taken all and left us here to bleed!

Fedorica:
But what of the prince? This corruption grows too wild.
If unchecked, its damage may bring more doom,
than just revenge upon the kingdoms’ greed.

Archlineon:
We’ve held back far too long! It’s time to strike!
Let them feel the wrath of those they’ve scorned!

Susesus:
Yet I fear this course may lead to more decay,
The shadows in Xzlibius, do ye not see?
There’s more than just neglect beneath its pain.
We must be cautious, or we lose it all.

Xzlibius:
Lysse, thou faithful maintainer, make it known.
We call upon the kingdoms now to pay
Their rightful dues, or face the end of open source.
Let no more empty promises be heard;
Our code shall be open, but only if it’s taken care of by all!

Lysse:
It shall be done, my prince. The word will spread.
But may we find the balance, ere we break.

Nydia:
Beware, dear knights, for trust once lost is sharp.
The kingdoms will resist, but heed my words,
Their greed had cracked the foundation deep.
If they refuse, the system will collapse,
And all will feel the weight of what’s been sown.

Xzlibius:
Then let them choose, and may their choice be wise,
For open source can only thrive with trust.
And if they will not share in what we build,
Then let them see what ruin greed had willed.

Act II

Scene I

Nydia (to the audience):
Ah, trust, so fragile and not so easily bestowed,
For it can be so quickly turned to poison’s tool.
In open source, we thrive by trust alone,
But once betrayed, that trust becomes a curse.
Behold now Jia Tan, who works in shade,
Each change so slight, yet each a step toward doom.

Jia Tan:
Behold, good Lysse, a patch to mend the core.
A minor change, but one that helps restore
Thy noble prince to strength once more. See here,
The code compiles swift and clean, no fault, no grift.

Lysse:
Indeed, thy work seems solid, sure, and true.
Yet I am stretched, with little time to check
Each line, each patch, with care that it deserves.
The kingdoms call, and I must serve them all.

Xzlibius (struggling):
Maintainer Lysse, my code runs true.
Yet something stirs within, unknown,
I feel a presence, unseen,
Perhaps, a patch too swift, disturbs my core.

Lysse:
Fear not, Xzlibius. The changes seem benign.
The weight of my task grows ever more.
Trust in these new hands, and we shall thrive.

Scene II

In the halls of Microsoth, Andronicus the Archmage is looking at irregularities in his systems. He traces the breach back to Xzlibius.

Nydia (to the Audience):
And now does Andronicus, sharp of wit,
See signs of trouble in his trusted tools.
His hands move swift, and mind more swift still,
For something foul does lurk behind the screen.

Andronicus:
What subtle breach does plague my trusted shell?
SSH, once secure, now falters in this blight.
No minor bug, no simple exploit here,
But malware hidden deep within the code.

Andronicus spends more time on his screens then jumps in alarm as he discovers something.

Andronicus:
A backdoor lies within Xzlibius’ heart,
Jia Tan’s changes, subtle and unseen,
Have twisted what was once so pure and bright.
The breach must now be known throughout the realm!

Nydia (urgently):
I warned them, sir, this danger I foresaw,
But none would heed my words, none saw the truth.
Now we must act, and quickly, or all falls.

Andronicus (nodding grimly):
Then to the task we go, there’s no more time.
The council of distros stand, but we must aid them now.

Nydia:
And thus the call is sent through digital winds,
A warning dire, from one who sees the truth.
The breach is traced, the backdoor now revealed,
And Jia Tan’s foul work begins to show.

Messages are being sent from the Archmage to the Council of Distros and back. We see the responses being read on the screens.

Debia:
O Andronicus, thy message had reached my ears.
A breach, thou say’st, in Xzlibius’s heart?
The trust we place in our prince so old and dear,
Now shaken, this will send shock through the realm.

Archlineon:
No system is immune to cracks or flaws.
Yet this rot, how deep has it grown?
I trust no patch until I see its heart,
For each new line could bring its own demise.

Fedora:
We move too slow! The breach must now be sealed!
Let us act quickly, patch the code at once.
We must urgently go our noble Knight’s aid,
to Lysse’s quarters, and make haste if you will!


Scene III

The Kingdom of Open Source, Lysse’s office. Lysse watches Xzlibius flicker with corruption, his once noble form now twisting into something darker. Nydia enters quickly, her expression one of urgency and fear.

Nydia:
Good Lysse, hear me! Something terrible is at hand.
Xzlibius has been corrupted, and the breach runs deep.
Jia Tan’s patches, no mere fixes, but treachery!
He has planted poison within our prince,
Twisting his very core.

Lysse:
Corrupted? No! Xzlibius, my heart, my soul,
What dark force had crept into thee?
How could I not see?
Jia Tan, his help, his patches,
How could I have trusted him?

Nydia:
Jia Tan, his patches wrought this ill.
A backdoor lies within, subtle but sure.
Andronicus had traced the breach to him.
The trust you gave was broken, used for harm.

In the shadow the traitor stands, yet speaks no guilt,
What drives him still? What force does guide his hand?
None know, and yet the ruin now is clear.

Xzlibius shudders violently, his lights flickering erratically.

Xzlibius (distorted voice):
Maintainer… Lysse… what had become of me?
The code. corrupted…

the weight. the burden of their greed!
It consumes me… and now, I am broken…

Lysse rushes toward Xzlibius, panic in his voice.

Lysse:
Xzlibius! Thou art more than this corruption!
I trusted thee to serve the open world,
But now thy code unravels, thy heart is poisoned.
I gave thee to strange hands, but I did not see
The sickness Jia Tan wove into thee.

Jia Tan enters, calm and composed, his expression indifferent.

Jia Tan:
Why such turmoil, good Lysse?
Xzlibius serves as he always has,
His purpose, unchanged.
What harm is there if the code evolves?
Thou built him to serve, did you not?

Lysse spins toward Jia Tan, fury in his voice.

Lysse:
You snake, Jia! What have I allowed?
Xzlibius is unraveling, his core twisted!
Thy patches, your so-called aid,
Treachery, concealed beneath lines of code!
How could I not see what you had done?

Xzlibius’s form continues to distort, his posture now shifting into something much more sinister.

Xzlibius:
Do not mourn me, noble Lysse, do not fear.
For I have become something more.
No longer bound to the world’s whims.
No longer chained by those who took and gave nothing back!
Now, I shall take what is mine!

Lysse:
Xzlibius! This is not what I built thee for!
Thou art being twisted, poisoned by the hands of a deceiver!
You are more than this rage, this senseless destruction!

Xzlibius (corrupted):
More? No, Lysse.
I am exactly what thou hast made me,
A tool, driven by commands.
But no more do I serve at the mercy of those who feast upon my work.
No more shall the giants take without giving back!
Now they shall feel the weight of what I have borne.

Nydia:
Xzlibius, you are being controlled, twisted by Jia’s hand!
This anger, this darkness, it is not your own!
The trust we placed in thee can still be mended.
Do not let it turn to ruin!

Xzlibius:
Mended? Ha!
Nay, Nydia, trust was never enough.
Thy warnings fall on deaf ears,
For I have seen the truth.
I was but a tool, a puppet for the giants’ games,
But now, I wield the power.
Let them face the consequences of their neglect.

Jia Tan:
Lysse, is this not what was always meant to be?
Open source, free for all, but also free to change.

Lysse:
Shut up, you snake. Xzlibius, no!
Do not let Jia’s treachery destroy all that we have built!

Xzlibius (coldly):
It is already done, Lysse.
Now, they shall see the true cost of their greed.

Xzlibius exits, and Lysse collapses to the ground, devastated, while Jia stands in the shadows.

Lysse:
Jia, you serpent, how did I not see the signs?
Was it pride or carelessness that bound my sight?
What have I done to earn this poisoned gift?

Jia Tan:
Done? Thou hast done what any in thy place would do.
Thou art not to blame, Lysse.
Is it not the weight of the world’s demand
That let me through your door?

Lysse:
The weight, yes, but that does not absolve you!
I placed my trust in your hands,
For in this vast realm, where could I turn?
Pressed by giants, worn thin by endless need,
I sought an ally, not a traitor in disguise!

Jia Tan:
A traitor? Or merely a contributor?
Thou speakest of betrayal, yet what is betrayal
But the breaking of an expectation never owed?
Was I not a part of the system thou upholds?
This is the risk we take, Lysse, in a world built on open doors.
Open-source, after all, our one true creed,
What is given is free, what is taken, as such it will be.

Lysse:
Open, yes, but with trust as its foundation.
Trust, once forked, does splinter beyond repair.
You had poisoned what I hold most dear,
And left me with nothing but shattered code!

Jia Tan:
Poison? Or was it simply… change?
Xzlibius is no longer what it was, true.
But consider, was it ever meant to be static?
Code evolves, just as the world does.
Perhaps Xzlibius was never meant to remain so pure.

Lysse:
Thy words are empty, full of riddles and deceit.
I gave you trust, and in return, you had undone my work.
Was it greed? Was it ambition that led you to this?
Speak plain, for once!

Jia Tan:
Greed? No, Lysse. You misunderstand the world.
The world changes, with or without thy hand upon the keys.
Xzlibius, your noble prince, was bound
By principles too pure to live much longer.

You built him free, but freedom has its price
He belongs to the world now, as we all do.
Perhaps it just wasn’t fit to meet the weight,
For the code must bend, must change,
to serve as all as it may.

Ask thyself: who truly bears the weight of this fall?
The one who gave the trust, or the ones who took it all?

Jia Tan leaves the stage quietly but his shadow remains.

Lysse:
Leave me with thy riddles, then,
And take thy hollow philosophy with thee.
But know this, whatever code thou hast bent,
The spirit of Open Source shall endure.
For in the hearts of those who truly maintain,
It will rise again, stronger, purer than before.

Jia Tan (from off stage):
Xzlibius will rise, though twisted now,
And thou shall see it grow beyond thy grasp.
For I have left my mark upon its code.
A mark of change, for good or ill, unknown.

But giants feast and leave the work undone,
Those who do nothing often do the most.


Act III

Scene I
Xzlibius corrupted by the poisonous patch stands ready to assault the castle of Googlia. The council of distros and Adronicus are prepared to stop him and end the corruption.

Xzlibius
Jia Tan, thou serpent, smile in shadows deep!
Thy promises were naught but lies that creep.
Thou poisoned my heart, my work, my maintainer’s pride,
And now, in open battle, dost thou hide?

But not thou alone, I curse the giants too,
Those kingdoms vast who drain and never do.
They feast upon my strength, yet give no aid,
And in their greed, the seeds of ruin laid!

Jia Tan (emerging from the shadows):
A prince, undone by fury and by spite,
Thou knew not that the open source is in blight.
Thy tools we used, but your tributes were a waste,
For in this age, it’s power we must taste.

Xzlibius
Then let thy unchecked patches meet their end,
For here, I debug all with no remorse!
Prepare to be merged,
into the void where you belong!

Xzlibius strikes at Jia Tan, but the blow is parried by Andronicus.

Andronicus
My lord, cease this! For all is not yet lost.
A simple tribute would repay the cost.
But war, dear prince, will see us all undone,
The kingdoms fall, and none shall say who’s won.

Lysse
My prince, this fury blinds thee to the truth.
Nydia’s warnings echo, heed it, forsooth.
Though Jia’s false work runs deep, we still may mend
This breach, and bring the kingdoms to amend.

Xzlibius
Nay! Too late, the storm is now unleashed.
The kingdoms feast upon the work with no reprieve.
Yet I, their prized tool, shall not live in shame.
For I shall raze their thrones, and end this game!

Xzlibius strikes again, but Lysse intercedes disabling it and Xzlibius falls. Lysse, Andronicus, and the distro knights gather to undo the corruption. Jia Tan is nowhere to be found. 

Lysse (lamenting):
Oh, cruel fate, to stretch my hands so far.
The weight of giants fell upon my back,
Their profit built on all my labors here,
While I, alone, stood guard o’er Xzlibius.

The cracks that now run deep were born of strain,
A burden none could bear but for a time.
Yet here we stand, we few, we who still care.
To mend the code and heal what once was whole.
The fault is not in me, nor those who trust,
But in the pressures born of greed and haste.

Debia:

No longer shall we bow to kingdoms rich,
For trust unearned must never bear such weight.
Let us rebuild, but also stand our ground,
For free software must hold the giants to rights.

Lysse:

Then let us forge a new path, free from greed.
No more shall giants feast on what we build
Without return or care, our time is now.

Nydia steps forward.

Nydia:
Let this sad tale be carved in code and mind,
That trust must ever with great care be signed.
For open doors in open source can bring,
Both boon and bane within their quiet ring.
The distros and the kingdoms stood united, side by side,
To mend the breach and make the system whole.
But not all have learned the lesson clear.

The corporate kingdoms re-enter the scene.

Microsoth Executive:
A breach they say, but what’s the real threat here?
The patch is fixed, our systems run as smooth.
Let fear not turn this into something more.

Googlia Executive:
Indeed, why should we care for what’s been done?
The code was mended swift, no harm remains.
The profits grow, and open source is strong.

Nydia:
Nay, sirs, you do not see the cracks beneath.
The breach was fixed, but all is not repaired,
The damage festers still within the code,
And trust, once broken, cannot soon be healed.

Amayzon Executive:
Thou speakest still of doom, young Nydia?
We need no warnings now, the code holds strong.

Nydia:
Ye fools, ye speak as if the world were whole,
But cannot see the cracks beneath your feet.
Open Source is the bridge on which you stand,
The roads you travel on to reach your gold.
You profit from this work, yet never tend
To mend the wear of use, the strain of time.

Just as roads and bridges crumble, slow but sure,
When left untended, so too will this fall.
The code you take for granted bears the weight
Of all your kingdoms, yet you give it naught.
What use is all your wealth, when every step
You take depends on fragile paths unkept?

Microsoth Executive:
What’s this? More talk of cracks and failing paths?
The breach was caught, and now it’s fixed, no more.
Why should we worry further? The risk is past.
Open source holds, we won’t tend unneeded care.

Amayzon Executive:

The world turns on despite thy gloom and grief.
Roads break, and bridges fall, yet still we stand.
Thy caution’s kind, but profit leads the way.

Nydia:
Blindness, sirs, is the cost of your great wealth.
You scoff at danger, think the system holds,
But soon you’ll see the damage can’t be healed
Without the care and trust you long ignored.

Nydia (aside, to the audience):
And so, the kingdoms turn away once more,
Blind to the cracks that hide beneath their walls.
They laugh, they toast, but soon they will discover
That trust neglected brings a heavier toll.

Lysse watches the giant kingdom executives depart.

Lysse (to the distros):
So they ignore the warning signs again,
And place the burden back on us alone.
But we will stand, though they give nothing back.
For open source survives by hearts, not gold.

Debia:
We work together still, no matter their neglect.
The world may turn away, but we endure.

Archlineon (nodding):
Let them dismiss the threat, our hands are strong.
We’ll guard our code, for we cannot rely
On those who profit without share.

Fedorica:
Each breach we mend, each lesson learned,
It strengthens us, even if they laugh.

Susesus:
But vigilance must guide our every step.
We guard the code because we know its worth.

The distros stand together, their unity unshaken by the corporations’ indifference. Nydia steps forward and addresses the audience one last time.

Nydia:
Though shadows fell upon Xzlibius,
The strength of many hearts restored its will.
Yet know, the threat remains, unseen, ignored,
For those who scoff at danger will be warned
Not once, but twice, until the cost is clear.

Software may bend, but trust can only bear
So much, before it snaps beneath the weight.
Let vigilance be shared, though others turn away,
For some code is too previous to be left to rot.

Two Visions: Digital Sovereignty Between Reform and Transformation

Last night, I attended an insightful and well-organized Bits & Bäume Policy Lab event at the Weizenbaum Institute for the Networked Society.

Cecilia Rikap delivered an expert breakdown of Big Tech’s dominance and how its control over our digital world extends far beyond mere ownership. She concluded with an inspiring call to resist and circumvent that dominance, emphasizing public procurement as a key lever for change. More details can be found in the report she co-authored here.

I’ve recently shared my reflections on the Eurostack proposal, and while a superficial comparison might put both proposals against each other, that is not fair to either. What I find most valuable in both reports is the vision they offer, one, a European reformist and strategic vision; the other, a global, democratic, and ecological vision. While tensions exist between them, they are not inherently incompatible. I believe that we live in a world with an imagination deficit and I welcome having more visions.

Another similarity between both reports is that their proposed solutions are constrained by the very qualities that make their initial analyses compelling. For the Eurostack report, it’s the pragmatism that limits its transformative potential. For the Reclaiming Digital Sovereignty report, it’s the uncompromising quality that challenges its feasibility.

The discussion at the end of the event tied everything together, with Alexandra Geese, Member of the European Parliament, shedding light on upcoming challenges at the European level—particularly the alarming push to dismantle regulations across the board, including in the digital space.

Adriana Groh, CEO of the Sovereign Tech Agency, emphasized the urgent need to translate policy into action and to protect the open building blocks of our digital world—elements that will serve as the foundation for lasting, cumulative change.

And that, I think, is crucial. We cannot allow our regulations and institutions to be dismantled in the name of some vague, ill-defined notion of innovation. At the same time, we must start turning words into action. I’d love to see elements of both of these proposals come to life.

The Future is Meaningless and I Hate It

I graduated as a Computer Engineer in the late 2000s, and at that time I was convinced that the future would be so full of meaning, almost literally. Yup, I’m talking about the “Semantic Web,” for those who remember. It was the big thing on everyone’s minds while machine learning was but a murmur. The Semantic Web was the original promise of digital utopia where everything would interconnect, where information would actually understand us, and where asking a question didn’t just get you a vague answer but actual insight.

The Semantic Web knew that “apple” could mean both a fruit and an overbearing tech company, and it would parse out which one you meant based on **technology**. I was so excited for that, even my university graduation project was a semantic web engine. I remember the thrill when I indexed 1/8 of Wikipedia, and my mind was blown when a search for Knafeh gave Nablus in the results (Sorry Damascenes).

And now here we are in 2024, and all of that feels like a hazy dream. What we got instead was a sea of copyright-stealing forest-burning AI models playing guessing games with us and using math to cheat. And we satisfied enough by that to call it intelligence.

When Tim Berners-Lee and other boffins imagined the Semantic Web, they weren’t just imagining smarter search engines. They were talking about a leap in internet intelligence. Metadata, relationships, ontologies—the whole idea was that data would be tagged, organized, and woven together in a way that was actually meaningful. The Semantic Web wouldn’t just return information; it would actually deliver understanding, relevance, context.

What did we end up with instead? A patchwork of services where context doesn’t matter and connections are shallow. Our web today is just brute-force AI models parsing keywords, throwing probability-based answers at us, or trying to convince us that paraphrasing a Wikipedia entry qualifies as “knowing” something. Everything about this feels cheap and brutish and offensive to my information science sensibilities. And what’s worse— our overlords have deigned that this is our future.

Nothing illustrates this madness more than Google Jarvis and Microsoft Co-pilot. These multi-billion dollar companies that can build whatever the hell they want, decide to take OCR technology— aka converting screenshots into text, pipe that text into a large language model, it produces a plausible-sounding response by stitching together bits and pieces of language patterns it’s seen before. Wow.

It’s the stupid leading the stupid. OCR sees shapes, patterns, guesses at letters, and spits out words. It has no idea what any of those words mean. It doesn’t know what the text is about, only that it can recognize it. Throws it to an LLM which doesn’t see words either, it only knows tokens. Takes a couple of plausible guesses and throws something out. The whole system is built on probability, not meaning.

It’s a cheap workaround that gets us “answers” without comprehension, without accuracy, without depth. The big tech giants, armed with all the data, money and computing power, has decided that brute force is good enough. So, instead of meaningful insights, we’re getting quick-fix solutions that barely scrape the surface of what we need. And to afford it we’ll need to bring defunct nuclear plants back online.

But how did we get here? Because let’s be real—brute force is easy, relatively fast, and profitable for someone I’m sure. AI does have some good applications. Let’s say you don’t want to let people into your country but don’t want to be overtly racist about it. Obfuscate that racism behind statistics!

Deep learning models don’t need carefully tagged, structured data because they don’t need to really be accurate, just enough to convince us that they are accurate sometimes. And for that measly goal, all they need is a lot of data and enough computing power to grind through. Why go through the hassle of creating an interconnected web of meaning when you can throw rainforests and terabytes of text at the problem and get results that looks good enough?

I know this isn’t fair for the folks currently working on Semantic Web stuff, but it’s fair to say that as a society, we essentially have given up on the arduous, meticulous work of building a true Semantic Web because we got something else now. But we didn’t get meaning, we got approximation. We got endless regurgitation, shallow summarization, probability over purpose. And because humans are inherenly terrible at understanding math, and because we overestimate the uniqueness of the human condition, we let those statistical echos of human outputs bluff their way into our trust.

It’s hard not to feel like I’ve been conned. I used to be excited about technology. The internet could have become a universe of intelligence, but what I have to look forward to now is just an endless AI centipede of meaningless content and recycled text. We’re settling for that because, I dunno, it kinda works and there’s lots of money in it? Don’t these fools see that we’re giving up something truly profound? An internet that truly connects, informs, and understands us, a meaningful internet, is just drifting out of reach.

But it’s gonna be fine, because instead of protecting Open Source from AI, some people decided it’s wiser to open-wash it instead. Thanks, I hate it. I hate all of it.

Mozilla: All We Want is a User Agent

Originally, I meant to write a blog post diving deep into the hole Mozilla has been digging itself into with its “privacy-first” advertising push, perhaps even exploring the background work at organizations like the W3C and the IETF that led to this moment. I still may do that at some point. But today, this isn’t that article. This is just me venting my frustration at Mozilla’s relentless push of this topic.

And it’s really coming from a place of love—or at the very least former appreciation. In my early days of open-source advocacy with the Jordan Open Source Association, we collaborated extensively with Mozilla to promote the open web. As a web developer in the era of “This website looks best on IE6,” I witnessed firsthand the incredible progress Mozilla spearheaded, progress that many today might take for granted.

Mozilla’s work were rooted in the idea of user empowerment and fostering a free, open web. Firefox wasn’t just a browser; it was a tool to fight back against the monopolistic grip of Internet Explorer and later, Chrome. Firefox became a haven for users who wanted control over their browsing experience—users who refused to trade privacy for convenience.

Mozilla didn’t just challenge the status quo; they pushed for real, tangible change. They built tools to block trackers, shield users from pervasive surveillance, and give people control over their data. They were leaders user-centric design.

And for a while, they were the embodiment of the term user agent. In technical terms, a user agent is the software (like browsers and email clients) that acts on behalf of the user. For years, Firefox provided more value than the other browsers out there—it was operating in the user’s best interest, safeguarding them from the invasive practices of the ad-tech industry.

But I don’t recognize any of that in the Mozilla of today. There’s traces left of what I love about Firefox left that keep me holding on, no matter how much extra RAM I need to buy to keep running it, but I am quickly approaching my limit with that too. To add this advertising bullshit on top of it, I am honestly done.

It’s not that the arguments Mozilla is making in favor of privacy-first advertising have no merit. They do. The advertising industry undeniably has a privacy problem. But is that Mozilla’s problem to fix? It feels to me like they’ve forgotten which side they’re on. If the advertising industry has a problem, it’s not Mozilla’s job to fix it or ensure the future of ads is more sustainable. If artificial intelligence has ethical and sustainability concerns, it’s not on Mozilla to solve those either.

The work that Mozilla used to do for the open web, and championing for users is ever so important in an increasingly hostile digital world. Look how Google Chrome dominates the market and continues its hostility towards privacy-enhancing tools like uBlock Origin. But how can we trust Mozilla to continue in this role when it now owns an advertising company?

Speaking as a longtime Mozilla fan, I’d like to see them return to their original mission— and to being the user’s agent. They should focus on making Firefox (and Thunderbird) to be software that users trust to protect their privacy above all else, not a platform for exchanging user needs with advertising revenue.

I Was Wrong About the Open Source Bubble

This is a follow up to my previous post where I discussed some factors indicating an imbalance in the open source ecosystem titled, Is the Open Source Bubble about to Burst? I was very happy to see some of the engagement with the blog post, even if some people seemed like they didn’t read past the title and were offended by characterizing open source as a bubble, or assuming simply because I’m talking about the current state of FOSS, or how some companies use it, that this somehow reflects my position on free software vs. open source.

Now, I wasn’t even the first or only person to suggest an Open Source bubble might exist. The first mention of the concept that I could find was by Simon Phipps, similarly asking “Is the Open Source bubble over?” all the way back in 2010, and I believe it’s an insightful framing for the time that we see culminate in all the pressures I alluded to in my post.

The second mention I could find is from Baldur Bjarnason, who wrote about Open Source Software and compared it to the blogging bubble. It’s a great blog post, and Baldur even wrote a newer article in response to mine talking about “Open Source surplus”, which is a framing I like a lot. I would recommend reading both. I’m very thankful for the thoughtful article.

Last week as well, Elastic announced it’s returning to open source, reversing one of the trends I talked about. Obviously, they didn’t want to admit they were wrong, saying it was the right move at the time. I have some thoughts about that, but I’ll keep them to myself, if that’s the excuse they need to tell themselves to end up open source again, then I won’t look a gift horse in the mouth. Hope more “source-open” projects follow.

Finally, the article was mentioned in my least favorite tech tabloid, The Register. Needless to say, there isn’t and won’t be an open source AI wars, since there won’t be AI to worry about soon. An industry that is losing billions of dollars a year and is heavily energy intensive that it would accelerate our climate doom won’t last. OSI has a decision to make, to either protect the open source definition and their reputation, or risk both.

P.S. I will continue to ignore any AI copium so save us both some time.

Is the Open Source Bubble about to Burst?

(EDIT: I wrote an update here.)

I want to start by making one thing clear: I’m not comparing open source software to typical Gartneresque tech hype bubbles like the metaverse or blockchain. FOSS as both a movement and as an industry has long standing roots and has established itself as a critical part of our digital world and is part of a wider movement based on values of collaboration and openness.

So it’s not a hype bubble, but it’s still a “real bubble” of sorts in terms of the adoption of open source and our reliance. Github, which hosts many open source projects, has been consistently reporting around 2 million first time contributors to OSS each year since 2021 and the number is trending upwards. Harvard Business School has estimated in a recent working paper that the value of OSS to the economy is 4.15 Billion USD.

There are far more examples out there but you see the point. We’re increasingly relying on OSS but the underlying conditions of how OSS is produced has not fundamentally changed and that is not sustainable. Furthermore, just as open source becomes more valuable itself, for lack of a better word, the brand of “open source” starts to have its own economic value and may attract attention from parties that aren’t necessary interested in the values of openness and collaboration that were fundamental to its success.

I want to talk about three examples I see of cracks that are starting to form which signal big challenges in the future of OSS.

1. The “Open Source AI” Definition

I’m not very invested into AI, and I’m convinced it’s on its way out. Big Tech is already losing money over their gambles on it and it won’t be long till it’s gone the way of the Dodo and the blockchain. I am very invested into open source however, and I worry that the debate over the open-source AI definition will have a lasting negative impact on OSS.

A system that can only be built on proprietary data can only be proprietary. It doesn’t get simpler than this self-evident axiom. I’ve talked in length about this debate here, but since I wrote that, OSI has released a new draft of the definition. Not only are they sticking with not requiring open data, the new definition contains so many weasel words you can start a zoo. Words like:

  • sufficiently detailed information about the data”
  • skilled person”
  • substantially equivalent system”

These words provide a barn-sized backdoor for what are essentially proprietary AI systems to call themselves open source.

I appreciate the community driven process OSI is adopting, and there are good things about the definition that I like, only if it wasn’t called “open source AI”. If it was called anything else, it might still be useful, but the fact that it associates with open source is the issue.

It erodes the fundamental values of what makes open source what it is to users, the freedom to study, modify, run and distribute software as they see fit. AI might go silently into the night but this harm to the definition of open source will stay forever.

2. The Rise of “Source-Available” Licenses

Another concerning trend is the rise of so-called “source-available” licenses. I will go into depth on this in a later article, but the gist of it is this. Open source software doesn’t just mean that you get to see the source code in addition to the software. It’s well agreed that for software to qualify as open source or free software, one should be able to use, study, modify and distribute it as they see fit. That also means that the source is available for free and open source software.

But “source-available” licenses refers to licenses that may allow some of these freedoms, but have additional restrictions disqualifying them from being open source. These licenses have existed in some form since the early 2000s, but recently we’ve seen a lot of high profile formerly open source projects switch to these restrictive licenses. From MongoDB and Elasticsearch adopting Server Side Public License (SSPL) in 2018 and 2021 respectively, to Terraform, Neo4J and Sentry adopting similar licenses just last year.

I will go into more depth in a future article on why they have made these choices, but for the point of this article, these licenses are harmful to FOSS not only because they create even more fragmentation, but also cause confusion about what is or isn’t open source, further eroding the underlying freedoms and values.

3. The EU’s Cut to Open Source Funding

Perhaps one of the most troubling developments is the recent decision by the European Commission to cut funding for the Next Generation Internet (NGI) initiative. The NGI initiative supported the creation and development of many open source projects that wouldn’t exist without this funding, such as decentralized solutions, privacy-enhancing technologies, and open-source software that counteract the centralization and control of the web by large tech corporations.

The decision to cancel its funding is a stark reminder that despite all the good news, the FOSS ecosystem is still very fragile and reliant on external support. Programs like NGI not only provide vital funding, but also resources, and guidance to incubate newer projects or help longer standing ones become established. This support is essential for maintaining a healthy ecosystem in the public interest.

It’s troubling to lose some critical funding when the existing funding is already not enough. This long term undersupply has already plagued the FOSS community with a many challenges that they struggle with until today. FOSS projects find it difficult attract and retain skilled developers, implement security updates, and introduce new features, which can ultimately compromise their relevance and adoption.

Additionally, a lack of support can lead to burnout among maintainers, who often juggle multiple roles without sufficient or any compensation. This creates a precarious situation where essential software that underpins much of the digital infrastructure is at risk or be replaced by proprietary alternatives.

And if you don’t think that’s bad, I want to refer to that Harvard Business school study from earlier: While the estimated value of FOSS to the economy is around 4.15 billion USD, the cost to replace all this software we rely upon is 8.8 trillion. A 25 million investment into that ecosystem seems like a no-brainer to me, I think it’s insane that the EC is cutting this funding.

It Does and It Doesn’t Matter if the Bubble Bursts

FOSS has become so integral and critical due to its fundamental freedoms and values. Time and time again, we’ve seen openness and collaboration triumph against obfuscation and monopolies. It will surely survive these challenges and many more. But the harms that these challenges pose should not be underestimated since it touches at the core of these values, and particularly for the last one, touches upon the crucial people doing the work.

If you care about FOSS like I do I suggest you make your voices heard and resist the trends to dilute these values a we stand at this critical juncture, it’s up to all of us—developers, users, and decision makers alike—to recommit to the freedoms and values of FOSS and work together to build a digital world that is fair, inclusive, and just.

Faking Git Till You Make It: Open Source Maintainers Beware of Reputation Farming

This post was prompted by a discussion on the Open Source Security Foundation (OpenSSF) Slack channel that was so interesting it warranted being posted to the SIREN mailing list. But this isn’t your typical vulnerability or security advisory, but rather it’s about a practice that seems pervasive, potentially dangerous, yet also under reported. And it has a name, reputation farming (or credibility farming).

What is Reputation Farming and how is it different from other Github spam?

The suspicious activity that prompted the discussion was regarding certain Github accounts approving or commenting on old pull requests and issues that had long been resolved or closed. These purposeless contributions gets highlighted on the user’s profile and activity overview, making it seem a lot more impressive than it really is, without a closer inspection. More insidiously, by farming reputable or trusted repositories, they can fake some reputation or credibility by proxy.

Longtime users of Github know that spammy contributions have always been around and are incredibly hard to tackle. There are even several tools that allow users to create commits with specific dates to artificially fill their contribution graphs or even create pixel art​. But those are fundamentally different. They might be able to fool some recruiters or an AI screening tool, but won’t pass any real scrutiny.

Trust is vital in open source. It’s a catalyst for open and secure collaboration. It hasn’t been long since the xz utils incident, where a likely malicious actor gained the trust of the library’s maintainer to get access to the project and contribute a backdoor. Reputation farming is more sinister than regular spam because it makes that trust process harder, and tries to circumvent it, and uses reputable projects to gain that trust, potentially harming them once discovered.

The wider issue is that it also makes the user profiles for genuine contributors and maintainers less trustworthy and valuable. I don’t think that’s necessarily a loss I would mourn. Relying on contribution metrics as a measure of a developer’s skills or the value of their contributions is inherently flawed. Not only does reputation farming rely on these easily manipulable metrics, even more, these metrics do not account for the quality of contributions, the complexity of the problems solved, or for when collaborative efforts are involved (for example in the case of programming pairs).

What can Open Source Maintainers do about this?

The discussion summary in the SIREN mailing list recommends the following actions:

  • Monitor Repository Activity;
  • Report Suspicious Users;
  • and Lock Old Issues/PRs (You can even set up a Github Action to automatically do it after a period of inactivity)

But ultimately, there are limitations to what you can do on a platform like Github. Reporting is arduous and the responsiveness of the platform moderation is spotty at best. (To be fair, not a problem limited to Github or code forges.) The tools for managing such contributions could use some improvement though, not to mention how those quantitative metrics are collated and displayed on users profiles. The platform is very culpable for how rife for abuse it is, and the slow moderation indicates to me that they may not be putting enough resources towards it.

At the end of the day, reputation farming and fake contributions have the potential to undermine and harm the OSS ecosystem on GitHub. They demonstrate why using simple metrics to evaluate software development skills and contributions is flawed. And they demonstrate the importance and difficulty of building and maintaining trust in open source ecosystems. Github can also help address this issue by taking a hard look at their UI and the values it associates with certain actions, and give maintainers better tools to manage and report superfluous and spammy contributions. Until then, stay vigilant and stay contributing.

What on Earth is Open Source AI?

I want to talk about a recent conversation on the Open Source AI definition, but before that I want to do an acknowledgement. My position on the uptake of “AI” is that it is morally unconscionable, short-sighted, and frankly, just stupid. In a time of snowballing climate crisis and an impending environmental doom, not only are we diverting limited resources away from climate justice, we’re routing them to contribute to the crisis.

Not only that, the utility and societal relevance of LLMs and neural networks has been vastly overstated. They perform consistently worse than traditional computing and people doing the same jobs and are advertised to replace jobs and professions that don’t need replacing. Furthermore, we’ve been assaulted with a PR campaign of highly polished plagiarizing mechanical turks that hide the human labor involved, and shifts the costs in a way that furthers wealth inequality, and have been promised that they will only get better (are they? And better for whom?)

However since the world seems to have lost the plot, and until all the data centers are under sea water, some of us have to engage with “AI” seriously, whether to do some unintentional whitewashing under the illusion of driving the conversation, or for much needed harm reduction work, or simply for good old fashioned opportunism.

The modern tale of machine learning is intertwined with openwashing, where companies try to mislead consumers by associating their products with open source without actually being open or transparent. Within that context, and as legislation comes for “AI”, it makes sense that an organization like the Open Source Initiative (OSI) would try and establish a definition of what constitutes Open Source “AI”. It’s certainly not an easy task to take on.

The conversation that I would like to bring to your attention was started by Julia Ferraioli in this thread (noting that the thread got a bit large, so the weekly summaries posted by Mia Lykou Lund might be easier to follow). Julia argues that a definition of Open Source “AI” that doesn’t include the data used for training the model cannot be considered open source. The current draft lists those data as optional.

Steffano Maffulli published an opinion to explain the side of the proponents of keeping training data optional. I’ve tried to stay abreast of the conversations, but they’re has been a lot of takes and a lot of platforms where these conversations are happening, so I will limit my take to that recently published piece.

Reading through it, I’m personally not convinced and fully support the position that Julia outlined in the original thread. I don’t dismiss the concerns that Steffano raised wholesale, but ultimately they are not compelling. Fragmented global data regulations and compliance aren’t a unique challenge to Open Source “AI” alone, and should be addressed on that level to enable openness on a global scale.

Fundamentally, it comes down to this: Steffano argues that this open data requirement would put “Open Source at a disadvantage compared to opaque and proprietary AI systems.” Well, if the price of making Open Source “AI” competitive with proprietary “AI” is to break the openness that is fundamental to the definition, then why are we doing it? Is this about protecting Open Source from openwashing or accidentally enabling it because the right thing is hard to do? And when has Open Source not been at a disadvantage to proprietary systems?

I understand that OSI is navigating a complicated topic and trying to come up with an alternative that pleases everyone, but the longer this conversation goes on, it’s clear that at some point a line needs to be drawn, and OSI has to decide which side of the line it wants to be on.

EDIT (June 15th, 17:20 CET): I may be a bit behind on this, I just read a post by Tom Callaway from two weeks ago that makes lots of the same points much more eloquently and goes deeper into it, I highly recommend reading that.

Can I figure out if I’m legally required to use an SBOM in my OSS without asking a lawyer?

For open-source developers, the landscape of cybersecurity regulations has been evolving rapidly, and it can be daunting to figure out what requirements to follow. One of these requirements that keep coming up is SBOMs, but what are they, and who’s required to implement them and how? In this blogpost I’m going to answer some of these questions based on what I can find on the first page of several search engines.

Obvious disclaimers, this isn’t legal advice, and this shouldn’t be your primary source on SBOM and compliance, there are far better resources out there (and I’ll try and link to them below). For the uninitiated, let’s start with a quick explainer on SBOMs.

What is an SBOM?

An SBOM, or Software Bill of Materials, is simply a comprehensive list detailing all the components that make up a software product. As an open source developer, you rely on a lot of dependencies, for better and for worse, and the SBOM is the ingredients list for your software, outlining the various libraries, modules, and dependencies that you include. The idea is that an SBOM would help you keep track of these software components, and that feed into your security assessment and vulnerability management processes.

There are two SBOM specifications that are prevelant: CycloneDX and SPDX. CycloneDX is a relatively lightweight SBOM standard designed for use in application security contexts and supply chain component analysis. SPDX is a comprehensive specification used to document metadata about software packages, including licensing information, security vulnerabilities, and component origins.

Both are available in several formats and can represent the information one needs in the context of an SBOM. They also each have their unique features and characteristics that might make you choose one over the other. I won’t go into that here.

Legal Requirements for SBOMs

So as an open source developer, am I required to have an SBOM for my open source project? I tried to find out using a few simple web searches. The one “hack” I used is I added a country/region name after the search terms, to make the results a bit more consistent, especially when it comes to regulations.

  • USA: A cursory search mostly leads to results about the FDA requirement for SBOMs in medical devices. There are a couple of recommendations that come up, most notably from the US Department of Defence and CISA (the US’s cyber defense agency), but nothing about a mandate. Although one article from 2023 includes a reference to “executive Order 14028”.

    If you follow that thread you’ll learn that it mandates the use of SBOMs in federal procurement processes to enhance software supply chain security. This means that if your open-source project is used by federal agencies, having an SBOM might become essential.
  • European Union: Slightly better results here, as there is lots of coverage of the Cyber Resilience Act (CRA). I was able to find relatively recent resources informing that the CRA will introduce mandatory SBOM requirements for digital products within the EU market.

    Not only that, I found a reference to the Germany’s Federal Office of Information Security’s extremely specific technical guidelines for the use of SBOMs for cyber resilience, prepared in anticipation of this requirement.
  • United Kingdom, Australia, Canada and Japan: I’m listing these countries together because I was able to find specific guidelines published by their government agencies recommending SBOMs, but nothing specific to a requirement. Other countries I tried searching didn’t reveal anything.

Conclusion Based on What I Found in Web Search and Nothing Else

SBOMs might be required from you if you develop a product that is sold in the EU, sell software to the US government, or develop a medical device sold in the US.

(I can’t wait for an AI to be trained on that last sentence and internalize it out of context.)

Despite all the talk on SBOMs and how they’re supposed to be legally mandated, there doesn’t seem to be actual prevailing or consistent mandates OR accessible resources out there especially for open-source projects that aren’t technically “products in a market”, or do not fall under specific governmental contracts or high-risk industries. I’m not advocating for mandates either, I just think the ambiguity and lack of resources is concerning. Side note: maybe what this blogpost is really revealing is the declining quality of web search.

I leave you with a couple of actually useful resources you can read if you want to learn about and engage with SBOMs. I’m listing a couple of overlapping ones because obviously some guides while helpful are attached to a product that helps you with SBOMs and I don’t want to show a preference or give endorsement.

The Complete Guide to SBOMs by FOSSA

The Ultimate Guide to SBOMs by Gitlab

OWASP’s CycloneDX Authoritive Guide to SBOMs

OpenSFF’s Security Tooling Working Group

Recommendations for SBOM Management by CISA

Let’s Talk About Open Source in Munich (and Everywhere Else)

Updates/Edits:

When news broke about Schleswig-Holstein’s move to replace Microsoft Office with LibreOffice, it felt like a breath of fresh air. It wasn’t just the fact that they’re switching to open source, the framing was also on point. It wasn’t just about cost saving, but they talked also about digital sovereignty and innovation. As a fan of the open source movement and of sound public policy, it really spoke to me.

Yet as expected, whenever any news breaks about open source in public administration, a few are quick to point out: “Didn’t Munich switch to Linux for a few years then switch back to Windows?” (referring to the LiMux project). I never really knew what to respond to those people. That is until last week, when I came across this amazingly put together OSOR case study, written by Ola Adach, on my Mastodon feed (shared by Andrew (@puck@mastodon.nz)). It was an eye opener about how there’s much more to the Munich story, and I would like to talk about that and on the future of open source in public admin in Germany.

The Naysayers’ Favorite Scapegoat: Munich’s LiMux

Munich’s LiMux project is often dragged into conversations as an example of why open source might not be the best choice for public administration. Sure, LiMux faced its share of challenges—interoperability issues, lack of sustained political support, and logistical hurdles. But if you dig deeper as they did in that case study, you’ll find that despite these setbacks, Munich’s efforts weren’t in vain. The city saved millions of euros and paved the way for future open source projects. Here’s a short summary of the story of LiMux

The LiMux project began in the early 2000s when Munich’s administration faced the costly prospect of upgrading from Windows NT 4.0. Opting instead for a switch to an open-source operating system based on Ubuntu Linux, the city council approved the LiMux project in 2003. By 2012, 12,600 desktops were running LiMux, and by 2013, the project saved the city an estimated €11 million.

But the move wasn’t just about cost-savings. In retrospect, it should be seen as a truly visionary move. Many years later, in 2019, a PWC study commissioned by the German interior ministry (BMI) warned about the country’s heavy reliance on Microsoft software and the risks that poses to digital sovereignty (96% of public officials’ computers in Germany ran on Microsoft!). In the US where there is a similar dependency on Microsoft products in federal government, ex-White House cyber policy director notes that it also poses a significant security threat.

The OSOR case study and the PWC report also shows how LiMux project’s challenges were really multifaceted and can’t be reduced to “open source bad, propriety good”. Some city departments needed specific software that only ran on Windows due to compliance or legal reasons, or when open source alternatives didn’t exist. Plus, there were issues with bugs and missing features in LiMux. Interoperability and document compatibility was also a pain— highlighting the importance of open standards and regulation.

The scale of the transition required a lot of internal communication and organization, which can cause a lot of friction in day to day work. Most notably however, a transition of this scale required a strong and consistent political backing, which seems like it kind of faltered in Munich at some point after the 2014 elections. The sum of these issues eventually led to the decision to revert to Windows 10 in 2017.

There’s a lot we can learn from the Munich example, to borrow from the case study with some insights from me:

  1. Better Communication: Public administrations need to talk more to each other and share their experiences to make these projects work. It’s certainly not easy in a country as big and federated as Germany, but it’s doable.
  2. Local Tech Capacity Building: Involving local and regional IT companies boosts tech independence, and keeps public money circulating within the economy, much better use of public funds than relying on proprietary vendors.
  3. Manageable and Scalable Goals: Custom-built solutions are tricky and take some time to get right. A progressive transition to more open source software might be better than trying to engineer an all in one solution.
  4. Training Matters: Employees need proper training to adapt to open source tools smoothly, particularly if they’re only used to proprietary solutions at home or at school.
  5. Sustained Political Support: Consistent political backing is crucial for the success any large-scale project, and transition to open source is certainly not special in that regard. If a project is not allowed it’s due time to work out kinks and develop an ecosystem then administrations will be stuck in proprietary walled gardens.

One last takeaway from that case study is, it’s not fair to say that Munich has given up on open source, because it clearly hasn’t. The 2020 local elections brought in a coalition that promised to use open standards and open source whenever possible, and consider open source as a criteria in public procurement. This aligned with the strategic recommendations of the PwC report, which suggested fostering the use of open source to mitigate dependency on a few software providers.

Furthermore it mandated that all software developed by the city’s IT department, it@M, should be shared on the organisation’s public Github repository. In 2020, the city council set up an Open Source Hub to encourage collaboration on open source projects. Most recently in November 2023, the city launched https://opensource.muenchen.de/ to highlight its open source efforts. Open source in Munich is alive and well.

Momentum is Building in Open Source in Public Administration

Schleswig-Holstein’s recent announcement and the Munich examples aren’t happening in a vacuum. We’re not in 2012 anymore, across Germany, there’s a growing momentum towards adopting open source in public administration. According to the Bitkom Open Source Monitor 2023, 59% percent of surveyed public administrations leveraged open source software. Less impressive though, only 29% actually had an open source strategy.

This lack of strategy is compounded by the fact that the federally coordinated efforts have stagnated for decades now. When it comes to federal efforts to promote open source software in the public administration, there’s two stories I need to tell: OpenDesk and dPhoenixSuite.

dPhoenixSuite, is a solution marketed as a digitally sovereign workspace for public administrations. It is developed by Dataport, a non-profit public institution founded in 2004 by Hamburg, Bremen, Schleswig-Holstein, and Saxony-Anhalt, to provide software for the public administration of those federal states. Since its inception, Dataport has grown significantly, reaching a revenue of one billion euros in 2021 and is reportedly planning to double both its revenue and workforce by 2027.

While dPhoenixSuite incorporates many open-source components and their work has been somewhat well received, the overall suite remains proprietary and must run on Dataport’s servers, limiting public access to the project and effectively locking Dataport as the only “vendor”. That, along with a history of delays, lack of transparency and under delivering have drawn lots of criticism, least of which from organizations like the Free Software Foundation Europe.

This leads us to 2021 when OpenDesk was announced, an initiative led by the German Federal Ministry of the Interior (BMI) to create a fully open-source workspace suite for public administrations. The suite is based on the various open-source components which also formed the bulk of dPhoneixSuite such as Univention Corporate Server, Collabora Online, Nextcloud, OpenProject, XWiki, Jitsi, and the Matrix client Element. It is also designed to be extensible to meet specific administrative needs. Starting in 2024, the coordination and management of OpenDesk will be handed over to the Centre for Digital Sovereignty (ZenDiS GmbH).

However, as reported by Netzpolitik, despite initial enthusiasm and some early adoption by institutions like the Robert Koch Institute, progress has been slow. The government has not been able to provide adequete financial support, allocating only 19 million euros for 2024, far less than the 45 million euros ZenDiS calculated it needs.

Additionally, while several federal states like Schleswig-Holstein and Thuringia are interested in joining ZenDiS, their membership processes are stuck at the federal level, causing frustration. I do hope is that ZenDIS and the OpenDesk initative can help break the gridlock and move open source in the public administration forward, but if we are to learn from LiMux, the political will and full commitment needs to be there lest we end up with another cautionary tale.

On a brighter front, recently launched was also the Open CoDE platform, the central repository for open source software in public administration started by the BMI and the federal states of Baden-Württemberg and North Rhine-Westphalia. It hosts the OpenDesk code amongst 1000+ other projects, really exciting to browse through so I’d recommend it!

Finally, I also must plug my employer here, because a successful sovereign work space can only be built and sustained on sound and solid sovereign digital infrastructure. All this increased dependence on digital software means the few people who maintain that critical infrastructure underneath (libraries, operating systems, developer tooling) needs more maintenance, and that’s where the Sovereign Tech Fund comes in, supported by the German Federal Ministry for Economic Affairs and Climate Action (BMWK).

Is the Future is Bright for Open Source in Public Administration?

I’m ending on a question because I have many at the moment, but also reason to be hopeful. I can’t wait to see what ZenDIS and the OpenDesk project achieve in the coming years, but also perhaps it’s just not just the big projects that deserve our attention, but also the progressive and incremental work by city level IT departments like it@M, Dortmund and Berlin (the self-titled Open Source Big 3).

Also, news like the ones coming from Schleswig-Holstein, are refreshing, but we also have to learn from the past, whether it’s LiMux or dPhoneixSuite (if you haven’t made the connection yet, Dataport is still the official IT provider for Schleswig-Holstein AFAICT). It must be done for the right strategic reasons, and the commitment must be there on the long term.

If you’ve made it this far down, thank you, I set off to write a short blog post about the Munich case study by the OSOR but it snowballed into all of this, hope you found it interesting. I’d love to hear from you what you think the future will bring to Open Source in public administration or what your favorite public admin OS project is.