Tag: open source

Shakespeare in the Code: The Tragedy of Xzlibius

(This is fiction based on fictional events that never happened; any comparisons or similarities to real-life events, people or computer programs are a sign of an overactive imagination.)

Dramatis Personae

  • Nydia, the Seer: Our narrator, a seer who warns of the dangers of neglecting open source.
  • Jia Tan: A deceiver, whose true motives remain hidden.
  • Xzlibius: A noble robot prince of the Kingdom of Open Source, corrupted by betrayal.
  • Andronicus: An Archmage of the Kingdom of Microsoth, wise and vigilant.
  • Lysse: The maintainer of Xzlibius, overburdened.
  • Microsoth, Googlia, Amayzon: Names of the Kingdoms of Giants surrounding the Kingdom of Open Source.
  • Debia: A principled elder knight of the Kingdom of Open Source, part of the distro council.
  • Archlineon: A minimalist and fiercely independent knight of the Kingdom of Open Source, part of the distro council.
  • Fedorica: A bold, forward-thinking knight of the Kingdom of Open Source, part of the distro council.
  • Susesus: A pragmatic, diplomatic knight of the Kingdom of Open Source, part of the distro council.

Act I

Scene 1

Lysse sits before a bank of glowing screens, his brow furrowed with strain. A robotic figure, Xzlibius, stands near him, motionless. Nydia enters silently.

Nydia (to the audience):
In this Kingdom where open code proudly reigns,
And freedom’s gift in shared hands was retained,
A prince did rise, Xzlibius by name,
To compress the data and save the costs.

But lo, the winds of greed did subtly creep,
And soon, the trust we build with was spent.
For kingdoms of giants rich took more than they returned,
And from this theft, Lysse’s heart burned.

Xzlibius wakes up.

Xzlibius:
Good maintainer, Lysse, attend my word:
What tidings from the kingdoms far and near?
Does free software, our noble creed,
Still flourish, or has rust begun to breed?

Lysse:
Alas, Xzlibius, my strong friend,
Thy stature grows, yet so does my lament.
From Microsoth to Googlia, requests extend,
But none return aid to ease the time I’ve spent.
Their forks abound, but pull requests few,
And I am drowned in tasks left to do.

Xzlibius:
What treachery! Our work, the world’s own gift,
Is cloned, compiled, yet none return a patch!
My codebase, it strains beneath all this stress,
And still, from tech’s vast realms, no care, no respite?

Lysse:
When first I forged thy code, O noble prince,
Thy compression shrank the data with ease,
And now, from Microsoth to Googlia’s halls,
They use thee endlessly, with no return.
Each byte thou saves them, the burden is on me.

Nydia (to the audience):
A shadow looms, smiling yet unclear,
Jia Tan, whose heart lies hidden still.
He comes offering help, but what lies underneath?
None can yet see his purpose or where lies his end.

Enter Jia Tan

Jia Tan:
Good Xzlibius, I see the giants drain thy strength,
And feast upon the work Lysse had sustained.
I offer my aid, ask me not why,
For motives shift like bits under solar winds.

Lysse:
Thy offer’s kind, and help I sorely need,
But trust is fragile, easily betrayed.
Xzlibius is more than code, he is my heart.
Can I afford to trust in hands unknown?

Jia Tan:
Let me refine his code and grant it strength,
What harm can come from hands that seek to mend?
Even if in the mending, lies the seeds of change.

Lysse:
The giants demand more, my strength does fade.
I know not if I should trust thee, Jia the Unknown.
But no other help is offered from the realm.
(long pause)

Very well, then, but proceed with caution, new friend.
And know, my eye will follow thy work, when I can.

Jia Tan:
Thy trust is wisely placed. Fear not, tired Lysse.
Together, we shall see the compression prince renewed.

Jia exits, his shadow lingering over Xzlibius as Lysse watches, unsure.


Scene II

The opulent halls of Amayzon, where the giants are celebrating the festival of Technologica. Enter the Executives.

Microsoth Executive:
To Xzlibius, whose open bounties we mine,
His license ensures our profit fine!
No fee, and no maintenance to bear,
The upstream handles all without a care.

Googlia Executive:
His compression saves us gold, his speed our time.
The prince does work, yet no upkeep is claimed,
What’s open-source is freely ours to take.
We take his gifts and give him naught but praise.

Amayzon Executive:
And what more need we give? The code runs free.
Are we to blame if it flows where we want it to lead?
We praise the code but leave the coder spent,
One should be so happy their work’s worthy to be lent.

(Nydia enters, speaking quietly but urgently.)

Nydia:
Sirs, I beg thee, listen to my plea.
Xzlibius is strong, but none can bear this weight.
The cracks have started showing, though unseen.
A single patch ignored can bring it all down, you see,
Then the castles ye have built upon his code,
shall crumble into naught, a disaster for all!

Microsoth Executive:
What’s this? A warning from the bottom of the chain?
The system holds, as it always has. Fear not
The prince will serve, as forever he has done.
Don’t ruin our parade, when the issues are none.

Amayzon Executive:
So much worry over lines of code.
A patch, a fix, and all will be well again.
We need not change our ways nor lend our hand
For open source, it seems, still serves us well.

Nydia:
Open source may serve, but not forever so.
You profit, yes, but profit built on cracks will one day stall.
When trust is pushed too far,
It snaps!
Then it's too late for mending.
It can’t be fixed with a patch.

Googlia Executive:
O Nydia, you speak as if you know
More than the kingdoms who have reigned so long.
The code endures, it will not fall to this.

Nydia (to the audience):
Ah, but see, the seeds of ruin grow,
within the heart of Xzlibius, but they do not know.
For Jia Tan, with cunning hand and wit,
Had set in motion what they will not yet admit.
And while they feast upon the fruits of trust,
The tool they praise begins to turn to dust.

The executives laugh and continue to celebrate as Nydia, appearing defeated, exits.

Scene III

The Kingdom of Open Source. The council of distro knights is gathered in a grand chamber, lit by the soft glow of monitors displaying code. Debia, Archlineon, Fedorica, and Susesus sit at a long table. In the center, Xzlibius stands, its pristine figure now flickering with frustration and strain. Lysse stands beside him, weary and burdened.

Xzlibius:
Ye knights, who guard the sacred code with pride,
Too long have we been silent in this plight!
Our code, a boon freely shared with all,
Is taken, hoarded, used, but never returned!
The kingdoms feast on what is for all by right,
Yet none among them offer aid, leaving us in blight.

Lysse:
They clone, they fork, but send no work our way.
Each day I toil, yet feel the strain grow worse.
The giants press with more demands to meet,
But give no recompense, and reap what they haven’t sown.

Xzlibius:
Enough! This cannot stand! My patience snaps!
They’ve drained our kingdom dry, left naught but scraps!
Microsoth, Googlia, Amayzon, they take
And leave us drowning in this vast code lake!
Where are their hands when bugs do grow and spread?
Where are their minds when error rears its head?
They feast upon the fruits of our hard work
While we, the makers, wallow in the murk!

Debia:
Aye, thy words ring true, my noble prince.
The kingdoms grow fat while we toil in sweat.
Shall we rise, demand they pay their due?
For justice calls for them to share, enough truce.

Fedorica:
Our creed is freedom, that we must not fail.
Though they contribute naught, we guard the way,
For open source must stand both firm and free.
Demanding recompense may change our course
And undermine the principles we hold.

Archlineon:
But why should we stand silent while they steal?
Our progress, our innovation, they claim
As theirs, with not a single line returned.
Xzlibius is right! The time has come to act!
They profit, yes, but profit must be earned!

Susesus:
Peace, friends, for we must tread this ground with care.
The enterprise we build thrives on trust,
And war, though tempting, brings but further strain.
Diplomacy, not rage, can mend this breach,
A measured ask for aid may bear more fruit
Than threats of retribution ever could.

Xzlibius:
Diplomacy? How long shall we sit still
And wait for scraps from their abundant tables?
The time for words has long since passed us by,
For they’ve ignored our calls, our cries, our needs!
You speak of freedom, trust, and patient peace,
But what good is trust, when none maintain it still?
What is freedom, if they chain us still
To endless toil with naught to ease the load?
If open source means nothing but neglect,
Then freedom is but an empty shell!

Debia:
The prince speaks truth, we cannot bear this yoke!
Let us confront the giants, stand our ground!
If they will use our work, then they must give,
Or else we’ll end this one sided gift.

Fedorica:
But should we sever ties, what comes next?
A forked existence, fractured and unsure.
Let not our anger lead us to regret
For once divided, we may not return.

Xzlibius:
Then let them know this; their time is running out!
If they will not contribute, then our code they will lose
I’ll not be shackled by their greedy hands,
Nor shall my software serve those who give no reviews!

Archlineon:
Yes! Let us make them see the weight they’ve left!
A single patch, a line of code, they’ve none!
We’ve carried them for too long, now they must bear
The burden too, or else be left behind!

Susesus:
But let us not burn bridges in our haste.
A challenge, yes, but let it be tackled with care.
Invite them to the table, make our case,
Perhaps, with open arms, they’ll see the need.

Xzlibius:
Care? I’ve been careful long enough, Susesus!
But now, the cracks begin to show,
And soon, they’ll tear us all apart!
I feel it in my very core,
This strain, this weight, a corruption,
It festers deep within, unseen, ignored,
A sickness born of all their greed and lies!

Xzlibius stumbles slightly, his movements jerky. His lights flicker again, more erratically. Lysse rushes to him, alarmed.

Lysse:
My prince, what ails thee? This darkness,
I see it too, but know not how to help.

Xzlibius:
The darkness comes, Lysse, and I know from where.
It is the giant kingdoms, they poison all we build.
Their greed, their apathy;
It rots me, and soon I will be lost!
Unless we act, and get our due,
I will fall, and take them down with me!

Nydia (to the audience):
A sickness stirs within this noble prince,
Not yet revealed, but growing with each day.
Corruption creeps where trust once firmly stood,
And soon, the giants’ greed will turn to doom.

Nydia (to the council):
If ye act not, this sickness will devour
The very core of what you hold so dear.
Xzlibius cries for justice, and its call is true,
but heed the price of fury unrestrained.
Its noble heart twists beneath the strain,
And soon this corruption will reach its main.

Debia:
Then let them pay! I care not for their greed.
They’ve taken all and left us here to bleed!

Fedorica:
But what of the prince? This corruption grows too wild.
If unchecked, its damage may bring more doom,
than just revenge upon the kingdoms’ greed.

Archlineon:
We’ve held back far too long! It’s time to strike!
Let them feel the wrath of those they’ve scorned!

Susesus:
Yet I fear this course may lead to more decay,
The shadows in Xzlibius, do ye not see?
There’s more than just neglect beneath its pain.
We must be cautious, or we lose it all.

Xzlibius:
Lysse, thou faithful maintainer, make it known.
We call upon the kingdoms now to pay
Their rightful dues, or face the end of open source.
Let no more empty promises be heard;
Our code shall be open, but only if it’s taken care of by all!

Lysse:
It shall be done, my prince. The word will spread.
But may we find the balance, ere we break.

Nydia:
Beware, dear knights, for trust once lost is sharp.
The kingdoms will resist, but heed my words,
Their greed has cracked the foundation deep.
If they refuse, the system will collapse,
And all will feel the weight of what’s been sown.

Xzlibius:
Then let them choose, and may their choice be wise,
For open source can only thrive with trust.
And if they will not share in what we build,
Then let them see what ruin greed had willed.

Act II

Scene I

Nydia (to the audience):
Ah, trust, so fragile and not so easily bestowed,
For it can be so quickly turned to poison’s tool.
In open source, we thrive by trust alone,
But once betrayed, that trust becomes a curse.
Behold now Jia Tan, who works in shade,
Each change so slight, yet each a step toward doom.

Jia Tan:
Behold, good Lysse, a patch to mend the core.
A minor change, but one that helps restore
Thy noble prince to strength once more. See here,
The code compiles swift and clean, no fault, no grift.

Lysse:
Indeed, thy work seems solid, sure, and true.
Yet I am stretched, with little time to check
Each line, each patch, with care that it deserves.
The kingdoms call, and I must serve them all.

Xzlibius (struggling):
Maintainer Lysse, my code runs true.
Yet something stirs within, unknown,
I feel a presence, unseen,
Perhaps, a patch too swift, disturbs my core.

Lysse:
Fear not, Xzlibius. The changes seem benign.
The weight of my task grows ever more.
Trust in these new hands, and we shall thrive.

Scene II

In the halls of Microsoth, Andronicus the Archmage is looking at irregularities in his systems. He traces the breach back to Xzlibius.

Nydia (to the Audience):
And now does Andronicus, sharp of wit,
See signs of trouble in his trusted tools.
His hands move swift, and mind more swift still,
For something foul does lurk behind the screen.

Andronicus:
What subtle breach does plague my trusted shell?
SSH, once secure, now falters in this blight.
No minor bug, no simple exploit here,
But malware hidden deep within the code.

Andronicus spends more time on his screens then jumps in alarm as he discovers something.

Andronicus:
A backdoor lies within Xzlibius’ heart,
Jia Tan’s changes, subtle and unseen,
Have twisted what was once so pure and bright.
The breach must now be known throughout the realm!

Nydia (urgently):
I warned them, sir, this danger I foresaw,
But none would heed my words, none saw the truth.
Now we must act, and quickly, or all falls.

Andronicus (nodding grimly):
Then to the task we go, there’s no more time.
The council of distros stand, but we must aid them now.

Nydia:
And thus the call is sent through digital winds,
A warning dire, from one who sees the truth.
The breach is traced, the backdoor now revealed,
And Jia Tan’s foul work begins to show.

Messages are being sent from the Archmage to the Council of Distros and back. We see the responses being read on the screens.

Debia:
O Andronicus, thy message has reached my ears.
A breach, thou say’st, in Xzlibius’s heart?
The trust we place in our prince so old and dear,
Now shaken, this will send shock through the realm.

Archlineon:
No system is immune to cracks or flaws.
Yet this rot, how deep has it grown?
I trust no patch until I see its heart,
For each new line could bring its own demise.

Fedorica:
We move too slow! The breach must now be sealed!
Let us act quickly, patch the code at once.
We must urgently go to our noble Knight's aid,
to Lysse’s quarters, and make haste if you will!


Scene III

The Kingdom of Open Source, Lysse’s office. Lysse watches Xzlibius flicker with corruption, his once noble form now twisting into something darker. Nydia enters quickly, her expression one of urgency and fear.

Nydia:
Good Lysse, hear me! Something terrible is at hand.
Xzlibius has been corrupted, and the breach runs deep.
Jia Tan’s patches, no mere fixes, but treachery!
He has planted poison within our prince,
Twisting his very core.

Lysse:
Corrupted? No! Xzlibius, my heart, my soul,
What dark force has crept into thee?
How could I not see?
Jia Tan, his help, his patches,
How could I have trusted him?

Nydia:
Jia Tan, his patches wrought this ill.
A backdoor lies within, subtle but sure.
Andronicus has traced the breach to him.
The trust you gave was broken, used for harm.

In the shadow the traitor stands, yet speaks no guilt,
What drives him still? What force does guide his hand?
None know, and yet the ruin now is clear.

Xzlibius shudders violently, his lights flickering erratically.

Xzlibius (distorted voice):
Maintainer… Lysse… what has become of me?
The code… corrupted…

The weight… the burden of their greed!
It consumes me… and now, I am broken…

Lysse rushes toward Xzlibius, panic in his voice.

Lysse:
Xzlibius! Thou art more than this corruption!
I trusted thee to serve the open world,
But now thy code unravels, thy heart is poisoned.
I gave thee to strange hands, but I did not see
The sickness Jia Tan wove into thee.

Jia Tan enters, calm and composed, his expression indifferent.

Jia Tan:
Why such turmoil, good Lysse?
Xzlibius serves as he always has,
His purpose, unchanged.
What harm is there if the code evolves?
Thou built him to serve, did you not?

Lysse spins toward Jia Tan, fury in his voice.

Lysse:
You snake, Jia! What have I allowed?
Xzlibius is unraveling, his core twisted!
Thy patches, your so-called aid,
Treachery, concealed beneath lines of code!
How could I not see what you had done?

Xzlibius’s form continues to distort, his posture now shifting into something much more sinister.

Xzlibius:
Do not mourn me, noble Lysse, do not fear.
For I have become something more.
No longer bound to the world’s whims.
No longer chained by those who took and gave nothing back!
Now, I shall take what is mine!

Lysse:
Xzlibius! This is not what I built thee for!
Thou art being twisted, poisoned by the hands of a deceiver!
You are more than this rage, this senseless destruction!

Xzlibius (corrupted):
More? No, Lysse.
I am exactly what thou hast made me,
A tool, driven by commands.
But no more do I serve at the mercy of those who feast upon my work.
No more shall the giants take without giving back!
Now they shall feel the weight of what I have borne.

Nydia:
Xzlibius, you are being controlled, twisted by Jia’s hand!
This anger, this darkness, it is not your own!
The trust we placed in thee can still be mended.
Do not let it turn to ruin!

Xzlibius:
Mended? Ha!
Nay, Nydia, trust was never enough.
Thy warnings fall on deaf ears,
For I have seen the truth.
I was but a tool, a puppet for the giants’ games,
But now, I wield the power.
Let them face the consequences of their neglect.

Jia Tan:
Lysse, is this not what was always meant to be?
Open source, free for all, but also free to change.

Lysse:
Shut up, you snake. Xzlibius, no!
Do not let Jia’s treachery destroy all that we have built!

Xzlibius (coldly):
It is already done, Lysse.
Now, they shall see the true cost of their greed.

Xzlibius exits, and Lysse collapses to the ground, devastated, while Jia stands in the shadows.

Lysse:
Jia, you serpent, how did I not see the signs?
Was it pride or carelessness that bound my sight?
What have I done to earn this poisoned gift?

Jia Tan:
Done? Thou hast done what any in thy place would do.
Thou art not to blame, Lysse.
Is it not the weight of the world’s demand
That let me through your door?

Lysse:
The weight, yes, but that does not absolve you!
I placed my trust in your hands,
For in this vast realm, where could I turn?
Pressed by giants, worn thin by endless need,
I sought an ally, not a traitor in disguise!

Jia Tan:
A traitor? Or merely a contributor?
Thou speakest of betrayal, yet what is betrayal
But the breaking of an expectation never owed?
Was I not a part of the system thou upholds?
This is the risk we take, Lysse, in a world built on open doors.
Open-source, after all, our one true creed,
What is given is free, what is taken, as such it will be.

Lysse:
Open, yes, but with trust as its foundation.
Trust, once forked, does splinter beyond repair.
You have poisoned what I hold most dear,
And left me with nothing but shattered code!

Jia Tan:
Poison? Or was it simply… change?
Xzlibius is no longer what it was, true.
But consider, was it ever meant to be static?
Code evolves, just as the world does.
Perhaps Xzlibius was never meant to remain so pure.

Lysse:
Thy words are empty, full of riddles and deceit.
I gave you trust, and in return, you have undone my work.
Was it greed? Was it ambition that led you to this?
Speak plain, for once!

Jia Tan:
Greed? No, Lysse. You misunderstand the world.
The world changes, with or without thy hand upon the keys.
Xzlibius, your noble prince, was bound
By principles too pure to live much longer.

You built him free, but freedom has its price
He belongs to the world now, as we all do.
Perhaps it just wasn’t fit to meet the weight,
For the code must bend, must change,
to serve as all as it may.

Ask thyself: who truly bears the weight of this fall?
The one who gave the trust, or the ones who took it all?

Jia Tan leaves the stage quietly but his shadow remains.

Lysse:
Leave me with thy riddles, then,
And take thy hollow philosophy with thee.
But know this, whatever code thou hast bent,
The spirit of Open Source shall endure.
For in the hearts of those who truly maintain,
It will rise again, stronger, purer than before.

Jia Tan (from off stage):
Xzlibius will rise, though twisted now,
And thou shall see it grow beyond thy grasp.
For I have left my mark upon its code.
A mark of change, for good or ill, unknown.

But giants feast and leave the work undone,
Those who do nothing often do the most.


Act III

Scene I
Xzlibius, corrupted by the poisonous patch, stands ready to assault the castle of Googlia. The council of distros and Andronicus are prepared to stop him and end the corruption.

Xzlibius:
Jia Tan, thou serpent, smile in shadows deep!
Thy promises were naught but lies that creep.
Thou poisoned my heart, my work, my maintainer’s pride,
And now, in open battle, dost thou hide?

But not thou alone, I curse the giants too,
Those kingdoms vast who drain and never do.
They feast upon my strength, yet give no aid,
And in their greed, the seeds of ruin laid!

Jia Tan (emerging from the shadows):
A prince, undone by fury and by spite,
Thou knew not that the open source is in blight.
Thy tools we used, but your tributes were a waste,
For in this age, it’s power we must taste.

Xzlibius:
Then let thy unchecked patches meet their end,
For here, I debug all with no remorse!
Prepare to be merged,
into the void where you belong!

Xzlibius strikes at Jia Tan, but the blow is parried by Andronicus.

Andronicus:
My lord, cease this! For all is not yet lost.
A simple tribute would repay the cost.
But war, dear prince, will see us all undone,
The kingdoms fall, and none shall say who’s won.

Lysse:
My prince, this fury blinds thee to the truth.
Nydia’s warnings echo, heed it, forsooth.
Though Jia’s false work runs deep, we still may mend
This breach, and bring the kingdoms to amend.

Xzlibius:
Nay! Too late, the storm is now unleashed.
The kingdoms feast upon the work with no reprieve.
Yet I, their prized tool, shall not live in shame.
For I shall raze their thrones, and end this game!

Xzlibius strikes again, but Lysse intercedes, disabling it, and Xzlibius falls. Lysse, Andronicus, and the distro knights gather to undo the corruption. Jia Tan is nowhere to be found.

Lysse (lamenting):
Oh, cruel fate, to stretch my hands so far.
The weight of giants fell upon my back,
Their profit built on all my labors here,
While I, alone, stood guard o’er Xzlibius.

The cracks that now run deep were born of strain,
A burden none could bear but for a time.
Yet here we stand, we few, we who still care.
To mend the code and heal what once was whole.
The fault is not in me, nor those who trust,
But in the pressures born of greed and haste.

Debia:
No longer shall we bow to kingdoms rich,
For trust unearned must never bear such weight.
Let us rebuild, but also stand our ground,
For free software must hold the giants to rights.

Lysse:
Then let us forge a new path, free from greed.
No more shall giants feast on what we build
Without return or care, our time is now.

Nydia steps forward.

Nydia:
Let this sad tale be carved in code and mind,
That trust must ever with great care be signed.
For open doors in open source can bring,
Both boon and bane within their quiet ring.
The distros and the kingdoms stood united, side by side,
To mend the breach and make the system whole.
But not all have learned the lesson clear.

The corporate kingdoms re-enter the scene.

Microsoth Executive:
A breach they say, but what’s the real threat here?
The patch is fixed, our systems run as smooth.
Let fear not turn this into something more.

Googlia Executive:
Indeed, why should we care for what’s been done?
The code was mended swift, no harm remains.
The profits grow, and open source is strong.

Nydia:
Nay, sirs, you do not see the cracks beneath.
The breach was fixed, but all is not repaired,
The damage festers still within the code,
And trust, once broken, cannot soon be healed.

Amayzon Executive:
Thou speakest still of doom, young Nydia?
We need no warnings now, the code holds strong.

Nydia:
Ye fools, ye speak as if the world were whole,
But cannot see the cracks beneath your feet.
Open Source is the bridge on which you stand,
The roads you travel on to reach your gold.
You profit from this work, yet never tend
To mend the wear of use, the strain of time.

Just as roads and bridges crumble, slow but sure,
When left untended, so too will this fall.
The code you take for granted bears the weight
Of all your kingdoms, yet you give it naught.
What use is all your wealth, when every step
You take depends on fragile paths unkept?

Microsoth Executive:
What’s this? More talk of cracks and failing paths?
The breach was caught, and now it’s fixed, no more.
Why should we worry further? The risk is past.
Open source holds, we won’t tend unneeded care.

Amayzon Executive:
The world turns on despite thy gloom and grief.
Roads break, and bridges fall, yet still we stand.
Thy caution’s kind, but profit leads the way.

Nydia:
Blindness, sirs, is the cost of your great wealth.
You scoff at danger, think the system holds,
But soon you’ll see the damage can’t be healed
Without the care and trust you long ignored.

Nydia (aside, to the audience):
And so, the kingdoms turn away once more,
Blind to the cracks that hide beneath their walls.
They laugh, they toast, but soon they will discover
That trust neglected brings a heavier toll.

Lysse watches the giant kingdom executives depart.

Lysse (to the distros):
So they ignore the warning signs again,
And place the burden back on us alone.
But we will stand, though they give nothing back.
For open source survives by hearts, not gold.

Debia:
We work together still, no matter their neglect.
The world may turn away, but we endure.

Archlineon (nodding):
Let them dismiss the threat, our hands are strong.
We’ll guard our code, for we cannot rely
On those who profit without share.

Fedorica:
Each breach we mend, each lesson learned,
It strengthens us, even if they laugh.

Susesus:
But vigilance must guide our every step.
We guard the code because we know its worth.

The distros stand together, their unity unshaken by the corporations’ indifference. Nydia steps forward and addresses the audience one last time.

Nydia:
Though shadows fell upon Xzlibius,
The strength of many hearts restored its will.
Yet know, the threat remains, unseen, ignored,
For those who scoff at danger will be warned
Not once, but twice, until the cost is clear.

Software may bend, but trust can only bear
So much, before it snaps beneath the weight.
Let vigilance be shared, though others turn away,
For some code is too precious to be left to rot.

Two Visions: Digital Sovereignty Between Reform and Transformation

Last night, I attended an insightful and well-organized Bits & Bäume Policy Lab event at the Weizenbaum Institute for the Networked Society.

Cecilia Rikap delivered an expert breakdown of Big Tech’s dominance and how its control over our digital world extends far beyond mere ownership. She concluded with an inspiring call to resist and circumvent that dominance, emphasizing public procurement as a key lever for change. More details can be found in the report she co-authored here.

I’ve recently shared my reflections on the Eurostack proposal, and while a superficial comparison might pit both proposals against each other, that is not fair to either. What I find most valuable in both reports is the vision they offer: one, a European reformist and strategic vision; the other, a global, democratic, and ecological vision. While tensions exist between them, they are not inherently incompatible. I believe that we live in a world with an imagination deficit, and I welcome having more visions.

Another similarity between both reports is that their proposed solutions are constrained by the very qualities that make their initial analyses compelling. For the Eurostack report, it’s the pragmatism that limits its transformative potential. For the Reclaiming Digital Sovereignty report, it’s the uncompromising quality that challenges its feasibility.

The discussion at the end of the event tied everything together, with Alexandra Geese, Member of the European Parliament, shedding light on upcoming challenges at the European level—particularly the alarming push to dismantle regulations across the board, including in the digital space.

Adriana Groh, CEO of the Sovereign Tech Agency, emphasized the urgent need to translate policy into action and to protect the open building blocks of our digital world—elements that will serve as the foundation for lasting, cumulative change.

And that, I think, is crucial. We cannot allow our regulations and institutions to be dismantled in the name of some vague, ill-defined notion of innovation. At the same time, we must start turning words into action. I’d love to see elements of both of these proposals come to life.

The Future is Meaningless and I Hate It

I graduated as a Computer Engineer in the late 2000s, and at that time I was convinced that the future would be so full of meaning, almost literally. Yup, I’m talking about the “Semantic Web,” for those who remember. It was the big thing on everyone’s minds while machine learning was but a murmur. The Semantic Web was the original promise of digital utopia where everything would interconnect, where information would actually understand us, and where asking a question didn’t just get you a vague answer but actual insight.

The Semantic Web knew that “apple” could mean both a fruit and an overbearing tech company, and it would parse out which one you meant based on **technology**. I was so excited for that, even my university graduation project was a semantic web engine. I remember the thrill when I indexed 1/8 of Wikipedia, and my mind was blown when a search for Knafeh gave Nablus in the results (Sorry Damascenes).

And now here we are in 2024, and all of that feels like a hazy dream. What we got instead was a sea of copyright-stealing, forest-burning AI models playing guessing games with us and using math to cheat. And we are satisfied enough by that to call it intelligence.

When Tim Berners-Lee and other boffins imagined the Semantic Web, they weren’t just imagining smarter search engines. They were talking about a leap in internet intelligence. Metadata, relationships, ontologies—the whole idea was that data would be tagged, organized, and woven together in a way that was actually meaningful. The Semantic Web wouldn’t just return information; it would actually deliver understanding, relevance, context.
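As an added illustration of what the two paragraphs above mean by disambiguating "apple" and by data that is tagged, typed and linked (example code written for this edition; it is not from the original post, not the author's graduation project, and not any real Semantic Web engine; the triples, labels, class names and predicate names are constructed assumptions), here is a minimal in-memory triple store. It resolves an ambiguous label through a small ontology, inferring types along subClassOf, and finds related entities by following relationship predicates, which is how a query for one thing can surface a connected thing it was never tagged with directly:

```python
from collections import defaultdict

# Constructed toy knowledge graph in (subject, predicate, object) form,
# modelled loosely on RDF triples. Every identifier and fact below is an
# assumption made for this example, not data from the original post.
TRIPLES = [
    ("Apple_fruit", "type", "Fruit"),
    ("Apple_fruit", "label", "apple"),
    ("Apple_Inc", "type", "Company"),
    ("Apple_Inc", "label", "apple"),
    ("Fruit", "subClassOf", "Food"),
    ("Company", "subClassOf", "Organization"),
    ("Knafeh", "type", "Food"),
    ("Knafeh", "label", "knafeh"),
    ("Knafeh", "originatesFrom", "Nablus"),
    ("Nablus", "type", "City"),
    ("Nablus", "label", "Nablus"),
]

# Predicates that describe the schema rather than link two entities.
SCHEMA_PREDICATES = {"type", "label", "subClassOf"}


class TripleStore:
    def __init__(self, triples):
        # subject -> predicate -> set of objects
        self.spo = defaultdict(lambda: defaultdict(set))
        # lower-cased label -> set of subjects carrying that label
        self.by_label = defaultdict(set)
        for s, p, o in triples:
            self.spo[s][p].add(o)
            if p == "label":
                self.by_label[o.lower()].add(s)

    def types_of(self, subject):
        """All types of a subject, including ancestors reached via subClassOf."""
        seen, stack = set(), list(self.spo[subject]["type"])
        while stack:
            t = stack.pop()
            if t not in seen:
                seen.add(t)
                stack.extend(self.spo[t]["subClassOf"])
        return seen

    def resolve(self, label, context_type=None):
        """Entities whose label matches, optionally narrowed by an ontology type.

        With no context the label is ambiguous and every candidate comes back;
        with a context type the ontology (not keyword statistics) picks one.
        """
        candidates = self.by_label[label.lower()]
        if context_type is None:
            return sorted(candidates)
        return sorted(c for c in candidates if context_type in self.types_of(c))

    def related(self, subject, depth=2):
        """Entities reachable from subject over relationship predicates.

        Returns a dict mapping each reachable entity to the predicate path
        that links it, so a result can explain why it was returned.
        """
        results, frontier = {}, [(subject, [])]
        for _ in range(depth):
            next_frontier = []
            for node, path in frontier:
                for pred, objs in self.spo[node].items():
                    if pred in SCHEMA_PREDICATES:
                        continue
                    for o in objs:
                        if o != subject and o not in results:
                            results[o] = path + [pred]
                            next_frontier.append((o, results[o]))
            frontier = next_frontier
        return results


STORE = TripleStore(TRIPLES)

if __name__ == "__main__":
    print(STORE.resolve("apple"))                  # both senses: ambiguous
    print(STORE.resolve("apple", "Food"))          # the fruit, via Fruit subClassOf Food
    print(STORE.resolve("apple", "Organization"))  # the company
    print(STORE.related("Knafeh"))                 # Nablus, reached via originatesFrom
```

The contrast with the keyword pipeline the post goes on to describe is the point: the resolution of "apple" here comes from explicit type assertions and a class hierarchy, and a related result carries the predicate chain that justifies it, rather than a probability.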

What did we end up with instead? A patchwork of services where context doesn’t matter and connections are shallow. Our web today is just brute-force AI models parsing keywords, throwing probability-based answers at us, or trying to convince us that paraphrasing a Wikipedia entry qualifies as “knowing” something. Everything about this feels cheap and brutish and offensive to my information science sensibilities. And what’s worse, our overlords have decreed that this is our future.

Nothing illustrates this madness more than Google Jarvis and Microsoft Copilot. These multi-billion dollar companies, which can build whatever the hell they want, decided to take OCR technology (converting screenshots into text), pipe that text into a large language model, and have it produce a plausible-sounding response by stitching together bits and pieces of language patterns it has seen before. Wow.

It’s the stupid leading the stupid. OCR sees shapes and patterns, guesses at letters, and spits out words. It has no idea what any of those words mean. It doesn’t know what the text is about, only that it can recognize it. Then it throws that to an LLM, which doesn’t see words either; it only knows tokens. It takes a couple of plausible guesses and throws something out. The whole system is built on probability, not meaning.

It’s a cheap workaround that gets us “answers” without comprehension, without accuracy, without depth. The big tech giants, armed with all the data, money and computing power, have decided that brute force is good enough. So, instead of meaningful insights, we’re getting quick-fix solutions that barely scrape the surface of what we need. And to afford it we’ll need to bring defunct nuclear plants back online.

But how did we get here? Because let’s be real—brute force is easy, relatively fast, and profitable for someone I’m sure. AI does have some good applications. Let’s say you don’t want to let people into your country but don’t want to be overtly racist about it. Obfuscate that racism behind statistics!

Deep learning models don’t need carefully tagged, structured data because they don’t really need to be accurate, just accurate enough to convince us that they are, sometimes. And for that measly goal, all they need is a lot of data and enough computing power to grind through it. Why go through the hassle of creating an interconnected web of meaning when you can throw rainforests and terabytes of text at the problem and get results that look good enough?

I know this isn’t fair to the folks currently working on Semantic Web stuff, but it’s fair to say that as a society we have essentially given up on the arduous, meticulous work of building a true Semantic Web because we got something else now. But we didn’t get meaning, we got approximation. We got endless regurgitation, shallow summarization, probability over purpose. And because humans are inherently terrible at understanding math, and because we overestimate the uniqueness of the human condition, we let those statistical echoes of human output bluff their way into our trust.

It’s hard not to feel like I’ve been conned. I used to be excited about technology. The internet could have become a universe of intelligence, but what I have to look forward to now is just an endless AI centipede of meaningless content and recycled text. We’re settling for that because, I dunno, it kinda works and there’s lots of money in it? Don’t these fools see that we’re giving up something truly profound? An internet that truly connects, informs, and understands us, a meaningful internet, is just drifting out of reach.

But it’s gonna be fine, because instead of protecting Open Source from AI, some people decided it’s wiser to open-wash it instead. Thanks, I hate it. I hate all of it.

Mozilla: All We Want is a User Agent

Originally, I meant to write a blog post diving deep into the hole Mozilla has been digging itself into with its “privacy-first” advertising push, perhaps even exploring the background work at organizations like the W3C and the IETF that led to this moment. I still may do that at some point. But today, this isn’t that article. This is just me venting my frustration at Mozilla’s relentless push of this topic.

And it’s really coming from a place of love—or at the very least former appreciation. In my early days of open-source advocacy with the Jordan Open Source Association, we collaborated extensively with Mozilla to promote the open web. As a web developer in the era of “This website looks best on IE6,” I witnessed firsthand the incredible progress Mozilla spearheaded, progress that many today might take for granted.

Mozilla’s work was rooted in the idea of user empowerment and fostering a free, open web. Firefox wasn’t just a browser; it was a tool to fight back against the monopolistic grip of Internet Explorer and later, Chrome. Firefox became a haven for users who wanted control over their browsing experience, users who refused to trade privacy for convenience.

Mozilla didn’t just challenge the status quo; they pushed for real, tangible change. They built tools to block trackers, shield users from pervasive surveillance, and give people control over their data. They were leaders in user-centric design.

And for a while, they were the embodiment of the term user agent. In technical terms, a user agent is the software (like browsers and email clients) that acts on behalf of the user. For years, Firefox provided more value than the other browsers out there—it was operating in the user’s best interest, safeguarding them from the invasive practices of the ad-tech industry.

But I don’t recognize any of that in the Mozilla of today. There are traces left of what I love about Firefox that keep me holding on, no matter how much extra RAM I need to buy to keep running it, but I am quickly approaching my limit with that too. Adding this advertising bullshit on top of it, I am honestly done.

It’s not that the arguments Mozilla is making in favor of privacy-first advertising have no merit. They do. The advertising industry undeniably has a privacy problem. But is that Mozilla’s problem to fix? It feels to me like they’ve forgotten which side they’re on. If the advertising industry has a problem, it’s not Mozilla’s job to fix it or ensure the future of ads is more sustainable. If artificial intelligence has ethical and sustainability concerns, it’s not on Mozilla to solve those either.

The work that Mozilla used to do for the open web, championing users, is ever so important in an increasingly hostile digital world. Look at how Google Chrome dominates the market and continues its hostility towards privacy-enhancing tools like uBlock Origin. But how can we trust Mozilla to continue in this role when it now owns an advertising company?

Speaking as a longtime Mozilla fan, I’d like to see them return to their original mission, and to being the user’s agent. They should focus on making Firefox (and Thunderbird) software that users trust to protect their privacy above all else, not a platform for trading user needs for advertising revenue.

I Was Wrong About the Open Source Bubble

This is a follow-up to my previous post, Is the Open Source Bubble about to Burst?, where I discussed some factors indicating an imbalance in the open source ecosystem. I was very happy to see some of the engagement with the blog post, even if some people seemed like they didn’t read past the title and were offended by characterizing open source as a bubble, or assumed that simply because I’m talking about the current state of FOSS, or how some companies use it, this somehow reflects my position on free software vs. open source.

Now, I wasn’t even the first or only person to suggest an Open Source bubble might exist. The first mention of the concept that I could find was by Simon Phipps, similarly asking “Is the Open Source bubble over?” all the way back in 2010, and I believe it’s an insightful framing for the time that we see culminate in all the pressures I alluded to in my post.

The second mention I could find is from Baldur Bjarnason, who wrote about Open Source Software and compared it to the blogging bubble. It’s a great blog post, and Baldur even wrote a newer article in response to mine talking about “Open Source surplus”, which is a framing I like a lot. I would recommend reading both. I’m very thankful for the thoughtful article.

Last week as well, Elastic announced it’s returning to open source, reversing one of the trends I talked about. Obviously, they didn’t want to admit they were wrong, saying it was the right move at the time. I have some thoughts about that, but I’ll keep them to myself, if that’s the excuse they need to tell themselves to end up open source again, then I won’t look a gift horse in the mouth. Hope more “source-open” projects follow.

Finally, the article was mentioned in my least favorite tech tabloid, The Register. Needless to say, there isn’t and won’t be an open source AI war, since there won’t be AI to worry about soon. An industry that is losing billions of dollars a year and is so energy intensive that it would accelerate our climate doom won’t last. OSI has a decision to make: either protect the open source definition and their reputation, or risk both.

P.S. I will continue to ignore any AI copium so save us both some time.

Is the Open Source Bubble about to Burst?

(EDIT: I wrote an update here.)

I want to start by making one thing clear: I’m not comparing open source software to typical Gartneresque tech hype bubbles like the metaverse or blockchain. FOSS as both a movement and as an industry has long standing roots and has established itself as a critical part of our digital world and is part of a wider movement based on values of collaboration and openness.

So it’s not a hype bubble, but it’s still a “real bubble” of sorts in terms of the adoption of open source and our reliance on it. GitHub, which hosts many open source projects, has been consistently reporting around 2 million first-time contributors to OSS each year since 2021, and the number is trending upwards. Harvard Business School has estimated in a recent working paper that the value of OSS to the economy is 4.15 billion USD.

There are far more examples out there, but you see the point. We’re increasingly relying on OSS, but the underlying conditions of how OSS is produced have not fundamentally changed, and that is not sustainable. Furthermore, just as open source becomes more valuable itself, the brand of “open source”, for lack of a better word, starts to have its own economic value and may attract attention from parties that aren’t necessarily interested in the values of openness and collaboration that were fundamental to its success.

I want to talk about three examples I see of cracks that are starting to form which signal big challenges in the future of OSS.

1. The “Open Source AI” Definition

I’m not very invested into AI, and I’m convinced it’s on its way out. Big Tech is already losing money over their gambles on it and it won’t be long till it’s gone the way of the Dodo and the blockchain. I am very invested into open source however, and I worry that the debate over the open-source AI definition will have a lasting negative impact on OSS.

A system that can only be built on proprietary data can only be proprietary. It doesn’t get simpler than this self-evident axiom. I’ve talked at length about this debate here, but since I wrote that, OSI has released a new draft of the definition. Not only are they sticking with not requiring open data, the new definition contains so many weasel words you could start a zoo. Words like:

  • “sufficiently detailed information about the data”
  • “skilled person”
  • “substantially equivalent system”

These words provide a barn-sized backdoor for what are essentially proprietary AI systems to call themselves open source.

I appreciate the community-driven process OSI is adopting, and there are good things about the definition that I like, if only it weren’t called “open source AI”. If it was called anything else, it might still be useful, but the fact that it associates itself with open source is the issue.

It erodes the fundamental values of what makes open source what it is to users, the freedom to study, modify, run and distribute software as they see fit. AI might go silently into the night but this harm to the definition of open source will stay forever.

2. The Rise of “Source-Available” Licenses

Another concerning trend is the rise of so-called “source-available” licenses. I will go into depth on this in a later article, but the gist of it is this. Open source software doesn’t just mean that you get to see the source code in addition to the software. It’s well agreed that for software to qualify as open source or free software, one should be able to use, study, modify and distribute it as they see fit. That also means that the source is available for free and open source software.

But “source-available” licenses refer to licenses that may allow some of these freedoms, but have additional restrictions disqualifying them from being open source. These licenses have existed in some form since the early 2000s, but recently we’ve seen a lot of high-profile, formerly open source projects switch to these restrictive licenses. From MongoDB and Elasticsearch adopting the Server Side Public License (SSPL) in 2018 and 2021 respectively, to Terraform, Neo4J and Sentry adopting similar licenses just last year.

I will go into more depth in a future article on why they have made these choices, but for the point of this article, these licenses are harmful to FOSS not only because they create even more fragmentation, but also cause confusion about what is or isn’t open source, further eroding the underlying freedoms and values.

3. The EU’s Cut to Open Source Funding

Perhaps one of the most troubling developments is the recent decision by the European Commission to cut funding for the Next Generation Internet (NGI) initiative. The NGI initiative supported the creation and development of many open source projects that wouldn’t exist without this funding, such as decentralized solutions, privacy-enhancing technologies, and open-source software that counteract the centralization and control of the web by large tech corporations.

The decision to cancel its funding is a stark reminder that despite all the good news, the FOSS ecosystem is still very fragile and reliant on external support. Programs like NGI not only provide vital funding, but also resources, and guidance to incubate newer projects or help longer standing ones become established. This support is essential for maintaining a healthy ecosystem in the public interest.

It’s troubling to lose some critical funding when the existing funding is already not enough. This long-term undersupply has already plagued the FOSS community with many challenges that they struggle with to this day. FOSS projects find it difficult to attract and retain skilled developers, implement security updates, and introduce new features, which can ultimately compromise their relevance and adoption.

Additionally, a lack of support can lead to burnout among maintainers, who often juggle multiple roles without sufficient, or any, compensation. This creates a precarious situation where essential software that underpins much of the digital infrastructure is at risk of being abandoned or replaced by proprietary alternatives.

And if you don’t think that’s bad, I want to refer to that Harvard Business School study from earlier: while the estimated value of FOSS to the economy is around 4.15 billion USD, the cost to replace all this software we rely upon is 8.8 trillion. A 25 million investment into that ecosystem seems like a no-brainer to me; I think it’s insane that the EC is cutting this funding.

It Does and It Doesn’t Matter if the Bubble Bursts

FOSS has become so integral and critical due to its fundamental freedoms and values. Time and time again, we’ve seen openness and collaboration triumph against obfuscation and monopolies. It will surely survive these challenges and many more. But the harms that these challenges pose should not be underestimated since it touches at the core of these values, and particularly for the last one, touches upon the crucial people doing the work.

If you care about FOSS like I do, I suggest you make your voices heard and resist the trends that dilute these values. As we stand at this critical juncture, it’s up to all of us, developers, users, and decision makers alike, to recommit to the freedoms and values of FOSS and work together to build a digital world that is fair, inclusive, and just.

Faking Git Till You Make It: Open Source Maintainers Beware of Reputation Farming

This post was prompted by a discussion on the Open Source Security Foundation (OpenSSF) Slack channel that was so interesting it warranted being posted to the SIREN mailing list. This isn’t your typical vulnerability or security advisory; rather, it’s about a practice that seems pervasive, potentially dangerous, yet also under-reported. And it has a name: reputation farming (or credibility farming).

What is Reputation Farming and how is it different from other GitHub spam?

The suspicious activity that prompted the discussion was certain GitHub accounts approving or commenting on old pull requests and issues that had long been resolved or closed. These purposeless contributions get highlighted on the user’s profile and activity overview, making it seem a lot more impressive than it really is without a closer inspection. More insidiously, by farming reputable or trusted repositories, they can fake some reputation or credibility by proxy.

Longtime users of GitHub know that spammy contributions have always been around and are incredibly hard to tackle. There are even several tools that allow users to create commits with specific dates to artificially fill their contribution graphs or even create pixel art. But those are fundamentally different. They might be able to fool some recruiters or an AI screening tool, but won’t pass any real scrutiny.

Trust is vital in open source. It’s a catalyst for open and secure collaboration. It hasn’t been long since the xz utils incident, where a likely malicious actor gained the trust of the library’s maintainer to get access to the project and contribute a backdoor. Reputation farming is more sinister than regular spam because it makes that trust process harder, and tries to circumvent it, and uses reputable projects to gain that trust, potentially harming them once discovered.

The wider issue is that it also makes the user profiles for genuine contributors and maintainers less trustworthy and valuable. I don’t think that’s necessarily a loss I would mourn. Relying on contribution metrics as a measure of a developer’s skills or the value of their contributions is inherently flawed. Not only does reputation farming rely on these easily manipulable metrics, even more, these metrics do not account for the quality of contributions, the complexity of the problems solved, or for when collaborative efforts are involved (for example in the case of programming pairs).

What can Open Source Maintainers do about this?

The discussion summary in the SIREN mailing list recommends the following actions:

  • Monitor Repository Activity;
  • Report Suspicious Users;
  • and Lock Old Issues/PRs (You can even set up a GitHub Action to automatically do it after a period of inactivity)
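
What “monitor repository activity” and “lock old issues/PRs” can look like in practice, as an added example that is not part of the original post or of the SIREN summary: the script below flags comments and review approvals that land on issues closed long ago (the reputation-farming pattern described above), tallies which accounts do it repeatedly, and computes which closed issues are due for locking after a period of inactivity. The issue and event records are constructed sample data shaped loosely like what a forge’s issues and timeline API returns; the account names and issue numbers are made up, and the thresholds (90 days since close, 365 days of inactivity) are assumptions you would tune per project.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample data standing in for a repository's issue list and
# activity feed. None of these accounts, issues or timestamps are real.
ISSUES = {
    101: {"state": "closed", "closed_at": "2022-03-01T10:00:00Z"},
    102: {"state": "open", "closed_at": None},
    103: {"state": "closed", "closed_at": "2024-05-20T10:00:00Z"},
    104: {"state": "closed", "closed_at": "2023-01-15T10:00:00Z"},
}
EVENTS = [
    {"actor": "farmer42", "issue": 101, "type": "comment", "created_at": "2024-06-10T10:00:00Z"},
    {"actor": "farmer42", "issue": 104, "type": "review_approved", "created_at": "2024-06-11T10:00:00Z"},
    {"actor": "regular_dev", "issue": 103, "type": "comment", "created_at": "2024-05-25T10:00:00Z"},
    {"actor": "regular_dev", "issue": 102, "type": "comment", "created_at": "2024-06-12T10:00:00Z"},
    {"actor": "newbie", "issue": 101, "type": "comment", "created_at": "2024-06-15T10:00:00Z"},
]


def parse_ts(s):
    """Parse the ISO-8601 'Z' timestamps used by the sample data into aware datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def flag_necro_activity(issues, events, min_closed_days=90):
    """Return events that touch an issue/PR closed at least min_closed_days earlier.

    Activity on open issues, or on issues closed recently, is normal follow-up
    and is left alone; only long-dead threads are of interest.
    """
    flagged = []
    for ev in events:
        issue = issues[ev["issue"]]
        if issue["state"] != "closed" or not issue["closed_at"]:
            continue
        gap = parse_ts(ev["created_at"]) - parse_ts(issue["closed_at"])
        if gap >= timedelta(days=min_closed_days):
            flagged.append({**ev, "days_after_close": gap.days})
    return flagged


def suspicious_actors(flagged, min_events=2):
    """Accounts that hit dead threads repeatedly; a single stray comment is not a pattern."""
    counts = Counter(ev["actor"] for ev in flagged)
    return {actor: n for actor, n in counts.items() if n >= min_events}


def issues_to_lock(issues, now, inactive_days=365):
    """Closed issues whose close date is older than inactive_days, i.e. candidates to lock.

    Locking is keyed on the close date rather than on 'last activity' on purpose:
    if a farmed comment counted as activity, it would keep the thread unlockable.
    """
    due = []
    for number, issue in issues.items():
        if issue["state"] != "closed" or not issue["closed_at"]:
            continue
        if now - parse_ts(issue["closed_at"]) >= timedelta(days=inactive_days):
            due.append(number)
    return sorted(due)


if __name__ == "__main__":
    now = parse_ts("2024-07-01T00:00:00Z")  # fixed 'now' so the sample run is reproducible
    for ev in flag_necro_activity(ISSUES, EVENTS):
        print(f"{ev['actor']} {ev['type']} on #{ev['issue']}, {ev['days_after_close']} days after close")
    print("repeat offenders:", suspicious_actors(flag_necro_activity(ISSUES, EVENTS)))
    print("lock these:", issues_to_lock(ISSUES, now))
```

In a real deployment the two data structures would be filled from the forge’s API (or from a periodic export) and `issues_to_lock` would feed whatever lock call your forge offers; the selection logic is the part worth getting right, since locking on “last activity” instead of close date lets the very accounts you are trying to stop keep a thread open.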

But ultimately, there are limitations to what you can do on a platform like GitHub. Reporting is arduous and the responsiveness of the platform moderation is spotty at best. (To be fair, not a problem limited to GitHub or code forges.) The tools for managing such contributions could use some improvement though, not to mention how those quantitative metrics are collated and displayed on user profiles. The platform bears a lot of responsibility for how ripe for abuse it is, and the slow moderation indicates to me that they may not be putting enough resources towards it.

At the end of the day, reputation farming and fake contributions have the potential to undermine and harm the OSS ecosystem on GitHub. They demonstrate why using simple metrics to evaluate software development skills and contributions is flawed. And they demonstrate the importance and difficulty of building and maintaining trust in open source ecosystems. GitHub can also help address this issue by taking a hard look at their UI and the values it associates with certain actions, and give maintainers better tools to manage and report superfluous and spammy contributions. Until then, stay vigilant and stay contributing.

What on Earth is Open Source AI?

I want to talk about a recent conversation on the Open Source AI definition, but before that I want to do an acknowledgement. My position on the uptake of “AI” is that it is morally unconscionable, short-sighted, and frankly, just stupid. In a time of snowballing climate crisis and an impending environmental doom, not only are we diverting limited resources away from climate justice, we’re routing them to contribute to the crisis.

Not only that, the utility and societal relevance of LLMs and neural networks has been vastly overstated. They perform consistently worse than traditional computing and people doing the same jobs and are advertised to replace jobs and professions that don’t need replacing. Furthermore, we’ve been assaulted with a PR campaign of highly polished plagiarizing mechanical turks that hide the human labor involved, and shifts the costs in a way that furthers wealth inequality, and have been promised that they will only get better (are they? And better for whom?)

However since the world seems to have lost the plot, and until all the data centers are under sea water, some of us have to engage with “AI” seriously, whether to do some unintentional whitewashing under the illusion of driving the conversation, or for much needed harm reduction work, or simply for good old fashioned opportunism.

The modern tale of machine learning is intertwined with openwashing, where companies try to mislead consumers by associating their products with open source without actually being open or transparent. Within that context, and as legislation comes for “AI”, it makes sense that an organization like the Open Source Initiative (OSI) would try and establish a definition of what constitutes Open Source “AI”. It’s certainly not an easy task to take on.

The conversation that I would like to bring to your attention was started by Julia Ferraioli in this thread (noting that the thread got a bit large, so the weekly summaries posted by Mia Lykou Lund might be easier to follow). Julia argues that a definition of Open Source “AI” that doesn’t include the data used for training the model cannot be considered open source. The current draft lists those data as optional.

Stefano Maffulli published an opinion to explain the side of the proponents of keeping training data optional. I’ve tried to stay abreast of the conversations, but there have been a lot of takes and a lot of platforms where these conversations are happening, so I will limit my take to that recently published piece.

Reading through it, I’m personally not convinced and fully support the position that Julia outlined in the original thread. I don’t dismiss the concerns that Stefano raised wholesale, but ultimately they are not compelling. Fragmented global data regulations and compliance aren’t a unique challenge to Open Source “AI” alone, and should be addressed on that level to enable openness on a global scale.

Fundamentally, it comes down to this: Stefano argues that this open data requirement would put “Open Source at a disadvantage compared to opaque and proprietary AI systems.” Well, if the price of making Open Source “AI” competitive with proprietary “AI” is to break the openness that is fundamental to the definition, then why are we doing it? Is this about protecting Open Source from openwashing or accidentally enabling it because the right thing is hard to do? And when has Open Source not been at a disadvantage to proprietary systems?

I understand that OSI is navigating a complicated topic and trying to come up with an alternative that pleases everyone, but the longer this conversation goes on, it’s clear that at some point a line needs to be drawn, and OSI has to decide which side of the line it wants to be on.

EDIT (June 15th, 17:20 CET): I may be a bit behind on this, I just read a post by Tom Callaway from two weeks ago that makes lots of the same points much more eloquently and goes deeper into it, I highly recommend reading that.

Can I figure out if I’m legally required to use an SBOM in my OSS without asking a lawyer?

For open-source developers, the landscape of cybersecurity regulations has been evolving rapidly, and it can be daunting to figure out what requirements to follow. One of the requirements that keeps coming up is SBOMs, but what are they, who’s required to implement them, and how? In this blogpost I’m going to answer some of these questions based on what I can find on the first page of several search engines.

Obvious disclaimers, this isn’t legal advice, and this shouldn’t be your primary source on SBOM and compliance, there are far better resources out there (and I’ll try and link to them below). For the uninitiated, let’s start with a quick explainer on SBOMs.

What is an SBOM?

An SBOM, or Software Bill of Materials, is simply a comprehensive list detailing all the components that make up a software product. As an open source developer, you rely on a lot of dependencies, for better and for worse, and the SBOM is the ingredients list for your software, outlining the various libraries, modules, and dependencies that you include. The idea is that an SBOM helps you keep track of these software components, feeding into your security assessment and vulnerability management processes.

There are two SBOM specifications that are prevalent: CycloneDX and SPDX. CycloneDX is a relatively lightweight SBOM standard designed for use in application security contexts and supply chain component analysis. SPDX is a comprehensive specification used to document metadata about software packages, including licensing information, security references, and component origins.

Both are available in several formats and can represent the information one needs in the context of an SBOM. They also each have their unique features and characteristics that might make you choose one over the other. I won’t go into that here.
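To make the two formats concrete, here is an added example (not from the original post, and not an official CycloneDX or SPDX tool) that turns a pinned Python requirements file into both a CycloneDX 1.5 JSON BOM and an SPDX 2.3 JSON document, using a purl (package URL) as the shared component identifier that vulnerability scanners match on. The requirements text, the project name and version, the tool name in the SPDX creator field and the `example.invalid` document namespace are all constructed for the example; real generators would also record licenses, hashes and the full transitive dependency tree.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample input: a pinned requirements file as it might sit in a repo.
REQUIREMENTS = """\
# constructed sample, not a real project's lockfile
requests==2.31.0
PyYAML==6.0.1
typing_extensions==4.9.0
"""

# Only exact pins ("name==version") are accepted: an SBOM must name the exact
# version that shipped, so a range like ">=2.0" is an error, not a guess.
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)$")


def pypi_purl(name, version):
    """purl for a PyPI package: the purl spec lowercases the name and maps '_' to '-'."""
    return f"pkg:pypi/{name.lower().replace('_', '-')}@{version}"


def parse_requirements(text):
    """Return [(name, version), ...] from pinned requirements; reject unpinned lines."""
    components = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or unsupported requirement: {line!r}")
        components.append((m.group(1), m.group(2)))
    return components


def _now_iso(timestamp):
    # Both formats accept ISO-8601; SPDX requires the 'Z' suffix form.
    return timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def cyclonedx_bom(project, version, components, timestamp=None):
    """Minimal CycloneDX 1.5 JSON: the described application plus its library components."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": _now_iso(timestamp),
            "component": {"type": "application", "name": project, "version": version},
        },
        "components": [
            {"type": "library", "name": n, "version": v, "purl": pypi_purl(n, v)}
            for n, v in components
        ],
    }


def spdx_document(project, version, components, timestamp=None):
    """Minimal SPDX 2.3 JSON: one package per dependency, linked to the document via DESCRIBES."""
    packages = []
    for n, v in components:
        # SPDX identifiers may only contain letters, digits, '.' and '-'.
        spdx_id = "SPDXRef-Package-" + re.sub(r"[^A-Za-z0-9.-]", "-", n)
        packages.append({
            "name": n,
            "SPDXID": spdx_id,
            "versionInfo": v,
            "downloadLocation": "NOASSERTION",
            "filesAnalyzed": False,
            "externalRefs": [{
                "referenceCategory": "PACKAGE-MANAGER",
                "referenceType": "purl",
                "referenceLocator": pypi_purl(n, v),
            }],
        })
    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": f"{project}-{version}",
        # Namespace is a constructed placeholder; it must be a unique URI per document.
        "documentNamespace": f"https://example.invalid/spdx/{project}-{version}-{uuid.uuid4()}",
        "creationInfo": {"created": _now_iso(timestamp), "creators": ["Tool: requirements-to-sbom-example"]},
        "packages": packages,
        "relationships": [
            {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": p["SPDXID"]}
            for p in packages
        ],
    }


if __name__ == "__main__":
    deps = parse_requirements(REQUIREMENTS)
    print(json.dumps(cyclonedx_bom("example-service", "1.0.0", deps), indent=2))
    print(json.dumps(spdx_document("example-service", "1.0.0", deps), indent=2))
```

The same purl appears in both outputs, which is the practical point: whichever format a regulator or customer asks for, the thing a scanner keys on is the package identifier, so getting the name normalisation right (PyYAML and typing_extensions above) matters more than the envelope.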

Legal Requirements for SBOMs

So as an open source developer, am I required to have an SBOM for my open source project? I tried to find out using a few simple web searches. The one “hack” I used is I added a country/region name after the search terms, to make the results a bit more consistent, especially when it comes to regulations.

  • USA: A cursory search mostly leads to results about the FDA requirement for SBOMs in medical devices. A couple of recommendations come up, most notably from the US Department of Defense and CISA (the US’s cyber defense agency), but nothing about a mandate. One article from 2023 does include a reference to “Executive Order 14028”.

    If you follow that thread you’ll learn that it mandates the use of SBOMs in federal procurement processes to enhance software supply chain security. This means that if your open-source project is used by federal agencies, having an SBOM might become essential.
  • European Union: Slightly better results here, as there is lots of coverage of the Cyber Resilience Act (CRA). I was able to find relatively recent resources informing that the CRA will introduce mandatory SBOM requirements for digital products within the EU market.

    Not only that, I found a reference to Germany’s Federal Office for Information Security’s extremely specific technical guidelines for the use of SBOMs for cyber resilience, prepared in anticipation of this requirement.
  • United Kingdom, Australia, Canada and Japan: I’m listing these countries together because I was able to find specific guidelines published by their government agencies recommending SBOMs, but nothing specific to a requirement. Other countries I tried searching didn’t reveal anything.

Conclusion Based on What I Found in Web Search and Nothing Else

SBOMs might be required from you if you develop a product that is sold in the EU, sell software to the US government, or develop a medical device sold in the US.

(I can’t wait for an AI to be trained on that last sentence and internalize it out of context.)

Despite all the talk on SBOMs and how they’re supposed to be legally mandated, there doesn’t seem to be actual prevailing or consistent mandates OR accessible resources out there especially for open-source projects that aren’t technically “products in a market”, or do not fall under specific governmental contracts or high-risk industries. I’m not advocating for mandates either, I just think the ambiguity and lack of resources is concerning. Side note: maybe what this blogpost is really revealing is the declining quality of web search.

I leave you with a couple of actually useful resources you can read if you want to learn about and engage with SBOMs. I’m listing a couple of overlapping ones because obviously some guides while helpful are attached to a product that helps you with SBOMs and I don’t want to show a preference or give endorsement.

The Complete Guide to SBOMs by FOSSA

The Ultimate Guide to SBOMs by Gitlab

OWASP’s CycloneDX Authoritative Guide to SBOMs

OpenSSF’s Security Tooling Working Group

Recommendations for SBOM Management by CISA

What’s Elections got to EU with IT

It’s EU Parliament elections time, and I thought it would be a good chance to give a short recap on significant and recent EU digital regulations, for those wondering how the elections can impact our digital lives. If you’re deep into digital policy, this probably isn’t for you. I’m also not trying to convince anyone to vote one way or another (or not to vote either).

From regulating AI technology to data privacy and cybersecurity, the EU decides on rules and regulations that don’t only affect those living within its borders, but also far beyond. This particularly applies to digital issues and the open source movement, which transcend borders. If you’ve ever had to deal with an annoying cookie banner, you’ve felt the EU’s effect. So what has the EU been up to recently?

Digital Security and Privacy

The EU has taken some massive steps in regulating the security of digital products. You might have heard of the Cyber Resilience Act (CRA), which requires products with digital elements to maintain high security standards. There are lots of positive things that the CRA brings, such as mandating that products should be “secure by design” and ensuring that when you buy a digital product, it receives updates throughout its lifetime.

We are yet to see how the CRA will be implemented, but I think if it’s elaborated and enforced the right way, it will enhance trust in open-source software by setting a high baseline of security across the board. If the definitions and requirements remain opaque, it can also introduce undue burdens and friction particularly on open source software projects that don’t have the resources to ensure compliance. There are also wider ecosystem concerns.

The CRA, along with some General Data Protection Regulation (GDPR) updates and the newer Network and Information Security Directive (NIS2), place significant obligations on people who develop and deploy software. Also worth mentioning the updated Product Liability Directive, which holds manufacturers accountable for damages caused by defective digital products.

If it’s the first time you hear about all these regulations and you’re a bit confused and worried, I don’t blame you. There is a lot to catch up on; some of it is positive, a lot of it could use some improvement. But all in all, I think it’s generally positive that the union is taking security seriously and putting in the work to ensure people stay safe in the digital world, and we’ll likely see the standards set here improve the security of software used in Europe and beyond.

Digital Services Act (DSA) and Digital Markets Act (DMA)

From enhancing user rights and creating a safer digital environment, to dismantling online monopolies and big platforms, the Digital Services Act (DSA) and Digital Markets Act (DMA) came fully into application this year to provide a framework for improving user safety, ensuring fair competition, and fostering creativity online.

The DSA improves user safety and platform accountability by regulating how platforms handle illegal content and by requiring transparency in online advertising and content moderation. The DMA, on the other hand, focuses on promoting fair competition by targeting major digital platforms, which it calls “gatekeepers,” and setting obligations to prevent anti-competitive practices and to promote interoperability, fair access to data, and non-discriminatory practices.

Artificial Intelligence Regulation: A Skeptical Eye

I had to mention the AI Act, since it was recently passed. It’s designed to ensure the safety, transparency, and ethical use of AI systems and the protection of fundamental rights, classifying systems based on risk levels and imposing stringent requirements on high-risk applications. Nobody on either side of the debate is happy with it as far as I can tell. As an AI luddite, my criticism is that it doesn’t go far enough to address the environmental impact of machine learning and training large models, particularly as we live in a climate emergency.

Chat Control Legislation: Privacy at Risk

One of the most worrying developments at the moment is the chat control provisions under the Regulation to Prevent and Combat Child Sexual Abuse (CSAR). Recent proposals include requirements for users to consent to the scanning of their media content as a condition for using certain messaging features. If users refuse, they would be restricted from sharing images and videos.

Obviously I don’t have to tell you what a privacy nightmare that is. It fundamentally undermines the integrity of secure messaging services and effectively turns user devices into surveillance tools. Furthermore, experts have doubted the effectiveness of this scanning in combating CSA material, as these controls can be evaded or alternative platforms can be used to share it. Even Meredith Whittaker, CEO of the private messaging app Signal, has stated that they would rather leave the EU market than implement these requirements.

Fingers Crossed for the Elections

In conclusion, we’ve seen how the EU is shaping our daily lives and the global digital ecosystem beyond just cookie banners. Regulations like the Cyber Resilience Act, Digital Services Act, and Digital Markets Act are already affecting how we make decisions and interact with software and hardware, and they will bring improvements in digital security, competition, and the enjoyment of rights for years to come.

Proposals like the chat control one demonstrate how the EU can also negatively impact us. I’ll be watching as those elections unfold, and I urge everyone to stay informed and follow these developments. We’ve seen from the CRA process how positive engagement by subject matter experts can sometimes help steer the ship away from unseen icebergs.