Floor Drees
Summarizing Community over Code EU 2024

I helped organize Community over Code EU, June 3-5, in Bratislava, Slovakia. On the actual conference days Software Guru, the agency the ASF (Apache Software Foundation) chose to work with for this event, had everything covered so I could join a lot of talks, and the hallway track too. I have learned a ton about how the ASF works, and about upcoming EU regulations. In fact, I got to participate in the keynote panel around the CRA and AI Act with Mirko Boehm, Community Development at the Linux Foundation Europe, Ana Jiménez Santamaría, OSPO Program Manager at the TODO Group (Linux Foundation), and Natali Vlatko, Open Source Architect at Cisco, SIG Docs Co-Chair for Kubernetes.


A(n attempt at a) summary:

What I now know about the ASF

Craig Russell, ASF Incubator PMC member and Board member, talked about the 25-year-old institution and public not-for-profit 501(c)(3) charity: the Apache Software Foundation. "The ASF is a community with over 300 projects, over 800 members, over 9000 committers, and an enormous user base." The ASF's mission is to provide software for the public good, free of charge, free to use, modify, distribute and sub-license. ASF governance is staffed by volunteers.

The ASF is "Safe/Reliable/Trustworthy". Users trust software that works, contributors rely on legal shield, and downstream users rely on fair treatment.

PMCs are key. They set project direction, manage repositories/build/test/release, vote in new PMC members, vote in new committers, and vote on software releases. Votes are required to document PMC decisions, and there's a distinction between binding and non-binding votes:

  • PMC members: binding
  • PPMC (Podling) members: not binding unless also IPMC (Incubator)
  • Community: not binding

Speaking of voting, during and right after CoC the European Parliament election took place.

Before a release, a PMC needs to:

  • Decide content and release manager
  • Create release candidate(s)
  • Vote: only binding votes count
  • Repeat until 3 binding +1s
  • Publish download page, artifacts, checksums, signature(s)
  • Announce via Public relations
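The last two steps of that checklist are what downstream users see: a download page with artifacts, checksums and signatures. As an added example (my own code, not anything from the ASF or its Infrastructure team), here is the consumer side of that step: a small checker that reads a published checksum file in either the coreutils `sha512sum` layout or the BSD `SHA512 (name) = hex` layout, insists that the entry actually names the artifact being checked, and compares digests in constant time. The artifact bytes and checksum lines are constructed inline so it runs offline; the file name is a made-up placeholder.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Two checksum layouts commonly published beside release artifacts (assumption:
# the page only says "checksums", it does not name a layout):
#   coreutils:  "<hex>  <filename>"            (what `sha512sum` prints)
#   BSD:        "SHA512 (<filename>) = <hex>"
_COREUTILS = re.compile(r"^([0-9a-fA-F]+)\s+\*?(\S+)$")
_BSD = re.compile(r"^(\w+)\s*\((.+)\)\s*=\s*([0-9a-fA-F]+)$")


def parse_checksum_line(line):
    """Return (filename, hex_digest) from one checksum line, or None if it doesn't parse."""
    line = line.strip()
    m = _COREUTILS.match(line)
    if m:
        return m.group(2), m.group(1).lower()
    m = _BSD.match(line)
    if m:
        return m.group(2), m.group(3).lower()
    return None


def digest_file(path, algo="sha512"):
    """Stream the file through the hash so large tarballs don't need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(artifact, checksum_text, algo="sha512"):
    """True only if some line names exactly this artifact and its digest matches."""
    artifact = Path(artifact)
    expected_len = hashlib.new(algo).digest_size * 2  # hex chars for this algorithm
    for line in checksum_text.splitlines():
        parsed = parse_checksum_line(line)
        if parsed is None:
            continue
        name, hexdigest = parsed
        # A checksum for some other file in the list proves nothing about this one.
        if Path(name).name != artifact.name:
            continue
        if len(hexdigest) != expected_len:
            return False  # truncated digest, or a different algorithm than claimed
        # Constant-time comparison, so timing doesn't leak how many leading chars matched.
        return hmac.compare_digest(hexdigest, digest_file(artifact, algo))
    return False  # no entry for this artifact at all


def demo():
    """Constructed scenario: a good download, a tampered one, and a mismatched entry."""
    with tempfile.TemporaryDirectory() as d:
        art = Path(d) / "apache-foo-1.0.0-bin.tar.gz"  # placeholder name, not a real release
        art.write_bytes(b"constructed release bytes, not a real tarball\n")
        published = f"{digest_file(art)}  {art.name}\n"  # what the project would publish
        results = {"good": verify_artifact(art, published)}
        art.write_bytes(b"tampered bytes\n")  # mirror served something else
        results["tampered"] = verify_artifact(art, published)
        # Digest is right for the tampered file, but the entry names a different artifact.
        results["wrong_name"] = verify_artifact(art, f"{digest_file(art)}  other.tar.gz\n")
        return results


if __name__ == "__main__":
    print(demo())
```

A checksum only proves the bytes match what the same server published; the signature is what ties the release to the release manager's key, so in practice this check sits next to a `gpg --verify` of the `.asc` file against the project's published signing keys (that pairing is standard practice, not something the talk spelled out).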

Special rules apply for incubating "podlings":

  • PPMC has no official standing
  • Incubator PMC must vote on releases
  • Releases are voted on dev@podling first
  • Once vote passes with 3 PPMC votes:
    • vote goes to general@incubator for IPMC members to vote
    • if all Podling Mentors cast +1, vote passes
    • if not, try to get IPMC Member votes

Brand has an important role in the ASF ecosystem:

  • Primary issue is Name Confusion
  • Apache Foo(R) or Apache Foo(TM)
  • Companies != "original creators of Apache Foo"
  • Apache Foo != "open source edition"
  • ASF websites must be role models:
    • Apache Foo(TM) at the beginning of all pages
    • Trademark notices in footer of all places

Justin Mclean, ASF Director, VP ASF Incubator, and Datastrato Community Manager, shared stories from "Inside the Apache Software Foundation Board". With lots of board members in the room, curiously.

ASF Governance:

  • Board of Directors governs foundation
    • The 9 members are all unpaid volunteers
    • At least one in-person meeting a year; they had a "f2f" just before Community over Code in Bratislava
    • ASF members vote in ASF members
    • Board members voted in by ASF members
  • PMCs (Project Management Committees) govern the project
  • Officers of the corporation set foundation-wide policies

BoD possible future change: change from yearly term to ... longer term.

As a Board member, you:

  • Attend monthly (virtual) board meetings
    • Review officers and project reports
    • vote on "resolutions"
  • Attend the Board f2f to discuss things like the CRA

Individual board members are "shepherds" who get assigned a number of projects and handle those projects' reports.
A good report should:

  • be accurate (data should be contextualized. "Contributions went up 20%" could just be dependabot being busy)
  • be community-focused
  • contain all the requested information

Reviewing reports, Justin looks at:

  • number of contributors (and contributor make-up)
  • number of commits
  • Active contributor base (but notes that little activity is not necessarily bad)

All ASF mailing lists are archived and publicly available; private lists are used only for member/PMC nominations, or security issues.

David Nalley, Director Open Source Strategy & Marketing at AWS, and ASF President, started the 3rd day with a "State of the Foundation". The ASF has an obligation to act in the best interest of the general public, not stakeholders, not members. David specifically calls out Apache Airflow as providing tremendous value to the general public.

The Foundation should make it easy for its projects to provide value. 25 years ago they offered services to that end: backups of data, running version control, a ticketing system, CI, etc. Today Infrastructure still does that, even if those services are now abundantly available for free (Infrastructure had a table at the conference for office hours).

Today the Foundation should make the compliance story easier. Tools are needed to meet those standards, like easy code signing. "We need to enable projects to build to the highest quality we can attest to." Dirk-Willem van Gulik's talk was a great follow-up to this, but in this report I'll cover his session later.

Kanchana Welagedara, Committer/member ASF and Software Development Manager AWS (OSPO), talked about ASF mentorship and "The Apache Way". She shared a metaphor where when birds fly in a "v" formation, any bird can take over the lead when the first bird gets tired: Community over Code.

In the ASF community:

  • Personally and publicly earned authority
  • Individuals participate, not organizations: community of peers
  • All communications related to code and decision-making are to be publicly accessible: Open Communications
    • dev@ (primarily project development)
    • user@ (user community discussion and peer support)
    • commits@ (automated source change notifications)
    • occasionally supporting roles such as marketing@ (project visibility)
  • Projects are overseen by a self-selected team of active volunteers who are contributing to their respective projects: Consensus Decision Making
  • Governance model is based on trust and delegated oversight: Responsible Oversight

The membership values derived from it:

  • Persistence
  • Openness
  • Collaboration
  • Responsiveness

Opportunities to join the community abound:

  • Incubate your project with Apache incubator
  • Join Google Summer of Code and work on an ASF project
  • Establish your local Apache meetup
  • Find your favorite project from the ASF project directory
  • Help fix DEI challenges - I'll return to that at the end, but ASF's Diversity statement includes the vision to "Become the most equitable open source foundation in the world"

Dr. Sherae Daniel, whose keynote shared the outcomes of studies on how we open source folks present ourselves online, also commented on the lack of diversity in the ASF community. Her survey respondents were "mostly male, looking around the room I see that that's about right. The age distribution is as expected too." Many people in the room claimed to dislike self-promotion. Brian Profitt in his session asked "Why community marketing and advocacy?" Because you're competing with 372,000,000 open source projects for eyeballs, that's why.

What I now know about (upcoming) EU regulations affecting OSS

I loved the keynote by Dirk-Willem van Gulik, VP Public Affairs at the ASF: "All your code are belong to the policymakers, politicians and the law (and that's nowhere near as bad as you think)". Referencing the "move fast and break things" ethos of Mark Zuckerberg, Dirk-Willem says that it "is more important to us humans to not have technology fail than the innovation and wealth it brings when unchecked".

The regulatory outlook:

  • PLD - Product Liability Directive
    • Updated to add software (no new (strict) liability created)
  • CRA - Cyber Resilience Act
    • TL;DR: do decent security (test, triage, fix, updates, disclose)
  • NIS2, DORA, AI Act, Interop Act, DSA

Political work is done or almost done, and mostly uncontroversial. All of these are already published or will soon be; roll-out is phased over the next 1-3 years. The good news: it's not a disaster (anymore).

  • A new concept "Open Source Stewards" was introduced last minute
  • Decent security is now a requirement when you place something in the market
  • (With PLD) waivers and disclaimers now generally void when it involves a natural person
  • Impact first and foremost on our industry (i.e. on our community)
    • Certain models are no longer viable; software (services) generally more expensive
    • Roadkill calculated in (some companies will die) & all sort of funding for mitigation, capacity and capability building available

An "open-source software steward" (art 3, paragraph 18a) means a legal person, other than a manufacturer that has the purpose or objective of systematically providing support on a sustained basis for the development of specific products with digital elements qualifying as free and open-source software and intended for commercial activities, and that ensures the viability of those products.

The CRA brings with it a new class of "economic actors". It's expected to "put in place and document in a verifiable manner a cybersecurity policy to foster the development of a secure product with digital elements as well as an effective handling of vulnerabilities by the developers of that product". Exactly what that means relies on standards that are yet to be written. Things we're already doing are CVE processes, risk-based triage, and responsible disclosure. Newer still are SBOMs, and explicit reporting/alerts to the regulators.

As is the case with any type of standard, "the devil is in the details". Many are required (43+) and not written yet. The CRA borrows from existing standards (think ISO 27001, OWASP, etc), so look at those, but realize there are large gaps still. The ASF of course works with their peers and the industry at Eclipse to write down what we do today (industry best practice): news.apache.org/foundation/entry/open-source-community-unites-to-build-cra-compliant-cybersecurity-processes

For products (that are placed on the market) decent software engineering (including testing, maintenance and fixes) is now "the law". "No matter what Sales, Product Management or shortsighted managers may say". Good governance and proof of functioning management are paramount. Think: mandatory risk assessment throughout the product lifecycle, vulnerability management and (free) security updates. We'll see much higher standards for more critical things (browsers, password managers, chipcard software, hypervisors, PKI, firewalls) - up to third party certification.

The impact on the ASF is direct (as an open source steward) and indirect (downstream). Direct: "we do most of this already; but formalize & automate the boring stuff". Indirect: just like win-win of sharing code - expect a win-win proposition for our employers to also work on these challenges in open source fashion.

The CRA makes it mandatory to consider the impact on living humans first. "If you're a PMC of 1 (or 2/3 but they aren't very active) you can't meet the requirements of the CRA and you'd be irresponsible placing your product (project) onto the market", says Dirk-Willem. Crossing the threshold to being a digital product is a makefile, making your software available through package managers, writing release notes, etc, signaling a healthy project, vs a hobby script you threw on GitHub.

Niharika Singhal, Project Manager Free Software Foundation Europe, in "Ethical Algorithms, Licensing Impasses: The intersection of Free Software and AI openness" says that the fact that "open source AI" is not defined yet is kind of a big deal.

The AI Act says "safe, traceable, non-discriminatory and environmentally sustainable AI systems. The OSD (Open Source Definition) doesn't discriminate field of endeavor, so when the OSI finishes writing the definition of open source AI, it might be at odds with the AI act."

The FSF defines free and open source as free to:

  • Use (The software can be used for any purpose without restrictions)
  • Study (The software and its code can be analyzed by anyone)
  • Share (The software can be shared without limitations)
  • Improve (The software can be modified by you or others to give back to the community)

Today AI labeled as "open" exists on a long gradient of semi-open to not really transparent at all.

To ensure "openness" in AI, any new licenses should be interoperable with free software licenses. AI systems should be accessible, reusable and sustainable. And ethical compliance checks must fall within the purview of regulations and not software licenses, says Niharika.

Talking about environmental sustainability, the Green Software Foundation might well be a good partner to seek out. Asim Hussain, Executive Director at Green Software Foundation, in his keynote talked about power as the ability to influence people and events. "Open source is a dilution of power, open source leading the sustainability revolution: the impact framework is a technology that dilutes power". "Make diff, not war", and "if you're fully transparent you can never be accused of greenwashing, only of being wrong". You can get involved grnsft.org/if-whats-next.

What I now know about better decision making

Addie Girouard, Principal at Third Man Agency, talked about decision making in an open source project. The 2 tips I'll remember are to add two documents to my project to add transparency through documentation and explaining the "how":

Rich Bowen, Open Source Strategist at Amazon Web Services (AWS), talked about "Talking to management about open source" (slides). He started with an old opensource.com survey on why individuals do open source. "Fun" was a big factor. He notes: that's not why your company does open source, they're in for: profit, customers, shareholders, profit again, and talent.

"All up the company goals and understandings vary." Comprehending the lens through which you will be understood is super important.
Don't be afraid to tell a scary story (Heartbleed, Log4j, etc) and talk about the cost of replacing stuff. Because: "free does not mean without cost". Rich talked about the "Elephant factor": when one company contributes the most to a project, or worse yet all of the code, what happens when they cancel their investment? He also mentioned the "Pony factor", when an individual contributor contributes the majority of the code.

Lead with data. "Apache Commons is a critical component in our product ZYX, which earned USD27M last year. If the project were to fail, we would have to replace it with something else, which would take approximately 6 months of work by 4 engineers, assuming we could find a comparable project with which to replace it, rather than developing what we need from scratch. Therefore, it is in the best interest of our customers, and our bottom line, to participate in the sustainability of that project by contributing bug fixes, feature enhancements, and PR reviews."

Bertrand Delacretaz, Principal Scientist at Adobe, and ASF Board member, had several pointers for better communication that I'll take to heart:

  • "If it isn't on the mailing list it didn't happen"
  • "Don't ask for forgiveness, radiate intent"
  • "Communication around decisions taken needs to happen on a stable URL" (read: not in a Slack thread)

What's next?

The North America Community over Code will take place October 7-10, in Denver, Colorado, with Cassandra Summit rolled into it as a track.

I personally will be looking at getting involved with improving https://community.apache.org and the diversity effort. I've started to talk to Gláucia Esppenchutz, who had a talk on the topic at the conference. And I'm very glad for the insights Ruth Ikegah, Community Lead at CHAOSS Africa, shared around the African open source community and its unique challenges (lack of infrastructure resources like bandwidth connectivity, light and power, need for mentorship, visa issues). Africa is 54 countries, and 70% of the population are under 30 years old. Forbes called it the "next tech hub". The Octoverse report (GitHub) shows Africa as an emerging market for OSS indeed. Ruth suggested checking out OSCA (Open Source Community Africa), All in Africa, and the CHAOSS programs in Africa.

Comments
Honestly Witty

Precise.

Is it possible to link the profile URL of people who are on the platform ?